1 /*
2 * CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * The NIST SP 800-90 DRBGs are described in the following publication.
21 *
22 * http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
23 */
24
25 #include "common.h"
26
27 #if defined(MBEDTLS_CTR_DRBG_C)
28
29 #include "mbedtls/ctr_drbg.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32
33 #include <string.h>
34
35 #if defined(MBEDTLS_FS_IO)
36 #include <stdio.h>
37 #endif
38
39 #if defined(MBEDTLS_SELF_TEST)
40 #if defined(MBEDTLS_PLATFORM_C)
41 #include "mbedtls/platform.h"
42 #else
43 #include <stdio.h>
44 #define mbedtls_printf printf
45 #endif /* MBEDTLS_PLATFORM_C */
46 #endif /* MBEDTLS_SELF_TEST */
47
48 /*
49 * CTR_DRBG context initialization
50 */
mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context * ctx)51 void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
52 {
53 memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) );
54 /* Indicate that the entropy nonce length is not set explicitly.
55 * See mbedtls_ctr_drbg_set_nonce_len(). */
56 ctx->reseed_counter = -1;
57
58 ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
59 }
60
61 /*
62 * This function resets CTR_DRBG context to the state immediately
63 * after initial call of mbedtls_ctr_drbg_init().
64 */
mbedtls_ctr_drbg_free(mbedtls_ctr_drbg_context * ctx)65 void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
66 {
67 if( ctx == NULL )
68 return;
69
70 #if defined(MBEDTLS_THREADING_C)
71 /* The mutex is initialized iff f_entropy is set. */
72 if( ctx->f_entropy != NULL )
73 mbedtls_mutex_free( &ctx->mutex );
74 #endif
75 mbedtls_aes_free( &ctx->aes_ctx );
76 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
77 ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
78 ctx->reseed_counter = -1;
79 }
80
mbedtls_ctr_drbg_set_prediction_resistance(mbedtls_ctr_drbg_context * ctx,int resistance)81 void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
82 int resistance )
83 {
84 ctx->prediction_resistance = resistance;
85 }
86
mbedtls_ctr_drbg_set_entropy_len(mbedtls_ctr_drbg_context * ctx,size_t len)87 void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx,
88 size_t len )
89 {
90 ctx->entropy_len = len;
91 }
92
mbedtls_ctr_drbg_set_nonce_len(mbedtls_ctr_drbg_context * ctx,size_t len)93 int mbedtls_ctr_drbg_set_nonce_len( mbedtls_ctr_drbg_context *ctx,
94 size_t len )
95 {
96 /* If mbedtls_ctr_drbg_seed() has already been called, it's
97 * too late. Return the error code that's closest to making sense. */
98 if( ctx->f_entropy != NULL )
99 return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
100
101 if( len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
102 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
103 #if SIZE_MAX > INT_MAX
104 /* This shouldn't be an issue because
105 * MBEDTLS_CTR_DRBG_MAX_SEED_INPUT < INT_MAX in any sensible
106 * configuration, but make sure anyway. */
107 if( len > INT_MAX )
108 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
109 #endif
110
111 /* For backward compatibility with Mbed TLS <= 2.19, store the
112 * entropy nonce length in a field that already exists, but isn't
113 * used until after the initial seeding. */
114 /* Due to the capping of len above, the value fits in an int. */
115 ctx->reseed_counter = (int) len;
116 return( 0 );
117 }
118
mbedtls_ctr_drbg_set_reseed_interval(mbedtls_ctr_drbg_context * ctx,int interval)119 void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx,
120 int interval )
121 {
122 ctx->reseed_interval = interval;
123 }
124
block_cipher_df(unsigned char * output,const unsigned char * data,size_t data_len)125 static int block_cipher_df( unsigned char *output,
126 const unsigned char *data, size_t data_len )
127 {
128 unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
129 MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
130 unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
131 unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
132 unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
133 unsigned char *p, *iv;
134 mbedtls_aes_context aes_ctx;
135 int ret = 0;
136
137 int i, j;
138 size_t buf_len, use_len;
139
140 if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
141 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
142
143 memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
144 MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 );
145 mbedtls_aes_init( &aes_ctx );
146
147 /*
148 * Construct IV (16 bytes) and S in buffer
149 * IV = Counter (in 32-bits) padded to 16 with zeroes
150 * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
151 * data || 0x80
152 * (Total is padded to a multiple of 16-bytes with zeroes)
153 */
154 p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
155 *p++ = ( data_len >> 24 ) & 0xff;
156 *p++ = ( data_len >> 16 ) & 0xff;
157 *p++ = ( data_len >> 8 ) & 0xff;
158 *p++ = ( data_len ) & 0xff;
159 p += 3;
160 *p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
161 memcpy( p, data, data_len );
162 p[data_len] = 0x80;
163
164 buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
165
166 for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
167 key[i] = i;
168
169 if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, key,
170 MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
171 {
172 goto exit;
173 }
174
175 /*
176 * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
177 */
178 for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
179 {
180 p = buf;
181 memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE );
182 use_len = buf_len;
183
184 while( use_len > 0 )
185 {
186 for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ )
187 chain[i] ^= p[i];
188 p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
189 use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ?
190 MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
191
192 if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT,
193 chain, chain ) ) != 0 )
194 {
195 goto exit;
196 }
197 }
198
199 memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE );
200
201 /*
202 * Update IV
203 */
204 buf[3]++;
205 }
206
207 /*
208 * Do final encryption with reduced data
209 */
210 if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, tmp,
211 MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
212 {
213 goto exit;
214 }
215 iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
216 p = output;
217
218 for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
219 {
220 if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT,
221 iv, iv ) ) != 0 )
222 {
223 goto exit;
224 }
225 memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE );
226 p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
227 }
228 exit:
229 mbedtls_aes_free( &aes_ctx );
230 /*
231 * tidy up the stack
232 */
233 mbedtls_platform_zeroize( buf, sizeof( buf ) );
234 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
235 mbedtls_platform_zeroize( key, sizeof( key ) );
236 mbedtls_platform_zeroize( chain, sizeof( chain ) );
237 if( 0 != ret )
238 {
239 /*
240 * wipe partial seed from memory
241 */
242 mbedtls_platform_zeroize( output, MBEDTLS_CTR_DRBG_SEEDLEN );
243 }
244
245 return( ret );
246 }
247
248 /* CTR_DRBG_Update (SP 800-90A §10.2.1.2)
249 * ctr_drbg_update_internal(ctx, provided_data)
250 * implements
251 * CTR_DRBG_Update(provided_data, Key, V)
252 * with inputs and outputs
253 * ctx->aes_ctx = Key
254 * ctx->counter = V
255 */
ctr_drbg_update_internal(mbedtls_ctr_drbg_context * ctx,const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN])256 static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
257 const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
258 {
259 unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
260 unsigned char *p = tmp;
261 int i, j;
262 int ret = 0;
263
264 memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
265
266 for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
267 {
268 /*
269 * Increase counter
270 */
271 for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
272 if( ++ctx->counter[i - 1] != 0 )
273 break;
274
275 /*
276 * Crypt counter block
277 */
278 if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
279 ctx->counter, p ) ) != 0 )
280 {
281 goto exit;
282 }
283
284 p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
285 }
286
287 for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ )
288 tmp[i] ^= data[i];
289
290 /*
291 * Update key and counter
292 */
293 if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp,
294 MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
295 {
296 goto exit;
297 }
298 memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE,
299 MBEDTLS_CTR_DRBG_BLOCKSIZE );
300
301 exit:
302 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
303 return( ret );
304 }
305
306 /* CTR_DRBG_Instantiate with derivation function (SP 800-90A §10.2.1.3.2)
307 * mbedtls_ctr_drbg_update(ctx, additional, add_len)
308 * implements
309 * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
310 * security_strength) -> initial_working_state
311 * with inputs
312 * ctx->counter = all-bits-0
313 * ctx->aes_ctx = context from all-bits-0 key
314 * additional[:add_len] = entropy_input || nonce || personalization_string
315 * and with outputs
316 * ctx = initial_working_state
317 */
mbedtls_ctr_drbg_update_ret(mbedtls_ctr_drbg_context * ctx,const unsigned char * additional,size_t add_len)318 int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
319 const unsigned char *additional,
320 size_t add_len )
321 {
322 unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
323 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
324
325 if( add_len == 0 )
326 return( 0 );
327
328 if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
329 goto exit;
330 if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
331 goto exit;
332
333 exit:
334 mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
335 return( ret );
336 }
337
338 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_ctr_drbg_update(mbedtls_ctr_drbg_context * ctx,const unsigned char * additional,size_t add_len)339 void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
340 const unsigned char *additional,
341 size_t add_len )
342 {
343 /* MAX_INPUT would be more logical here, but we have to match
344 * block_cipher_df()'s limits since we can't propagate errors */
345 if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
346 add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
347 (void) mbedtls_ctr_drbg_update_ret( ctx, additional, add_len );
348 }
349 #endif /* MBEDTLS_DEPRECATED_REMOVED */
350
351 /* CTR_DRBG_Reseed with derivation function (SP 800-90A §10.2.1.4.2)
352 * mbedtls_ctr_drbg_reseed(ctx, additional, len, nonce_len)
353 * implements
354 * CTR_DRBG_Reseed(working_state, entropy_input, additional_input)
355 * -> new_working_state
356 * with inputs
357 * ctx contains working_state
358 * additional[:len] = additional_input
359 * and entropy_input comes from calling ctx->f_entropy
360 * for (ctx->entropy_len + nonce_len) bytes
361 * and with output
362 * ctx contains new_working_state
363 */
mbedtls_ctr_drbg_reseed_internal(mbedtls_ctr_drbg_context * ctx,const unsigned char * additional,size_t len,size_t nonce_len)364 static int mbedtls_ctr_drbg_reseed_internal( mbedtls_ctr_drbg_context *ctx,
365 const unsigned char *additional,
366 size_t len,
367 size_t nonce_len )
368 {
369 unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
370 size_t seedlen = 0;
371 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
372
373 if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
374 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
375 if( nonce_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
376 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
377 if( len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len - nonce_len )
378 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
379
380 memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
381
382 /* Gather entropy_len bytes of entropy to seed state. */
383 if( 0 != ctx->f_entropy( ctx->p_entropy, seed, ctx->entropy_len ) )
384 {
385 return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
386 }
387 seedlen += ctx->entropy_len;
388
389 /* Gather entropy for a nonce if requested. */
390 if( nonce_len != 0 )
391 {
392 if( 0 != ctx->f_entropy( ctx->p_entropy, seed + seedlen, nonce_len ) )
393 {
394 return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
395 }
396 seedlen += nonce_len;
397 }
398
399 /* Add additional data if provided. */
400 if( additional != NULL && len != 0 )
401 {
402 memcpy( seed + seedlen, additional, len );
403 seedlen += len;
404 }
405
406 /* Reduce to 384 bits. */
407 if( ( ret = block_cipher_df( seed, seed, seedlen ) ) != 0 )
408 goto exit;
409
410 /* Update state. */
411 if( ( ret = ctr_drbg_update_internal( ctx, seed ) ) != 0 )
412 goto exit;
413 ctx->reseed_counter = 1;
414
415 exit:
416 mbedtls_platform_zeroize( seed, sizeof( seed ) );
417 return( ret );
418 }
419
mbedtls_ctr_drbg_reseed(mbedtls_ctr_drbg_context * ctx,const unsigned char * additional,size_t len)420 int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
421 const unsigned char *additional, size_t len )
422 {
423 return( mbedtls_ctr_drbg_reseed_internal( ctx, additional, len, 0 ) );
424 }
425
426 /* Return a "good" nonce length for CTR_DRBG. The chosen nonce length
427 * is sufficient to achieve the maximum security strength given the key
428 * size and entropy length. If there is enough entropy in the initial
429 * call to the entropy function to serve as both the entropy input and
430 * the nonce, don't make a second call to get a nonce. */
good_nonce_len(size_t entropy_len)431 static size_t good_nonce_len( size_t entropy_len )
432 {
433 if( entropy_len >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2 )
434 return( 0 );
435 else
436 return( ( entropy_len + 1 ) / 2 );
437 }
438
439 /* CTR_DRBG_Instantiate with derivation function (SP 800-90A §10.2.1.3.2)
440 * mbedtls_ctr_drbg_seed(ctx, f_entropy, p_entropy, custom, len)
441 * implements
442 * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
443 * security_strength) -> initial_working_state
444 * with inputs
445 * custom[:len] = nonce || personalization_string
446 * where entropy_input comes from f_entropy for ctx->entropy_len bytes
447 * and with outputs
448 * ctx = initial_working_state
449 */
mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context * ctx,int (* f_entropy)(void *,unsigned char *,size_t),void * p_entropy,const unsigned char * custom,size_t len)450 int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
451 int (*f_entropy)(void *, unsigned char *, size_t),
452 void *p_entropy,
453 const unsigned char *custom,
454 size_t len )
455 {
456 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
457 unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
458 size_t nonce_len;
459
460 memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
461
462 /* The mutex is initialized iff f_entropy is set. */
463 #if defined(MBEDTLS_THREADING_C)
464 mbedtls_mutex_init( &ctx->mutex );
465 #endif
466
467 mbedtls_aes_init( &ctx->aes_ctx );
468
469 ctx->f_entropy = f_entropy;
470 ctx->p_entropy = p_entropy;
471
472 if( ctx->entropy_len == 0 )
473 ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
474 /* ctx->reseed_counter contains the desired amount of entropy to
475 * grab for a nonce (see mbedtls_ctr_drbg_set_nonce_len()).
476 * If it's -1, indicating that the entropy nonce length was not set
477 * explicitly, use a sufficiently large nonce for security. */
478 nonce_len = ( ctx->reseed_counter >= 0 ?
479 (size_t) ctx->reseed_counter :
480 good_nonce_len( ctx->entropy_len ) );
481
482 /* Initialize with an empty key. */
483 if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key,
484 MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
485 {
486 return( ret );
487 }
488
489 /* Do the initial seeding. */
490 if( ( ret = mbedtls_ctr_drbg_reseed_internal( ctx, custom, len,
491 nonce_len ) ) != 0 )
492 {
493 return( ret );
494 }
495 return( 0 );
496 }
497
498 /* CTR_DRBG_Generate with derivation function (SP 800-90A §10.2.1.5.2)
499 * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
500 * implements
501 * CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len])
502 * -> working_state_after_reseed
503 * if required, then
504 * CTR_DRBG_Generate(working_state_after_reseed,
505 * requested_number_of_bits, additional_input)
506 * -> status, returned_bits, new_working_state
507 * with inputs
508 * ctx contains working_state
509 * requested_number_of_bits = 8 * output_len
510 * additional[:add_len] = additional_input
511 * and entropy_input comes from calling ctx->f_entropy
512 * and with outputs
513 * status = SUCCESS (this function does the reseed internally)
514 * returned_bits = output[:output_len]
515 * ctx contains new_working_state
516 */
mbedtls_ctr_drbg_random_with_add(void * p_rng,unsigned char * output,size_t output_len,const unsigned char * additional,size_t add_len)517 int mbedtls_ctr_drbg_random_with_add( void *p_rng,
518 unsigned char *output, size_t output_len,
519 const unsigned char *additional, size_t add_len )
520 {
521 int ret = 0;
522 mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
523 unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
524 unsigned char *p = output;
525 unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
526 int i;
527 size_t use_len;
528
529 if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST )
530 return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG );
531
532 if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT )
533 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
534
535 memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
536
537 if( ctx->reseed_counter > ctx->reseed_interval ||
538 ctx->prediction_resistance )
539 {
540 if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
541 {
542 return( ret );
543 }
544 add_len = 0;
545 }
546
547 if( add_len > 0 )
548 {
549 if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
550 goto exit;
551 if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
552 goto exit;
553 }
554
555 while( output_len > 0 )
556 {
557 /*
558 * Increase counter
559 */
560 for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
561 if( ++ctx->counter[i - 1] != 0 )
562 break;
563
564 /*
565 * Crypt counter block
566 */
567 if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
568 ctx->counter, tmp ) ) != 0 )
569 {
570 goto exit;
571 }
572
573 use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE )
574 ? MBEDTLS_CTR_DRBG_BLOCKSIZE : output_len;
575 /*
576 * Copy random block to destination
577 */
578 memcpy( p, tmp, use_len );
579 p += use_len;
580 output_len -= use_len;
581 }
582
583 if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
584 goto exit;
585
586 ctx->reseed_counter++;
587
588 exit:
589 mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
590 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
591 return( ret );
592 }
593
mbedtls_ctr_drbg_random(void * p_rng,unsigned char * output,size_t output_len)594 int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output,
595 size_t output_len )
596 {
597 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
598 mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
599
600 #if defined(MBEDTLS_THREADING_C)
601 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
602 return( ret );
603 #endif
604
605 ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 );
606
607 #if defined(MBEDTLS_THREADING_C)
608 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
609 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
610 #endif
611
612 return( ret );
613 }
614
615 #if defined(MBEDTLS_FS_IO)
mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context * ctx,const char * path)616 int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx,
617 const char *path )
618 {
619 int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
620 FILE *f;
621 unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
622
623 if( ( f = fopen( path, "wb" ) ) == NULL )
624 return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
625
626 if( ( ret = mbedtls_ctr_drbg_random( ctx, buf,
627 MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
628 goto exit;
629
630 if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) !=
631 MBEDTLS_CTR_DRBG_MAX_INPUT )
632 {
633 ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
634 }
635 else
636 {
637 ret = 0;
638 }
639
640 exit:
641 mbedtls_platform_zeroize( buf, sizeof( buf ) );
642
643 fclose( f );
644 return( ret );
645 }
646
mbedtls_ctr_drbg_update_seed_file(mbedtls_ctr_drbg_context * ctx,const char * path)647 int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx,
648 const char *path )
649 {
650 int ret = 0;
651 FILE *f = NULL;
652 size_t n;
653 unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
654 unsigned char c;
655
656 if( ( f = fopen( path, "rb" ) ) == NULL )
657 return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
658
659 n = fread( buf, 1, sizeof( buf ), f );
660 if( fread( &c, 1, 1, f ) != 0 )
661 {
662 ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
663 goto exit;
664 }
665 if( n == 0 || ferror( f ) )
666 {
667 ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
668 goto exit;
669 }
670 fclose( f );
671 f = NULL;
672
673 ret = mbedtls_ctr_drbg_update_ret( ctx, buf, n );
674
675 exit:
676 mbedtls_platform_zeroize( buf, sizeof( buf ) );
677 if( f != NULL )
678 fclose( f );
679 if( ret != 0 )
680 return( ret );
681 return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
682 }
683 #endif /* MBEDTLS_FS_IO */
684
685 #if defined(MBEDTLS_SELF_TEST)
686
687 /* The CTR_DRBG NIST test vectors used here are available at
688 * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/drbg/drbgtestvectors.zip
689 *
690 * The parameters used to derive the test data are:
691 *
692 * [AES-128 use df]
693 * [PredictionResistance = True/False]
694 * [EntropyInputLen = 128]
695 * [NonceLen = 64]
696 * [PersonalizationStringLen = 128]
697 * [AdditionalInputLen = 0]
698 * [ReturnedBitsLen = 512]
699 *
700 * [AES-256 use df]
701 * [PredictionResistance = True/False]
702 * [EntropyInputLen = 256]
703 * [NonceLen = 128]
704 * [PersonalizationStringLen = 256]
705 * [AdditionalInputLen = 0]
706 * [ReturnedBitsLen = 512]
707 *
708 */
709
710 #if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
711 static const unsigned char entropy_source_pr[] =
712 { 0x04, 0xd9, 0x49, 0xa6, 0xdc, 0xe8, 0x6e, 0xbb,
713 0xf1, 0x08, 0x77, 0x2b, 0x9e, 0x08, 0xca, 0x92,
714 0x65, 0x16, 0xda, 0x99, 0xa2, 0x59, 0xf3, 0xe8,
715 0x38, 0x7e, 0x3f, 0x6b, 0x51, 0x70, 0x7b, 0x20,
716 0xec, 0x53, 0xd0, 0x66, 0xc3, 0x0f, 0xe3, 0xb0,
717 0xe0, 0x86, 0xa6, 0xaa, 0x5f, 0x72, 0x2f, 0xad,
718 0xf7, 0xef, 0x06, 0xb8, 0xd6, 0x9c, 0x9d, 0xe8 };
719
720 static const unsigned char entropy_source_nopr[] =
721 { 0x07, 0x0d, 0x59, 0x63, 0x98, 0x73, 0xa5, 0x45,
722 0x27, 0x38, 0x22, 0x7b, 0x76, 0x85, 0xd1, 0xa9,
723 0x74, 0x18, 0x1f, 0x3c, 0x22, 0xf6, 0x49, 0x20,
724 0x4a, 0x47, 0xc2, 0xf3, 0x85, 0x16, 0xb4, 0x6f,
725 0x00, 0x2e, 0x71, 0xda, 0xed, 0x16, 0x9b, 0x5c };
726
727 static const unsigned char pers_pr[] =
728 { 0xbf, 0xa4, 0x9a, 0x8f, 0x7b, 0xd8, 0xb1, 0x7a,
729 0x9d, 0xfa, 0x45, 0xed, 0x21, 0x52, 0xb3, 0xad };
730
731 static const unsigned char pers_nopr[] =
732 { 0x4e, 0x61, 0x79, 0xd4, 0xc2, 0x72, 0xa1, 0x4c,
733 0xf1, 0x3d, 0xf6, 0x5e, 0xa3, 0xa6, 0xe5, 0x0f };
734
735 static const unsigned char result_pr[] =
736 { 0xc9, 0x0a, 0xaf, 0x85, 0x89, 0x71, 0x44, 0x66,
737 0x4f, 0x25, 0x0b, 0x2b, 0xde, 0xd8, 0xfa, 0xff,
738 0x52, 0x5a, 0x1b, 0x32, 0x5e, 0x41, 0x7a, 0x10,
739 0x1f, 0xef, 0x1e, 0x62, 0x23, 0xe9, 0x20, 0x30,
740 0xc9, 0x0d, 0xad, 0x69, 0xb4, 0x9c, 0x5b, 0xf4,
741 0x87, 0x42, 0xd5, 0xae, 0x5e, 0x5e, 0x43, 0xcc,
742 0xd9, 0xfd, 0x0b, 0x93, 0x4a, 0xe3, 0xd4, 0x06,
743 0x37, 0x36, 0x0f, 0x3f, 0x72, 0x82, 0x0c, 0xcf };
744
745 static const unsigned char result_nopr[] =
746 { 0x31, 0xc9, 0x91, 0x09, 0xf8, 0xc5, 0x10, 0x13,
747 0x3c, 0xd3, 0x96, 0xf9, 0xbc, 0x2c, 0x12, 0xc0,
748 0x7c, 0xc1, 0x61, 0x5f, 0xa3, 0x09, 0x99, 0xaf,
749 0xd7, 0xf2, 0x36, 0xfd, 0x40, 0x1a, 0x8b, 0xf2,
750 0x33, 0x38, 0xee, 0x1d, 0x03, 0x5f, 0x83, 0xb7,
751 0xa2, 0x53, 0xdc, 0xee, 0x18, 0xfc, 0xa7, 0xf2,
752 0xee, 0x96, 0xc6, 0xc2, 0xcd, 0x0c, 0xff, 0x02,
753 0x76, 0x70, 0x69, 0xaa, 0x69, 0xd1, 0x3b, 0xe8 };
754 #else /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
755
756 static const unsigned char entropy_source_pr[] =
757 { 0xca, 0x58, 0xfd, 0xf2, 0xb9, 0x77, 0xcb, 0x49,
758 0xd4, 0xe0, 0x5b, 0xe2, 0x39, 0x50, 0xd9, 0x8a,
759 0x6a, 0xb3, 0xc5, 0x2f, 0xdf, 0x74, 0xd5, 0x85,
760 0x8f, 0xd1, 0xba, 0x64, 0x54, 0x7b, 0xdb, 0x1e,
761 0xc5, 0xea, 0x24, 0xc0, 0xfa, 0x0c, 0x90, 0x15,
762 0x09, 0x20, 0x92, 0x42, 0x32, 0x36, 0x45, 0x45,
763 0x7d, 0x20, 0x76, 0x6b, 0xcf, 0xa2, 0x15, 0xc8,
764 0x2f, 0x9f, 0xbc, 0x88, 0x3f, 0x80, 0xd1, 0x2c,
765 0xb7, 0x16, 0xd1, 0x80, 0x9e, 0xe1, 0xc9, 0xb3,
766 0x88, 0x1b, 0x21, 0x45, 0xef, 0xa1, 0x7f, 0xce,
767 0xc8, 0x92, 0x35, 0x55, 0x2a, 0xd9, 0x1d, 0x8e,
768 0x12, 0x38, 0xac, 0x01, 0x4e, 0x38, 0x18, 0x76,
769 0x9c, 0xf2, 0xb6, 0xd4, 0x13, 0xb6, 0x2c, 0x77,
770 0xc0, 0xe7, 0xe6, 0x0c, 0x47, 0x44, 0x95, 0xbe };
771
772 static const unsigned char entropy_source_nopr[] =
773 { 0x4c, 0xfb, 0x21, 0x86, 0x73, 0x34, 0x6d, 0x9d,
774 0x50, 0xc9, 0x22, 0xe4, 0x9b, 0x0d, 0xfc, 0xd0,
775 0x90, 0xad, 0xf0, 0x4f, 0x5c, 0x3b, 0xa4, 0x73,
776 0x27, 0xdf, 0xcd, 0x6f, 0xa6, 0x3a, 0x78, 0x5c,
777 0x01, 0x69, 0x62, 0xa7, 0xfd, 0x27, 0x87, 0xa2,
778 0x4b, 0xf6, 0xbe, 0x47, 0xef, 0x37, 0x83, 0xf1,
779 0xb7, 0xec, 0x46, 0x07, 0x23, 0x63, 0x83, 0x4a,
780 0x1b, 0x01, 0x33, 0xf2, 0xc2, 0x38, 0x91, 0xdb,
781 0x4f, 0x11, 0xa6, 0x86, 0x51, 0xf2, 0x3e, 0x3a,
782 0x8b, 0x1f, 0xdc, 0x03, 0xb1, 0x92, 0xc7, 0xe7 };
783
784 static const unsigned char pers_pr[] =
785 { 0x5a, 0x70, 0x95, 0xe9, 0x81, 0x40, 0x52, 0x33,
786 0x91, 0x53, 0x7e, 0x75, 0xd6, 0x19, 0x9d, 0x1e,
787 0xad, 0x0d, 0xc6, 0xa7, 0xde, 0x6c, 0x1f, 0xe0,
788 0xea, 0x18, 0x33, 0xa8, 0x7e, 0x06, 0x20, 0xe9 };
789
790 static const unsigned char pers_nopr[] =
791 { 0x88, 0xee, 0xb8, 0xe0, 0xe8, 0x3b, 0xf3, 0x29,
792 0x4b, 0xda, 0xcd, 0x60, 0x99, 0xeb, 0xe4, 0xbf,
793 0x55, 0xec, 0xd9, 0x11, 0x3f, 0x71, 0xe5, 0xeb,
794 0xcb, 0x45, 0x75, 0xf3, 0xd6, 0xa6, 0x8a, 0x6b };
795
796 static const unsigned char result_pr[] =
797 { 0xce, 0x2f, 0xdb, 0xb6, 0xd9, 0xb7, 0x39, 0x85,
798 0x04, 0xc5, 0xc0, 0x42, 0xc2, 0x31, 0xc6, 0x1d,
799 0x9b, 0x5a, 0x59, 0xf8, 0x7e, 0x0d, 0xcc, 0x62,
800 0x7b, 0x65, 0x11, 0x55, 0x10, 0xeb, 0x9e, 0x3d,
801 0xa4, 0xfb, 0x1c, 0x6a, 0x18, 0xc0, 0x74, 0xdb,
802 0xdd, 0xe7, 0x02, 0x23, 0x63, 0x21, 0xd0, 0x39,
803 0xf9, 0xa7, 0xc4, 0x52, 0x84, 0x3b, 0x49, 0x40,
804 0x72, 0x2b, 0xb0, 0x6c, 0x9c, 0xdb, 0xc3, 0x43 };
805
806 static const unsigned char result_nopr[] =
807 { 0xa5, 0x51, 0x80, 0xa1, 0x90, 0xbe, 0xf3, 0xad,
808 0xaf, 0x28, 0xf6, 0xb7, 0x95, 0xe9, 0xf1, 0xf3,
809 0xd6, 0xdf, 0xa1, 0xb2, 0x7d, 0xd0, 0x46, 0x7b,
810 0x0c, 0x75, 0xf5, 0xfa, 0x93, 0x1e, 0x97, 0x14,
811 0x75, 0xb2, 0x7c, 0xae, 0x03, 0xa2, 0x96, 0x54,
812 0xe2, 0xf4, 0x09, 0x66, 0xea, 0x33, 0x64, 0x30,
813 0x40, 0xd1, 0x40, 0x0f, 0xe6, 0x77, 0x87, 0x3a,
814 0xf8, 0x09, 0x7c, 0x1f, 0xe9, 0xf0, 0x02, 0x98 };
815 #endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
816
817 static size_t test_offset;
ctr_drbg_self_test_entropy(void * data,unsigned char * buf,size_t len)818 static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf,
819 size_t len )
820 {
821 const unsigned char *p = data;
822 memcpy( buf, p + test_offset, len );
823 test_offset += len;
824 return( 0 );
825 }
826
827 #define CHK( c ) if( (c) != 0 ) \
828 { \
829 if( verbose != 0 ) \
830 mbedtls_printf( "failed\n" ); \
831 return( 1 ); \
832 }
833
834 #define SELF_TEST_OUPUT_DISCARD_LENGTH 64
835
836 /*
837 * Checkup routine
838 */
mbedtls_ctr_drbg_self_test(int verbose)839 int mbedtls_ctr_drbg_self_test( int verbose )
840 {
841 mbedtls_ctr_drbg_context ctx;
842 unsigned char buf[ sizeof( result_pr ) ];
843
844 mbedtls_ctr_drbg_init( &ctx );
845
846 /*
847 * Based on a NIST CTR_DRBG test vector (PR = True)
848 */
849 if( verbose != 0 )
850 mbedtls_printf( " CTR_DRBG (PR = TRUE) : " );
851
852 test_offset = 0;
853 mbedtls_ctr_drbg_set_entropy_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE );
854 mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2 );
855 CHK( mbedtls_ctr_drbg_seed( &ctx,
856 ctr_drbg_self_test_entropy,
857 (void *) entropy_source_pr,
858 pers_pr, MBEDTLS_CTR_DRBG_KEYSIZE ) );
859 mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
860 CHK( mbedtls_ctr_drbg_random( &ctx, buf, SELF_TEST_OUPUT_DISCARD_LENGTH ) );
861 CHK( mbedtls_ctr_drbg_random( &ctx, buf, sizeof( result_pr ) ) );
862 CHK( memcmp( buf, result_pr, sizeof( result_pr ) ) );
863
864 mbedtls_ctr_drbg_free( &ctx );
865
866 if( verbose != 0 )
867 mbedtls_printf( "passed\n" );
868
869 /*
870 * Based on a NIST CTR_DRBG test vector (PR = FALSE)
871 */
872 if( verbose != 0 )
873 mbedtls_printf( " CTR_DRBG (PR = FALSE): " );
874
875 mbedtls_ctr_drbg_init( &ctx );
876
877 test_offset = 0;
878 mbedtls_ctr_drbg_set_entropy_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE);
879 mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2 );
880 CHK( mbedtls_ctr_drbg_seed( &ctx,
881 ctr_drbg_self_test_entropy,
882 (void *) entropy_source_nopr,
883 pers_nopr, MBEDTLS_CTR_DRBG_KEYSIZE ) );
884 CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
885 CHK( mbedtls_ctr_drbg_random( &ctx, buf, SELF_TEST_OUPUT_DISCARD_LENGTH ) );
886 CHK( mbedtls_ctr_drbg_random( &ctx, buf, sizeof( result_nopr ) ) );
887 CHK( memcmp( buf, result_nopr, sizeof( result_nopr ) ) );
888
889 mbedtls_ctr_drbg_free( &ctx );
890
891 if( verbose != 0 )
892 mbedtls_printf( "passed\n" );
893
894 if( verbose != 0 )
895 mbedtls_printf( "\n" );
896
897 return( 0 );
898 }
899 #endif /* MBEDTLS_SELF_TEST */
900
901 #endif /* MBEDTLS_CTR_DRBG_C */
902