ctr_drbg.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594
  1. /*
  2. * CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
  3. *
  4. * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
  5. * SPDX-License-Identifier: Apache-2.0
  6. *
  7. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  8. * not use this file except in compliance with the License.
  9. * You may obtain a copy of the License at
  10. *
  11. * http://www.apache.org/licenses/LICENSE-2.0
  12. *
  13. * Unless required by applicable law or agreed to in writing, software
  14. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  15. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16. * See the License for the specific language governing permissions and
  17. * limitations under the License.
  18. *
  19. * This file is part of mbed TLS (https://tls.mbed.org)
  20. */
  21. /*
  22. * The NIST SP 800-90 DRBGs are described in the following publucation.
  23. *
  24. * http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
  25. */
  26. #if !defined(MBEDTLS_CONFIG_FILE)
  27. #include "mbedtls/config.h"
  28. #else
  29. #include MBEDTLS_CONFIG_FILE
  30. #endif
  31. #if defined(MBEDTLS_CTR_DRBG_C)
  32. #include "mbedtls/ctr_drbg.h"
  33. #include <string.h>
  34. #if defined(MBEDTLS_FS_IO)
  35. #include <stdio.h>
  36. #endif
  37. #if defined(MBEDTLS_SELF_TEST)
  38. #if defined(MBEDTLS_PLATFORM_C)
  39. #include "mbedtls/platform.h"
  40. #else
  41. #include <stdio.h>
  42. #define mbedtls_printf printf
  43. #endif /* MBEDTLS_PLATFORM_C */
  44. #endif /* MBEDTLS_SELF_TEST */
  45. /* Implementation that should never be optimized out by the compiler */
  46. static void mbedtls_zeroize( void *v, size_t n ) {
  47. volatile unsigned char *p = v; while( n-- ) *p++ = 0;
  48. }
  49. /*
  50. * CTR_DRBG context initialization
  51. */
  52. void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
  53. {
  54. memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) );
  55. #if defined(MBEDTLS_THREADING_C)
  56. mbedtls_mutex_init( &ctx->mutex );
  57. #endif
  58. }
  59. /*
  60. * Non-public function wrapped by mbedtls_ctr_drbg_seed(). Necessary to allow
  61. * NIST tests to succeed (which require known length fixed entropy)
  62. */
  63. int mbedtls_ctr_drbg_seed_entropy_len(
  64. mbedtls_ctr_drbg_context *ctx,
  65. int (*f_entropy)(void *, unsigned char *, size_t),
  66. void *p_entropy,
  67. const unsigned char *custom,
  68. size_t len,
  69. size_t entropy_len )
  70. {
  71. int ret;
  72. unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
  73. memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
  74. mbedtls_aes_init( &ctx->aes_ctx );
  75. ctx->f_entropy = f_entropy;
  76. ctx->p_entropy = p_entropy;
  77. ctx->entropy_len = entropy_len;
  78. ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
  79. /*
  80. * Initialize with an empty key
  81. */
  82. mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS );
  83. if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
  84. return( ret );
  85. return( 0 );
  86. }
  87. int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
  88. int (*f_entropy)(void *, unsigned char *, size_t),
  89. void *p_entropy,
  90. const unsigned char *custom,
  91. size_t len )
  92. {
  93. return( mbedtls_ctr_drbg_seed_entropy_len( ctx, f_entropy, p_entropy, custom, len,
  94. MBEDTLS_CTR_DRBG_ENTROPY_LEN ) );
  95. }
  96. void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
  97. {
  98. if( ctx == NULL )
  99. return;
  100. #if defined(MBEDTLS_THREADING_C)
  101. mbedtls_mutex_free( &ctx->mutex );
  102. #endif
  103. mbedtls_aes_free( &ctx->aes_ctx );
  104. mbedtls_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
  105. }
  106. void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx, int resistance )
  107. {
  108. ctx->prediction_resistance = resistance;
  109. }
  110. void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx, size_t len )
  111. {
  112. ctx->entropy_len = len;
  113. }
  114. void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx, int interval )
  115. {
  116. ctx->reseed_interval = interval;
  117. }
  118. static int block_cipher_df( unsigned char *output,
  119. const unsigned char *data, size_t data_len )
  120. {
  121. unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
  122. unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
  123. unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
  124. unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
  125. unsigned char *p, *iv;
  126. mbedtls_aes_context aes_ctx;
  127. int i, j;
  128. size_t buf_len, use_len;
  129. if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
  130. return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
  131. memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 );
  132. mbedtls_aes_init( &aes_ctx );
  133. /*
  134. * Construct IV (16 bytes) and S in buffer
  135. * IV = Counter (in 32-bits) padded to 16 with zeroes
  136. * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
  137. * data || 0x80
  138. * (Total is padded to a multiple of 16-bytes with zeroes)
  139. */
  140. p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
  141. *p++ = ( data_len >> 24 ) & 0xff;
  142. *p++ = ( data_len >> 16 ) & 0xff;
  143. *p++ = ( data_len >> 8 ) & 0xff;
  144. *p++ = ( data_len ) & 0xff;
  145. p += 3;
  146. *p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
  147. memcpy( p, data, data_len );
  148. p[data_len] = 0x80;
  149. buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
  150. for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
  151. key[i] = i;
  152. mbedtls_aes_setkey_enc( &aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS );
  153. /*
  154. * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
  155. */
  156. for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
  157. {
  158. p = buf;
  159. memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE );
  160. use_len = buf_len;
  161. while( use_len > 0 )
  162. {
  163. for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ )
  164. chain[i] ^= p[i];
  165. p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
  166. use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ?
  167. MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
  168. mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain );
  169. }
  170. memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE );
  171. /*
  172. * Update IV
  173. */
  174. buf[3]++;
  175. }
  176. /*
  177. * Do final encryption with reduced data
  178. */
  179. mbedtls_aes_setkey_enc( &aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
  180. iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
  181. p = output;
  182. for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
  183. {
  184. mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
  185. memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE );
  186. p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
  187. }
  188. mbedtls_aes_free( &aes_ctx );
  189. return( 0 );
  190. }
  191. static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
  192. const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
  193. {
  194. unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
  195. unsigned char *p = tmp;
  196. int i, j;
  197. memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
  198. for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
  199. {
  200. /*
  201. * Increase counter
  202. */
  203. for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
  204. if( ++ctx->counter[i - 1] != 0 )
  205. break;
  206. /*
  207. * Crypt counter block
  208. */
  209. mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p );
  210. p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
  211. }
  212. for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ )
  213. tmp[i] ^= data[i];
  214. /*
  215. * Update key and counter
  216. */
  217. mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
  218. memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
  219. return( 0 );
  220. }
  221. void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
  222. const unsigned char *additional, size_t add_len )
  223. {
  224. unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
  225. if( add_len > 0 )
  226. {
  227. /* MAX_INPUT would be more logical here, but we have to match
  228. * block_cipher_df()'s limits since we can't propagate errors */
  229. if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
  230. add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
  231. block_cipher_df( add_input, additional, add_len );
  232. ctr_drbg_update_internal( ctx, add_input );
  233. }
  234. }
  235. int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
  236. const unsigned char *additional, size_t len )
  237. {
  238. unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
  239. size_t seedlen = 0;
  240. if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ||
  241. len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
  242. return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
  243. memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
  244. /*
  245. * Gather entropy_len bytes of entropy to seed state
  246. */
  247. if( 0 != ctx->f_entropy( ctx->p_entropy, seed,
  248. ctx->entropy_len ) )
  249. {
  250. return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
  251. }
  252. seedlen += ctx->entropy_len;
  253. /*
  254. * Add additional data
  255. */
  256. if( additional && len )
  257. {
  258. memcpy( seed + seedlen, additional, len );
  259. seedlen += len;
  260. }
  261. /*
  262. * Reduce to 384 bits
  263. */
  264. block_cipher_df( seed, seed, seedlen );
  265. /*
  266. * Update state
  267. */
  268. ctr_drbg_update_internal( ctx, seed );
  269. ctx->reseed_counter = 1;
  270. return( 0 );
  271. }
  272. int mbedtls_ctr_drbg_random_with_add( void *p_rng,
  273. unsigned char *output, size_t output_len,
  274. const unsigned char *additional, size_t add_len )
  275. {
  276. int ret = 0;
  277. mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
  278. unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
  279. unsigned char *p = output;
  280. unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
  281. int i;
  282. size_t use_len;
  283. if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST )
  284. return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG );
  285. if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT )
  286. return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
  287. memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
  288. if( ctx->reseed_counter > ctx->reseed_interval ||
  289. ctx->prediction_resistance )
  290. {
  291. if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
  292. return( ret );
  293. add_len = 0;
  294. }
  295. if( add_len > 0 )
  296. {
  297. block_cipher_df( add_input, additional, add_len );
  298. ctr_drbg_update_internal( ctx, add_input );
  299. }
  300. while( output_len > 0 )
  301. {
  302. /*
  303. * Increase counter
  304. */
  305. for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
  306. if( ++ctx->counter[i - 1] != 0 )
  307. break;
  308. /*
  309. * Crypt counter block
  310. */
  311. mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp );
  312. use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? MBEDTLS_CTR_DRBG_BLOCKSIZE :
  313. output_len;
  314. /*
  315. * Copy random block to destination
  316. */
  317. memcpy( p, tmp, use_len );
  318. p += use_len;
  319. output_len -= use_len;
  320. }
  321. ctr_drbg_update_internal( ctx, add_input );
  322. ctx->reseed_counter++;
  323. return( 0 );
  324. }
  325. int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
  326. {
  327. int ret;
  328. mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
  329. #if defined(MBEDTLS_THREADING_C)
  330. if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
  331. return( ret );
  332. #endif
  333. ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 );
  334. #if defined(MBEDTLS_THREADING_C)
  335. if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
  336. return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
  337. #endif
  338. return( ret );
  339. }
  340. #if defined(MBEDTLS_FS_IO)
  341. int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path )
  342. {
  343. int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
  344. FILE *f;
  345. unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
  346. if( ( f = fopen( path, "wb" ) ) == NULL )
  347. return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
  348. if( ( ret = mbedtls_ctr_drbg_random( ctx, buf, MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
  349. goto exit;
  350. if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) != MBEDTLS_CTR_DRBG_MAX_INPUT )
  351. {
  352. ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
  353. goto exit;
  354. }
  355. ret = 0;
  356. exit:
  357. fclose( f );
  358. return( ret );
  359. }
  360. int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path )
  361. {
  362. FILE *f;
  363. size_t n;
  364. unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
  365. if( ( f = fopen( path, "rb" ) ) == NULL )
  366. return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
  367. fseek( f, 0, SEEK_END );
  368. n = (size_t) ftell( f );
  369. fseek( f, 0, SEEK_SET );
  370. if( n > MBEDTLS_CTR_DRBG_MAX_INPUT )
  371. {
  372. fclose( f );
  373. return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
  374. }
  375. if( fread( buf, 1, n, f ) != n )
  376. {
  377. fclose( f );
  378. return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
  379. }
  380. fclose( f );
  381. mbedtls_ctr_drbg_update( ctx, buf, n );
  382. return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
  383. }
  384. #endif /* MBEDTLS_FS_IO */
  385. #if defined(MBEDTLS_SELF_TEST)
  386. static const unsigned char entropy_source_pr[96] =
  387. { 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16,
  388. 0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02,
  389. 0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b,
  390. 0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb,
  391. 0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9,
  392. 0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95,
  393. 0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63,
  394. 0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3,
  395. 0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31,
  396. 0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4,
  397. 0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56,
  398. 0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 };
  399. static const unsigned char entropy_source_nopr[64] =
  400. { 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14,
  401. 0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe,
  402. 0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d,
  403. 0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20,
  404. 0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9,
  405. 0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46,
  406. 0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e,
  407. 0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e };
  408. static const unsigned char nonce_pers_pr[16] =
  409. { 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2,
  410. 0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c };
  411. static const unsigned char nonce_pers_nopr[16] =
  412. { 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5,
  413. 0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f };
  414. static const unsigned char result_pr[16] =
  415. { 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f,
  416. 0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 };
  417. static const unsigned char result_nopr[16] =
  418. { 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88,
  419. 0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f };
  420. static size_t test_offset;
  421. static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf,
  422. size_t len )
  423. {
  424. const unsigned char *p = data;
  425. memcpy( buf, p + test_offset, len );
  426. test_offset += len;
  427. return( 0 );
  428. }
  429. #define CHK( c ) if( (c) != 0 ) \
  430. { \
  431. if( verbose != 0 ) \
  432. mbedtls_printf( "failed\n" ); \
  433. return( 1 ); \
  434. }
  435. /*
  436. * Checkup routine
  437. */
  438. int mbedtls_ctr_drbg_self_test( int verbose )
  439. {
  440. mbedtls_ctr_drbg_context ctx;
  441. unsigned char buf[16];
  442. mbedtls_ctr_drbg_init( &ctx );
  443. /*
  444. * Based on a NIST CTR_DRBG test vector (PR = True)
  445. */
  446. if( verbose != 0 )
  447. mbedtls_printf( " CTR_DRBG (PR = TRUE) : " );
  448. test_offset = 0;
  449. CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
  450. (void *) entropy_source_pr, nonce_pers_pr, 16, 32 ) );
  451. mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
  452. CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
  453. CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
  454. CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
  455. mbedtls_ctr_drbg_free( &ctx );
  456. if( verbose != 0 )
  457. mbedtls_printf( "passed\n" );
  458. /*
  459. * Based on a NIST CTR_DRBG test vector (PR = FALSE)
  460. */
  461. if( verbose != 0 )
  462. mbedtls_printf( " CTR_DRBG (PR = FALSE): " );
  463. mbedtls_ctr_drbg_init( &ctx );
  464. test_offset = 0;
  465. CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
  466. (void *) entropy_source_nopr, nonce_pers_nopr, 16, 32 ) );
  467. CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
  468. CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
  469. CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
  470. CHK( memcmp( buf, result_nopr, 16 ) );
  471. mbedtls_ctr_drbg_free( &ctx );
  472. if( verbose != 0 )
  473. mbedtls_printf( "passed\n" );
  474. if( verbose != 0 )
  475. mbedtls_printf( "\n" );
  476. return( 0 );
  477. }
  478. #endif /* MBEDTLS_SELF_TEST */
  479. #endif /* MBEDTLS_CTR_DRBG_C */