1 /*
2 * CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * The NIST SP 800-90 DRBGs are described in the following publication.
21 *
22 * http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
23 */
24
25 #include "common.h"
26
27 #if defined(MBEDTLS_CTR_DRBG_C)
28
29 #include "mbedtls/ctr_drbg.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32
33 #include <string.h>
34
35 #if defined(MBEDTLS_FS_IO)
36 #include <stdio.h>
37 #endif
38
39 #if defined(MBEDTLS_SELF_TEST)
40 #if defined(MBEDTLS_PLATFORM_C)
41 #include "mbedtls/platform.h"
42 #else
43 #include <stdio.h>
44 #define mbedtls_printf printf
45 #endif /* MBEDTLS_PLATFORM_C */
46 #endif /* MBEDTLS_SELF_TEST */
47
48 /*
49 * CTR_DRBG context initialization
50 */
mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context * ctx)51 void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
52 {
53 memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) );
54 /* Indicate that the entropy nonce length is not set explicitly.
55 * See mbedtls_ctr_drbg_set_nonce_len(). */
56 ctx->reseed_counter = -1;
57
58 ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
59 }
60
61 /*
62 * This function resets CTR_DRBG context to the state immediately
63 * after initial call of mbedtls_ctr_drbg_init().
64 */
mbedtls_ctr_drbg_free(mbedtls_ctr_drbg_context * ctx)65 void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
66 {
67 if( ctx == NULL )
68 return;
69
70 #if defined(MBEDTLS_THREADING_C)
71 /* The mutex is initialized iff f_entropy is set. */
72 if( ctx->f_entropy != NULL )
73 mbedtls_mutex_free( &ctx->mutex );
74 #endif
75 mbedtls_aes_free( &ctx->aes_ctx );
76 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
77 ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
78 ctx->reseed_counter = -1;
79 }
80
mbedtls_ctr_drbg_set_prediction_resistance(mbedtls_ctr_drbg_context * ctx,int resistance)81 void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
82 int resistance )
83 {
84 ctx->prediction_resistance = resistance;
85 }
86
mbedtls_ctr_drbg_set_entropy_len(mbedtls_ctr_drbg_context * ctx,size_t len)87 void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx,
88 size_t len )
89 {
90 ctx->entropy_len = len;
91 }
92
mbedtls_ctr_drbg_set_nonce_len(mbedtls_ctr_drbg_context * ctx,size_t len)93 int mbedtls_ctr_drbg_set_nonce_len( mbedtls_ctr_drbg_context *ctx,
94 size_t len )
95 {
96 /* If mbedtls_ctr_drbg_seed() has already been called, it's
97 * too late. Return the error code that's closest to making sense. */
98 if( ctx->f_entropy != NULL )
99 return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
100
101 if( len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
102 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
103 #if SIZE_MAX > INT_MAX
104 /* This shouldn't be an issue because
105 * MBEDTLS_CTR_DRBG_MAX_SEED_INPUT < INT_MAX in any sensible
106 * configuration, but make sure anyway. */
107 if( len > INT_MAX )
108 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
109 #endif
110
111 /* For backward compatibility with Mbed TLS <= 2.19, store the
112 * entropy nonce length in a field that already exists, but isn't
113 * used until after the initial seeding. */
114 /* Due to the capping of len above, the value fits in an int. */
115 ctx->reseed_counter = (int) len;
116 return( 0 );
117 }
118
mbedtls_ctr_drbg_set_reseed_interval(mbedtls_ctr_drbg_context * ctx,int interval)119 void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx,
120 int interval )
121 {
122 ctx->reseed_interval = interval;
123 }
124
block_cipher_df(unsigned char * output,const unsigned char * data,size_t data_len)125 static int block_cipher_df( unsigned char *output,
126 const unsigned char *data, size_t data_len )
127 {
128 unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
129 MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
130 unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
131 unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
132 unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
133 unsigned char *p, *iv;
134 mbedtls_aes_context aes_ctx;
135 int ret = 0;
136
137 int i, j;
138 size_t buf_len, use_len;
139
140 if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
141 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
142
143 memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
144 MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 );
145 mbedtls_aes_init( &aes_ctx );
146
147 /*
148 * Construct IV (16 bytes) and S in buffer
149 * IV = Counter (in 32-bits) padded to 16 with zeroes
150 * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
151 * data || 0x80
152 * (Total is padded to a multiple of 16-bytes with zeroes)
153 */
154 p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
155 MBEDTLS_PUT_UINT32_BE( data_len, p, 0);
156 p += 4 + 3;
157 *p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
158 memcpy( p, data, data_len );
159 p[data_len] = 0x80;
160
161 buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
162
163 for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
164 key[i] = i;
165
166 if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, key,
167 MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
168 {
169 goto exit;
170 }
171
172 /*
173 * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
174 */
175 for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
176 {
177 p = buf;
178 memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE );
179 use_len = buf_len;
180
181 while( use_len > 0 )
182 {
183 for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ )
184 chain[i] ^= p[i];
185 p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
186 use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ?
187 MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
188
189 if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT,
190 chain, chain ) ) != 0 )
191 {
192 goto exit;
193 }
194 }
195
196 memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE );
197
198 /*
199 * Update IV
200 */
201 buf[3]++;
202 }
203
204 /*
205 * Do final encryption with reduced data
206 */
207 if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, tmp,
208 MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
209 {
210 goto exit;
211 }
212 iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
213 p = output;
214
215 for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
216 {
217 if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT,
218 iv, iv ) ) != 0 )
219 {
220 goto exit;
221 }
222 memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE );
223 p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
224 }
225 exit:
226 mbedtls_aes_free( &aes_ctx );
227 /*
228 * tidy up the stack
229 */
230 mbedtls_platform_zeroize( buf, sizeof( buf ) );
231 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
232 mbedtls_platform_zeroize( key, sizeof( key ) );
233 mbedtls_platform_zeroize( chain, sizeof( chain ) );
234 if( 0 != ret )
235 {
236 /*
237 * wipe partial seed from memory
238 */
239 mbedtls_platform_zeroize( output, MBEDTLS_CTR_DRBG_SEEDLEN );
240 }
241
242 return( ret );
243 }
244
245 /* CTR_DRBG_Update (SP 800-90A §10.2.1.2)
246 * ctr_drbg_update_internal(ctx, provided_data)
247 * implements
248 * CTR_DRBG_Update(provided_data, Key, V)
249 * with inputs and outputs
250 * ctx->aes_ctx = Key
251 * ctx->counter = V
252 */
ctr_drbg_update_internal(mbedtls_ctr_drbg_context * ctx,const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN])253 static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
254 const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
255 {
256 unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
257 unsigned char *p = tmp;
258 int i, j;
259 int ret = 0;
260
261 memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
262
263 for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
264 {
265 /*
266 * Increase counter
267 */
268 for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
269 if( ++ctx->counter[i - 1] != 0 )
270 break;
271
272 /*
273 * Crypt counter block
274 */
275 if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
276 ctx->counter, p ) ) != 0 )
277 {
278 goto exit;
279 }
280
281 p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
282 }
283
284 for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ )
285 tmp[i] ^= data[i];
286
287 /*
288 * Update key and counter
289 */
290 if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp,
291 MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
292 {
293 goto exit;
294 }
295 memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE,
296 MBEDTLS_CTR_DRBG_BLOCKSIZE );
297
298 exit:
299 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
300 return( ret );
301 }
302
303 /* CTR_DRBG_Instantiate with derivation function (SP 800-90A §10.2.1.3.2)
304 * mbedtls_ctr_drbg_update(ctx, additional, add_len)
305 * implements
306 * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
307 * security_strength) -> initial_working_state
308 * with inputs
309 * ctx->counter = all-bits-0
310 * ctx->aes_ctx = context from all-bits-0 key
311 * additional[:add_len] = entropy_input || nonce || personalization_string
312 * and with outputs
313 * ctx = initial_working_state
314 */
mbedtls_ctr_drbg_update_ret(mbedtls_ctr_drbg_context * ctx,const unsigned char * additional,size_t add_len)315 int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
316 const unsigned char *additional,
317 size_t add_len )
318 {
319 unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
320 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
321
322 if( add_len == 0 )
323 return( 0 );
324
325 if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
326 goto exit;
327 if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
328 goto exit;
329
330 exit:
331 mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
332 return( ret );
333 }
334
335 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_ctr_drbg_update(mbedtls_ctr_drbg_context * ctx,const unsigned char * additional,size_t add_len)336 void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
337 const unsigned char *additional,
338 size_t add_len )
339 {
340 /* MAX_INPUT would be more logical here, but we have to match
341 * block_cipher_df()'s limits since we can't propagate errors */
342 if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
343 add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
344 (void) mbedtls_ctr_drbg_update_ret( ctx, additional, add_len );
345 }
346 #endif /* MBEDTLS_DEPRECATED_REMOVED */
347
348 /* CTR_DRBG_Reseed with derivation function (SP 800-90A §10.2.1.4.2)
349 * mbedtls_ctr_drbg_reseed(ctx, additional, len, nonce_len)
350 * implements
351 * CTR_DRBG_Reseed(working_state, entropy_input, additional_input)
352 * -> new_working_state
353 * with inputs
354 * ctx contains working_state
355 * additional[:len] = additional_input
356 * and entropy_input comes from calling ctx->f_entropy
357 * for (ctx->entropy_len + nonce_len) bytes
358 * and with output
359 * ctx contains new_working_state
360 */
mbedtls_ctr_drbg_reseed_internal(mbedtls_ctr_drbg_context * ctx,const unsigned char * additional,size_t len,size_t nonce_len)361 static int mbedtls_ctr_drbg_reseed_internal( mbedtls_ctr_drbg_context *ctx,
362 const unsigned char *additional,
363 size_t len,
364 size_t nonce_len )
365 {
366 unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
367 size_t seedlen = 0;
368 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
369
370 if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
371 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
372 if( nonce_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
373 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
374 if( len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len - nonce_len )
375 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
376
377 memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
378
379 /* Gather entropy_len bytes of entropy to seed state. */
380 if( 0 != ctx->f_entropy( ctx->p_entropy, seed, ctx->entropy_len ) )
381 {
382 return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
383 }
384 seedlen += ctx->entropy_len;
385
386 /* Gather entropy for a nonce if requested. */
387 if( nonce_len != 0 )
388 {
389 if( 0 != ctx->f_entropy( ctx->p_entropy, seed + seedlen, nonce_len ) )
390 {
391 return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
392 }
393 seedlen += nonce_len;
394 }
395
396 /* Add additional data if provided. */
397 if( additional != NULL && len != 0 )
398 {
399 memcpy( seed + seedlen, additional, len );
400 seedlen += len;
401 }
402
403 /* Reduce to 384 bits. */
404 if( ( ret = block_cipher_df( seed, seed, seedlen ) ) != 0 )
405 goto exit;
406
407 /* Update state. */
408 if( ( ret = ctr_drbg_update_internal( ctx, seed ) ) != 0 )
409 goto exit;
410 ctx->reseed_counter = 1;
411
412 exit:
413 mbedtls_platform_zeroize( seed, sizeof( seed ) );
414 return( ret );
415 }
416
mbedtls_ctr_drbg_reseed(mbedtls_ctr_drbg_context * ctx,const unsigned char * additional,size_t len)417 int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
418 const unsigned char *additional, size_t len )
419 {
420 return( mbedtls_ctr_drbg_reseed_internal( ctx, additional, len, 0 ) );
421 }
422
423 /* Return a "good" nonce length for CTR_DRBG. The chosen nonce length
424 * is sufficient to achieve the maximum security strength given the key
425 * size and entropy length. If there is enough entropy in the initial
426 * call to the entropy function to serve as both the entropy input and
427 * the nonce, don't make a second call to get a nonce. */
good_nonce_len(size_t entropy_len)428 static size_t good_nonce_len( size_t entropy_len )
429 {
430 if( entropy_len >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2 )
431 return( 0 );
432 else
433 return( ( entropy_len + 1 ) / 2 );
434 }
435
436 /* CTR_DRBG_Instantiate with derivation function (SP 800-90A §10.2.1.3.2)
437 * mbedtls_ctr_drbg_seed(ctx, f_entropy, p_entropy, custom, len)
438 * implements
439 * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
440 * security_strength) -> initial_working_state
441 * with inputs
442 * custom[:len] = nonce || personalization_string
443 * where entropy_input comes from f_entropy for ctx->entropy_len bytes
444 * and with outputs
445 * ctx = initial_working_state
446 */
mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context * ctx,int (* f_entropy)(void *,unsigned char *,size_t),void * p_entropy,const unsigned char * custom,size_t len)447 int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
448 int (*f_entropy)(void *, unsigned char *, size_t),
449 void *p_entropy,
450 const unsigned char *custom,
451 size_t len )
452 {
453 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
454 unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
455 size_t nonce_len;
456
457 memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
458
459 /* The mutex is initialized iff f_entropy is set. */
460 #if defined(MBEDTLS_THREADING_C)
461 mbedtls_mutex_init( &ctx->mutex );
462 #endif
463
464 mbedtls_aes_init( &ctx->aes_ctx );
465
466 ctx->f_entropy = f_entropy;
467 ctx->p_entropy = p_entropy;
468
469 if( ctx->entropy_len == 0 )
470 ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
471 /* ctx->reseed_counter contains the desired amount of entropy to
472 * grab for a nonce (see mbedtls_ctr_drbg_set_nonce_len()).
473 * If it's -1, indicating that the entropy nonce length was not set
474 * explicitly, use a sufficiently large nonce for security. */
475 nonce_len = ( ctx->reseed_counter >= 0 ?
476 (size_t) ctx->reseed_counter :
477 good_nonce_len( ctx->entropy_len ) );
478
479 /* Initialize with an empty key. */
480 if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key,
481 MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
482 {
483 return( ret );
484 }
485
486 /* Do the initial seeding. */
487 if( ( ret = mbedtls_ctr_drbg_reseed_internal( ctx, custom, len,
488 nonce_len ) ) != 0 )
489 {
490 return( ret );
491 }
492 return( 0 );
493 }
494
495 /* CTR_DRBG_Generate with derivation function (SP 800-90A §10.2.1.5.2)
496 * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
497 * implements
498 * CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len])
499 * -> working_state_after_reseed
500 * if required, then
501 * CTR_DRBG_Generate(working_state_after_reseed,
502 * requested_number_of_bits, additional_input)
503 * -> status, returned_bits, new_working_state
504 * with inputs
505 * ctx contains working_state
506 * requested_number_of_bits = 8 * output_len
507 * additional[:add_len] = additional_input
508 * and entropy_input comes from calling ctx->f_entropy
509 * and with outputs
510 * status = SUCCESS (this function does the reseed internally)
511 * returned_bits = output[:output_len]
512 * ctx contains new_working_state
513 */
mbedtls_ctr_drbg_random_with_add(void * p_rng,unsigned char * output,size_t output_len,const unsigned char * additional,size_t add_len)514 int mbedtls_ctr_drbg_random_with_add( void *p_rng,
515 unsigned char *output, size_t output_len,
516 const unsigned char *additional, size_t add_len )
517 {
518 int ret = 0;
519 mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
520 unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
521 unsigned char *p = output;
522 unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
523 int i;
524 size_t use_len;
525
526 if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST )
527 return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG );
528
529 if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT )
530 return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
531
532 memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
533
534 if( ctx->reseed_counter > ctx->reseed_interval ||
535 ctx->prediction_resistance )
536 {
537 if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
538 {
539 return( ret );
540 }
541 add_len = 0;
542 }
543
544 if( add_len > 0 )
545 {
546 if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
547 goto exit;
548 if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
549 goto exit;
550 }
551
552 while( output_len > 0 )
553 {
554 /*
555 * Increase counter
556 */
557 for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
558 if( ++ctx->counter[i - 1] != 0 )
559 break;
560
561 /*
562 * Crypt counter block
563 */
564 if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
565 ctx->counter, tmp ) ) != 0 )
566 {
567 goto exit;
568 }
569
570 use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE )
571 ? MBEDTLS_CTR_DRBG_BLOCKSIZE : output_len;
572 /*
573 * Copy random block to destination
574 */
575 memcpy( p, tmp, use_len );
576 p += use_len;
577 output_len -= use_len;
578 }
579
580 if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
581 goto exit;
582
583 ctx->reseed_counter++;
584
585 exit:
586 mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
587 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
588 return( ret );
589 }
590
mbedtls_ctr_drbg_random(void * p_rng,unsigned char * output,size_t output_len)591 int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output,
592 size_t output_len )
593 {
594 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
595 mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
596
597 #if defined(MBEDTLS_THREADING_C)
598 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
599 return( ret );
600 #endif
601
602 ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 );
603
604 #if defined(MBEDTLS_THREADING_C)
605 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
606 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
607 #endif
608
609 return( ret );
610 }
611
612 #if defined(MBEDTLS_FS_IO)
mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context * ctx,const char * path)613 int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx,
614 const char *path )
615 {
616 int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
617 FILE *f;
618 unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
619
620 if( ( f = fopen( path, "wb" ) ) == NULL )
621 return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
622
623 if( ( ret = mbedtls_ctr_drbg_random( ctx, buf,
624 MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
625 goto exit;
626
627 if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) !=
628 MBEDTLS_CTR_DRBG_MAX_INPUT )
629 {
630 ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
631 }
632 else
633 {
634 ret = 0;
635 }
636
637 exit:
638 mbedtls_platform_zeroize( buf, sizeof( buf ) );
639
640 fclose( f );
641 return( ret );
642 }
643
mbedtls_ctr_drbg_update_seed_file(mbedtls_ctr_drbg_context * ctx,const char * path)644 int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx,
645 const char *path )
646 {
647 int ret = 0;
648 FILE *f = NULL;
649 size_t n;
650 unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
651 unsigned char c;
652
653 if( ( f = fopen( path, "rb" ) ) == NULL )
654 return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
655
656 n = fread( buf, 1, sizeof( buf ), f );
657 if( fread( &c, 1, 1, f ) != 0 )
658 {
659 ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
660 goto exit;
661 }
662 if( n == 0 || ferror( f ) )
663 {
664 ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
665 goto exit;
666 }
667 fclose( f );
668 f = NULL;
669
670 ret = mbedtls_ctr_drbg_update_ret( ctx, buf, n );
671
672 exit:
673 mbedtls_platform_zeroize( buf, sizeof( buf ) );
674 if( f != NULL )
675 fclose( f );
676 if( ret != 0 )
677 return( ret );
678 return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
679 }
680 #endif /* MBEDTLS_FS_IO */
681
682 #if defined(MBEDTLS_SELF_TEST)
683
684 /* The CTR_DRBG NIST test vectors used here are available at
685 * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/drbg/drbgtestvectors.zip
686 *
687 * The parameters used to derive the test data are:
688 *
689 * [AES-128 use df]
690 * [PredictionResistance = True/False]
691 * [EntropyInputLen = 128]
692 * [NonceLen = 64]
693 * [PersonalizationStringLen = 128]
694 * [AdditionalInputLen = 0]
695 * [ReturnedBitsLen = 512]
696 *
697 * [AES-256 use df]
698 * [PredictionResistance = True/False]
699 * [EntropyInputLen = 256]
700 * [NonceLen = 128]
701 * [PersonalizationStringLen = 256]
702 * [AdditionalInputLen = 0]
703 * [ReturnedBitsLen = 512]
704 *
705 */
706
707 #if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
708 static const unsigned char entropy_source_pr[] =
709 { 0x04, 0xd9, 0x49, 0xa6, 0xdc, 0xe8, 0x6e, 0xbb,
710 0xf1, 0x08, 0x77, 0x2b, 0x9e, 0x08, 0xca, 0x92,
711 0x65, 0x16, 0xda, 0x99, 0xa2, 0x59, 0xf3, 0xe8,
712 0x38, 0x7e, 0x3f, 0x6b, 0x51, 0x70, 0x7b, 0x20,
713 0xec, 0x53, 0xd0, 0x66, 0xc3, 0x0f, 0xe3, 0xb0,
714 0xe0, 0x86, 0xa6, 0xaa, 0x5f, 0x72, 0x2f, 0xad,
715 0xf7, 0xef, 0x06, 0xb8, 0xd6, 0x9c, 0x9d, 0xe8 };
716
717 static const unsigned char entropy_source_nopr[] =
718 { 0x07, 0x0d, 0x59, 0x63, 0x98, 0x73, 0xa5, 0x45,
719 0x27, 0x38, 0x22, 0x7b, 0x76, 0x85, 0xd1, 0xa9,
720 0x74, 0x18, 0x1f, 0x3c, 0x22, 0xf6, 0x49, 0x20,
721 0x4a, 0x47, 0xc2, 0xf3, 0x85, 0x16, 0xb4, 0x6f,
722 0x00, 0x2e, 0x71, 0xda, 0xed, 0x16, 0x9b, 0x5c };
723
724 static const unsigned char pers_pr[] =
725 { 0xbf, 0xa4, 0x9a, 0x8f, 0x7b, 0xd8, 0xb1, 0x7a,
726 0x9d, 0xfa, 0x45, 0xed, 0x21, 0x52, 0xb3, 0xad };
727
728 static const unsigned char pers_nopr[] =
729 { 0x4e, 0x61, 0x79, 0xd4, 0xc2, 0x72, 0xa1, 0x4c,
730 0xf1, 0x3d, 0xf6, 0x5e, 0xa3, 0xa6, 0xe5, 0x0f };
731
732 static const unsigned char result_pr[] =
733 { 0xc9, 0x0a, 0xaf, 0x85, 0x89, 0x71, 0x44, 0x66,
734 0x4f, 0x25, 0x0b, 0x2b, 0xde, 0xd8, 0xfa, 0xff,
735 0x52, 0x5a, 0x1b, 0x32, 0x5e, 0x41, 0x7a, 0x10,
736 0x1f, 0xef, 0x1e, 0x62, 0x23, 0xe9, 0x20, 0x30,
737 0xc9, 0x0d, 0xad, 0x69, 0xb4, 0x9c, 0x5b, 0xf4,
738 0x87, 0x42, 0xd5, 0xae, 0x5e, 0x5e, 0x43, 0xcc,
739 0xd9, 0xfd, 0x0b, 0x93, 0x4a, 0xe3, 0xd4, 0x06,
740 0x37, 0x36, 0x0f, 0x3f, 0x72, 0x82, 0x0c, 0xcf };
741
742 static const unsigned char result_nopr[] =
743 { 0x31, 0xc9, 0x91, 0x09, 0xf8, 0xc5, 0x10, 0x13,
744 0x3c, 0xd3, 0x96, 0xf9, 0xbc, 0x2c, 0x12, 0xc0,
745 0x7c, 0xc1, 0x61, 0x5f, 0xa3, 0x09, 0x99, 0xaf,
746 0xd7, 0xf2, 0x36, 0xfd, 0x40, 0x1a, 0x8b, 0xf2,
747 0x33, 0x38, 0xee, 0x1d, 0x03, 0x5f, 0x83, 0xb7,
748 0xa2, 0x53, 0xdc, 0xee, 0x18, 0xfc, 0xa7, 0xf2,
749 0xee, 0x96, 0xc6, 0xc2, 0xcd, 0x0c, 0xff, 0x02,
750 0x76, 0x70, 0x69, 0xaa, 0x69, 0xd1, 0x3b, 0xe8 };
751 #else /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
752
753 static const unsigned char entropy_source_pr[] =
754 { 0xca, 0x58, 0xfd, 0xf2, 0xb9, 0x77, 0xcb, 0x49,
755 0xd4, 0xe0, 0x5b, 0xe2, 0x39, 0x50, 0xd9, 0x8a,
756 0x6a, 0xb3, 0xc5, 0x2f, 0xdf, 0x74, 0xd5, 0x85,
757 0x8f, 0xd1, 0xba, 0x64, 0x54, 0x7b, 0xdb, 0x1e,
758 0xc5, 0xea, 0x24, 0xc0, 0xfa, 0x0c, 0x90, 0x15,
759 0x09, 0x20, 0x92, 0x42, 0x32, 0x36, 0x45, 0x45,
760 0x7d, 0x20, 0x76, 0x6b, 0xcf, 0xa2, 0x15, 0xc8,
761 0x2f, 0x9f, 0xbc, 0x88, 0x3f, 0x80, 0xd1, 0x2c,
762 0xb7, 0x16, 0xd1, 0x80, 0x9e, 0xe1, 0xc9, 0xb3,
763 0x88, 0x1b, 0x21, 0x45, 0xef, 0xa1, 0x7f, 0xce,
764 0xc8, 0x92, 0x35, 0x55, 0x2a, 0xd9, 0x1d, 0x8e,
765 0x12, 0x38, 0xac, 0x01, 0x4e, 0x38, 0x18, 0x76,
766 0x9c, 0xf2, 0xb6, 0xd4, 0x13, 0xb6, 0x2c, 0x77,
767 0xc0, 0xe7, 0xe6, 0x0c, 0x47, 0x44, 0x95, 0xbe };
768
769 static const unsigned char entropy_source_nopr[] =
770 { 0x4c, 0xfb, 0x21, 0x86, 0x73, 0x34, 0x6d, 0x9d,
771 0x50, 0xc9, 0x22, 0xe4, 0x9b, 0x0d, 0xfc, 0xd0,
772 0x90, 0xad, 0xf0, 0x4f, 0x5c, 0x3b, 0xa4, 0x73,
773 0x27, 0xdf, 0xcd, 0x6f, 0xa6, 0x3a, 0x78, 0x5c,
774 0x01, 0x69, 0x62, 0xa7, 0xfd, 0x27, 0x87, 0xa2,
775 0x4b, 0xf6, 0xbe, 0x47, 0xef, 0x37, 0x83, 0xf1,
776 0xb7, 0xec, 0x46, 0x07, 0x23, 0x63, 0x83, 0x4a,
777 0x1b, 0x01, 0x33, 0xf2, 0xc2, 0x38, 0x91, 0xdb,
778 0x4f, 0x11, 0xa6, 0x86, 0x51, 0xf2, 0x3e, 0x3a,
779 0x8b, 0x1f, 0xdc, 0x03, 0xb1, 0x92, 0xc7, 0xe7 };
780
781 static const unsigned char pers_pr[] =
782 { 0x5a, 0x70, 0x95, 0xe9, 0x81, 0x40, 0x52, 0x33,
783 0x91, 0x53, 0x7e, 0x75, 0xd6, 0x19, 0x9d, 0x1e,
784 0xad, 0x0d, 0xc6, 0xa7, 0xde, 0x6c, 0x1f, 0xe0,
785 0xea, 0x18, 0x33, 0xa8, 0x7e, 0x06, 0x20, 0xe9 };
786
787 static const unsigned char pers_nopr[] =
788 { 0x88, 0xee, 0xb8, 0xe0, 0xe8, 0x3b, 0xf3, 0x29,
789 0x4b, 0xda, 0xcd, 0x60, 0x99, 0xeb, 0xe4, 0xbf,
790 0x55, 0xec, 0xd9, 0x11, 0x3f, 0x71, 0xe5, 0xeb,
791 0xcb, 0x45, 0x75, 0xf3, 0xd6, 0xa6, 0x8a, 0x6b };
792
793 static const unsigned char result_pr[] =
794 { 0xce, 0x2f, 0xdb, 0xb6, 0xd9, 0xb7, 0x39, 0x85,
795 0x04, 0xc5, 0xc0, 0x42, 0xc2, 0x31, 0xc6, 0x1d,
796 0x9b, 0x5a, 0x59, 0xf8, 0x7e, 0x0d, 0xcc, 0x62,
797 0x7b, 0x65, 0x11, 0x55, 0x10, 0xeb, 0x9e, 0x3d,
798 0xa4, 0xfb, 0x1c, 0x6a, 0x18, 0xc0, 0x74, 0xdb,
799 0xdd, 0xe7, 0x02, 0x23, 0x63, 0x21, 0xd0, 0x39,
800 0xf9, 0xa7, 0xc4, 0x52, 0x84, 0x3b, 0x49, 0x40,
801 0x72, 0x2b, 0xb0, 0x6c, 0x9c, 0xdb, 0xc3, 0x43 };
802
803 static const unsigned char result_nopr[] =
804 { 0xa5, 0x51, 0x80, 0xa1, 0x90, 0xbe, 0xf3, 0xad,
805 0xaf, 0x28, 0xf6, 0xb7, 0x95, 0xe9, 0xf1, 0xf3,
806 0xd6, 0xdf, 0xa1, 0xb2, 0x7d, 0xd0, 0x46, 0x7b,
807 0x0c, 0x75, 0xf5, 0xfa, 0x93, 0x1e, 0x97, 0x14,
808 0x75, 0xb2, 0x7c, 0xae, 0x03, 0xa2, 0x96, 0x54,
809 0xe2, 0xf4, 0x09, 0x66, 0xea, 0x33, 0x64, 0x30,
810 0x40, 0xd1, 0x40, 0x0f, 0xe6, 0x77, 0x87, 0x3a,
811 0xf8, 0x09, 0x7c, 0x1f, 0xe9, 0xf0, 0x02, 0x98 };
812 #endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
813
814 static size_t test_offset;
ctr_drbg_self_test_entropy(void * data,unsigned char * buf,size_t len)815 static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf,
816 size_t len )
817 {
818 const unsigned char *p = data;
819 memcpy( buf, p + test_offset, len );
820 test_offset += len;
821 return( 0 );
822 }
823
824 #define CHK( c ) if( (c) != 0 ) \
825 { \
826 if( verbose != 0 ) \
827 mbedtls_printf( "failed\n" ); \
828 return( 1 ); \
829 }
830
831 #define SELF_TEST_OUTPUT_DISCARD_LENGTH 64
832
833 /*
834 * Checkup routine
835 */
mbedtls_ctr_drbg_self_test(int verbose)836 int mbedtls_ctr_drbg_self_test( int verbose )
837 {
838 mbedtls_ctr_drbg_context ctx;
839 unsigned char buf[ sizeof( result_pr ) ];
840
841 mbedtls_ctr_drbg_init( &ctx );
842
843 /*
844 * Based on a NIST CTR_DRBG test vector (PR = True)
845 */
846 if( verbose != 0 )
847 mbedtls_printf( " CTR_DRBG (PR = TRUE) : " );
848
849 test_offset = 0;
850 mbedtls_ctr_drbg_set_entropy_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE );
851 mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2 );
852 CHK( mbedtls_ctr_drbg_seed( &ctx,
853 ctr_drbg_self_test_entropy,
854 (void *) entropy_source_pr,
855 pers_pr, MBEDTLS_CTR_DRBG_KEYSIZE ) );
856 mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
857 CHK( mbedtls_ctr_drbg_random( &ctx, buf, SELF_TEST_OUTPUT_DISCARD_LENGTH ) );
858 CHK( mbedtls_ctr_drbg_random( &ctx, buf, sizeof( result_pr ) ) );
859 CHK( memcmp( buf, result_pr, sizeof( result_pr ) ) );
860
861 mbedtls_ctr_drbg_free( &ctx );
862
863 if( verbose != 0 )
864 mbedtls_printf( "passed\n" );
865
866 /*
867 * Based on a NIST CTR_DRBG test vector (PR = FALSE)
868 */
869 if( verbose != 0 )
870 mbedtls_printf( " CTR_DRBG (PR = FALSE): " );
871
872 mbedtls_ctr_drbg_init( &ctx );
873
874 test_offset = 0;
875 mbedtls_ctr_drbg_set_entropy_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE);
876 mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2 );
877 CHK( mbedtls_ctr_drbg_seed( &ctx,
878 ctr_drbg_self_test_entropy,
879 (void *) entropy_source_nopr,
880 pers_nopr, MBEDTLS_CTR_DRBG_KEYSIZE ) );
881 CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
882 CHK( mbedtls_ctr_drbg_random( &ctx, buf, SELF_TEST_OUTPUT_DISCARD_LENGTH ) );
883 CHK( mbedtls_ctr_drbg_random( &ctx, buf, sizeof( result_nopr ) ) );
884 CHK( memcmp( buf, result_nopr, sizeof( result_nopr ) ) );
885
886 mbedtls_ctr_drbg_free( &ctx );
887
888 if( verbose != 0 )
889 mbedtls_printf( "passed\n" );
890
891 if( verbose != 0 )
892 mbedtls_printf( "\n" );
893
894 return( 0 );
895 }
896 #endif /* MBEDTLS_SELF_TEST */
897
898 #endif /* MBEDTLS_CTR_DRBG_C */
899