Blame - library/ctr_drbg.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: 00b50d26bca9f6bd77386c65ddc15fdac3d28f92 [file] [log] [blame]

Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	1	/*
				2	* CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
				3	*
Manuel Pégourié-Gonnard	a658a40	2015-01-23 09:45:19 +0000	[diff] [blame]	4	* Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	5	*
Manuel Pégourié-Gonnard	fe44643	2015-03-06 13:17:10 +0000	[diff] [blame]	6	* This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	7	*
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	8	* This program is free software; you can redistribute it and/or modify
				9	* it under the terms of the GNU General Public License as published by
				10	* the Free Software Foundation; either version 2 of the License, or
				11	* (at your option) any later version.
				12	*
				13	* This program is distributed in the hope that it will be useful,
				14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
				15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
				16	* GNU General Public License for more details.
				17	*
				18	* You should have received a copy of the GNU General Public License along
				19	* with this program; if not, write to the Free Software Foundation, Inc.,
				20	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
				21	*/
				22	/*
				23	* The NIST SP 800-90 DRBGs are described in the following publucation.
				24	*
				25	* http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
				26	*/
				27
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	28	#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	29	#include "mbedtls/config.h"
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	30	#else
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	31	#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	32	#endif
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	33
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	34	#if defined(MBEDTLS_CTR_DRBG_C)
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	35
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	36	#include "mbedtls/ctr_drbg.h"
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	37
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	38	#include <string.h>
				39
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	40	#if defined(MBEDTLS_FS_IO)
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	41	#include <stdio.h>
				42	#endif
				43
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	44	#if defined(MBEDTLS_SELF_TEST)
				45	#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	46	#include "mbedtls/platform.h"
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	47	#else
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	48	#include <stdio.h>
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	49	#define mbedtls_printf printf
				50	#endif /* MBEDTLS_PLATFORM_C */
				51	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	52
Paul Bakker	fff0366	2014-06-18 16:21:25 +0200	[diff] [blame]	53	/* Implementation that should never be optimized out by the compiler */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	54	static void mbedtls_zeroize( void *v, size_t n ) {
Paul Bakker	fff0366	2014-06-18 16:21:25 +0200	[diff] [blame]	55	volatile unsigned char p = v; while( n-- ) p++ = 0;
				56	}
				57
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	58	/*
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	59	* CTR_DRBG context initialization
				60	*/
				61	void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
				62	{
				63	memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) );
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	64
				65	#if defined(MBEDTLS_THREADING_C)
				66	mbedtls_mutex_init( &ctx->mutex );
				67	#endif
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	68	}
				69
				70	/*
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	71	* Non-public function wrapped by ctr_crbg_init(). Necessary to allow NIST
				72	* tests to succeed (which require known length fixed entropy)
				73	*/
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	74	int mbedtls_ctr_drbg_seed_entropy_len(
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	75	mbedtls_ctr_drbg_context *ctx,
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	76	int (f_entropy)(void , unsigned char *, size_t),
				77	void *p_entropy,
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	78	const unsigned char *custom,
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	79	size_t len,
				80	size_t entropy_len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	81	{
				82	int ret;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	83	unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	84
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	85	memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	86
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	87	mbedtls_aes_init( &ctx->aes_ctx );
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	88
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	89	ctx->f_entropy = f_entropy;
				90	ctx->p_entropy = p_entropy;
				91
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	92	ctx->entropy_len = entropy_len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	93	ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	94
				95	/*
				96	* Initialize with an empty key
				97	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	98	mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	99
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	100	if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	101	return( ret );
				102
				103	return( 0 );
				104	}
				105
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	106	int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	107	int (f_entropy)(void , unsigned char *, size_t),
				108	void *p_entropy,
				109	const unsigned char *custom,
				110	size_t len )
				111	{
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	112	return( mbedtls_ctr_drbg_seed_entropy_len( ctx, f_entropy, p_entropy, custom, len,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	113	MBEDTLS_CTR_DRBG_ENTROPY_LEN ) );
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	114	}
				115
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	116	void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
Paul Bakker	fff0366	2014-06-18 16:21:25 +0200	[diff] [blame]	117	{
				118	if( ctx == NULL )
				119	return;
				120
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	121	#if defined(MBEDTLS_THREADING_C)
				122	mbedtls_mutex_free( &ctx->mutex );
				123	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	124	mbedtls_aes_free( &ctx->aes_ctx );
				125	mbedtls_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
Paul Bakker	fff0366	2014-06-18 16:21:25 +0200	[diff] [blame]	126	}
				127
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	128	void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx, int resistance )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	129	{
				130	ctx->prediction_resistance = resistance;
				131	}
				132
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	133	void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx, size_t len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	134	{
				135	ctx->entropy_len = len;
				136	}
Paul Bakker	b6c5d2e	2013-06-25 16:25:17 +0200	[diff] [blame]	137
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	138	void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx, int interval )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	139	{
				140	ctx->reseed_interval = interval;
				141	}
Paul Bakker	b6c5d2e	2013-06-25 16:25:17 +0200	[diff] [blame]	142
				143	static int block_cipher_df( unsigned char *output,
				144	const unsigned char *data, size_t data_len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	145	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	146	unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
				147	unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
				148	unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
				149	unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
Manuel Pégourié-Gonnard	7c59363	2014-01-20 10:27:13 +0100	[diff] [blame]	150	unsigned char p, iv;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	151	mbedtls_aes_context aes_ctx;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	152
Paul Bakker	b9cfaa0	2013-10-11 18:58:55 +0200	[diff] [blame]	153	int i, j;
				154	size_t buf_len, use_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	155
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	156	if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
				157	return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
Manuel Pégourié-Gonnard	5cb4b31	2014-11-25 17:41:50 +0100	[diff] [blame]	158
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	159	memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 );
				160	mbedtls_aes_init( &aes_ctx );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	161
				162	/*
				163	* Construct IV (16 bytes) and S in buffer
				164	* IV = Counter (in 32-bits) padded to 16 with zeroes
				165	* S = Length input string (in 32-bits) \|\| Length of output (in 32-bits) \|\|
				166	* data \|\| 0x80
				167	* (Total is padded to a multiple of 16-bytes with zeroes)
				168	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	169	p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
Paul Bakker	2bc7cf1	2011-11-29 10:50:51 +0000	[diff] [blame]	170	*p++ = ( data_len >> 24 ) & 0xff;
				171	*p++ = ( data_len >> 16 ) & 0xff;
				172	*p++ = ( data_len >> 8 ) & 0xff;
				173	*p++ = ( data_len ) & 0xff;
				174	p += 3;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	175	*p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
Paul Bakker	2bc7cf1	2011-11-29 10:50:51 +0000	[diff] [blame]	176	memcpy( p, data, data_len );
				177	p[data_len] = 0x80;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	178
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	179	buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	180
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	181	for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	182	key[i] = i;
				183
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	184	mbedtls_aes_setkey_enc( &aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	185
				186	/*
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	187	* Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	188	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	189	for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	190	{
				191	p = buf;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	192	memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	193	use_len = buf_len;
				194
				195	while( use_len > 0 )
				196	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	197	for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	198	chain[i] ^= p[i];
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	199	p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
				200	use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ?
				201	MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	202
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	203	mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	204	}
Paul Bakker	b9cfaa0	2013-10-11 18:58:55 +0200	[diff] [blame]	205
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	206	memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	207
				208	/*
				209	* Update IV
				210	*/
				211	buf[3]++;
				212	}
				213
				214	/*
				215	* Do final encryption with reduced data
				216	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	217	mbedtls_aes_setkey_enc( &aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
				218	iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	219	p = output;
				220
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	221	for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	222	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	223	mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
				224	memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE );
				225	p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	226	}
				227
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	228	mbedtls_aes_free( &aes_ctx );
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	229
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	230	return( 0 );
				231	}
				232
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	233	static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
				234	const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	235	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	236	unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	237	unsigned char *p = tmp;
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	238	int i, j;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	239
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	240	memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	241
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	242	for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	243	{
				244	/*
				245	* Increase counter
				246	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	247	for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	248	if( ++ctx->counter[i - 1] != 0 )
				249	break;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	250
				251	/*
				252	* Crypt counter block
				253	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	254	mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	255
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	256	p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	257	}
				258
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	259	for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	260	tmp[i] ^= data[i];
				261
				262	/*
				263	* Update key and counter
				264	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	265	mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
				266	memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	267
				268	return( 0 );
				269	}
				270
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	271	void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	272	const unsigned char *additional, size_t add_len )
				273	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	274	unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	275
				276	if( add_len > 0 )
				277	{
Manuel Pégourié-Gonnard	5cb4b31	2014-11-25 17:41:50 +0100	[diff] [blame]	278	/* MAX_INPUT would be more logical here, but we have to match
				279	* block_cipher_df()'s limits since we can't propagate errors */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	280	if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
				281	add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
Manuel Pégourié-Gonnard	5cb4b31	2014-11-25 17:41:50 +0100	[diff] [blame]	282
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	283	block_cipher_df( add_input, additional, add_len );
				284	ctr_drbg_update_internal( ctx, add_input );
				285	}
				286	}
				287
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	288	int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	289	const unsigned char *additional, size_t len )
				290	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	291	unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	292	size_t seedlen = 0;
				293
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	294	if( ctx->entropy_len + len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
				295	return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	296
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	297	memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	298
				299	/*
Paul Bakker	18f0341	2013-09-11 10:53:05 +0200	[diff] [blame]	300	* Gather entropy_len bytes of entropy to seed state
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	301	*/
				302	if( 0 != ctx->f_entropy( ctx->p_entropy, seed,
				303	ctx->entropy_len ) )
				304	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	305	return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	306	}
				307
				308	seedlen += ctx->entropy_len;
				309
				310	/*
				311	* Add additional data
				312	*/
				313	if( additional && len )
				314	{
				315	memcpy( seed + seedlen, additional, len );
				316	seedlen += len;
				317	}
				318
				319	/*
				320	* Reduce to 384 bits
				321	*/
				322	block_cipher_df( seed, seed, seedlen );
				323
				324	/*
				325	* Update state
				326	*/
				327	ctr_drbg_update_internal( ctx, seed );
				328	ctx->reseed_counter = 1;
				329
				330	return( 0 );
				331	}
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	332
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	333	int mbedtls_ctr_drbg_random_with_add( void *p_rng,
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	334	unsigned char *output, size_t output_len,
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	335	const unsigned char *additional, size_t add_len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	336	{
				337	int ret = 0;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	338	mbedtls_ctr_drbg_context ctx = (mbedtls_ctr_drbg_context ) p_rng;
				339	unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	340	unsigned char *p = output;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	341	unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	342	int i;
Paul Bakker	23fd5ea	2011-11-29 15:56:12 +0000	[diff] [blame]	343	size_t use_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	344
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	345	if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST )
				346	return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	347
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	348	if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT )
				349	return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	350
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	351	memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	352
				353	if( ctx->reseed_counter > ctx->reseed_interval \|\|
				354	ctx->prediction_resistance )
				355	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	356	if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	357	return( ret );
				358
				359	add_len = 0;
				360	}
				361
				362	if( add_len > 0 )
				363	{
				364	block_cipher_df( add_input, additional, add_len );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	365	ctr_drbg_update_internal( ctx, add_input );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	366	}
				367
				368	while( output_len > 0 )
				369	{
				370	/*
				371	* Increase counter
				372	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	373	for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	374	if( ++ctx->counter[i - 1] != 0 )
				375	break;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	376
				377	/*
				378	* Crypt counter block
				379	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	380	mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	381
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	382	use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? MBEDTLS_CTR_DRBG_BLOCKSIZE :
Paul Bakker	b9e4e2c	2014-05-01 14:18:25 +0200	[diff] [blame]	383	output_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	384	/*
				385	* Copy random block to destination
				386	*/
Paul Bakker	23fd5ea	2011-11-29 15:56:12 +0000	[diff] [blame]	387	memcpy( p, tmp, use_len );
				388	p += use_len;
				389	output_len -= use_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	390	}
				391
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	392	ctr_drbg_update_internal( ctx, add_input );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	393
				394	ctx->reseed_counter++;
				395
				396	return( 0 );
				397	}
				398
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	399	int mbedtls_ctr_drbg_random( void p_rng, unsigned char output, size_t output_len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	400	{
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	401	int ret;
				402	mbedtls_ctr_drbg_context ctx = (mbedtls_ctr_drbg_context ) p_rng;
				403
				404	#if defined(MBEDTLS_THREADING_C)
				405	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
				406	return( ret );
				407	#endif
				408
				409	ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 );
				410
				411	#if defined(MBEDTLS_THREADING_C)
				412	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
				413	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
				414	#endif
				415
				416	return( ret );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	417	}
				418
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	419	#if defined(MBEDTLS_FS_IO)
				420	int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context ctx, const char path )
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	421	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	422	int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	423	FILE *f;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	424	unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	425
				426	if( ( f = fopen( path, "wb" ) ) == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	427	return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	428
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	429	if( ( ret = mbedtls_ctr_drbg_random( ctx, buf, MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	430	goto exit;
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	431
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	432	if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) != MBEDTLS_CTR_DRBG_MAX_INPUT )
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	433	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	434	ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
Paul Bakker	4c284c9	2014-03-26 15:33:05 +0100	[diff] [blame]	435	goto exit;
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	436	}
				437
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	438	ret = 0;
				439
				440	exit:
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	441	fclose( f );
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	442	return( ret );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	443	}
				444
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	445	int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context ctx, const char path )
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	446	{
				447	FILE *f;
				448	size_t n;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	449	unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	450
				451	if( ( f = fopen( path, "rb" ) ) == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	452	return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	453
				454	fseek( f, 0, SEEK_END );
				455	n = (size_t) ftell( f );
				456	fseek( f, 0, SEEK_SET );
				457
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	458	if( n > MBEDTLS_CTR_DRBG_MAX_INPUT )
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	459	{
				460	fclose( f );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	461	return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	462	}
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	463
				464	if( fread( buf, 1, n, f ) != n )
				465	{
Paul Bakker	4c284c9	2014-03-26 15:33:05 +0100	[diff] [blame]	466	fclose( f );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	467	return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	468	}
				469
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	470	fclose( f );
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	471
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	472	mbedtls_ctr_drbg_update( ctx, buf, n );
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	473
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	474	return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	475	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	476	#endif /* MBEDTLS_FS_IO */
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	477
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	478	#if defined(MBEDTLS_SELF_TEST)
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	479
Manuel Pégourié-Gonnard	28122e4	2015-03-11 09:13:42 +0000	[diff] [blame]	480	static const unsigned char entropy_source_pr[96] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	481	{ 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16,
				482	0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02,
				483	0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b,
				484	0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb,
				485	0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9,
				486	0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95,
				487	0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63,
				488	0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3,
				489	0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31,
				490	0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4,
				491	0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56,
				492	0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 };
				493
Manuel Pégourié-Gonnard	28122e4	2015-03-11 09:13:42 +0000	[diff] [blame]	494	static const unsigned char entropy_source_nopr[64] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	495	{ 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14,
				496	0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe,
				497	0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d,
				498	0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20,
				499	0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9,
				500	0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46,
				501	0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e,
				502	0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e };
				503
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	504	static const unsigned char nonce_pers_pr[16] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	505	{ 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2,
				506	0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c };
				507
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	508	static const unsigned char nonce_pers_nopr[16] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	509	{ 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5,
				510	0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f };
				511
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	512	static const unsigned char result_pr[16] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	513	{ 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f,
				514	0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 };
				515
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	516	static const unsigned char result_nopr[16] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	517	{ 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88,
				518	0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f };
				519
Manuel Pégourié-Gonnard	9592485	2014-03-21 10:54:55 +0100	[diff] [blame]	520	static size_t test_offset;
Paul Bakker	b6c5d2e	2013-06-25 16:25:17 +0200	[diff] [blame]	521	static int ctr_drbg_self_test_entropy( void data, unsigned char buf,
				522	size_t len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	523	{
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	524	const unsigned char *p = data;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	525	memcpy( buf, p + test_offset, len );
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	526	test_offset += len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	527	return( 0 );
				528	}
				529
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	530	#define CHK( c ) if( (c) != 0 ) \
				531	{ \
				532	if( verbose != 0 ) \
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	533	mbedtls_printf( "failed\n" ); \
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	534	return( 1 ); \
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	535	}
				536
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	537	/*
				538	* Checkup routine
				539	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	540	int mbedtls_ctr_drbg_self_test( int verbose )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	541	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	542	mbedtls_ctr_drbg_context ctx;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	543	unsigned char buf[16];
				544
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	545	mbedtls_ctr_drbg_init( &ctx );
				546
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	547	/*
				548	* Based on a NIST CTR_DRBG test vector (PR = True)
				549	*/
				550	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	551	mbedtls_printf( " CTR_DRBG (PR = TRUE) : " );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	552
				553	test_offset = 0;
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	554	CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
Manuel Pégourié-Gonnard	28122e4	2015-03-11 09:13:42 +0000	[diff] [blame]	555	(void *) entropy_source_pr, nonce_pers_pr, 16, 32 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	556	mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
				557	CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
				558	CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
				559	CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	560
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	561	mbedtls_ctr_drbg_free( &ctx );
				562
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	563	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	564	mbedtls_printf( "passed\n" );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	565
				566	/*
				567	* Based on a NIST CTR_DRBG test vector (PR = FALSE)
				568	*/
				569	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	570	mbedtls_printf( " CTR_DRBG (PR = FALSE): " );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	571
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	572	mbedtls_ctr_drbg_init( &ctx );
				573
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	574	test_offset = 0;
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	575	CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
Manuel Pégourié-Gonnard	28122e4	2015-03-11 09:13:42 +0000	[diff] [blame]	576	(void *) entropy_source_nopr, nonce_pers_nopr, 16, 32 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	577	CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
				578	CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
				579	CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	580	CHK( memcmp( buf, result_nopr, 16 ) );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	581
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	582	mbedtls_ctr_drbg_free( &ctx );
				583
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	584	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	585	mbedtls_printf( "passed\n" );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	586
				587	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	588	mbedtls_printf( "\n" );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	589
				590	return( 0 );
				591	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	592	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	593
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	594	#endif /* MBEDTLS_CTR_DRBG_C */