TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls.git / fed410f58e4370cbd6025d959ac6084fe5864d73 / . / tests / suites / test_suite_ctr_drbg.function
blob: 329c222cf9f1d61181651b3b85ba931c99958069 [file] [log] [blame]
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]1/* BEGIN_HEADER */
Gilles Peskineef0624f2018-08-03 20:23:09 +0200[diff] [blame]2#include "mbedtls/entropy.h"
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]3#include "mbedtls/ctr_drbg.h"
Mohammad Azim Khan67735d52017-04-06 11:55:43 +0100[diff] [blame]4#include "string.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]5
Paul Elliott20b2efa2023-11-21 14:46:51 +0000[diff] [blame]6#if defined(MBEDTLS_THREADING_PTHREAD)
7#include "mbedtls/threading.h"
8#endif
9
Gilles Peskine5ef5a9a2018-08-03 20:27:50 +0200[diff] [blame]10/* Modes for ctr_drbg_validate */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]11enum reseed_mode {
Gilles Peskine5ef5a9a2018-08-03 20:27:50 +0200[diff] [blame]12 RESEED_NEVER, /* never reseed */
13 RESEED_FIRST, /* instantiate, reseed, generate, generate */
14 RESEED_SECOND, /* instantiate, generate, reseed, generate */
15 RESEED_ALWAYS /* prediction resistance, no explicit reseed */
16};
17
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]18static size_t test_offset_idx = 0;
19static size_t test_max_idx = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]20static int mbedtls_test_entropy_func(void *data, unsigned char *buf, size_t len)
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]21{
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]22 const unsigned char *p = (unsigned char *) data;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]23 if (test_offset_idx + len > test_max_idx) {
24 return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
25 }
26 memcpy(buf, p + test_offset_idx, len);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]27 test_offset_idx += len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]28 return 0;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]29}
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]30
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]31static void ctr_drbg_validate_internal(int reseed_mode, data_t *nonce,
32 int entropy_len_arg, data_t *entropy,
33 data_t *reseed,
34 data_t *add1, data_t *add2,
35 data_t *result)
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]36{
37 mbedtls_ctr_drbg_context ctx;
Gilles Peskine21e46b32023-10-17 16:35:20 +0200[diff] [blame]38 mbedtls_ctr_drbg_init(&ctx);
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]39 unsigned char buf[64];
40
41 size_t entropy_chunk_len = (size_t) entropy_len_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]42 TEST_ASSERT(entropy_chunk_len <= sizeof(buf));
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]43
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]44 test_offset_idx = 0;
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]45 test_max_idx = entropy->len;
46
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]47 /* CTR_DRBG_Instantiate(entropy[:entropy->len], nonce, perso, <ignored>)
48 * where nonce||perso = nonce[nonce->len] */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]49 mbedtls_ctr_drbg_set_entropy_len(&ctx, entropy_chunk_len);
50 mbedtls_ctr_drbg_set_nonce_len(&ctx, 0);
51 TEST_ASSERT(mbedtls_ctr_drbg_seed(
52 &ctx,
53 mbedtls_test_entropy_func, entropy->x,
54 nonce->x, nonce->len) == 0);
55 if (reseed_mode == RESEED_ALWAYS) {
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]56 mbedtls_ctr_drbg_set_prediction_resistance(
57 &ctx,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]58 MBEDTLS_CTR_DRBG_PR_ON);
59 }
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]60
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]61 if (reseed_mode == RESEED_FIRST) {
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]62 /* CTR_DRBG_Reseed(entropy[idx:idx+entropy->len],
63 * reseed[:reseed->len]) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]64 TEST_ASSERT(mbedtls_ctr_drbg_reseed(
65 &ctx,
66 reseed->x, reseed->len) == 0);
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]67 }
68
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]69 /* CTR_DRBG_Generate(result->len * 8 bits, add1[:add1->len]) -> buf */
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]70 /* Then reseed if prediction resistance is enabled. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]71 TEST_ASSERT(mbedtls_ctr_drbg_random_with_add(
72 &ctx,
73 buf, result->len,
74 add1->x, add1->len) == 0);
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]75
76
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]77 if (reseed_mode == RESEED_SECOND) {
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]78 /* CTR_DRBG_Reseed(entropy[idx:idx+entropy->len],
79 * reseed[:reseed->len]) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]80 TEST_ASSERT(mbedtls_ctr_drbg_reseed(
81 &ctx,
82 reseed->x, reseed->len) == 0);
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]83 }
84
85 /* CTR_DRBG_Generate(result->len * 8 bits, add2->x[:add2->len]) -> buf */
86 /* Then reseed if prediction resistance is enabled. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]87 TEST_ASSERT(mbedtls_ctr_drbg_random_with_add(
88 &ctx,
89 buf, result->len,
90 add2->x, add2->len) == 0);
91 TEST_ASSERT(memcmp(buf, result->x, result->len) == 0);
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]92
93exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]94 mbedtls_ctr_drbg_free(&ctx);
Nir Sonnenschein6275be32018-08-29 10:25:30 +0300[diff] [blame]95}
96
Janos Follatha16ee6b2023-10-04 19:05:26 +0100[diff] [blame]97static const int thread_random_reps = 10;
Paul Elliott6a997c92023-11-30 14:47:17 +0000[diff] [blame]98void *thread_random_function(void *ctx)
Janos Follatha16ee6b2023-10-04 19:05:26 +0100[diff] [blame]99{
100 unsigned char out[16];
101 memset(out, 0, sizeof(out));
102
Paul Elliott6a997c92023-11-30 14:47:17 +0000[diff] [blame]103 for (int i = 0; i < thread_random_reps; i++) {
104 TEST_EQUAL(mbedtls_ctr_drbg_random((mbedtls_ctr_drbg_context *) ctx, out, sizeof(out)), 0);
Janos Follatha16ee6b2023-10-04 19:05:26 +0100[diff] [blame]105 }
106
107exit:
108 return NULL;
109}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]110/* END_HEADER */
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]111
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]112/* BEGIN_DEPENDENCIES
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]113 * depends_on:MBEDTLS_CTR_DRBG_C
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]114 * END_DEPENDENCIES
115 */
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]116
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]117/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]118void ctr_drbg_special_behaviours()
Paul Bakker185ccf72016-07-14 13:21:10 +0100[diff] [blame]119{
120 mbedtls_ctr_drbg_context ctx;
121 unsigned char output[512];
122 unsigned char additional[512];
123
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]124 mbedtls_ctr_drbg_init(&ctx);
125 memset(output, 0, sizeof(output));
126 memset(additional, 0, sizeof(additional));
Paul Bakker185ccf72016-07-14 13:21:10 +0100[diff] [blame]127
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]128 TEST_ASSERT(mbedtls_ctr_drbg_random_with_add(&ctx,
129 output, MBEDTLS_CTR_DRBG_MAX_REQUEST + 1,
130 additional, 16) ==
131 MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG);
132 TEST_ASSERT(mbedtls_ctr_drbg_random_with_add(&ctx,
133 output, 16,
134 additional, MBEDTLS_CTR_DRBG_MAX_INPUT + 1) ==
135 MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG);
Paul Bakker185ccf72016-07-14 13:21:10 +0100[diff] [blame]136
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]137 TEST_ASSERT(mbedtls_ctr_drbg_reseed(&ctx, additional,
138 MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + 1) ==
139 MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG);
Andres Amaya Garcia6a543362017-01-17 23:04:22 +0000[diff] [blame]140
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]141 mbedtls_ctr_drbg_set_entropy_len(&ctx, ~0);
142 TEST_ASSERT(mbedtls_ctr_drbg_reseed(&ctx, additional,
143 MBEDTLS_CTR_DRBG_MAX_SEED_INPUT) ==
144 MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG);
Paul Bakker185ccf72016-07-14 13:21:10 +0100[diff] [blame]145exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]146 mbedtls_ctr_drbg_free(&ctx);
Paul Bakker185ccf72016-07-14 13:21:10 +0100[diff] [blame]147}
148/* END_CASE */
149
Gilles Peskine5ef5a9a2018-08-03 20:27:50 +0200[diff] [blame]150
151/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]152void ctr_drbg_validate_no_reseed(data_t *add_init, data_t *entropy,
153 data_t *add1, data_t *add2,
154 data_t *result_string)
Gilles Peskine5ef5a9a2018-08-03 20:27:50 +0200[diff] [blame]155{
Nir Sonnenscheinacedc912018-08-29 23:57:45 +0300[diff] [blame]156 data_t empty = { 0, 0 };
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]157 AES_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]158 ctr_drbg_validate_internal(RESEED_NEVER, add_init,
159 entropy->len, entropy,
160 &empty, add1, add2,
161 result_string);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]162 AES_PSA_DONE();
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]163 goto exit; // goto is needed to avoid warning ( no test assertions in func)
Gilles Peskine5ef5a9a2018-08-03 20:27:50 +0200[diff] [blame]164}
165/* END_CASE */
166
167/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]168void ctr_drbg_validate_pr(data_t *add_init, data_t *entropy,
169 data_t *add1, data_t *add2,
170 data_t *result_string)
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]171{
Nir Sonnenscheinacedc912018-08-29 23:57:45 +0300[diff] [blame]172 data_t empty = { 0, 0 };
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]173 AES_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]174 ctr_drbg_validate_internal(RESEED_ALWAYS, add_init,
175 entropy->len / 3, entropy,
176 &empty, add1, add2,
177 result_string);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]178 AES_PSA_DONE();
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]179 goto exit; // goto is needed to avoid warning ( no test assertions in func)
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]180}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]181/* END_CASE */
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]182
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]183/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]184void ctr_drbg_validate_reseed_between(data_t *add_init, data_t *entropy,
185 data_t *add1, data_t *add_reseed,
186 data_t *add2, data_t *result_string)
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]187{
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]188 AES_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]189 ctr_drbg_validate_internal(RESEED_SECOND, add_init,
190 entropy->len / 2, entropy,
191 add_reseed, add1, add2,
192 result_string);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]193 AES_PSA_DONE();
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]194 goto exit; // goto is needed to avoid warning ( no test assertions in func)
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]195}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]196/* END_CASE */
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]197
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]198/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]199void ctr_drbg_validate_reseed_first(data_t *add_init, data_t *entropy,
200 data_t *add1, data_t *add_reseed,
201 data_t *add2, data_t *result_string)
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]202{
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]203 AES_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]204 ctr_drbg_validate_internal(RESEED_FIRST, add_init,
205 entropy->len / 2, entropy,
206 add_reseed, add1, add2,
207 result_string);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]208 AES_PSA_DONE();
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]209 goto exit; // goto is needed to avoid warning ( no test assertions in func)
210}
211/* END_CASE */
212
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]213/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]214void ctr_drbg_entropy_strength(int expected_bit_strength)
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]215{
216 unsigned char entropy[/*initial entropy*/ MBEDTLS_CTR_DRBG_ENTROPY_LEN +
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]217 /*nonce*/ MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN +
218 /*reseed*/ MBEDTLS_CTR_DRBG_ENTROPY_LEN];
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]219 mbedtls_ctr_drbg_context ctx;
220 size_t last_idx;
221 size_t byte_strength = expected_bit_strength / 8;
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]222
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]223 mbedtls_ctr_drbg_init(&ctx);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]224
225 AES_PSA_INIT();
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]226 test_offset_idx = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]227 test_max_idx = sizeof(entropy);
228 memset(entropy, 0, sizeof(entropy));
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]229
230 /* The initial seeding must grab at least byte_strength bytes of entropy
231 * for the entropy input and byte_strength/2 bytes for a nonce. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]232 TEST_ASSERT(mbedtls_ctr_drbg_seed(&ctx,
233 mbedtls_test_entropy_func, entropy,
234 NULL, 0) == 0);
235 TEST_ASSERT(test_offset_idx >= (byte_strength * 3 + 1) / 2);
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]236 last_idx = test_offset_idx;
237
238 /* A reseed must grab at least byte_strength bytes of entropy. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]239 TEST_ASSERT(mbedtls_ctr_drbg_reseed(&ctx, NULL, 0) == 0);
240 TEST_ASSERT(test_offset_idx - last_idx >= byte_strength);
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]241
242exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]243 mbedtls_ctr_drbg_free(&ctx);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]244 AES_PSA_DONE();
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]245}
246/* END_CASE */
Nir Sonnenschein85fcb582018-08-29 23:38:57 +0300[diff] [blame]247
248/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]249void ctr_drbg_entropy_usage(int entropy_nonce_len)
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]250{
251 unsigned char out[16];
252 unsigned char add[16];
253 unsigned char entropy[1024];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]254 mbedtls_ctr_drbg_context ctx;
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]255 size_t i, reps = 10;
Gilles Peskine58b56ce2019-10-22 19:10:01 +0200[diff] [blame]256 size_t expected_idx = 0;
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]257
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]258 mbedtls_ctr_drbg_init(&ctx);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]259
260 AES_PSA_INIT();
261
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]262 test_offset_idx = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]263 test_max_idx = sizeof(entropy);
264 memset(entropy, 0, sizeof(entropy));
265 memset(out, 0, sizeof(out));
266 memset(add, 0, sizeof(add));
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]267
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]268 if (entropy_nonce_len >= 0) {
269 TEST_ASSERT(mbedtls_ctr_drbg_set_nonce_len(&ctx, entropy_nonce_len) == 0);
270 }
Gilles Peskinec949de02019-10-22 19:14:26 +0200[diff] [blame]271
Gavin Acquroff6aceb512020-03-01 17:06:11 -0800[diff] [blame]272 /* Set reseed interval before seed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]273 mbedtls_ctr_drbg_set_reseed_interval(&ctx, 2 * reps);
Gavin Acquroff6aceb512020-03-01 17:06:11 -0800[diff] [blame]274
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]275 /* Init must use entropy */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]276 TEST_ASSERT(mbedtls_ctr_drbg_seed(&ctx, mbedtls_test_entropy_func, entropy, NULL, 0) == 0);
Gilles Peskine58b56ce2019-10-22 19:10:01 +0200[diff] [blame]277 expected_idx += MBEDTLS_CTR_DRBG_ENTROPY_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]278 if (entropy_nonce_len >= 0) {
Gilles Peskinec949de02019-10-22 19:14:26 +0200[diff] [blame]279 expected_idx += entropy_nonce_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]280 } else {
Gilles Peskine69971662019-10-23 19:39:36 +0200[diff] [blame]281 expected_idx += MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 }
283 TEST_EQUAL(test_offset_idx, expected_idx);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]284
Gavin Acquroff6aceb512020-03-01 17:06:11 -0800[diff] [blame]285 /* By default, PR is off, and reseed interval was set to
286 * 2 * reps so the next few calls should not use entropy */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]287 for (i = 0; i < reps; i++) {
288 TEST_ASSERT(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out) - 4) == 0);
289 TEST_ASSERT(mbedtls_ctr_drbg_random_with_add(&ctx, out, sizeof(out) - 4,
290 add, sizeof(add)) == 0);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]291 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]292 TEST_EQUAL(test_offset_idx, expected_idx);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]293
294 /* While at it, make sure we didn't write past the requested length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]295 TEST_ASSERT(out[sizeof(out) - 4] == 0);
296 TEST_ASSERT(out[sizeof(out) - 3] == 0);
297 TEST_ASSERT(out[sizeof(out) - 2] == 0);
298 TEST_ASSERT(out[sizeof(out) - 1] == 0);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]299
Gavin Acquroff6aceb512020-03-01 17:06:11 -0800[diff] [blame]300 /* There have been 2 * reps calls to random. The next call should reseed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]301 TEST_ASSERT(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)) == 0);
Gilles Peskine58b56ce2019-10-22 19:10:01 +0200[diff] [blame]302 expected_idx += MBEDTLS_CTR_DRBG_ENTROPY_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]303 TEST_EQUAL(test_offset_idx, expected_idx);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]304
Gavin Acquroff6aceb512020-03-01 17:06:11 -0800[diff] [blame]305 /* Set reseed interval after seed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]306 mbedtls_ctr_drbg_set_reseed_interval(&ctx, 4 * reps + 1);
Gavin Acquroff6aceb512020-03-01 17:06:11 -0800[diff] [blame]307
308 /* The next few calls should not reseed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]309 for (i = 0; i < (2 * reps); i++) {
310 TEST_ASSERT(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)) == 0);
311 TEST_ASSERT(mbedtls_ctr_drbg_random_with_add(&ctx, out, sizeof(out),
312 add, sizeof(add)) == 0);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]313 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]314 TEST_EQUAL(test_offset_idx, expected_idx);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]315
Dave Rodgman6dd757a2023-02-02 12:40:50 +0000[diff] [blame]316 /* Call update with too much data (sizeof(entropy) > MAX(_SEED)_INPUT).
Gilles Peskined9199932018-09-11 16:41:54 +0200[diff] [blame]317 * Make sure it's detected as an error and doesn't cause memory
318 * corruption. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]319 TEST_ASSERT(mbedtls_ctr_drbg_update(
320 &ctx, entropy, sizeof(entropy)) != 0);
Manuel Pégourié-Gonnardf5f25b32014-11-27 14:04:56 +0100[diff] [blame]321
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]322 /* Now enable PR, so the next few calls should all reseed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]323 mbedtls_ctr_drbg_set_prediction_resistance(&ctx, MBEDTLS_CTR_DRBG_PR_ON);
324 TEST_ASSERT(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)) == 0);
Gilles Peskine58b56ce2019-10-22 19:10:01 +0200[diff] [blame]325 expected_idx += MBEDTLS_CTR_DRBG_ENTROPY_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]326 TEST_EQUAL(test_offset_idx, expected_idx);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]327
328 /* Finally, check setting entropy_len */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]329 mbedtls_ctr_drbg_set_entropy_len(&ctx, 42);
330 TEST_ASSERT(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)) == 0);
Gilles Peskine58b56ce2019-10-22 19:10:01 +0200[diff] [blame]331 expected_idx += 42;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]332 TEST_EQUAL(test_offset_idx, expected_idx);
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]333
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]334 mbedtls_ctr_drbg_set_entropy_len(&ctx, 13);
335 TEST_ASSERT(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)) == 0);
Gilles Peskine58b56ce2019-10-22 19:10:01 +0200[diff] [blame]336 expected_idx += 13;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]337 TEST_EQUAL(test_offset_idx, expected_idx);
Paul Bakkera317a982014-06-18 16:44:11 +0200[diff] [blame]338
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]339exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]340 mbedtls_ctr_drbg_free(&ctx);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]341 AES_PSA_DONE();
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]342}
343/* END_CASE */
344
Janos Follatha16ee6b2023-10-04 19:05:26 +0100[diff] [blame]345/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD */
Paul Elliottbda25dd2023-11-21 17:07:40 +0000[diff] [blame]346void ctr_drbg_threads(data_t *expected_result, int reseed)
Janos Follatha16ee6b2023-10-04 19:05:26 +0100[diff] [blame]347{
348#define THREAD_CNT 5
349 pthread_t threads[THREAD_CNT];
350
351 unsigned char out[16];
Paul Elliottbda25dd2023-11-21 17:07:40 +0000[diff] [blame]352 unsigned char *entropy = NULL;
353
354 const size_t n_random_calls = THREAD_CNT * thread_random_reps + 1;
355
Janos Follatha16ee6b2023-10-04 19:05:26 +0100[diff] [blame]356 memset(out, 0, sizeof(out));
357
Janos Follatha16ee6b2023-10-04 19:05:26 +0100[diff] [blame]358 mbedtls_ctr_drbg_context ctx;
359 mbedtls_ctr_drbg_init(&ctx);
360
Paul Elliottbda25dd2023-11-21 17:07:40 +0000[diff] [blame]361 test_offset_idx = 0;
Janos Follatha16ee6b2023-10-04 19:05:26 +0100[diff] [blame]362
Paul Elliottbda25dd2023-11-21 17:07:40 +0000[diff] [blame]363 if (reseed == 0) {
364 mbedtls_ctr_drbg_set_prediction_resistance(&ctx, MBEDTLS_CTR_DRBG_PR_OFF);
365 mbedtls_ctr_drbg_set_reseed_interval(&ctx, n_random_calls + 1);
366
Paul Elliottfed410f2023-11-30 20:40:55 +0000[diff] [blame^]367 TEST_CALLOC(entropy, MBEDTLS_CTR_DRBG_ENTROPY_LEN + MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN);
368 test_max_idx = MBEDTLS_CTR_DRBG_ENTROPY_LEN + MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN;
Paul Elliottbda25dd2023-11-21 17:07:40 +0000[diff] [blame]369 } else {
Paul Elliottfed410f2023-11-30 20:40:55 +0000[diff] [blame^]370 const size_t entropy_size = ((n_random_calls + 1) * MBEDTLS_CTR_DRBG_ENTROPY_LEN)
371 + MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN;
Paul Elliottbda25dd2023-11-21 17:07:40 +0000[diff] [blame]372
373 mbedtls_ctr_drbg_set_prediction_resistance(&ctx, MBEDTLS_CTR_DRBG_PR_ON);
374
375 TEST_CALLOC(entropy, entropy_size);
376 test_max_idx = entropy_size;
377 }
Janos Follatha16ee6b2023-10-04 19:05:26 +0100[diff] [blame]378
379 TEST_EQUAL(
380 mbedtls_ctr_drbg_seed(&ctx, mbedtls_test_entropy_func, entropy, NULL, 0),
381 0);
382
383 for (size_t i = 0; i < THREAD_CNT; i++) {
384 TEST_EQUAL(
385 pthread_create(&threads[i], NULL,
Paul Elliott6a997c92023-11-30 14:47:17 +0000[diff] [blame]386 thread_random_function, (void *) &ctx),
Janos Follatha16ee6b2023-10-04 19:05:26 +0100[diff] [blame]387 0);
388 }
389
390 for (size_t i = 0; i < THREAD_CNT; i++) {
391 TEST_EQUAL(pthread_join(threads[i], NULL), 0);
392 }
393
394 /* Take a last output for comparing and thus verifying the DRBG state */
395 TEST_EQUAL(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)), 0);
396
397 TEST_MEMORY_COMPARE(out, sizeof(out), expected_result->x, expected_result->len);
398
399exit:
400 mbedtls_ctr_drbg_free(&ctx);
Paul Elliottbda25dd2023-11-21 17:07:40 +0000[diff] [blame]401 mbedtls_free(entropy);
Janos Follatha16ee6b2023-10-04 19:05:26 +0100[diff] [blame]402}
403#undef THREAD_CNT
404/* END_CASE */
405
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]406/* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]407void ctr_drbg_seed_file(char *path, int ret)
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]408{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]409 mbedtls_ctr_drbg_context ctx;
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]410
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]411 mbedtls_ctr_drbg_init(&ctx);
Manuel Pégourié-Gonnard8d128ef2015-04-28 22:38:08 +0200[diff] [blame]412
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]413 AES_PSA_INIT();
414
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]415 TEST_ASSERT(mbedtls_ctr_drbg_seed(&ctx, mbedtls_test_rnd_std_rand,
416 NULL, NULL, 0) == 0);
417 TEST_ASSERT(mbedtls_ctr_drbg_write_seed_file(&ctx, path) == ret);
418 TEST_ASSERT(mbedtls_ctr_drbg_update_seed_file(&ctx, path) == ret);
Paul Bakkera317a982014-06-18 16:44:11 +0200[diff] [blame]419
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]420exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]421 mbedtls_ctr_drbg_free(&ctx);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]422 AES_PSA_DONE();
Manuel Pégourié-Gonnard7575daa2014-01-31 12:16:54 +0100[diff] [blame]423}
424/* END_CASE */
425
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]426/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]427void ctr_drbg_selftest()
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]428{
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]429 AES_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]430 TEST_ASSERT(mbedtls_ctr_drbg_self_test(1) == 0);
Valerio Settidc32ac22023-11-13 10:27:56 +0100[diff] [blame]431 AES_PSA_DONE();
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]432}
433/* END_CASE */