projects / proxmark3-svn / blame
| Commit | Line | Data |
|---|---|---|
| 700d8687 OM |
1 | /* |
| 2 | * CTR_DRBG implementation based on AES-256 (NIST SP 800-90) | |
| 3 | * | |
| 4 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved | |
| 5 | * SPDX-License-Identifier: GPL-2.0 | |
| 6 | * | |
| 7 | * This program is free software; you can redistribute it and/or modify | |
| 8 | * it under the terms of the GNU General Public License as published by | |
| 9 | * the Free Software Foundation; either version 2 of the License, or | |
| 10 | * (at your option) any later version. | |
| 11 | * | |
| 12 | * This program is distributed in the hope that it will be useful, | |
| 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 15 | * GNU General Public License for more details. | |
| 16 | * | |
| 17 | * You should have received a copy of the GNU General Public License along | |
| 18 | * with this program; if not, write to the Free Software Foundation, Inc., | |
| 19 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
| 20 | * | |
| 21 | * This file is part of mbed TLS (https://tls.mbed.org) | |
| 22 | */ | |
| 23 | /* | |
| 24 | * The NIST SP 800-90 DRBGs are described in the following publication. | |
| 25 | * | |
| 26 | * http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf | |
| 27 | */ | |
| 28 | ||
| 29 | #if !defined(MBEDTLS_CONFIG_FILE) | |
| 30 | #include "mbedtls/config.h" | |
| 31 | #else | |
| 32 | #include MBEDTLS_CONFIG_FILE | |
| 33 | #endif | |
| 34 | ||
| 35 | #if defined(MBEDTLS_CTR_DRBG_C) | |
| 36 | ||
| 37 | #include "mbedtls/ctr_drbg.h" | |
| 38 | #include "mbedtls/platform_util.h" | |
| 39 | ||
| 40 | #include <string.h> | |
| 41 | ||
| 42 | #if defined(MBEDTLS_FS_IO) | |
| 43 | #include <stdio.h> | |
| 44 | #endif | |
| 45 | ||
| 46 | #if defined(MBEDTLS_SELF_TEST) | |
| 47 | #if defined(MBEDTLS_PLATFORM_C) | |
| 48 | #include "mbedtls/platform.h" | |
| 49 | #else | |
| 50 | #include <stdio.h> | |
| 51 | #define mbedtls_printf printf | |
| 52 | #endif /* MBEDTLS_PLATFORM_C */ | |
| 53 | #endif /* MBEDTLS_SELF_TEST */ | |
| 54 | ||
| 55 | /* | |
| 56 | * CTR_DRBG context initialization | |
| 57 | */ | |
| 58 | void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx ) | |
| 59 | { | |
| 60 | memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) ); | |
| 61 | ||
| 62 | #if defined(MBEDTLS_THREADING_C) | |
| 63 | mbedtls_mutex_init( &ctx->mutex ); | |
| 64 | #endif | |
| 65 | } | |
| 66 | ||
| 67 | /* | |
| 68 | * Non-public function wrapped by mbedtls_ctr_drbg_seed(). Necessary to allow | |
| 69 | * NIST tests to succeed (which require known length fixed entropy) | |
| 70 | */ | |
| 71 | int mbedtls_ctr_drbg_seed_entropy_len( | |
| 72 | mbedtls_ctr_drbg_context *ctx, | |
| 73 | int (*f_entropy)(void *, unsigned char *, size_t), | |
| 74 | void *p_entropy, | |
| 75 | const unsigned char *custom, | |
| 76 | size_t len, | |
| 77 | size_t entropy_len ) | |
| 78 | { | |
| 79 | int ret; | |
| 80 | unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE]; | |
| 81 | ||
| 82 | memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE ); | |
| 83 | ||
| 84 | mbedtls_aes_init( &ctx->aes_ctx ); | |
| 85 | ||
| 86 | ctx->f_entropy = f_entropy; | |
| 87 | ctx->p_entropy = p_entropy; | |
| 88 | ||
| 89 | ctx->entropy_len = entropy_len; | |
| 90 | ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL; | |
| 91 | ||
| 92 | /* | |
| 93 | * Initialize with an empty key | |
| 94 | */ | |
| 95 | if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 ) | |
| 96 | { | |
| 97 | return( ret ); | |
| 98 | } | |
| 99 | ||
| 100 | if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 ) | |
| 101 | { | |
| 102 | return( ret ); | |
| 103 | } | |
| 104 | return( 0 ); | |
| 105 | } | |
| 106 | ||
| 107 | int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx, | |
| 108 | int (*f_entropy)(void *, unsigned char *, size_t), | |
| 109 | void *p_entropy, | |
| 110 | const unsigned char *custom, | |
| 111 | size_t len ) | |
| 112 | { | |
| 113 | return( mbedtls_ctr_drbg_seed_entropy_len( ctx, f_entropy, p_entropy, custom, len, | |
| 114 | MBEDTLS_CTR_DRBG_ENTROPY_LEN ) ); | |
| 115 | } | |
| 116 | ||
| 117 | void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx ) | |
| 118 | { | |
| 119 | if( ctx == NULL ) | |
| 120 | return; | |
| 121 | ||
| 122 | #if defined(MBEDTLS_THREADING_C) | |
| 123 | mbedtls_mutex_free( &ctx->mutex ); | |
| 124 | #endif | |
| 125 | mbedtls_aes_free( &ctx->aes_ctx ); | |
| 126 | mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) ); | |
| 127 | } | |
| 128 | ||
| 129 | void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx, int resistance ) | |
| 130 | { | |
| 131 | ctx->prediction_resistance = resistance; | |
| 132 | } | |
| 133 | ||
| 134 | void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx, size_t len ) | |
| 135 | { | |
| 136 | ctx->entropy_len = len; | |
| 137 | } | |
| 138 | ||
| 139 | void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx, int interval ) | |
| 140 | { | |
| 141 | ctx->reseed_interval = interval; | |
| 142 | } | |
| 143 | ||
| 144 | static int block_cipher_df( unsigned char *output, | |
| 145 | const unsigned char *data, size_t data_len ) | |
| 146 | { | |
| 147 | unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16]; | |
| 148 | unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN]; | |
| 149 | unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE]; | |
| 150 | unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE]; | |
| 151 | unsigned char *p, *iv; | |
| 152 | mbedtls_aes_context aes_ctx; | |
| 153 | int ret = 0; | |
| 154 | ||
| 155 | int i, j; | |
| 156 | size_t buf_len, use_len; | |
| 157 | ||
| 158 | if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ) | |
| 159 | return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG ); | |
| 160 | ||
| 161 | memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 ); | |
| 162 | mbedtls_aes_init( &aes_ctx ); | |
| 163 | ||
| 164 | /* | |
| 165 | * Construct IV (16 bytes) and S in buffer | |
| 166 | * IV = Counter (in 32-bits) padded to 16 with zeroes | |
| 167 | * S = Length input string (in 32-bits) || Length of output (in 32-bits) || | |
| 168 | * data || 0x80 | |
| 169 | * (Total is padded to a multiple of 16-bytes with zeroes) | |
| 170 | */ | |
| 171 | p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE; | |
| 172 | *p++ = ( data_len >> 24 ) & 0xff; | |
| 173 | *p++ = ( data_len >> 16 ) & 0xff; | |
| 174 | *p++ = ( data_len >> 8 ) & 0xff; | |
| 175 | *p++ = ( data_len ) & 0xff; | |
| 176 | p += 3; | |
| 177 | *p++ = MBEDTLS_CTR_DRBG_SEEDLEN; | |
| 178 | memcpy( p, data, data_len ); | |
| 179 | p[data_len] = 0x80; | |
| 180 | ||
| 181 | buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1; | |
| 182 | ||
| 183 | for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ ) | |
| 184 | key[i] = i; | |
| 185 | ||
| 186 | if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 ) | |
| 187 | { | |
| 188 | goto exit; | |
| 189 | } | |
| 190 | ||
| 191 | /* | |
| 192 | * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data | |
| 193 | */ | |
| 194 | for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE ) | |
| 195 | { | |
| 196 | p = buf; | |
| 197 | memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE ); | |
| 198 | use_len = buf_len; | |
| 199 | ||
| 200 | while( use_len > 0 ) | |
| 201 | { | |
| 202 | for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ ) | |
| 203 | chain[i] ^= p[i]; | |
| 204 | p += MBEDTLS_CTR_DRBG_BLOCKSIZE; | |
| 205 | use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? | |
| 206 | MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len; | |
| 207 | ||
| 208 | if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain ) ) != 0 ) | |
| 209 | { | |
| 210 | goto exit; | |
| 211 | } | |
| 212 | } | |
| 213 | ||
| 214 | memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE ); | |
| 215 | ||
| 216 | /* | |
| 217 | * Update IV | |
| 218 | */ | |
| 219 | buf[3]++; | |
| 220 | } | |
| 221 | ||
| 222 | /* | |
| 223 | * Do final encryption with reduced data | |
| 224 | */ | |
| 225 | if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 ) | |
| 226 | { | |
| 227 | goto exit; | |
| 228 | } | |
| 229 | iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE; | |
| 230 | p = output; | |
| 231 | ||
| 232 | for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE ) | |
| 233 | { | |
| 234 | if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv ) ) != 0 ) | |
| 235 | { | |
| 236 | goto exit; | |
| 237 | } | |
| 238 | memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE ); | |
| 239 | p += MBEDTLS_CTR_DRBG_BLOCKSIZE; | |
| 240 | } | |
| 241 | exit: | |
| 242 | mbedtls_aes_free( &aes_ctx ); | |
| 243 | /* | |
| 244 | * tidy up the stack | |
| 245 | */ | |
| 246 | mbedtls_platform_zeroize( buf, sizeof( buf ) ); | |
| 247 | mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); | |
| 248 | mbedtls_platform_zeroize( key, sizeof( key ) ); | |
| 249 | mbedtls_platform_zeroize( chain, sizeof( chain ) ); | |
| 250 | if( 0 != ret ) | |
| 251 | { | |
| 252 | /* | |
| 253 | * wipe partial seed from memory | |
| 254 | */ | |
| 255 | mbedtls_platform_zeroize( output, MBEDTLS_CTR_DRBG_SEEDLEN ); | |
| 256 | } | |
| 257 | ||
| 258 | return( ret ); | |
| 259 | } | |
| 260 | ||
| 261 | static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx, | |
| 262 | const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] ) | |
| 263 | { | |
| 264 | unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN]; | |
| 265 | unsigned char *p = tmp; | |
| 266 | int i, j; | |
| 267 | int ret = 0; | |
| 268 | ||
| 269 | memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN ); | |
| 270 | ||
| 271 | for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE ) | |
| 272 | { | |
| 273 | /* | |
| 274 | * Increase counter | |
| 275 | */ | |
| 276 | for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- ) | |
| 277 | if( ++ctx->counter[i - 1] != 0 ) | |
| 278 | break; | |
| 279 | ||
| 280 | /* | |
| 281 | * Crypt counter block | |
| 282 | */ | |
| 283 | if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p ) ) != 0 ) | |
| 284 | { | |
| 285 | return( ret ); | |
| 286 | } | |
| 287 | ||
| 288 | p += MBEDTLS_CTR_DRBG_BLOCKSIZE; | |
| 289 | } | |
| 290 | ||
| 291 | for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ ) | |
| 292 | tmp[i] ^= data[i]; | |
| 293 | ||
| 294 | /* | |
| 295 | * Update key and counter | |
| 296 | */ | |
| 297 | if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 ) | |
| 298 | { | |
| 299 | return( ret ); | |
| 300 | } | |
| 301 | memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE ); | |
| 302 | ||
| 303 | return( 0 ); | |
| 304 | } | |
| 305 | ||
| 306 | void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx, | |
| 307 | const unsigned char *additional, size_t add_len ) | |
| 308 | { | |
| 309 | unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN]; | |
| 310 | ||
| 311 | if( add_len > 0 ) | |
| 312 | { | |
| 313 | /* MAX_INPUT would be more logical here, but we have to match | |
| 314 | * block_cipher_df()'s limits since we can't propagate errors */ | |
| 315 | if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ) | |
| 316 | add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT; | |
| 317 | ||
| 318 | block_cipher_df( add_input, additional, add_len ); | |
| 319 | ctr_drbg_update_internal( ctx, add_input ); | |
| 320 | } | |
| 321 | } | |
| 322 | ||
| 323 | int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx, | |
| 324 | const unsigned char *additional, size_t len ) | |
| 325 | { | |
| 326 | unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT]; | |
| 327 | size_t seedlen = 0; | |
| 328 | int ret; | |
| 329 | ||
| 330 | if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT || | |
| 331 | len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len ) | |
| 332 | return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG ); | |
| 333 | ||
| 334 | memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ); | |
| 335 | ||
| 336 | /* | |
| 337 | * Gather entropy_len bytes of entropy to seed state | |
| 338 | */ | |
| 339 | if( 0 != ctx->f_entropy( ctx->p_entropy, seed, | |
| 340 | ctx->entropy_len ) ) | |
| 341 | { | |
| 342 | return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED ); | |
| 343 | } | |
| 344 | ||
| 345 | seedlen += ctx->entropy_len; | |
| 346 | ||
| 347 | /* | |
| 348 | * Add additional data | |
| 349 | */ | |
| 350 | if( additional && len ) | |
| 351 | { | |
| 352 | memcpy( seed + seedlen, additional, len ); | |
| 353 | seedlen += len; | |
| 354 | } | |
| 355 | ||
| 356 | /* | |
| 357 | * Reduce to 384 bits | |
| 358 | */ | |
| 359 | if( ( ret = block_cipher_df( seed, seed, seedlen ) ) != 0 ) | |
| 360 | { | |
| 361 | return( ret ); | |
| 362 | } | |
| 363 | ||
| 364 | /* | |
| 365 | * Update state | |
| 366 | */ | |
| 367 | if( ( ret = ctr_drbg_update_internal( ctx, seed ) ) != 0 ) | |
| 368 | { | |
| 369 | return( ret ); | |
| 370 | } | |
| 371 | ctx->reseed_counter = 1; | |
| 372 | ||
| 373 | return( 0 ); | |
| 374 | } | |
| 375 | ||
| 376 | int mbedtls_ctr_drbg_random_with_add( void *p_rng, | |
| 377 | unsigned char *output, size_t output_len, | |
| 378 | const unsigned char *additional, size_t add_len ) | |
| 379 | { | |
| 380 | int ret = 0; | |
| 381 | mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng; | |
| 382 | unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN]; | |
| 383 | unsigned char *p = output; | |
| 384 | unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE]; | |
| 385 | int i; | |
| 386 | size_t use_len; | |
| 387 | ||
| 388 | if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST ) | |
| 389 | return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG ); | |
| 390 | ||
| 391 | if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT ) | |
| 392 | return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG ); | |
| 393 | ||
| 394 | memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN ); | |
| 395 | ||
| 396 | if( ctx->reseed_counter > ctx->reseed_interval || | |
| 397 | ctx->prediction_resistance ) | |
| 398 | { | |
| 399 | if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 ) | |
| 400 | { | |
| 401 | return( ret ); | |
| 402 | } | |
| 403 | add_len = 0; | |
| 404 | } | |
| 405 | ||
| 406 | if( add_len > 0 ) | |
| 407 | { | |
| 408 | if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 ) | |
| 409 | { | |
| 410 | return( ret ); | |
| 411 | } | |
| 412 | if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 ) | |
| 413 | { | |
| 414 | return( ret ); | |
| 415 | } | |
| 416 | } | |
| 417 | ||
| 418 | while( output_len > 0 ) | |
| 419 | { | |
| 420 | /* | |
| 421 | * Increase counter | |
| 422 | */ | |
| 423 | for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- ) | |
| 424 | if( ++ctx->counter[i - 1] != 0 ) | |
| 425 | break; | |
| 426 | ||
| 427 | /* | |
| 428 | * Crypt counter block | |
| 429 | */ | |
| 430 | if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp ) ) != 0 ) | |
| 431 | { | |
| 432 | return( ret ); | |
| 433 | } | |
| 434 | ||
| 435 | use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? MBEDTLS_CTR_DRBG_BLOCKSIZE : | |
| 436 | output_len; | |
| 437 | /* | |
| 438 | * Copy random block to destination | |
| 439 | */ | |
| 440 | memcpy( p, tmp, use_len ); | |
| 441 | p += use_len; | |
| 442 | output_len -= use_len; | |
| 443 | } | |
| 444 | ||
| 445 | if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 ) | |
| 446 | { | |
| 447 | return( ret ); | |
| 448 | } | |
| 449 | ||
| 450 | ctx->reseed_counter++; | |
| 451 | ||
| 452 | return( 0 ); | |
| 453 | } | |
| 454 | ||
| 455 | int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len ) | |
| 456 | { | |
| 457 | int ret; | |
| 458 | mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng; | |
| 459 | ||
| 460 | #if defined(MBEDTLS_THREADING_C) | |
| 461 | if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) | |
| 462 | return( ret ); | |
| 463 | #endif | |
| 464 | ||
| 465 | ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 ); | |
| 466 | ||
| 467 | #if defined(MBEDTLS_THREADING_C) | |
| 468 | if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) | |
| 469 | return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); | |
| 470 | #endif | |
| 471 | ||
| 472 | return( ret ); | |
| 473 | } | |
| 474 | ||
| 475 | #if defined(MBEDTLS_FS_IO) | |
| 476 | int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path ) | |
| 477 | { | |
| 478 | int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR; | |
| 479 | FILE *f; | |
| 480 | unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ]; | |
| 481 | ||
| 482 | if( ( f = fopen( path, "wb" ) ) == NULL ) | |
| 483 | return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR ); | |
| 484 | ||
| 485 | if( ( ret = mbedtls_ctr_drbg_random( ctx, buf, MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 ) | |
| 486 | goto exit; | |
| 487 | ||
| 488 | if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) != MBEDTLS_CTR_DRBG_MAX_INPUT ) | |
| 489 | ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR; | |
| 490 | else | |
| 491 | ret = 0; | |
| 492 | ||
| 493 | exit: | |
| 494 | mbedtls_platform_zeroize( buf, sizeof( buf ) ); | |
| 495 | ||
| 496 | fclose( f ); | |
| 497 | return( ret ); | |
| 498 | } | |
| 499 | ||
| 500 | int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path ) | |
| 501 | { | |
| 502 | int ret = 0; | |
| 503 | FILE *f; | |
| 504 | size_t n; | |
| 505 | unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ]; | |
| 506 | ||
| 507 | if( ( f = fopen( path, "rb" ) ) == NULL ) | |
| 508 | return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR ); | |
| 509 | ||
| 510 | fseek( f, 0, SEEK_END ); | |
| 511 | n = (size_t) ftell( f ); | |
| 512 | fseek( f, 0, SEEK_SET ); | |
| 513 | ||
| 514 | if( n > MBEDTLS_CTR_DRBG_MAX_INPUT ) | |
| 515 | { | |
| 516 | fclose( f ); | |
| 517 | return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG ); | |
| 518 | } | |
| 519 | ||
| 520 | if( fread( buf, 1, n, f ) != n ) | |
| 521 | ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR; | |
| 522 | else | |
| 523 | mbedtls_ctr_drbg_update( ctx, buf, n ); | |
| 524 | ||
| 525 | fclose( f ); | |
| 526 | ||
| 527 | mbedtls_platform_zeroize( buf, sizeof( buf ) ); | |
| 528 | ||
| 529 | if( ret != 0 ) | |
| 530 | return( ret ); | |
| 531 | ||
| 532 | return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) ); | |
| 533 | } | |
| 534 | #endif /* MBEDTLS_FS_IO */ | |
| 535 | ||
| 536 | #if defined(MBEDTLS_SELF_TEST) | |
| 537 | ||
| 538 | static const unsigned char entropy_source_pr[96] = | |
| 539 | { 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16, | |
| 540 | 0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02, | |
| 541 | 0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b, | |
| 542 | 0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb, | |
| 543 | 0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9, | |
| 544 | 0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95, | |
| 545 | 0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63, | |
| 546 | 0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3, | |
| 547 | 0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31, | |
| 548 | 0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4, | |
| 549 | 0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56, | |
| 550 | 0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 }; | |
| 551 | ||
| 552 | static const unsigned char entropy_source_nopr[64] = | |
| 553 | { 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14, | |
| 554 | 0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe, | |
| 555 | 0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d, | |
| 556 | 0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20, | |
| 557 | 0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9, | |
| 558 | 0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46, | |
| 559 | 0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e, | |
| 560 | 0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e }; | |
| 561 | ||
| 562 | static const unsigned char nonce_pers_pr[16] = | |
| 563 | { 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2, | |
| 564 | 0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c }; | |
| 565 | ||
| 566 | static const unsigned char nonce_pers_nopr[16] = | |
| 567 | { 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5, | |
| 568 | 0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f }; | |
| 569 | ||
| 570 | static const unsigned char result_pr[16] = | |
| 571 | { 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f, | |
| 572 | 0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 }; | |
| 573 | ||
| 574 | static const unsigned char result_nopr[16] = | |
| 575 | { 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88, | |
| 576 | 0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f }; | |
| 577 | ||
| 578 | static size_t test_offset; | |
| 579 | static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf, | |
| 580 | size_t len ) | |
| 581 | { | |
| 582 | const unsigned char *p = data; | |
| 583 | memcpy( buf, p + test_offset, len ); | |
| 584 | test_offset += len; | |
| 585 | return( 0 ); | |
| 586 | } | |
| 587 | ||
| 588 | #define CHK( c ) if( (c) != 0 ) \ | |
| 589 | { \ | |
| 590 | if( verbose != 0 ) \ | |
| 591 | mbedtls_printf( "failed\n" ); \ | |
| 592 | return( 1 ); \ | |
| 593 | } | |
| 594 | ||
| 595 | /* | |
| 596 | * Checkup routine | |
| 597 | */ | |
| 598 | int mbedtls_ctr_drbg_self_test( int verbose ) | |
| 599 | { | |
| 600 | mbedtls_ctr_drbg_context ctx; | |
| 601 | unsigned char buf[16]; | |
| 602 | ||
| 603 | mbedtls_ctr_drbg_init( &ctx ); | |
| 604 | ||
| 605 | /* | |
| 606 | * Based on a NIST CTR_DRBG test vector (PR = True) | |
| 607 | */ | |
| 608 | if( verbose != 0 ) | |
| 609 | mbedtls_printf( " CTR_DRBG (PR = TRUE) : " ); | |
| 610 | ||
| 611 | test_offset = 0; | |
| 612 | CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy, | |
| 613 | (void *) entropy_source_pr, nonce_pers_pr, 16, 32 ) ); | |
| 614 | mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON ); | |
| 615 | CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) ); | |
| 616 | CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) ); | |
| 617 | CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) ); | |
| 618 | ||
| 619 | mbedtls_ctr_drbg_free( &ctx ); | |
| 620 | ||
| 621 | if( verbose != 0 ) | |
| 622 | mbedtls_printf( "passed\n" ); | |
| 623 | ||
| 624 | /* | |
| 625 | * Based on a NIST CTR_DRBG test vector (PR = FALSE) | |
| 626 | */ | |
| 627 | if( verbose != 0 ) | |
| 628 | mbedtls_printf( " CTR_DRBG (PR = FALSE): " ); | |
| 629 | ||
| 630 | mbedtls_ctr_drbg_init( &ctx ); | |
| 631 | ||
| 632 | test_offset = 0; | |
| 633 | CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy, | |
| 634 | (void *) entropy_source_nopr, nonce_pers_nopr, 16, 32 ) ); | |
| 635 | CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) ); | |
| 636 | CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) ); | |
| 637 | CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) ); | |
| 638 | CHK( memcmp( buf, result_nopr, 16 ) ); | |
| 639 | ||
| 640 | mbedtls_ctr_drbg_free( &ctx ); | |
| 641 | ||
| 642 | if( verbose != 0 ) | |
| 643 | mbedtls_printf( "passed\n" ); | |
| 644 | ||
| 645 | if( verbose != 0 ) | |
| 646 | mbedtls_printf( "\n" ); | |
| 647 | ||
| 648 | return( 0 ); | |
| 649 | } | |
| 650 | #endif /* MBEDTLS_SELF_TEST */ | |
| 651 | ||
| 652 | #endif /* MBEDTLS_CTR_DRBG_C */ |