TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / dbd3f7c68df4ba478a9f8b981458c7a1f76963df / . / library / ctr_drbg.c
blob: 92316dabbdac210d2ef272690abd8e0b8b7dffa9 [file] [log] [blame]
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]1/*
2 * CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]20 */
21/*
Paul Sokolovsky8d6d8c82018-02-10 11:11:41 +0200[diff] [blame]22 * The NIST SP 800-90 DRBGs are described in the following publication.
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]23 *
24 * http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
25 */
26
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]27#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]28#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]29#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]30#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]31#endif
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]32
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]33#if defined(MBEDTLS_CTR_DRBG_C)
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]34
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]35#include "mbedtls/ctr_drbg.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]36#include "mbedtls/platform_util.h"
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]37
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]38#include <string.h>
39
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]40#if defined(MBEDTLS_FS_IO)
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]41#include <stdio.h>
42#endif
43
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_SELF_TEST)
45#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]46#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]47#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]48#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]49#define mbedtls_printf printf
50#endif /* MBEDTLS_PLATFORM_C */
51#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]52
Paul Bakker18d32912011-12-10 21:42:49 +0000[diff] [blame]53/*
Manuel Pégourié-Gonnard8d128ef2015-04-28 22:38:08 +0200[diff] [blame]54 * CTR_DRBG context initialization
55 */
56void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
57{
58 memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) );
Manuel Pégourié-Gonnard0a4fb092015-05-07 12:50:31 +0100[diff] [blame]59
60#if defined(MBEDTLS_THREADING_C)
61 mbedtls_mutex_init( &ctx->mutex );
62#endif
Manuel Pégourié-Gonnard8d128ef2015-04-28 22:38:08 +0200[diff] [blame]63}
64
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]65void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
Paul Bakkerfff03662014-06-18 16:21:25 +0200[diff] [blame]66{
67 if( ctx == NULL )
68 return;
69
Manuel Pégourié-Gonnard0a4fb092015-05-07 12:50:31 +0100[diff] [blame]70#if defined(MBEDTLS_THREADING_C)
71 mbedtls_mutex_free( &ctx->mutex );
72#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]73 mbedtls_aes_free( &ctx->aes_ctx );
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]74 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
Paul Bakkerfff03662014-06-18 16:21:25 +0200[diff] [blame]75}
76
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]77void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
78 int resistance )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]79{
80 ctx->prediction_resistance = resistance;
81}
82
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]83void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx,
84 size_t len )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]85{
86 ctx->entropy_len = len;
87}
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]88
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]89void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx,
90 int interval )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]91{
92 ctx->reseed_interval = interval;
93}
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]94
95static int block_cipher_df( unsigned char *output,
96 const unsigned char *data, size_t data_len )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]97{
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]98 unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
99 MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]100 unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
101 unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
102 unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
Manuel Pégourié-Gonnard7c593632014-01-20 10:27:13 +0100[diff] [blame]103 unsigned char *p, *iv;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]104 mbedtls_aes_context aes_ctx;
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]105 int ret = 0;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]106
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]107 int i, j;
108 size_t buf_len, use_len;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]109
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]110 if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
111 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
Manuel Pégourié-Gonnard5cb4b312014-11-25 17:41:50 +0100[diff] [blame]112
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]113 memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
114 MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]115 mbedtls_aes_init( &aes_ctx );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]116
117 /*
118 * Construct IV (16 bytes) and S in buffer
119 * IV = Counter (in 32-bits) padded to 16 with zeroes
120 * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
121 * data || 0x80
122 * (Total is padded to a multiple of 16-bytes with zeroes)
123 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]124 p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
Paul Bakker2bc7cf12011-11-29 10:50:51 +0000[diff] [blame]125 *p++ = ( data_len >> 24 ) & 0xff;
126 *p++ = ( data_len >> 16 ) & 0xff;
127 *p++ = ( data_len >> 8 ) & 0xff;
128 *p++ = ( data_len ) & 0xff;
129 p += 3;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]130 *p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
Paul Bakker2bc7cf12011-11-29 10:50:51 +0000[diff] [blame]131 memcpy( p, data, data_len );
132 p[data_len] = 0x80;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]133
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]134 buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]135
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]136 for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]137 key[i] = i;
138
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]139 if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, key,
140 MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]141 {
142 goto exit;
143 }
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]144
145 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]146 * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]147 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]148 for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]149 {
150 p = buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]151 memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]152 use_len = buf_len;
153
154 while( use_len > 0 )
155 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]156 for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]157 chain[i] ^= p[i];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]158 p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
159 use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ?
160 MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]161
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]162 if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT,
163 chain, chain ) ) != 0 )
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]164 {
165 goto exit;
166 }
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]167 }
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]168
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]169 memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]170
171 /*
172 * Update IV
173 */
174 buf[3]++;
175 }
176
177 /*
178 * Do final encryption with reduced data
179 */
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]180 if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, tmp,
181 MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]182 {
183 goto exit;
184 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]185 iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]186 p = output;
187
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]188 for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]189 {
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]190 if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT,
191 iv, iv ) ) != 0 )
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]192 {
193 goto exit;
194 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]195 memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE );
196 p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]197 }
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]198exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]199 mbedtls_aes_free( &aes_ctx );
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]200 /*
201 * tidy up the stack
202 */
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]203 mbedtls_platform_zeroize( buf, sizeof( buf ) );
204 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
205 mbedtls_platform_zeroize( key, sizeof( key ) );
206 mbedtls_platform_zeroize( chain, sizeof( chain ) );
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]207 if( 0 != ret )
208 {
209 /*
210 * wipe partial seed from memory
211 */
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]212 mbedtls_platform_zeroize( output, MBEDTLS_CTR_DRBG_SEEDLEN );
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]213 }
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]214
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]215 return( ret );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]216}
217
Gilles Peskineed7da592018-08-03 20:16:52 +0200[diff] [blame]218/* CTR_DRBG_Update (SP 800-90A &sect;10.2.1.2)
219 * ctr_drbg_update_internal(ctx, provided_data)
220 * implements
221 * CTR_DRBG_Update(provided_data, Key, V)
222 * with inputs and outputs
223 * ctx->aes_ctx = Key
224 * ctx->counter = V
225 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]226static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]227 const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]228{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]229 unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]230 unsigned char *p = tmp;
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]231 int i, j;
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]232 int ret = 0;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]233
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]234 memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]235
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]236 for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]237 {
238 /*
239 * Increase counter
240 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]241 for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]242 if( ++ctx->counter[i - 1] != 0 )
243 break;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]244
245 /*
246 * Crypt counter block
247 */
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]248 if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
249 ctx->counter, p ) ) != 0 )
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]250 {
Gilles Peskined9aa84d2018-09-11 15:34:17 +0200[diff] [blame]251 goto exit;
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]252 }
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]253
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]254 p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]255 }
256
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]257 for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]258 tmp[i] ^= data[i];
259
260 /*
261 * Update key and counter
262 */
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]263 if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp,
264 MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]265 {
Gilles Peskined9aa84d2018-09-11 15:34:17 +0200[diff] [blame]266 goto exit;
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]267 }
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]268 memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE,
269 MBEDTLS_CTR_DRBG_BLOCKSIZE );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]270
Gilles Peskined9aa84d2018-09-11 15:34:17 +0200[diff] [blame]271exit:
272 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
273 return( ret );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]274}
275
Gilles Peskineed7da592018-08-03 20:16:52 +0200[diff] [blame]276/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
277 * mbedtls_ctr_drbg_update(ctx, additional, add_len)
278 * implements
279 * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
280 * security_strength) -> initial_working_state
281 * with inputs
282 * ctx->counter = all-bits-0
283 * ctx->aes_ctx = context from all-bits-0 key
284 * additional[:add_len] = entropy_input || nonce || personalization_string
285 * and with outputs
286 * ctx = initial_working_state
287 */
Gilles Peskined9199932018-09-11 16:41:54 +0200[diff] [blame]288int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
289 const unsigned char *additional,
290 size_t add_len )
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]291{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]292 unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
Gilles Peskined9199932018-09-11 16:41:54 +0200[diff] [blame]293 int ret;
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]294
Gilles Peskined9199932018-09-11 16:41:54 +0200[diff] [blame]295 if( add_len == 0 )
296 return( 0 );
Manuel Pégourié-Gonnard5cb4b312014-11-25 17:41:50 +0100[diff] [blame]297
Gilles Peskined9199932018-09-11 16:41:54 +0200[diff] [blame]298 if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
299 goto exit;
300 if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
301 goto exit;
302
303exit:
304 mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
305 return( ret );
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]306}
307
Gilles Peskined9199932018-09-11 16:41:54 +0200[diff] [blame]308#if !defined(MBEDTLS_DEPRECATED_REMOVED)
309void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
310 const unsigned char *additional,
311 size_t add_len )
312{
313 /* MAX_INPUT would be more logical here, but we have to match
314 * block_cipher_df()'s limits since we can't propagate errors */
315 if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
316 add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
317 (void) mbedtls_ctr_drbg_update_ret( ctx, additional, add_len );
318}
319#endif /* MBEDTLS_DEPRECATED_REMOVED */
320
Gilles Peskineed7da592018-08-03 20:16:52 +0200[diff] [blame]321/* CTR_DRBG_Reseed with derivation function (SP 800-90A &sect;10.2.1.4.2)
322 * mbedtls_ctr_drbg_reseed(ctx, additional, len)
323 * implements
324 * CTR_DRBG_Reseed(working_state, entropy_input, additional_input)
325 * -> new_working_state
326 * with inputs
327 * ctx contains working_state
328 * additional[:len] = additional_input
329 * and entropy_input comes from calling ctx->f_entropy
330 * and with output
331 * ctx contains new_working_state
332 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]333int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]334 const unsigned char *additional, size_t len )
335{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]336 unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]337 size_t seedlen = 0;
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]338 int ret;
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]339
Gilles Peskinedbd3f7c2019-10-22 17:25:30 +0200[diff] [blame^]340 if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
341 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
342 if( len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]343 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]344
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]345 memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]346
Gilles Peskinedbd3f7c2019-10-22 17:25:30 +0200[diff] [blame^]347 /* Gather entropy_len bytes of entropy to seed state. */
348 if( 0 != ctx->f_entropy( ctx->p_entropy, seed, ctx->entropy_len ) )
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]349 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]350 return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]351 }
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]352 seedlen += ctx->entropy_len;
353
Gilles Peskinedbd3f7c2019-10-22 17:25:30 +0200[diff] [blame^]354 /* Add additional data if provided. */
355 if( additional != NULL && len != 0 )
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]356 {
357 memcpy( seed + seedlen, additional, len );
358 seedlen += len;
359 }
360
Gilles Peskinedbd3f7c2019-10-22 17:25:30 +0200[diff] [blame^]361 /* Reduce to 384 bits. */
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]362 if( ( ret = block_cipher_df( seed, seed, seedlen ) ) != 0 )
Gilles Peskined9aa84d2018-09-11 15:34:17 +0200[diff] [blame]363 goto exit;
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]364
Gilles Peskinedbd3f7c2019-10-22 17:25:30 +0200[diff] [blame^]365 /* Update state. */
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]366 if( ( ret = ctr_drbg_update_internal( ctx, seed ) ) != 0 )
Gilles Peskined9aa84d2018-09-11 15:34:17 +0200[diff] [blame]367 goto exit;
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]368 ctx->reseed_counter = 1;
369
Gilles Peskined9aa84d2018-09-11 15:34:17 +0200[diff] [blame]370exit:
371 mbedtls_platform_zeroize( seed, sizeof( seed ) );
372 return( ret );
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]373}
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]374
Gilles Peskine8bf56132019-10-02 20:31:54 +0200[diff] [blame]375/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
Gilles Peskine379561f2019-10-18 16:57:48 +0200[diff] [blame]376 * mbedtls_ctr_drbg_seed(ctx, f_entropy, p_entropy, custom, len)
Gilles Peskine8bf56132019-10-02 20:31:54 +0200[diff] [blame]377 * implements
378 * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
379 * security_strength) -> initial_working_state
380 * with inputs
381 * custom[:len] = nonce || personalization_string
Gilles Peskine379561f2019-10-18 16:57:48 +0200[diff] [blame]382 * where entropy_input comes from f_entropy for ctx->entropy_len bytes
Gilles Peskine8bf56132019-10-02 20:31:54 +0200[diff] [blame]383 * and with outputs
384 * ctx = initial_working_state
385 */
Gilles Peskine50ed86b2019-10-04 12:15:55 +0200[diff] [blame]386int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
387 int (*f_entropy)(void *, unsigned char *, size_t),
388 void *p_entropy,
389 const unsigned char *custom,
390 size_t len )
Gilles Peskine8bf56132019-10-02 20:31:54 +0200[diff] [blame]391{
392 int ret;
393 unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
394
395 memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
396
397 mbedtls_aes_init( &ctx->aes_ctx );
398
399 ctx->f_entropy = f_entropy;
400 ctx->p_entropy = p_entropy;
401
Gilles Peskine50ed86b2019-10-04 12:15:55 +0200[diff] [blame]402 if( ctx->entropy_len == 0 )
403 ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
Gilles Peskine8bf56132019-10-02 20:31:54 +0200[diff] [blame]404 ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
405
406 /*
407 * Initialize with an empty key
408 */
409 if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key,
410 MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
411 {
412 return( ret );
413 }
414
415 if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
416 {
417 return( ret );
418 }
419 return( 0 );
420}
421
Gilles Peskineed7da592018-08-03 20:16:52 +0200[diff] [blame]422/* CTR_DRBG_Generate with derivation function (SP 800-90A &sect;10.2.1.5.2)
423 * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
424 * implements
425 * CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len])
426 * -> working_state_after_reseed
427 * if required, then
428 * CTR_DRBG_Generate(working_state_after_reseed,
429 * requested_number_of_bits, additional_input)
430 * -> status, returned_bits, new_working_state
431 * with inputs
432 * ctx contains working_state
433 * requested_number_of_bits = 8 * output_len
434 * additional[:add_len] = additional_input
435 * and entropy_input comes from calling ctx->f_entropy
436 * and with outputs
437 * status = SUCCESS (this function does the reseed internally)
438 * returned_bits = output[:output_len]
439 * ctx contains new_working_state
440 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]441int mbedtls_ctr_drbg_random_with_add( void *p_rng,
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]442 unsigned char *output, size_t output_len,
Paul Bakker1bc9efc2011-12-03 11:29:32 +0000[diff] [blame]443 const unsigned char *additional, size_t add_len )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]444{
445 int ret = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]446 mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
447 unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]448 unsigned char *p = output;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]449 unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]450 int i;
Paul Bakker23fd5ea2011-11-29 15:56:12 +0000[diff] [blame]451 size_t use_len;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]452
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]453 if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST )
454 return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]455
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]456 if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT )
457 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]458
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]459 memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]460
461 if( ctx->reseed_counter > ctx->reseed_interval ||
462 ctx->prediction_resistance )
463 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]464 if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]465 {
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]466 return( ret );
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]467 }
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]468 add_len = 0;
469 }
470
471 if( add_len > 0 )
472 {
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]473 if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
Gilles Peskined9aa84d2018-09-11 15:34:17 +0200[diff] [blame]474 goto exit;
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]475 if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
Gilles Peskined9aa84d2018-09-11 15:34:17 +0200[diff] [blame]476 goto exit;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]477 }
478
479 while( output_len > 0 )
480 {
481 /*
482 * Increase counter
483 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]484 for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]485 if( ++ctx->counter[i - 1] != 0 )
486 break;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]487
488 /*
489 * Crypt counter block
490 */
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]491 if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
492 ctx->counter, tmp ) ) != 0 )
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]493 {
Gilles Peskined9aa84d2018-09-11 15:34:17 +0200[diff] [blame]494 goto exit;
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]495 }
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]496
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]497 use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE )
498 ? MBEDTLS_CTR_DRBG_BLOCKSIZE : output_len;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]499 /*
500 * Copy random block to destination
501 */
Paul Bakker23fd5ea2011-11-29 15:56:12 +0000[diff] [blame]502 memcpy( p, tmp, use_len );
503 p += use_len;
504 output_len -= use_len;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]505 }
506
Dvir Markovich1b364992017-06-26 13:43:34 +0300[diff] [blame]507 if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
Gilles Peskined9aa84d2018-09-11 15:34:17 +0200[diff] [blame]508 goto exit;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]509
510 ctx->reseed_counter++;
511
Gilles Peskined9aa84d2018-09-11 15:34:17 +0200[diff] [blame]512exit:
513 mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
514 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]515 return( 0 );
516}
517
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]518int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output,
519 size_t output_len )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]520{
Manuel Pégourié-Gonnard0a4fb092015-05-07 12:50:31 +0100[diff] [blame]521 int ret;
522 mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
523
524#if defined(MBEDTLS_THREADING_C)
525 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
526 return( ret );
527#endif
528
529 ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 );
530
531#if defined(MBEDTLS_THREADING_C)
532 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
533 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
534#endif
535
536 return( ret );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]537}
538
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]539#if defined(MBEDTLS_FS_IO)
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]540int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx,
541 const char *path )
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]542{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]543 int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]544 FILE *f;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]545 unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]546
547 if( ( f = fopen( path, "wb" ) ) == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]548 return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]549
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]550 if( ( ret = mbedtls_ctr_drbg_random( ctx, buf,
551 MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
Paul Bakkerc72d3f72013-05-14 13:22:41 +0200[diff] [blame]552 goto exit;
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]553
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]554 if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) !=
555 MBEDTLS_CTR_DRBG_MAX_INPUT )
556 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]557 ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]558 }
Andres Amaya Garcia13f41e12017-06-26 10:56:58 +0100[diff] [blame]559 else
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]560 {
Andres Amaya Garcia13f41e12017-06-26 10:56:58 +0100[diff] [blame]561 ret = 0;
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]562 }
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]563
Andres Amaya Garcia4e2c07c2017-06-27 16:57:26 +0100[diff] [blame]564exit:
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]565 mbedtls_platform_zeroize( buf, sizeof( buf ) );
Paul Bakkerc72d3f72013-05-14 13:22:41 +0200[diff] [blame]566
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]567 fclose( f );
Paul Bakkerc72d3f72013-05-14 13:22:41 +0200[diff] [blame]568 return( ret );
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]569}
570
Hanno Beckera08651f2018-10-05 09:38:59 +0100[diff] [blame]571int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx,
572 const char *path )
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]573{
Andres Amaya Garcia13f41e12017-06-26 10:56:58 +0100[diff] [blame]574 int ret = 0;
Gilles Peskine82204662018-09-11 18:43:09 +0200[diff] [blame]575 FILE *f = NULL;
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]576 size_t n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]577 unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
Gilles Peskine82204662018-09-11 18:43:09 +0200[diff] [blame]578 unsigned char c;
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]579
580 if( ( f = fopen( path, "rb" ) ) == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581 return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]582
Gilles Peskine82204662018-09-11 18:43:09 +0200[diff] [blame]583 n = fread( buf, 1, sizeof( buf ), f );
584 if( fread( &c, 1, 1, f ) != 0 )
Andres Amaya Garcia4e2c07c2017-06-27 16:57:26 +0100[diff] [blame]585 {
Gilles Peskine82204662018-09-11 18:43:09 +0200[diff] [blame]586 ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
587 goto exit;
Andres Amaya Garcia4e2c07c2017-06-27 16:57:26 +0100[diff] [blame]588 }
Gilles Peskine82204662018-09-11 18:43:09 +0200[diff] [blame]589 if( n == 0 || ferror( f ) )
590 {
Andres Amaya Garcia13f41e12017-06-26 10:56:58 +0100[diff] [blame]591 ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
Gilles Peskine82204662018-09-11 18:43:09 +0200[diff] [blame]592 goto exit;
593 }
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]594 fclose( f );
Gilles Peskine82204662018-09-11 18:43:09 +0200[diff] [blame]595 f = NULL;
Paul Bakkerc72d3f72013-05-14 13:22:41 +0200[diff] [blame]596
Gilles Peskine82204662018-09-11 18:43:09 +0200[diff] [blame]597 ret = mbedtls_ctr_drbg_update_ret( ctx, buf, n );
598
599exit:
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]600 mbedtls_platform_zeroize( buf, sizeof( buf ) );
Gilles Peskine82204662018-09-11 18:43:09 +0200[diff] [blame]601 if( f != NULL )
602 fclose( f );
Andres Amaya Garcia13f41e12017-06-26 10:56:58 +0100[diff] [blame]603 if( ret != 0 )
604 return( ret );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]605 return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]606}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]607#endif /* MBEDTLS_FS_IO */
Paul Bakkerfc754a92011-12-05 13:23:51 +0000[diff] [blame]608
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]609#if defined(MBEDTLS_SELF_TEST)
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]610
Manuel Pégourié-Gonnard28122e42015-03-11 09:13:42 +0000[diff] [blame]611static const unsigned char entropy_source_pr[96] =
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]612 { 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16,
613 0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02,
614 0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b,
615 0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb,
616 0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9,
617 0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95,
618 0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63,
619 0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3,
620 0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31,
621 0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4,
622 0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56,
623 0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 };
624
Manuel Pégourié-Gonnard28122e42015-03-11 09:13:42 +0000[diff] [blame]625static const unsigned char entropy_source_nopr[64] =
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]626 { 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14,
627 0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe,
628 0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d,
629 0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20,
630 0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9,
631 0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46,
632 0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e,
633 0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e };
634
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]635static const unsigned char nonce_pers_pr[16] =
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]636 { 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2,
637 0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c };
638
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]639static const unsigned char nonce_pers_nopr[16] =
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]640 { 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5,
641 0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f };
642
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]643static const unsigned char result_pr[16] =
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]644 { 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f,
645 0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 };
646
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]647static const unsigned char result_nopr[16] =
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]648 { 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88,
649 0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f };
650
Manuel Pégourié-Gonnard95924852014-03-21 10:54:55 +0100[diff] [blame]651static size_t test_offset;
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]652static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf,
653 size_t len )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]654{
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]655 const unsigned char *p = data;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]656 memcpy( buf, p + test_offset, len );
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]657 test_offset += len;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]658 return( 0 );
659}
660
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]661#define CHK( c ) if( (c) != 0 ) \
662 { \
663 if( verbose != 0 ) \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]664 mbedtls_printf( "failed\n" ); \
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]665 return( 1 ); \
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]666 }
667
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]668/*
669 * Checkup routine
670 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671int mbedtls_ctr_drbg_self_test( int verbose )
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]672{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]673 mbedtls_ctr_drbg_context ctx;
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]674 unsigned char buf[16];
675
Manuel Pégourié-Gonnard8d128ef2015-04-28 22:38:08 +0200[diff] [blame]676 mbedtls_ctr_drbg_init( &ctx );
677
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]678 /*
679 * Based on a NIST CTR_DRBG test vector (PR = True)
680 */
681 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]682 mbedtls_printf( " CTR_DRBG (PR = TRUE) : " );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]683
684 test_offset = 0;
Gilles Peskine50ed86b2019-10-04 12:15:55 +0200[diff] [blame]685 mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
686 CHK( mbedtls_ctr_drbg_seed( &ctx,
687 ctr_drbg_self_test_entropy,
688 (void *) entropy_source_pr,
689 nonce_pers_pr, 16 ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]690 mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
691 CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
692 CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
693 CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]694
Manuel Pégourié-Gonnard0a4fb092015-05-07 12:50:31 +0100[diff] [blame]695 mbedtls_ctr_drbg_free( &ctx );
696
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]697 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]698 mbedtls_printf( "passed\n" );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]699
700 /*
701 * Based on a NIST CTR_DRBG test vector (PR = FALSE)
702 */
703 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]704 mbedtls_printf( " CTR_DRBG (PR = FALSE): " );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]705
Manuel Pégourié-Gonnard0a4fb092015-05-07 12:50:31 +0100[diff] [blame]706 mbedtls_ctr_drbg_init( &ctx );
707
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]708 test_offset = 0;
Gilles Peskine50ed86b2019-10-04 12:15:55 +0200[diff] [blame]709 mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
710 CHK( mbedtls_ctr_drbg_seed( &ctx,
711 ctr_drbg_self_test_entropy,
712 (void *) entropy_source_nopr,
713 nonce_pers_nopr, 16 ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]714 CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
715 CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
716 CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
Manuel Pégourié-Gonnardb3b205e2014-01-31 12:04:06 +0100[diff] [blame]717 CHK( memcmp( buf, result_nopr, 16 ) );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]718
Manuel Pégourié-Gonnard0a4fb092015-05-07 12:50:31 +0100[diff] [blame]719 mbedtls_ctr_drbg_free( &ctx );
720
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]721 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]722 mbedtls_printf( "passed\n" );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]723
724 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]725 mbedtls_printf( "\n" );
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]726
727 return( 0 );
728}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729#endif /* MBEDTLS_SELF_TEST */
Paul Bakker0e04d0e2011-11-27 14:46:59 +0000[diff] [blame]730
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]731#endif /* MBEDTLS_CTR_DRBG_C */