hmac_drbg.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529
  1. /*
  2. * HMAC_DRBG implementation (NIST SP 800-90)
  3. *
  4. * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
  5. * SPDX-License-Identifier: Apache-2.0
  6. *
  7. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  8. * not use this file except in compliance with the License.
  9. * You may obtain a copy of the License at
  10. *
  11. * http://www.apache.org/licenses/LICENSE-2.0
  12. *
  13. * Unless required by applicable law or agreed to in writing, software
  14. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  15. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16. * See the License for the specific language governing permissions and
  17. * limitations under the License.
  18. *
  19. * This file is part of mbed TLS (https://tls.mbed.org)
  20. */
  21. /*
  22. * The NIST SP 800-90A DRBGs are described in the following publication.
  23. * http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
  24. * References below are based on rev. 1 (January 2012).
  25. */
  26. #if !defined(MBEDTLS_CONFIG_FILE)
  27. #include "mbedtls/config.h"
  28. #else
  29. #include MBEDTLS_CONFIG_FILE
  30. #endif
  31. #if defined(MBEDTLS_HMAC_DRBG_C)
  32. #include "mbedtls/hmac_drbg.h"
  33. #include <string.h>
  34. #if defined(MBEDTLS_FS_IO)
  35. #include <stdio.h>
  36. #endif
  37. #if defined(MBEDTLS_SELF_TEST)
  38. #if defined(MBEDTLS_PLATFORM_C)
  39. #include "mbedtls/platform.h"
  40. #else
  41. #include <stdio.h>
  42. #define mbedtls_printf printf
  43. #endif /* MBEDTLS_SELF_TEST */
  44. #endif /* MBEDTLS_PLATFORM_C */
  45. /* Implementation that should never be optimized out by the compiler */
  46. static void mbedtls_zeroize( void *v, size_t n ) {
  47. volatile unsigned char *p = v; while( n-- ) *p++ = 0;
  48. }
  49. /*
  50. * HMAC_DRBG context initialization
  51. */
  52. void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx )
  53. {
  54. memset( ctx, 0, sizeof( mbedtls_hmac_drbg_context ) );
  55. #if defined(MBEDTLS_THREADING_C)
  56. mbedtls_mutex_init( &ctx->mutex );
  57. #endif
  58. }
  59. /*
  60. * HMAC_DRBG update, using optional additional data (10.1.2.2)
  61. */
  62. void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
  63. const unsigned char *additional, size_t add_len )
  64. {
  65. size_t md_len = mbedtls_md_get_size( ctx->md_ctx.md_info );
  66. unsigned char rounds = ( additional != NULL && add_len != 0 ) ? 2 : 1;
  67. unsigned char sep[1];
  68. unsigned char K[MBEDTLS_MD_MAX_SIZE];
  69. for( sep[0] = 0; sep[0] < rounds; sep[0]++ )
  70. {
  71. /* Step 1 or 4 */
  72. mbedtls_md_hmac_reset( &ctx->md_ctx );
  73. mbedtls_md_hmac_update( &ctx->md_ctx, ctx->V, md_len );
  74. mbedtls_md_hmac_update( &ctx->md_ctx, sep, 1 );
  75. if( rounds == 2 )
  76. mbedtls_md_hmac_update( &ctx->md_ctx, additional, add_len );
  77. mbedtls_md_hmac_finish( &ctx->md_ctx, K );
  78. /* Step 2 or 5 */
  79. mbedtls_md_hmac_starts( &ctx->md_ctx, K, md_len );
  80. mbedtls_md_hmac_update( &ctx->md_ctx, ctx->V, md_len );
  81. mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V );
  82. }
  83. }
  84. /*
  85. * Simplified HMAC_DRBG initialisation (for use with deterministic ECDSA)
  86. */
  87. int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
  88. const mbedtls_md_info_t * md_info,
  89. const unsigned char *data, size_t data_len )
  90. {
  91. int ret;
  92. if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
  93. return( ret );
  94. /*
  95. * Set initial working state.
  96. * Use the V memory location, which is currently all 0, to initialize the
  97. * MD context with an all-zero key. Then set V to its initial value.
  98. */
  99. mbedtls_md_hmac_starts( &ctx->md_ctx, ctx->V, mbedtls_md_get_size( md_info ) );
  100. memset( ctx->V, 0x01, mbedtls_md_get_size( md_info ) );
  101. mbedtls_hmac_drbg_update( ctx, data, data_len );
  102. return( 0 );
  103. }
  104. /*
  105. * HMAC_DRBG reseeding: 10.1.2.4 (arabic) + 9.2 (Roman)
  106. */
  107. int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
  108. const unsigned char *additional, size_t len )
  109. {
  110. unsigned char seed[MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT];
  111. size_t seedlen;
  112. /* III. Check input length */
  113. if( len > MBEDTLS_HMAC_DRBG_MAX_INPUT ||
  114. ctx->entropy_len + len > MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT )
  115. {
  116. return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
  117. }
  118. memset( seed, 0, MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT );
  119. /* IV. Gather entropy_len bytes of entropy for the seed */
  120. if( ctx->f_entropy( ctx->p_entropy, seed, ctx->entropy_len ) != 0 )
  121. return( MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED );
  122. seedlen = ctx->entropy_len;
  123. /* 1. Concatenate entropy and additional data if any */
  124. if( additional != NULL && len != 0 )
  125. {
  126. memcpy( seed + seedlen, additional, len );
  127. seedlen += len;
  128. }
  129. /* 2. Update state */
  130. mbedtls_hmac_drbg_update( ctx, seed, seedlen );
  131. /* 3. Reset reseed_counter */
  132. ctx->reseed_counter = 1;
  133. /* 4. Done */
  134. return( 0 );
  135. }
  136. /*
  137. * HMAC_DRBG initialisation (10.1.2.3 + 9.1)
  138. */
  139. int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
  140. const mbedtls_md_info_t * md_info,
  141. int (*f_entropy)(void *, unsigned char *, size_t),
  142. void *p_entropy,
  143. const unsigned char *custom,
  144. size_t len )
  145. {
  146. int ret;
  147. size_t entropy_len, md_size;
  148. if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
  149. return( ret );
  150. md_size = mbedtls_md_get_size( md_info );
  151. /*
  152. * Set initial working state.
  153. * Use the V memory location, which is currently all 0, to initialize the
  154. * MD context with an all-zero key. Then set V to its initial value.
  155. */
  156. mbedtls_md_hmac_starts( &ctx->md_ctx, ctx->V, md_size );
  157. memset( ctx->V, 0x01, md_size );
  158. ctx->f_entropy = f_entropy;
  159. ctx->p_entropy = p_entropy;
  160. ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
  161. /*
  162. * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
  163. * each hash function, then according to SP800-90A rev1 10.1 table 2,
  164. * min_entropy_len (in bits) is security_strength.
  165. *
  166. * (This also matches the sizes used in the NIST test vectors.)
  167. */
  168. entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
  169. md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
  170. 32; /* better (256+) -> 256 bits */
  171. /*
  172. * For initialisation, use more entropy to emulate a nonce
  173. * (Again, matches test vectors.)
  174. */
  175. ctx->entropy_len = entropy_len * 3 / 2;
  176. if( ( ret = mbedtls_hmac_drbg_reseed( ctx, custom, len ) ) != 0 )
  177. return( ret );
  178. ctx->entropy_len = entropy_len;
  179. return( 0 );
  180. }
  181. /*
  182. * Set prediction resistance
  183. */
  184. void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx,
  185. int resistance )
  186. {
  187. ctx->prediction_resistance = resistance;
  188. }
  189. /*
  190. * Set entropy length grabbed for reseeds
  191. */
  192. void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, size_t len )
  193. {
  194. ctx->entropy_len = len;
  195. }
  196. /*
  197. * Set reseed interval
  198. */
  199. void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx, int interval )
  200. {
  201. ctx->reseed_interval = interval;
  202. }
  203. /*
  204. * HMAC_DRBG random function with optional additional data:
  205. * 10.1.2.5 (arabic) + 9.3 (Roman)
  206. */
  207. int mbedtls_hmac_drbg_random_with_add( void *p_rng,
  208. unsigned char *output, size_t out_len,
  209. const unsigned char *additional, size_t add_len )
  210. {
  211. int ret;
  212. mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
  213. size_t md_len = mbedtls_md_get_size( ctx->md_ctx.md_info );
  214. size_t left = out_len;
  215. unsigned char *out = output;
  216. /* II. Check request length */
  217. if( out_len > MBEDTLS_HMAC_DRBG_MAX_REQUEST )
  218. return( MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG );
  219. /* III. Check input length */
  220. if( add_len > MBEDTLS_HMAC_DRBG_MAX_INPUT )
  221. return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
  222. /* 1. (aka VII and IX) Check reseed counter and PR */
  223. if( ctx->f_entropy != NULL && /* For no-reseeding instances */
  224. ( ctx->prediction_resistance == MBEDTLS_HMAC_DRBG_PR_ON ||
  225. ctx->reseed_counter > ctx->reseed_interval ) )
  226. {
  227. if( ( ret = mbedtls_hmac_drbg_reseed( ctx, additional, add_len ) ) != 0 )
  228. return( ret );
  229. add_len = 0; /* VII.4 */
  230. }
  231. /* 2. Use additional data if any */
  232. if( additional != NULL && add_len != 0 )
  233. mbedtls_hmac_drbg_update( ctx, additional, add_len );
  234. /* 3, 4, 5. Generate bytes */
  235. while( left != 0 )
  236. {
  237. size_t use_len = left > md_len ? md_len : left;
  238. mbedtls_md_hmac_reset( &ctx->md_ctx );
  239. mbedtls_md_hmac_update( &ctx->md_ctx, ctx->V, md_len );
  240. mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V );
  241. memcpy( out, ctx->V, use_len );
  242. out += use_len;
  243. left -= use_len;
  244. }
  245. /* 6. Update */
  246. mbedtls_hmac_drbg_update( ctx, additional, add_len );
  247. /* 7. Update reseed counter */
  248. ctx->reseed_counter++;
  249. /* 8. Done */
  250. return( 0 );
  251. }
  252. /*
  253. * HMAC_DRBG random function
  254. */
  255. int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len )
  256. {
  257. int ret;
  258. mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
  259. #if defined(MBEDTLS_THREADING_C)
  260. if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
  261. return( ret );
  262. #endif
  263. ret = mbedtls_hmac_drbg_random_with_add( ctx, output, out_len, NULL, 0 );
  264. #if defined(MBEDTLS_THREADING_C)
  265. if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
  266. return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
  267. #endif
  268. return( ret );
  269. }
  270. /*
  271. * Free an HMAC_DRBG context
  272. */
  273. void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx )
  274. {
  275. if( ctx == NULL )
  276. return;
  277. #if defined(MBEDTLS_THREADING_C)
  278. mbedtls_mutex_free( &ctx->mutex );
  279. #endif
  280. mbedtls_md_free( &ctx->md_ctx );
  281. mbedtls_zeroize( ctx, sizeof( mbedtls_hmac_drbg_context ) );
  282. }
  283. #if defined(MBEDTLS_FS_IO)
  284. int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path )
  285. {
  286. int ret;
  287. FILE *f;
  288. unsigned char buf[ MBEDTLS_HMAC_DRBG_MAX_INPUT ];
  289. if( ( f = fopen( path, "wb" ) ) == NULL )
  290. return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
  291. if( ( ret = mbedtls_hmac_drbg_random( ctx, buf, sizeof( buf ) ) ) != 0 )
  292. goto exit;
  293. if( fwrite( buf, 1, sizeof( buf ), f ) != sizeof( buf ) )
  294. {
  295. ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
  296. goto exit;
  297. }
  298. ret = 0;
  299. exit:
  300. fclose( f );
  301. return( ret );
  302. }
  303. int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path )
  304. {
  305. FILE *f;
  306. size_t n;
  307. unsigned char buf[ MBEDTLS_HMAC_DRBG_MAX_INPUT ];
  308. if( ( f = fopen( path, "rb" ) ) == NULL )
  309. return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
  310. fseek( f, 0, SEEK_END );
  311. n = (size_t) ftell( f );
  312. fseek( f, 0, SEEK_SET );
  313. if( n > MBEDTLS_HMAC_DRBG_MAX_INPUT )
  314. {
  315. fclose( f );
  316. return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
  317. }
  318. if( fread( buf, 1, n, f ) != n )
  319. {
  320. fclose( f );
  321. return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
  322. }
  323. fclose( f );
  324. mbedtls_hmac_drbg_update( ctx, buf, n );
  325. return( mbedtls_hmac_drbg_write_seed_file( ctx, path ) );
  326. }
  327. #endif /* MBEDTLS_FS_IO */
  328. #if defined(MBEDTLS_SELF_TEST)
  329. #if !defined(MBEDTLS_SHA1_C)
  330. /* Dummy checkup routine */
  331. int mbedtls_hmac_drbg_self_test( int verbose )
  332. {
  333. (void) verbose;
  334. return( 0 );
  335. }
  336. #else
  337. #define OUTPUT_LEN 80
  338. /* From a NIST PR=true test vector */
  339. static const unsigned char entropy_pr[] = {
  340. 0xa0, 0xc9, 0xab, 0x58, 0xf1, 0xe2, 0xe5, 0xa4, 0xde, 0x3e, 0xbd, 0x4f,
  341. 0xf7, 0x3e, 0x9c, 0x5b, 0x64, 0xef, 0xd8, 0xca, 0x02, 0x8c, 0xf8, 0x11,
  342. 0x48, 0xa5, 0x84, 0xfe, 0x69, 0xab, 0x5a, 0xee, 0x42, 0xaa, 0x4d, 0x42,
  343. 0x17, 0x60, 0x99, 0xd4, 0x5e, 0x13, 0x97, 0xdc, 0x40, 0x4d, 0x86, 0xa3,
  344. 0x7b, 0xf5, 0x59, 0x54, 0x75, 0x69, 0x51, 0xe4 };
  345. static const unsigned char result_pr[OUTPUT_LEN] = {
  346. 0x9a, 0x00, 0xa2, 0xd0, 0x0e, 0xd5, 0x9b, 0xfe, 0x31, 0xec, 0xb1, 0x39,
  347. 0x9b, 0x60, 0x81, 0x48, 0xd1, 0x96, 0x9d, 0x25, 0x0d, 0x3c, 0x1e, 0x94,
  348. 0x10, 0x10, 0x98, 0x12, 0x93, 0x25, 0xca, 0xb8, 0xfc, 0xcc, 0x2d, 0x54,
  349. 0x73, 0x19, 0x70, 0xc0, 0x10, 0x7a, 0xa4, 0x89, 0x25, 0x19, 0x95, 0x5e,
  350. 0x4b, 0xc6, 0x00, 0x1d, 0x7f, 0x4e, 0x6a, 0x2b, 0xf8, 0xa3, 0x01, 0xab,
  351. 0x46, 0x05, 0x5c, 0x09, 0xa6, 0x71, 0x88, 0xf1, 0xa7, 0x40, 0xee, 0xf3,
  352. 0xe1, 0x5c, 0x02, 0x9b, 0x44, 0xaf, 0x03, 0x44 };
  353. /* From a NIST PR=false test vector */
  354. static const unsigned char entropy_nopr[] = {
  355. 0x79, 0x34, 0x9b, 0xbf, 0x7c, 0xdd, 0xa5, 0x79, 0x95, 0x57, 0x86, 0x66,
  356. 0x21, 0xc9, 0x13, 0x83, 0x11, 0x46, 0x73, 0x3a, 0xbf, 0x8c, 0x35, 0xc8,
  357. 0xc7, 0x21, 0x5b, 0x5b, 0x96, 0xc4, 0x8e, 0x9b, 0x33, 0x8c, 0x74, 0xe3,
  358. 0xe9, 0x9d, 0xfe, 0xdf };
  359. static const unsigned char result_nopr[OUTPUT_LEN] = {
  360. 0xc6, 0xa1, 0x6a, 0xb8, 0xd4, 0x20, 0x70, 0x6f, 0x0f, 0x34, 0xab, 0x7f,
  361. 0xec, 0x5a, 0xdc, 0xa9, 0xd8, 0xca, 0x3a, 0x13, 0x3e, 0x15, 0x9c, 0xa6,
  362. 0xac, 0x43, 0xc6, 0xf8, 0xa2, 0xbe, 0x22, 0x83, 0x4a, 0x4c, 0x0a, 0x0a,
  363. 0xff, 0xb1, 0x0d, 0x71, 0x94, 0xf1, 0xc1, 0xa5, 0xcf, 0x73, 0x22, 0xec,
  364. 0x1a, 0xe0, 0x96, 0x4e, 0xd4, 0xbf, 0x12, 0x27, 0x46, 0xe0, 0x87, 0xfd,
  365. 0xb5, 0xb3, 0xe9, 0x1b, 0x34, 0x93, 0xd5, 0xbb, 0x98, 0xfa, 0xed, 0x49,
  366. 0xe8, 0x5f, 0x13, 0x0f, 0xc8, 0xa4, 0x59, 0xb7 };
  367. /* "Entropy" from buffer */
  368. static size_t test_offset;
  369. static int hmac_drbg_self_test_entropy( void *data,
  370. unsigned char *buf, size_t len )
  371. {
  372. const unsigned char *p = data;
  373. memcpy( buf, p + test_offset, len );
  374. test_offset += len;
  375. return( 0 );
  376. }
  377. #define CHK( c ) if( (c) != 0 ) \
  378. { \
  379. if( verbose != 0 ) \
  380. mbedtls_printf( "failed\n" ); \
  381. return( 1 ); \
  382. }
  383. /*
  384. * Checkup routine for HMAC_DRBG with SHA-1
  385. */
  386. int mbedtls_hmac_drbg_self_test( int verbose )
  387. {
  388. mbedtls_hmac_drbg_context ctx;
  389. unsigned char buf[OUTPUT_LEN];
  390. const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 );
  391. mbedtls_hmac_drbg_init( &ctx );
  392. /*
  393. * PR = True
  394. */
  395. if( verbose != 0 )
  396. mbedtls_printf( " HMAC_DRBG (PR = True) : " );
  397. test_offset = 0;
  398. CHK( mbedtls_hmac_drbg_seed( &ctx, md_info,
  399. hmac_drbg_self_test_entropy, (void *) entropy_pr,
  400. NULL, 0 ) );
  401. mbedtls_hmac_drbg_set_prediction_resistance( &ctx, MBEDTLS_HMAC_DRBG_PR_ON );
  402. CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
  403. CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
  404. CHK( memcmp( buf, result_pr, OUTPUT_LEN ) );
  405. mbedtls_hmac_drbg_free( &ctx );
  406. mbedtls_hmac_drbg_free( &ctx );
  407. if( verbose != 0 )
  408. mbedtls_printf( "passed\n" );
  409. /*
  410. * PR = False
  411. */
  412. if( verbose != 0 )
  413. mbedtls_printf( " HMAC_DRBG (PR = False) : " );
  414. mbedtls_hmac_drbg_init( &ctx );
  415. test_offset = 0;
  416. CHK( mbedtls_hmac_drbg_seed( &ctx, md_info,
  417. hmac_drbg_self_test_entropy, (void *) entropy_nopr,
  418. NULL, 0 ) );
  419. CHK( mbedtls_hmac_drbg_reseed( &ctx, NULL, 0 ) );
  420. CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
  421. CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
  422. CHK( memcmp( buf, result_nopr, OUTPUT_LEN ) );
  423. mbedtls_hmac_drbg_free( &ctx );
  424. mbedtls_hmac_drbg_free( &ctx );
  425. if( verbose != 0 )
  426. mbedtls_printf( "passed\n" );
  427. if( verbose != 0 )
  428. mbedtls_printf( "\n" );
  429. return( 0 );
  430. }
  431. #endif /* MBEDTLS_SHA1_C */
  432. #endif /* MBEDTLS_SELF_TEST */
  433. #endif /* MBEDTLS_HMAC_DRBG_C */