Blame - library/ctr_drbg.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: c023c699e530b0cb57f1ea102711a2072c62342a [file] [log] [blame]

Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	1	/*
				2	* CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
				3	*
Manuel Pégourié-Gonnard	6fb8187	2015-07-27 11:11:48 +0200	[diff] [blame]	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard	37ff140	2015-09-04 14:21:07 +0200	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0
				6	*
				7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				8	* not use this file except in compliance with the License.
				9	* You may obtain a copy of the License at
				10	*
				11	* http://www.apache.org/licenses/LICENSE-2.0
				12	*
				13	* Unless required by applicable law or agreed to in writing, software
				14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				16	* See the License for the specific language governing permissions and
				17	* limitations under the License.
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	18	*
Manuel Pégourié-Gonnard	fe44643	2015-03-06 13:17:10 +0000	[diff] [blame]	19	* This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	20	*/
				21	/*
				22	* The NIST SP 800-90 DRBGs are described in the following publucation.
				23	*
				24	* http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
				25	*/
				26
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	27	#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	28	#include "mbedtls/config.h"
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	29	#else
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	30	#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	31	#endif
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	32
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	33	#if defined(MBEDTLS_CTR_DRBG_C)
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	34
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	35	#include "mbedtls/ctr_drbg.h"
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	36
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	37	#include <string.h>
				38
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	39	#if defined(MBEDTLS_FS_IO)
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	40	#include <stdio.h>
				41	#endif
				42
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	43	#if defined(MBEDTLS_SELF_TEST)
				44	#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	45	#include "mbedtls/platform.h"
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	46	#else
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	47	#include <stdio.h>
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	48	#define mbedtls_printf printf
				49	#endif /* MBEDTLS_PLATFORM_C */
				50	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	51
Paul Bakker	fff0366	2014-06-18 16:21:25 +0200	[diff] [blame]	52	/* Implementation that should never be optimized out by the compiler */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	53	static void mbedtls_zeroize( void *v, size_t n ) {
Paul Bakker	fff0366	2014-06-18 16:21:25 +0200	[diff] [blame]	54	volatile unsigned char p = v; while( n-- ) p++ = 0;
				55	}
				56
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	57	/*
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	58	* CTR_DRBG context initialization
				59	*/
				60	void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
				61	{
				62	memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) );
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	63
				64	#if defined(MBEDTLS_THREADING_C)
				65	mbedtls_mutex_init( &ctx->mutex );
				66	#endif
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	67	}
				68
				69	/*
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	70	* Non-public function wrapped by ctr_crbg_init(). Necessary to allow NIST
				71	* tests to succeed (which require known length fixed entropy)
				72	*/
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	73	int mbedtls_ctr_drbg_seed_entropy_len(
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	74	mbedtls_ctr_drbg_context *ctx,
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	75	int (f_entropy)(void , unsigned char *, size_t),
				76	void *p_entropy,
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	77	const unsigned char *custom,
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	78	size_t len,
				79	size_t entropy_len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	80	{
				81	int ret;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	82	unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	83
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	84	memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	85
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	86	mbedtls_aes_init( &ctx->aes_ctx );
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	87
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	88	ctx->f_entropy = f_entropy;
				89	ctx->p_entropy = p_entropy;
				90
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	91	ctx->entropy_len = entropy_len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	92	ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	93
				94	/*
				95	* Initialize with an empty key
				96	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	97	mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	98
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	99	if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	100	return( ret );
				101
				102	return( 0 );
				103	}
				104
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	105	int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	106	int (f_entropy)(void , unsigned char *, size_t),
				107	void *p_entropy,
				108	const unsigned char *custom,
				109	size_t len )
				110	{
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	111	return( mbedtls_ctr_drbg_seed_entropy_len( ctx, f_entropy, p_entropy, custom, len,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	112	MBEDTLS_CTR_DRBG_ENTROPY_LEN ) );
Paul Bakker	18d3291	2011-12-10 21:42:49 +0000	[diff] [blame]	113	}
				114
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	115	void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
Paul Bakker	fff0366	2014-06-18 16:21:25 +0200	[diff] [blame]	116	{
				117	if( ctx == NULL )
				118	return;
				119
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	120	#if defined(MBEDTLS_THREADING_C)
				121	mbedtls_mutex_free( &ctx->mutex );
				122	#endif
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	123	mbedtls_aes_free( &ctx->aes_ctx );
				124	mbedtls_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
Paul Bakker	fff0366	2014-06-18 16:21:25 +0200	[diff] [blame]	125	}
				126
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	127	void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx, int resistance )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	128	{
				129	ctx->prediction_resistance = resistance;
				130	}
				131
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	132	void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx, size_t len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	133	{
				134	ctx->entropy_len = len;
				135	}
Paul Bakker	b6c5d2e	2013-06-25 16:25:17 +0200	[diff] [blame]	136
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	137	void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx, int interval )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	138	{
				139	ctx->reseed_interval = interval;
				140	}
Paul Bakker	b6c5d2e	2013-06-25 16:25:17 +0200	[diff] [blame]	141
				142	static int block_cipher_df( unsigned char *output,
				143	const unsigned char *data, size_t data_len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	144	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	145	unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
				146	unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
				147	unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
				148	unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
Manuel Pégourié-Gonnard	7c59363	2014-01-20 10:27:13 +0100	[diff] [blame]	149	unsigned char p, iv;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	150	mbedtls_aes_context aes_ctx;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	151
Paul Bakker	b9cfaa0	2013-10-11 18:58:55 +0200	[diff] [blame]	152	int i, j;
				153	size_t buf_len, use_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	154
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	155	if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
				156	return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
Manuel Pégourié-Gonnard	5cb4b31	2014-11-25 17:41:50 +0100	[diff] [blame]	157
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	158	memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 );
				159	mbedtls_aes_init( &aes_ctx );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	160
				161	/*
				162	* Construct IV (16 bytes) and S in buffer
				163	* IV = Counter (in 32-bits) padded to 16 with zeroes
				164	* S = Length input string (in 32-bits) \|\| Length of output (in 32-bits) \|\|
				165	* data \|\| 0x80
				166	* (Total is padded to a multiple of 16-bytes with zeroes)
				167	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	168	p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
Paul Bakker	2bc7cf1	2011-11-29 10:50:51 +0000	[diff] [blame]	169	*p++ = ( data_len >> 24 ) & 0xff;
				170	*p++ = ( data_len >> 16 ) & 0xff;
				171	*p++ = ( data_len >> 8 ) & 0xff;
				172	*p++ = ( data_len ) & 0xff;
				173	p += 3;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	174	*p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
Paul Bakker	2bc7cf1	2011-11-29 10:50:51 +0000	[diff] [blame]	175	memcpy( p, data, data_len );
				176	p[data_len] = 0x80;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	177
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	178	buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	179
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	180	for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	181	key[i] = i;
				182
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	183	mbedtls_aes_setkey_enc( &aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	184
				185	/*
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	186	* Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	187	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	188	for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	189	{
				190	p = buf;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	191	memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	192	use_len = buf_len;
				193
				194	while( use_len > 0 )
				195	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	196	for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	197	chain[i] ^= p[i];
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	198	p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
				199	use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ?
				200	MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	201
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	202	mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	203	}
Paul Bakker	b9cfaa0	2013-10-11 18:58:55 +0200	[diff] [blame]	204
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	205	memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	206
				207	/*
				208	* Update IV
				209	*/
				210	buf[3]++;
				211	}
				212
				213	/*
				214	* Do final encryption with reduced data
				215	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	216	mbedtls_aes_setkey_enc( &aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
				217	iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	218	p = output;
				219
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	220	for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	221	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	222	mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
				223	memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE );
				224	p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	225	}
				226
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	227	mbedtls_aes_free( &aes_ctx );
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	228
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	229	return( 0 );
				230	}
				231
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	232	static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
				233	const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	234	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	235	unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	236	unsigned char *p = tmp;
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	237	int i, j;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	238
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	239	memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	240
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	241	for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	242	{
				243	/*
				244	* Increase counter
				245	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	246	for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	247	if( ++ctx->counter[i - 1] != 0 )
				248	break;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	249
				250	/*
				251	* Crypt counter block
				252	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	253	mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	254
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	255	p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	256	}
				257
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	258	for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	259	tmp[i] ^= data[i];
				260
				261	/*
				262	* Update key and counter
				263	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	264	mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
				265	memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	266
Gilles Peskine	17b2ac2	2018-09-11 15:34:17 +0200	[diff] [blame]	267	mbedtls_zeroize( tmp, sizeof( tmp ) );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	268	return( 0 );
				269	}
				270
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	271	void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	272	const unsigned char *additional, size_t add_len )
				273	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	274	unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	275
				276	if( add_len > 0 )
				277	{
Manuel Pégourié-Gonnard	5cb4b31	2014-11-25 17:41:50 +0100	[diff] [blame]	278	/* MAX_INPUT would be more logical here, but we have to match
				279	* block_cipher_df()'s limits since we can't propagate errors */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	280	if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
				281	add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
Manuel Pégourié-Gonnard	5cb4b31	2014-11-25 17:41:50 +0100	[diff] [blame]	282
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	283	block_cipher_df( add_input, additional, add_len );
				284	ctr_drbg_update_internal( ctx, add_input );
Gilles Peskine	17b2ac2	2018-09-11 15:34:17 +0200	[diff] [blame]	285	mbedtls_zeroize( add_input, sizeof( add_input ) );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	286	}
				287	}
				288
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	289	int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	290	const unsigned char *additional, size_t len )
				291	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	292	unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	293	size_t seedlen = 0;
				294
Andres Amaya Garcia	ef1329e	2017-01-17 23:24:02 +0000	[diff] [blame]	295	if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT \|\|
				296	len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	297	return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	298
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	299	memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	300
				301	/*
Paul Bakker	18f0341	2013-09-11 10:53:05 +0200	[diff] [blame]	302	* Gather entropy_len bytes of entropy to seed state
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	303	*/
				304	if( 0 != ctx->f_entropy( ctx->p_entropy, seed,
				305	ctx->entropy_len ) )
				306	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	307	return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	308	}
				309
				310	seedlen += ctx->entropy_len;
				311
				312	/*
				313	* Add additional data
				314	*/
				315	if( additional && len )
				316	{
				317	memcpy( seed + seedlen, additional, len );
				318	seedlen += len;
				319	}
				320
				321	/*
				322	* Reduce to 384 bits
				323	*/
				324	block_cipher_df( seed, seed, seedlen );
				325
				326	/*
				327	* Update state
				328	*/
				329	ctr_drbg_update_internal( ctx, seed );
				330	ctx->reseed_counter = 1;
				331
Gilles Peskine	17b2ac2	2018-09-11 15:34:17 +0200	[diff] [blame]	332	mbedtls_zeroize( seed, sizeof( seed ) );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	333	return( 0 );
				334	}
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	335
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	336	int mbedtls_ctr_drbg_random_with_add( void *p_rng,
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	337	unsigned char *output, size_t output_len,
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	338	const unsigned char *additional, size_t add_len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	339	{
				340	int ret = 0;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	341	mbedtls_ctr_drbg_context ctx = (mbedtls_ctr_drbg_context ) p_rng;
				342	unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	343	unsigned char *p = output;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	344	unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	345	int i;
Paul Bakker	23fd5ea	2011-11-29 15:56:12 +0000	[diff] [blame]	346	size_t use_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	347
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	348	if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST )
				349	return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	350
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	351	if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT )
				352	return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	353
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	354	memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	355
				356	if( ctx->reseed_counter > ctx->reseed_interval \|\|
				357	ctx->prediction_resistance )
				358	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	359	if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	360	return( ret );
				361
				362	add_len = 0;
				363	}
				364
				365	if( add_len > 0 )
				366	{
				367	block_cipher_df( add_input, additional, add_len );
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	368	ctr_drbg_update_internal( ctx, add_input );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	369	}
				370
				371	while( output_len > 0 )
				372	{
				373	/*
				374	* Increase counter
				375	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	376	for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	377	if( ++ctx->counter[i - 1] != 0 )
				378	break;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	379
				380	/*
				381	* Crypt counter block
				382	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	383	mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	384
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	385	use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? MBEDTLS_CTR_DRBG_BLOCKSIZE :
Paul Bakker	b9e4e2c	2014-05-01 14:18:25 +0200	[diff] [blame]	386	output_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	387	/*
				388	* Copy random block to destination
				389	*/
Paul Bakker	23fd5ea	2011-11-29 15:56:12 +0000	[diff] [blame]	390	memcpy( p, tmp, use_len );
				391	p += use_len;
				392	output_len -= use_len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	393	}
				394
Paul Bakker	1bc9efc	2011-12-03 11:29:32 +0000	[diff] [blame]	395	ctr_drbg_update_internal( ctx, add_input );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	396
				397	ctx->reseed_counter++;
				398
Gilles Peskine	17b2ac2	2018-09-11 15:34:17 +0200	[diff] [blame]	399	mbedtls_zeroize( add_input, sizeof( add_input ) );
				400	mbedtls_zeroize( tmp, sizeof( tmp ) );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	401	return( 0 );
				402	}
				403
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	404	int mbedtls_ctr_drbg_random( void p_rng, unsigned char output, size_t output_len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	405	{
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	406	int ret;
				407	mbedtls_ctr_drbg_context ctx = (mbedtls_ctr_drbg_context ) p_rng;
				408
				409	#if defined(MBEDTLS_THREADING_C)
				410	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
				411	return( ret );
				412	#endif
				413
				414	ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 );
				415
				416	#if defined(MBEDTLS_THREADING_C)
				417	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
				418	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
				419	#endif
				420
				421	return( ret );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	422	}
				423
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	424	#if defined(MBEDTLS_FS_IO)
				425	int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context ctx, const char path )
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	426	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	427	int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	428	FILE *f;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	429	unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	430
				431	if( ( f = fopen( path, "wb" ) ) == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	432	return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	433
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	434	if( ( ret = mbedtls_ctr_drbg_random( ctx, buf, MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	435	goto exit;
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	436
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	437	if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) != MBEDTLS_CTR_DRBG_MAX_INPUT )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	438	ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
Andres Amaya Garcia	e0a727e	2017-06-26 10:56:58 +0100	[diff] [blame]	439	else
				440	ret = 0;
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	441
Andres Amaya Garcia	c17cc44	2017-06-27 16:57:26 +0100	[diff] [blame]	442	exit:
Andres Amaya Garcia	e0a727e	2017-06-26 10:56:58 +0100	[diff] [blame]	443	mbedtls_zeroize( buf, sizeof( buf ) );
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	444
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	445	fclose( f );
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	446	return( ret );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	447	}
				448
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	449	int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context ctx, const char path )
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	450	{
Andres Amaya Garcia	e0a727e	2017-06-26 10:56:58 +0100	[diff] [blame]	451	int ret = 0;
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	452	FILE *f;
				453	size_t n;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	454	unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	455
				456	if( ( f = fopen( path, "rb" ) ) == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	457	return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	458
				459	fseek( f, 0, SEEK_END );
				460	n = (size_t) ftell( f );
				461	fseek( f, 0, SEEK_SET );
				462
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	463	if( n > MBEDTLS_CTR_DRBG_MAX_INPUT )
Andres Amaya Garcia	c17cc44	2017-06-27 16:57:26 +0100	[diff] [blame]	464	{
				465	fclose( f );
				466	return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
				467	}
				468
				469	if( fread( buf, 1, n, f ) != n )
Andres Amaya Garcia	e0a727e	2017-06-26 10:56:58 +0100	[diff] [blame]	470	ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
				471	else
				472	mbedtls_ctr_drbg_update( ctx, buf, n );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	473
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	474	fclose( f );
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	475
Andres Amaya Garcia	e0a727e	2017-06-26 10:56:58 +0100	[diff] [blame]	476	mbedtls_zeroize( buf, sizeof( buf ) );
				477
				478	if( ret != 0 )
				479	return( ret );
Paul Bakker	c72d3f7	2013-05-14 13:22:41 +0200	[diff] [blame]	480
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	481	return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	482	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	483	#endif /* MBEDTLS_FS_IO */
Paul Bakker	fc754a9	2011-12-05 13:23:51 +0000	[diff] [blame]	484
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	485	#if defined(MBEDTLS_SELF_TEST)
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	486
Manuel Pégourié-Gonnard	28122e4	2015-03-11 09:13:42 +0000	[diff] [blame]	487	static const unsigned char entropy_source_pr[96] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	488	{ 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16,
				489	0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02,
				490	0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b,
				491	0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb,
				492	0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9,
				493	0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95,
				494	0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63,
				495	0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3,
				496	0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31,
				497	0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4,
				498	0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56,
				499	0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 };
				500
Manuel Pégourié-Gonnard	28122e4	2015-03-11 09:13:42 +0000	[diff] [blame]	501	static const unsigned char entropy_source_nopr[64] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	502	{ 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14,
				503	0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe,
				504	0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d,
				505	0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20,
				506	0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9,
				507	0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46,
				508	0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e,
				509	0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e };
				510
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	511	static const unsigned char nonce_pers_pr[16] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	512	{ 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2,
				513	0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c };
				514
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	515	static const unsigned char nonce_pers_nopr[16] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	516	{ 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5,
				517	0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f };
				518
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	519	static const unsigned char result_pr[16] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	520	{ 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f,
				521	0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 };
				522
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	523	static const unsigned char result_nopr[16] =
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	524	{ 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88,
				525	0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f };
				526
Manuel Pégourié-Gonnard	9592485	2014-03-21 10:54:55 +0100	[diff] [blame]	527	static size_t test_offset;
Paul Bakker	b6c5d2e	2013-06-25 16:25:17 +0200	[diff] [blame]	528	static int ctr_drbg_self_test_entropy( void data, unsigned char buf,
				529	size_t len )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	530	{
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	531	const unsigned char *p = data;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	532	memcpy( buf, p + test_offset, len );
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	533	test_offset += len;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	534	return( 0 );
				535	}
				536
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	537	#define CHK( c ) if( (c) != 0 ) \
				538	{ \
				539	if( verbose != 0 ) \
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	540	mbedtls_printf( "failed\n" ); \
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	541	return( 1 ); \
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	542	}
				543
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	544	/*
				545	* Checkup routine
				546	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	547	int mbedtls_ctr_drbg_self_test( int verbose )
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	548	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	549	mbedtls_ctr_drbg_context ctx;
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	550	unsigned char buf[16];
				551
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	552	mbedtls_ctr_drbg_init( &ctx );
				553
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	554	/*
				555	* Based on a NIST CTR_DRBG test vector (PR = True)
				556	*/
				557	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	558	mbedtls_printf( " CTR_DRBG (PR = TRUE) : " );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	559
				560	test_offset = 0;
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	561	CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
Manuel Pégourié-Gonnard	28122e4	2015-03-11 09:13:42 +0000	[diff] [blame]	562	(void *) entropy_source_pr, nonce_pers_pr, 16, 32 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	563	mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
				564	CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
				565	CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
				566	CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	567
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	568	mbedtls_ctr_drbg_free( &ctx );
				569
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	570	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	571	mbedtls_printf( "passed\n" );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	572
				573	/*
				574	* Based on a NIST CTR_DRBG test vector (PR = FALSE)
				575	*/
				576	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	577	mbedtls_printf( " CTR_DRBG (PR = FALSE): " );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	578
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	579	mbedtls_ctr_drbg_init( &ctx );
				580
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	581	test_offset = 0;
Manuel Pégourié-Gonnard	8d128ef	2015-04-28 22:38:08 +0200	[diff] [blame]	582	CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
Manuel Pégourié-Gonnard	28122e4	2015-03-11 09:13:42 +0000	[diff] [blame]	583	(void *) entropy_source_nopr, nonce_pers_nopr, 16, 32 ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	584	CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
				585	CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
				586	CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
Manuel Pégourié-Gonnard	b3b205e	2014-01-31 12:04:06 +0100	[diff] [blame]	587	CHK( memcmp( buf, result_nopr, 16 ) );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	588
Manuel Pégourié-Gonnard	0a4fb09	2015-05-07 12:50:31 +0100	[diff] [blame]	589	mbedtls_ctr_drbg_free( &ctx );
				590
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	591	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	592	mbedtls_printf( "passed\n" );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	593
				594	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	595	mbedtls_printf( "\n" );
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	596
				597	return( 0 );
				598	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	599	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	0e04d0e	2011-11-27 14:46:59 +0000	[diff] [blame]	600
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	601	#endif /* MBEDTLS_CTR_DRBG_C */