diff -up libgcrypt-1.5.3/random/drbg.c.drbg libgcrypt-1.5.3/random/drbg.c

--- libgcrypt-1.5.3/random/drbg.c.drbg	2014-09-26 17:00:16.050215868 +0200

+++ libgcrypt-1.5.3/random/drbg.c	2014-09-26 17:15:41.576110018 +0200

@@ -0,0 +1,2352 @@

+/*

+ * DRBG: Deterministic Random Bits Generator

+ *       Based on NIST Recommended DRBG from NIST SP800-90A with the following

+ *       properties:

+ *		* CTR DRBG with DF with AES-128, AES-192, AES-256 cores

+ * 		* Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores

+ * 		* HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores

+ * 		* with and without prediction resistance

+ *

+ * Copyright Stephan Mueller <smueller@chronox.de>, 2014

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ * 1. Redistributions of source code must retain the above copyright

+ *    notice, and the entire permission notice in its entirety,

+ *    including the disclaimer of warranties.

+ * 2. Redistributions in binary form must reproduce the above copyright

+ *    notice, this list of conditions and the following disclaimer in the

+ *    documentation and/or other materials provided with the distribution.

+ * 3. The name of the author may not be used to endorse or promote

+ *    products derived from this software without specific prior

+ *    written permission.

+ *

+ * ALTERNATIVELY, this product may be distributed under the terms of

+ * LGPLv2+, in which case the provisions of the LGPL are

+ * required INSTEAD OF the above restrictions.  (This clause is

+ * necessary due to a potential bad interaction between the LGPL and

+ * the restrictions contained in a BSD-style copyright.)

+ *

+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED

+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF

+ * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE

+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT

+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR

+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE

+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH

+ * DAMAGE.

+ *

+ *

+ * gcry_control GCRYCTL_DRBG_REINIT

+ * ================================

+ * This control request re-initializes the DRBG completely, i.e. the entire

+ * state of the DRBG is zeroized (with two exceptions listed in

+ * GCRYCTL_DRBG_SET_ENTROPY).

+ *

+ * The control request takes the following values which influences how the DRBG

+ * is re-initialized:

+ *   * u32 flags: This variable specifies the DRBG type to be used for the

+ *		    next initialization. If set to 0, the previous DRBG type is

+ * 		    used for the initialization. The DRBG type is an OR of the

+ * 		    mandatory flags of the requested DRBG strength and DRBG

+ * 		    cipher type. Optionally, the prediction resistance flag

+ * 		    can be ORed into the flags variable. For example:

+ * 		    - CTR-DRBG with AES-128 without prediction resistance:

+ * 			DRBG_CTRAES128

+ * 		    - HMAC-DRBG with SHA-512 with prediction resistance:

+ * 			DRBG_HMACSHA512 | DRBG_PREDICTION_RESIST

+ *   * struct gcry_drbg_string *pers: personalization string to be used for

+ *			   	 initialization.

+ * The variable of flags is independent from the pers/perslen variables. If

+ * flags is set to 0 and perslen is set to 0, the current DRBG type is

+ * completely reset without using a personalization string.

+ *

+ * DRBG Usage

+ * ==========

+ * The SP 800-90A DRBG allows the user to specify a personalization string

+ * for initialization as well as an additional information string for each

+ * random number request. The following code fragments show how a caller

+ * uses the kernel crypto API to use the full functionality of the DRBG.

+ *

+ * Usage without any additional data

+ * ---------------------------------

+ * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);

+ *

+ *

+ * Usage with personalization string during initialization

+ * -------------------------------------------------------

+ * struct gcry_drbg_string pers;

+ * char personalization[11] = "some-string";

+ *

+ * gcry_drbg_string_fill(&pers, personalization, strlen(personalization));

+ * // The reset completely re-initializes the DRBG with the provided

+ * // personalization string without changing the DRBG type

+ * ret = gcry_control(GCRYCTL_DRBG_REINIT, 0, &pers;;

+ * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);

+ *

+ *

+ * Usage with additional information string during random number request

+ * ---------------------------------------------------------------------

+ * struct gcry_drbg_string addtl;

+ * char addtl_string[11] = "some-string";

+ *

+ * gcry_drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));

+ * // The following call is a wrapper to gcry_randomize() and returns

+ * // the same error codes.

+ * gcry_randomize_drbg(outbuf, OUTLEN, GCRY_STRONG_RANDOM, &addtl);

+ *

+ *

+ * Usage with personalization and additional information strings

+ * -------------------------------------------------------------

+ * Just mix both scenarios above.

+ *

+ *

+ * Switch the DRBG type to some other type

+ * ---------------------------------------

+ * // Switch to CTR DRBG AES-128 without prediction resistance

+ * ret = gcry_control(GCRYCTL_DRBG_REINIT, DRBG_NOPR_CTRAES128, NULL);

+ * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);

+ */

+

+#include <sys/types.h>

+#include <asm/types.h>

+#include <string.h>

+#include <unistd.h>

+#include <stdint.h>

+

+#include <config.h>

+

+#include "g10lib.h"

+#include "random.h"

+#include "rand-internal.h"

+#include "../cipher/bithelp.h"

+#include "ath.h"

+

+/******************************************************************

+ * Common data structures

+ ******************************************************************/

+

+struct gcry_drbg_state;

+

+struct gcry_drbg_core

+{

+  u32 flags;			/* flags for the cipher */

+  ushort statelen;		/* maximum state length */

+  ushort blocklen_bytes;	/* block size of output in bytes */

+  int backend_cipher;		/* libgcrypt backend cipher */

+};

+

+struct gcry_drbg_state_ops

+{

+  gpg_err_code_t (*update) (struct gcry_drbg_state * drbg,

+			    struct gcry_drbg_string * seed, int reseed);

+  gpg_err_code_t (*generate) (struct gcry_drbg_state * drbg,

+			      unsigned char *buf, unsigned int buflen,

+			      struct gcry_drbg_string * addtl);

+};

+

+/* DRBG test data */

+struct gcry_drbg_test_data

+{

+  struct gcry_drbg_string *testentropy;	/* TEST PARAMETER: test entropy */

+  int fail_seed_source:1;	/* if set, the seed function will return an error */

+};

+

+

+struct gcry_drbg_state

+{

+  unsigned char *V;		/* internal state 10.1.1.1 1a) */

+  unsigned char *C;		/* hash: static value 10.1.1.1 1b)

+				 * hmac / ctr: key */

+  size_t reseed_ctr;		/* Number of RNG requests since last reseed --

+				 * 10.1.1.1 1c) */

+  unsigned char *scratchpad;	/* some memory the DRBG can use for its

+				 * operation -- allocated during init */

+  int seeded:1;			/* DRBG fully seeded? */

+  int pr:1;			/* Prediction resistance enabled? */

+  int fips_primed:1;		/* Continuous test primed? */

+  unsigned char *prev;		/* previous output value of gcry_drbg_blocklen

+				 * for FIPS 140-2 continuous test */

+  /* Taken from libgcrypt ANSI X9.31 DRNG: We need to keep track of the

+   * process which did the initialization so that we can detect a fork.

+   * The volatile modifier is required so that the compiler does not

+   * optimize it away in case the getpid function is badly attributed. */

+  pid_t seed_init_pid;

+  const struct gcry_drbg_state_ops *d_ops;

+  const struct gcry_drbg_core *core;

+  struct gcry_drbg_test_data *test_data;

+};

+

+enum gcry_drbg_prefixes

+{

+  DRBG_PREFIX0 = 0x00,

+  DRBG_PREFIX1,

+  DRBG_PREFIX2,

+  DRBG_PREFIX3

+};

+

+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

+

+/***************************************************************

+ * Backend cipher definitions available to DRBG

+ ***************************************************************/

+

+static const struct gcry_drbg_core gcry_drbg_cores[] = {

+  /* Hash DRBGs */

+  {GCRY_DRBG_HASHSHA1, 55, 20, GCRY_MD_SHA1},

+  {GCRY_DRBG_HASHSHA256, 55, 32, GCRY_MD_SHA256},

+  {GCRY_DRBG_HASHSHA384, 111, 48, GCRY_MD_SHA384},

+  {GCRY_DRBG_HASHSHA512, 111, 64, GCRY_MD_SHA512},

+  /* HMAC DRBGs */

+  {GCRY_DRBG_HASHSHA1 | GCRY_DRBG_HMAC, 20, 20, GCRY_MD_SHA1},

+  {GCRY_DRBG_HASHSHA256 | GCRY_DRBG_HMAC, 32, 32, GCRY_MD_SHA256},

+  {GCRY_DRBG_HASHSHA384 | GCRY_DRBG_HMAC, 48, 48, GCRY_MD_SHA384},

+  {GCRY_DRBG_HASHSHA512 | GCRY_DRBG_HMAC, 64, 64, GCRY_MD_SHA512},

+  /* block ciphers */

+  {GCRY_DRBG_CTRAES | GCRY_DRBG_SYM128, 32, 16, GCRY_CIPHER_AES128},

+  {GCRY_DRBG_CTRAES | GCRY_DRBG_SYM192, 40, 16, GCRY_CIPHER_AES192},

+  {GCRY_DRBG_CTRAES | GCRY_DRBG_SYM256, 48, 16, GCRY_CIPHER_AES256},

+};

+

+static gpg_err_code_t gcry_drbg_sym (struct gcry_drbg_state *drbg,

+				     const unsigned char *key,

+				     unsigned char *outval,

+				     const struct gcry_drbg_string *buf);

+static gpg_err_code_t gcry_drbg_hmac (struct gcry_drbg_state *drbg,

+				      const unsigned char *key,

+				      unsigned char *outval,

+				      const struct gcry_drbg_string *buf);

+

+/******************************************************************

+ ******************************************************************

+ ******************************************************************

+ * Generic DRBG code

+ ******************************************************************

+ ******************************************************************

+ ******************************************************************/

+

+/******************************************************************

+ * Generic helper functions

+ ******************************************************************/

+

+/* Byte swap for 32-bit and 64-bit integers. */

+static inline u32

+_gcry_bswap32(u32 x)

+{

+	return ((rol(x, 8) & 0x00ff00ffL) | (ror(x, 8) & 0xff00ff00L));

+}

+

+#ifdef HAVE_U64_TYPEDEF

+static inline u64

+_gcry_bswap64(u64 x)

+{

+	return ((u64)_gcry_bswap32(x) << 32) | (_gcry_bswap32(x >> 32));

+}

+#endif

+

+/* Endian dependent byte swap operations.  */

+#ifdef WORDS_BIGENDIAN

+# define le_bswap32(x) _gcry_bswap32(x)

+# define be_bswap32(x) ((u32)(x))

+# ifdef HAVE_U64_TYPEDEF

+#  define le_bswap64(x) _gcry_bswap64(x)

+#  define be_bswap64(x) ((u64)(x))

+# endif

+#else

+# define le_bswap32(x) ((u32)(x))

+# define be_bswap32(x) _gcry_bswap32(x)

+# ifdef HAVE_U64_TYPEDEF

+#  define le_bswap64(x) ((u64)(x))

+#  define be_bswap64(x) _gcry_bswap64(x)

+# endif

+#endif

+

+#define xcalloc_secure(a,b) gcry_xcalloc_secure((a),(b))

+#define xfree(a) _gcry_free(a)

+

+#if 0

+#define dbg(x) do { log_debug x; } while(0)

+#else

+#define dbg(x)

+#endif

+

+static inline ushort

+gcry_drbg_statelen (struct gcry_drbg_state *drbg)

+{

+  if (drbg && drbg->core)

+    return drbg->core->statelen;

+  return 0;

+}

+

+static inline ushort

+gcry_drbg_blocklen (struct gcry_drbg_state *drbg)

+{

+  if (drbg && drbg->core)

+    return drbg->core->blocklen_bytes;

+  return 0;

+}

+

+static inline ushort

+gcry_drbg_keylen (struct gcry_drbg_state *drbg)

+{

+  if (drbg && drbg->core)

+    return (drbg->core->statelen - drbg->core->blocklen_bytes);

+  return 0;

+}

+

+static inline size_t

+gcry_drbg_max_request_bytes (void)

+{

+  /* SP800-90A requires the limit 2**19 bits, but we return bytes */

+  return (1 << 16);

+}

+

+static inline size_t

+gcry_drbg_max_addtl (void)

+{

+  /* SP800-90A requires 2**35 bytes additional info str / pers str */

+#ifdef __LP64__

+  return (1UL << 35);

+#else

+  /*

+   * SP800-90A allows smaller maximum numbers to be returned -- we

+   * return SIZE_MAX - 1 to allow the verification of the enforcement

+   * of this value in gcry_drbg_healthcheck_sanity.

+   */

+  return (SIZE_MAX - 1);

+#endif

+}

+

+static inline size_t

+gcry_drbg_max_requests (void)

+{

+  /* SP800-90A requires 2**48 maximum requests before reseeding */

+#ifdef __LP64__

+  return (1UL << 48);

+#else

+  return SIZE_MAX;

+#endif

+}

+

+/*

+ * Return strength of DRBG according to SP800-90A section 8.4

+ *

+ * flags: DRBG flags reference

+ *

+ * Return: normalized strength value or 32 as a default to counter

+ * 	   programming errors

+ */

+static inline unsigned short

+gcry_drbg_sec_strength (u32 flags)

+{

+  if ((flags & GCRY_DRBG_HASHSHA1) || (flags & GCRY_DRBG_SYM128))

+    return 16;

+  else if (flags & GCRY_DRBG_SYM192)

+    return 24;

+  else if ((flags & GCRY_DRBG_SYM256) || (flags & GCRY_DRBG_HASHSHA256) ||

+	   (flags & GCRY_DRBG_HASHSHA384) || (flags & GCRY_DRBG_HASHSHA512))

+    return 32;

+  else

+    return 32;

+}

+

+/*

+ * FIPS 140-2 continuous self test

+ * The test is performed on the result of one round of the output

+ * function. Thus, the function implicitly knows the size of the

+ * buffer.

+ *

+ * @drbg DRBG handle

+ * @buf output buffer of random data to be checked

+ *

+ * return:

+ *	false on error

+ * 	true on success

+ */

+static gpg_err_code_t

+gcry_drbg_fips_continuous_test (struct gcry_drbg_state *drbg,

+				const unsigned char *buf)

+{

+  gpg_err_code_t ret = 0;

+  /* skip test if we test the overall system */

+  if (drbg->test_data)

+    return 1;

+  /* only perform test in FIPS mode */

+  if (0 == fips_mode ())

+    return 1;

+  if (!drbg->fips_primed)

+    {

+      /* Priming of FIPS test */

+      memcpy (drbg->prev, buf, gcry_drbg_blocklen (drbg));

+      drbg->fips_primed = 1;

+      /* return false due to priming, i.e. another round is needed */

+      return 0;

+    }

+  ret = memcmp (drbg->prev, buf, gcry_drbg_blocklen (drbg));

+  memcpy (drbg->prev, buf, gcry_drbg_blocklen (drbg));

+  /* the test shall pass when the two compared values are not equal */

+  return ret != 0;

+}

+

+/*

+ * Convert an integer into a byte representation of this integer.

+ * The byte representation is big-endian

+ *

+ * @val value to be converted

+ * @buf buffer holding the converted integer -- caller must ensure that

+ *      buffer size is at least 32 bit

+ */

+static inline void

+gcry_drbg_cpu_to_be32 (u32 val, unsigned char *buf)

+{

+  struct s

+  {

+    u32 conv;

+  };

+  struct s *conversion = (struct s *) buf;

+

+  conversion->conv = be_bswap32 (val);

+}

+

+static void

+gcry_drbg_add_buf (unsigned char *dst, size_t dstlen,

+		   unsigned char *add, size_t addlen)

+{

+  /* implied: dstlen > addlen */

+  unsigned char *dstptr, *addptr;

+  unsigned int remainder = 0;

+  size_t len = addlen;

+

+  dstptr = dst + (dstlen - 1);

+  addptr = add + (addlen - 1);

+  while (len)

+    {

+      remainder += *dstptr + *addptr;

+      *dstptr = remainder & 0xff;

+      remainder >>= 8;

+      len--;

+      dstptr--;

+      addptr--;

+    }

+  len = dstlen - addlen;

+  while (len && remainder > 0)

+    {

+      remainder = *dstptr + 1;

+      *dstptr = remainder & 0xff;

+      remainder >>= 8;

+      len--;

+      dstptr--;

+    }

+}

+

+/* Helper variables for read_cb().

+ *

+ *   The _gcry_rnd*_gather_random interface does not allow to provide a

+ *   data pointer.  Thus we need to use a global variable for

+ *   communication.  However, the then required locking is anyway a good

+ *   idea because it does not make sense to have several readers of (say

+ *   /dev/random).  It is easier to serve them one after the other.  */

+static unsigned char *read_cb_buffer;	/* The buffer.  */

+static size_t read_cb_size;	/* Size of the buffer.  */

+static size_t read_cb_len;	/* Used length.  */

+

+/* Callback for generating seed from kernel device. */

+static void

+gcry_drbg_read_cb (const void *buffer, size_t length,

+		   enum random_origins origin)

+{

+  const unsigned char *p = buffer;

+

+  (void) origin;

+  gcry_assert (read_cb_buffer);

+

+  /* Note that we need to protect against gatherers returning more

+   * than the requested bytes (e.g. rndw32).  */

+  while (length-- && read_cb_len < read_cb_size)

+    read_cb_buffer[read_cb_len++] = *p++;

+}

+

+static inline int

+gcry_drbg_get_entropy (struct gcry_drbg_state *drbg, unsigned char *buffer,

+		       size_t len)

+{

+  int rc = 0;

+

+  /* Perform testing as defined in 11.3.2 */

+  if (drbg->test_data && drbg->test_data->fail_seed_source)

+    return -1;

+

+  read_cb_buffer = buffer;

+  read_cb_size = len;

+  read_cb_len = 0;

+#if USE_RNDLINUX

+  rc = _gcry_rndlinux_gather_random (gcry_drbg_read_cb, 0, len,

+				     GCRY_VERY_STRONG_RANDOM);

+#elif USE_RNDUNIX

+  rc = _gcry_rndunix_gather_random (read_cb, 0, length,

+				    GCRY_VERY_STRONG_RANDOM);

+#elif USE_RNDW32

+  do

+    {

+      rc = _gcry_rndw32_gather_random (read_cb, 0, length,

+				       GCRY_VERY_STRONG_RANDOM);

+    }

+  while (rc >= 0 && read_cb_len < read_cb_size);

+#else

+  rc = -1;

+#endif

+  return rc;

+}

+

+/******************************************************************

+ * CTR DRBG callback functions

+ ******************************************************************/

+

+/* BCC function for CTR DRBG as defined in 10.4.3 */

+static gpg_err_code_t

+gcry_drbg_ctr_bcc (struct gcry_drbg_state *drbg,

+		   unsigned char *out, const unsigned char *key,

+		   struct gcry_drbg_string *in)

+{

+  gpg_err_code_t ret = GPG_ERR_GENERAL;

+  struct gcry_drbg_string *curr = in;

+  size_t inpos = curr->len;

+  const unsigned char *pos = curr->buf;

+  struct gcry_drbg_string data;

+

+  gcry_drbg_string_fill (&data, out, gcry_drbg_blocklen (drbg));

+

+  /* 10.4.3 step 1 */

+  memset (out, 0, gcry_drbg_blocklen (drbg));

+

+  /* 10.4.3 step 2 / 4 */

+  while (inpos)

+    {

+      short cnt = 0;

+      /* 10.4.3 step 4.1 */

+      for (cnt = 0; cnt < gcry_drbg_blocklen (drbg); cnt++)

+	{

+	  out[cnt] ^= *pos;

+	  pos++;

+	  inpos--;

+	  /* the following branch implements the linked list

+	   * iteration. If we are at the end of the current data

+	   * set, we have to start using the next data set if

+	   * available -- the inpos value always points to the

+	   * current byte and will be zero if we have processed

+	   * the last byte of the last linked list member */

+	  if (0 == inpos)

+	    {

+	      curr = curr->next;

+	      if (NULL != curr)

+		{

+		  pos = curr->buf;

+		  inpos = curr->len;

+		}

+	      else

+		{

+		  inpos = 0;

+		  break;

+		}

+	    }

+	}

+      /* 10.4.3 step 4.2 */

+      ret = gcry_drbg_sym (drbg, key, out, &data);

+      if (ret)

+	return ret;

+      /* 10.4.3 step 2 */

+    }

+  return 0;

+}

+

+

+/*

+ * scratchpad usage: gcry_drbg_ctr_update is interlinked with gcry_drbg_ctr_df

+ * (and gcry_drbg_ctr_bcc, but this function does not need any temporary buffers),

+ * the scratchpad is used as follows:

+ * gcry_drbg_ctr_update:

+ *	temp

+ *		start: drbg->scratchpad

+ *		length: gcry_drbg_statelen(drbg) + gcry_drbg_blocklen(drbg)

+ *			note: the cipher writing into this variable works

+ *			blocklen-wise. Now, when the statelen is not a multiple

+ *			of blocklen, the generateion loop below "spills over"

+ *			by at most blocklen. Thus, we need to give sufficient

+ *			memory.

+ *	df_data

+ *		start: drbg->scratchpad +

+ *				gcry_drbg_statelen(drbg) +

+ *				gcry_drbg_blocklen(drbg)

+ *		length: gcry_drbg_statelen(drbg)

+ *

+ * gcry_drbg_ctr_df:

+ *	pad

+ *		start: df_data + gcry_drbg_statelen(drbg)

+ *		length: gcry_drbg_blocklen(drbg)

+ *	iv

+ *		start: pad + gcry_drbg_blocklen(drbg)

+ *		length: gcry_drbg_blocklen(drbg)

+ *	temp

+ *		start: iv + gcry_drbg_blocklen(drbg)

+ *		length: gcry_drbg_satelen(drbg) + gcry_drbg_blocklen(drbg)

+ *			note: temp is the buffer that the BCC function operates

+ *			on. BCC operates blockwise. gcry_drbg_statelen(drbg)

+ *			is sufficient when the DRBG state length is a multiple

+ *			of the block size. For AES192 (and maybe other ciphers)

+ *			this is not correct and the length for temp is

+ *			insufficient (yes, that also means for such ciphers,

+ *			the final output of all BCC rounds are truncated).

+ *			Therefore, add gcry_drbg_blocklen(drbg) to cover all

+ *			possibilities.

+ */

+

+/* Derivation Function for CTR DRBG as defined in 10.4.2 */

+static gpg_err_code_t

+gcry_drbg_ctr_df (struct gcry_drbg_state *drbg, unsigned char *df_data,

+		  size_t bytes_to_return, struct gcry_drbg_string *addtl)

+{

+  gpg_err_code_t ret = GPG_ERR_GENERAL;

+  unsigned char L_N[8];

+  /* S3 is input */

+  struct gcry_drbg_string S1, S2, S4, cipherin;

+  struct gcry_drbg_string *tempstr = addtl;

+  unsigned char *pad = df_data + gcry_drbg_statelen (drbg);

+  unsigned char *iv = pad + gcry_drbg_blocklen (drbg);

+  unsigned char *temp = iv + gcry_drbg_blocklen (drbg);

+  size_t padlen = 0;

+  unsigned int templen = 0;

+  /* 10.4.2 step 7 */

+  unsigned int i = 0;

+  /* 10.4.2 step 8 */

+  const unsigned char *K = (unsigned char *)

+    "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"

+    "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";

+  unsigned char *X;

+  size_t generated_len = 0;

+  size_t inputlen = 0;

+

+  memset (pad, 0, gcry_drbg_blocklen (drbg));

+  memset (iv, 0, gcry_drbg_blocklen (drbg));

+  memset (temp, 0, gcry_drbg_statelen (drbg));

+

+  /* 10.4.2 step 1 is implicit as we work byte-wise */

+

+  /* 10.4.2 step 2 */

+  if ((512 / 8) < bytes_to_return)

+    return GPG_ERR_INV_ARG;

+

+  /* 10.4.2 step 2 -- calculate the entire length of all input data */

+  for (; NULL != tempstr; tempstr = tempstr->next)

+    inputlen += tempstr->len;

+  gcry_drbg_cpu_to_be32 (inputlen, &L_N[0]);

+

+  /* 10.4.2 step 3 */

+  gcry_drbg_cpu_to_be32 (bytes_to_return, &L_N[4]);

+

+  /* 10.4.2 step 5: length is size of L_N, input_string, one byte, padding */

+  padlen = (inputlen + sizeof (L_N) + 1) % (gcry_drbg_blocklen (drbg));

+  /* wrap the padlen appropriately */

+  if (padlen)

+    padlen = gcry_drbg_blocklen (drbg) - padlen;

+  /* pad / padlen contains the 0x80 byte and the following zero bytes, so

+   * add one for byte for 0x80 */

+  padlen++;

+  pad[0] = 0x80;

+

+  /* 10.4.2 step 4 -- first fill the linked list and then order it */

+  gcry_drbg_string_fill (&S1, iv, gcry_drbg_blocklen (drbg));

+  gcry_drbg_string_fill (&S2, L_N, sizeof (L_N));

+  gcry_drbg_string_fill (&S4, pad, padlen);

+  S1.next = &S2;

+  S2.next = addtl;

+

+  /* Splice in addtl between S2 and S4 -- we place S4 at the end of the

+   * input data chain. As this code is only triggered when addtl is not

+   * NULL, no NULL checks are necessary.*/

+  tempstr = addtl;

+  while (tempstr->next)

+    tempstr = tempstr->next;

+  tempstr->next = &S4;

+

+  /* 10.4.2 step 9 */

+  while (templen < (gcry_drbg_keylen (drbg) + (gcry_drbg_blocklen (drbg))))

+    {

+      /* 10.4.2 step 9.1 - the padding is implicit as the buffer

+       * holds zeros after allocation -- even the increment of i

+       * is irrelevant as the increment remains within length of i */

+      gcry_drbg_cpu_to_be32 (i, iv);

+      /* 10.4.2 step 9.2 -- BCC and concatenation with temp */

+      ret = gcry_drbg_ctr_bcc (drbg, temp + templen, K, &S1;;

+      if (ret)

+	goto out;

+      /* 10.4.2 step 9.3 */

+      i++;

+      templen += gcry_drbg_blocklen (drbg);

+    }

+

+  /* 10.4.2 step 11 */

+  /* implicit key len with seedlen - blocklen according to table 3 */

+  X = temp + (gcry_drbg_keylen (drbg));

+  gcry_drbg_string_fill (&cipherin, X, gcry_drbg_blocklen (drbg));

+

+  /* 10.4.2 step 12: overwriting of outval */

+

+  /* 10.4.2 step 13 */

+  while (generated_len < bytes_to_return)

+    {

+      short blocklen = 0;

+      /* 10.4.2 step 13.1 */

+      /* the truncation of the key length is implicit as the key

+       * is only gcry_drbg_blocklen in size -- check for the implementation

+       * of the cipher function callback */

+      ret = gcry_drbg_sym (drbg, temp, X, &cipherin);

+      if (ret)

+	goto out;

+      blocklen = (gcry_drbg_blocklen (drbg) <

+		  (bytes_to_return - generated_len)) ?

+	gcry_drbg_blocklen (drbg) : (bytes_to_return - generated_len);

+      /* 10.4.2 step 13.2 and 14 */

+      memcpy (df_data + generated_len, X, blocklen);

+      generated_len += blocklen;