TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls.git / a16ee6b7d4789c501baf5955e492cc27189b2706 / . / tests / suites / test_suite_ctr_drbg.function
blob: bdf3dca59a1931864917ba03af65c9c139ce658b [file] [log] [blame]
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]1/* BEGIN_HEADER */
Gilles Peskineef0624f2018-08-03 20:23:09 +0200[diff] [blame]2#include "mbedtls/entropy.h"
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]3#include "mbedtls/ctr_drbg.h"
Mohammad Azim Khan67735d52017-04-06 11:55:43 +0100[diff] [blame]4#include "string.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]5
Gilles Peskine5ef5a9a2018-08-03 20:27:50 +0200[diff] [blame]6/* Modes for ctr_drbg_validate */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]7enum reseed_mode {
Gilles Peskine5ef5a9a2018-08-03 20:27:50 +0200[diff] [blame]8 RESEED_NEVER, /* never reseed */
9 RESEED_FIRST, /* instantiate, reseed, generate, generate */
10 RESEED_SECOND, /* instantiate, generate, reseed, generate */
11 RESEED_ALWAYS /* prediction resistance, no explicit reseed */
12};
13
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]14static size_t test_offset_idx = 0;
15static size_t test_max_idx = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]16static int mbedtls_test_entropy_func(void *data, unsigned char *buf, size_t len)
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]17{
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]18 const unsigned char *p = (unsigned char *) data;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]19 if (test_offset_idx + len > test_max_idx) {
20 return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
21 }
22 memcpy(buf, p + test_offset_idx, len);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]23 test_offset_idx += len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]24 return 0;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]25}
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]26
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]27static void ctr_drbg_validate_internal(int reseed_mode, data_t *nonce,
28 int entropy_len_arg, data_t *entropy,
29 data_t *reseed,
30 data_t *add1, data_t *add2,
31 data_t *result)
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]32{
33 mbedtls_ctr_drbg_context ctx;
Gilles Peskine21e46b32023-10-17 16:35:20 +0200[diff] [blame]34 mbedtls_ctr_drbg_init(&ctx);
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]35 unsigned char buf[64];
36
37 size_t entropy_chunk_len = (size_t) entropy_len_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]38 TEST_ASSERT(entropy_chunk_len <= sizeof(buf));
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]39
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]40 test_offset_idx = 0;
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]41 test_max_idx = entropy->len;
42
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]43 /* CTR_DRBG_Instantiate(entropy[:entropy->len], nonce, perso, <ignored>)
44 * where nonce||perso = nonce[nonce->len] */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]45 mbedtls_ctr_drbg_set_entropy_len(&ctx, entropy_chunk_len);
46 mbedtls_ctr_drbg_set_nonce_len(&ctx, 0);
47 TEST_ASSERT(mbedtls_ctr_drbg_seed(
48 &ctx,
49 mbedtls_test_entropy_func, entropy->x,
50 nonce->x, nonce->len) == 0);
51 if (reseed_mode == RESEED_ALWAYS) {
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]52 mbedtls_ctr_drbg_set_prediction_resistance(
53 &ctx,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]54 MBEDTLS_CTR_DRBG_PR_ON);
55 }
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]56
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]57 if (reseed_mode == RESEED_FIRST) {
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]58 /* CTR_DRBG_Reseed(entropy[idx:idx+entropy->len],
59 * reseed[:reseed->len]) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]60 TEST_ASSERT(mbedtls_ctr_drbg_reseed(
61 &ctx,
62 reseed->x, reseed->len) == 0);
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]63 }
64
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]65 /* CTR_DRBG_Generate(result->len * 8 bits, add1[:add1->len]) -> buf */
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]66 /* Then reseed if prediction resistance is enabled. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]67 TEST_ASSERT(mbedtls_ctr_drbg_random_with_add(
68 &ctx,
69 buf, result->len,
70 add1->x, add1->len) == 0);
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]71
72
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]73 if (reseed_mode == RESEED_SECOND) {
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]74 /* CTR_DRBG_Reseed(entropy[idx:idx+entropy->len],
75 * reseed[:reseed->len]) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]76 TEST_ASSERT(mbedtls_ctr_drbg_reseed(
77 &ctx,
78 reseed->x, reseed->len) == 0);
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]79 }
80
81 /* CTR_DRBG_Generate(result->len * 8 bits, add2->x[:add2->len]) -> buf */
82 /* Then reseed if prediction resistance is enabled. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]83 TEST_ASSERT(mbedtls_ctr_drbg_random_with_add(
84 &ctx,
85 buf, result->len,
86 add2->x, add2->len) == 0);
87 TEST_ASSERT(memcmp(buf, result->x, result->len) == 0);
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]88
89exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]90 mbedtls_ctr_drbg_free(&ctx);
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]91}
92
Janos Follatha16ee6b2023-10-04 19:05:26 +0100[diff] [blame^]93static const int thread_random_reps = 10;
94void *thread_random_function( void* ctx )
95{
96 unsigned char out[16];
97 memset(out, 0, sizeof(out));
98
99 for(int i = 0; i < thread_random_reps; i++) {
100 TEST_EQUAL(mbedtls_ctr_drbg_random_with_add((mbedtls_ctr_drbg_context*) ctx, out, sizeof(out), NULL, 0), 0);
101 }
102
103exit:
104 return NULL;
105}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]106/* END_HEADER */
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]107
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]108/* BEGIN_DEPENDENCIES
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]109 * depends_on:MBEDTLS_CTR_DRBG_C
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]110 * END_DEPENDENCIES
111 */
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]112
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]113/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]114void ctr_drbg_special_behaviours()
Paul Bakker185ccf72016-07-14 13:21:10 +0100[diff] [blame]115{
116 mbedtls_ctr_drbg_context ctx;
117 unsigned char output[512];
118 unsigned char additional[512];
119
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]120 mbedtls_ctr_drbg_init(&ctx);
121 memset(output, 0, sizeof(output));
122 memset(additional, 0, sizeof(additional));
Paul Bakker185ccf72016-07-14 13:21:10 +0100[diff] [blame]123
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]124 TEST_ASSERT(mbedtls_ctr_drbg_random_with_add(&ctx,
125 output, MBEDTLS_CTR_DRBG_MAX_REQUEST + 1,
126 additional, 16) ==
127 MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG);
128 TEST_ASSERT(mbedtls_ctr_drbg_random_with_add(&ctx,
129 output, 16,
130 additional, MBEDTLS_CTR_DRBG_MAX_INPUT + 1) ==
131 MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG);
Paul Bakker185ccf72016-07-14 13:21:10 +0100[diff] [blame]132
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]133 TEST_ASSERT(mbedtls_ctr_drbg_reseed(&ctx, additional,
134 MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + 1) ==
135 MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG);
Andres Amaya Garcia6a543362017-01-17 23:04:22 +0000[diff] [blame]136
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]137 mbedtls_ctr_drbg_set_entropy_len(&ctx, ~0);
138 TEST_ASSERT(mbedtls_ctr_drbg_reseed(&ctx, additional,
139 MBEDTLS_CTR_DRBG_MAX_SEED_INPUT) ==
140 MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG);
Paul Bakker185ccf72016-07-14 13:21:10 +0100[diff] [blame]141exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]142 mbedtls_ctr_drbg_free(&ctx);
Paul Bakker185ccf72016-07-14 13:21:10 +0100[diff] [blame]143}
144/* END_CASE */
145
Gilles Peskine5ef5a9a2018-08-03 20:27:50 +0200[diff] [blame]146
147/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]148void ctr_drbg_validate_no_reseed(data_t *add_init, data_t *entropy,
149 data_t *add1, data_t *add2,
150 data_t *result_string)
Gilles Peskine5ef5a9a2018-08-03 20:27:50 +0200[diff] [blame]151{
Nir Sonnenscheinacedc912018-08-29 23:57:45 +0300[diff] [blame]152 data_t empty = { 0, 0 };
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]153 AES_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]154 ctr_drbg_validate_internal(RESEED_NEVER, add_init,
155 entropy->len, entropy,
156 &empty, add1, add2,
157 result_string);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]158 AES_PSA_DONE();
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]159 goto exit; // goto is needed to avoid warning ( no test assertions in func)
Gilles Peskine5ef5a9a2018-08-03 20:27:50 +0200[diff] [blame]160}
161/* END_CASE */
162
163/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]164void ctr_drbg_validate_pr(data_t *add_init, data_t *entropy,
165 data_t *add1, data_t *add2,
166 data_t *result_string)
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]167{
Nir Sonnenscheinacedc912018-08-29 23:57:45 +0300[diff] [blame]168 data_t empty = { 0, 0 };
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]169 AES_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]170 ctr_drbg_validate_internal(RESEED_ALWAYS, add_init,
171 entropy->len / 3, entropy,
172 &empty, add1, add2,
173 result_string);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]174 AES_PSA_DONE();
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]175 goto exit; // goto is needed to avoid warning ( no test assertions in func)
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]176}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]177/* END_CASE */
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]178
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]179/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]180void ctr_drbg_validate_reseed_between(data_t *add_init, data_t *entropy,
181 data_t *add1, data_t *add_reseed,
182 data_t *add2, data_t *result_string)
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]183{
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]184 AES_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]185 ctr_drbg_validate_internal(RESEED_SECOND, add_init,
186 entropy->len / 2, entropy,
187 add_reseed, add1, add2,
188 result_string);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]189 AES_PSA_DONE();
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]190 goto exit; // goto is needed to avoid warning ( no test assertions in func)
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]191}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]192/* END_CASE */
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]193
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]194/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]195void ctr_drbg_validate_reseed_first(data_t *add_init, data_t *entropy,
196 data_t *add1, data_t *add_reseed,
197 data_t *add2, data_t *result_string)
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]198{
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]199 AES_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]200 ctr_drbg_validate_internal(RESEED_FIRST, add_init,
201 entropy->len / 2, entropy,
202 add_reseed, add1, add2,
203 result_string);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]204 AES_PSA_DONE();
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]205 goto exit; // goto is needed to avoid warning ( no test assertions in func)
206}
207/* END_CASE */
208
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]209/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]210void ctr_drbg_entropy_strength(int expected_bit_strength)
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]211{
212 unsigned char entropy[/*initial entropy*/ MBEDTLS_CTR_DRBG_ENTROPY_LEN +
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]213 /*nonce*/ MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN +
214 /*reseed*/ MBEDTLS_CTR_DRBG_ENTROPY_LEN];
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]215 mbedtls_ctr_drbg_context ctx;
216 size_t last_idx;
217 size_t byte_strength = expected_bit_strength / 8;
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]218
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]219 mbedtls_ctr_drbg_init(&ctx);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]220
221 AES_PSA_INIT();
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]222 test_offset_idx = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]223 test_max_idx = sizeof(entropy);
224 memset(entropy, 0, sizeof(entropy));
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]225
226 /* The initial seeding must grab at least byte_strength bytes of entropy
227 * for the entropy input and byte_strength/2 bytes for a nonce. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]228 TEST_ASSERT(mbedtls_ctr_drbg_seed(&ctx,
229 mbedtls_test_entropy_func, entropy,
230 NULL, 0) == 0);
231 TEST_ASSERT(test_offset_idx >= (byte_strength * 3 + 1) / 2);
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]232 last_idx = test_offset_idx;
233
234 /* A reseed must grab at least byte_strength bytes of entropy. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]235 TEST_ASSERT(mbedtls_ctr_drbg_reseed(&ctx, NULL, 0) == 0);
236 TEST_ASSERT(test_offset_idx - last_idx >= byte_strength);
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]237
238exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]239 mbedtls_ctr_drbg_free(&ctx);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]240 AES_PSA_DONE();
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]241}
242/* END_CASE */
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]243
244/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]245void ctr_drbg_entropy_usage(int entropy_nonce_len)
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]246{
247 unsigned char out[16];
248 unsigned char add[16];
249 unsigned char entropy[1024];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]250 mbedtls_ctr_drbg_context ctx;
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]251 size_t i, reps = 10;
Gilles Peskine58b56ce2019-10-22 19:10:01 +0200[diff] [blame]252 size_t expected_idx = 0;
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]253
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]254 mbedtls_ctr_drbg_init(&ctx);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]255
256 AES_PSA_INIT();
257
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]258 test_offset_idx = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]259 test_max_idx = sizeof(entropy);
260 memset(entropy, 0, sizeof(entropy));
261 memset(out, 0, sizeof(out));
262 memset(add, 0, sizeof(add));
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]263
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]264 if (entropy_nonce_len >= 0) {
265 TEST_ASSERT(mbedtls_ctr_drbg_set_nonce_len(&ctx, entropy_nonce_len) == 0);
266 }
Gilles Peskinec949de02019-10-22 19:14:26 +0200[diff] [blame]267
Gavin Acquroff6aceb512020-03-01 17:06:11 -0800[diff] [blame]268 /* Set reseed interval before seed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]269 mbedtls_ctr_drbg_set_reseed_interval(&ctx, 2 * reps);
Gavin Acquroff6aceb512020-03-01 17:06:11 -0800[diff] [blame]270
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]271 /* Init must use entropy */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]272 TEST_ASSERT(mbedtls_ctr_drbg_seed(&ctx, mbedtls_test_entropy_func, entropy, NULL, 0) == 0);
Gilles Peskine58b56ce2019-10-22 19:10:01 +0200[diff] [blame]273 expected_idx += MBEDTLS_CTR_DRBG_ENTROPY_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]274 if (entropy_nonce_len >= 0) {
Gilles Peskinec949de02019-10-22 19:14:26 +0200[diff] [blame]275 expected_idx += entropy_nonce_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]276 } else {
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]277 expected_idx += MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]278 }
279 TEST_EQUAL(test_offset_idx, expected_idx);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]280
Gavin Acquroff6aceb512020-03-01 17:06:11 -0800[diff] [blame]281 /* By default, PR is off, and reseed interval was set to
282 * 2 * reps so the next few calls should not use entropy */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]283 for (i = 0; i < reps; i++) {
284 TEST_ASSERT(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out) - 4) == 0);
285 TEST_ASSERT(mbedtls_ctr_drbg_random_with_add(&ctx, out, sizeof(out) - 4,
286 add, sizeof(add)) == 0);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]287 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]288 TEST_EQUAL(test_offset_idx, expected_idx);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]289
290 /* While at it, make sure we didn't write past the requested length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]291 TEST_ASSERT(out[sizeof(out) - 4] == 0);
292 TEST_ASSERT(out[sizeof(out) - 3] == 0);
293 TEST_ASSERT(out[sizeof(out) - 2] == 0);
294 TEST_ASSERT(out[sizeof(out) - 1] == 0);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]295
Gavin Acquroff6aceb512020-03-01 17:06:11 -0800[diff] [blame]296 /* There have been 2 * reps calls to random. The next call should reseed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]297 TEST_ASSERT(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)) == 0);
Gilles Peskine58b56ce2019-10-22 19:10:01 +0200[diff] [blame]298 expected_idx += MBEDTLS_CTR_DRBG_ENTROPY_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]299 TEST_EQUAL(test_offset_idx, expected_idx);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]300
Gavin Acquroff6aceb512020-03-01 17:06:11 -0800[diff] [blame]301 /* Set reseed interval after seed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]302 mbedtls_ctr_drbg_set_reseed_interval(&ctx, 4 * reps + 1);
Gavin Acquroff6aceb512020-03-01 17:06:11 -0800[diff] [blame]303
304 /* The next few calls should not reseed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]305 for (i = 0; i < (2 * reps); i++) {
306 TEST_ASSERT(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)) == 0);
307 TEST_ASSERT(mbedtls_ctr_drbg_random_with_add(&ctx, out, sizeof(out),
308 add, sizeof(add)) == 0);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]309 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]310 TEST_EQUAL(test_offset_idx, expected_idx);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]311
Dave Rodgman6dd757a2023-02-02 12:40:50 +0000[diff] [blame]312 /* Call update with too much data (sizeof(entropy) > MAX(_SEED)_INPUT).
Gilles Peskined9199932018-09-11 16:41:54 +0200[diff] [blame]313 * Make sure it's detected as an error and doesn't cause memory
314 * corruption. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]315 TEST_ASSERT(mbedtls_ctr_drbg_update(
316 &ctx, entropy, sizeof(entropy)) != 0);
Manuel Pégourié-Gonnardf5f25b32014-11-27 14:04:56 +0100[diff] [blame]317
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]318 /* Now enable PR, so the next few calls should all reseed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]319 mbedtls_ctr_drbg_set_prediction_resistance(&ctx, MBEDTLS_CTR_DRBG_PR_ON);
320 TEST_ASSERT(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)) == 0);
Gilles Peskine58b56ce2019-10-22 19:10:01 +0200[diff] [blame]321 expected_idx += MBEDTLS_CTR_DRBG_ENTROPY_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]322 TEST_EQUAL(test_offset_idx, expected_idx);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]323
324 /* Finally, check setting entropy_len */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]325 mbedtls_ctr_drbg_set_entropy_len(&ctx, 42);
326 TEST_ASSERT(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)) == 0);
Gilles Peskine58b56ce2019-10-22 19:10:01 +0200[diff] [blame]327 expected_idx += 42;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]328 TEST_EQUAL(test_offset_idx, expected_idx);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]329
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]330 mbedtls_ctr_drbg_set_entropy_len(&ctx, 13);
331 TEST_ASSERT(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)) == 0);
Gilles Peskine58b56ce2019-10-22 19:10:01 +0200[diff] [blame]332 expected_idx += 13;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]333 TEST_EQUAL(test_offset_idx, expected_idx);
Paul Bakkera317a982014-06-18 16:44:11 +0200[diff] [blame]334
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]335exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]336 mbedtls_ctr_drbg_free(&ctx);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]337 AES_PSA_DONE();
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]338}
339/* END_CASE */
340
Janos Follatha16ee6b2023-10-04 19:05:26 +0100[diff] [blame^]341/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD */
342void ctr_drbg_threads(data_t *expected_result, int reseed_interval)
343{
344#define THREAD_CNT 5
345 pthread_t threads[THREAD_CNT];
346
347 unsigned char out[16];
348 memset(out, 0, sizeof(out));
349
350 unsigned char entropy[1024];
351 memset(entropy, 0, sizeof(entropy));
352
353 test_offset_idx = 0;
354 test_max_idx = sizeof(entropy);
355
356 mbedtls_ctr_drbg_context ctx;
357 mbedtls_ctr_drbg_init(&ctx);
358
359 mbedtls_ctr_drbg_set_reseed_interval(&ctx, reseed_interval);
360
361 /* There are too many calls in this test to conveniently provide enough
362 * entropy for this to be on. Test cases can trigger reseeding by setting
363 * \p reseed_interval appropriately. */
364 mbedtls_ctr_drbg_set_prediction_resistance(&ctx, MBEDTLS_CTR_DRBG_PR_OFF);
365
366 TEST_EQUAL(
367 mbedtls_ctr_drbg_seed(&ctx, mbedtls_test_entropy_func, entropy, NULL, 0),
368 0);
369
370 for (size_t i = 0; i < THREAD_CNT; i++) {
371 TEST_EQUAL(
372 pthread_create(&threads[i], NULL,
373 thread_random_function, (void*) &ctx),
374 0);
375 }
376
377 for (size_t i = 0; i < THREAD_CNT; i++) {
378 TEST_EQUAL(pthread_join(threads[i], NULL), 0);
379 }
380
381 /* Take a last output for comparing and thus verifying the DRBG state */
382 TEST_EQUAL(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)), 0);
383
384 TEST_MEMORY_COMPARE(out, sizeof(out), expected_result->x, expected_result->len);
385
386exit:
387 mbedtls_ctr_drbg_free(&ctx);
388}
389#undef THREAD_CNT
390/* END_CASE */
391
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]392/* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]393void ctr_drbg_seed_file(char *path, int ret)
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]394{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]395 mbedtls_ctr_drbg_context ctx;
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]396
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]397 mbedtls_ctr_drbg_init(&ctx);
Manuel Pégourié-Gonnard8d128ef2015-04-28 22:38:08 +0200[diff] [blame]398
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]399 AES_PSA_INIT();
400
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]401 TEST_ASSERT(mbedtls_ctr_drbg_seed(&ctx, mbedtls_test_rnd_std_rand,
402 NULL, NULL, 0) == 0);
403 TEST_ASSERT(mbedtls_ctr_drbg_write_seed_file(&ctx, path) == ret);
404 TEST_ASSERT(mbedtls_ctr_drbg_update_seed_file(&ctx, path) == ret);
Paul Bakkera317a982014-06-18 16:44:11 +0200[diff] [blame]405
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]406exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]407 mbedtls_ctr_drbg_free(&ctx);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]408 AES_PSA_DONE();
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]409}
410/* END_CASE */
411
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]412/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]413void ctr_drbg_selftest()
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]414{
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]415 AES_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]416 TEST_ASSERT(mbedtls_ctr_drbg_self_test(1) == 0);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]417 AES_PSA_DONE();
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]418}
419/* END_CASE */