luna - wolfssl/wolfcrypt/src/random.c

   1/* random.c
   2 *
   3 * Copyright (C) 2006-2026 wolfSSL Inc.
   4 *
   5 * This file is part of wolfSSL.
   6 *
   7 * wolfSSL is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 3 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * wolfSSL is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20 */
  21
  22/*
  23
  24DESCRIPTION
  25This library contains implementation for the random number generator.
  26
  27*/
  28
  29/*
  30 * Random Number Generator Build Options:
  31 *
  32 * Core RNG:
  33 * WC_NO_RNG:               Disable RNG support entirely         default: off
  34 * HAVE_HASHDRBG:            Enable Hash-based DRBG (SP 800-90A) default: on
  35 * WC_RNG_BLOCKING:          Make RNG operations blocking         default: off
  36 * WC_VERBOSE_RNG:           Enable verbose RNG debug output      default: off
  37 * WC_RNG_SEED_CB:           Use custom seed callback function    default: off
  38 * WC_RNG_BANK_SUPPORT:      Enable RNG bank (pre-generated)     default: off
  39 *                            random data support
  40 * WOLFSSL_RNG_USE_FULL_SEED: Use full-length seed for DRBG      default: off
  41 * WOLFSSL_GENSEED_FORTEST:  Use deterministic seed for testing   default: off
  42 *                            WARNING: not for production use
  43 * WOLFSSL_KEEP_RNG_SEED_FD_OPEN: Keep /dev/random fd open       default: off
  44 *                            between seed operations
  45 *
  46 * Custom RNG Sources:
  47 * CUSTOM_RAND_GENERATE:     Custom random word generator func    default: off
  48 * CUSTOM_RAND_GENERATE_BLOCK: Custom block random generator      default: off
  49 * CUSTOM_RAND_GENERATE_SEED: Custom seed generator function      default: off
  50 * CUSTOM_RAND_GENERATE_SEED_OS: Custom OS-level seed generator   default: off
  51 *
  52 * Entropy Sources:
  53 * HAVE_ENTROPY_MEMUSE:      Enable memory-use based entropy      default: off
  54 *                            source for DRBG seeding
  55 * ENTROPY_MEMUSE_FORCE_FAILURE: Force entropy failure (testing)  default: off
  56 * HAVE_GETRANDOM:           Use Linux getrandom() syscall        default: auto
  57 * WOLFSSL_GETRANDOM:        Use getrandom() for seed source      default: auto
  58 * FORCE_FAILURE_GETRANDOM:  Force getrandom failure (testing)    default: off
  59 * NO_DEV_RANDOM:            Don't use /dev/random for seeding    default: off
  60 * NO_DEV_URANDOM:           Don't use /dev/urandom for seeding   default: off
  61 * HAVE_INTEL_RDRAND:        Use Intel RDRAND instruction         default: off
  62 * HAVE_INTEL_RDSEED:        Use Intel RDSEED instruction         default: off
  63 * HAVE_AMD_RDSEED:          Use AMD RDSEED instruction           default: off
  64 * IDIRECT_DEV_RANDOM:       iDirect custom /dev/random path      default: off
  65 * WIN_REUSE_CRYPT_HANDLE:   Reuse Windows CryptContext handle    default: off
  66 *
  67 * Entropy Tuning (for HAVE_ENTROPY_MEMUSE):
  68 * ENTROPY_NUM_UPDATE:       Number of updates per sample         default: 18
  69 *                            More updates = better entropy but slower
  70 * ENTROPY_NUM_UPDATES_BITS: Bits to represent ENTROPY_NUM_UPDATE default: 5
  71 *                            = upper(log2(ENTROPY_NUM_UPDATE))
  72 * ENTROPY_NUM_WORDS_BITS:   State size as 2^N entries            default: 14
  73 *                            Range: 8-30. Base on cache sizes.
  74 *                            Larger = more cache misses = better entropy
  75 *                            but more static memory usage.
  76 *
  77 * DRBG Health Tests:
  78 * WC_RNG_SEED_APT_CUTOFF:  Adaptive proportion test cutoff      default: auto
  79 * WC_RNG_SEED_APT_WINDOW:  Adaptive proportion test window size  default: auto
  80 * WC_RNG_SEED_RCT_CUTOFF:  Repetition count test cutoff         default: auto
  81 *
  82 * Hardware RNG:
  83 * STM32_RNG:                STM32 hardware RNG                   default: off
  84 * STM32_NUTTX_RNG:          STM32 RNG via NuttX                  default: off
  85 * WOLFSSL_STM32F427_RNG:    STM32F427 hardware RNG               default: off
  86 * WOLFSSL_STM32_RNG_NOLIB:  STM32 RNG without HAL library        default: off
  87 * WOLFSSL_PIC32MZ_RNG:      PIC32MZ hardware RNG                 default: off
  88 * FREESCALE_RNGA:           Freescale RNGA                       default: off
  89 * FREESCALE_K70_RNGA:       Freescale K70 RNGA                   default: off
  90 * FREESCALE_RNGB:           Freescale RNGB                       default: off
  91 * FREESCALE_KSDK_2_0_RNGA:  Freescale KSDK 2.0 RNGA             default: off
  92 * FREESCALE_KSDK_2_0_TRNG:  Freescale KSDK 2.0 TRNG             default: off
  93 * MAX3266X_RNG:             MAX3266X hardware RNG                 default: off
  94 * QAT_ENABLE_RNG:           Intel QAT hardware RNG               default: off
  95 * WOLFSSL_ATECC_RNG:        ATECC508/608 hardware RNG             default: off
  96 * WOLFSSL_SILABS_TRNG:      Silicon Labs TRNG                    default: off
  97 * WOLFSSL_SCE_NO_TRNG:      Disable Renesas SCE TRNG             default: off
  98 * WOLFSSL_SCE_TRNG_HANDLE:  Renesas SCE TRNG handle              default: off
  99 * WOLFSSL_SE050_NO_TRNG:    Disable SE050 TRNG                   default: off
 100 * WOLFSSL_PSA_NO_RNG:       Disable PSA RNG                      default: off
 101 * HAVE_IOTSAFE_HWRNG:       IoT-Safe hardware RNG                default: off
 102 * WOLFSSL_XILINX_CRYPT_VERSAL: Xilinx Versal crypto RNG          default: off
 103 */
 104
 105#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
 106
 107/* on HPUX 11 you may need to install /dev/random see
 108   http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I
 109
 110*/
 111#if defined(ESP_IDF_VERSION_MAJOR) && ESP_IDF_VERSION_MAJOR >= 5
 112    #include <esp_random.h>
 113#endif
 114
 115#if defined(HAVE_FIPS) && \
 116    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
 117
 118    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
 119    #define FIPS_NO_WRAPPERS
 120
 121    #ifdef USE_WINDOWS_API
 122        #pragma code_seg(".fipsA$i")
 123        #pragma const_seg(".fipsB$i")
 124    #endif
 125#endif
 126
 127
 128#include <wolfssl/wolfcrypt/random.h>
 129#ifdef WC_RNG_BANK_SUPPORT
 130    #include <wolfssl/wolfcrypt/rng_bank.h>
 131#endif
 132#include <wolfssl/wolfcrypt/cpuid.h>
 133
 134#ifndef WC_NO_RNG /* if not FIPS and RNG is disabled then do not compile */
 135
 136#ifndef NO_SHA256
 137    #include <wolfssl/wolfcrypt/sha256.h>
 138#endif
 139#ifdef WOLFSSL_DRBG_SHA512
 140    #include <wolfssl/wolfcrypt/sha512.h>
 141#endif
 142
 143#ifdef WOLF_CRYPTO_CB
 144    #include <wolfssl/wolfcrypt/cryptocb.h>
 145#endif
 146
 147#ifdef NO_INLINE
 148    #include <wolfssl/wolfcrypt/misc.h>
 149#else
 150    #define WOLFSSL_MISC_INCLUDED
 151    #include <wolfcrypt/src/misc.c>
 152#endif
 153
 154#if defined(WOLFSSL_SGX)
 155    #include <sgx_trts.h>
 156#elif defined(USE_WINDOWS_API)
 157    #ifndef _WIN32_WINNT
 158        #define _WIN32_WINNT 0x0400
 159    #endif
 160    #define _WINSOCKAPI_ /* block inclusion of winsock.h header file */
 161    #include <windows.h>
 162    #include <wincrypt.h>
 163    #undef _WINSOCKAPI_ /* undefine it for MINGW winsock2.h header file */
 164#elif defined(HAVE_WNR)
 165    #include <wnr.h>
 166    wolfSSL_Mutex wnr_mutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(wnr_mutex);    /* global netRandom mutex */
 167    int wnr_timeout     = 0;    /* entropy timeout, milliseconds */
 168    #ifndef WOLFSSL_MUTEX_INITIALIZER
 169    int wnr_mutex_inited = 0;   /* flag for mutex init */
 170    #endif
 171    int wnr_inited = 0;    /* flag for whether wc_InitNetRandom() has been called */
 172    wnr_context*  wnr_ctx;      /* global netRandom context */
 173#elif defined(FREESCALE_KSDK_2_0_TRNG)
 174    #include "fsl_trng.h"
 175#elif defined(FREESCALE_KSDK_2_0_RNGA)
 176    #include "fsl_rnga.h"
 177#elif defined(WOLFSSL_WICED)
 178    #include "wiced_crypto.h"
 179#elif defined(WOLFSSL_NETBURNER)
 180    #include <predef.h>
 181    #include <basictypes.h>
 182    #include <random.h>
 183#elif defined(WOLFSSL_XILINX_CRYPT_VERSAL)
 184    #include "wolfssl/wolfcrypt/port/xilinx/xil-versal-trng.h"
 185#elif defined(WOLFSSL_RPIPICO)
 186    #include "wolfssl/wolfcrypt/port/rpi_pico/pico.h"
 187#elif defined(NO_DEV_RANDOM)
 188#elif defined(CUSTOM_RAND_GENERATE)
 189#elif defined(CUSTOM_RAND_GENERATE_BLOCK)
 190#elif defined(CUSTOM_RAND_GENERATE_SEED)
 191#elif defined(WOLFSSL_GENSEED_FORTEST)
 192#elif defined(WOLFSSL_MDK_ARM)
 193#elif defined(WOLFSSL_IAR_ARM)
 194#elif defined(WOLFSSL_ROWLEY_ARM)
 195#elif defined(WOLFSSL_EMBOS)
 196#elif defined(WOLFSSL_DEOS)
 197#elif defined(MICRIUM)
 198#elif defined(WOLFSSL_NUCLEUS)
 199#elif defined(WOLFSSL_PB)
 200#elif defined(WOLFSSL_ZEPHYR)
 201#elif defined(WOLFSSL_TELIT_M2MB)
 202#elif defined(WOLFSSL_RENESAS_TSIP)
 203    /* for wc_tsip_GenerateRandBlock */
 204    #include "wolfssl/wolfcrypt/port/Renesas/renesas_tsip_internal.h"
 205#elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_TRNG)
 206#elif defined(WOLFSSL_IMXRT1170_CAAM)
 207#elif defined(CY_USING_HAL) && defined(COMPONENT_WOLFSSL)
 208    #include "cyhal_trng.h" /* Infineon/Cypress HAL RNG implementation */
 209#elif defined(WOLFSSL_MAX3266X) || defined(WOLFSSL_MAX3266X_OLD)
 210    #include "wolfssl/wolfcrypt/port/maxim/max3266x.h"
 211#else
 212    #include <errno.h>
 213    #if defined(WOLFSSL_GETRANDOM) || defined(HAVE_GETRANDOM)
 214        #include <sys/random.h>
 215    #endif
 216    /* include headers that may be needed to get good seed */
 217    #include <fcntl.h>
 218    #ifndef EBSNET
 219        #include <unistd.h>
 220    #endif
 221#endif
 222
 223#if defined(WOLFSSL_SILABS_SE_ACCEL)
 224#include <wolfssl/wolfcrypt/port/silabs/silabs_random.h>
 225#endif
 226
 227#if defined(WOLFSSL_IOTSAFE) && defined(HAVE_IOTSAFE_HWRNG)
 228#include <wolfssl/wolfcrypt/port/iotsafe/iotsafe.h>
 229#endif
 230
 231#if defined(WOLFSSL_HAVE_PSA) && !defined(WOLFSSL_PSA_NO_RNG)
 232#include <wolfssl/wolfcrypt/port/psa/psa.h>
 233#endif
 234
 235#if FIPS_VERSION3_GE(6,0,0)
 236    const unsigned int wolfCrypt_FIPS_drbg_ro_sanity[2] =
 237                                                     { 0x1a2b3c4d, 0x00000011 };
 238    int wolfCrypt_FIPS_DRBG_sanity(void)
 239    {
 240        return 0;
 241    }
 242#endif
 243
 244#if defined(HAVE_INTEL_RDRAND) || defined(HAVE_INTEL_RDSEED) || \
 245    defined(HAVE_AMD_RDSEED)
 246    static cpuid_flags_t intel_flags = WC_CPUID_INITIALIZER;
 247    static void wc_InitRng_IntelRD(void)
 248    {
 249        cpuid_get_flags_ex(&intel_flags);
 250    }
 251    #if defined(HAVE_INTEL_RDSEED) || defined(HAVE_AMD_RDSEED)
 252    static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz);
 253    #endif
 254    #ifdef HAVE_INTEL_RDRAND
 255    static int wc_GenerateRand_IntelRD(OS_Seed* os, byte* output, word32 sz);
 256    #endif
 257
 258#ifdef USE_WINDOWS_API
 259    #define USE_INTEL_INTRINSICS
 260#elif !defined __GNUC__ || defined __clang__ || __GNUC__ > 4
 261    #define USE_INTEL_INTRINSICS
 262#else
 263    #undef USE_INTEL_INTRINSICS
 264#endif
 265
 266#ifdef USE_INTEL_INTRINSICS
 267    #include <immintrin.h>
 268    /* Before clang 7 or GCC 9, immintrin.h did not define _rdseed64_step() */
 269    #ifndef HAVE_INTEL_RDSEED
 270    #elif defined __clang__ && __clang_major__ > 6
 271    #elif !defined __GNUC__
 272    #elif __GNUC__ > 8
 273    #else
 274        #ifndef __clang__
 275            #pragma GCC push_options
 276            #pragma GCC target("rdseed")
 277        #else
 278            #define __RDSEED__
 279        #endif
 280        #include <x86intrin.h>
 281        #ifndef __clang__
 282            #pragma GCC pop_options
 283        #endif
 284    #endif
 285#endif /* USE_WINDOWS_API */
 286#endif
 287
 288/* Start NIST DRBG code */
 289#ifdef HAVE_HASHDRBG
 290
 291#define OUTPUT_BLOCK_LEN  (WC_SHA256_DIGEST_SIZE)
 292#define MAX_REQUEST_LEN   (0x10000)
 293
 294#ifdef WC_RNG_SEED_CB
 295
 296#ifndef HAVE_FIPS
 297static wc_RngSeed_Cb seedCb = wc_GenerateSeed;
 298#else
 299static wc_RngSeed_Cb seedCb = NULL;
 300#endif
 301
 302int wc_SetSeed_Cb(wc_RngSeed_Cb cb)
 303{
 304    seedCb = cb;
 305    return 0;
 306}
 307
 308#endif
 309
 310
 311/* Internal return codes */
 312#define DRBG_SUCCESS      0
 313#define DRBG_FAILURE      1
 314#define DRBG_NEED_RESEED  2
 315#define DRBG_CONT_FAILURE 3
 316#define DRBG_NO_SEED_CB   4
 317
 318/* RNG health states */
 319#define DRBG_NOT_INIT     WC_DRBG_NOT_INIT
 320#define DRBG_OK           WC_DRBG_OK
 321#define DRBG_FAILED       WC_DRBG_FAILED
 322#define DRBG_CONT_FAILED  WC_DRBG_CONT_FAILED
 323
 324#define SEED_SZ           WC_DRBG_SEED_SZ
 325#define MAX_SEED_SZ       WC_DRBG_MAX_SEED_SZ
 326
 327/* Verify max gen block len */
 328#if RNG_MAX_BLOCK_LEN > MAX_REQUEST_LEN
 329    #error RNG_MAX_BLOCK_LEN is larger than NIST DBRG max request length
 330#endif
 331
 332enum {
 333    drbgInitC     = 0,
 334    drbgReseed    = 1,
 335    drbgGenerateW = 2,
 336    drbgGenerateH = 3,
 337    drbgInitV     = 4
 338};
 339
 340#ifndef NO_SHA256
 341typedef struct DRBG_internal DRBG_internal;
 342#endif
 343
 344#ifdef WOLFSSL_DRBG_SHA512
 345typedef struct DRBG_SHA512_internal DRBG_SHA512_internal;
 346
 347static int Hash512_DRBG_Reseed(DRBG_SHA512_internal* drbg, const byte* seed,
 348                               word32 seedSz,
 349                               const byte* additional, word32 additionalSz);
 350static int Hash512_DRBG_Generate(DRBG_SHA512_internal* drbg, byte* out,
 351                                 word32 outSz,
 352                                 const byte* additional, word32 additionalSz);
 353static int Hash512_DRBG_Instantiate(DRBG_SHA512_internal* drbg,
 354                                    const byte* seed, word32 seedSz,
 355                                    const byte* nonce, word32 nonceSz,
 356                                    const byte* perso, word32 persoSz,
 357                                    void* heap, int devId);
 358static int Hash512_DRBG_Uninstantiate(DRBG_SHA512_internal* drbg);
 359#endif
 360
 361/* Runtime DRBG disable state.
 362 * These flags control which DRBG type is used for new WC_RNG instances and
 363 * may be toggled at runtime (e.g. NSA Suite 2.0 threads disable SHA-256).
 364 * A mutex protects the check-then-set in disable functions so concurrent
 365 * calls cannot bypass the mutual-exclusion guard and disable both DRBG types.
 366 * _InitRng also holds the mutex while reading the flags to get a consistent
 367 * snapshot, and returns BAD_STATE_E if both are somehow disabled. */
 368#ifndef NO_SHA256
 369#ifdef WOLFSSL_NO_SHA256_DRBG
 370static int sha256DrbgDisabled = 1;
 371#else
 372static int sha256DrbgDisabled = 0;
 373#endif
 374#endif
 375#ifdef WOLFSSL_DRBG_SHA512
 376static int sha512DrbgDisabled = 0;
 377#endif
 378
 379#ifndef SINGLE_THREADED
 380static wolfSSL_Mutex drbgStateMutex
 381    WOLFSSL_MUTEX_INITIALIZER_CLAUSE(drbgStateMutex);
 382#ifndef WOLFSSL_MUTEX_INITIALIZER
 383static int drbgStateMutex_inited = 0;
 384#endif
 385#endif /* !SINGLE_THREADED */
 386
 387int wc_DrbgState_MutexInit(void)
 388{
 389#ifndef SINGLE_THREADED
 390#ifndef WOLFSSL_MUTEX_INITIALIZER
 391    if (!drbgStateMutex_inited) {
 392        int ret = wc_InitMutex(&drbgStateMutex);
 393        if (ret != 0)
 394            return ret;
 395        drbgStateMutex_inited = 1;
 396    }
 397#endif
 398#endif
 399    return 0;
 400}
 401
 402int wc_DrbgState_MutexFree(void)
 403{
 404#ifndef SINGLE_THREADED
 405#ifndef WOLFSSL_MUTEX_INITIALIZER
 406    if (drbgStateMutex_inited) {
 407        int ret = wc_FreeMutex(&drbgStateMutex);
 408        drbgStateMutex_inited = 0;
 409        return ret;
 410    }
 411#endif
 412#endif
 413    return 0;
 414}
 415
 416static int LockDrbgState(void)
 417{
 418#ifndef SINGLE_THREADED
 419    return wc_LockMutex(&drbgStateMutex);
 420#else
 421    return 0;
 422#endif
 423}
 424
 425static int UnlockDrbgState(void)
 426{
 427#ifndef SINGLE_THREADED
 428    return wc_UnLockMutex(&drbgStateMutex);
 429#else
 430    return 0;
 431#endif
 432}
 433
 434static int wc_RNG_HealthTestLocal(WC_RNG* rng, int reseed, void* heap,
 435                                  int devId);
 436
 437#ifdef WOLFSSL_DRBG_SHA512
 438static int wc_RNG_HealthTest_SHA512_ex_internal(DRBG_SHA512_internal* drbg,
 439                                  int reseed, const byte* nonce, word32 nonceSz,
 440                                  const byte* perso, word32 persoSz,
 441                                  const byte* seedA, word32 seedASz,
 442                                  const byte* seedB, word32 seedBSz,
 443                                  const byte* additionalA, word32 additionalASz,
 444                                  const byte* additionalB, word32 additionalBSz,
 445                                  byte* output, word32 outputSz,
 446                                  void* heap, int devId);
 447#endif
 448
 449/* The SHA-256 Hash_DRBG core (Hash_df, Hash_DRBG_*) operates on
 450 * DRBG_internal, which random.h defines only when SHA-256 is compiled in.
 451 * Wrap the whole block so a NO_SHA256 + WOLFSSL_DRBG_SHA512 build (the
 452 * SHA-512-only DRBG configuration) still compiles. The SHA-512 DRBG core
 453 * lives below in its own #ifdef WOLFSSL_DRBG_SHA512 section. */
 454#ifndef NO_SHA256
 455
 456/* Hash Derivation Function */
 457/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
 458static int Hash_df(DRBG_internal* drbg, byte* out, word32 outSz, byte type,
 459                                                  const byte* inA, word32 inASz,
 460                                                  const byte* inB, word32 inBSz,
 461                                                  const byte* inC, word32 inCSz)
 462{
 463    int ret = DRBG_FAILURE;
 464    byte ctr;
 465    word32 i;
 466    word32 len;
 467    word32 bits = (outSz * 8); /* reverse byte order */
 468#ifdef WOLFSSL_SMALL_STACK_CACHE
 469    wc_Sha256* sha = &drbg->sha256;
 470#else
 471    wc_Sha256 sha[1];
 472#endif
 473#if defined(WOLFSSL_SMALL_STACK_CACHE)
 474    byte* digest = drbg->digest_scratch;
 475#elif defined(WOLFSSL_SMALL_STACK)
 476    byte* digest;
 477#else
 478    byte digest[WC_SHA256_DIGEST_SIZE];
 479#endif
 480
 481    if (drbg == NULL) {
 482        return DRBG_FAILURE;
 483    }
 484
 485#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
 486    digest = (byte*)XMALLOC(WC_SHA256_DIGEST_SIZE, drbg->heap,
 487        DYNAMIC_TYPE_DIGEST);
 488    if (digest == NULL)
 489        return DRBG_FAILURE;
 490#endif
 491
 492#ifdef LITTLE_ENDIAN_ORDER
 493    bits = ByteReverseWord32(bits);
 494#endif
 495    len = (outSz / OUTPUT_BLOCK_LEN)
 496        + ((outSz % OUTPUT_BLOCK_LEN) ? 1 : 0);
 497
 498    ctr = 1;
 499    for (i = 0; i < len; i++) {
 500#ifndef WOLFSSL_SMALL_STACK_CACHE
 501    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
 502        ret = wc_InitSha256_ex(sha, drbg->heap, drbg->devId);
 503    #else
 504        ret = wc_InitSha256(sha);
 505    #endif
 506        if (ret != 0)
 507            break;
 508#endif
 509        ret = wc_Sha256Update(sha, &ctr, sizeof(ctr));
 510        if (ret == 0) {
 511            ctr++;
 512            ret = wc_Sha256Update(sha, (byte*)&bits, sizeof(bits));
 513        }
 514
 515        if (ret == 0) {
 516            /* churning V is the only string that doesn't have the type added */
 517            if (type != drbgInitV)
 518                ret = wc_Sha256Update(sha, &type, sizeof(type));
 519        }
 520        if (ret == 0)
 521            ret = wc_Sha256Update(sha, inA, inASz);
 522        if (ret == 0) {
 523            if (inB != NULL && inBSz > 0)
 524                ret = wc_Sha256Update(sha, inB, inBSz);
 525        }
 526        if (ret == 0) {
 527            if (inC != NULL && inCSz > 0)
 528                ret = wc_Sha256Update(sha, inC, inCSz);
 529        }
 530        if (ret == 0)
 531            ret = wc_Sha256Final(sha, digest);
 532
 533#ifndef WOLFSSL_SMALL_STACK_CACHE
 534        wc_Sha256Free(sha);
 535#endif
 536        if (ret == 0) {
 537            if (outSz > OUTPUT_BLOCK_LEN) {
 538                XMEMCPY(out, digest, OUTPUT_BLOCK_LEN);
 539                outSz -= OUTPUT_BLOCK_LEN;
 540                out += OUTPUT_BLOCK_LEN;
 541            }
 542            else {
 543                XMEMCPY(out, digest, outSz);
 544            }
 545        }
 546    }
 547
 548    ForceZero(digest, WC_SHA256_DIGEST_SIZE);
 549
 550#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
 551    XFREE(digest, drbg->heap, DYNAMIC_TYPE_DIGEST);
 552#endif
 553
 554#ifdef WC_VERBOSE_RNG
 555    if (ret != 0)
 556        WOLFSSL_DEBUG_PRINTF("ERROR: %s failed with err = %d", __FUNCTION__,
 557                             ret);
 558#endif
 559
 560    return (ret == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
 561}
 562
 563/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
 564static int Hash_DRBG_Reseed(DRBG_internal* drbg, const byte* seed, word32 seedSz,
 565                            const byte* additional, word32 additionalSz)
 566{
 567    int ret;
 568    WC_DECLARE_VAR(newV, byte, DRBG_SEED_LEN, 0);
 569
 570    if (drbg == NULL) {
 571        return DRBG_FAILURE;
 572    }
 573
 574#ifdef WOLFSSL_SMALL_STACK_CACHE
 575    newV = drbg->seed_scratch;
 576#else
 577    WC_ALLOC_VAR_EX(newV, byte, DRBG_SEED_LEN, drbg->heap,
 578        DYNAMIC_TYPE_TMP_BUFFER, return MEMORY_E);
 579#endif
 580    XMEMSET(newV, 0, DRBG_SEED_LEN);
 581
 582    ret = Hash_df(drbg, newV, DRBG_SEED_LEN, drbgReseed,
 583                drbg->V, sizeof(drbg->V), seed, seedSz,
 584                additional, additionalSz);
 585    if (ret == DRBG_SUCCESS) {
 586        XMEMCPY(drbg->V, newV, sizeof(drbg->V));
 587
 588        ret = Hash_df(drbg, drbg->C, sizeof(drbg->C), drbgInitC, drbg->V,
 589                                    sizeof(drbg->V), NULL, 0, NULL, 0);
 590    }
 591    if (ret == DRBG_SUCCESS) {
 592        drbg->reseedCtr = 1;
 593    }
 594
 595    ForceZero(newV, DRBG_SEED_LEN);
 596
 597#ifndef WOLFSSL_SMALL_STACK_CACHE
 598    WC_FREE_VAR_EX(newV, drbg->heap, DYNAMIC_TYPE_TMP_BUFFER);
 599#endif
 600
 601    #ifdef WC_VERBOSE_RNG
 602    if (ret != 0)
 603        WOLFSSL_DEBUG_PRINTF("ERROR: Hash_DRBG_Reseed failed with err %d.",
 604                             ret);
 605    #endif
 606
 607    return ret;
 608}
 609
 610#endif /* !NO_SHA256 - close before wc_RNG_DRBG_Reseed (dual-DRBG-aware)
 611        *              and array_add_one (shared utility) which both must
 612        *              remain available to SHA-512-only builds */
 613
 614/* Returns: DRBG_SUCCESS and DRBG_FAILURE or BAD_FUNC_ARG on fail */
 615int wc_RNG_DRBG_Reseed(WC_RNG* rng, const byte* seed, word32 seedSz)
 616{
 617    if (rng == NULL || seed == NULL) {
 618        return BAD_FUNC_ARG;
 619    }
 620
 621#ifndef NO_SHA256
 622    if (rng->drbgType == WC_DRBG_SHA256) {
 623        if (rng->drbg == NULL) {
 624        #if defined(HAVE_INTEL_RDSEED) || defined(HAVE_INTEL_RDRAND)
 625            if (IS_INTEL_RDRAND(intel_flags)) {
 626                /* using RDRAND not DRBG, so return success */
 627                return 0;
 628            }
 629        #endif
 630            return BAD_FUNC_ARG;
 631        }
 632        return Hash_DRBG_Reseed((DRBG_internal *)rng->drbg, seed, seedSz,
 633                                NULL, 0);
 634    }
 635#endif
 636#ifdef WOLFSSL_DRBG_SHA512
 637    if (rng->drbgType == WC_DRBG_SHA512) {
 638        if (rng->drbg512 == NULL) {
 639        #if defined(HAVE_INTEL_RDSEED) || defined(HAVE_INTEL_RDRAND)
 640            if (IS_INTEL_RDRAND(intel_flags)) {
 641                /* using RDRAND not DRBG, so return success */
 642                return 0;
 643            }
 644        #endif
 645            return BAD_FUNC_ARG;
 646        }
 647        return Hash512_DRBG_Reseed((DRBG_SHA512_internal *)rng->drbg512,
 648                                   seed, seedSz, NULL, 0);
 649    }
 650#endif
 651
 652    /* No DRBG type matched; if using RDRAND, that's OK */
 653#if defined(HAVE_INTEL_RDSEED) || defined(HAVE_INTEL_RDRAND)
 654    if (IS_INTEL_RDRAND(intel_flags)) {
 655        return 0;
 656    }
 657#endif
 658
 659    return BAD_FUNC_ARG;
 660}
 661
 662/* Generic byte-array helper -- shared by both SHA-256 and SHA-512 DRBG
 663 * cores. Lives outside the NO_SHA256 guard so SHA-512-only builds
 664 * still link. */
 665static WC_INLINE void array_add_one(byte* data, word32 dataSz)
 666{
 667    int i;
 668    for (i = (int)dataSz - 1; i >= 0; i--) {
 669        data[i]++;
 670        if (data[i] != 0) break;
 671    }
 672}
 673
 674#ifndef NO_SHA256 /* re-open SHA-256 Hash_DRBG core */
 675
 676/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
 677static int Hash_gen(DRBG_internal* drbg, byte* out, word32 outSz, const byte* V)
 678{
 679    int ret = DRBG_FAILURE;
 680    word32 i;
 681    word32 len;
 682#if defined(WOLFSSL_SMALL_STACK_CACHE)
 683    wc_Sha256* sha = &drbg->sha256;
 684    byte* data = drbg->seed_scratch;
 685    byte* digest = drbg->digest_scratch;
 686#elif defined(WOLFSSL_SMALL_STACK)
 687    wc_Sha256 sha[1];
 688    byte* data = NULL;
 689    byte* digest = NULL;
 690#else
 691    wc_Sha256 sha[1];
 692    byte data[DRBG_SEED_LEN];
 693    byte digest[WC_SHA256_DIGEST_SIZE];
 694#endif
 695
 696    if (drbg == NULL) {
 697        return DRBG_FAILURE;
 698    }
 699
 700#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
 701    data = (byte*)XMALLOC(DRBG_SEED_LEN, drbg->heap, DYNAMIC_TYPE_TMP_BUFFER);
 702    digest = (byte*)XMALLOC(WC_SHA256_DIGEST_SIZE, drbg->heap,
 703        DYNAMIC_TYPE_DIGEST);
 704    if (data == NULL || digest == NULL) {
 705        XFREE(digest, drbg->heap, DYNAMIC_TYPE_DIGEST);
 706        XFREE(data, drbg->heap, DYNAMIC_TYPE_TMP_BUFFER);
 707        return DRBG_FAILURE;
 708    }
 709#endif
 710
 711    /* Special case: outSz is 0 and out is NULL. wc_Generate a block to save for
 712     * the continuous test. */
 713
 714    if (outSz == 0) {
 715        outSz = 1;
 716    }
 717
 718    len = (outSz / OUTPUT_BLOCK_LEN) + ((outSz % OUTPUT_BLOCK_LEN) ? 1 : 0);
 719
 720    XMEMCPY(data, V, DRBG_SEED_LEN);
 721    for (i = 0; i < len; i++) {
 722#ifndef WOLFSSL_SMALL_STACK_CACHE
 723    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
 724        ret = wc_InitSha256_ex(sha, drbg->heap, drbg->devId);
 725    #else
 726        ret = wc_InitSha256(sha);
 727    #endif
 728        if (ret == 0)
 729#endif
 730            ret = wc_Sha256Update(sha, data, DRBG_SEED_LEN);
 731        if (ret == 0)
 732            ret = wc_Sha256Final(sha, digest);
 733#ifndef WOLFSSL_SMALL_STACK_CACHE
 734        wc_Sha256Free(sha);
 735#endif
 736
 737        if (ret == 0) {
 738            if (out != NULL && outSz != 0) {
 739                if (outSz >= OUTPUT_BLOCK_LEN) {
 740                    XMEMCPY(out, digest, OUTPUT_BLOCK_LEN);
 741                    outSz -= OUTPUT_BLOCK_LEN;
 742                    out += OUTPUT_BLOCK_LEN;
 743                    array_add_one(data, DRBG_SEED_LEN);
 744                }
 745                else {
 746                    XMEMCPY(out, digest, outSz);
 747                    outSz = 0;
 748                }
 749            }
 750        }
 751        else {
 752            /* wc_Sha256Update or wc_Sha256Final returned error */
 753            break;
 754        }
 755    }
 756    ForceZero(data, DRBG_SEED_LEN);
 757
 758#ifndef WOLFSSL_SMALL_STACK_CACHE
 759    WC_FREE_VAR_EX(digest, drbg->heap, DYNAMIC_TYPE_DIGEST);
 760    WC_FREE_VAR_EX(data, drbg->heap, DYNAMIC_TYPE_TMP_BUFFER);
 761#endif
 762
 763    #ifdef WC_VERBOSE_RNG
 764    if ((ret != DRBG_SUCCESS) && (ret != DRBG_FAILURE)) {
 765        /* Note, if we're just going to return DRBG_FAILURE to the caller, then
 766         * there's no point printing it out here because (1) the lower-level
 767         * code that was remapped to DRBG_FAILURE already got printed before the
 768         * remapping, so a DRBG_FAILURE message would just be spamming the log,
 769         * and (2) the caller will actually see the DRBG_FAILURE code, and is
 770         * free to (and probably will) log it itself.
 771         */
 772        WOLFSSL_DEBUG_PRINTF("ERROR: Hash_gen failed with err %d.", ret);
 773    }
 774    #endif
 775
 776    return (ret == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
 777}
 778
 779#endif /* !NO_SHA256 - close to expose array_add to SHA-512 below */
 780
 781/* Generic multi-byte add. Shared by SHA-256 and SHA-512 DRBG cores;
 782 * lives outside the NO_SHA256 guard so SHA-512-only builds still link. */
 783static WC_INLINE void array_add(byte* d, word32 dLen, const byte* s, word32 sLen)
 784{
 785    if (dLen > 0 && sLen > 0 && dLen >= sLen) {
 786        int sIdx, dIdx;
 787        word16 carry = 0;
 788
 789        dIdx = (int)dLen - 1;
 790        for (sIdx = (int)sLen - 1; sIdx >= 0; sIdx--) {
 791            carry = (word16)(carry + d[dIdx] + s[sIdx]);
 792            d[dIdx] = (byte)carry;
 793            carry >>= 8;
 794            dIdx--;
 795        }
 796
 797        for (; dIdx >= 0; dIdx--) {
 798            carry = (word16)(carry + d[dIdx]);
 799            d[dIdx] = (byte)carry;
 800            carry >>= 8;
 801        }
 802    }
 803}
 804
 805#ifndef NO_SHA256 /* re-open SHA-256 Hash_DRBG core */
 806
 807/* Returns: DRBG_SUCCESS, DRBG_NEED_RESEED, or DRBG_FAILURE */
 808static int Hash_DRBG_Generate(DRBG_internal* drbg, byte* out, word32 outSz,
 809                              const byte* additional, word32 additionalSz)
 810{
 811    int ret;
 812#ifdef WOLFSSL_SMALL_STACK_CACHE
 813    wc_Sha256* sha = &drbg->sha256;
 814#else
 815    wc_Sha256 sha[1];
 816#endif
 817    byte type;
 818#ifdef WORD64_AVAILABLE
 819    word64 reseedCtr;
 820#else
 821    word32 reseedCtr;
 822#endif
 823
 824    if (drbg == NULL) {
 825        return DRBG_FAILURE;
 826    }
 827
 828    if (drbg->reseedCtr >= WC_RESEED_INTERVAL) {
 829    #if (defined(DEBUG_WOLFSSL) || defined(DEBUG_DRBG_RESEEDS)) && \
 830        defined(WOLFSSL_DEBUG_PRINTF)
 831        WOLFSSL_DEBUG_PRINTF("DRBG reseed triggered, reseedCtr == %lu",
 832                (unsigned long)drbg->reseedCtr);
 833    #endif
 834        return DRBG_NEED_RESEED;
 835    }
 836    else {
 837    #if defined(WOLFSSL_SMALL_STACK_CACHE)
 838        byte* digest = drbg->digest_scratch;
 839    #elif defined(WOLFSSL_SMALL_STACK)
 840        byte* digest = (byte*)XMALLOC(WC_SHA256_DIGEST_SIZE, drbg->heap,
 841            DYNAMIC_TYPE_DIGEST);
 842        if (digest == NULL)
 843            return DRBG_FAILURE;
 844    #else
 845        byte digest[WC_SHA256_DIGEST_SIZE];
 846    #endif
 847
 848        type = drbgGenerateH;
 849        reseedCtr = drbg->reseedCtr;
 850
 851        /* SP 800-90A 10.1.1.4 step 2: if additional_input != Null,
 852         * w = Hash(0x02 || V || additional_input), V = (V + w) mod 2^seedlen */
 853        if (additional != NULL && additionalSz > 0) {
 854            byte addType = drbgGenerateW;
 855#ifndef WOLFSSL_SMALL_STACK_CACHE
 856        #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
 857            ret = wc_InitSha256_ex(sha, drbg->heap, drbg->devId);
 858        #else
 859            ret = wc_InitSha256(sha);
 860        #endif
 861            if (ret != 0) {
 862            #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
 863                XFREE(digest, drbg->heap, DYNAMIC_TYPE_DIGEST);
 864            #endif
 865                return DRBG_FAILURE;
 866            }
 867#else
 868            ret = 0;
 869#endif
 870            if (ret == 0)
 871                ret = wc_Sha256Update(sha, &addType, sizeof(addType));
 872            if (ret == 0)
 873                ret = wc_Sha256Update(sha, drbg->V, sizeof(drbg->V));
 874            if (ret == 0)
 875                ret = wc_Sha256Update(sha, additional, additionalSz);
 876            if (ret == 0)
 877                ret = wc_Sha256Final(sha, digest);
 878#ifndef WOLFSSL_SMALL_STACK_CACHE
 879            wc_Sha256Free(sha);
 880#endif
 881            if (ret == 0) {
 882                array_add(drbg->V, sizeof(drbg->V), digest,
 883                          WC_SHA256_DIGEST_SIZE);
 884            }
 885            else {
 886                ForceZero(digest, WC_SHA256_DIGEST_SIZE);
 887            #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
 888                XFREE(digest, drbg->heap, DYNAMIC_TYPE_DIGEST);
 889            #endif
 890                return DRBG_FAILURE;
 891            }
 892        }
 893
 894        ret = Hash_gen(drbg, out, outSz, drbg->V);
 895        if (ret == DRBG_SUCCESS) {
 896#ifndef WOLFSSL_SMALL_STACK_CACHE
 897        #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
 898            ret = wc_InitSha256_ex(sha, drbg->heap, drbg->devId);
 899        #else
 900            ret = wc_InitSha256(sha);
 901        #endif
 902            if (ret == 0)
 903#endif
 904                ret = wc_Sha256Update(sha, &type, sizeof(type));
 905            if (ret == 0)
 906                ret = wc_Sha256Update(sha, drbg->V, sizeof(drbg->V));
 907            if (ret == 0)
 908                ret = wc_Sha256Final(sha, digest);
 909
 910#ifndef WOLFSSL_SMALL_STACK_CACHE
 911            wc_Sha256Free(sha);
 912#endif
 913
 914            if (ret == 0) {
 915                array_add(drbg->V, sizeof(drbg->V), digest, WC_SHA256_DIGEST_SIZE);
 916                array_add(drbg->V, sizeof(drbg->V), drbg->C, sizeof(drbg->C));
 917            #ifdef LITTLE_ENDIAN_ORDER
 918                #ifdef WORD64_AVAILABLE
 919                reseedCtr = ByteReverseWord64(reseedCtr);
 920                #else
 921                reseedCtr = ByteReverseWord32(reseedCtr);
 922                #endif
 923            #endif
 924                array_add(drbg->V, sizeof(drbg->V),
 925                                          (byte*)&reseedCtr, sizeof(reseedCtr));
 926                ret = DRBG_SUCCESS;
 927            }
 928            drbg->reseedCtr++;
 929        }
 930        ForceZero(digest, WC_SHA256_DIGEST_SIZE);
 931    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
 932        XFREE(digest, drbg->heap, DYNAMIC_TYPE_DIGEST);
 933    #endif
 934    }
 935
 936    #ifdef WC_VERBOSE_RNG
 937    if ((ret != DRBG_SUCCESS) && (ret != DRBG_FAILURE)) {
 938        /* see note above regarding log spam reduction */
 939        WOLFSSL_DEBUG_PRINTF("ERROR: Hash_DRBG_Generate failed with err %d.",
 940                             ret);
 941    }
 942    #endif
 943
 944    return (ret == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
 945}
 946
 947/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
 948static int Hash_DRBG_Init(DRBG_internal* drbg, const byte* seed, word32 seedSz,
 949                                             const byte* nonce, word32 nonceSz,
 950                                             const byte* perso, word32 persoSz)
 951{
 952    if (seed == NULL)
 953        return DRBG_FAILURE;
 954
 955    if (Hash_df(drbg, drbg->V, sizeof(drbg->V), drbgInitV, seed, seedSz,
 956                                              nonce, nonceSz,
 957                                              perso, persoSz) == DRBG_SUCCESS &&
 958        Hash_df(drbg, drbg->C, sizeof(drbg->C), drbgInitC, drbg->V,
 959                                    sizeof(drbg->V), NULL, 0,
 960                                    NULL, 0) == DRBG_SUCCESS) {
 961
 962        drbg->reseedCtr = 1;
 963        return DRBG_SUCCESS;
 964    }
 965    else {
 966        return DRBG_FAILURE;
 967    }
 968}
 969
 970/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
 971static int Hash_DRBG_Instantiate(DRBG_internal* drbg, const byte* seed,
 972                                 word32 seedSz, const byte* nonce,
 973                                 word32 nonceSz, const byte* perso,
 974                                 word32 persoSz, void* heap, int devId)
 975{
 976    int ret = DRBG_FAILURE;
 977
 978    XMEMSET(drbg, 0, sizeof(DRBG_internal));
 979    drbg->heap = heap;
 980#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
 981    drbg->devId = devId;
 982#else
 983    (void)devId;
 984#endif
 985
 986#ifdef WOLFSSL_SMALL_STACK_CACHE
 987    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
 988        ret = wc_InitSha256_ex(&drbg->sha256, drbg->heap, drbg->devId);
 989    #else
 990        ret = wc_InitSha256(&drbg->sha256);
 991    #endif
 992    if (ret != 0)
 993        return ret;
 994#endif
 995
 996    if (seed != NULL)
 997        ret = Hash_DRBG_Init(drbg, seed, seedSz, nonce, nonceSz,
 998                             perso, persoSz);
 999    return ret;
1000}
1001
1002/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
1003static int Hash_DRBG_Uninstantiate(DRBG_internal* drbg)
1004{
1005    word32 i;
1006    int    compareSum = 0;
1007    byte*  compareDrbg = (byte*)drbg;
1008
1009#ifdef WOLFSSL_SMALL_STACK_CACHE
1010    wc_Sha256Free(&drbg->sha256);
1011#endif
1012
1013    ForceZero(drbg, sizeof(DRBG_internal));
1014
1015    for (i = 0; i < sizeof(DRBG_internal); i++) {
1016        compareSum |= compareDrbg[i] ^ 0;
1017    }
1018
1019    return (compareSum == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
1020}
1021
1022#endif /* !NO_SHA256 - SHA-256 Hash_DRBG core block */
1023
1024/* ====================================================================== */
1025/* SHA-512 Hash_DRBG (SP 800-90A Rev 1, Table 2)                          */
1026/*                                                                         */
1027/* Internal state (V, C): seedlen = 888 bits = 111 bytes each              */
1028/* Output block length:   512 bits = 64 bytes (WC_SHA512_DIGEST_SIZE)      */
1029/* Security strength:     256 bits                                         */
1030/*                                                                         */
1031/* NOTE: The raw entropy seed gathered at instantiation / reseed is        */
1032/* WC_DRBG_SEED_SZ (1024 bits in FIPS builds), NOT seedlen.  We overseed  */
1033/* to tolerate weak entropy sources.  Hash_df then compresses the seed     */
1034/* material down to the 888-bit V and derives C from V.  See random.h.    */
1035/* ====================================================================== */
1036#ifdef WOLFSSL_DRBG_SHA512
1037
1038#define OUTPUT_BLOCK_LEN_SHA512  (WC_SHA512_DIGEST_SIZE)  /* 64 bytes */
1039
1040/* Hash Derivation Function using SHA-512 */
1041/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
1042static int Hash512_df(DRBG_SHA512_internal* drbg, byte* out, word32 outSz,
1043                      byte type,
1044                      const byte* inA, word32 inASz,
1045                      const byte* inB, word32 inBSz,
1046                      const byte* inC, word32 inCSz)
1047{
1048    int ret = DRBG_FAILURE;
1049    byte ctr;
1050    word32 i;
1051    word32 len;
1052    word32 bits = (outSz * 8);
1053#ifdef WOLFSSL_SMALL_STACK_CACHE
1054    wc_Sha512* sha = &drbg->sha512;
1055#else
1056    wc_Sha512 sha[1];
1057#endif
1058#if defined(WOLFSSL_SMALL_STACK_CACHE)
1059    byte* digest = drbg->digest_scratch;
1060#elif defined(WOLFSSL_SMALL_STACK)
1061    byte* digest;
1062#else
1063#if defined(__GNUC__) && !defined(__clang__) && defined(__AVX512F__)
1064    /* Use a jumbo alignment to work around a gcc compiler/optimizer bug that
1065     * assumes AVX512 alignment in an object sized correctly for AVX512 passed
1066     * to builtin memcpy(), which promptly crashes if not thus aligned.
1067     */
1068    byte digest[WC_SHA512_DIGEST_SIZE] WOLFSSL_ALIGN(WC_SHA512_DIGEST_SIZE);
1069#else
1070    byte digest[WC_SHA512_DIGEST_SIZE];
1071#endif
1072#endif
1073
1074    if (drbg == NULL) {
1075        return DRBG_FAILURE;
1076    }
1077
1078#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
1079    digest = (byte*)XMALLOC(WC_SHA512_DIGEST_SIZE, drbg->heap,
1080        DYNAMIC_TYPE_DIGEST);
1081    if (digest == NULL)
1082        return DRBG_FAILURE;
1083#endif
1084
1085#ifdef LITTLE_ENDIAN_ORDER
1086    bits = ByteReverseWord32(bits);
1087#endif
1088    len = (outSz / OUTPUT_BLOCK_LEN_SHA512)
1089        + ((outSz % OUTPUT_BLOCK_LEN_SHA512) ? 1 : 0);
1090
1091    ctr = 1;
1092    for (i = 0; i < len; i++) {
1093#ifndef WOLFSSL_SMALL_STACK_CACHE
1094    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
1095        ret = wc_InitSha512_ex(sha, drbg->heap, drbg->devId);
1096    #else
1097        ret = wc_InitSha512(sha);
1098    #endif
1099        if (ret != 0)
1100            break;
1101#endif
1102        ret = wc_Sha512Update(sha, &ctr, sizeof(ctr));
1103        if (ret == 0) {
1104            ctr++;
1105            ret = wc_Sha512Update(sha, (byte*)&bits, sizeof(bits));
1106        }
1107
1108        if (ret == 0) {
1109            /* churning V is the only string that doesn't have the type added */
1110            if (type != drbgInitV)
1111                ret = wc_Sha512Update(sha, &type, sizeof(type));
1112        }
1113        if (ret == 0)
1114            ret = wc_Sha512Update(sha, inA, inASz);
1115        if (ret == 0) {
1116            if (inB != NULL && inBSz > 0)
1117                ret = wc_Sha512Update(sha, inB, inBSz);
1118        }
1119        if (ret == 0) {
1120            if (inC != NULL && inCSz > 0)
1121                ret = wc_Sha512Update(sha, inC, inCSz);
1122        }
1123        if (ret == 0)
1124            ret = wc_Sha512Final(sha, digest);
1125
1126#ifndef WOLFSSL_SMALL_STACK_CACHE
1127        wc_Sha512Free(sha);
1128#endif
1129        if (ret == 0) {
1130            if (outSz > OUTPUT_BLOCK_LEN_SHA512) {
1131                XMEMCPY(out, digest, OUTPUT_BLOCK_LEN_SHA512);
1132                outSz -= OUTPUT_BLOCK_LEN_SHA512;
1133                out += OUTPUT_BLOCK_LEN_SHA512;
1134            }
1135            else {
1136                XMEMCPY(out, digest, outSz);
1137            }
1138        }
1139    }
1140
1141    ForceZero(digest, WC_SHA512_DIGEST_SIZE);
1142
1143#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
1144    XFREE(digest, drbg->heap, DYNAMIC_TYPE_DIGEST);
1145#endif
1146
1147#ifdef WC_VERBOSE_RNG
1148    if (ret != 0)
1149        WOLFSSL_DEBUG_PRINTF("ERROR: %s failed with err = %d", __FUNCTION__,
1150                             ret);
1151#endif
1152
1153    return (ret == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
1154}
1155
1156/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
1157static int Hash512_DRBG_Reseed(DRBG_SHA512_internal* drbg, const byte* seed,
1158                               word32 seedSz,
1159                               const byte* additional, word32 additionalSz)
1160{
1161    int ret;
1162    WC_DECLARE_VAR(newV, byte, DRBG_SHA512_SEED_LEN, 0);
1163
1164    if (drbg == NULL) {
1165        return DRBG_FAILURE;
1166    }
1167
1168#ifdef WOLFSSL_SMALL_STACK_CACHE
1169    newV = drbg->seed_scratch;
1170#else
1171    WC_ALLOC_VAR_EX(newV, byte, DRBG_SHA512_SEED_LEN, drbg->heap,
1172        DYNAMIC_TYPE_TMP_BUFFER, return MEMORY_E);
1173#endif
1174    XMEMSET(newV, 0, DRBG_SHA512_SEED_LEN);
1175
1176    ret = Hash512_df(drbg, newV, DRBG_SHA512_SEED_LEN, drbgReseed,
1177                drbg->V, sizeof(drbg->V), seed, seedSz,
1178                additional, additionalSz);
1179    if (ret == DRBG_SUCCESS) {
1180        XMEMCPY(drbg->V, newV, sizeof(drbg->V));
1181
1182        ret = Hash512_df(drbg, drbg->C, sizeof(drbg->C), drbgInitC, drbg->V,
1183                                    sizeof(drbg->V), NULL, 0,
1184                                    NULL, 0);
1185    }
1186    if (ret == DRBG_SUCCESS) {
1187        drbg->reseedCtr = 1;
1188    }
1189
1190    ForceZero(newV, DRBG_SHA512_SEED_LEN);
1191
1192#ifndef WOLFSSL_SMALL_STACK_CACHE
1193    WC_FREE_VAR_EX(newV, drbg->heap, DYNAMIC_TYPE_TMP_BUFFER);
1194#endif
1195
1196    return ret;
1197}
1198
1199/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
1200static int Hash512_gen(DRBG_SHA512_internal* drbg, byte* out, word32 outSz,
1201                       const byte* V)
1202{
1203    int ret = DRBG_FAILURE;
1204    word32 i;
1205    word32 len;
1206#if defined(WOLFSSL_SMALL_STACK_CACHE)
1207    wc_Sha512* sha = &drbg->sha512;
1208    byte* data = drbg->seed_scratch;
1209    byte* digest = drbg->digest_scratch;
1210#elif defined(WOLFSSL_SMALL_STACK)
1211    wc_Sha512 sha[1];
1212    byte* data = NULL;
1213    byte* digest = NULL;
1214#else
1215    wc_Sha512 sha[1];
1216    byte data[DRBG_SHA512_SEED_LEN];
1217    byte digest[WC_SHA512_DIGEST_SIZE];
1218#endif
1219
1220    if (drbg == NULL) {
1221        return DRBG_FAILURE;
1222    }
1223
1224#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
1225    data = (byte*)XMALLOC(DRBG_SHA512_SEED_LEN, drbg->heap,
1226        DYNAMIC_TYPE_TMP_BUFFER);
1227    digest = (byte*)XMALLOC(WC_SHA512_DIGEST_SIZE, drbg->heap,
1228        DYNAMIC_TYPE_DIGEST);
1229    if (data == NULL || digest == NULL) {
1230        XFREE(digest, drbg->heap, DYNAMIC_TYPE_DIGEST);
1231        XFREE(data, drbg->heap, DYNAMIC_TYPE_TMP_BUFFER);
1232        return DRBG_FAILURE;
1233    }
1234#endif
1235
1236    /* Special case: outSz is 0 and out is NULL. Generate a block to save for
1237     * the continuous test. */
1238    if (outSz == 0) {
1239        outSz = 1;
1240    }
1241
1242    len = (outSz / OUTPUT_BLOCK_LEN_SHA512)
1243        + ((outSz % OUTPUT_BLOCK_LEN_SHA512) ? 1 : 0);
1244
1245    XMEMCPY(data, V, DRBG_SHA512_SEED_LEN);
1246    for (i = 0; i < len; i++) {
1247#ifndef WOLFSSL_SMALL_STACK_CACHE
1248    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
1249        ret = wc_InitSha512_ex(sha, drbg->heap, drbg->devId);
1250    #else
1251        ret = wc_InitSha512(sha);
1252    #endif
1253        if (ret == 0)
1254#endif
1255            ret = wc_Sha512Update(sha, data, DRBG_SHA512_SEED_LEN);
1256        if (ret == 0)
1257            ret = wc_Sha512Final(sha, digest);
1258#ifndef WOLFSSL_SMALL_STACK_CACHE
1259        wc_Sha512Free(sha);
1260#endif
1261
1262        if (ret == 0) {
1263            if (out != NULL && outSz != 0) {
1264                if (outSz >= OUTPUT_BLOCK_LEN_SHA512) {
1265                    XMEMCPY(out, digest, OUTPUT_BLOCK_LEN_SHA512);
1266                    outSz -= OUTPUT_BLOCK_LEN_SHA512;
1267                    out += OUTPUT_BLOCK_LEN_SHA512;
1268                    array_add_one(data, DRBG_SHA512_SEED_LEN);
1269                }
1270                else {
1271                    XMEMCPY(out, digest, outSz);
1272                    outSz = 0;
1273                }
1274            }
1275        }
1276        else {
1277            break;
1278        }
1279    }
1280    ForceZero(data, DRBG_SHA512_SEED_LEN);
1281
1282#ifndef WOLFSSL_SMALL_STACK_CACHE
1283    WC_FREE_VAR_EX(digest, drbg->heap, DYNAMIC_TYPE_DIGEST);
1284    WC_FREE_VAR_EX(data, drbg->heap, DYNAMIC_TYPE_TMP_BUFFER);
1285#endif
1286
1287    return (ret == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
1288}
1289
1290/* Returns: DRBG_SUCCESS, DRBG_NEED_RESEED, or DRBG_FAILURE */
1291static int Hash512_DRBG_Generate(DRBG_SHA512_internal* drbg, byte* out,
1292                                 word32 outSz,
1293                                 const byte* additional, word32 additionalSz)
1294{
1295    int ret;
1296#ifdef WOLFSSL_SMALL_STACK_CACHE
1297    wc_Sha512* sha = &drbg->sha512;
1298#else
1299    wc_Sha512 sha[1];
1300#endif
1301    byte type;
1302    word64 reseedCtr;
1303
1304    if (drbg == NULL) {
1305        return DRBG_FAILURE;
1306    }
1307
1308    if (drbg->reseedCtr >= WC_RESEED_INTERVAL) {
1309        return DRBG_NEED_RESEED;
1310    }
1311    else {
1312    #if defined(WOLFSSL_SMALL_STACK_CACHE)
1313        byte* digest = drbg->digest_scratch;
1314    #elif defined(WOLFSSL_SMALL_STACK)
1315        byte* digest = (byte*)XMALLOC(WC_SHA512_DIGEST_SIZE, drbg->heap,
1316            DYNAMIC_TYPE_DIGEST);
1317        if (digest == NULL)
1318            return DRBG_FAILURE;
1319    #else
1320        byte digest[WC_SHA512_DIGEST_SIZE];
1321    #endif
1322
1323        type = drbgGenerateH;
1324        reseedCtr = drbg->reseedCtr;
1325
1326        /* SP 800-90A Section 10.1.1.4 step 2:
1327         * If additional_input != Null, w = Hash(0x02 || V || additional_input),
1328         * V = (V + w) mod 2^seedlen */
1329        ret = DRBG_SUCCESS;
1330        if (additional != NULL && additionalSz > 0) {
1331            byte addType = drbgGenerateW; /* 0x02 */
1332#ifndef WOLFSSL_SMALL_STACK_CACHE
1333        #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
1334            ret = wc_InitSha512_ex(sha, drbg->heap, drbg->devId);
1335        #else
1336            ret = wc_InitSha512(sha);
1337        #endif
1338            if (ret == 0)
1339#endif
1340                ret = wc_Sha512Update(sha, &addType, sizeof(addType));
1341            if (ret == 0)
1342                ret = wc_Sha512Update(sha, drbg->V, sizeof(drbg->V));
1343            if (ret == 0)
1344                ret = wc_Sha512Update(sha, additional, additionalSz);
1345            if (ret == 0)
1346                ret = wc_Sha512Final(sha, digest);
1347#ifndef WOLFSSL_SMALL_STACK_CACHE
1348            wc_Sha512Free(sha);
1349#endif
1350            if (ret == 0)
1351                array_add(drbg->V, sizeof(drbg->V), digest,
1352                          WC_SHA512_DIGEST_SIZE);
1353        }
1354
1355        if (ret == 0)
1356            ret = Hash512_gen(drbg, out, outSz, drbg->V);
1357        if (ret == DRBG_SUCCESS) {
1358#ifndef WOLFSSL_SMALL_STACK_CACHE
1359        #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
1360            ret = wc_InitSha512_ex(sha, drbg->heap, drbg->devId);
1361        #else
1362            ret = wc_InitSha512(sha);
1363        #endif
1364            if (ret == 0)
1365#endif
1366                ret = wc_Sha512Update(sha, &type, sizeof(type));
1367            if (ret == 0)
1368                ret = wc_Sha512Update(sha, drbg->V, sizeof(drbg->V));
1369            if (ret == 0)
1370                ret = wc_Sha512Final(sha, digest);
1371
1372#ifndef WOLFSSL_SMALL_STACK_CACHE
1373            wc_Sha512Free(sha);
1374#endif
1375
1376            if (ret == 0) {
1377                array_add(drbg->V, sizeof(drbg->V), digest,
1378                          WC_SHA512_DIGEST_SIZE);
1379                array_add(drbg->V, sizeof(drbg->V), drbg->C, sizeof(drbg->C));
1380            #ifdef LITTLE_ENDIAN_ORDER
1381                reseedCtr = ByteReverseWord64(reseedCtr);
1382            #endif
1383                array_add(drbg->V, sizeof(drbg->V),
1384                                          (byte*)&reseedCtr, sizeof(reseedCtr));
1385                ret = DRBG_SUCCESS;
1386            }
1387            drbg->reseedCtr++;
1388        }
1389        ForceZero(digest, WC_SHA512_DIGEST_SIZE);
1390    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
1391        XFREE(digest, drbg->heap, DYNAMIC_TYPE_DIGEST);
1392    #endif
1393    }
1394
1395    return (ret == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
1396}
1397
1398/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
1399static int Hash512_DRBG_Init(DRBG_SHA512_internal* drbg, const byte* seed,
1400                             word32 seedSz, const byte* nonce, word32 nonceSz,
1401                             const byte* perso, word32 persoSz)
1402{
1403    if (seed == NULL)
1404        return DRBG_FAILURE;
1405
1406    if (Hash512_df(drbg, drbg->V, sizeof(drbg->V), drbgInitV, seed, seedSz,
1407                                              nonce, nonceSz,
1408                                              perso, persoSz) == DRBG_SUCCESS &&
1409        Hash512_df(drbg, drbg->C, sizeof(drbg->C), drbgInitC, drbg->V,
1410                                    sizeof(drbg->V), NULL, 0,
1411                                    NULL, 0) == DRBG_SUCCESS) {
1412
1413        drbg->reseedCtr = 1;
1414        return DRBG_SUCCESS;
1415    }
1416    else {
1417        return DRBG_FAILURE;
1418    }
1419}
1420
1421/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
1422static int Hash512_DRBG_Instantiate(DRBG_SHA512_internal* drbg,
1423                                    const byte* seed, word32 seedSz,
1424                                    const byte* nonce, word32 nonceSz,
1425                                    const byte* perso, word32 persoSz,
1426                                    void* heap, int devId)
1427{
1428    int ret = DRBG_FAILURE;
1429
1430    XMEMSET(drbg, 0, sizeof(DRBG_SHA512_internal));
1431    drbg->heap = heap;
1432#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
1433    drbg->devId = devId;
1434#else
1435    (void)devId;
1436#endif
1437
1438#ifdef WOLFSSL_SMALL_STACK_CACHE
1439    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
1440        ret = wc_InitSha512_ex(&drbg->sha512, drbg->heap, drbg->devId);
1441    #else
1442        ret = wc_InitSha512(&drbg->sha512);
1443    #endif
1444    if (ret != 0)
1445        return ret;
1446#endif
1447
1448    if (seed != NULL)
1449        ret = Hash512_DRBG_Init(drbg, seed, seedSz, nonce, nonceSz,
1450                                perso, persoSz);
1451    return ret;
1452}
1453
1454/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
1455static int Hash512_DRBG_Uninstantiate(DRBG_SHA512_internal* drbg)
1456{
1457    word32 i;
1458    int    compareSum = 0;
1459    byte*  compareDrbg = (byte*)drbg;
1460
1461#ifdef WOLFSSL_SMALL_STACK_CACHE
1462    wc_Sha512Free(&drbg->sha512);
1463#endif
1464
1465    ForceZero(drbg, sizeof(DRBG_SHA512_internal));
1466
1467    for (i = 0; i < sizeof(DRBG_SHA512_internal); i++) {
1468        compareSum |= compareDrbg[i] ^ 0;
1469    }
1470
1471    return (compareSum == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
1472}
1473
1474#endif /* WOLFSSL_DRBG_SHA512 */
1475
1476
1477/* FIPS 140-3 IG 10.3.A / SP800-90B Health Tests for Seed Data
1478 *
1479 * These tests replace the older FIPS 140-2 Continuous Random Number Generator
1480 * Test (CRNGT) with more mathematically robust statistical tests per
1481 * ISO 19790 / SP800-90B requirements.
1482 *
1483 * When HAVE_ENTROPY_MEMUSE is defined, the wolfentropy.c jitter-based TRNG
1484 * performs another set of these health tests, but those are on the noise not
1485 * the conditioned output so we still need to retest here even in that case
1486 * to evaluate the conditioned output for the same behavior. These tests ensure
1487 * the seed data meets basic entropy requirements regardless of the source.
1488 */
1489
1490/* SP800-90B 4.4.1 - Repetition Count Test
1491 * Detects if the noise source becomes "stuck" producing repeated output.
1492 *
1493 * C = 1 + ceil(-log2(alpha) / H)
1494 * For alpha = 2^-30 (false positive probability) and H = 1 (min entropy):
1495 * C = 1 + ceil(30 / 1) = 31
1496 */
1497#ifndef WC_RNG_SEED_RCT_CUTOFF
1498    #define WC_RNG_SEED_RCT_CUTOFF 31
1499#endif
1500
1501/* SP800-90B 4.4.2 - Adaptive Proportion Test
1502 * Monitors if a particular sample value appears too frequently within a
1503 * window of samples, indicating loss of entropy.
1504 *
1505 * Window size W = 512 for non-binary alphabet (byte values 0-255)
1506 * C = 1 + CRITBINOM(W, 2^(-H), 1-alpha)
1507 * For alpha = 2^-30 and H = 1, W = 512:
1508 * C = 1 + CRITBINOM(512, 0.5, 1-2^-30) = 325
1509 */
1510#ifndef WC_RNG_SEED_APT_WINDOW
1511    #define WC_RNG_SEED_APT_WINDOW 512
1512#endif
1513#ifndef WC_RNG_SEED_APT_CUTOFF
1514    #define WC_RNG_SEED_APT_CUTOFF 325
1515#endif
1516
1517int wc_RNG_TestSeed(const byte* seed, word32 seedSz)
1518{
1519    int ret = 0;
1520
1521    word32 i;
1522    int rctFailed = 0;
1523    int aptFailed = 0;
1524
1525    if (seed == NULL || seedSz < SEED_BLOCK_SZ) {
1526        return BAD_FUNC_ARG;
1527    }
1528
1529    /* SP800-90B 4.4.1 - Repetition Count Test (RCT)
1530     * Check for consecutive identical bytes that would indicate a stuck
1531     * entropy source. Fail if we see WC_RNG_SEED_RCT_CUTOFF or more
1532     * consecutive identical values.
1533     *
1534     * Constant-time implementation: always process full seed, accumulate
1535     * failure status without early exit to prevent timing side-channels.
1536     */
1537    {
1538        int repCount = 1;
1539        byte prevByte = seed[0];
1540
1541        for (i = 1; i < seedSz; i++) {
1542            /* Constant-time: always evaluate both branches effects */
1543            int match = (seed[i] == prevByte);
1544            /* If match, increment count, if not, reset to 1 */
1545            repCount = (match * (repCount + 1)) + (!match * 1);
1546            /* Update prevByte only when not matching (new value) */
1547            prevByte = (byte) ((match * prevByte) + (!match * seed[i]));
1548            /* Accumulate failure flag - once set, stays set */
1549            rctFailed |= (repCount >= WC_RNG_SEED_RCT_CUTOFF);
1550        }
1551    }
1552
1553    /* SP800-90B 4.4.2 - Adaptive Proportion Test (APT)
1554     * Check that no single byte value appears too frequently within
1555     * a sliding window. This detects bias in the entropy source.
1556     *
1557     * For seeds smaller than the window size, we test the entire seed.
1558     * For larger seeds, we use a sliding window approach.
1559     *
1560     * Constant-time implementation: always process full seed and check
1561     * all counts to prevent timing side-channels.
1562     */
1563    {
1564    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
1565        word16* byteCounts = NULL;
1566    #else
1567        word16 byteCounts[MAX_ENTROPY_BITS];
1568    #endif
1569        word32 windowSize = min(seedSz, (word32)WC_RNG_SEED_APT_WINDOW);
1570        word32 windowStart = 0;
1571        word32 newIdx;
1572
1573    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
1574        byteCounts = (word16*)XMALLOC(MAX_ENTROPY_BITS * sizeof(word16), NULL,
1575                                      DYNAMIC_TYPE_TMP_BUFFER);
1576        if (byteCounts == NULL)
1577            return MEMORY_E;
1578    #endif
1579        XMEMSET(byteCounts, 0, MAX_ENTROPY_BITS * sizeof(word16));
1580
1581        /* Initialize counts for first window */
1582        for (i = 0; i < windowSize; i++) {
1583            byteCounts[seed[i]]++;
1584        }
1585
1586        /* Check first window - scan all 256 counts */
1587        for (i = 0; i < MAX_ENTROPY_BITS; i++) {
1588            aptFailed |= (byteCounts[i] >= WC_RNG_SEED_APT_CUTOFF);
1589        }
1590
1591        /* Slide window through remaining seed data */
1592        while ((windowStart + windowSize) < seedSz) {
1593            /* Remove byte leaving the window */
1594            byteCounts[seed[windowStart]]--;
1595            windowStart++;
1596
1597            /* Add byte entering the window */
1598            newIdx = windowStart + windowSize - 1;
1599            byteCounts[seed[newIdx]]++;
1600
1601            /* Accumulate failure flag for new byte's count */
1602            aptFailed |= (byteCounts[seed[newIdx]] >= WC_RNG_SEED_APT_CUTOFF);
1603        }
1604
1605    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
1606        XFREE(byteCounts, NULL, DYNAMIC_TYPE_TMP_BUFFER);
1607    #endif
1608    }
1609
1610    /* Set return code based on accumulated failure flags */
1611    if (rctFailed) {
1612        ret = ENTROPY_RT_E;
1613    }
1614    else if (aptFailed) {
1615        ret = ENTROPY_APT_E;
1616    }
1617
1618    return ret;
1619}
1620/* Runtime DRBG disable/enable API -- only available in non-selftest and
1621 * FIPS v7+ builds (older FIPS/selftest random.c doesn't have these) */
1622#if !defined(HAVE_SELFTEST) && \
1623    (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
1624#ifndef NO_SHA256
1625int wc_Sha256Drbg_Disable(void)
1626{
1627    int ret;
1628#ifdef WOLFSSL_DRBG_SHA512
1629    ret = LockDrbgState();
1630    if (ret != 0)
1631        return ret;
1632    if (sha512DrbgDisabled) {
1633        UnlockDrbgState();
1634        return BAD_STATE_E;  /* can't disable both */
1635    }
1636    sha256DrbgDisabled = 1;
1637    UnlockDrbgState();
1638    return 0;
1639#else
1640    (void)ret;
1641    return NOT_COMPILED_IN;
1642#endif
1643}
1644
1645int wc_Sha256Drbg_Enable(void)
1646{
1647    int ret = LockDrbgState();
1648    if (ret != 0)
1649        return ret;
1650    sha256DrbgDisabled = 0;
1651    UnlockDrbgState();
1652    return 0;
1653}
1654
1655int wc_Sha256Drbg_IsDisabled(void)
1656{
1657    int val;
1658    if (LockDrbgState() != 0)
1659        return 1; /* fail-safe: report disabled on mutex error */
1660    val = sha256DrbgDisabled;
1661    UnlockDrbgState();
1662    return val;
1663}
1664#else
1665/* When SHA-256 is not compiled in, these are stubs */
1666int wc_Sha256Drbg_Disable(void) { return NOT_COMPILED_IN; }
1667int wc_Sha256Drbg_Enable(void) { return 0; }
1668int wc_Sha256Drbg_IsDisabled(void) { return 1; } /* always disabled */
1669#endif /* !NO_SHA256 */
1670#endif /* !HAVE_SELFTEST && (!HAVE_FIPS || FIPS v7+) */
1671
1672#ifdef WOLFSSL_DRBG_SHA512
1673int wc_Sha512Drbg_Disable(void)
1674{
1675    int ret = LockDrbgState();
1676    if (ret != 0)
1677        return ret;
1678#ifndef NO_SHA256
1679    if (sha256DrbgDisabled) {
1680        UnlockDrbgState();
1681        return BAD_STATE_E;  /* can't disable both */
1682    }
1683#endif
1684    sha512DrbgDisabled = 1;
1685    UnlockDrbgState();
1686    return 0;
1687}
1688
1689int wc_Sha512Drbg_Enable(void)
1690{
1691    int ret = LockDrbgState();
1692    if (ret != 0)
1693        return ret;
1694    sha512DrbgDisabled = 0;
1695    UnlockDrbgState();
1696    return 0;
1697}
1698
1699int wc_Sha512Drbg_IsDisabled(void)
1700{
1701    int val;
1702    if (LockDrbgState() != 0)
1703        return 1; /* fail-safe: report disabled on mutex error */
1704    val = sha512DrbgDisabled;
1705    UnlockDrbgState();
1706    return val;
1707}
1708#endif /* WOLFSSL_DRBG_SHA512 */
1709
1710#endif /* HAVE_HASHDRBG */
1711/* End NIST DRBG Code */
1712
1713
1714static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
1715                    void* heap, int devId)
1716{
1717    int ret = 0;
1718#ifdef HAVE_HASHDRBG
1719#if !defined(HAVE_FIPS) && defined(WOLFSSL_RNG_USE_FULL_SEED)
1720    word32 seedSz = SEED_SZ;
1721#else
1722    word32 seedSz = SEED_SZ + SEED_BLOCK_SZ;
1723    WC_DECLARE_VAR(seed, byte, MAX_SEED_SZ, rng->heap);
1724#ifdef WOLFSSL_SMALL_STACK_CACHE
1725    int drbg_scratch_instantiated = 0;
1726#endif
1727#endif
1728#endif
1729
1730    (void)nonce;
1731    (void)nonceSz;
1732
1733    if (rng == NULL)
1734        return BAD_FUNC_ARG;
1735    if (nonce == NULL && nonceSz != 0)
1736        return BAD_FUNC_ARG;
1737
1738    XMEMSET(rng, 0, sizeof(*rng));
1739
1740#ifdef WOLFSSL_HEAP_TEST
1741    rng->heap = (void*)WOLFSSL_HEAP_TEST;
1742    (void)heap;
1743#else
1744    rng->heap = heap;
1745#endif
1746#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
1747    rng->pid = getpid();
1748#endif
1749#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
1750    rng->devId = devId;
1751    #if defined(WOLF_CRYPTO_CB)
1752        rng->seed.devId = devId;
1753    #endif
1754#else
1755    (void)devId;
1756#endif
1757
1758#ifdef HAVE_HASHDRBG
1759    /* init the DBRG to known values */
1760#ifndef NO_SHA256
1761    rng->drbg = NULL;
1762    #ifdef WOLFSSL_SMALL_STACK_CACHE
1763    rng->drbg_scratch = NULL;
1764    #endif
1765#endif
1766#ifdef WOLFSSL_DRBG_SHA512
1767    rng->drbg512 = NULL;
1768    #ifdef WOLFSSL_SMALL_STACK_CACHE
1769    rng->drbg512_scratch = NULL;
1770    rng->health_check_scratch_512 = NULL;
1771    #endif
1772#endif
1773#ifdef WOLFSSL_SMALL_STACK_CACHE
1774    rng->newSeed_buf = NULL;
1775#ifndef NO_SHA256
1776    rng->health_check_scratch = NULL;
1777#endif
1778#endif
1779    rng->status = DRBG_NOT_INIT;
1780
1781    /* Select DRBG type: prefer SHA-512 unless disabled or not compiled.
1782     * Hold the mutex for a consistent snapshot of both disable flags. */
1783#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
1784    ret = LockDrbgState();
1785    if (ret != 0)
1786        return ret;
1787#ifdef WOLFSSL_DRBG_SHA512
1788    if (!sha512DrbgDisabled)
1789        rng->drbgType = WC_DRBG_SHA512;
1790    else
1791#endif
1792#ifndef NO_SHA256
1793    if (!sha256DrbgDisabled)
1794        rng->drbgType = WC_DRBG_SHA256;
1795    else
1796#endif
1797    {
1798        UnlockDrbgState();
1799        return BAD_STATE_E; /* no DRBG available */
1800    }
1801    UnlockDrbgState();
1802#else
1803    rng->drbgType = WC_DRBG_SHA256;
1804#endif
1805#endif
1806
1807#if defined(HAVE_INTEL_RDSEED) || defined(HAVE_INTEL_RDRAND) || \
1808    defined(HAVE_AMD_RDSEED)
1809    /* init the intel RD seed and/or rand */
1810    wc_InitRng_IntelRD();
1811#endif
1812
1813    /* configure async RNG source if available */
1814#ifdef WOLFSSL_ASYNC_CRYPT
1815    ret = wolfAsync_DevCtxInit(&rng->asyncDev, WOLFSSL_ASYNC_MARKER_RNG,
1816                                                        rng->heap, rng->devId);
1817    if (ret != 0) {
1818    #ifdef HAVE_HASHDRBG
1819        rng->status = DRBG_OK;
1820    #endif
1821        return ret;
1822    }
1823#endif
1824
1825#ifdef HAVE_INTEL_RDRAND
1826    /* if CPU supports RDRAND, use it directly and by-pass DRBG init */
1827    if (IS_INTEL_RDRAND(intel_flags)) {
1828    #ifdef HAVE_HASHDRBG
1829        rng->status = DRBG_OK;
1830    #endif
1831        return 0;
1832    }
1833#endif
1834
1835#ifdef WOLFSSL_XILINX_CRYPT_VERSAL
1836    ret = wc_VersalTrngInit(nonce, nonceSz);
1837    if (ret) {
1838    #ifdef HAVE_HASHDRBG
1839        rng->status = DRBG_OK;
1840    #endif
1841        return ret;
1842    }
1843#endif
1844
1845#if defined(WOLFSSL_KEEP_RNG_SEED_FD_OPEN) && !defined(USE_WINDOWS_API)
1846    if (!rng->seed.seedFdOpen)
1847        rng->seed.fd = XBADFD;
1848#endif
1849
1850#ifdef CUSTOM_RAND_GENERATE_BLOCK
1851    ret = 0; /* success */
1852#else
1853
1854 /* not CUSTOM_RAND_GENERATE_BLOCK follows */
1855#ifdef HAVE_HASHDRBG
1856    if (nonceSz == 0) {
1857        seedSz = MAX_SEED_SZ;
1858    }
1859
1860#ifndef NO_SHA256
1861    if (rng->drbgType == WC_DRBG_SHA256) {
1862    #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
1863        rng->drbg =
1864            (struct DRBG*)XMALLOC(sizeof(DRBG_internal), rng->heap,
1865                                  DYNAMIC_TYPE_RNG);
1866        if (rng->drbg == NULL) {
1867        #if defined(DEBUG_WOLFSSL)
1868            WOLFSSL_MSG_EX("_InitRng XMALLOC failed to allocate %d bytes",
1869                           sizeof(DRBG_internal));
1870        #endif
1871            ret = MEMORY_E;
1872            rng->status = DRBG_FAILED;
1873        }
1874    #else
1875        rng->drbg = (struct DRBG*)&rng->drbg_data;
1876    #endif /* WOLFSSL_NO_MALLOC or WOLFSSL_STATIC_MEMORY */
1877
1878    #ifdef WOLFSSL_SMALL_STACK_CACHE
1879        if (ret == 0) {
1880            rng->drbg_scratch =
1881                (DRBG_internal *)XMALLOC(sizeof(DRBG_internal), rng->heap,
1882                                         DYNAMIC_TYPE_RNG);
1883            if (rng->drbg_scratch == NULL) {
1884    #if defined(DEBUG_WOLFSSL)
1885                WOLFSSL_MSG_EX("_InitRng XMALLOC failed to allocate %d bytes",
1886                               sizeof(DRBG_internal));
1887    #endif
1888                ret = MEMORY_E;
1889                rng->status = DRBG_FAILED;
1890            }
1891        }
1892
1893        if (ret == 0) {
1894            ret = Hash_DRBG_Instantiate((DRBG_internal *)rng->drbg_scratch,
1895                        NULL, 0, NULL, 0, NULL, 0, rng->heap, devId);
1896            if (ret == 0)
1897                drbg_scratch_instantiated = 1;
1898        }
1899
1900        if (ret == 0) {
1901            rng->health_check_scratch =
1902                (byte *)XMALLOC(RNG_HEALTH_TEST_CHECK_SIZE, rng->heap,
1903                                DYNAMIC_TYPE_TMP_BUFFER);
1904            if (rng->health_check_scratch == NULL) {
1905                ret = MEMORY_E;
1906                rng->status = DRBG_FAILED;
1907            }
1908        }
1909    #endif /* WOLFSSL_SMALL_STACK_CACHE */
1910    } /* WC_DRBG_SHA256 */
1911#endif /* !NO_SHA256 */
1912
1913#ifdef WOLFSSL_DRBG_SHA512
1914    if (rng->drbgType == WC_DRBG_SHA512) {
1915    #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
1916        rng->drbg512 =
1917            (struct DRBG_SHA512*)XMALLOC(sizeof(DRBG_SHA512_internal),
1918                                         rng->heap, DYNAMIC_TYPE_RNG);
1919        if (rng->drbg512 == NULL) {
1920        #if defined(DEBUG_WOLFSSL)
1921            WOLFSSL_MSG_EX("_InitRng XMALLOC failed to allocate %d bytes",
1922                           sizeof(DRBG_SHA512_internal));
1923        #endif
1924            ret = MEMORY_E;
1925            rng->status = DRBG_FAILED;
1926        }
1927    #else
1928        rng->drbg512 = (struct DRBG_SHA512*)&rng->drbg512_data;
1929    #endif
1930
1931    #ifdef WOLFSSL_SMALL_STACK_CACHE
1932        if (ret == 0) {
1933            rng->drbg512_scratch =
1934                (DRBG_SHA512_internal *)XMALLOC(sizeof(DRBG_SHA512_internal),
1935                    rng->heap, DYNAMIC_TYPE_RNG);
1936            if (rng->drbg512_scratch == NULL) {
1937                ret = MEMORY_E;
1938                rng->status = DRBG_FAILED;
1939            }
1940        }
1941
1942        if (ret == 0) {
1943            ret = Hash512_DRBG_Instantiate(rng->drbg512_scratch,
1944                        NULL, 0, NULL, 0, NULL, 0, rng->heap, devId);
1945            if (ret == 0)
1946                drbg_scratch_instantiated = 1;
1947        }
1948
1949        if (ret == 0) {
1950            rng->health_check_scratch_512 =
1951                (byte *)XMALLOC(RNG_HEALTH_TEST_CHECK_SIZE_SHA512, rng->heap,
1952                                DYNAMIC_TYPE_TMP_BUFFER);
1953            if (rng->health_check_scratch_512 == NULL) {
1954                ret = MEMORY_E;
1955                rng->status = DRBG_FAILED;
1956            }
1957        }
1958    #endif /* WOLFSSL_SMALL_STACK_CACHE */
1959    } /* WC_DRBG_SHA512 */
1960#endif /* WOLFSSL_DRBG_SHA512 */
1961
1962    /* newSeed_buf shared by both DRBG types for PollAndReSeed */
1963#ifdef WOLFSSL_SMALL_STACK_CACHE
1964    if (ret == 0) {
1965        rng->newSeed_buf = (byte*)XMALLOC(SEED_SZ + SEED_BLOCK_SZ, rng->heap,
1966                           DYNAMIC_TYPE_SEED);
1967        if (rng->newSeed_buf == NULL) {
1968            ret = MEMORY_E;
1969            rng->status = DRBG_FAILED;
1970        }
1971    }
1972#endif /* WOLFSSL_SMALL_STACK_CACHE */
1973
1974    if (ret == 0) {
1975        ret = wc_RNG_HealthTestLocal(rng, 0, rng->heap, devId);
1976        if (ret != 0) {
1977        #if defined(DEBUG_WOLFSSL)
1978            WOLFSSL_MSG_EX("wc_RNG_HealthTestLocal failed err = %d", ret);
1979        #endif
1980            ret = DRBG_CONT_FAILURE;
1981        }
1982    }
1983
1984    #ifdef WOLFSSL_SMALL_STACK
1985    if (ret == 0) {
1986        WC_ALLOC_VAR_EX(seed, byte, MAX_SEED_SZ, rng->heap, DYNAMIC_TYPE_SEED, WC_DO_NOTHING);
1987        if (seed == NULL) {
1988            ret = MEMORY_E;
1989            rng->status = DRBG_FAILED;
1990        }
1991    }
1992    #endif
1993
1994    if (ret != 0) {
1995#if defined(DEBUG_WOLFSSL)
1996        WOLFSSL_MSG_EX("_InitRng failed. err = %d", ret);
1997#endif
1998    }
1999    else {
2000#ifdef WC_RNG_SEED_CB
2001            if (seedCb == NULL) {
2002                ret = DRBG_NO_SEED_CB;
2003            }
2004            else {
2005                ret = seedCb(&rng->seed, seed, seedSz);
2006                if (ret != 0) {
2007#ifdef WC_VERBOSE_RNG
2008                    WOLFSSL_DEBUG_PRINTF(
2009                        "ERROR: seedCb in _InitRng() failed with err = %d",
2010                        ret);
2011#endif
2012                    ret = DRBG_FAILURE;
2013                }
2014            }
2015#else
2016            ret = wc_GenerateSeed(&rng->seed, seed, seedSz);
2017#endif /* WC_RNG_SEED_CB */
2018            if (ret != 0) {
2019    #if defined(DEBUG_WOLFSSL)
2020                WOLFSSL_MSG_EX("Seed generation failed... %d", ret);
2021    #elif defined(WC_VERBOSE_RNG)
2022                WOLFSSL_DEBUG_PRINTF(
2023                    "ERROR: wc_GenerateSeed() in _InitRng() failed with err %d",
2024                    ret);
2025    #endif
2026                ret = DRBG_FAILURE;
2027                rng->status = DRBG_FAILED;
2028            }
2029
2030            if (ret == 0)
2031                ret = wc_RNG_TestSeed(seed, seedSz);
2032    #if defined(DEBUG_WOLFSSL)
2033            if (ret != 0) {
2034                WOLFSSL_MSG_EX("wc_RNG_TestSeed failed... %d", ret);
2035            }
2036    #elif defined(WC_VERBOSE_RNG)
2037            if (ret != DRBG_SUCCESS) {
2038                WOLFSSL_DEBUG_PRINTF(
2039                    "ERROR: wc_RNG_TestSeed() in _InitRng() returned err %d.",
2040                    ret);
2041            }
2042    #endif
2043
2044            if (ret == DRBG_SUCCESS) {
2045#ifndef NO_SHA256
2046                if (rng->drbgType == WC_DRBG_SHA256)
2047                    ret = Hash_DRBG_Instantiate((DRBG_internal *)rng->drbg,
2048                #if defined(HAVE_FIPS) || !defined(WOLFSSL_RNG_USE_FULL_SEED)
2049                                seed + SEED_BLOCK_SZ, seedSz - SEED_BLOCK_SZ,
2050                #else
2051                                seed, seedSz,
2052                #endif
2053                                nonce, nonceSz, NULL, 0, rng->heap, devId);
2054#endif
2055#ifdef WOLFSSL_DRBG_SHA512
2056                if (rng->drbgType == WC_DRBG_SHA512)
2057                    ret = Hash512_DRBG_Instantiate(
2058                                (DRBG_SHA512_internal *)rng->drbg512,
2059                #if defined(HAVE_FIPS) || !defined(WOLFSSL_RNG_USE_FULL_SEED)
2060                                seed + SEED_BLOCK_SZ, seedSz - SEED_BLOCK_SZ,
2061                #else
2062                                seed, seedSz,
2063                #endif
2064                                nonce, nonceSz, NULL, 0, rng->heap, devId);
2065#endif
2066            }
2067    } /* ret == 0 */
2068
2069    #ifdef WOLFSSL_SMALL_STACK
2070    if (seed)
2071    #endif
2072    {
2073        ForceZero(seed, seedSz);
2074    }
2075    WC_FREE_VAR_EX(seed, rng->heap, DYNAMIC_TYPE_SEED);
2076
2077    if (ret != DRBG_SUCCESS) {
2078    #ifndef NO_SHA256
2079        if (rng->drbgType == WC_DRBG_SHA256) {
2080        #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
2081            XFREE(rng->drbg, rng->heap, DYNAMIC_TYPE_RNG);
2082        #endif
2083            rng->drbg = NULL;
2084        #ifdef WOLFSSL_SMALL_STACK_CACHE
2085            XFREE(rng->health_check_scratch, rng->heap,
2086                   DYNAMIC_TYPE_TMP_BUFFER);
2087            rng->health_check_scratch = NULL;
2088            if (drbg_scratch_instantiated)
2089                (void)Hash_DRBG_Uninstantiate(
2090                    (DRBG_internal *)rng->drbg_scratch);
2091            XFREE(rng->drbg_scratch, rng->heap, DYNAMIC_TYPE_RNG);
2092            rng->drbg_scratch = NULL;
2093        #endif
2094        }
2095    #endif /* !NO_SHA256 */
2096    #ifdef WOLFSSL_DRBG_SHA512
2097        if (rng->drbgType == WC_DRBG_SHA512) {
2098        #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
2099            XFREE(rng->drbg512, rng->heap, DYNAMIC_TYPE_RNG);
2100        #endif
2101            rng->drbg512 = NULL;
2102        #ifdef WOLFSSL_SMALL_STACK_CACHE
2103            XFREE(rng->health_check_scratch_512, rng->heap,
2104                   DYNAMIC_TYPE_TMP_BUFFER);
2105            rng->health_check_scratch_512 = NULL;
2106            if (drbg_scratch_instantiated)
2107                (void)Hash512_DRBG_Uninstantiate(rng->drbg512_scratch);
2108            XFREE(rng->drbg512_scratch, rng->heap, DYNAMIC_TYPE_RNG);
2109            rng->drbg512_scratch = NULL;
2110        #endif
2111        }
2112    #endif
2113    #ifdef WOLFSSL_SMALL_STACK_CACHE
2114        XFREE(rng->newSeed_buf, rng->heap, DYNAMIC_TYPE_SEED);
2115        rng->newSeed_buf = NULL;
2116    #endif
2117    }
2118    /* else wc_RNG_HealthTestLocal was successful */
2119
2120    if (ret == DRBG_SUCCESS) {
2121#ifdef WOLFSSL_CHECK_MEM_ZERO
2122    #ifndef NO_SHA256
2123        if (rng->drbgType == WC_DRBG_SHA256) {
2124            struct DRBG_internal* drbg = (struct DRBG_internal*)rng->drbg;
2125            wc_MemZero_Add("DRBG V", &drbg->V, sizeof(drbg->V));
2126            wc_MemZero_Add("DRBG C", &drbg->C, sizeof(drbg->C));
2127        }
2128    #endif
2129#endif
2130
2131        rng->status = DRBG_OK;
2132        ret = 0;
2133    }
2134    else if (ret == DRBG_CONT_FAILURE) {
2135        rng->status = DRBG_CONT_FAILED;
2136        ret = DRBG_CONT_FIPS_E;
2137    }
2138    else if (ret == DRBG_FAILURE) {
2139        rng->status = DRBG_FAILED;
2140        ret = RNG_FAILURE_E;
2141    }
2142    else {
2143        rng->status = DRBG_FAILED;
2144    }
2145#endif /* HAVE_HASHDRBG */
2146#endif /* CUSTOM_RAND_GENERATE_BLOCK */
2147
2148    return ret;
2149}
2150
2151
2152WOLFSSL_ABI
2153WC_RNG* wc_rng_new(byte* nonce, word32 nonceSz, void* heap)
2154{
2155    int ret = 0;
2156    WC_RNG* rng = NULL;
2157
2158    /* Assume if WC_USE_DEVID it is intended for default usage */
2159#ifdef WC_USE_DEVID
2160    ret = wc_rng_new_ex(&rng, nonce, nonceSz, heap, WC_USE_DEVID);
2161#else
2162    ret = wc_rng_new_ex(&rng, nonce, nonceSz, heap, INVALID_DEVID);
2163#endif
2164
2165    if (ret != 0) {
2166        return NULL;
2167    }
2168
2169    return rng;
2170}
2171
2172
2173int wc_rng_new_ex(WC_RNG **rng, byte* nonce, word32 nonceSz,
2174                  void* heap, int devId)
2175{
2176    int ret;
2177
2178    *rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), heap, DYNAMIC_TYPE_RNG);
2179    if (*rng == NULL) {
2180        return MEMORY_E;
2181    }
2182
2183    ret = _InitRng(*rng, nonce, nonceSz, heap, devId);
2184    if (ret != 0) {
2185        XFREE(*rng, heap, DYNAMIC_TYPE_RNG);
2186        *rng = NULL;
2187    }
2188
2189    return ret;
2190}
2191
2192
2193WOLFSSL_ABI
2194void wc_rng_free(WC_RNG* rng)
2195{
2196    if (rng) {
2197        void* heap = rng->heap;
2198
2199        wc_FreeRng(rng);
2200        ForceZero(rng, sizeof(WC_RNG));
2201        XFREE(rng, heap, DYNAMIC_TYPE_RNG);
2202        (void)heap;
2203    }
2204}
2205
2206WOLFSSL_ABI
2207int wc_InitRng(WC_RNG* rng)
2208{
2209    return _InitRng(rng, NULL, 0, NULL, INVALID_DEVID);
2210}
2211
2212
2213int wc_InitRng_ex(WC_RNG* rng, void* heap, int devId)
2214{
2215    return _InitRng(rng, NULL, 0, heap, devId);
2216}
2217
2218
2219int wc_InitRngNonce(WC_RNG* rng, byte* nonce, word32 nonceSz)
2220{
2221    return _InitRng(rng, nonce, nonceSz, NULL, INVALID_DEVID);
2222}
2223
2224
2225int wc_InitRngNonce_ex(WC_RNG* rng, byte* nonce, word32 nonceSz,
2226                       void* heap, int devId)
2227{
2228    return _InitRng(rng, nonce, nonceSz, heap, devId);
2229}
2230
2231#ifdef HAVE_HASHDRBG
2232static int PollAndReSeed(WC_RNG* rng)
2233{
2234    int ret   = DRBG_NEED_RESEED;
2235    int devId = INVALID_DEVID;
2236#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
2237    devId = rng->devId;
2238#endif
2239    if (wc_RNG_HealthTestLocal(rng, 1, rng->heap, devId) == 0) {
2240    #if defined(WOLFSSL_SMALL_STACK_CACHE)
2241        byte* newSeed = rng->newSeed_buf;
2242        ret = DRBG_SUCCESS;
2243    #elif defined(WOLFSSL_SMALL_STACK)
2244        byte* newSeed = (byte*)XMALLOC(SEED_SZ + SEED_BLOCK_SZ, rng->heap,
2245            DYNAMIC_TYPE_SEED);
2246        ret = (newSeed == NULL) ? MEMORY_E : DRBG_SUCCESS;
2247    #else
2248        byte newSeed[SEED_SZ + SEED_BLOCK_SZ];
2249        ret = DRBG_SUCCESS;
2250    #endif
2251        if (ret == DRBG_SUCCESS) {
2252        #ifdef WC_RNG_SEED_CB
2253            if (seedCb == NULL) {
2254                ret = DRBG_NO_SEED_CB;
2255            }
2256            else {
2257                ret = seedCb(&rng->seed, newSeed, SEED_SZ + SEED_BLOCK_SZ);
2258                if (ret != 0) {
2259    #ifdef WC_VERBOSE_RNG
2260                    WOLFSSL_DEBUG_PRINTF("ERROR: seedCb() in PollAndReSeed() "
2261                                         "failed with err %d", ret);
2262    #endif
2263                    ret = DRBG_FAILURE;
2264                }
2265            }
2266        #else
2267            ret = wc_GenerateSeed(&rng->seed, newSeed,
2268                              SEED_SZ + SEED_BLOCK_SZ);
2269            if (ret != 0) {
2270    #ifdef WC_VERBOSE_RNG
2271                WOLFSSL_DEBUG_PRINTF(
2272                    "ERROR: wc_GenerateSeed() in PollAndReSeed() failed with "
2273                    "err %d", ret);
2274    #endif
2275                ret = DRBG_FAILURE;
2276            }
2277        #endif
2278        }
2279        if (ret == DRBG_SUCCESS) {
2280            ret = wc_RNG_TestSeed(newSeed, SEED_SZ + SEED_BLOCK_SZ);
2281    #ifdef WC_VERBOSE_RNG
2282            if (ret != DRBG_SUCCESS)
2283                WOLFSSL_DEBUG_PRINTF(
2284                    "ERROR: wc_RNG_TestSeed() in PollAndReSeed() returned "
2285                    "err %d.", ret);
2286    #endif
2287        }
2288        if (ret == DRBG_SUCCESS) {
2289#ifndef NO_SHA256
2290            if (rng->drbgType == WC_DRBG_SHA256)
2291                ret = Hash_DRBG_Reseed((DRBG_internal *)rng->drbg,
2292                                       newSeed + SEED_BLOCK_SZ, SEED_SZ,
2293                                       NULL, 0);
2294#endif
2295#ifdef WOLFSSL_DRBG_SHA512
2296            if (rng->drbgType == WC_DRBG_SHA512)
2297                ret = Hash512_DRBG_Reseed(
2298                    (DRBG_SHA512_internal *)rng->drbg512,
2299                    newSeed + SEED_BLOCK_SZ, SEED_SZ, NULL, 0);
2300#endif
2301        }
2302    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
2303        if (newSeed != NULL) {
2304            ForceZero(newSeed, SEED_SZ + SEED_BLOCK_SZ);
2305        }
2306        XFREE(newSeed, rng->heap, DYNAMIC_TYPE_SEED);
2307    #else
2308        ForceZero(newSeed, sizeof(newSeed));
2309    #endif
2310    }
2311    else {
2312        ret = DRBG_CONT_FAILURE;
2313    }
2314
2315    return ret;
2316}
2317#endif
2318
2319/* place a generated block in output */
2320#ifdef WC_RNG_BANK_SUPPORT
2321static int wc_local_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
2322#else
2323WOLFSSL_ABI
2324int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
2325#endif
2326{
2327    int ret;
2328
2329    if (rng == NULL || output == NULL)
2330        return BAD_FUNC_ARG;
2331
2332    if (sz == 0)
2333        return 0;
2334
2335#ifdef WOLF_CRYPTO_CB
2336    #ifndef WOLF_CRYPTO_CB_FIND
2337    if (rng->devId != INVALID_DEVID)
2338    #endif
2339    {
2340        ret = wc_CryptoCb_RandomBlock(rng, output, sz);
2341        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
2342            return ret;
2343        /* fall-through when unavailable */
2344    }
2345#endif
2346
2347#ifdef HAVE_INTEL_RDRAND
2348    if (IS_INTEL_RDRAND(intel_flags))
2349        return wc_GenerateRand_IntelRD(NULL, output, sz);
2350#endif
2351
2352#if defined(WOLFSSL_SILABS_SE_ACCEL) && defined(WOLFSSL_SILABS_TRNG)
2353    return silabs_GenerateRand(output, sz);
2354#endif
2355
2356#if defined(WOLFSSL_ASYNC_CRYPT)
2357    if (rng->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RNG) {
2358        /* these are blocking */
2359    #ifdef HAVE_CAVIUM
2360        return NitroxRngGenerateBlock(rng, output, sz);
2361    #elif defined(HAVE_INTEL_QA) && defined(QAT_ENABLE_RNG)
2362        return IntelQaDrbg(&rng->asyncDev, output, sz);
2363    #else
2364        /* simulator not supported */
2365    #endif
2366    }
2367#endif
2368
2369#ifdef CUSTOM_RAND_GENERATE_BLOCK
2370    XMEMSET(output, 0, sz);
2371    ret = (int)CUSTOM_RAND_GENERATE_BLOCK(output, sz);
2372    #ifdef WC_VERBOSE_RNG
2373    if (ret != 0)
2374        WOLFSSL_DEBUG_PRINTF(
2375            "ERROR: CUSTOM_RAND_GENERATE_BLOCK failed with err %d.", ret);
2376    #endif
2377#else
2378
2379#ifdef HAVE_HASHDRBG
2380    if (sz > RNG_MAX_BLOCK_LEN)
2381        return BAD_FUNC_ARG;
2382
2383    if (rng->status != DRBG_OK)
2384        return RNG_FAILURE_E;
2385
2386#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
2387    if (rng->pid != getpid()) {
2388        rng->pid = getpid();
2389        ret = PollAndReSeed(rng);
2390        if (ret != DRBG_SUCCESS) {
2391            rng->status = DRBG_FAILED;
2392            return RNG_FAILURE_E;
2393        }
2394    }
2395#endif
2396
2397#ifndef NO_SHA256
2398    if (rng->drbgType == WC_DRBG_SHA256) {
2399        ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz,
2400                                 NULL, 0);
2401        if (ret == DRBG_NEED_RESEED) {
2402            ret = PollAndReSeed(rng);
2403            if (ret == DRBG_SUCCESS)
2404                ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output,
2405                                         sz, NULL, 0);
2406        }
2407    }
2408    else
2409#endif
2410#ifdef WOLFSSL_DRBG_SHA512
2411    if (rng->drbgType == WC_DRBG_SHA512) {
2412        ret = Hash512_DRBG_Generate((DRBG_SHA512_internal *)rng->drbg512,
2413                                    output, sz, NULL, 0);
2414        if (ret == DRBG_NEED_RESEED) {
2415            ret = PollAndReSeed(rng);
2416            if (ret == DRBG_SUCCESS)
2417                ret = Hash512_DRBG_Generate(
2418                    (DRBG_SHA512_internal *)rng->drbg512, output, sz,
2419                    NULL, 0);
2420        }
2421    }
2422    else
2423#endif
2424    {
2425        ret = DRBG_FAILURE;
2426    }
2427
2428    if (ret == DRBG_SUCCESS) {
2429        ret = 0;
2430    }
2431    else if (ret == DRBG_CONT_FAILURE) {
2432        ret = DRBG_CONT_FIPS_E;
2433        rng->status = DRBG_CONT_FAILED;
2434    }
2435    else {
2436        ret = RNG_FAILURE_E;
2437        rng->status = DRBG_FAILED;
2438    }
2439#else
2440
2441    /* if we get here then there is an RNG configuration error */
2442    ret = RNG_FAILURE_E;
2443
2444#endif /* HAVE_HASHDRBG */
2445#endif /* CUSTOM_RAND_GENERATE_BLOCK */
2446
2447    return ret;
2448}
2449
2450#ifdef WC_RNG_BANK_SUPPORT
2451WOLFSSL_ABI
2452int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
2453{
2454    if (rng == NULL)
2455        return BAD_FUNC_ARG;
2456
2457    if (rng->status == WC_DRBG_BANKREF) {
2458        int ret;
2459        struct wc_rng_bank_inst *bank_inst = NULL;
2460
2461        ret = wc_local_rng_bank_checkout_for_bankref(rng->bankref, &bank_inst);
2462        if (ret != 0)
2463            return ret;
2464        if (bank_inst == NULL)
2465            return BAD_STATE_E;
2466        ret = wc_local_RNG_GenerateBlock(WC_RNG_BANK_INST_TO_RNG(bank_inst),
2467                                         output, sz);
2468        {
2469            int checkin_ret = wc_rng_bank_checkin(rng->bankref, &bank_inst);
2470            if (checkin_ret != 0) {
2471#ifdef WC_VERBOSE_RNG
2472                WOLFSSL_DEBUG_PRINTF(
2473                    "ERROR: wc_RNG_GenerateBlock() wc_rng_bank_checkin() "
2474                    "failed with err %d.", checkin_ret);
2475#endif
2476                if (ret == 0)
2477                    ret = checkin_ret;
2478            }
2479        }
2480        return ret;
2481    }
2482    else
2483        return wc_local_RNG_GenerateBlock(rng, output, sz);
2484}
2485#endif
2486
2487int wc_RNG_GenerateByte(WC_RNG* rng, byte* b)
2488{
2489    return wc_RNG_GenerateBlock(rng, b, 1);
2490}
2491
2492
2493int wc_FreeRng(WC_RNG* rng)
2494{
2495    int ret = 0;
2496
2497    if (rng == NULL)
2498        return BAD_FUNC_ARG;
2499
2500#ifdef WC_RNG_BANK_SUPPORT
2501    if (rng->status == WC_DRBG_BANKREF)
2502        return wc_BankRef_Release(rng);
2503#endif /* WC_RNG_BANK_SUPPORT */
2504
2505#if defined(WOLFSSL_ASYNC_CRYPT)
2506    wolfAsync_DevCtxFree(&rng->asyncDev, WOLFSSL_ASYNC_MARKER_RNG);
2507#endif
2508
2509#ifdef HAVE_HASHDRBG
2510#ifndef NO_SHA256
2511    if (rng->drbg != NULL) {
2512      if (Hash_DRBG_Uninstantiate((DRBG_internal *)rng->drbg) != DRBG_SUCCESS)
2513            ret = RNG_FAILURE_E;
2514
2515    #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
2516        XFREE(rng->drbg, rng->heap, DYNAMIC_TYPE_RNG);
2517    #elif defined(WOLFSSL_CHECK_MEM_ZERO)
2518        wc_MemZero_Check(rng->drbg, sizeof(DRBG_internal));
2519    #endif
2520        rng->drbg = NULL;
2521    }
2522
2523    #ifdef WOLFSSL_SMALL_STACK_CACHE
2524    /* Scratch buffers are tracked independently of rng->drbg so that a
2525     * partial-construction failure path that nulled rng->drbg early
2526     * (or any future restructure that does the same) cannot leak them.
2527     * Free on their own NULL check rather than nesting under drbg. */
2528    if (rng->drbg_scratch != NULL) {
2529        if (Hash_DRBG_Uninstantiate((DRBG_internal *)rng->drbg_scratch)
2530                            != DRBG_SUCCESS)
2531            ret = RNG_FAILURE_E;
2532        XFREE(rng->drbg_scratch, rng->heap, DYNAMIC_TYPE_RNG);
2533        rng->drbg_scratch = NULL;
2534    }
2535    if (rng->health_check_scratch != NULL) {
2536        XFREE(rng->health_check_scratch, rng->heap, DYNAMIC_TYPE_TMP_BUFFER);
2537        rng->health_check_scratch = NULL;
2538    }
2539    #endif
2540#endif /* !NO_SHA256 */
2541
2542#ifdef WOLFSSL_DRBG_SHA512
2543    if (rng->drbg512 != NULL) {
2544        if (Hash512_DRBG_Uninstantiate(
2545                (DRBG_SHA512_internal *)rng->drbg512) != DRBG_SUCCESS)
2546            ret = RNG_FAILURE_E;
2547
2548    #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
2549        XFREE(rng->drbg512, rng->heap, DYNAMIC_TYPE_RNG);
2550    #endif
2551        rng->drbg512 = NULL;
2552    }
2553
2554    #ifdef WOLFSSL_SMALL_STACK_CACHE
2555    /* Same independence rationale as the SHA-256 scratch above. */
2556    if (rng->drbg512_scratch != NULL) {
2557        if (Hash512_DRBG_Uninstantiate(rng->drbg512_scratch)
2558                                != DRBG_SUCCESS)
2559            ret = RNG_FAILURE_E;
2560        XFREE(rng->drbg512_scratch, rng->heap, DYNAMIC_TYPE_RNG);
2561        rng->drbg512_scratch = NULL;
2562    }
2563    if (rng->health_check_scratch_512 != NULL) {
2564        XFREE(rng->health_check_scratch_512, rng->heap,
2565               DYNAMIC_TYPE_TMP_BUFFER);
2566        rng->health_check_scratch_512 = NULL;
2567    }
2568    #endif
2569#endif /* WOLFSSL_DRBG_SHA512 */
2570
2571#ifdef WOLFSSL_SMALL_STACK_CACHE
2572    XFREE(rng->newSeed_buf, rng->heap, DYNAMIC_TYPE_SEED);
2573    rng->newSeed_buf = NULL;
2574#endif
2575
2576    rng->status = DRBG_NOT_INIT;
2577#endif /* HAVE_HASHDRBG */
2578
2579#ifdef WOLFSSL_XILINX_CRYPT_VERSAL
2580    /* don't overwrite previously set error */
2581    if (wc_VersalTrngReset() && !ret)
2582        ret = WC_HW_E;
2583#endif
2584
2585#if defined(WOLFSSL_KEEP_RNG_SEED_FD_OPEN) && defined(XCLOSE) && \
2586    !defined(USE_WINDOWS_API)
2587    if(rng->seed.seedFdOpen && rng->seed.fd != XBADFD) {
2588        XCLOSE(rng->seed.fd);
2589        rng->seed.fd = XBADFD;
2590        rng->seed.seedFdOpen = 0;
2591    }
2592#endif
2593
2594    return ret;
2595}
2596
2597#ifdef HAVE_HASHDRBG
2598/* The original wc_RNG_HealthTest{,_ex} entry points operate on the SHA-256
2599 * Hash_DRBG (DRBG_internal). Gate them out under NO_SHA256; SHA-512-only
2600 * builds use wc_RNG_HealthTest_SHA512_ex declared further down. */
2601#ifndef NO_SHA256
2602int wc_RNG_HealthTest(int reseed, const byte* seedA, word32 seedASz,
2603                                  const byte* seedB, word32 seedBSz,
2604                                  byte* output, word32 outputSz)
2605{
2606    return wc_RNG_HealthTest_ex(reseed, NULL, 0,
2607                                seedA, seedASz, seedB, seedBSz,
2608                                output, outputSz,
2609                                NULL, INVALID_DEVID);
2610}
2611
2612
2613static int wc_RNG_HealthTest_ex_internal(DRBG_internal* drbg,
2614                                  int reseed, const byte* nonce, word32 nonceSz,
2615                                  const byte* seedA, word32 seedASz,
2616                                  const byte* seedB, word32 seedBSz,
2617                                  byte* output, word32 outputSz,
2618                                  void* heap, int devId)
2619{
2620    int ret = -1;
2621
2622    if (seedA == NULL || output == NULL) {
2623        return BAD_FUNC_ARG;
2624    }
2625
2626    if (reseed != 0 && seedB == NULL) {
2627        return BAD_FUNC_ARG;
2628    }
2629
2630    if (outputSz != RNG_HEALTH_TEST_CHECK_SIZE) {
2631        return ret;
2632    }
2633
2634#ifdef WOLFSSL_SMALL_STACK_CACHE
2635    (void)heap;
2636    (void)devId;
2637
2638    if (Hash_DRBG_Init(drbg, seedA, seedASz, nonce, nonceSz,
2639                        NULL, 0) != 0) {
2640        goto exit_rng_ht;
2641    }
2642#else
2643    if (Hash_DRBG_Instantiate(drbg, seedA, seedASz, nonce, nonceSz,
2644                              NULL, 0, heap, devId) != 0) {
2645        goto exit_rng_ht;
2646    }
2647#endif
2648
2649    if (reseed) {
2650        if (Hash_DRBG_Reseed(drbg, seedB, seedBSz, NULL, 0) != 0) {
2651            goto exit_rng_ht;
2652        }
2653    }
2654
2655    /* This call to generate is prescribed by the NIST DRBGVS
2656     * procedure. The results are thrown away. The known
2657     * answer test checks the second block of DRBG out of
2658     * the generator to ensure the internal state is updated
2659     * as expected. */
2660    if (Hash_DRBG_Generate(drbg, output, outputSz, NULL, 0) != 0) {
2661        goto exit_rng_ht;
2662    }
2663
2664    if (Hash_DRBG_Generate(drbg, output, outputSz, NULL, 0) != 0) {
2665        goto exit_rng_ht;
2666    }
2667
2668    /* Mark success */
2669    ret = 0;
2670
2671exit_rng_ht:
2672
2673#ifndef WOLFSSL_SMALL_STACK_CACHE
2674    /* This is safe to call even if Hash_DRBG_Instantiate fails */
2675    if (Hash_DRBG_Uninstantiate(drbg) != 0) {
2676        ret = -1;
2677    }
2678#endif
2679
2680    return ret;
2681}
2682
2683int wc_RNG_HealthTest_ex(int reseed, const byte* nonce, word32 nonceSz,
2684                                  const byte* seedA, word32 seedASz,
2685                                  const byte* seedB, word32 seedBSz,
2686                                  byte* output, word32 outputSz,
2687                                  void* heap, int devId)
2688{
2689    int ret = -1;
2690    DRBG_internal* drbg;
2691#ifndef WOLFSSL_SMALL_STACK
2692    DRBG_internal  drbg_var;
2693#endif
2694
2695#ifdef WOLFSSL_SMALL_STACK
2696    drbg = (DRBG_internal*)XMALLOC(sizeof(DRBG_internal), heap,
2697        DYNAMIC_TYPE_RNG);
2698    if (drbg == NULL) {
2699        return MEMORY_E;
2700    }
2701#else
2702    drbg = &drbg_var;
2703#endif
2704
2705#ifdef WOLFSSL_SMALL_STACK_CACHE
2706    ret = Hash_DRBG_Instantiate(drbg,
2707                    NULL /* seed */, 0, NULL /* nonce */, 0,
2708                    NULL /* perso */, 0, heap, devId);
2709    if (ret == 0)
2710#endif
2711    {
2712        ret = wc_RNG_HealthTest_ex_internal(
2713                drbg, reseed, nonce, nonceSz, seedA, seedASz,
2714                seedB, seedBSz, output, outputSz, heap, devId);
2715#ifdef WOLFSSL_SMALL_STACK_CACHE
2716        Hash_DRBG_Uninstantiate(drbg);
2717#endif
2718    }
2719    WC_FREE_VAR_EX(drbg, heap, DYNAMIC_TYPE_RNG);
2720
2721    return ret;
2722}
2723#endif /* !NO_SHA256 - wc_RNG_HealthTest{,_ex,_ex_internal} */
2724
2725
2726const FLASH_QUALIFIER byte seedA_data[] = {
2727    0x63, 0x36, 0x33, 0x77, 0xe4, 0x1e, 0x86, 0x46, 0x8d, 0xeb, 0x0a, 0xb4,
2728    0xa8, 0xed, 0x68, 0x3f, 0x6a, 0x13, 0x4e, 0x47, 0xe0, 0x14, 0xc7, 0x00,
2729    0x45, 0x4e, 0x81, 0xe9, 0x53, 0x58, 0xa5, 0x69, 0x80, 0x8a, 0xa3, 0x8f,
2730    0x2a, 0x72, 0xa6, 0x23, 0x59, 0x91, 0x5a, 0x9f, 0x8a, 0x04, 0xca, 0x68
2731};
2732
2733const FLASH_QUALIFIER byte reseedSeedA_data[] = {
2734    0xe6, 0x2b, 0x8a, 0x8e, 0xe8, 0xf1, 0x41, 0xb6, 0x98, 0x05, 0x66, 0xe3,
2735    0xbf, 0xe3, 0xc0, 0x49, 0x03, 0xda, 0xd4, 0xac, 0x2c, 0xdf, 0x9f, 0x22,
2736    0x80, 0x01, 0x0a, 0x67, 0x39, 0xbc, 0x83, 0xd3
2737};
2738
2739const FLASH_QUALIFIER byte outputA_data[] = {
2740    0x04, 0xee, 0xc6, 0x3b, 0xb2, 0x31, 0xdf, 0x2c, 0x63, 0x0a, 0x1a, 0xfb,
2741    0xe7, 0x24, 0x94, 0x9d, 0x00, 0x5a, 0x58, 0x78, 0x51, 0xe1, 0xaa, 0x79,
2742    0x5e, 0x47, 0x73, 0x47, 0xc8, 0xb0, 0x56, 0x62, 0x1c, 0x18, 0xbd, 0xdc,
2743    0xdd, 0x8d, 0x99, 0xfc, 0x5f, 0xc2, 0xb9, 0x20, 0x53, 0xd8, 0xcf, 0xac,
2744    0xfb, 0x0b, 0xb8, 0x83, 0x12, 0x05, 0xfa, 0xd1, 0xdd, 0xd6, 0xc0, 0x71,
2745    0x31, 0x8a, 0x60, 0x18, 0xf0, 0x3b, 0x73, 0xf5, 0xed, 0xe4, 0xd4, 0xd0,
2746    0x71, 0xf9, 0xde, 0x03, 0xfd, 0x7a, 0xea, 0x10, 0x5d, 0x92, 0x99, 0xb8,
2747    0xaf, 0x99, 0xaa, 0x07, 0x5b, 0xdb, 0x4d, 0xb9, 0xaa, 0x28, 0xc1, 0x8d,
2748    0x17, 0x4b, 0x56, 0xee, 0x2a, 0x01, 0x4d, 0x09, 0x88, 0x96, 0xff, 0x22,
2749    0x82, 0xc9, 0x55, 0xa8, 0x19, 0x69, 0xe0, 0x69, 0xfa, 0x8c, 0xe0, 0x07,
2750    0xa1, 0x80, 0x18, 0x3a, 0x07, 0xdf, 0xae, 0x17
2751};
2752
2753const FLASH_QUALIFIER byte seedB_data[] = {
2754    0xa6, 0x5a, 0xd0, 0xf3, 0x45, 0xdb, 0x4e, 0x0e, 0xff, 0xe8, 0x75, 0xc3,
2755    0xa2, 0xe7, 0x1f, 0x42, 0xc7, 0x12, 0x9d, 0x62, 0x0f, 0xf5, 0xc1, 0x19,
2756    0xa9, 0xef, 0x55, 0xf0, 0x51, 0x85, 0xe0, 0xfb, /* nonce next */
2757    0x85, 0x81, 0xf9, 0x31, 0x75, 0x17, 0x27, 0x6e, 0x06, 0xe9, 0x60, 0x7d,
2758    0xdb, 0xcb, 0xcc, 0x2e
2759};
2760
2761const FLASH_QUALIFIER byte outputB_data[] = {
2762    0xd3, 0xe1, 0x60, 0xc3, 0x5b, 0x99, 0xf3, 0x40, 0xb2, 0x62, 0x82, 0x64,
2763    0xd1, 0x75, 0x10, 0x60, 0xe0, 0x04, 0x5d, 0xa3, 0x83, 0xff, 0x57, 0xa5,
2764    0x7d, 0x73, 0xa6, 0x73, 0xd2, 0xb8, 0xd8, 0x0d, 0xaa, 0xf6, 0xa6, 0xc3,
2765    0x5a, 0x91, 0xbb, 0x45, 0x79, 0xd7, 0x3f, 0xd0, 0xc8, 0xfe, 0xd1, 0x11,
2766    0xb0, 0x39, 0x13, 0x06, 0x82, 0x8a, 0xdf, 0xed, 0x52, 0x8f, 0x01, 0x81,
2767    0x21, 0xb3, 0xfe, 0xbd, 0xc3, 0x43, 0xe7, 0x97, 0xb8, 0x7d, 0xbb, 0x63,
2768    0xdb, 0x13, 0x33, 0xde, 0xd9, 0xd1, 0xec, 0xe1, 0x77, 0xcf, 0xa6, 0xb7,
2769    0x1f, 0xe8, 0xab, 0x1d, 0xa4, 0x66, 0x24, 0xed, 0x64, 0x15, 0xe5, 0x1c,
2770    0xcd, 0xe2, 0xc7, 0xca, 0x86, 0xe2, 0x83, 0x99, 0x0e, 0xea, 0xeb, 0x91,
2771    0x12, 0x04, 0x15, 0x52, 0x8b, 0x22, 0x95, 0x91, 0x02, 0x81, 0xb0, 0x2d,
2772    0xd4, 0x31, 0xf4, 0xc9, 0xf7, 0x04, 0x27, 0xdf
2773};
2774
2775
2776/* SHA-512 DRBG KAT vectors for local health test.
2777 * Source: NIST CAVP Hash_DRBG.rsp, [SHA-512], PredictionResistance=False,
2778 * EntropyInputLen=256, NonceLen=128, PersonalizationStringLen=0,
2779 * AdditionalInputLen=0, ReturnedBitsLen=2048. */
2780#ifdef WOLFSSL_DRBG_SHA512
2781
2782/* Reseed test vectors (COUNT=0 from reseed section) */
2783static const byte sha512_seedA_data[] = {
2784    /* EntropyInput (32 bytes) || Nonce (16 bytes) */
2785    0x31, 0x44, 0xe1, 0x7a, 0x10, 0xc8, 0x56, 0x12,
2786    0x97, 0x64, 0xf5, 0x8f, 0xd8, 0xe4, 0x23, 0x10,
2787    0x20, 0x54, 0x69, 0x96, 0xc0, 0xbf, 0x6c, 0xff,
2788    0x8e, 0x91, 0xc2, 0x4e, 0xe0, 0x9b, 0xe3, 0x33,
2789    0xb1, 0x6f, 0xcb, 0x1c, 0xf0, 0xc0, 0x10, 0xf3,
2790    0x1f, 0xea, 0xb7, 0x33, 0x58, 0x8b, 0x8e, 0x04
2791};
2792static const byte sha512_reseedSeedA_data[] = {
2793    /* EntropyInputReseed (32 bytes) */
2794    0xa0, 0xb3, 0x58, 0x4c, 0x2c, 0x84, 0x12, 0xf6,
2795    0x18, 0x40, 0x68, 0x34, 0x40, 0x4d, 0x1e, 0xb0,
2796    0xce, 0x99, 0x9b, 0xa2, 0x89, 0x66, 0x05, 0x4d,
2797    0x7e, 0x49, 0x7e, 0x0d, 0xb6, 0x08, 0xb9, 0x67
2798};
2799static const byte sha512_outputA_data[] = {
2800    0xef, 0xa3, 0x5d, 0xd0, 0x36, 0x2a, 0xdb, 0x76,
2801    0x26, 0x45, 0x6b, 0x36, 0xfa, 0xc7, 0x4d, 0x3c,
2802    0x28, 0xd0, 0x1d, 0x92, 0x64, 0x20, 0x27, 0x5a,
2803    0x28, 0xbe, 0xa9, 0xc9, 0xdd, 0x75, 0x47, 0xc1,
2804    0x5e, 0x79, 0x31, 0x85, 0x2a, 0xc1, 0x27, 0x70,
2805    0x76, 0x56, 0x75, 0x35, 0x23, 0x9c, 0x1f, 0x42,
2806    0x9c, 0x7f, 0x75, 0xcf, 0x74, 0xc2, 0x26, 0x7d,
2807    0xeb, 0x6a, 0x3e, 0x59, 0x6c, 0xf3, 0x26, 0x15,
2808    0x6c, 0x79, 0x69, 0x41, 0x28, 0x3b, 0x8d, 0x58,
2809    0x3f, 0x17, 0x1c, 0x2f, 0x6e, 0x33, 0x23, 0xf7,
2810    0x55, 0x5e, 0x1b, 0x18, 0x1f, 0xfd, 0xa3, 0x05,
2811    0x07, 0x21, 0x0c, 0xb1, 0xf5, 0x89, 0xb2, 0x3c,
2812    0xd7, 0x18, 0x80, 0xfd, 0x44, 0x37, 0x0c, 0xac,
2813    0xf4, 0x33, 0x75, 0xb0, 0xdb, 0x7e, 0x33, 0x6f,
2814    0x12, 0xb3, 0x09, 0xbf, 0xd4, 0xf6, 0x10, 0xbb,
2815    0x8f, 0x20, 0xe1, 0xa1, 0x5e, 0x25, 0x3a, 0x4f,
2816    0xe5, 0x11, 0xa0, 0x27, 0x96, 0x8d, 0xf0, 0xb1,
2817    0x05, 0xa1, 0xd7, 0x3a, 0xff, 0x7c, 0x7a, 0x82,
2818    0x6d, 0x39, 0xf6, 0x40, 0xdf, 0xb8, 0xf5, 0x22,
2819    0x25, 0x9e, 0xd4, 0x02, 0x28, 0x2e, 0x2c, 0x2e,
2820    0x9d, 0x3a, 0x49, 0x8f, 0x51, 0x72, 0x5f, 0xe4,
2821    0x14, 0x1b, 0x06, 0xda, 0x55, 0x98, 0xa4, 0x2a,
2822    0xc1, 0xe0, 0x49, 0x4e, 0x99, 0x7d, 0x56, 0x6a,
2823    0x1a, 0x39, 0xb6, 0x76, 0xb9, 0x6a, 0x60, 0x03,
2824    0xa4, 0xc5, 0xdb, 0x84, 0xf2, 0x46, 0x58, 0x4e,
2825    0xe6, 0x5a, 0xf7, 0x0f, 0xf2, 0x16, 0x02, 0x78,
2826    0x16, 0x6d, 0xa1, 0x6d, 0x91, 0xc9, 0xb8, 0xf2,
2827    0xde, 0xb0, 0x27, 0x51, 0xa1, 0x08, 0x8a, 0xd6,
2828    0xbe, 0x4e, 0x80, 0xef, 0x96, 0x6e, 0xb7, 0x3e,
2829    0x66, 0xbc, 0x87, 0xca, 0xd8, 0x7c, 0x77, 0xc0,
2830    0xb3, 0x4a, 0x21, 0xba, 0x1d, 0xa0, 0xba, 0x6d,
2831    0x16, 0xca, 0x50, 0x46, 0xdc, 0x4a, 0xbd, 0xa0
2832};
2833
2834/* No-reseed test vectors (COUNT=0 from no-reseed section) */
2835static const byte sha512_seedB_data[] = {
2836    /* EntropyInput (32 bytes) || Nonce (16 bytes) */
2837    0x6b, 0x50, 0xa7, 0xd8, 0xf8, 0xa5, 0x5d, 0x7a,
2838    0x3d, 0xf8, 0xbb, 0x40, 0xbc, 0xc3, 0xb7, 0x22,
2839    0xd8, 0x70, 0x8d, 0xe6, 0x7f, 0xda, 0x01, 0x0b,
2840    0x03, 0xc4, 0xc8, 0x4d, 0x72, 0x09, 0x6f, 0x8c,
2841    0x3e, 0xc6, 0x49, 0xcc, 0x62, 0x56, 0xd9, 0xfa,
2842    0x31, 0xdb, 0x7a, 0x29, 0x04, 0xaa, 0xf0, 0x25
2843};
2844static const byte sha512_outputB_data[] = {
2845    0x95, 0xb7, 0xf1, 0x7e, 0x98, 0x02, 0xd3, 0x57,
2846    0x73, 0x92, 0xc6, 0xa9, 0xc0, 0x80, 0x83, 0xb6,
2847    0x7d, 0xd1, 0x29, 0x22, 0x65, 0xb5, 0xf4, 0x2d,
2848    0x23, 0x7f, 0x1c, 0x55, 0xbb, 0x9b, 0x10, 0xbf,
2849    0xcf, 0xd8, 0x2c, 0x77, 0xa3, 0x78, 0xb8, 0x26,
2850    0x6a, 0x00, 0x99, 0x14, 0x3b, 0x3c, 0x2d, 0x64,
2851    0x61, 0x1e, 0xee, 0xb6, 0x9a, 0xcd, 0xc0, 0x55,
2852    0x95, 0x7c, 0x13, 0x9e, 0x8b, 0x19, 0x0c, 0x7a,
2853    0x06, 0x95, 0x5f, 0x2c, 0x79, 0x7c, 0x27, 0x78,
2854    0xde, 0x94, 0x03, 0x96, 0xa5, 0x01, 0xf4, 0x0e,
2855    0x91, 0x39, 0x6a, 0xcf, 0x8d, 0x7e, 0x45, 0xeb,
2856    0xdb, 0xb5, 0x3b, 0xbf, 0x8c, 0x97, 0x52, 0x30,
2857    0xd2, 0xf0, 0xff, 0x91, 0x06, 0xc7, 0x61, 0x19,
2858    0xae, 0x49, 0x8e, 0x7f, 0xbc, 0x03, 0xd9, 0x0f,
2859    0x8e, 0x4c, 0x51, 0x62, 0x7a, 0xed, 0x5c, 0x8d,
2860    0x42, 0x63, 0xd5, 0xd2, 0xb9, 0x78, 0x87, 0x3a,
2861    0x0d, 0xe5, 0x96, 0xee, 0x6d, 0xc7, 0xf7, 0xc2,
2862    0x9e, 0x37, 0xee, 0xe8, 0xb3, 0x4c, 0x90, 0xdd,
2863    0x1c, 0xf6, 0xa9, 0xdd, 0xb2, 0x2b, 0x4c, 0xbd,
2864    0x08, 0x6b, 0x14, 0xb3, 0x5d, 0xe9, 0x3d, 0xa2,
2865    0xd5, 0xcb, 0x18, 0x06, 0x69, 0x8c, 0xbd, 0x7b,
2866    0xbb, 0x67, 0xbf, 0xe3, 0xd3, 0x1f, 0xd2, 0xd1,
2867    0xdb, 0xd2, 0xa1, 0xe0, 0x58, 0xa3, 0xeb, 0x99,
2868    0xd7, 0xe5, 0x1f, 0x1a, 0x93, 0x8e, 0xed, 0x5e,
2869    0x1c, 0x1d, 0xe2, 0x3a, 0x6b, 0x43, 0x45, 0xd3,
2870    0x19, 0x14, 0x09, 0xf9, 0x2f, 0x39, 0xb3, 0x67,
2871    0x0d, 0x8d, 0xbf, 0xb6, 0x35, 0xd8, 0xe6, 0xa3,
2872    0x69, 0x32, 0xd8, 0x10, 0x33, 0xd1, 0x44, 0x8d,
2873    0x63, 0xb4, 0x03, 0xdd, 0xf8, 0x8e, 0x12, 0x1b,
2874    0x6e, 0x81, 0x9a, 0xc3, 0x81, 0x22, 0x6c, 0x13,
2875    0x21, 0xe4, 0xb0, 0x86, 0x44, 0xf6, 0x72, 0x7c,
2876    0x36, 0x8c, 0x5a, 0x9f, 0x7a, 0x4b, 0x3e, 0xe2
2877};
2878#endif /* WOLFSSL_DRBG_SHA512 */
2879
2880
2881static int wc_RNG_HealthTestLocal(WC_RNG* rng, int reseed, void* heap,
2882                                  int devId)
2883{
2884    int ret = 0;
2885
2886#ifdef WOLFSSL_DRBG_SHA512
2887    /* SHA-512 DRBG health test path */
2888    if (rng->drbgType == WC_DRBG_SHA512) {
2889    #ifdef WOLFSSL_SMALL_STACK_CACHE
2890        byte *check512 = rng->health_check_scratch_512;
2891        DRBG_SHA512_internal* drbg512 = rng->drbg512_scratch;
2892    #else
2893        WC_DECLARE_VAR(check512, byte, RNG_HEALTH_TEST_CHECK_SIZE_SHA512, 0);
2894        WC_DECLARE_VAR(drbg512, DRBG_SHA512_internal, 1, 0);
2895
2896        WC_ALLOC_VAR_EX(check512, byte, RNG_HEALTH_TEST_CHECK_SIZE_SHA512,
2897            heap, DYNAMIC_TYPE_TMP_BUFFER, return MEMORY_E);
2898        WC_ALLOC_VAR_EX(drbg512, DRBG_SHA512_internal, 1, heap,
2899            DYNAMIC_TYPE_TMP_BUFFER, WC_DO_NOTHING);
2900        #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
2901        if (drbg512 == NULL) {
2902            WC_FREE_VAR_EX(check512, heap, DYNAMIC_TYPE_TMP_BUFFER);
2903            return MEMORY_E;
2904        }
2905        #endif
2906    #endif
2907
2908        if (reseed) {
2909            /* Reseed test with NIST CAVP SHA-512 vectors */
2910            ret = wc_RNG_HealthTest_SHA512_ex_internal(
2911                        drbg512, 1, NULL, 0, NULL, 0,
2912                        sha512_seedA_data, sizeof(sha512_seedA_data),
2913                        sha512_reseedSeedA_data,
2914                        sizeof(sha512_reseedSeedA_data),
2915                        NULL, 0, NULL, 0,
2916                        check512, RNG_HEALTH_TEST_CHECK_SIZE_SHA512,
2917                        heap, devId);
2918            if (ret == 0) {
2919                if (ConstantCompare(check512, sha512_outputA_data,
2920                                    RNG_HEALTH_TEST_CHECK_SIZE_SHA512) != 0)
2921                    ret = -1;
2922            }
2923        }
2924        else {
2925            /* No-reseed test with NIST CAVP SHA-512 vectors */
2926            ret = wc_RNG_HealthTest_SHA512_ex_internal(
2927                        drbg512, 0, NULL, 0, NULL, 0,
2928                        sha512_seedB_data, sizeof(sha512_seedB_data),
2929                        NULL, 0,
2930                        NULL, 0, NULL, 0,
2931                        check512, RNG_HEALTH_TEST_CHECK_SIZE_SHA512,
2932                        heap, devId);
2933            if (ret == 0) {
2934                if (ConstantCompare(check512, sha512_outputB_data,
2935                                    RNG_HEALTH_TEST_CHECK_SIZE_SHA512) != 0)
2936                    ret = -1;
2937            }
2938        }
2939
2940    #ifndef WOLFSSL_SMALL_STACK_CACHE
2941        WC_FREE_VAR_EX(check512, heap, DYNAMIC_TYPE_TMP_BUFFER);
2942        WC_FREE_VAR_EX(drbg512, heap, DYNAMIC_TYPE_TMP_BUFFER);
2943    #endif
2944        return ret;
2945    }
2946#endif /* WOLFSSL_DRBG_SHA512 */
2947
2948    /* SHA-256 DRBG health test path (original) */
2949#ifndef NO_SHA256
2950    {
2951#ifdef WOLFSSL_SMALL_STACK_CACHE
2952    byte *check = rng->health_check_scratch;
2953    DRBG_internal* drbg = (DRBG_internal *)rng->drbg_scratch;
2954#else
2955    WC_DECLARE_VAR(check, byte, RNG_HEALTH_TEST_CHECK_SIZE, 0);
2956    WC_DECLARE_VAR(drbg, DRBG_internal, 1, 0);
2957
2958    (void)rng;
2959
2960    WC_ALLOC_VAR_EX(check, byte, RNG_HEALTH_TEST_CHECK_SIZE, heap,
2961        DYNAMIC_TYPE_TMP_BUFFER, return MEMORY_E);
2962    WC_ALLOC_VAR_EX(drbg, DRBG_internal, 1, heap,
2963        DYNAMIC_TYPE_TMP_BUFFER, WC_DO_NOTHING);
2964    #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
2965    if (drbg == NULL) {
2966        WC_FREE_VAR_EX(check, heap, DYNAMIC_TYPE_TMP_BUFFER);
2967        return MEMORY_E;
2968    }
2969    #endif
2970#endif
2971
2972    if (reseed) {
2973#ifdef WOLFSSL_USE_FLASHMEM
2974        byte* seedA = (byte*)XMALLOC(sizeof(seedA_data), heap,
2975                             DYNAMIC_TYPE_TMP_BUFFER);
2976        byte* reseedSeedA = (byte*)XMALLOC(sizeof(reseedSeedA_data), heap,
2977                             DYNAMIC_TYPE_TMP_BUFFER);
2978        byte* outputA = (byte*)XMALLOC(sizeof(outputA_data), heap,
2979                             DYNAMIC_TYPE_TMP_BUFFER);
2980
2981        if (!seedA || !reseedSeedA || !outputA) {
2982            XFREE(seedA, heap, DYNAMIC_TYPE_TMP_BUFFER);
2983            XFREE(reseedSeedA, heap, DYNAMIC_TYPE_TMP_BUFFER);
2984            XFREE(outputA, heap, DYNAMIC_TYPE_TMP_BUFFER);
2985            ret = MEMORY_E;
2986        }
2987        else {
2988            XMEMCPY_P(seedA, seedA_data, sizeof(seedA_data));
2989            XMEMCPY_P(reseedSeedA, reseedSeedA_data, sizeof(reseedSeedA_data));
2990            XMEMCPY_P(outputA, outputA_data, sizeof(outputA_data));
2991#else
2992        const byte* seedA = seedA_data;
2993        const byte* reseedSeedA = reseedSeedA_data;
2994        const byte* outputA = outputA_data;
2995#endif
2996        ret = wc_RNG_HealthTest_ex_internal(drbg, 1, NULL, 0,
2997                                   seedA, sizeof(seedA_data),
2998                                   reseedSeedA, sizeof(reseedSeedA_data),
2999                                   check, RNG_HEALTH_TEST_CHECK_SIZE,
3000                                   heap, devId);
3001        if (ret == 0) {
3002            if (ConstantCompare(check, outputA,
3003                                RNG_HEALTH_TEST_CHECK_SIZE) != 0)
3004                ret = -1;
3005        }
3006
3007#ifdef WOLFSSL_USE_FLASHMEM
3008            XFREE(seedA, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3009            XFREE(reseedSeedA, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3010            XFREE(outputA, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3011        }
3012#endif
3013    }
3014    else {
3015#ifdef WOLFSSL_USE_FLASHMEM
3016        byte* seedB = (byte*)XMALLOC(sizeof(seedB_data), heap,
3017                             DYNAMIC_TYPE_TMP_BUFFER);
3018        byte* outputB = (byte*)XMALLOC(sizeof(outputB_data), heap,
3019                               DYNAMIC_TYPE_TMP_BUFFER);
3020
3021        if (!seedB || !outputB) {
3022            XFREE(seedB, heap, DYNAMIC_TYPE_TMP_BUFFER);
3023            XFREE(outputB, heap, DYNAMIC_TYPE_TMP_BUFFER);
3024            ret = MEMORY_E;
3025        }
3026        else {
3027            XMEMCPY_P(seedB, seedB_data, sizeof(seedB_data));
3028            XMEMCPY_P(outputB, outputB_data, sizeof(outputB_data));
3029#else
3030        const byte* seedB = seedB_data;
3031        const byte* outputB = outputB_data;
3032#endif
3033#if defined(DEBUG_WOLFSSL)
3034        WOLFSSL_MSG_EX("RNG_HEALTH_TEST_CHECK_SIZE = %d",
3035                        RNG_HEALTH_TEST_CHECK_SIZE);
3036        WOLFSSL_MSG_EX("sizeof(seedB_data)         = %d",
3037                        (int)sizeof(outputB_data));
3038#endif
3039        ret = wc_RNG_HealthTest_ex_internal(drbg, 0, NULL, 0,
3040                                   seedB, sizeof(seedB_data),
3041                                   NULL, 0,
3042                                   check, RNG_HEALTH_TEST_CHECK_SIZE,
3043                                   heap, devId);
3044        if (ret != 0) {
3045            #if defined(DEBUG_WOLFSSL)
3046            WOLFSSL_MSG_EX("RNG_HealthTest failed: err = %d", ret);
3047            #endif
3048        }
3049        else {
3050            ret = ConstantCompare(check, outputB,
3051                                RNG_HEALTH_TEST_CHECK_SIZE);
3052            if (ret != 0) {
3053                #if defined(DEBUG_WOLFSSL)
3054                WOLFSSL_MSG_EX("Random ConstantCompare failed: err = %d", ret);
3055                #endif
3056                ret = -1;
3057            }
3058        }
3059
3060        /* The previous test cases use a large seed instead of a seed and nonce.
3061         * seedB is actually from a test case with a seed and nonce, and
3062         * just concatenates them. The pivot point between seed and nonce is
3063         * byte 32, feed them into the health test separately. */
3064        if (ret == 0) {
3065            ret = wc_RNG_HealthTest_ex_internal(drbg, 0,
3066                                       seedB + 32, sizeof(seedB_data) - 32,
3067                                       seedB, 32,
3068                                       NULL, 0,
3069                                       check, RNG_HEALTH_TEST_CHECK_SIZE,
3070                                       heap, devId);
3071            if (ret == 0) {
3072                if (ConstantCompare(check, outputB, sizeof(outputB_data)) != 0)
3073                    ret = -1;
3074            }
3075        }
3076
3077#ifdef WOLFSSL_USE_FLASHMEM
3078            XFREE(seedB, heap, DYNAMIC_TYPE_TMP_BUFFER);
3079            XFREE(outputB, heap, DYNAMIC_TYPE_TMP_BUFFER);
3080        }
3081#endif
3082    }
3083
3084#ifndef WOLFSSL_SMALL_STACK_CACHE
3085    WC_FREE_VAR_EX(check, heap, DYNAMIC_TYPE_TMP_BUFFER);
3086    WC_FREE_VAR_EX(drbg, heap, DYNAMIC_TYPE_TMP_BUFFER);
3087#endif
3088    } /* SHA-256 path */
3089#endif /* !NO_SHA256 */
3090
3091    return ret;
3092}
3093
3094/* ====================================================================== */
3095/* SHA-512 Health Test API                                                 */
3096/* ====================================================================== */
3097#ifdef WOLFSSL_DRBG_SHA512
3098
3099static int wc_RNG_HealthTest_SHA512_ex_internal(DRBG_SHA512_internal* drbg,
3100                                  int reseed, const byte* nonce, word32 nonceSz,
3101                                  const byte* perso, word32 persoSz,
3102                                  const byte* seedA, word32 seedASz,
3103                                  const byte* seedB, word32 seedBSz,
3104                                  const byte* additionalA, word32 additionalASz,
3105                                  const byte* additionalB, word32 additionalBSz,
3106                                  byte* output, word32 outputSz,
3107                                  void* heap, int devId)
3108{
3109    int ret = -1;
3110
3111    if (seedA == NULL || output == NULL) {
3112        return BAD_FUNC_ARG;
3113    }
3114
3115    if (reseed != 0 && seedB == NULL) {
3116        return BAD_FUNC_ARG;
3117    }
3118
3119    if (outputSz != RNG_HEALTH_TEST_CHECK_SIZE_SHA512) {
3120        return ret;
3121    }
3122
3123#ifdef WOLFSSL_SMALL_STACK_CACHE
3124    (void)heap;
3125    (void)devId;
3126
3127    if (Hash512_DRBG_Init(drbg, seedA, seedASz, nonce, nonceSz,
3128                          perso, persoSz) != 0) {
3129        goto exit_rng_ht512;
3130    }
3131#else
3132    if (Hash512_DRBG_Instantiate(drbg, seedA, seedASz, nonce, nonceSz,
3133                              perso, persoSz, heap, devId) != 0) {
3134        goto exit_rng_ht512;
3135    }
3136#endif
3137
3138    if (reseed) {
3139        if (Hash512_DRBG_Reseed(drbg, seedB, seedBSz, NULL, 0) != 0) {
3140            goto exit_rng_ht512;
3141        }
3142    }
3143
3144    /* First generate: output discarded per NIST DRBGVS procedure */
3145    if (Hash512_DRBG_Generate(drbg, output, outputSz,
3146                              additionalA, additionalASz) != 0) {
3147        goto exit_rng_ht512;
3148    }
3149
3150    /* Second generate: this is the actual test output */
3151    if (Hash512_DRBG_Generate(drbg, output, outputSz,
3152                              additionalB, additionalBSz) != 0) {
3153        goto exit_rng_ht512;
3154    }
3155
3156    ret = 0;
3157
3158exit_rng_ht512:
3159
3160#ifndef WOLFSSL_SMALL_STACK_CACHE
3161    if (Hash512_DRBG_Uninstantiate(drbg) != 0) {
3162        ret = -1;
3163    }
3164#endif
3165
3166    return ret;
3167}
3168
3169
3170/* Extended API with personalization string and additional input
3171 * for ACVP testing */
3172int wc_RNG_HealthTest_SHA512_ex(int reseed,
3173                                const byte* nonce, word32 nonceSz,
3174                                const byte* persoString, word32 persoStringSz,
3175                                const byte* seedA, word32 seedASz,
3176                                const byte* seedB, word32 seedBSz,
3177                                const byte* additionalA, word32 additionalASz,
3178                                const byte* additionalB, word32 additionalBSz,
3179                                byte* output, word32 outputSz,
3180                                void* heap, int devId)
3181{
3182    int ret = -1;
3183    DRBG_SHA512_internal* drbg;
3184#ifndef WOLFSSL_SMALL_STACK
3185    DRBG_SHA512_internal  drbg_var;
3186#endif
3187
3188    if (seedA == NULL || output == NULL) {
3189        return BAD_FUNC_ARG;
3190    }
3191
3192    if (outputSz != RNG_HEALTH_TEST_CHECK_SIZE_SHA512) {
3193        return ret;
3194    }
3195
3196#ifdef WOLFSSL_SMALL_STACK
3197    drbg = (DRBG_SHA512_internal*)XMALLOC(sizeof(DRBG_SHA512_internal), heap,
3198        DYNAMIC_TYPE_RNG);
3199    if (drbg == NULL) {
3200        return MEMORY_E;
3201    }
3202#else
3203    drbg = &drbg_var;
3204#endif
3205
3206    /* SP 800-90A Sec 10.1.1.2: personalization string is concatenated
3207     * with entropy during instantiation via Hash_df. */
3208    ret = Hash512_DRBG_Instantiate(drbg, seedA, seedASz, nonce, nonceSz,
3209                                   persoString, persoStringSz, heap, devId);
3210    if (ret != 0) {
3211        goto exit_sha512_ex;
3212    }
3213
3214    if (reseed) {
3215        if (seedB != NULL && seedBSz > 0) {
3216            ret = Hash512_DRBG_Reseed(drbg, seedB, seedBSz, NULL, 0);
3217            if (ret != 0) goto exit_sha512_ex;
3218        }
3219    }
3220
3221    /* First generate (output discarded per NIST procedure) */
3222    ret = Hash512_DRBG_Generate(drbg, output, outputSz,
3223                                additionalA, additionalASz);
3224    if (ret != 0) goto exit_sha512_ex;
3225
3226    /* Second generate (this is the actual output) */
3227    ret = Hash512_DRBG_Generate(drbg, output, outputSz,
3228                                additionalB, additionalBSz);
3229
3230exit_sha512_ex:
3231    (void)Hash512_DRBG_Uninstantiate(drbg);
3232
3233#ifdef WOLFSSL_SMALL_STACK
3234    XFREE(drbg, heap, DYNAMIC_TYPE_RNG);
3235#endif
3236
3237    return (ret == DRBG_SUCCESS) ? 0 : -1;
3238}
3239
3240
3241/* Simple API matching wc_RNG_HealthTest() pattern - entropy+nonce only */
3242int wc_RNG_HealthTest_SHA512(int reseed,
3243                             const byte* seedA, word32 seedASz,
3244                             const byte* seedB, word32 seedBSz,
3245                             byte* output, word32 outputSz)
3246{
3247    int ret = -1;
3248    DRBG_SHA512_internal* drbg;
3249#ifndef WOLFSSL_SMALL_STACK
3250    DRBG_SHA512_internal  drbg_var;
3251#endif
3252
3253#ifdef WOLFSSL_SMALL_STACK
3254    drbg = (DRBG_SHA512_internal*)XMALLOC(sizeof(DRBG_SHA512_internal), NULL,
3255        DYNAMIC_TYPE_RNG);
3256    if (drbg == NULL) {
3257        return MEMORY_E;
3258    }
3259#else
3260    drbg = &drbg_var;
3261#endif
3262
3263#ifdef WOLFSSL_SMALL_STACK_CACHE
3264    ret = Hash512_DRBG_Instantiate(drbg,
3265                    NULL /* seed */, 0, NULL /* nonce */, 0,
3266                    NULL, 0, NULL, INVALID_DEVID);
3267    if (ret == 0)
3268#endif
3269    {
3270        ret = wc_RNG_HealthTest_SHA512_ex_internal(
3271                drbg, reseed, NULL, 0, NULL, 0,
3272                seedA, seedASz, seedB, seedBSz,
3273                NULL, 0, NULL, 0,
3274                output, outputSz, NULL, INVALID_DEVID);
3275#ifdef WOLFSSL_SMALL_STACK_CACHE
3276        Hash512_DRBG_Uninstantiate(drbg);
3277#endif
3278    }
3279    WC_FREE_VAR_EX(drbg, NULL, DYNAMIC_TYPE_RNG);
3280
3281    return ret;
3282}
3283
3284#endif /* WOLFSSL_DRBG_SHA512 */
3285
3286#ifndef NO_SHA256
3287/* Extended SHA-256 Hash_DRBG health test per SP 800-90A.
3288 * Supports flexible output sizes, prediction resistance, personalization
3289 * strings, and additional input.
3290 *
3291 * predResistance=0: Instantiate(entropyA, nonce, perso) ->
3292 *                   Reseed(entropyB, additionalReseed) ->
3293 *                   Gen1(additionalA, discard) -> Gen2(additionalB, keep)
3294 * predResistance=1: Instantiate(entropyA, nonce, perso) ->
3295 *                   Reseed(entropyB, additionalA)+Gen1(NULL, discard) ->
3296 *                   Reseed(entropyC, additionalB)+Gen2(NULL, keep)
3297 */
3298int wc_RNG_HealthTest_SHA256_ex(
3299    int predResistance,
3300    const byte* nonce, word32 nonceSz,
3301    const byte* persoString, word32 persoStringSz,
3302    const byte* entropyA, word32 entropyASz,
3303    const byte* entropyB, word32 entropyBSz,
3304    const byte* entropyC, word32 entropyCsz,
3305    const byte* additionalA, word32 additionalASz,
3306    const byte* additionalB, word32 additionalBSz,
3307    const byte* additionalReseed, word32 additionalReseedSz,
3308    byte* output, word32 outputSz,
3309    void* heap, int devId)
3310{
3311    int ret;
3312    DRBG_internal* drbg;
3313#ifndef WOLFSSL_SMALL_STACK
3314    DRBG_internal  drbg_var;
3315#endif
3316
3317    if (entropyA == NULL || output == NULL || outputSz == 0) {
3318        return BAD_FUNC_ARG;
3319    }
3320
3321#ifdef WOLFSSL_SMALL_STACK
3322    drbg = (DRBG_internal*)XMALLOC(sizeof(DRBG_internal), heap,
3323        DYNAMIC_TYPE_RNG);
3324    if (drbg == NULL) {
3325        return MEMORY_E;
3326    }
3327#else
3328    drbg = &drbg_var;
3329#endif
3330
3331    /* Instantiate with entropy, nonce, personalization string */
3332    ret = Hash_DRBG_Instantiate(drbg, entropyA, entropyASz, nonce, nonceSz,
3333                                persoString, persoStringSz, heap, devId);
3334    if (ret != 0) goto exit_sha256_ex;
3335
3336    if (predResistance) {
3337        /* Prediction resistance mode per SP 800-90A 9.3.1:
3338         * additional_input is passed to Reseed, Generate gets NULL */
3339
3340        /* Reseed 1 with additionalA, then Generate 1 with NULL (discard) */
3341        if (entropyB != NULL && entropyBSz > 0) {
3342            ret = Hash_DRBG_Reseed(drbg, entropyB, entropyBSz,
3343                                   additionalA, additionalASz);
3344            if (ret != 0) goto exit_sha256_ex;
3345        }
3346        ret = Hash_DRBG_Generate(drbg, output, outputSz, NULL, 0);
3347        if (ret != 0) goto exit_sha256_ex;
3348
3349        /* Reseed 2 with additionalB, then Generate 2 with NULL (keep) */
3350        if (entropyC != NULL && entropyCsz > 0) {
3351            ret = Hash_DRBG_Reseed(drbg, entropyC, entropyCsz,
3352                                   additionalB, additionalBSz);
3353            if (ret != 0) goto exit_sha256_ex;
3354        }
3355        ret = Hash_DRBG_Generate(drbg, output, outputSz, NULL, 0);
3356    }
3357    else {
3358        /* Standard mode: explicit reseed, then two generates */
3359        if (entropyB != NULL && entropyBSz > 0) {
3360            ret = Hash_DRBG_Reseed(drbg, entropyB, entropyBSz,
3361                                   additionalReseed, additionalReseedSz);
3362            if (ret != 0) goto exit_sha256_ex;
3363        }
3364
3365        /* Generate 1 (output discarded per NIST DRBGVS procedure) */
3366        ret = Hash_DRBG_Generate(drbg, output, outputSz,
3367                                 additionalA, additionalASz);
3368        if (ret != 0) goto exit_sha256_ex;
3369
3370        /* Generate 2 (this is the actual test output) */
3371        ret = Hash_DRBG_Generate(drbg, output, outputSz,
3372                                 additionalB, additionalBSz);
3373    }
3374
3375exit_sha256_ex:
3376    (void)Hash_DRBG_Uninstantiate(drbg);
3377
3378#ifdef WOLFSSL_SMALL_STACK
3379    XFREE(drbg, heap, DYNAMIC_TYPE_RNG);
3380#endif
3381
3382    return ret;
3383}
3384#endif /* !NO_SHA256 */
3385
3386
3387#ifdef WOLFSSL_DRBG_SHA512
3388/* Extended SHA-512 Hash_DRBG health test per SP 800-90A.
3389 * Supports flexible output sizes and prediction resistance mode.
3390 *
3391 * Per SP 800-90A Section 9.3.1, when prediction resistance is requested,
3392 * the additional_input is consumed by the Reseed step and the subsequent
3393 * Generate uses NULL additional_input.
3394 *
3395 * predResistance=0: Instantiate ->
3396 *                   Reseed(entropyB, additionalReseed) ->
3397 *                   Gen1(additionalA, discard) -> Gen2(additionalB, keep)
3398 * predResistance=1: Instantiate ->
3399 *                   Reseed(entropyB, additionalA)+Gen1(NULL, discard) ->
3400 *                   Reseed(entropyC, additionalB)+Gen2(NULL, keep)
3401 */
3402int wc_RNG_HealthTest_SHA512_ex2(
3403    int predResistance,
3404    const byte* nonce, word32 nonceSz,
3405    const byte* persoString, word32 persoStringSz,
3406    const byte* entropyA, word32 entropyASz,
3407    const byte* entropyB, word32 entropyBSz,
3408    const byte* entropyC, word32 entropyCsz,
3409    const byte* additionalA, word32 additionalASz,
3410    const byte* additionalB, word32 additionalBSz,
3411    const byte* additionalReseed, word32 additionalReseedSz,
3412    byte* output, word32 outputSz,
3413    void* heap, int devId)
3414{
3415    int ret;
3416    DRBG_SHA512_internal* drbg;
3417#ifndef WOLFSSL_SMALL_STACK
3418    DRBG_SHA512_internal  drbg_var;
3419#endif
3420
3421    if (entropyA == NULL || output == NULL || outputSz == 0) {
3422        return BAD_FUNC_ARG;
3423    }
3424
3425#ifdef WOLFSSL_SMALL_STACK
3426    drbg = (DRBG_SHA512_internal*)XMALLOC(sizeof(DRBG_SHA512_internal), heap,
3427        DYNAMIC_TYPE_RNG);
3428    if (drbg == NULL) {
3429        return MEMORY_E;
3430    }
3431#else
3432    drbg = &drbg_var;
3433#endif
3434
3435    /* Instantiate with entropy, nonce, personalization string */
3436    ret = Hash512_DRBG_Instantiate(drbg, entropyA, entropyASz, nonce, nonceSz,
3437                                   persoString, persoStringSz, heap, devId);
3438    if (ret != 0) goto exit_sha512_ex2;
3439
3440    if (predResistance) {
3441        /* Prediction resistance mode per SP 800-90A 9.3.1:
3442         * additional_input is passed to Reseed, Generate gets NULL */
3443
3444        /* Reseed 1 with additionalA, then Generate 1 with NULL (discard) */
3445        if (entropyB != NULL && entropyBSz > 0) {
3446            ret = Hash512_DRBG_Reseed(drbg, entropyB, entropyBSz,
3447                                      additionalA, additionalASz);
3448            if (ret != 0) goto exit_sha512_ex2;
3449        }
3450        ret = Hash512_DRBG_Generate(drbg, output, outputSz, NULL, 0);
3451        if (ret != 0) goto exit_sha512_ex2;
3452
3453        /* Reseed 2 with additionalB, then Generate 2 with NULL (keep) */
3454        if (entropyC != NULL && entropyCsz > 0) {
3455            ret = Hash512_DRBG_Reseed(drbg, entropyC, entropyCsz,
3456                                      additionalB, additionalBSz);
3457            if (ret != 0) goto exit_sha512_ex2;
3458        }
3459        ret = Hash512_DRBG_Generate(drbg, output, outputSz, NULL, 0);
3460    }
3461    else {
3462        /* Standard mode: explicit reseed, then two generates */
3463        if (entropyB != NULL && entropyBSz > 0) {
3464            ret = Hash512_DRBG_Reseed(drbg, entropyB, entropyBSz,
3465                                      additionalReseed, additionalReseedSz);
3466            if (ret != 0) goto exit_sha512_ex2;
3467        }
3468
3469        /* Generate 1 (output discarded per NIST DRBGVS procedure) */
3470        ret = Hash512_DRBG_Generate(drbg, output, outputSz,
3471                                    additionalA, additionalASz);
3472        if (ret != 0) goto exit_sha512_ex2;
3473
3474        /* Generate 2 (this is the actual test output) */
3475        ret = Hash512_DRBG_Generate(drbg, output, outputSz,
3476                                    additionalB, additionalBSz);
3477    }
3478
3479exit_sha512_ex2:
3480    (void)Hash512_DRBG_Uninstantiate(drbg);
3481
3482#ifdef WOLFSSL_SMALL_STACK
3483    XFREE(drbg, heap, DYNAMIC_TYPE_RNG);
3484#endif
3485
3486    return (ret == DRBG_SUCCESS) ? 0 : -1;
3487}
3488
3489#endif /* WOLFSSL_DRBG_SHA512 */
3490
3491#endif /* HAVE_HASHDRBG */
3492
3493
3494#ifdef HAVE_WNR
3495
3496/*
3497 * Init global Whitewood netRandom context
3498 * Returns 0 on success, negative on error
3499 */
3500int wc_InitNetRandom(const char* configFile, wnr_hmac_key hmac_cb, int timeout)
3501{
3502    int ret;
3503
3504    if (configFile == NULL || timeout < 0)
3505        return BAD_FUNC_ARG;
3506
3507#ifndef WOLFSSL_MUTEX_INITIALIZER
3508    if (wnr_mutex_inited > 0) {
3509        WOLFSSL_MSG("netRandom context already created, skipping");
3510        return 0;
3511    }
3512
3513    if (wc_InitMutex(&wnr_mutex) != 0) {
3514        WOLFSSL_MSG("Bad Init Mutex wnr_mutex");
3515        return BAD_MUTEX_E;
3516    }
3517
3518    wnr_mutex_inited = 1;
3519#endif
3520
3521    if (wnr_inited > 0) {
3522        WOLFSSL_MSG("netRandom context already created, skipping");
3523        return 0;
3524    }
3525
3526    if (wc_LockMutex(&wnr_mutex) != 0) {
3527        WOLFSSL_MSG("Bad Lock Mutex wnr_mutex");
3528        return BAD_MUTEX_E;
3529    }
3530
3531    /* store entropy timeout */
3532    wnr_timeout = timeout;
3533
3534    /* create global wnr_context struct */
3535    if (wnr_create(&wnr_ctx) != WNR_ERROR_NONE) {
3536        WOLFSSL_MSG("Error creating global netRandom context");
3537        ret = RNG_FAILURE_E;
3538        goto out;
3539    }
3540
3541    /* load config file */
3542    if (wnr_config_loadf(wnr_ctx, (char*)configFile) != WNR_ERROR_NONE) {
3543        WOLFSSL_MSG("Error loading config file into netRandom context");
3544        wnr_destroy(wnr_ctx);
3545        wnr_ctx = NULL;
3546        ret = RNG_FAILURE_E;
3547        goto out;
3548    }
3549
3550    /* create/init polling mechanism */
3551    if (wnr_poll_create() != WNR_ERROR_NONE) {
3552        WOLFSSL_MSG("Error initializing netRandom polling mechanism");
3553        wnr_destroy(wnr_ctx);
3554        wnr_ctx = NULL;
3555        ret = RNG_FAILURE_E;
3556        goto out;
3557    }
3558
3559    /* validate config, set HMAC callback (optional) */
3560    if (wnr_setup(wnr_ctx, hmac_cb) != WNR_ERROR_NONE) {
3561        WOLFSSL_MSG("Error setting up netRandom context");
3562        wnr_destroy(wnr_ctx);
3563        wnr_ctx = NULL;
3564        wnr_poll_destroy();
3565        ret = RNG_FAILURE_E;
3566        goto out;
3567    }
3568
3569    wnr_inited = 1;
3570
3571out:
3572
3573    wc_UnLockMutex(&wnr_mutex);
3574
3575    return ret;
3576}
3577
3578/*
3579 * Free global Whitewood netRandom context
3580 * Returns 0 on success, negative on error
3581 */
3582int wc_FreeNetRandom(void)
3583{
3584    if (wnr_inited > 0) {
3585
3586        if (wc_LockMutex(&wnr_mutex) != 0) {
3587            WOLFSSL_MSG("Bad Lock Mutex wnr_mutex");
3588            return BAD_MUTEX_E;
3589        }
3590
3591        if (wnr_ctx != NULL) {
3592            wnr_destroy(wnr_ctx);
3593            wnr_ctx = NULL;
3594        }
3595        wnr_poll_destroy();
3596
3597        wc_UnLockMutex(&wnr_mutex);
3598
3599#ifndef WOLFSSL_MUTEX_INITIALIZER
3600        wc_FreeMutex(&wnr_mutex);
3601        wnr_mutex_inited = 0;
3602#endif
3603
3604        wnr_inited = 0;
3605    }
3606
3607    return 0;
3608}
3609
3610#endif /* HAVE_WNR */
3611
3612
3613#if defined(HAVE_INTEL_RDRAND) || defined(HAVE_INTEL_RDSEED) || \
3614    defined(HAVE_AMD_RDSEED)
3615
3616#ifdef WOLFSSL_ASYNC_CRYPT
3617    /* need more retries if multiple cores */
3618    #define INTELRD_RETRY (32 * 8)
3619#else
3620    #define INTELRD_RETRY 32
3621#endif
3622
3623#if defined(HAVE_INTEL_RDSEED) || defined(HAVE_AMD_RDSEED)
3624
3625#ifndef USE_INTEL_INTRINSICS
3626
3627    /* return 0 on success */
3628    static WC_INLINE int IntelRDseed64(word64* seed)
3629    {
3630        unsigned char ok;
3631
3632        __asm__ volatile("rdseed %0; setc %1":"=r"(*seed), "=qm"(ok));
3633        return (ok) ? 0 : -1;
3634    }
3635
3636#else /* USE_INTEL_INTRINSICS */
3637    /* The compiler Visual Studio uses does not allow inline assembly.
3638     * It does allow for Intel intrinsic functions. */
3639
3640    /* return 0 on success */
3641# ifdef __GNUC__
3642    __attribute__((target("rdseed")))
3643# endif
3644    static WC_INLINE int IntelRDseed64(word64* seed)
3645    {
3646        int ok;
3647
3648        ok = _rdseed64_step((unsigned long long*) seed);
3649        return (ok) ? 0 : -1;
3650    }
3651
3652#endif /* USE_INTEL_INTRINSICS */
3653
3654/* return 0 on success */
3655static WC_INLINE int IntelRDseed64_r(word64* rnd)
3656{
3657    int i;
3658    for (i = 0; i < INTELRD_RETRY; i++) {
3659        if (IntelRDseed64(rnd) == 0)
3660            return 0;
3661    }
3662    return -1;
3663}
3664
3665/* return 0 on success */
3666static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz)
3667{
3668    int ret;
3669    word64 rndTmp;
3670    static int rdseed_sanity_status = 0;
3671
3672    (void)os;
3673
3674    if (!IS_INTEL_RDSEED(intel_flags))
3675        return -1;
3676
3677    /* Note, access to rdseed_sanity_status is benignly racey on multithreaded
3678     * targets.
3679     */
3680    if (rdseed_sanity_status == 0) {
3681        word64 sanity_word1 = 0, sanity_word2 = 0;
3682
3683        ret = IntelRDseed64_r(&sanity_word1);
3684        if (ret != 0)
3685            return ret;
3686
3687        ret = IntelRDseed64_r(&sanity_word2);
3688        if (ret != 0)
3689            return ret;
3690
3691        if (sanity_word1 == sanity_word2) {
3692            ret = IntelRDseed64_r(&sanity_word1);
3693            if (ret != 0)
3694                return ret;
3695
3696            if (sanity_word1 == sanity_word2) {
3697#ifdef WC_VERBOSE_RNG
3698                WOLFSSL_DEBUG_PRINTF(
3699                    "WARNING: disabling RDSEED due to repeating word 0x%lx -- "
3700                    "check CPU microcode version.", sanity_word2);
3701#endif
3702                rdseed_sanity_status = -1;
3703                return -1;
3704            }
3705        }
3706
3707        rdseed_sanity_status = 1;
3708    }
3709    else if (rdseed_sanity_status < 0) {
3710        return -1;
3711    }
3712
3713    for (; (sz / sizeof(word64)) > 0; sz -= sizeof(word64),
3714                                                    output += sizeof(word64)) {
3715        ret = IntelRDseed64_r((word64*)output);
3716        if (ret != 0)
3717            return ret;
3718    }
3719    if (sz == 0)
3720        return 0;
3721
3722    /* handle unaligned remainder */
3723    ret = IntelRDseed64_r(&rndTmp);
3724    if (ret != 0)
3725        return ret;
3726
3727    XMEMCPY(output, &rndTmp, sz);
3728    ForceZero(&rndTmp, sizeof(rndTmp));
3729
3730    return 0;
3731}
3732
3733#endif /* HAVE_INTEL_RDSEED || HAVE_AMD_RDSEED */
3734
3735#ifdef HAVE_INTEL_RDRAND
3736
3737#ifndef USE_INTEL_INTRINSICS
3738
3739/* return 0 on success */
3740static WC_INLINE int IntelRDrand64(word64 *rnd)
3741{
3742    unsigned char ok;
3743
3744    __asm__ volatile("rdrand %0; setc %1":"=r"(*rnd), "=qm"(ok));
3745
3746    return (ok) ? 0 : -1;
3747}
3748
3749#else /* USE_INTEL_INTRINSICS */
3750    /* The compiler Visual Studio uses does not allow inline assembly.
3751     * It does allow for Intel intrinsic functions. */
3752
3753/* return 0 on success */
3754# ifdef __GNUC__
3755__attribute__((target("rdrnd")))
3756# endif
3757static WC_INLINE int IntelRDrand64(word64 *rnd)
3758{
3759    int ok;
3760
3761    ok = _rdrand64_step((unsigned long long*) rnd);
3762
3763    return (ok) ? 0 : -1;
3764}
3765
3766#endif /* USE_INTEL_INTRINSICS */
3767
3768/* return 0 on success */
3769static WC_INLINE int IntelRDrand64_r(word64 *rnd)
3770{
3771    int i;
3772    for (i = 0; i < INTELRD_RETRY; i++) {
3773        if (IntelRDrand64(rnd) == 0)
3774            return 0;
3775    }
3776    return -1;
3777}
3778
3779/* return 0 on success */
3780static int wc_GenerateRand_IntelRD(OS_Seed* os, byte* output, word32 sz)
3781{
3782    int ret;
3783    word64 rndTmp;
3784
3785    (void)os;
3786
3787    if (!IS_INTEL_RDRAND(intel_flags))
3788        return -1;
3789
3790    for (; (sz / sizeof(word64)) > 0; sz -= sizeof(word64),
3791                                                    output += sizeof(word64)) {
3792        ret = IntelRDrand64_r((word64 *)output);
3793        if (ret != 0)
3794            return ret;
3795    }
3796    if (sz == 0)
3797        return 0;
3798
3799    /* handle unaligned remainder */
3800    ret = IntelRDrand64_r(&rndTmp);
3801    if (ret != 0)
3802        return ret;
3803
3804    XMEMCPY(output, &rndTmp, sz);
3805
3806    return 0;
3807}
3808
3809#endif /* HAVE_INTEL_RDRAND */
3810#endif /* HAVE_INTEL_RDRAND || HAVE_INTEL_RDSEED || HAVE_AMD_RDSEED */
3811
3812
3813/* Begin wc_GenerateSeed Implementations */
3814#if defined(CUSTOM_RAND_GENERATE_SEED)
3815
3816    /* Implement your own random generation function
3817     * Return 0 to indicate success
3818     * int rand_gen_seed(byte* output, word32 sz);
3819     * #define CUSTOM_RAND_GENERATE_SEED  rand_gen_seed */
3820
3821    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
3822    {
3823        (void)os; /* Suppress unused arg warning */
3824        return CUSTOM_RAND_GENERATE_SEED(output, sz);
3825    }
3826
3827#elif defined(CUSTOM_RAND_GENERATE_SEED_OS)
3828
3829    /* Implement your own random generation function,
3830     *  which includes OS_Seed.
3831     * Return 0 to indicate success
3832     * int rand_gen_seed(OS_Seed* os, byte* output, word32 sz);
3833     * #define CUSTOM_RAND_GENERATE_SEED_OS  rand_gen_seed */
3834
3835    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
3836    {
3837        return CUSTOM_RAND_GENERATE_SEED_OS(os, output, sz);
3838    }
3839
3840#elif defined(CUSTOM_RAND_GENERATE)
3841
3842   /* Implement your own random generation function
3843    * word32 rand_gen(void);
3844    * #define CUSTOM_RAND_GENERATE  rand_gen  */
3845
3846    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
3847    {
3848        word32 i = 0;
3849
3850        (void)os;
3851
3852        while (i < sz)
3853        {
3854            /* If not aligned or there is odd/remainder */
3855            if( (i + sizeof(CUSTOM_RAND_TYPE)) > sz ||
3856                ((wc_ptr_t)&output[i] % sizeof(CUSTOM_RAND_TYPE)) != 0
3857            ) {
3858                /* Single byte at a time */
3859                output[i++] = (byte)CUSTOM_RAND_GENERATE();
3860            }
3861            else {
3862                /* Use native 8, 16, 32 or 64 copy instruction */
3863                *((CUSTOM_RAND_TYPE*)&output[i]) = CUSTOM_RAND_GENERATE();
3864                i += sizeof(CUSTOM_RAND_TYPE);
3865            }
3866        }
3867
3868        return 0;
3869    }
3870
3871#elif defined(WOLFSSL_SGX)
3872
3873int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
3874{
3875    int ret = !SGX_SUCCESS;
3876    int i, read_max = 10;
3877
3878    for (i = 0; i < read_max && ret != SGX_SUCCESS; i++) {
3879        ret = sgx_read_rand(output, sz);
3880    }
3881
3882    (void)os;
3883    return (ret == SGX_SUCCESS) ? 0 : 1;
3884}
3885
3886#elif defined(USE_WINDOWS_API)
3887
3888#ifdef WIN_REUSE_CRYPT_HANDLE
3889/* shared crypt handle for RNG use */
3890static ProviderHandle gHandle = 0;
3891
3892int wc_WinCryptHandleInit(void)
3893{
3894    int ret = 0;
3895    if (gHandle == 0) {
3896        if(!CryptAcquireContext(&gHandle, 0, 0, PROV_RSA_FULL,
3897                                        CRYPT_VERIFYCONTEXT)) {
3898            DWORD dw = GetLastError();
3899            WOLFSSL_MSG("CryptAcquireContext failed!");
3900            WOLFSSL_ERROR((int)dw);
3901            ret = WINCRYPT_E;
3902        }
3903    }
3904    return ret;
3905}
3906
3907void wc_WinCryptHandleCleanup(void)
3908{
3909    if (gHandle != 0) {
3910        CryptReleaseContext(gHandle, 0);
3911        gHandle = 0;
3912    }
3913}
3914#endif /* WIN_REUSE_CRYPT_HANDLE */
3915
3916int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
3917{
3918#ifdef WOLF_CRYPTO_CB
3919    int ret;
3920
3921    if (os != NULL
3922    #ifndef WOLF_CRYPTO_CB_FIND
3923        && os->devId != INVALID_DEVID)
3924    #endif
3925    {
3926        ret = wc_CryptoCb_RandomSeed(os, output, sz);
3927        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
3928            return ret;
3929        /* fall-through when unavailable */
3930    }
3931#endif
3932
3933    #ifdef HAVE_INTEL_RDSEED
3934        if (IS_INTEL_RDSEED(intel_flags)) {
3935             if (!wc_GenerateSeed_IntelRD(NULL, output, sz)) {
3936                 /* success, we're done */
3937                 return 0;
3938             }
3939        #ifdef FORCE_FAILURE_RDSEED
3940             /* don't fall back to CryptoAPI */
3941             return READ_RAN_E;
3942        #endif
3943        }
3944    #endif /* HAVE_INTEL_RDSEED */
3945
3946#ifdef WIN_REUSE_CRYPT_HANDLE
3947    /* Check that handle was initialized.
3948     * Note: initialization should be done through:
3949     * wolfSSL_Init -> wolfCrypt_Init -> wc_WinCryptHandleInit
3950     */
3951    if (wc_WinCryptHandleInit() != 0) {
3952        return WINCRYPT_E;
3953    }
3954    if (!CryptGenRandom(gHandle, sz, output))
3955        return CRYPTGEN_E;
3956#else
3957    if (!CryptAcquireContext(&os->handle, 0, 0, PROV_RSA_FULL,
3958                            CRYPT_VERIFYCONTEXT)) {
3959        return WINCRYPT_E;
3960    }
3961    if (!CryptGenRandom(os->handle, sz, output)) {
3962        return CRYPTGEN_E;
3963    }
3964    CryptReleaseContext(os->handle, 0);
3965    os->handle = 0;
3966#endif
3967
3968    return 0;
3969}
3970
3971
3972#elif defined(HAVE_RTP_SYS) || defined(EBSNET)
3973
3974#include "rtprand.h"   /* rtp_rand () */
3975
3976#if (defined(HAVE_RTP_SYS) || (defined(RTPLATFORM) && (RTPLATFORM != 0)))
3977#include "rtptime.h"   /* rtp_get_system_msec() */
3978
3979int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
3980{
3981    word32 i;
3982
3983    rtp_srand(rtp_get_system_msec());
3984    for (i = 0; i < sz; i++ ) {
3985        output[i] = rtp_rand() % 256;
3986    }
3987
3988    return 0;
3989}
3990#else
3991int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
3992{
3993    word32 i;
3994    KS_SEED(ks_get_ticks());
3995
3996    for (i = 0; i < sz; i++ ) {
3997        output[i] = KS_RANDOM() % 256;
3998    }
3999
4000    return 0;
4001}
4002#endif /* defined(HAVE_RTP_SYS) || (defined(RTPLATFORM) && (RTPLATFORM != 0)) */
4003
4004#elif (defined(WOLFSSL_ATMEL) || defined(WOLFSSL_ATECC_RNG)) && \
4005      !defined(WOLFSSL_PIC32MZ_RNG)
4006    /* enable ATECC RNG unless using PIC32MZ one instead */
4007    #include <wolfssl/wolfcrypt/port/atmel/atmel.h>
4008
4009    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4010    {
4011        int ret = 0;
4012
4013        (void)os;
4014        if (output == NULL) {
4015            return BUFFER_E;
4016        }
4017
4018        ret = atmel_get_random_number(sz, output);
4019
4020        return ret;
4021    }
4022
4023#elif defined(MICROCHIP_PIC32) || defined(MICROCHIP_MPLAB_HARMONY)
4024
4025    #ifdef MICROCHIP_MPLAB_HARMONY
4026        #ifdef MICROCHIP_MPLAB_HARMONY_3
4027            #include "system/time/sys_time.h"
4028            #define PIC32_SEED_COUNT SYS_TIME_CounterGet
4029        #else
4030            #define PIC32_SEED_COUNT _CP0_GET_COUNT
4031        #endif
4032    #else
4033        #if !defined(WOLFSSL_MICROCHIP_PIC32MZ)
4034            #include <peripheral/timer.h>
4035        #endif
4036        extern word32 ReadCoreTimer(void);
4037        #define PIC32_SEED_COUNT ReadCoreTimer
4038    #endif
4039
4040    #ifdef WOLFSSL_PIC32MZ_RNG
4041        #include "xc.h"
4042        int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4043        {
4044            int i;
4045            byte rnd[8];
4046            word32 *rnd32 = (word32 *)rnd;
4047            word32 size = sz;
4048            byte* op = output;
4049
4050#if ((__PIC32_FEATURE_SET0 == 'E') && (__PIC32_FEATURE_SET1 == 'C'))
4051            RNGNUMGEN1 = _CP0_GET_COUNT();
4052            RNGPOLY1 = _CP0_GET_COUNT();
4053            RNGPOLY2 = _CP0_GET_COUNT();
4054            RNGNUMGEN2 = _CP0_GET_COUNT();
4055#else
4056            /* All others can be seeded from the TRNG */
4057            RNGCONbits.TRNGMODE = 1;
4058            RNGCONbits.TRNGEN = 1;
4059            while (RNGCNT < 64);
4060            RNGCONbits.LOAD = 1;
4061            while (RNGCONbits.LOAD == 1);
4062            while (RNGCNT < 64);
4063            RNGPOLY2 = RNGSEED2;
4064            RNGPOLY1 = RNGSEED1;
4065#endif
4066
4067            RNGCONbits.PLEN = 0x40;
4068            RNGCONbits.PRNGEN = 1;
4069            for (i=0; i<5; i++) { /* wait for RNGNUMGEN ready */
4070                volatile int x, y;
4071                x = RNGNUMGEN1;
4072                y = RNGNUMGEN2;
4073                (void)x;
4074                (void)y;
4075            }
4076            do {
4077                rnd32[0] = RNGNUMGEN1;
4078                rnd32[1] = RNGNUMGEN2;
4079
4080                for(i=0; i<8; i++, op++) {
4081                    *op = rnd[i];
4082                    size --;
4083                    if(size==0)break;
4084                }
4085            } while(size);
4086            return 0;
4087        }
4088    #else  /* WOLFSSL_PIC32MZ_RNG */
4089        /* uses the core timer, in nanoseconds to seed srand */
4090        int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4091        {
4092            int i;
4093            srand(PIC32_SEED_COUNT() * 25);
4094
4095            for (i = 0; i < sz; i++ ) {
4096                output[i] = rand() % 256;
4097                if ( (i % 8) == 7)
4098                    srand(PIC32_SEED_COUNT() * 25);
4099            }
4100            return 0;
4101        }
4102    #endif /* WOLFSSL_PIC32MZ_RNG */
4103
4104#elif defined(FREESCALE_K70_RNGA) || defined(FREESCALE_RNGA)
4105    /*
4106     * wc_Generates a RNG seed using the Random Number Generator Accelerator
4107     * on the Kinetis K70. Documentation located in Chapter 37 of
4108     * K70 Sub-Family Reference Manual (see Note 3 in the README for link).
4109     */
4110    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4111    {
4112        word32 i;
4113
4114        /* turn on RNGA module */
4115        #if defined(SIM_SCGC3_RNGA_MASK)
4116            SIM_SCGC3 |= SIM_SCGC3_RNGA_MASK;
4117        #endif
4118        #if defined(SIM_SCGC6_RNGA_MASK)
4119            /* additionally needed for at least K64F */
4120            SIM_SCGC6 |= SIM_SCGC6_RNGA_MASK;
4121        #endif
4122
4123        /* set SLP bit to 0 - "RNGA is not in sleep mode" */
4124        RNG_CR &= ~RNG_CR_SLP_MASK;
4125
4126        /* set HA bit to 1 - "security violations masked" */
4127        RNG_CR |= RNG_CR_HA_MASK;
4128
4129        /* set GO bit to 1 - "output register loaded with data" */
4130        RNG_CR |= RNG_CR_GO_MASK;
4131
4132        for (i = 0; i < sz; i++) {
4133
4134            /* wait for RNG FIFO to be full */
4135            while((RNG_SR & RNG_SR_OREG_LVL(0xF)) == 0) {}
4136
4137            /* get value */
4138            output[i] = RNG_OR;
4139        }
4140
4141        return 0;
4142    }
4143
4144#elif defined(FREESCALE_K53_RNGB) || defined(FREESCALE_RNGB)
4145    /*
4146     * wc_Generates a RNG seed using the Random Number Generator (RNGB)
4147     * on the Kinetis K53. Documentation located in Chapter 33 of
4148     * K53 Sub-Family Reference Manual (see note in the README for link).
4149     */
4150    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4151    {
4152        int i;
4153
4154        /* turn on RNGB module */
4155        SIM_SCGC3 |= SIM_SCGC3_RNGB_MASK;
4156
4157        /* reset RNGB */
4158        RNG_CMD |= RNG_CMD_SR_MASK;
4159
4160        /* FIFO generate interrupt, return all zeros on underflow,
4161         * set auto reseed */
4162        RNG_CR |= (RNG_CR_FUFMOD_MASK | RNG_CR_AR_MASK);
4163
4164        /* gen seed, clear interrupts, clear errors */
4165        RNG_CMD |= (RNG_CMD_GS_MASK | RNG_CMD_CI_MASK | RNG_CMD_CE_MASK);
4166
4167        /* wait for seeding to complete */
4168        while ((RNG_SR & RNG_SR_SDN_MASK) == 0) {}
4169
4170        for (i = 0; i < sz; i++) {
4171
4172            /* wait for a word to be available from FIFO */
4173            while((RNG_SR & RNG_SR_FIFO_LVL_MASK) == 0) {}
4174
4175            /* get value */
4176            output[i] = RNG_OUT;
4177        }
4178
4179        return 0;
4180    }
4181
4182#elif defined(FREESCALE_KSDK_2_0_TRNG)
4183    #ifndef TRNG0
4184    #define TRNG0 TRNG
4185    #endif
4186
4187    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4188    {
4189        status_t status;
4190        status = TRNG_GetRandomData(TRNG0, output, sz);
4191        (void)os;
4192        if (status == kStatus_Success)
4193        {
4194            return(0);
4195        }
4196        return RAN_BLOCK_E;
4197    }
4198
4199#elif defined(FREESCALE_KSDK_2_0_RNGA)
4200
4201    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4202    {
4203        status_t status;
4204        status = RNGA_GetRandomData(RNG, output, sz);
4205        (void)os;
4206        if (status == kStatus_Success)
4207        {
4208            return(0);
4209        }
4210        return RAN_BLOCK_E;
4211    }
4212
4213
4214#elif defined(FREESCALE_RNGA)
4215
4216    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4217    {
4218        status_t status;
4219        status = RNGA_GetRandomData(RNG, output, sz);
4220        (void)os;
4221        if (status == kStatus_Success)
4222        {
4223            return(0);
4224        }
4225        return RAN_BLOCK_E;
4226    }
4227#elif !defined(WOLFSSL_CAAM) && \
4228    (defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) || \
4229     defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS))
4230    /*
4231     * Fallback to USE_TEST_GENSEED if a FREESCALE platform did not match any
4232     * of the TRNG/RNGA/RNGB support
4233     */
4234    #define USE_TEST_GENSEED
4235
4236#elif defined(WOLFSSL_SILABS_SE_ACCEL)
4237    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4238    {
4239        (void)os;
4240        return silabs_GenerateRand(output, sz);
4241    }
4242
4243#elif defined(STM32_RNG)
4244     /* Generate a RNG seed using the hardware random number generator
4245      * on the STM32F2/F4/F7/L4. */
4246
4247    #ifdef WOLFSSL_STM32_CUBEMX
4248    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4249    {
4250        int ret;
4251        RNG_HandleTypeDef hrng;
4252        word32 i = 0;
4253        (void)os;
4254
4255        ret = wolfSSL_CryptHwMutexLock();
4256        if (ret != 0) {
4257            return ret;
4258        }
4259
4260        /* enable RNG clock source */
4261        __HAL_RCC_RNG_CLK_ENABLE();
4262
4263        /* enable RNG peripheral */
4264        XMEMSET(&hrng, 0, sizeof(hrng));
4265        hrng.Instance = RNG;
4266        HAL_RNG_Init(&hrng);
4267
4268        while (i < sz) {
4269            /* If not aligned or there is odd/remainder */
4270            if( (i + sizeof(word32)) > sz ||
4271                ((wc_ptr_t)&output[i] % sizeof(word32)) != 0
4272            ) {
4273                /* Single byte at a time */
4274                uint32_t tmpRng = 0;
4275                if (HAL_RNG_GenerateRandomNumber(&hrng, &tmpRng) != HAL_OK) {
4276                    wolfSSL_CryptHwMutexUnLock();
4277                    return RAN_BLOCK_E;
4278                }
4279                output[i++] = (byte)tmpRng;
4280            }
4281            else {
4282                /* Use native 32 instruction */
4283                if (HAL_RNG_GenerateRandomNumber(&hrng, (uint32_t*)&output[i]) != HAL_OK) {
4284                    wolfSSL_CryptHwMutexUnLock();
4285                    return RAN_BLOCK_E;
4286                }
4287                i += sizeof(word32);
4288            }
4289        }
4290
4291        HAL_RNG_DeInit(&hrng);
4292
4293        wolfSSL_CryptHwMutexUnLock();
4294
4295        return 0;
4296    }
4297    #elif defined(WOLFSSL_STM32F427_RNG) || defined(WOLFSSL_STM32_RNG_NOLIB) \
4298        || defined(STM32_NUTTX_RNG)
4299
4300    #ifdef STM32_NUTTX_RNG
4301        #include "hardware/stm32_rng.h"
4302        /* Set CONFIG_STM32U5_RNG in NuttX to enable the RCC */
4303        #define WC_RNG_CR *((volatile uint32_t*)(STM32_RNG_CR))
4304        #define WC_RNG_SR *((volatile uint32_t*)(STM32_RNG_SR))
4305        #define WC_RNG_DR *((volatile uint32_t*)(STM32_RNG_DR))
4306    #else
4307        /* Comes from "stm32xxxx_hal.h" */
4308        #define WC_RNG_CR RNG->CR
4309        #define WC_RNG_SR RNG->SR
4310        #define WC_RNG_DR RNG->DR
4311    #endif
4312
4313
4314    /* Generate a RNG seed using the hardware RNG on the STM32F427
4315     * directly, following steps outlined in STM32F4 Reference
4316     * Manual (Chapter 24) for STM32F4xx family. */
4317    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4318    {
4319        int ret;
4320        word32 i;
4321        (void)os;
4322
4323        ret = wolfSSL_CryptHwMutexLock();
4324        if (ret != 0) {
4325            return ret;
4326        }
4327
4328    #ifndef STM32_NUTTX_RNG
4329        /* enable RNG peripheral clock */
4330        RCC->AHB2ENR |= RCC_AHB2ENR_RNGEN;
4331    #endif
4332
4333        /* enable RNG interrupt, set IE bit in RNG->CR register */
4334        WC_RNG_CR |= RNG_CR_IE;
4335
4336        /* enable RNG, set RNGEN bit in RNG->CR. Activates RNG,
4337         * RNG_LFSR, and error detector */
4338        WC_RNG_CR |= RNG_CR_RNGEN;
4339
4340        /* verify no errors, make sure SEIS and CEIS bits are 0
4341         * in RNG->SR register */
4342        if (WC_RNG_SR & (RNG_SR_SECS | RNG_SR_CECS)) {
4343            wolfSSL_CryptHwMutexUnLock();
4344            return RNG_FAILURE_E;
4345        }
4346
4347        for (i = 0; i < sz; i++) {
4348            /* wait until RNG number is ready */
4349            while ((WC_RNG_SR & RNG_SR_DRDY) == 0) { }
4350
4351            /* get value */
4352            output[i] = WC_RNG_DR;
4353        }
4354
4355        wolfSSL_CryptHwMutexUnLock();
4356
4357        return 0;
4358    }
4359
4360    #else
4361
4362    /* Generate a RNG seed using the STM32 Standard Peripheral Library */
4363    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4364    {
4365        int ret;
4366        word32 i;
4367        (void)os;
4368
4369        ret = wolfSSL_CryptHwMutexLock();
4370        if (ret != 0) {
4371            return ret;
4372        }
4373
4374        /* enable RNG clock source */
4375        RCC_AHB2PeriphClockCmd(RCC_AHB2Periph_RNG, ENABLE);
4376
4377        /* reset RNG */
4378        RNG_DeInit();
4379
4380        /* enable RNG peripheral */
4381        RNG_Cmd(ENABLE);
4382
4383        /* verify no errors with RNG_CLK or Seed */
4384        if (RNG_GetFlagStatus(RNG_FLAG_SECS | RNG_FLAG_CECS) != RESET) {
4385            wolfSSL_CryptHwMutexUnLock();
4386            return RNG_FAILURE_E;
4387        }
4388
4389        for (i = 0; i < sz; i++) {
4390            /* wait until RNG number is ready */
4391            while (RNG_GetFlagStatus(RNG_FLAG_DRDY) == RESET) { }
4392
4393            /* get value */
4394            output[i] = RNG_GetRandomNumber();
4395        }
4396
4397        wolfSSL_CryptHwMutexUnLock();
4398
4399        return 0;
4400    }
4401    #endif /* WOLFSSL_STM32_CUBEMX */
4402
4403#elif defined(WOLFSSL_TIRTOS)
4404    #warning "potential for not enough entropy, currently being used for testing"
4405    #include <xdc/runtime/Timestamp.h>
4406    #include <stdlib.h>
4407    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4408    {
4409        int i;
4410        srand(xdc_runtime_Timestamp_get32());
4411
4412        for (i = 0; i < sz; i++ ) {
4413            output[i] = rand() % 256;
4414            if ((i % 8) == 7) {
4415                srand(xdc_runtime_Timestamp_get32());
4416            }
4417        }
4418
4419        return 0;
4420    }
4421
4422#elif defined(WOLFSSL_PB)
4423
4424    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4425    {
4426        word32 i;
4427        for (i = 0; i < sz; i++)
4428            output[i] = UTL_Rand();
4429
4430        (void)os;
4431
4432        return 0;
4433    }
4434
4435#elif defined(WOLFSSL_NUCLEUS)
4436#include "nucleus.h"
4437#include "kernel/plus_common.h"
4438
4439#warning "potential for not enough entropy, currently being used for testing"
4440int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4441{
4442    int i;
4443    srand(NU_Get_Time_Stamp());
4444
4445    for (i = 0; i < sz; i++ ) {
4446        output[i] = rand() % 256;
4447        if ((i % 8) == 7) {
4448            srand(NU_Get_Time_Stamp());
4449        }
4450    }
4451
4452    return 0;
4453}
4454#elif defined(WOLFSSL_DEOS) && !defined(CUSTOM_RAND_GENERATE)
4455    #include "stdlib.h"
4456
4457    #warning "potential for not enough entropy, currently being used for testing Deos"
4458    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4459    {
4460        int i;
4461        int seed = XTIME(0);
4462        (void)os;
4463
4464        for (i = 0; i < sz; i++ ) {
4465            output[i] = rand_r(&seed) % 256;
4466            if ((i % 8) == 7) {
4467                seed = XTIME(0);
4468                rand_r(&seed);
4469            }
4470        }
4471
4472        return 0;
4473    }
4474#elif defined(WOLFSSL_VXWORKS)
4475    #ifdef WOLFSSL_VXWORKS_6_x
4476        #include "stdlib.h"
4477        #warning "potential for not enough entropy, currently being used for testing"
4478        int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4479        {
4480            int i;
4481            unsigned int seed = (unsigned int)XTIME(0);
4482            (void)os;
4483
4484            for (i = 0; i < sz; i++ ) {
4485                output[i] = rand_r(&seed) % 256;
4486                if ((i % 8) == 7) {
4487                    seed = (unsigned int)XTIME(0);
4488                    rand_r(&seed);
4489                }
4490            }
4491
4492            return 0;
4493        }
4494    #else
4495        #include <randomNumGen.h>
4496        #include <tickLib.h>
4497
4498        int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) {
4499            STATUS                status   = ERROR;
4500            RANDOM_NUM_GEN_STATUS r_status = RANDOM_NUM_GEN_ERROR;
4501            _Vx_ticks_t           seed = 0;
4502
4503            #ifdef VXWORKS_SIM
4504                /* cannot generate true entropy with VxWorks simulator */
4505                #warning "not enough entropy, simulator for testing only"
4506                int i = 0;
4507
4508                for (i = 0; i < 1000; i++) {
4509                    randomAddTimeStamp();
4510                }
4511            #endif
4512
4513            /*
4514              wolfSSL can request 52 Bytes of random bytes. We need to add
4515              buffer to the entropy pool to ensure we can get more than 32 Bytes.
4516              Because VxWorks has entropy limits (ENTROPY_MIN and ENTROPY_MAX)
4517              defined as 256 and 1024 bits, see randomSWNumGenLib.c.
4518
4519              randStatus() can return the following status:
4520              RANDOM_NUM_GEN_NO_ENTROPY when entropy is 0
4521              RANDOM_NUM_GEN_ERROR, entropy is not initialized
4522              RANDOM_NUM_GEN_NOT_ENOUGH_ENTROPY if entropy < 32 Bytes
4523              RANDOM_NUM_GEN_ENOUGH_ENTROPY if entropy is between 32 and 128 Bytes
4524              RANDOM_NUM_GEN_MAX_ENTROPY if entropy is greater than 128 Bytes
4525            */
4526
4527            do {
4528                seed = tickGet();
4529                status = randAdd(&seed, sizeof(_Vx_ticks_t), 2);
4530                if (status == OK)
4531                    r_status = randStatus();
4532
4533            } while (r_status != RANDOM_NUM_GEN_MAX_ENTROPY &&
4534                     r_status != RANDOM_NUM_GEN_ERROR && status == OK);
4535
4536            if (r_status == RANDOM_NUM_GEN_ERROR)
4537                return RNG_FAILURE_E;
4538
4539            status = randBytes (output, sz);
4540
4541            if (status == ERROR) {
4542                return RNG_FAILURE_E;
4543            }
4544
4545            return 0;
4546        }
4547    #endif
4548#elif defined(WOLFSSL_NRF51) || defined(WOLFSSL_NRF5x)
4549    #include "app_error.h"
4550    #include "nrf_drv_rng.h"
4551    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4552    {
4553        int remaining = sz, pos = 0;
4554        word32 err_code;
4555        byte available;
4556        static byte initialized = 0;
4557
4558        (void)os;
4559
4560        /* Make sure RNG is running */
4561        if (!initialized) {
4562            err_code = nrf_drv_rng_init(NULL);
4563            if (err_code != NRF_SUCCESS && err_code != NRF_ERROR_INVALID_STATE
4564            #ifdef NRF_ERROR_MODULE_ALREADY_INITIALIZED
4565                && err_code != NRF_ERROR_MODULE_ALREADY_INITIALIZED
4566            #endif
4567            ) {
4568                return -1;
4569            }
4570            initialized = 1;
4571        }
4572
4573        while (remaining > 0) {
4574            int length;
4575            available = 0;
4576            nrf_drv_rng_bytes_available(&available); /* void func */
4577            length = (remaining < available) ? remaining : available;
4578            if (length > 0) {
4579                err_code = nrf_drv_rng_rand(&output[pos], length);
4580                if (err_code != NRF_SUCCESS) {
4581                    break;
4582                }
4583                remaining -= length;
4584                pos += length;
4585            }
4586        }
4587
4588        return (err_code == NRF_SUCCESS) ? 0 : -1;
4589    }
4590
4591#elif defined(HAVE_WNR)
4592
4593    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4594    {
4595        if (os == NULL || output == NULL || wnr_ctx == NULL ||
4596                wnr_timeout < 0) {
4597            return BAD_FUNC_ARG;
4598        }
4599
4600        if (wnr_mutex_init == 0) {
4601            WOLFSSL_MSG("netRandom context must be created before use");
4602            return RNG_FAILURE_E;
4603        }
4604
4605        if (wc_LockMutex(&wnr_mutex) != 0) {
4606            WOLFSSL_MSG("Bad Lock Mutex wnr_mutex");
4607            return BAD_MUTEX_E;
4608        }
4609
4610        if (wnr_get_entropy(wnr_ctx, wnr_timeout, output, sz, sz) !=
4611                WNR_ERROR_NONE)
4612            return RNG_FAILURE_E;
4613
4614        wc_UnLockMutex(&wnr_mutex);
4615
4616        return 0;
4617    }
4618
4619#elif defined(INTIME_RTOS)
4620    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4621    {
4622        uint32_t randval;
4623        word32 len;
4624
4625        if (output == NULL) {
4626            return BUFFER_E;
4627        }
4628
4629    #ifdef INTIMEVER
4630        /* If INTIMEVER exists then it is INTIME RTOS v6 or later */
4631        #define INTIME_RAND_FUNC arc4random
4632        len = 4;
4633    #else
4634        /* v5 and older */
4635        #define INTIME_RAND_FUNC rand
4636        srand(time(0));
4637        len = 2; /* don't use all 31 returned bits */
4638    #endif
4639
4640        while (sz > 0) {
4641            if (sz < len)
4642                len = sz;
4643            randval = INTIME_RAND_FUNC();
4644            XMEMCPY(output, &randval, len);
4645            output += len;
4646            sz -= len;
4647        }
4648        (void)os;
4649
4650        return 0;
4651    }
4652
4653#elif defined(WOLFSSL_WICED)
4654    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4655    {
4656        int ret;
4657        (void)os;
4658
4659        if (output == NULL || UINT16_MAX < sz) {
4660            return BUFFER_E;
4661        }
4662
4663        if ((ret = wiced_crypto_get_random((void*) output, sz) )
4664                         != WICED_SUCCESS) {
4665            return ret;
4666        }
4667
4668        return ret;
4669    }
4670
4671#elif defined(WOLFSSL_NETBURNER)
4672    #warning using NetBurner pseudo random GetRandomByte for seed
4673    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4674    {
4675        word32 i;
4676        (void)os;
4677
4678        if (output == NULL) {
4679            return BUFFER_E;
4680        }
4681
4682        for (i = 0; i < sz; i++) {
4683            output[i] = GetRandomByte();
4684
4685            /* check if was a valid random number */
4686            if (!RandomValid())
4687                return RNG_FAILURE_E;
4688        }
4689
4690        return 0;
4691    }
4692#elif defined(IDIRECT_DEV_RANDOM)
4693
4694    extern int getRandom( int sz, unsigned char *output );
4695
4696    int GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4697    {
4698        int num_bytes_returned = 0;
4699
4700        num_bytes_returned = getRandom( (int) sz, (unsigned char *) output );
4701
4702        return 0;
4703    }
4704
4705#elif defined(WOLFSSL_CAAM)
4706
4707    #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
4708
4709    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4710    {
4711        unsigned int args[4] = {0};
4712        CAAM_BUFFER buf[1];
4713        int ret    = 0;
4714        int times  = 1000, i; /* 1000 is an arbitrary number chosen */
4715        word32 idx = 0;
4716
4717        (void)os;
4718
4719        if (output == NULL) {
4720            return BUFFER_E;
4721        }
4722
4723        /* Check Waiting to make sure entropy is ready */
4724        for (i = 0; i < times; i++) {
4725            buf[0].BufferType = DataBuffer | LastBuffer;
4726            buf[0].TheAddress = (CAAM_ADDRESS)(output + idx);
4727            buf[0].Length     = ((sz - idx) < WC_CAAM_MAX_ENTROPY)?
4728                                sz - idx : WC_CAAM_MAX_ENTROPY;
4729
4730            args[0] = buf[0].Length;
4731            ret = wc_caamAddAndWait(buf, 1, args, CAAM_ENTROPY);
4732            if (ret == 0) {
4733                idx += buf[0].Length;
4734                if (idx == sz)
4735                    break;
4736            }
4737
4738            /* driver could be waiting for entropy */
4739            if (ret != WC_NO_ERR_TRACE(RAN_BLOCK_E) && ret != 0) {
4740                return ret;
4741            }
4742#ifndef WOLFSSL_IMXRT1170_CAAM
4743            usleep(100);
4744#endif
4745        }
4746
4747        if (i == times && ret != 0) {
4748             return RNG_FAILURE_E;
4749        }
4750        else { /* Success case */
4751            ret = 0;
4752        }
4753
4754        return ret;
4755    }
4756
4757#elif defined(WOLFSSL_APACHE_MYNEWT)
4758
4759    #include <stdlib.h>
4760    #include "os/os_time.h"
4761    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4762    {
4763        int i;
4764        srand(os_time_get());
4765
4766        for (i = 0; i < sz; i++ ) {
4767            output[i] = rand() % 256;
4768            if ((i % 8) == 7) {
4769                srand(os_time_get());
4770            }
4771        }
4772
4773        return 0;
4774    }
4775
4776#elif defined(ARDUINO)
4777
4778    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4779    {
4780        int ret = 0;
4781        word32 rand;
4782        while (sz > 0) {
4783            word32 len = sizeof(rand);
4784            if (sz < len)
4785                len = sz;
4786        /* Get an Arduino framework random number */
4787        #if defined(ARDUINO_SAMD_NANO_33_IOT) || \
4788            defined(ARDUINO_ARCH_RP2040)
4789            /* Known, tested boards working with random() */
4790            rand = random();
4791        #elif defined(ARDUINO_SAM_DUE)
4792            /* See: https://github.com/avrxml/asf/tree/master/sam/utils/cmsis/sam3x/include */
4793            #if defined(__SAM3A4C__)
4794                #ifndef TRNG
4795                    #define TRNG (0x400BC000U)
4796                #endif
4797            #elif defined(__SAM3A8C__)
4798                #ifndef TRNG
4799                    #define TRNG (0x400BC000U)
4800                #endif
4801            #elif defined(__SAM3X4C__)
4802                #ifndef TRNG
4803                    #define TRNG (0x400BC000U)
4804                #endif
4805            #elif defined(__SAM3X4E__)
4806                #ifndef TRNG
4807                    #define TRNG (0x400BC000U)
4808                #endif
4809            #elif defined(__SAM3X8C__)
4810                #ifndef TRNG
4811                    #define TRNG (0x400BC000U)
4812                #endif
4813            #elif defined(__SAM3X8E__)
4814                /* This is the Arduino Due */
4815                #ifndef TRNG
4816                    #define TRNG (0x400BC000U)
4817                #endif
4818            #elif  defined(__SAM3A8H__)
4819                #ifndef TRNG
4820                    #define TRNG (0x400BC000U)
4821                #endif
4822            #else
4823                #ifndef TRNG
4824                    #error "Unknown TRNG for this device"
4825                #endif
4826            #endif
4827
4828            srand(analogRead(0));
4829            rand = trng_read_output_data(TRNG);
4830        #elif defined(__STM32__)
4831            /* TODO: confirm this is proper random number on Arduino STM32 */
4832            #warning "Not yet tested on STM32 targets"
4833            rand = random();
4834        #else
4835            /* TODO: Pull requests appreciated for new targets.
4836             * Do *all* other Arduino boards support random()?
4837             * Probably not 100%, but most will likely work: */
4838            rand = random();
4839        #endif
4840
4841            XMEMCPY(output, &rand, len);
4842            output += len;
4843            sz -= len;
4844        }
4845
4846        return ret;
4847    }
4848
4849#elif defined(WOLFSSL_ESPIDF)
4850
4851    /* Espressif */
4852    #if defined(WOLFSSL_ESP32) || defined(WOLFSSL_ESPWROOM32SE)
4853
4854        /* Espressif ESP32 */
4855        #include <esp_system.h>
4856        #if defined(CONFIG_IDF_TARGET_ESP32S2) || \
4857            defined(CONFIG_IDF_TARGET_ESP32S3)
4858            #include <esp_random.h>
4859        #endif
4860
4861        int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4862        {
4863            word32 rand;
4864            while (sz > 0) {
4865                word32 len = sizeof(rand);
4866                if (sz < len)
4867                    len = sz;
4868                /* Get one random 32-bit word from hw RNG */
4869                rand = esp_random( );
4870                XMEMCPY(output, &rand, len);
4871                output += len;
4872                sz -= len;
4873            }
4874
4875            return 0;
4876        }
4877
4878    #elif defined(WOLFSSL_ESP8266)
4879
4880        /* Espressif ESP8266 */
4881        #include <esp_system.h>
4882
4883        int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4884        {
4885    #if defined(DEBUG_WOLFSSL)
4886            WOLFSSL_ENTER("ESP8266 Random");
4887    #endif
4888            word32 rand;
4889            while (sz > 0) {
4890                word32 len = sizeof(rand);
4891                if (sz < len)
4892                    len = sz;
4893                /* Get one random 32-bit word from hw RNG */
4894                rand = esp_random( );
4895                XMEMCPY(output, &rand, len);
4896                output += len;
4897                sz -= len;
4898            }
4899
4900            return 0;
4901        }
4902    #endif /* end WOLFSSL_ESPIDF */
4903
4904#elif defined(WOLFSSL_LINUXKM)
4905
4906    #ifndef LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT
4907        #include <linux/random.h>
4908    #endif
4909
4910    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4911    {
4912        (void)os;
4913        int ret;
4914
4915    #ifdef HAVE_ENTROPY_MEMUSE
4916        ret = wc_Entropy_Get(MAX_ENTROPY_BITS, output, sz);
4917        if (ret == 0)
4918            return 0;
4919        #ifdef ENTROPY_MEMUSE_FORCE_FAILURE
4920        return ret;
4921        #endif
4922    #endif
4923
4924    #if defined(HAVE_INTEL_RDSEED) || defined(HAVE_AMD_RDSEED)
4925        if (IS_INTEL_RDSEED(intel_flags)) {
4926            ret = wc_GenerateSeed_IntelRD(NULL, output, sz);
4927            if (ret == 0)
4928                return 0;
4929            #ifdef FORCE_FAILURE_RDSEED
4930            return ret;
4931            #endif
4932        }
4933    #endif /* HAVE_INTEL_RDSEED || HAVE_AMD_RDSEED */
4934
4935    #ifdef LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT
4936        #if !defined(HAVE_ENTROPY_MEMUSE) && \
4937            !defined(HAVE_INTEL_RDSEED) && \
4938            !defined(HAVE_AMD_RDSEED)
4939            #error LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT requires an intrinsic entropy source.
4940        #else
4941            return ret;
4942        #endif
4943    #else
4944        (void)ret;
4945
4946        get_random_bytes(output, sz);
4947        return 0;
4948    #endif
4949    }
4950
4951#elif defined(WOLFSSL_BSDKM)
4952    #include <sys/random.h>
4953    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4954    {
4955        (void)os;
4956        int ret;
4957
4958    #ifdef HAVE_ENTROPY_MEMUSE
4959        ret = wc_Entropy_Get(MAX_ENTROPY_BITS, output, sz);
4960        if (ret == 0) {
4961            return 0;
4962        }
4963        #ifdef ENTROPY_MEMUSE_FORCE_FAILURE
4964        /* Don't fallback to /dev/urandom. */
4965        return ret;
4966        #endif
4967    #endif
4968
4969    #if defined(HAVE_INTEL_RDSEED) || defined(HAVE_AMD_RDSEED)
4970        if (IS_INTEL_RDSEED(intel_flags)) {
4971            ret = wc_GenerateSeed_IntelRD(NULL, output, sz);
4972        #ifndef FORCE_FAILURE_RDSEED
4973            if (ret == 0)
4974        #endif
4975            {
4976                return ret;
4977            }
4978        }
4979    #endif /* HAVE_INTEL_RDSEED || HAVE_AMD_RDSEED */
4980
4981        (void)ret;
4982
4983        arc4random_buf(output, sz);
4984        return 0;
4985    }
4986#elif defined(WOLFSSL_RENESAS_TSIP)
4987
4988    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
4989    {
4990        (void)os;
4991        return wc_tsip_GenerateRandBlock(output, sz);
4992    }
4993
4994
4995#elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_TRNG)
4996    #include "hal_data.h"
4997
4998    #ifndef WOLFSSL_SCE_TRNG_HANDLE
4999        #define WOLFSSL_SCE_TRNG_HANDLE g_sce_trng
5000    #endif
5001
5002    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
5003    {
5004        word32 ret;
5005        word32 blocks;
5006        word32 len = sz;
5007
5008        ret = WOLFSSL_SCE_TRNG_HANDLE.p_api->open(WOLFSSL_SCE_TRNG_HANDLE.p_ctrl,
5009                                                  WOLFSSL_SCE_TRNG_HANDLE.p_cfg);
5010        if (ret != SSP_SUCCESS && ret != SSP_ERR_CRYPTO_ALREADY_OPEN) {
5011            /* error opening TRNG driver */
5012            return -1;
5013        }
5014
5015        blocks = sz / sizeof(word32);
5016        if (blocks > 0) {
5017            ret = WOLFSSL_SCE_TRNG_HANDLE.p_api->read(WOLFSSL_SCE_TRNG_HANDLE.p_ctrl,
5018                                                       (word32*)output, blocks);
5019            if (ret != SSP_SUCCESS) {
5020                return -1;
5021            }
5022        }
5023
5024        len = len - (blocks * sizeof(word32));
5025        if (len > 0) {
5026            word32 tmp;
5027
5028            if (len > sizeof(word32)) {
5029                return -1;
5030            }
5031            ret = WOLFSSL_SCE_TRNG_HANDLE.p_api->read(WOLFSSL_SCE_TRNG_HANDLE.p_ctrl,
5032                                                      (word32*)&tmp, 1);
5033            if (ret != SSP_SUCCESS) {
5034                return -1;
5035            }
5036            XMEMCPY(output + (blocks * sizeof(word32)), (byte*)&tmp, len);
5037        }
5038
5039        ret = WOLFSSL_SCE_TRNG_HANDLE.p_api->close(WOLFSSL_SCE_TRNG_HANDLE.p_ctrl);
5040        if (ret != SSP_SUCCESS) {
5041            /* error opening TRNG driver */
5042            return -1;
5043        }
5044        return 0;
5045    }
5046#elif defined(CUSTOM_RAND_GENERATE_BLOCK)
5047    /* #define CUSTOM_RAND_GENERATE_BLOCK myRngFunc
5048     * extern int myRngFunc(byte* output, word32 sz);
5049     */
5050
5051#elif defined(__MICROBLAZE__)
5052    #warning weak source of entropy
5053    #define LPD_SCNTR_BASE_ADDRESS 0xFF250000
5054
5055    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
5056    {
5057        word32* cnt;
5058        word32 i;
5059
5060        /* using current time with srand */
5061        cnt = (word32*)LPD_SCNTR_BASE_ADDRESS;
5062        srand(*cnt | *(cnt+1));
5063
5064        for (i = 0; i < sz; i++)
5065            output[i] = rand();
5066
5067        (void)os;
5068        return 0;
5069    }
5070
5071#elif defined(WOLFSSL_ZEPHYR)
5072
5073    #ifdef __has_include
5074        #if __has_include(<zephyr/version.h>)
5075            #include <zephyr/version.h>
5076        #else
5077            #include <version.h>
5078        #endif
5079    #else
5080        #include <version.h>
5081    #endif
5082
5083    #include <sys/types.h>
5084
5085    #if KERNEL_VERSION_NUMBER >= 0x30500
5086        #include <zephyr/random/random.h>
5087    #else
5088        #if KERNEL_VERSION_NUMBER >= 0x30100
5089            #include <zephyr/random/rand32.h>
5090        #else
5091            #include <random/rand32.h>
5092        #endif
5093    #endif
5094
5095    #if KERNEL_VERSION_NUMBER >= 0x40300
5096        #include <time.h>
5097    #elif KERNEL_VERSION_NUMBER >= 0x30100
5098        #include <zephyr/posix/time.h>
5099    #else
5100        #include <posix/time.h>
5101    #endif
5102
5103    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
5104    {
5105        sys_rand_get(output, sz);
5106        return 0;
5107    }
5108
5109#elif defined(WOLFSSL_TELIT_M2MB)
5110
5111        #include "stdlib.h"
5112        static long get_timestamp(void) {
5113            long myTime = 0;
5114            INT32 fd = m2mb_rtc_open("/dev/rtc0", 0);
5115            if (fd >= 0) {
5116                M2MB_RTC_TIMEVAL_T timeval;
5117                m2mb_rtc_ioctl(fd, M2MB_RTC_IOCTL_GET_TIMEVAL, &timeval);
5118                myTime = timeval.msec;
5119                m2mb_rtc_close(fd);
5120            }
5121            return myTime;
5122        }
5123        int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
5124        {
5125            int i;
5126            srand(get_timestamp());
5127            for (i = 0; i < sz; i++ ) {
5128                output[i] = rand() % 256;
5129                if ((i % 8) == 7) {
5130                    srand(get_timestamp());
5131                }
5132            }
5133            return 0;
5134        }
5135#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_TRNG)
5136     #include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
5137
5138    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz){
5139        int ret = 0;
5140
5141        (void)os;
5142
5143        if (output == NULL) {
5144            return BUFFER_E;
5145        }
5146        ret = wolfSSL_CryptHwMutexLock();
5147        if (ret == 0) {
5148            ret = se050_get_random_number(sz, output);
5149            wolfSSL_CryptHwMutexUnLock();
5150        }
5151        return ret;
5152    }
5153
5154#elif defined(WOLFSSL_NXP_RNG_1)
5155    #include "fsl_rng.h"
5156
5157    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) {
5158        (void)os;
5159
5160        if (output == NULL) {
5161            return BUFFER_E;
5162        }
5163
5164        if (RNG_GetRandomData(RNG, output, sz) != kStatus_Success)
5165            return RNG_FAILURE_E;
5166
5167        return 0;
5168    }
5169
5170#elif defined(DOLPHIN_EMULATOR) || defined (WOLFSSL_NDS)
5171
5172        int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
5173        {
5174            word32 i;
5175            (void)os;
5176            srand(time(NULL));
5177            for (i = 0; i < sz; i++)
5178                output[i] = (byte)rand();
5179            return 0;
5180        }
5181#elif defined(WOLFSSL_MAXQ108X) || defined(WOLFSSL_MAXQ1065)
5182
5183    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
5184    {
5185        (void)os;
5186
5187        return maxq10xx_random(output, sz);
5188    }
5189#elif defined(MAX3266X_RNG)
5190    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
5191    {
5192        #ifdef WOLFSSL_MAX3266X
5193        int status;
5194        #endif /* WOLFSSL_MAX3266X */
5195        static int initDone = 0;
5196        (void)os;
5197        if (initDone == 0) {
5198            #ifdef WOLFSSL_MAX3266X
5199            status = wolfSSL_HwRngMutexLock();
5200            if (status != 0) {
5201                return status;
5202            }
5203            #endif /* WOLFSSL_MAX3266X */
5204            if(MXC_TRNG_HealthTest() != 0) {
5205                #ifdef DEBUG_WOLFSSL
5206                WOLFSSL_MSG("TRNG HW Health Test Failed");
5207                #endif /* DEBUG_WOLFSSL */
5208                #ifdef WOLFSSL_MAX3266X
5209                wolfSSL_HwRngMutexUnLock();
5210                #endif /* WOLFSSL_MAX3266X */
5211                return WC_HW_E;
5212            }
5213            #ifdef WOLFSSL_MAX3266X
5214            wolfSSL_HwRngMutexUnLock();
5215            #endif /* WOLFSSL_MAX3266X */
5216            initDone = 1;
5217        }
5218        return wc_MXC_TRNG_Random(output, sz);
5219    }
5220
5221#elif defined(CY_USING_HAL) && defined(COMPONENT_WOLFSSL)
5222
5223    /* Infineon/Cypress HAL RNG implementation */
5224    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
5225    {
5226        cyhal_trng_t obj;
5227        cy_rslt_t result;
5228        uint32_t val;
5229        word32 i = 0;
5230
5231        (void)os;
5232
5233        result = cyhal_trng_init(&obj);
5234        if (result == CY_RSLT_SUCCESS) {
5235            while (i < sz) {
5236                /* If not aligned or there is odd/remainder add single byte */
5237                if( (i + sizeof(word32)) > sz ||
5238                    ((wc_ptr_t)&output[i] % sizeof(word32)) != 0
5239                ) {
5240                    val = cyhal_trng_generate(&obj);
5241                    output[i++] = (byte)val;
5242                }
5243                else {
5244                    /* Use native 32 instruction */
5245                    val = cyhal_trng_generate(&obj);
5246                    *((uint32_t*)&output[i]) = val;
5247                    i += sizeof(word32);
5248                }
5249            }
5250            cyhal_trng_free(&obj);
5251        }
5252        return 0;
5253    }
5254
5255#elif defined(WOLFSSL_SAFERTOS) || defined(WOLFSSL_LEANPSK) || \
5256      defined(WOLFSSL_IAR_ARM)  || defined(WOLFSSL_MDK_ARM) || \
5257      defined(WOLFSSL_uITRON4)  || defined(WOLFSSL_uTKERNEL2) || \
5258      defined(WOLFSSL_LPC43xx)  || defined(NO_STM32_RNG) || \
5259      defined(MBED)             || defined(WOLFSSL_EMBOS) || \
5260      defined(WOLFSSL_GENSEED_FORTEST) || defined(WOLFSSL_CHIBIOS) || \
5261      defined(WOLFSSL_CONTIKI)  || defined(WOLFSSL_AZSPHERE)
5262
5263    /* these platforms do not have a default random seed and
5264       you'll need to implement your own wc_GenerateSeed or define via
5265       CUSTOM_RAND_GENERATE_BLOCK */
5266
5267    #define USE_TEST_GENSEED
5268
5269#elif defined(NO_DEV_RANDOM)
5270
5271    /* Allow bare-metal targets to use cryptoCb as seed provider */
5272    #if defined(WOLF_CRYPTO_CB)
5273
5274    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
5275    {
5276        int ret = WC_NO_ERR_TRACE(WC_HW_E);
5277
5278        #ifndef WOLF_CRYPTO_CB_FIND
5279        if (os->devId != INVALID_DEVID)
5280        #endif
5281        {
5282            ret = wc_CryptoCb_RandomSeed(os, output, sz);
5283            if (ret == WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
5284                ret = WC_HW_E;
5285            }
5286        }
5287
5288        return ret;
5289    }
5290
5291    #else /* defined(WOLF_CRYPTO_CB)*/
5292
5293    #error "you need to write an os specific wc_GenerateSeed() here"
5294
5295    /*
5296    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
5297    {
5298        return 0;
5299    }
5300    */
5301
5302   #endif  /* !defined(WOLF_CRYPTO_CB) */
5303
5304#else
5305
5306    /* may block */
5307    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
5308    {
5309        int ret = 0;
5310
5311        if (os == NULL) {
5312            return BAD_FUNC_ARG;
5313        }
5314
5315    #ifdef WOLF_CRYPTO_CB
5316        #ifndef WOLF_CRYPTO_CB_FIND
5317        if (os->devId != INVALID_DEVID)
5318        #endif
5319        {
5320            ret = wc_CryptoCb_RandomSeed(os, output, sz);
5321            if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
5322                return ret;
5323            /* fall-through when unavailable */
5324            ret = 0; /* reset error code */
5325        }
5326    #endif
5327
5328    #ifdef HAVE_ENTROPY_MEMUSE
5329        ret = wc_Entropy_Get(MAX_ENTROPY_BITS, output, sz);
5330        if (ret == 0) {
5331            /* success, we're done */
5332            return ret;
5333        }
5334    #ifdef ENTROPY_MEMUSE_FORCE_FAILURE
5335        /* Don't fall back to /dev/urandom. */
5336        return ret;
5337    #else
5338        /* Reset error and fall back to using /dev/urandom. */
5339        ret = 0;
5340    #endif
5341    #endif
5342
5343    #if !defined(HAVE_ENTROPY_MEMUSE) || !defined(ENTROPY_MEMUSE_FORCE_FAILURE)
5344
5345    #if defined(HAVE_INTEL_RDSEED) || defined(HAVE_AMD_RDSEED)
5346        if (IS_INTEL_RDSEED(intel_flags)) {
5347             ret = wc_GenerateSeed_IntelRD(NULL, output, sz);
5348             if (ret == 0) {
5349                 /* success, we're done */
5350                 return ret;
5351             }
5352        #ifdef FORCE_FAILURE_RDSEED
5353             /* Don't fall back to /dev/urandom. */
5354             return ret;
5355        #else
5356             /* Reset error and fall back to using /dev/urandom. */
5357             ret = 0;
5358        #endif
5359        }
5360    #ifdef FORCE_FAILURE_RDSEED
5361        else {
5362            /* Don't fall back to /dev/urandom */
5363            return MISSING_RNG_E;
5364        }
5365    #endif
5366    #endif /* HAVE_INTEL_RDSEED || HAVE_AMD_RDSEED */
5367
5368    #if (!defined(HAVE_INTEL_RDSEED) && !defined(HAVE_AMD_RDSEED)) || \
5369        !defined(FORCE_FAILURE_RDSEED)
5370
5371    #if defined(WOLFSSL_GETRANDOM) || defined(HAVE_GETRANDOM)
5372        {
5373            word32 grSz = sz;
5374            byte* grOutput = output;
5375
5376            while (grSz) {
5377                ssize_t len;
5378
5379                errno = 0;
5380                len = getrandom(grOutput, grSz, 0);
5381                if (len == -1) {
5382                    if (errno == EINTR) {
5383                        /* interrupted, call getrandom again */
5384                        continue;
5385                    }
5386                    else {
5387                        ret = READ_RAN_E;
5388                    }
5389                    break;
5390                }
5391
5392                grSz     -= (word32)len;
5393                grOutput += len;
5394            }
5395            if (ret == 0)
5396                return ret;
5397        #ifdef FORCE_FAILURE_GETRANDOM
5398            /* don't fall back to /dev/urandom */
5399            return ret;
5400        #elif !defined(NO_FILESYSTEM)
5401            /* reset error and fall back to using /dev/urandom if filesystem
5402             * support is compiled in */
5403            ret = 0;
5404        #endif
5405        }
5406    #endif
5407
5408#ifndef NO_FILESYSTEM
5409    #ifdef WOLFSSL_KEEP_RNG_SEED_FD_OPEN
5410        if (!os->seedFdOpen)
5411        {
5412        #ifndef NO_DEV_URANDOM /* way to disable use of /dev/urandom */
5413            os->fd = wc_open_cloexec("/dev/urandom", O_RDONLY);
5414            #if defined(DEBUG_WOLFSSL)
5415                WOLFSSL_MSG("opened /dev/urandom.");
5416            #endif /* DEBUG_WOLFSSL */
5417            if (os->fd == XBADFD)
5418        #endif /* NO_DEV_URANDOM */
5419            {
5420                /* may still have /dev/random */
5421                os->fd = wc_open_cloexec("/dev/random", O_RDONLY);
5422            #if defined(DEBUG_WOLFSSL)
5423                WOLFSSL_MSG("opened /dev/random.");
5424            #endif /* DEBUG_WOLFSSL */
5425                if (os->fd == XBADFD)
5426                    return OPEN_RAN_E;
5427                else {
5428                    os->keepSeedFdOpen = 0;
5429                    os->seedFdOpen = 1;
5430                }
5431            }
5432            else {
5433                os->keepSeedFdOpen = 1;
5434                os->seedFdOpen = 1;
5435            }
5436        }
5437    #else /* WOLFSSL_KEEP_RNG_SEED_FD_OPEN */
5438        #ifndef NO_DEV_URANDOM /* way to disable use of /dev/urandom */
5439        os->fd = wc_open_cloexec("/dev/urandom", O_RDONLY);
5440        #if defined(DEBUG_WOLFSSL)
5441            WOLFSSL_MSG("opened /dev/urandom.");
5442        #endif /* DEBUG_WOLFSSL */
5443        if (os->fd == XBADFD)
5444        #endif /* !NO_DEV_URANDOM */
5445        {
5446            /* may still have /dev/random */
5447            os->fd = wc_open_cloexec("/dev/random", O_RDONLY);
5448        #if defined(DEBUG_WOLFSSL)
5449            WOLFSSL_MSG("opened /dev/random.");
5450        #endif /* DEBUG_WOLFSSL */
5451            if (os->fd == XBADFD)
5452                return OPEN_RAN_E;
5453        }
5454    #endif /* WOLFSSL_KEEP_RNG_SEED_FD_OPEN */
5455    #if defined(DEBUG_WOLFSSL)
5456        WOLFSSL_MSG("rnd read...");
5457    #endif /* DEBUG_WOLFSSL */
5458        while (sz) {
5459            int len = (int)read(os->fd, output, sz);
5460            if (len == -1) {
5461                ret = READ_RAN_E;
5462                break;
5463            }
5464
5465            sz     -= (word32)len;
5466            output += len;
5467
5468            if (sz) {
5469    #if defined(BLOCKING) || defined(WC_RNG_BLOCKING)
5470                sleep(0);             /* context switch */
5471    #else
5472                ret = RAN_BLOCK_E;
5473                break;
5474    #endif /* BLOCKING || WC_RNG_BLOCKING */
5475            }
5476        }
5477    #ifdef WOLFSSL_KEEP_RNG_SEED_FD_OPEN
5478        if (!os->keepSeedFdOpen && os->seedFdOpen)
5479        {
5480            close(os->fd);
5481            os->fd = -1;
5482            os->seedFdOpen = 0;
5483        }
5484    #else
5485        close(os->fd);
5486    #endif /* WOLFSSL_KEEP_RNG_SEED_FD_OPEN */
5487#else /* NO_FILESYSTEM */
5488        (void)output;
5489        (void)sz;
5490        ret = NOT_COMPILED_IN;
5491#endif /* NO_FILESYSTEM */
5492
5493        return ret;
5494
5495    #endif /* (!HAVE_INTEL_RDSEED && !HAVE_AMD_RDSEED) || !FORCE_FAILURE_RDSEED */
5496
5497    #endif /*!HAVE_ENTROPY_MEMUSE || !ENTROPY_MEMUSE_FORCE_FAILURE */
5498
5499    }
5500
5501#endif
5502
5503#ifdef USE_TEST_GENSEED
5504    #if !defined(_MSC_VER) && !defined(__TASKING__)
5505        #warning "write a real random seed!!!!, just for testing now"
5506    #else
5507        #pragma message("Warning: write a real random seed!!!!, just for testing now")
5508    #endif
5509    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
5510    {
5511        word32 i;
5512        for (i = 0; i < sz; i++ )
5513            output[i] = (byte)i;
5514
5515        (void)os;
5516
5517        return 0;
5518    }
5519#endif
5520/* End wc_GenerateSeed */
5521
5522#if defined(CUSTOM_RAND_GENERATE_BLOCK) && defined(WOLFSSL_KCAPI)
5523#include <fcntl.h>
5524int wc_hwrng_generate_block(byte *output, word32 sz)
5525{
5526    int fd;
5527    int ret = 0;
5528    fd = wc_open_cloexec("/dev/hwrng", O_RDONLY);
5529    if (fd == -1)
5530        return OPEN_RAN_E;
5531    while(sz)
5532    {
5533        int len = (int)read(fd, output, sz);
5534        if (len == -1)
5535        {
5536            ret = READ_RAN_E;
5537            break;
5538        }
5539        sz -= len;
5540        output += len;
5541    }
5542    close(fd);
5543    return ret;
5544}
5545#endif
5546
5547#endif /* WC_NO_RNG */