Blame - library/ctr_drbg.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: d3888483a36b4266249bf2934aafc218e1ae85b4 [file] [log] [blame]

Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	1	/*
				2	* CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
				3	*
Manuel Pégourié-Gonnard	6fb8187	2015-07-27 11:11:48 +0200	[diff] [blame]	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard	37ff140	2015-09-04 14:21:07 +0200	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0
				6	*
				7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				8	* not use this file except in compliance with the License.
				9	* You may obtain a copy of the License at
				10	*
				11	* http://www.apache.org/licenses/LICENSE-2.0
				12	*
				13	* Unless required by applicable law or agreed to in writing, software
				14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				16	* See the License for the specific language governing permissions and
				17	* limitations under the License.
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	18	*
Manuel Pégourié-Gonnard	fe44643	2015-03-06 13:17:10 +0000	[diff] [blame]	19	* This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	20	*/
				21	/*
				22	* The NIST SP 800-90 DRBGs are described in the following publucation.
				23	*
				24	* http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
				25	*/
				26
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	27	#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	28	#include "mbedtls/config.h"
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	29	#else
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	30	#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	31	#endif
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	32
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	33	#if defined(MBEDTLS_CTR_DRBG_C)
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	34
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	35	#include "mbedtls/ctr_drbg.h"
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	36
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	37	#include <string.h>
				38
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	39	#if defined(MBEDTLS_FS_IO)
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	40	#include <stdio.h>
				41	#endif
				42
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	43	#if defined(MBEDTLS_SELF_TEST)
				44	#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	45	#include "mbedtls/platform.h"
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	46	#else
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	47	#include <stdio.h>
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	48	#define mbedtls_printf printf
				49	#endif /* MBEDTLS_PLATFORM_C */
				50	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	51
Paul Bakker	fff0366	2014-06-18 16:21:25 +0200	[diff] [blame]	52	/* Implementation that should never be optimized out by the compiler */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	53	static void mbedtls_zeroize( void *v, size_t n ) {
Paul Bakker	fff0366	2014-06-18 16:21:25 +0200	[diff] [blame]	54	volatile unsigned char p = v; while( n-- ) p++ = 0;
				55	}
				56
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	57	/*
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	58	* CTR_DRBG context initialization
				59	*/
				60	void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
				61	{
				62	memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) );
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	63
				64	#if defined(MBEDTLS_THREADING_C)
				65	mbedtls_mutex_init( &ctx->mutex );
				66	#endif
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	67	}
				68
				69	/*
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	70	* Non-public function wrapped by ctr_crbg_init(). Necessary to allow NIST
				71	* tests to succeed (which require known length fixed entropy)
				72	*/
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	73	int mbedtls_ctr_drbg_seed_entropy_len(
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	74	mbedtls_ctr_drbg_context *ctx,
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	75	int (f_entropy)(void , unsigned char *, size_t),
				76	void *p_entropy,
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	77	const unsigned char *custom,
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	78	size_t len,
				79	size_t entropy_len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	80	{
				81	int ret;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	82	unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	83
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	84	memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	85
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	86	mbedtls_aes_init( &ctx->aes_ctx );
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	87
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	88	ctx->f_entropy = f_entropy;
				89	ctx->p_entropy = p_entropy;
				90
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	91	ctx->entropy_len = entropy_len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	92	ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	93
				94	/*
				95	* Initialize with an empty key
				96	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	97	mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	98
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	99	if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	100	return( ret );
				101
				102	return( 0 );
				103	}
				104
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	105	int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	106	int (f_entropy)(void , unsigned char *, size_t),
				107	void *p_entropy,
				108	const unsigned char *custom,
				109	size_t len )
				110	{
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	111	return( mbedtls_ctr_drbg_seed_entropy_len( ctx, f_entropy, p_entropy, custom, len,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	112	MBEDTLS_CTR_DRBG_ENTROPY_LEN ) );
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	113	}
				114
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	115	void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
Paul Bakker	fff0366	2014-06-18 16:21:25 +0200	[diff] [blame]	116	{
				117	if( ctx == NULL )
				118	return;
				119
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	120	#if defined(MBEDTLS_THREADING_C)
				121	mbedtls_mutex_free( &ctx->mutex );
				122	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	123	mbedtls_aes_free( &ctx->aes_ctx );
				124	mbedtls_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
Paul Bakker	fff0366	2014-06-18 16:21:25 +0200	[diff] [blame]	125	}
				126
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	127	void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx, int resistance )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	128	{
				129	ctx->prediction_resistance = resistance;
				130	}
				131
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	132	void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx, size_t len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	133	{
				134	ctx->entropy_len = len;
				135	}
Paul Bakker	b6c5d2e	2013-06-25 16:25:17 +0200	[diff] [blame]	136
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	137	void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx, int interval )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	138	{
				139	ctx->reseed_interval = interval;
				140	}
Paul Bakker	b6c5d2e	2013-06-25 16:25:17 +0200	[diff] [blame]	141
				142	static int block_cipher_df( unsigned char *output,
				143	const unsigned char *data, size_t data_len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	144	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	145	unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
				146	unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
				147	unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
				148	unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
Manuel Pégourié-Gonnard	7c59363	2014-01-20 10:27:13 +0100	[diff] [blame]	149	unsigned char p, iv;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	150	mbedtls_aes_context aes_ctx;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	151
Paul Bakker	b9cfaa0	2013-10-11 18:58:55 +0200	[diff] [blame]	152	int i, j;
				153	size_t buf_len, use_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	154
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	155	if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
				156	return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
Manuel Pégourié-Gonnard	5cb4b31	2014-11-25 17:41:50 +0100	[diff] [blame]	157
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	158	memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 );
				159	mbedtls_aes_init( &aes_ctx );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	160
				161	/*
				162	* Construct IV (16 bytes) and S in buffer
				163	* IV = Counter (in 32-bits) padded to 16 with zeroes
				164	* S = Length input string (in 32-bits) \|\| Length of output (in 32-bits) \|\|
				165	* data \|\| 0x80
				166	* (Total is padded to a multiple of 16-bytes with zeroes)
				167	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	168	p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
Paul Bakker	2bc7cf1	2011-11-29 10:50:51 +0000	[diff] [blame]	169	*p++ = ( data_len >> 24 ) & 0xff;
				170	*p++ = ( data_len >> 16 ) & 0xff;
				171	*p++ = ( data_len >> 8 ) & 0xff;
				172	*p++ = ( data_len ) & 0xff;
				173	p += 3;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	174	*p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
Paul Bakker	2bc7cf1	2011-11-29 10:50:51 +0000	[diff] [blame]	175	memcpy( p, data, data_len );
				176	p[data_len] = 0x80;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	177
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	178	buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	179
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	180	for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	181	key[i] = i;
				182
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	183	mbedtls_aes_setkey_enc( &aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	184
				185	/*
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	186	* Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	187	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	188	for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	189	{
				190	p = buf;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	191	memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	192	use_len = buf_len;
				193
				194	while( use_len > 0 )
				195	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	196	for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	197	chain[i] ^= p[i];
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	198	p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
				199	use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ?
				200	MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	201
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	202	mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	203	}
Paul Bakker	b9cfaa0	2013-10-11 18:58:55 +0200	[diff] [blame]	204
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	205	memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	206
				207	/*
				208	* Update IV
				209	*/
				210	buf[3]++;
				211	}
				212
				213	/*
				214	* Do final encryption with reduced data
				215	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	216	mbedtls_aes_setkey_enc( &aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
				217	iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	218	p = output;
				219
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	220	for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	221	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	222	mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
				223	memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE );
				224	p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	225	}
				226
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	227	mbedtls_aes_free( &aes_ctx );
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	228
Gilles Peskine	43c1964	2018-11-27 16:37:23 +0100	[diff] [blame]	229	mbedtls_zeroize( buf, sizeof( buf ) );
				230	mbedtls_zeroize( tmp, sizeof( tmp ) );
				231	mbedtls_zeroize( key, sizeof( key ) );
				232	mbedtls_zeroize( chain, sizeof( chain ) );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	233	return( 0 );
				234	}
				235
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	236	static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
				237	const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	238	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	239	unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	240	unsigned char *p = tmp;
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	241	int i, j;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	242
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	243	memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	244
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	245	for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	246	{
				247	/*
				248	* Increase counter
				249	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	250	for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	251	if( ++ctx->counter[i - 1] != 0 )
				252	break;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	253
				254	/*
				255	* Crypt counter block
				256	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	257	mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	258
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	259	p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	260	}
				261
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	262	for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	263	tmp[i] ^= data[i];
				264
				265	/*
				266	* Update key and counter
				267	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	268	mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
				269	memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	270
Gilles Peskine	17b2ac2	2018-09-11 15:34:17 +0200	[diff] [blame]	271	mbedtls_zeroize( tmp, sizeof( tmp ) );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	272	return( 0 );
				273	}
				274
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	275	void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	276	const unsigned char *additional, size_t add_len )
				277	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	278	unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	279
				280	if( add_len > 0 )
				281	{
Manuel Pégourié-Gonnard	5cb4b31	2014-11-25 17:41:50 +0100	[diff] [blame]	282	/* MAX_INPUT would be more logical here, but we have to match
				283	* block_cipher_df()'s limits since we can't propagate errors */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	284	if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
				285	add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
Manuel Pégourié-Gonnard	5cb4b31	2014-11-25 17:41:50 +0100	[diff] [blame]	286
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	287	block_cipher_df( add_input, additional, add_len );
				288	ctr_drbg_update_internal( ctx, add_input );
Gilles Peskine	17b2ac2	2018-09-11 15:34:17 +0200	[diff] [blame]	289	mbedtls_zeroize( add_input, sizeof( add_input ) );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	290	}
				291	}
				292
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	293	int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	294	const unsigned char *additional, size_t len )
				295	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	296	unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	297	size_t seedlen = 0;
				298
Andres Amaya Garcia	ef1329e	2017-01-17 23:24:02 +0000	[diff] [blame]	299	if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT \|\|
				300	len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	301	return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	302
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	303	memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	304
				305	/*
Paul Bakker	18f0341	2013-09-11 10:53:05 +0200	[diff] [blame]	306	* Gather entropy_len bytes of entropy to seed state
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	307	*/
				308	if( 0 != ctx->f_entropy( ctx->p_entropy, seed,
				309	ctx->entropy_len ) )
				310	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	311	return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	312	}
				313
				314	seedlen += ctx->entropy_len;
				315
				316	/*
				317	* Add additional data
				318	*/
				319	if( additional && len )
				320	{
				321	memcpy( seed + seedlen, additional, len );
				322	seedlen += len;
				323	}
				324
				325	/*
				326	* Reduce to 384 bits
				327	*/
				328	block_cipher_df( seed, seed, seedlen );
				329
				330	/*
				331	* Update state
				332	*/
				333	ctr_drbg_update_internal( ctx, seed );
				334	ctx->reseed_counter = 1;
				335
Gilles Peskine	17b2ac2	2018-09-11 15:34:17 +0200	[diff] [blame]	336	mbedtls_zeroize( seed, sizeof( seed ) );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	337	return( 0 );
				338	}
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	339
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	340	int mbedtls_ctr_drbg_random_with_add( void *p_rng,
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	341	unsigned char *output, size_t output_len,
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	342	const unsigned char *additional, size_t add_len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	343	{
				344	int ret = 0;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	345	mbedtls_ctr_drbg_context ctx = (mbedtls_ctr_drbg_context ) p_rng;
				346	unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	347	unsigned char *p = output;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	348	unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	349	int i;
Paul Bakker	23fd5ea	2011-11-29 15:56:12 +0000	[diff] [blame]	350	size_t use_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	351
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	352	if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST )
				353	return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	354
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	355	if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT )
				356	return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	357
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	358	memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	359
				360	if( ctx->reseed_counter > ctx->reseed_interval \|\|
				361	ctx->prediction_resistance )
				362	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	363	if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	364	return( ret );
				365
				366	add_len = 0;
				367	}
				368
				369	if( add_len > 0 )
				370	{
				371	block_cipher_df( add_input, additional, add_len );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	372	ctr_drbg_update_internal( ctx, add_input );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	373	}
				374
				375	while( output_len > 0 )
				376	{
				377	/*
				378	* Increase counter
				379	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	380	for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	381	if( ++ctx->counter[i - 1] != 0 )
				382	break;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	383
				384	/*
				385	* Crypt counter block
				386	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	387	mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	388
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	389	use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? MBEDTLS_CTR_DRBG_BLOCKSIZE :
Paul Bakker	b9e4e2c	2014-05-01 14:18:25 +0200	[diff] [blame]	390	output_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	391	/*
				392	* Copy random block to destination
				393	*/
Paul Bakker	23fd5ea	2011-11-29 15:56:12 +0000	[diff] [blame]	394	memcpy( p, tmp, use_len );
				395	p += use_len;
				396	output_len -= use_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	397	}
				398
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	399	ctr_drbg_update_internal( ctx, add_input );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	400
				401	ctx->reseed_counter++;
				402
Gilles Peskine	17b2ac2	2018-09-11 15:34:17 +0200	[diff] [blame]	403	mbedtls_zeroize( add_input, sizeof( add_input ) );
				404	mbedtls_zeroize( tmp, sizeof( tmp ) );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	405	return( 0 );
				406	}
				407
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	408	int mbedtls_ctr_drbg_random( void p_rng, unsigned char output, size_t output_len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	409	{
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	410	int ret;
				411	mbedtls_ctr_drbg_context ctx = (mbedtls_ctr_drbg_context ) p_rng;
				412
				413	#if defined(MBEDTLS_THREADING_C)
				414	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
				415	return( ret );
				416	#endif
				417
				418	ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 );
				419
				420	#if defined(MBEDTLS_THREADING_C)
				421	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
				422	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
				423	#endif
				424
				425	return( ret );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	426	}
				427
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	428	#if defined(MBEDTLS_FS_IO)
				429	int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context ctx, const char path )
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	430	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	431	int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	432	FILE *f;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	433	unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	434
				435	if( ( f = fopen( path, "wb" ) ) == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	436	return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	437
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	438	if( ( ret = mbedtls_ctr_drbg_random( ctx, buf, MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	439	goto exit;
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	440
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	441	if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) != MBEDTLS_CTR_DRBG_MAX_INPUT )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	442	ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
Andres Amaya Garcia	e0a727e	2017-06-26 10:56:58 +0100	[diff] [blame]	443	else
				444	ret = 0;
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	445
Andres Amaya Garcia	c17cc44	2017-06-27 16:57:26 +0100	[diff] [blame]	446	exit:
Andres Amaya Garcia	e0a727e	2017-06-26 10:56:58 +0100	[diff] [blame]	447	mbedtls_zeroize( buf, sizeof( buf ) );
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	448
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	449	fclose( f );
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	450	return( ret );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	451	}
				452
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	453	int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context ctx, const char path )
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	454	{
Andres Amaya Garcia	e0a727e	2017-06-26 10:56:58 +0100	[diff] [blame]	455	int ret = 0;
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	456	FILE *f;
				457	size_t n;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	458	unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	459
				460	if( ( f = fopen( path, "rb" ) ) == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	461	return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	462
				463	fseek( f, 0, SEEK_END );
				464	n = (size_t) ftell( f );
				465	fseek( f, 0, SEEK_SET );
				466
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	467	if( n > MBEDTLS_CTR_DRBG_MAX_INPUT )
Andres Amaya Garcia	c17cc44	2017-06-27 16:57:26 +0100	[diff] [blame]	468	{
				469	fclose( f );
				470	return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
				471	}
				472
				473	if( fread( buf, 1, n, f ) != n )
Andres Amaya Garcia	e0a727e	2017-06-26 10:56:58 +0100	[diff] [blame]	474	ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
				475	else
				476	mbedtls_ctr_drbg_update( ctx, buf, n );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	477
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	478	fclose( f );
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	479
Andres Amaya Garcia	e0a727e	2017-06-26 10:56:58 +0100	[diff] [blame]	480	mbedtls_zeroize( buf, sizeof( buf ) );
				481
				482	if( ret != 0 )
				483	return( ret );
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	484
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	485	return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	486	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	487	#endif /* MBEDTLS_FS_IO */
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	488
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	489	#if defined(MBEDTLS_SELF_TEST)
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	490
Manuel Pégourié-Gonnard	28122e4	2015-03-11 09:13:42 +0000	[diff] [blame]	491	static const unsigned char entropy_source_pr[96] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	492	{ 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16,
				493	0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02,
				494	0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b,
				495	0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb,
				496	0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9,
				497	0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95,
				498	0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63,
				499	0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3,
				500	0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31,
				501	0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4,
				502	0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56,
				503	0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 };
				504
Manuel Pégourié-Gonnard	28122e4	2015-03-11 09:13:42 +0000	[diff] [blame]	505	static const unsigned char entropy_source_nopr[64] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	506	{ 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14,
				507	0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe,
				508	0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d,
				509	0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20,
				510	0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9,
				511	0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46,
				512	0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e,
				513	0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e };
				514
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	515	static const unsigned char nonce_pers_pr[16] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	516	{ 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2,
				517	0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c };
				518
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	519	static const unsigned char nonce_pers_nopr[16] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	520	{ 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5,
				521	0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f };
				522
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	523	static const unsigned char result_pr[16] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	524	{ 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f,
				525	0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 };
				526
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	527	static const unsigned char result_nopr[16] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	528	{ 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88,
				529	0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f };
				530
Manuel Pégourié-Gonnard	9592485	2014-03-21 10:54:55 +0100	[diff] [blame]	531	static size_t test_offset;
Paul Bakker	b6c5d2e	2013-06-25 16:25:17 +0200	[diff] [blame]	532	static int ctr_drbg_self_test_entropy( void data, unsigned char buf,
				533	size_t len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	534	{
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	535	const unsigned char *p = data;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	536	memcpy( buf, p + test_offset, len );
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	537	test_offset += len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	538	return( 0 );
				539	}
				540
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	541	#define CHK( c ) if( (c) != 0 ) \
				542	{ \
				543	if( verbose != 0 ) \
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	544	mbedtls_printf( "failed\n" ); \
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	545	return( 1 ); \
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	546	}
				547
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	548	/*
				549	* Checkup routine
				550	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	551	int mbedtls_ctr_drbg_self_test( int verbose )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	552	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	553	mbedtls_ctr_drbg_context ctx;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	554	unsigned char buf[16];
				555
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	556	mbedtls_ctr_drbg_init( &ctx );
				557
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	558	/*
				559	* Based on a NIST CTR_DRBG test vector (PR = True)
				560	*/
				561	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	562	mbedtls_printf( " CTR_DRBG (PR = TRUE) : " );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	563
				564	test_offset = 0;
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	565	CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
Manuel Pégourié-Gonnard	28122e4	2015-03-11 09:13:42 +0000	[diff] [blame]	566	(void *) entropy_source_pr, nonce_pers_pr, 16, 32 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	567	mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
				568	CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
				569	CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
				570	CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	571
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	572	mbedtls_ctr_drbg_free( &ctx );
				573
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	574	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	575	mbedtls_printf( "passed\n" );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	576
				577	/*
				578	* Based on a NIST CTR_DRBG test vector (PR = FALSE)
				579	*/
				580	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	581	mbedtls_printf( " CTR_DRBG (PR = FALSE): " );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	582
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	583	mbedtls_ctr_drbg_init( &ctx );
				584
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	585	test_offset = 0;
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	586	CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
Manuel Pégourié-Gonnard	28122e4	2015-03-11 09:13:42 +0000	[diff] [blame]	587	(void *) entropy_source_nopr, nonce_pers_nopr, 16, 32 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	588	CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
				589	CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
				590	CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	591	CHK( memcmp( buf, result_nopr, 16 ) );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	592
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	593	mbedtls_ctr_drbg_free( &ctx );
				594
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	595	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	596	mbedtls_printf( "passed\n" );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	597
				598	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	599	mbedtls_printf( "\n" );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	600
				601	return( 0 );
				602	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	603	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	604
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	605	#endif /* MBEDTLS_CTR_DRBG_C */