ctr_drbg.c 29 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899
  1. /*
  2. * CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
  3. *
  4. * Copyright The Mbed TLS Contributors
  5. * SPDX-License-Identifier: Apache-2.0
  6. *
  7. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  8. * not use this file except in compliance with the License.
  9. * You may obtain a copy of the License at
  10. *
  11. * http://www.apache.org/licenses/LICENSE-2.0
  12. *
  13. * Unless required by applicable law or agreed to in writing, software
  14. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  15. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16. * See the License for the specific language governing permissions and
  17. * limitations under the License.
  18. */
  19. /*
  20. * The NIST SP 800-90 DRBGs are described in the following publication.
  21. *
  22. * http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
  23. */
  24. #include "common.h"
  25. #if defined(MBEDTLS_CTR_DRBG_C)
  26. #include "mbedtls/ctr_drbg.h"
  27. #include "mbedtls/platform_util.h"
  28. #include "mbedtls/error.h"
  29. #include <string.h>
  30. #if defined(MBEDTLS_FS_IO)
  31. #include <stdio.h>
  32. #endif
  33. #if defined(MBEDTLS_SELF_TEST)
  34. #if defined(MBEDTLS_PLATFORM_C)
  35. #include "mbedtls/platform.h"
  36. #else
  37. #include <stdio.h>
  38. #define mbedtls_printf printf
  39. #endif /* MBEDTLS_PLATFORM_C */
  40. #endif /* MBEDTLS_SELF_TEST */
  41. /*
  42. * CTR_DRBG context initialization
  43. */
  44. void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
  45. {
  46. memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) );
  47. /* Indicate that the entropy nonce length is not set explicitly.
  48. * See mbedtls_ctr_drbg_set_nonce_len(). */
  49. ctx->reseed_counter = -1;
  50. ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
  51. }
  52. /*
  53. * This function resets CTR_DRBG context to the state immediately
  54. * after initial call of mbedtls_ctr_drbg_init().
  55. */
  56. void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
  57. {
  58. if( ctx == NULL )
  59. return;
  60. #if defined(MBEDTLS_THREADING_C)
  61. /* The mutex is initialized iff f_entropy is set. */
  62. if( ctx->f_entropy != NULL )
  63. mbedtls_mutex_free( &ctx->mutex );
  64. #endif
  65. mbedtls_aes_free( &ctx->aes_ctx );
  66. mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
  67. ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
  68. ctx->reseed_counter = -1;
  69. }
  70. void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
  71. int resistance )
  72. {
  73. ctx->prediction_resistance = resistance;
  74. }
  75. void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx,
  76. size_t len )
  77. {
  78. ctx->entropy_len = len;
  79. }
  80. int mbedtls_ctr_drbg_set_nonce_len( mbedtls_ctr_drbg_context *ctx,
  81. size_t len )
  82. {
  83. /* If mbedtls_ctr_drbg_seed() has already been called, it's
  84. * too late. Return the error code that's closest to making sense. */
  85. if( ctx->f_entropy != NULL )
  86. return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
  87. if( len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
  88. return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
  89. #if SIZE_MAX > INT_MAX
  90. /* This shouldn't be an issue because
  91. * MBEDTLS_CTR_DRBG_MAX_SEED_INPUT < INT_MAX in any sensible
  92. * configuration, but make sure anyway. */
  93. if( len > INT_MAX )
  94. return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
  95. #endif
  96. /* For backward compatibility with Mbed TLS <= 2.19, store the
  97. * entropy nonce length in a field that already exists, but isn't
  98. * used until after the initial seeding. */
  99. /* Due to the capping of len above, the value fits in an int. */
  100. ctx->reseed_counter = (int) len;
  101. return( 0 );
  102. }
  103. void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx,
  104. int interval )
  105. {
  106. ctx->reseed_interval = interval;
  107. }
  108. static int block_cipher_df( unsigned char *output,
  109. const unsigned char *data, size_t data_len )
  110. {
  111. unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
  112. MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
  113. unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
  114. unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
  115. unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
  116. unsigned char *p, *iv;
  117. mbedtls_aes_context aes_ctx;
  118. int ret = 0;
  119. int i, j;
  120. size_t buf_len, use_len;
  121. if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
  122. return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
  123. memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
  124. MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 );
  125. mbedtls_aes_init( &aes_ctx );
  126. /*
  127. * Construct IV (16 bytes) and S in buffer
  128. * IV = Counter (in 32-bits) padded to 16 with zeroes
  129. * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
  130. * data || 0x80
  131. * (Total is padded to a multiple of 16-bytes with zeroes)
  132. */
  133. p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
  134. MBEDTLS_PUT_UINT32_BE( data_len, p, 0);
  135. p += 4 + 3;
  136. *p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
  137. memcpy( p, data, data_len );
  138. p[data_len] = 0x80;
  139. buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
  140. for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
  141. key[i] = i;
  142. if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, key,
  143. MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
  144. {
  145. goto exit;
  146. }
  147. /*
  148. * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
  149. */
  150. for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
  151. {
  152. p = buf;
  153. memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE );
  154. use_len = buf_len;
  155. while( use_len > 0 )
  156. {
  157. for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ )
  158. chain[i] ^= p[i];
  159. p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
  160. use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ?
  161. MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
  162. if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT,
  163. chain, chain ) ) != 0 )
  164. {
  165. goto exit;
  166. }
  167. }
  168. memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE );
  169. /*
  170. * Update IV
  171. */
  172. buf[3]++;
  173. }
  174. /*
  175. * Do final encryption with reduced data
  176. */
  177. if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, tmp,
  178. MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
  179. {
  180. goto exit;
  181. }
  182. iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
  183. p = output;
  184. for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
  185. {
  186. if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT,
  187. iv, iv ) ) != 0 )
  188. {
  189. goto exit;
  190. }
  191. memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE );
  192. p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
  193. }
  194. exit:
  195. mbedtls_aes_free( &aes_ctx );
  196. /*
  197. * tidy up the stack
  198. */
  199. mbedtls_platform_zeroize( buf, sizeof( buf ) );
  200. mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
  201. mbedtls_platform_zeroize( key, sizeof( key ) );
  202. mbedtls_platform_zeroize( chain, sizeof( chain ) );
  203. if( 0 != ret )
  204. {
  205. /*
  206. * wipe partial seed from memory
  207. */
  208. mbedtls_platform_zeroize( output, MBEDTLS_CTR_DRBG_SEEDLEN );
  209. }
  210. return( ret );
  211. }
  212. /* CTR_DRBG_Update (SP 800-90A &sect;10.2.1.2)
  213. * ctr_drbg_update_internal(ctx, provided_data)
  214. * implements
  215. * CTR_DRBG_Update(provided_data, Key, V)
  216. * with inputs and outputs
  217. * ctx->aes_ctx = Key
  218. * ctx->counter = V
  219. */
  220. static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
  221. const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
  222. {
  223. unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
  224. unsigned char *p = tmp;
  225. int i, j;
  226. int ret = 0;
  227. memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
  228. for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
  229. {
  230. /*
  231. * Increase counter
  232. */
  233. for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
  234. if( ++ctx->counter[i - 1] != 0 )
  235. break;
  236. /*
  237. * Crypt counter block
  238. */
  239. if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
  240. ctx->counter, p ) ) != 0 )
  241. {
  242. goto exit;
  243. }
  244. p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
  245. }
  246. for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ )
  247. tmp[i] ^= data[i];
  248. /*
  249. * Update key and counter
  250. */
  251. if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp,
  252. MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
  253. {
  254. goto exit;
  255. }
  256. memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE,
  257. MBEDTLS_CTR_DRBG_BLOCKSIZE );
  258. exit:
  259. mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
  260. return( ret );
  261. }
  262. /* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
  263. * mbedtls_ctr_drbg_update(ctx, additional, add_len)
  264. * implements
  265. * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
  266. * security_strength) -> initial_working_state
  267. * with inputs
  268. * ctx->counter = all-bits-0
  269. * ctx->aes_ctx = context from all-bits-0 key
  270. * additional[:add_len] = entropy_input || nonce || personalization_string
  271. * and with outputs
  272. * ctx = initial_working_state
  273. */
  274. int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
  275. const unsigned char *additional,
  276. size_t add_len )
  277. {
  278. unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
  279. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  280. if( add_len == 0 )
  281. return( 0 );
  282. if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
  283. goto exit;
  284. if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
  285. goto exit;
  286. exit:
  287. mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
  288. return( ret );
  289. }
  290. #if !defined(MBEDTLS_DEPRECATED_REMOVED)
  291. void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
  292. const unsigned char *additional,
  293. size_t add_len )
  294. {
  295. /* MAX_INPUT would be more logical here, but we have to match
  296. * block_cipher_df()'s limits since we can't propagate errors */
  297. if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
  298. add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
  299. (void) mbedtls_ctr_drbg_update_ret( ctx, additional, add_len );
  300. }
  301. #endif /* MBEDTLS_DEPRECATED_REMOVED */
  302. /* CTR_DRBG_Reseed with derivation function (SP 800-90A &sect;10.2.1.4.2)
  303. * mbedtls_ctr_drbg_reseed(ctx, additional, len, nonce_len)
  304. * implements
  305. * CTR_DRBG_Reseed(working_state, entropy_input, additional_input)
  306. * -> new_working_state
  307. * with inputs
  308. * ctx contains working_state
  309. * additional[:len] = additional_input
  310. * and entropy_input comes from calling ctx->f_entropy
  311. * for (ctx->entropy_len + nonce_len) bytes
  312. * and with output
  313. * ctx contains new_working_state
  314. */
  315. static int mbedtls_ctr_drbg_reseed_internal( mbedtls_ctr_drbg_context *ctx,
  316. const unsigned char *additional,
  317. size_t len,
  318. size_t nonce_len )
  319. {
  320. unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
  321. size_t seedlen = 0;
  322. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  323. if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
  324. return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
  325. if( nonce_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
  326. return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
  327. if( len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len - nonce_len )
  328. return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
  329. memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
  330. /* Gather entropy_len bytes of entropy to seed state. */
  331. if( 0 != ctx->f_entropy( ctx->p_entropy, seed, ctx->entropy_len ) )
  332. {
  333. return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
  334. }
  335. seedlen += ctx->entropy_len;
  336. /* Gather entropy for a nonce if requested. */
  337. if( nonce_len != 0 )
  338. {
  339. if( 0 != ctx->f_entropy( ctx->p_entropy, seed + seedlen, nonce_len ) )
  340. {
  341. return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
  342. }
  343. seedlen += nonce_len;
  344. }
  345. /* Add additional data if provided. */
  346. if( additional != NULL && len != 0 )
  347. {
  348. memcpy( seed + seedlen, additional, len );
  349. seedlen += len;
  350. }
  351. /* Reduce to 384 bits. */
  352. if( ( ret = block_cipher_df( seed, seed, seedlen ) ) != 0 )
  353. goto exit;
  354. /* Update state. */
  355. if( ( ret = ctr_drbg_update_internal( ctx, seed ) ) != 0 )
  356. goto exit;
  357. ctx->reseed_counter = 1;
  358. exit:
  359. mbedtls_platform_zeroize( seed, sizeof( seed ) );
  360. return( ret );
  361. }
  362. int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
  363. const unsigned char *additional, size_t len )
  364. {
  365. return( mbedtls_ctr_drbg_reseed_internal( ctx, additional, len, 0 ) );
  366. }
  367. /* Return a "good" nonce length for CTR_DRBG. The chosen nonce length
  368. * is sufficient to achieve the maximum security strength given the key
  369. * size and entropy length. If there is enough entropy in the initial
  370. * call to the entropy function to serve as both the entropy input and
  371. * the nonce, don't make a second call to get a nonce. */
  372. static size_t good_nonce_len( size_t entropy_len )
  373. {
  374. if( entropy_len >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2 )
  375. return( 0 );
  376. else
  377. return( ( entropy_len + 1 ) / 2 );
  378. }
  379. /* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
  380. * mbedtls_ctr_drbg_seed(ctx, f_entropy, p_entropy, custom, len)
  381. * implements
  382. * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
  383. * security_strength) -> initial_working_state
  384. * with inputs
  385. * custom[:len] = nonce || personalization_string
  386. * where entropy_input comes from f_entropy for ctx->entropy_len bytes
  387. * and with outputs
  388. * ctx = initial_working_state
  389. */
  390. int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
  391. int (*f_entropy)(void *, unsigned char *, size_t),
  392. void *p_entropy,
  393. const unsigned char *custom,
  394. size_t len )
  395. {
  396. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  397. unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
  398. size_t nonce_len;
  399. memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
  400. /* The mutex is initialized iff f_entropy is set. */
  401. #if defined(MBEDTLS_THREADING_C)
  402. mbedtls_mutex_init( &ctx->mutex );
  403. #endif
  404. mbedtls_aes_init( &ctx->aes_ctx );
  405. ctx->f_entropy = f_entropy;
  406. ctx->p_entropy = p_entropy;
  407. if( ctx->entropy_len == 0 )
  408. ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
  409. /* ctx->reseed_counter contains the desired amount of entropy to
  410. * grab for a nonce (see mbedtls_ctr_drbg_set_nonce_len()).
  411. * If it's -1, indicating that the entropy nonce length was not set
  412. * explicitly, use a sufficiently large nonce for security. */
  413. nonce_len = ( ctx->reseed_counter >= 0 ?
  414. (size_t) ctx->reseed_counter :
  415. good_nonce_len( ctx->entropy_len ) );
  416. /* Initialize with an empty key. */
  417. if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key,
  418. MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
  419. {
  420. return( ret );
  421. }
  422. /* Do the initial seeding. */
  423. if( ( ret = mbedtls_ctr_drbg_reseed_internal( ctx, custom, len,
  424. nonce_len ) ) != 0 )
  425. {
  426. return( ret );
  427. }
  428. return( 0 );
  429. }
  430. /* CTR_DRBG_Generate with derivation function (SP 800-90A &sect;10.2.1.5.2)
  431. * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
  432. * implements
  433. * CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len])
  434. * -> working_state_after_reseed
  435. * if required, then
  436. * CTR_DRBG_Generate(working_state_after_reseed,
  437. * requested_number_of_bits, additional_input)
  438. * -> status, returned_bits, new_working_state
  439. * with inputs
  440. * ctx contains working_state
  441. * requested_number_of_bits = 8 * output_len
  442. * additional[:add_len] = additional_input
  443. * and entropy_input comes from calling ctx->f_entropy
  444. * and with outputs
  445. * status = SUCCESS (this function does the reseed internally)
  446. * returned_bits = output[:output_len]
  447. * ctx contains new_working_state
  448. */
  449. int mbedtls_ctr_drbg_random_with_add( void *p_rng,
  450. unsigned char *output, size_t output_len,
  451. const unsigned char *additional, size_t add_len )
  452. {
  453. int ret = 0;
  454. mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
  455. unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
  456. unsigned char *p = output;
  457. unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
  458. int i;
  459. size_t use_len;
  460. if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST )
  461. return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG );
  462. if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT )
  463. return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
  464. memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
  465. if( ctx->reseed_counter > ctx->reseed_interval ||
  466. ctx->prediction_resistance )
  467. {
  468. if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
  469. {
  470. return( ret );
  471. }
  472. add_len = 0;
  473. }
  474. if( add_len > 0 )
  475. {
  476. if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
  477. goto exit;
  478. if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
  479. goto exit;
  480. }
  481. while( output_len > 0 )
  482. {
  483. /*
  484. * Increase counter
  485. */
  486. for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
  487. if( ++ctx->counter[i - 1] != 0 )
  488. break;
  489. /*
  490. * Crypt counter block
  491. */
  492. if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
  493. ctx->counter, tmp ) ) != 0 )
  494. {
  495. goto exit;
  496. }
  497. use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE )
  498. ? MBEDTLS_CTR_DRBG_BLOCKSIZE : output_len;
  499. /*
  500. * Copy random block to destination
  501. */
  502. memcpy( p, tmp, use_len );
  503. p += use_len;
  504. output_len -= use_len;
  505. }
  506. if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
  507. goto exit;
  508. ctx->reseed_counter++;
  509. exit:
  510. mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
  511. mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
  512. return( ret );
  513. }
  514. int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output,
  515. size_t output_len )
  516. {
  517. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  518. mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
  519. #if defined(MBEDTLS_THREADING_C)
  520. if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
  521. return( ret );
  522. #endif
  523. ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 );
  524. #if defined(MBEDTLS_THREADING_C)
  525. if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
  526. return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
  527. #endif
  528. return( ret );
  529. }
  530. #if defined(MBEDTLS_FS_IO)
  531. int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx,
  532. const char *path )
  533. {
  534. int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
  535. FILE *f;
  536. unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
  537. if( ( f = fopen( path, "wb" ) ) == NULL )
  538. return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
  539. if( ( ret = mbedtls_ctr_drbg_random( ctx, buf,
  540. MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
  541. goto exit;
  542. if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) !=
  543. MBEDTLS_CTR_DRBG_MAX_INPUT )
  544. {
  545. ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
  546. }
  547. else
  548. {
  549. ret = 0;
  550. }
  551. exit:
  552. mbedtls_platform_zeroize( buf, sizeof( buf ) );
  553. fclose( f );
  554. return( ret );
  555. }
  556. int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx,
  557. const char *path )
  558. {
  559. int ret = 0;
  560. FILE *f = NULL;
  561. size_t n;
  562. unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
  563. unsigned char c;
  564. if( ( f = fopen( path, "rb" ) ) == NULL )
  565. return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
  566. n = fread( buf, 1, sizeof( buf ), f );
  567. if( fread( &c, 1, 1, f ) != 0 )
  568. {
  569. ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
  570. goto exit;
  571. }
  572. if( n == 0 || ferror( f ) )
  573. {
  574. ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
  575. goto exit;
  576. }
  577. fclose( f );
  578. f = NULL;
  579. ret = mbedtls_ctr_drbg_update_ret( ctx, buf, n );
  580. exit:
  581. mbedtls_platform_zeroize( buf, sizeof( buf ) );
  582. if( f != NULL )
  583. fclose( f );
  584. if( ret != 0 )
  585. return( ret );
  586. return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
  587. }
  588. #endif /* MBEDTLS_FS_IO */
  589. #if defined(MBEDTLS_SELF_TEST)
  590. /* The CTR_DRBG NIST test vectors used here are available at
  591. * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/drbg/drbgtestvectors.zip
  592. *
  593. * The parameters used to derive the test data are:
  594. *
  595. * [AES-128 use df]
  596. * [PredictionResistance = True/False]
  597. * [EntropyInputLen = 128]
  598. * [NonceLen = 64]
  599. * [PersonalizationStringLen = 128]
  600. * [AdditionalInputLen = 0]
  601. * [ReturnedBitsLen = 512]
  602. *
  603. * [AES-256 use df]
  604. * [PredictionResistance = True/False]
  605. * [EntropyInputLen = 256]
  606. * [NonceLen = 128]
  607. * [PersonalizationStringLen = 256]
  608. * [AdditionalInputLen = 0]
  609. * [ReturnedBitsLen = 512]
  610. *
  611. */
  612. #if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
  613. static const unsigned char entropy_source_pr[] =
  614. { 0x04, 0xd9, 0x49, 0xa6, 0xdc, 0xe8, 0x6e, 0xbb,
  615. 0xf1, 0x08, 0x77, 0x2b, 0x9e, 0x08, 0xca, 0x92,
  616. 0x65, 0x16, 0xda, 0x99, 0xa2, 0x59, 0xf3, 0xe8,
  617. 0x38, 0x7e, 0x3f, 0x6b, 0x51, 0x70, 0x7b, 0x20,
  618. 0xec, 0x53, 0xd0, 0x66, 0xc3, 0x0f, 0xe3, 0xb0,
  619. 0xe0, 0x86, 0xa6, 0xaa, 0x5f, 0x72, 0x2f, 0xad,
  620. 0xf7, 0xef, 0x06, 0xb8, 0xd6, 0x9c, 0x9d, 0xe8 };
  621. static const unsigned char entropy_source_nopr[] =
  622. { 0x07, 0x0d, 0x59, 0x63, 0x98, 0x73, 0xa5, 0x45,
  623. 0x27, 0x38, 0x22, 0x7b, 0x76, 0x85, 0xd1, 0xa9,
  624. 0x74, 0x18, 0x1f, 0x3c, 0x22, 0xf6, 0x49, 0x20,
  625. 0x4a, 0x47, 0xc2, 0xf3, 0x85, 0x16, 0xb4, 0x6f,
  626. 0x00, 0x2e, 0x71, 0xda, 0xed, 0x16, 0x9b, 0x5c };
  627. static const unsigned char pers_pr[] =
  628. { 0xbf, 0xa4, 0x9a, 0x8f, 0x7b, 0xd8, 0xb1, 0x7a,
  629. 0x9d, 0xfa, 0x45, 0xed, 0x21, 0x52, 0xb3, 0xad };
  630. static const unsigned char pers_nopr[] =
  631. { 0x4e, 0x61, 0x79, 0xd4, 0xc2, 0x72, 0xa1, 0x4c,
  632. 0xf1, 0x3d, 0xf6, 0x5e, 0xa3, 0xa6, 0xe5, 0x0f };
  633. static const unsigned char result_pr[] =
  634. { 0xc9, 0x0a, 0xaf, 0x85, 0x89, 0x71, 0x44, 0x66,
  635. 0x4f, 0x25, 0x0b, 0x2b, 0xde, 0xd8, 0xfa, 0xff,
  636. 0x52, 0x5a, 0x1b, 0x32, 0x5e, 0x41, 0x7a, 0x10,
  637. 0x1f, 0xef, 0x1e, 0x62, 0x23, 0xe9, 0x20, 0x30,
  638. 0xc9, 0x0d, 0xad, 0x69, 0xb4, 0x9c, 0x5b, 0xf4,
  639. 0x87, 0x42, 0xd5, 0xae, 0x5e, 0x5e, 0x43, 0xcc,
  640. 0xd9, 0xfd, 0x0b, 0x93, 0x4a, 0xe3, 0xd4, 0x06,
  641. 0x37, 0x36, 0x0f, 0x3f, 0x72, 0x82, 0x0c, 0xcf };
  642. static const unsigned char result_nopr[] =
  643. { 0x31, 0xc9, 0x91, 0x09, 0xf8, 0xc5, 0x10, 0x13,
  644. 0x3c, 0xd3, 0x96, 0xf9, 0xbc, 0x2c, 0x12, 0xc0,
  645. 0x7c, 0xc1, 0x61, 0x5f, 0xa3, 0x09, 0x99, 0xaf,
  646. 0xd7, 0xf2, 0x36, 0xfd, 0x40, 0x1a, 0x8b, 0xf2,
  647. 0x33, 0x38, 0xee, 0x1d, 0x03, 0x5f, 0x83, 0xb7,
  648. 0xa2, 0x53, 0xdc, 0xee, 0x18, 0xfc, 0xa7, 0xf2,
  649. 0xee, 0x96, 0xc6, 0xc2, 0xcd, 0x0c, 0xff, 0x02,
  650. 0x76, 0x70, 0x69, 0xaa, 0x69, 0xd1, 0x3b, 0xe8 };
  651. #else /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
  652. static const unsigned char entropy_source_pr[] =
  653. { 0xca, 0x58, 0xfd, 0xf2, 0xb9, 0x77, 0xcb, 0x49,
  654. 0xd4, 0xe0, 0x5b, 0xe2, 0x39, 0x50, 0xd9, 0x8a,
  655. 0x6a, 0xb3, 0xc5, 0x2f, 0xdf, 0x74, 0xd5, 0x85,
  656. 0x8f, 0xd1, 0xba, 0x64, 0x54, 0x7b, 0xdb, 0x1e,
  657. 0xc5, 0xea, 0x24, 0xc0, 0xfa, 0x0c, 0x90, 0x15,
  658. 0x09, 0x20, 0x92, 0x42, 0x32, 0x36, 0x45, 0x45,
  659. 0x7d, 0x20, 0x76, 0x6b, 0xcf, 0xa2, 0x15, 0xc8,
  660. 0x2f, 0x9f, 0xbc, 0x88, 0x3f, 0x80, 0xd1, 0x2c,
  661. 0xb7, 0x16, 0xd1, 0x80, 0x9e, 0xe1, 0xc9, 0xb3,
  662. 0x88, 0x1b, 0x21, 0x45, 0xef, 0xa1, 0x7f, 0xce,
  663. 0xc8, 0x92, 0x35, 0x55, 0x2a, 0xd9, 0x1d, 0x8e,
  664. 0x12, 0x38, 0xac, 0x01, 0x4e, 0x38, 0x18, 0x76,
  665. 0x9c, 0xf2, 0xb6, 0xd4, 0x13, 0xb6, 0x2c, 0x77,
  666. 0xc0, 0xe7, 0xe6, 0x0c, 0x47, 0x44, 0x95, 0xbe };
  667. static const unsigned char entropy_source_nopr[] =
  668. { 0x4c, 0xfb, 0x21, 0x86, 0x73, 0x34, 0x6d, 0x9d,
  669. 0x50, 0xc9, 0x22, 0xe4, 0x9b, 0x0d, 0xfc, 0xd0,
  670. 0x90, 0xad, 0xf0, 0x4f, 0x5c, 0x3b, 0xa4, 0x73,
  671. 0x27, 0xdf, 0xcd, 0x6f, 0xa6, 0x3a, 0x78, 0x5c,
  672. 0x01, 0x69, 0x62, 0xa7, 0xfd, 0x27, 0x87, 0xa2,
  673. 0x4b, 0xf6, 0xbe, 0x47, 0xef, 0x37, 0x83, 0xf1,
  674. 0xb7, 0xec, 0x46, 0x07, 0x23, 0x63, 0x83, 0x4a,
  675. 0x1b, 0x01, 0x33, 0xf2, 0xc2, 0x38, 0x91, 0xdb,
  676. 0x4f, 0x11, 0xa6, 0x86, 0x51, 0xf2, 0x3e, 0x3a,
  677. 0x8b, 0x1f, 0xdc, 0x03, 0xb1, 0x92, 0xc7, 0xe7 };
  678. static const unsigned char pers_pr[] =
  679. { 0x5a, 0x70, 0x95, 0xe9, 0x81, 0x40, 0x52, 0x33,
  680. 0x91, 0x53, 0x7e, 0x75, 0xd6, 0x19, 0x9d, 0x1e,
  681. 0xad, 0x0d, 0xc6, 0xa7, 0xde, 0x6c, 0x1f, 0xe0,
  682. 0xea, 0x18, 0x33, 0xa8, 0x7e, 0x06, 0x20, 0xe9 };
  683. static const unsigned char pers_nopr[] =
  684. { 0x88, 0xee, 0xb8, 0xe0, 0xe8, 0x3b, 0xf3, 0x29,
  685. 0x4b, 0xda, 0xcd, 0x60, 0x99, 0xeb, 0xe4, 0xbf,
  686. 0x55, 0xec, 0xd9, 0x11, 0x3f, 0x71, 0xe5, 0xeb,
  687. 0xcb, 0x45, 0x75, 0xf3, 0xd6, 0xa6, 0x8a, 0x6b };
  688. static const unsigned char result_pr[] =
  689. { 0xce, 0x2f, 0xdb, 0xb6, 0xd9, 0xb7, 0x39, 0x85,
  690. 0x04, 0xc5, 0xc0, 0x42, 0xc2, 0x31, 0xc6, 0x1d,
  691. 0x9b, 0x5a, 0x59, 0xf8, 0x7e, 0x0d, 0xcc, 0x62,
  692. 0x7b, 0x65, 0x11, 0x55, 0x10, 0xeb, 0x9e, 0x3d,
  693. 0xa4, 0xfb, 0x1c, 0x6a, 0x18, 0xc0, 0x74, 0xdb,
  694. 0xdd, 0xe7, 0x02, 0x23, 0x63, 0x21, 0xd0, 0x39,
  695. 0xf9, 0xa7, 0xc4, 0x52, 0x84, 0x3b, 0x49, 0x40,
  696. 0x72, 0x2b, 0xb0, 0x6c, 0x9c, 0xdb, 0xc3, 0x43 };
  697. static const unsigned char result_nopr[] =
  698. { 0xa5, 0x51, 0x80, 0xa1, 0x90, 0xbe, 0xf3, 0xad,
  699. 0xaf, 0x28, 0xf6, 0xb7, 0x95, 0xe9, 0xf1, 0xf3,
  700. 0xd6, 0xdf, 0xa1, 0xb2, 0x7d, 0xd0, 0x46, 0x7b,
  701. 0x0c, 0x75, 0xf5, 0xfa, 0x93, 0x1e, 0x97, 0x14,
  702. 0x75, 0xb2, 0x7c, 0xae, 0x03, 0xa2, 0x96, 0x54,
  703. 0xe2, 0xf4, 0x09, 0x66, 0xea, 0x33, 0x64, 0x30,
  704. 0x40, 0xd1, 0x40, 0x0f, 0xe6, 0x77, 0x87, 0x3a,
  705. 0xf8, 0x09, 0x7c, 0x1f, 0xe9, 0xf0, 0x02, 0x98 };
  706. #endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
  707. static size_t test_offset;
  708. static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf,
  709. size_t len )
  710. {
  711. const unsigned char *p = data;
  712. memcpy( buf, p + test_offset, len );
  713. test_offset += len;
  714. return( 0 );
  715. }
  716. #define CHK( c ) if( (c) != 0 ) \
  717. { \
  718. if( verbose != 0 ) \
  719. mbedtls_printf( "failed\n" ); \
  720. return( 1 ); \
  721. }
  722. #define SELF_TEST_OUPUT_DISCARD_LENGTH 64
  723. /*
  724. * Checkup routine
  725. */
  726. int mbedtls_ctr_drbg_self_test( int verbose )
  727. {
  728. mbedtls_ctr_drbg_context ctx;
  729. unsigned char buf[ sizeof( result_pr ) ];
  730. mbedtls_ctr_drbg_init( &ctx );
  731. /*
  732. * Based on a NIST CTR_DRBG test vector (PR = True)
  733. */
  734. if( verbose != 0 )
  735. mbedtls_printf( " CTR_DRBG (PR = TRUE) : " );
  736. test_offset = 0;
  737. mbedtls_ctr_drbg_set_entropy_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE );
  738. mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2 );
  739. CHK( mbedtls_ctr_drbg_seed( &ctx,
  740. ctr_drbg_self_test_entropy,
  741. (void *) entropy_source_pr,
  742. pers_pr, MBEDTLS_CTR_DRBG_KEYSIZE ) );
  743. mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
  744. CHK( mbedtls_ctr_drbg_random( &ctx, buf, SELF_TEST_OUPUT_DISCARD_LENGTH ) );
  745. CHK( mbedtls_ctr_drbg_random( &ctx, buf, sizeof( result_pr ) ) );
  746. CHK( memcmp( buf, result_pr, sizeof( result_pr ) ) );
  747. mbedtls_ctr_drbg_free( &ctx );
  748. if( verbose != 0 )
  749. mbedtls_printf( "passed\n" );
  750. /*
  751. * Based on a NIST CTR_DRBG test vector (PR = FALSE)
  752. */
  753. if( verbose != 0 )
  754. mbedtls_printf( " CTR_DRBG (PR = FALSE): " );
  755. mbedtls_ctr_drbg_init( &ctx );
  756. test_offset = 0;
  757. mbedtls_ctr_drbg_set_entropy_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE);
  758. mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2 );
  759. CHK( mbedtls_ctr_drbg_seed( &ctx,
  760. ctr_drbg_self_test_entropy,
  761. (void *) entropy_source_nopr,
  762. pers_nopr, MBEDTLS_CTR_DRBG_KEYSIZE ) );
  763. CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
  764. CHK( mbedtls_ctr_drbg_random( &ctx, buf, SELF_TEST_OUPUT_DISCARD_LENGTH ) );
  765. CHK( mbedtls_ctr_drbg_random( &ctx, buf, sizeof( result_nopr ) ) );
  766. CHK( memcmp( buf, result_nopr, sizeof( result_nopr ) ) );
  767. mbedtls_ctr_drbg_free( &ctx );
  768. if( verbose != 0 )
  769. mbedtls_printf( "passed\n" );
  770. if( verbose != 0 )
  771. mbedtls_printf( "\n" );
  772. return( 0 );
  773. }
  774. #endif /* MBEDTLS_SELF_TEST */
  775. #endif /* MBEDTLS_CTR_DRBG_C */