SP800-90A Deterministic Random Bit Generator (DRBG)

NOTE: The kernel DRBG implementation is now available upstream starting with Linux kernel 3.17. Please use the upstream Linux kernel repository to obtain the latest code. You will find current testing code for the DRBG here nonetheless.

NOTE: the libgcrypt DRBG went upstream into the libgcrypt GIT tree on Feb 22, 2016 for release with version 1.7. Please note that the gcry_control interface API has changed compared to the code offered here.

This is a clean-room implementation of the DRBG defined in SP800-90A. All three viable DRBGs defined in the standard are implemented:

The DRBG implementation offers the following:

The implementation of the DRBG available for download here integrates with the Linux kernel crypto API as well as with libgcrypt.

A test that also covers the CAVS testing framework module showing how to use the DRBG integrated with the kernel crypto API is provided in kernel/test -- a simple make compiles the kernel.

The libgcrypt version is provided in the directory libgcrypt/. The provided patch must be applied to the libgcrypt source code (currently tested with libgcrypt git development code available on 2014-03-02). In addition, the drbg.c file must be copied to the random/ directory of the libgcrypt code tree. After compiling and installing libgcrypt, the DRBG code is available. A test application in libgcrypt/test can be compiled and linked with the newly generated libgcrypt. When executing the test application, it demonstrates how the DRBG integrated with libgcrypt is invoked.

Source Code

The following source code contains the implementation of the CPU Random Number Generator.

Link Changes
20140225 Initial version

Fix libgcrypt error reporting when changing DRBG types

Fix deadlock in libgcrypt code


Add kernel/ directory which contains the consolidated kernel module that should eventually be suggested for inclusion into the kernel


Solving how personalization / additional information string can be passed through kernel crypto API. Remove of all EXPORT_SYMBOLs as all CAVS testing and normal use can go through the kernel crypto API now. See the comments in drbg.c for examples on how to use the kernel crypto API to cover all use cases of the DRBG.


Remove DRBG strength flags

Add libgcrypt/ directory for consolidated libgcrypt code/patch

Solving all open questions around libgcrypt and adding documentation to drbg.c

Add CAVS test description / reference implementation

Small bug fixes in kernel code


Kernel code: Add testmgr integration of self tests provided with patch in kernel/ directory.


Kernel: Make HMAC DRBG configurable like the other DRBG types.

Kernel: Make cores[] const.

libgcrypt: Make cores[] const.

Kernel: Fix nasty array overflow bug in drbg_create_algs.


Kernel / libgcryt: add more sanity checks

Kernel: add null test vectors to testmgr to cover all DRBG types and prevent kernel messages about untested cipher types


Kernel / libgcryt: clean up code and data structures -- thanks to Jeremy Powell and Rafael Aquini for input.

Kernel: fix memory corruption bug


Kernel: Restructuring and simplification of code

Kernel: full CAVS test in kernel/test/


libgcrypt: Restructuring and simplification of code

libgcrypt: full CAVS test in libgcrypt/test/


libgcrypt: release v4 patches and associated tests updates

kernel: release v3 patches and associated tests updates


libgcrypt: release v5 patches

kernel: release v4 through v6 patches


kernel: release v7 through v9 patches

kernel: update test kernel module to use the new .cra_name.


kernel / libgcrypt: test case requests bit string of random length up to 1MB

kernel: DRBG is now in Linux kernel RC1 and the cryptodev-2.6 development tree -- source code in tarball is now secondary

libgcrypt: backport patches from kernel DRBG code that were requested while the DRBG was added to the kernel development tree


libgcrypt: update test application to match patch set v10 sent to the libgcrypt bug tracker ID 1701

2016-02-25 smueller at chronox.de