1 /* 2 * CTR_DRBG implementation based on AES-256 (NIST SP 800-90) 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: GPL-2.0 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License along 18 * with this program; if not, write to the Free Software Foundation, Inc., 19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 /* 24 * The NIST SP 800-90 DRBGs are described in the following publication. 25 * 26 * http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf 27 */ 28 29 #if !defined(MBEDTLS_CONFIG_FILE) 30 #include "mbedtls/config.h" 31 #else 32 #include MBEDTLS_CONFIG_FILE 33 #endif 34 35 #if defined(MBEDTLS_CTR_DRBG_C) 36 37 #include "mbedtls/ctr_drbg.h" 38 39 #include <string.h> 40 41 #if defined(MBEDTLS_FS_IO) 42 #include <stdio.h> 43 #endif 44 45 #if defined(MBEDTLS_SELF_TEST) 46 #if defined(MBEDTLS_PLATFORM_C) 47 #include "mbedtls/platform.h" 48 #else 49 #include <stdio.h> 50 #define mbedtls_printf printf 51 #endif /* MBEDTLS_PLATFORM_C */ 52 #endif /* MBEDTLS_SELF_TEST */ 53 54 /* Implementation that should never be optimized out by the compiler */ 55 static void mbedtls_zeroize( void *v, size_t n ) { 56 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 57 } 58 59 /* 60 * CTR_DRBG context initialization 61 */ 62 void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx ) 63 { 64 memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) ); 65 66 #if defined(MBEDTLS_THREADING_C) 67 mbedtls_mutex_init( &ctx->mutex ); 68 #endif 69 } 70 71 /* 72 * Non-public function wrapped by mbedtls_ctr_drbg_seed(). Necessary to allow 73 * NIST tests to succeed (which require known length fixed entropy) 74 */ 75 int mbedtls_ctr_drbg_seed_entropy_len( 76 mbedtls_ctr_drbg_context *ctx, 77 int (*f_entropy)(void *, unsigned char *, size_t), 78 void *p_entropy, 79 const unsigned char *custom, 80 size_t len, 81 size_t entropy_len ) 82 { 83 int ret; 84 unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE]; 85 86 memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE ); 87 88 mbedtls_aes_init( &ctx->aes_ctx ); 89 90 ctx->f_entropy = f_entropy; 91 ctx->p_entropy = p_entropy; 92 93 ctx->entropy_len = entropy_len; 94 ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL; 95 96 /* 97 * Initialize with an empty key 98 */ 99 if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 ) 100 { 101 return( ret ); 102 } 103 104 if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 ) 105 { 106 return( ret ); 107 } 108 return( 0 ); 109 } 110 111 int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx, 112 int (*f_entropy)(void *, unsigned char *, size_t), 113 void *p_entropy, 114 const unsigned char *custom, 115 size_t len ) 116 { 117 return( mbedtls_ctr_drbg_seed_entropy_len( ctx, f_entropy, p_entropy, custom, len, 118 MBEDTLS_CTR_DRBG_ENTROPY_LEN ) ); 119 } 120 121 void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx ) 122 { 123 if( ctx == NULL ) 124 return; 125 126 #if defined(MBEDTLS_THREADING_C) 127 mbedtls_mutex_free( &ctx->mutex ); 128 #endif 129 mbedtls_aes_free( &ctx->aes_ctx ); 130 mbedtls_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) ); 131 } 132 133 void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx, int resistance ) 134 { 135 ctx->prediction_resistance = resistance; 136 } 137 138 void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx, size_t len ) 139 { 140 ctx->entropy_len = len; 141 } 142 143 void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx, int interval ) 144 { 145 ctx->reseed_interval = interval; 146 } 147 148 static int block_cipher_df( unsigned char *output, 149 const unsigned char *data, size_t data_len ) 150 { 151 unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16]; 152 unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN]; 153 unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE]; 154 unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE]; 155 unsigned char *p, *iv; 156 mbedtls_aes_context aes_ctx; 157 int ret = 0; 158 159 int i, j; 160 size_t buf_len, use_len; 161 162 if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ) 163 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG ); 164 165 memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 ); 166 mbedtls_aes_init( &aes_ctx ); 167 168 /* 169 * Construct IV (16 bytes) and S in buffer 170 * IV = Counter (in 32-bits) padded to 16 with zeroes 171 * S = Length input string (in 32-bits) || Length of output (in 32-bits) || 172 * data || 0x80 173 * (Total is padded to a multiple of 16-bytes with zeroes) 174 */ 175 p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE; 176 *p++ = ( data_len >> 24 ) & 0xff; 177 *p++ = ( data_len >> 16 ) & 0xff; 178 *p++ = ( data_len >> 8 ) & 0xff; 179 *p++ = ( data_len ) & 0xff; 180 p += 3; 181 *p++ = MBEDTLS_CTR_DRBG_SEEDLEN; 182 memcpy( p, data, data_len ); 183 p[data_len] = 0x80; 184 185 buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1; 186 187 for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ ) 188 key[i] = i; 189 190 if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 ) 191 { 192 goto exit; 193 } 194 195 /* 196 * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data 197 */ 198 for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE ) 199 { 200 p = buf; 201 memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE ); 202 use_len = buf_len; 203 204 while( use_len > 0 ) 205 { 206 for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ ) 207 chain[i] ^= p[i]; 208 p += MBEDTLS_CTR_DRBG_BLOCKSIZE; 209 use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? 210 MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len; 211 212 if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain ) ) != 0 ) 213 { 214 goto exit; 215 } 216 } 217 218 memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE ); 219 220 /* 221 * Update IV 222 */ 223 buf[3]++; 224 } 225 226 /* 227 * Do final encryption with reduced data 228 */ 229 if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 ) 230 { 231 goto exit; 232 } 233 iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE; 234 p = output; 235 236 for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE ) 237 { 238 if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv ) ) != 0 ) 239 { 240 goto exit; 241 } 242 memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE ); 243 p += MBEDTLS_CTR_DRBG_BLOCKSIZE; 244 } 245 exit: 246 mbedtls_aes_free( &aes_ctx ); 247 /* 248 * tidy up the stack 249 */ 250 mbedtls_zeroize( buf, sizeof( buf ) ); 251 mbedtls_zeroize( tmp, sizeof( tmp ) ); 252 mbedtls_zeroize( key, sizeof( key ) ); 253 mbedtls_zeroize( chain, sizeof( chain ) ); 254 if( 0 != ret ) 255 { 256 /* 257 * wipe partial seed from memory 258 */ 259 mbedtls_zeroize( output, MBEDTLS_CTR_DRBG_SEEDLEN ); 260 } 261 262 return( ret ); 263 } 264 265 static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx, 266 const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] ) 267 { 268 unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN]; 269 unsigned char *p = tmp; 270 int i, j; 271 int ret = 0; 272 273 memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN ); 274 275 for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE ) 276 { 277 /* 278 * Increase counter 279 */ 280 for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- ) 281 if( ++ctx->counter[i - 1] != 0 ) 282 break; 283 284 /* 285 * Crypt counter block 286 */ 287 if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p ) ) != 0 ) 288 goto exit; 289 290 p += MBEDTLS_CTR_DRBG_BLOCKSIZE; 291 } 292 293 for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ ) 294 tmp[i] ^= data[i]; 295 296 /* 297 * Update key and counter 298 */ 299 if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 ) 300 goto exit; 301 memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE ); 302 303 exit: 304 mbedtls_zeroize( tmp, sizeof( tmp ) ); 305 return( ret ); 306 } 307 308 int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx, 309 const unsigned char *additional, 310 size_t add_len ) 311 { 312 unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN]; 313 int ret; 314 315 if( add_len == 0 ) 316 return( 0 ); 317 318 if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 ) 319 goto exit; 320 if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 ) 321 goto exit; 322 323 exit: 324 mbedtls_zeroize( add_input, sizeof( add_input ) ); 325 return( ret ); 326 } 327 328 /* Deprecated function, kept for backward compatibility. */ 329 void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx, 330 const unsigned char *additional, 331 size_t add_len ) 332 { 333 /* MAX_INPUT would be more logical here, but we have to match 334 * block_cipher_df()'s limits since we can't propagate errors */ 335 if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ) 336 add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT; 337 (void) mbedtls_ctr_drbg_update_ret( ctx, additional, add_len ); 338 } 339 340 int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx, 341 const unsigned char *additional, size_t len ) 342 { 343 unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT]; 344 size_t seedlen = 0; 345 int ret; 346 347 if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT || 348 len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len ) 349 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG ); 350 351 memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ); 352 353 /* 354 * Gather entropy_len bytes of entropy to seed state 355 */ 356 if( 0 != ctx->f_entropy( ctx->p_entropy, seed, 357 ctx->entropy_len ) ) 358 { 359 return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED ); 360 } 361 362 seedlen += ctx->entropy_len; 363 364 /* 365 * Add additional data 366 */ 367 if( additional && len ) 368 { 369 memcpy( seed + seedlen, additional, len ); 370 seedlen += len; 371 } 372 373 /* 374 * Reduce to 384 bits 375 */ 376 if( ( ret = block_cipher_df( seed, seed, seedlen ) ) != 0 ) 377 goto exit; 378 379 /* 380 * Update state 381 */ 382 if( ( ret = ctr_drbg_update_internal( ctx, seed ) ) != 0 ) 383 goto exit; 384 ctx->reseed_counter = 1; 385 386 exit: 387 mbedtls_zeroize( seed, sizeof( seed ) ); 388 return( ret ); 389 } 390 391 int mbedtls_ctr_drbg_random_with_add( void *p_rng, 392 unsigned char *output, size_t output_len, 393 const unsigned char *additional, size_t add_len ) 394 { 395 int ret = 0; 396 mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng; 397 unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN]; 398 unsigned char *p = output; 399 unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE]; 400 int i; 401 size_t use_len; 402 403 if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST ) 404 return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG ); 405 406 if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT ) 407 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG ); 408 409 memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN ); 410 411 if( ctx->reseed_counter > ctx->reseed_interval || 412 ctx->prediction_resistance ) 413 { 414 if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 ) 415 { 416 return( ret ); 417 } 418 add_len = 0; 419 } 420 421 if( add_len > 0 ) 422 { 423 if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 ) 424 goto exit; 425 if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 ) 426 goto exit; 427 } 428 429 while( output_len > 0 ) 430 { 431 /* 432 * Increase counter 433 */ 434 for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- ) 435 if( ++ctx->counter[i - 1] != 0 ) 436 break; 437 438 /* 439 * Crypt counter block 440 */ 441 if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp ) ) != 0 ) 442 goto exit; 443 444 use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? MBEDTLS_CTR_DRBG_BLOCKSIZE : 445 output_len; 446 /* 447 * Copy random block to destination 448 */ 449 memcpy( p, tmp, use_len ); 450 p += use_len; 451 output_len -= use_len; 452 } 453 454 if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 ) 455 goto exit; 456 457 ctx->reseed_counter++; 458 459 exit: 460 mbedtls_zeroize( add_input, sizeof( add_input ) ); 461 mbedtls_zeroize( tmp, sizeof( tmp ) ); 462 return( 0 ); 463 } 464 465 int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len ) 466 { 467 int ret; 468 mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng; 469 470 #if defined(MBEDTLS_THREADING_C) 471 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 472 return( ret ); 473 #endif 474 475 ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 ); 476 477 #if defined(MBEDTLS_THREADING_C) 478 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 479 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 480 #endif 481 482 return( ret ); 483 } 484 485 #if defined(MBEDTLS_FS_IO) 486 int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path ) 487 { 488 int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR; 489 FILE *f; 490 unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ]; 491 492 if( ( f = fopen( path, "wb" ) ) == NULL ) 493 return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR ); 494 495 if( ( ret = mbedtls_ctr_drbg_random( ctx, buf, MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 ) 496 goto exit; 497 498 if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) != MBEDTLS_CTR_DRBG_MAX_INPUT ) 499 ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR; 500 else 501 ret = 0; 502 503 exit: 504 mbedtls_zeroize( buf, sizeof( buf ) ); 505 506 fclose( f ); 507 return( ret ); 508 } 509 510 int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path ) 511 { 512 int ret = 0; 513 FILE *f; 514 size_t n; 515 unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ]; 516 517 if( ( f = fopen( path, "rb" ) ) == NULL ) 518 return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR ); 519 520 fseek( f, 0, SEEK_END ); 521 n = (size_t) ftell( f ); 522 fseek( f, 0, SEEK_SET ); 523 524 if( n > MBEDTLS_CTR_DRBG_MAX_INPUT ) 525 { 526 fclose( f ); 527 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG ); 528 } 529 530 if( fread( buf, 1, n, f ) != n ) 531 ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR; 532 else 533 ret = mbedtls_ctr_drbg_update_ret( ctx, buf, n ); 534 535 fclose( f ); 536 537 mbedtls_zeroize( buf, sizeof( buf ) ); 538 539 if( ret != 0 ) 540 return( ret ); 541 542 return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) ); 543 } 544 #endif /* MBEDTLS_FS_IO */ 545 546 #if defined(MBEDTLS_SELF_TEST) 547 548 static const unsigned char entropy_source_pr[96] = 549 { 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16, 550 0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02, 551 0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b, 552 0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb, 553 0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9, 554 0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95, 555 0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63, 556 0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3, 557 0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31, 558 0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4, 559 0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56, 560 0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 }; 561 562 static const unsigned char entropy_source_nopr[64] = 563 { 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14, 564 0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe, 565 0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d, 566 0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20, 567 0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9, 568 0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46, 569 0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e, 570 0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e }; 571 572 static const unsigned char nonce_pers_pr[16] = 573 { 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2, 574 0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c }; 575 576 static const unsigned char nonce_pers_nopr[16] = 577 { 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5, 578 0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f }; 579 580 static const unsigned char result_pr[16] = 581 { 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f, 582 0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 }; 583 584 static const unsigned char result_nopr[16] = 585 { 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88, 586 0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f }; 587 588 static size_t test_offset; 589 static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf, 590 size_t len ) 591 { 592 const unsigned char *p = data; 593 memcpy( buf, p + test_offset, len ); 594 test_offset += len; 595 return( 0 ); 596 } 597 598 #define CHK( c ) if( (c) != 0 ) \ 599 { \ 600 if( verbose != 0 ) \ 601 mbedtls_printf( "failed\n" ); \ 602 return( 1 ); \ 603 } 604 605 /* 606 * Checkup routine 607 */ 608 int mbedtls_ctr_drbg_self_test( int verbose ) 609 { 610 mbedtls_ctr_drbg_context ctx; 611 unsigned char buf[16]; 612 613 mbedtls_ctr_drbg_init( &ctx ); 614 615 /* 616 * Based on a NIST CTR_DRBG test vector (PR = True) 617 */ 618 if( verbose != 0 ) 619 mbedtls_printf( " CTR_DRBG (PR = TRUE) : " ); 620 621 test_offset = 0; 622 CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy, 623 (void *) entropy_source_pr, nonce_pers_pr, 16, 32 ) ); 624 mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON ); 625 CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) ); 626 CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) ); 627 CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) ); 628 629 mbedtls_ctr_drbg_free( &ctx ); 630 631 if( verbose != 0 ) 632 mbedtls_printf( "passed\n" ); 633 634 /* 635 * Based on a NIST CTR_DRBG test vector (PR = FALSE) 636 */ 637 if( verbose != 0 ) 638 mbedtls_printf( " CTR_DRBG (PR = FALSE): " ); 639 640 mbedtls_ctr_drbg_init( &ctx ); 641 642 test_offset = 0; 643 CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy, 644 (void *) entropy_source_nopr, nonce_pers_nopr, 16, 32 ) ); 645 CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) ); 646 CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) ); 647 CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) ); 648 CHK( memcmp( buf, result_nopr, 16 ) ); 649 650 mbedtls_ctr_drbg_free( &ctx ); 651 652 if( verbose != 0 ) 653 mbedtls_printf( "passed\n" ); 654 655 if( verbose != 0 ) 656 mbedtls_printf( "\n" ); 657 658 return( 0 ); 659 } 660 #endif /* MBEDTLS_SELF_TEST */ 661 662 #endif /* MBEDTLS_CTR_DRBG_C */ 663