Home Explore Help
Register Sign In
haitaowang1001
/
hisi3518_lora1302
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
hisi3518_lor...
/
mqtt
/
mbedtls
/
library
/
ctr_drbg.c

ctr_drbg.c 22 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721 
  1. /*
    2. 

  2.  *  CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
    3. 

  3.  *
    4. 

  4.  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
    5. 

  5.  *  SPDX-License-Identifier: Apache-2.0
    6. 

  6.  *
    7. 

  7.  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
    8. 

  8.  *  not use this file except in compliance with the License.
    9. 

  9.  *  You may obtain a copy of the License at
    10. 

  10.  *
    11. 

  11.  *  http://www.apache.org/licenses/LICENSE-2.0
    12. 

  12.  *
    13. 

  13.  *  Unless required by applicable law or agreed to in writing, software
    14. 

  14.  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    15. 

  15.  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    16. 

  16.  *  See the License for the specific language governing permissions and
    17. 

  17.  *  limitations under the License.
    18. 

  18.  *
    19. 

  19.  *  This file is part of mbed TLS (https://tls.mbed.org)
    20. 

  20.  */
    21. 

  21. /*
    22. 

  22.  *  The NIST SP 800-90 DRBGs are described in the following publication.
    23. 

  23.  *
    24. 

  24.  *  http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
    25. 

  25.  */
    26. 

  26. 

  27. #if !defined(MBEDTLS_CONFIG_FILE)
    28. 

  28. #include "mbedtls/config.h"
    29. 

  29. #else
    30. 

  30. #include MBEDTLS_CONFIG_FILE
    31. 

  31. #endif
    32. 

  32. 

  33. #if defined(MBEDTLS_CTR_DRBG_C)
    34. 

  34. 

  35. #include "mbedtls/ctr_drbg.h"
    36. 

  36. #include "mbedtls/platform_util.h"
    37. 

  37. 

  38. #include <string.h>
    39. 

  39. 

  40. #if defined(MBEDTLS_FS_IO)
    41. 

  41. #include <stdio.h>
    42. 

  42. #endif
    43. 

  43. 

  44. #if defined(MBEDTLS_SELF_TEST)
    45. 

  45. #if defined(MBEDTLS_PLATFORM_C)
    46. 

  46. #include "mbedtls/platform.h"
    47. 

  47. #else
    48. 

  48. #include <stdio.h>
    49. 

  49. #define mbedtls_printf printf
    50. 

  50. #endif /* MBEDTLS_PLATFORM_C */
    51. 

  51. #endif /* MBEDTLS_SELF_TEST */
    52. 

  52. 

  53. /*
    54. 

  54.  * CTR_DRBG context initialization
    55. 

  55.  */
    56. 

  56. void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
    57. 

  57. {
    58. 

  58.     memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) );
    59. 

  59. 

  60. #if defined(MBEDTLS_THREADING_C)
    61. 

  61.     mbedtls_mutex_init( &ctx->mutex );
    62. 

  62. #endif
    63. 

  63. }
    64. 

  64. 

  65. /*
    66. 

  66.  * Non-public function wrapped by mbedtls_ctr_drbg_seed(). Necessary to allow
    67. 

  67.  * NIST tests to succeed (which require known length fixed entropy)
    68. 

  68.  */
    69. 

  69. /* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
    70. 

  70.  * mbedtls_ctr_drbg_seed_entropy_len(ctx, f_entropy, p_entropy,
    71. 

  71.  *                                   custom, len, entropy_len)
    72. 

  72.  * implements
    73. 

  73.  * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
    74. 

  74.  *                      security_strength) -> initial_working_state
    75. 

  75.  * with inputs
    76. 

  76.  *   custom[:len] = nonce || personalization_string
    77. 

  77.  * where entropy_input comes from f_entropy for entropy_len bytes
    78. 

  78.  * and with outputs
    79. 

  79.  *   ctx = initial_working_state
    80. 

  80.  */
    81. 

  81. int mbedtls_ctr_drbg_seed_entropy_len(
    82. 

  82.                    mbedtls_ctr_drbg_context *ctx,
    83. 

  83.                    int (*f_entropy)(void *, unsigned char *, size_t),
    84. 

  84.                    void *p_entropy,
    85. 

  85.                    const unsigned char *custom,
    86. 

  86.                    size_t len,
    87. 

  87.                    size_t entropy_len )
    88. 

  88. {
    89. 

  89.     int ret;
    90. 

  90.     unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
    91. 

  91. 

  92.     memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
    93. 

  93. 

  94.     mbedtls_aes_init( &ctx->aes_ctx );
    95. 

  95. 

  96.     ctx->f_entropy = f_entropy;
    97. 

  97.     ctx->p_entropy = p_entropy;
    98. 

  98. 

  99.     ctx->entropy_len = entropy_len;
    100. 

  100.     ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
    101. 

  101. 

  102.     /*
    103. 

  103.      * Initialize with an empty key
    104. 

  104.      */
    105. 

  105.     if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
    106. 

  106.     {
    107. 

  107.         return( ret );
    108. 

  108.     }
    109. 

  109. 

  110.     if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
    111. 

  111.     {
    112. 

  112.         return( ret );
    113. 

  113.     }
    114. 

  114.     return( 0 );
    115. 

  115. }
    116. 

  116. 

  117. int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
    118. 

  118.                    int (*f_entropy)(void *, unsigned char *, size_t),
    119. 

  119.                    void *p_entropy,
    120. 

  120.                    const unsigned char *custom,
    121. 

  121.                    size_t len )
    122. 

  122. {
    123. 

  123.     return( mbedtls_ctr_drbg_seed_entropy_len( ctx, f_entropy, p_entropy, custom, len,
    124. 

  124.                                        MBEDTLS_CTR_DRBG_ENTROPY_LEN ) );
    125. 

  125. }
    126. 

  126. 

  127. void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
    128. 

  128. {
    129. 

  129.     if( ctx == NULL )
    130. 

  130.         return;
    131. 

  131. 

  132. #if defined(MBEDTLS_THREADING_C)
    133. 

  133.     mbedtls_mutex_free( &ctx->mutex );
    134. 

  134. #endif
    135. 

  135.     mbedtls_aes_free( &ctx->aes_ctx );
    136. 

  136.     mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
    137. 

  137. }
    138. 

  138. 

  139. void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx, int resistance )
    140. 

  140. {
    141. 

  141.     ctx->prediction_resistance = resistance;
    142. 

  142. }
    143. 

  143. 

  144. void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx, size_t len )
    145. 

  145. {
    146. 

  146.     ctx->entropy_len = len;
    147. 

  147. }
    148. 

  148. 

  149. void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx, int interval )
    150. 

  150. {
    151. 

  151.     ctx->reseed_interval = interval;
    152. 

  152. }
    153. 

  153. 

  154. static int block_cipher_df( unsigned char *output,
    155. 

  155.                             const unsigned char *data, size_t data_len )
    156. 

  156. {
    157. 

  157.     unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
    158. 

  158.     unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
    159. 

  159.     unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
    160. 

  160.     unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
    161. 

  161.     unsigned char *p, *iv;
    162. 

  162.     mbedtls_aes_context aes_ctx;
    163. 

  163.     int ret = 0;
    164. 

  164. 

  165.     int i, j;
    166. 

  166.     size_t buf_len, use_len;
    167. 

  167. 

  168.     if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
    169. 

  169.         return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
    170. 

  170. 

  171.     memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 );
    172. 

  172.     mbedtls_aes_init( &aes_ctx );
    173. 

  173. 

  174.     /*
    175. 

  175.      * Construct IV (16 bytes) and S in buffer
    176. 

  176.      * IV = Counter (in 32-bits) padded to 16 with zeroes
    177. 

  177.      * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
    178. 

  178.      *     data || 0x80
    179. 

  179.      *     (Total is padded to a multiple of 16-bytes with zeroes)
    180. 

  180.      */
    181. 

  181.     p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
    182. 

  182.     *p++ = ( data_len >> 24 ) & 0xff;
    183. 

  183.     *p++ = ( data_len >> 16 ) & 0xff;
    184. 

  184.     *p++ = ( data_len >> 8  ) & 0xff;
    185. 

  185.     *p++ = ( data_len       ) & 0xff;
    186. 

  186.     p += 3;
    187. 

  187.     *p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
    188. 

  188.     memcpy( p, data, data_len );
    189. 

  189.     p[data_len] = 0x80;
    190. 

  190. 

  191.     buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
    192. 

  192. 

  193.     for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
    194. 

  194.         key[i] = i;
    195. 

  195. 

  196.     if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
    197. 

  197.     {
    198. 

  198.         goto exit;
    199. 

  199.     }
    200. 

  200. 

  201.     /*
    202. 

  202.      * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
    203. 

  203.      */
    204. 

  204.     for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
    205. 

  205.     {
    206. 

  206.         p = buf;
    207. 

  207.         memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE );
    208. 

  208.         use_len = buf_len;
    209. 

  209. 

  210.         while( use_len > 0 )
    211. 

  211.         {
    212. 

  212.             for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ )
    213. 

  213.                 chain[i] ^= p[i];
    214. 

  214.             p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
    215. 

  215.             use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ?
    216. 

  216.                        MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
    217. 

  217. 

  218.             if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain ) ) != 0 )
    219. 

  219.             {
    220. 

  220.                 goto exit;
    221. 

  221.             }
    222. 

  222.         }
    223. 

  223. 

  224.         memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE );
    225. 

  225. 

  226.         /*
    227. 

  227.          * Update IV
    228. 

  228.          */
    229. 

  229.         buf[3]++;
    230. 

  230.     }
    231. 

  231. 

  232.     /*
    233. 

  233.      * Do final encryption with reduced data
    234. 

  234.      */
    235. 

  235.     if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
    236. 

  236.     {
    237. 

  237.         goto exit;
    238. 

  238.     }
    239. 

  239.     iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
    240. 

  240.     p = output;
    241. 

  241. 

  242.     for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
    243. 

  243.     {
    244. 

  244.         if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv ) ) != 0 )
    245. 

  245.         {
    246. 

  246.             goto exit;
    247. 

  247.         }
    248. 

  248.         memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE );
    249. 

  249.         p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
    250. 

  250.     }
    251. 

  251. exit:
    252. 

  252.     mbedtls_aes_free( &aes_ctx );
    253. 

  253.     /*
    254. 

  254.     * tidy up the stack
    255. 

  255.     */
    256. 

  256.     mbedtls_platform_zeroize( buf, sizeof( buf ) );
    257. 

  257.     mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
    258. 

  258.     mbedtls_platform_zeroize( key, sizeof( key ) );
    259. 

  259.     mbedtls_platform_zeroize( chain, sizeof( chain ) );
    260. 

  260.     if( 0 != ret )
    261. 

  261.     {
    262. 

  262.         /*
    263. 

  263.         * wipe partial seed from memory
    264. 

  264.         */
    265. 

  265.         mbedtls_platform_zeroize( output, MBEDTLS_CTR_DRBG_SEEDLEN );
    266. 

  266.     }
    267. 

  267. 

  268.     return( ret );
    269. 

  269. }
    270. 

  270. 

  271. /* CTR_DRBG_Update (SP 800-90A &sect;10.2.1.2)
    272. 

  272.  * ctr_drbg_update_internal(ctx, provided_data)
    273. 

  273.  * implements
    274. 

  274.  * CTR_DRBG_Update(provided_data, Key, V)
    275. 

  275.  * with inputs and outputs
    276. 

  276.  *   ctx->aes_ctx = Key
    277. 

  277.  *   ctx->counter = V
    278. 

  278.  */
    279. 

  279. static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
    280. 

  280.                               const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
    281. 

  281. {
    282. 

  282.     unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
    283. 

  283.     unsigned char *p = tmp;
    284. 

  284.     int i, j;
    285. 

  285.     int ret = 0;
    286. 

  286. 

  287.     memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
    288. 

  288. 

  289.     for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
    290. 

  290.     {
    291. 

  291.         /*
    292. 

  292.          * Increase counter
    293. 

  293.          */
    294. 

  294.         for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
    295. 

  295.             if( ++ctx->counter[i - 1] != 0 )
    296. 

  296.                 break;
    297. 

  297. 

  298.         /*
    299. 

  299.          * Crypt counter block
    300. 

  300.          */
    301. 

  301.         if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p ) ) != 0 )
    302. 

  302.             goto exit;
    303. 

  303. 

  304.         p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
    305. 

  305.     }
    306. 

  306. 

  307.     for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ )
    308. 

  308.         tmp[i] ^= data[i];
    309. 

  309. 

  310.     /*
    311. 

  311.      * Update key and counter
    312. 

  312.      */
    313. 

  313.     if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
    314. 

  314.         goto exit;
    315. 

  315.     memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
    316. 

  316. 

  317. exit:
    318. 

  318.     mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
    319. 

  319.     return( ret );
    320. 

  320. }
    321. 

  321. 

  322. /* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
    323. 

  323.  * mbedtls_ctr_drbg_update(ctx, additional, add_len)
    324. 

  324.  * implements
    325. 

  325.  * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
    326. 

  326.  *                      security_strength) -> initial_working_state
    327. 

  327.  * with inputs
    328. 

  328.  *   ctx->counter = all-bits-0
    329. 

  329.  *   ctx->aes_ctx = context from all-bits-0 key
    330. 

  330.  *   additional[:add_len] = entropy_input || nonce || personalization_string
    331. 

  331.  * and with outputs
    332. 

  332.  *   ctx = initial_working_state
    333. 

  333.  */
    334. 

  334. int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
    335. 

  335.                                  const unsigned char *additional,
    336. 

  336.                                  size_t add_len )
    337. 

  337. {
    338. 

  338.     unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
    339. 

  339.     int ret;
    340. 

  340. 

  341.     if( add_len == 0 )
    342. 

  342.         return( 0 );
    343. 

  343. 

  344.     if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
    345. 

  345.         goto exit;
    346. 

  346.     if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
    347. 

  347.         goto exit;
    348. 

  348. 

  349. exit:
    350. 

  350.     mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
    351. 

  351.     return( ret );
    352. 

  352. }
    353. 

  353. 

  354. #if !defined(MBEDTLS_DEPRECATED_REMOVED)
    355. 

  355. void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
    356. 

  356.                               const unsigned char *additional,
    357. 

  357.                               size_t add_len )
    358. 

  358. {
    359. 

  359.     /* MAX_INPUT would be more logical here, but we have to match
    360. 

  360.      * block_cipher_df()'s limits since we can't propagate errors */
    361. 

  361.     if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
    362. 

  362.         add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
    363. 

  363.     (void) mbedtls_ctr_drbg_update_ret( ctx, additional, add_len );
    364. 

  364. }
    365. 

  365. #endif /* MBEDTLS_DEPRECATED_REMOVED */
    366. 

  366. 

  367. /* CTR_DRBG_Reseed with derivation function (SP 800-90A &sect;10.2.1.4.2)
    368. 

  368.  * mbedtls_ctr_drbg_reseed(ctx, additional, len)
    369. 

  369.  * implements
    370. 

  370.  * CTR_DRBG_Reseed(working_state, entropy_input, additional_input)
    371. 

  371.  *                -> new_working_state
    372. 

  372.  * with inputs
    373. 

  373.  *   ctx contains working_state
    374. 

  374.  *   additional[:len] = additional_input
    375. 

  375.  * and entropy_input comes from calling ctx->f_entropy
    376. 

  376.  * and with output
    377. 

  377.  *   ctx contains new_working_state
    378. 

  378.  */
    379. 

  379. int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
    380. 

  380.                      const unsigned char *additional, size_t len )
    381. 

  381. {
    382. 

  382.     unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
    383. 

  383.     size_t seedlen = 0;
    384. 

  384.     int ret;
    385. 

  385. 

  386.     if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ||
    387. 

  387.         len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
    388. 

  388.         return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
    389. 

  389. 

  390.     memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
    391. 

  391. 

  392.     /*
    393. 

  393.      * Gather entropy_len bytes of entropy to seed state
    394. 

  394.      */
    395. 

  395.     if( 0 != ctx->f_entropy( ctx->p_entropy, seed,
    396. 

  396.                              ctx->entropy_len ) )
    397. 

  397.     {
    398. 

  398.         return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
    399. 

  399.     }
    400. 

  400. 

  401.     seedlen += ctx->entropy_len;
    402. 

  402. 

  403.     /*
    404. 

  404.      * Add additional data
    405. 

  405.      */
    406. 

  406.     if( additional && len )
    407. 

  407.     {
    408. 

  408.         memcpy( seed + seedlen, additional, len );
    409. 

  409.         seedlen += len;
    410. 

  410.     }
    411. 

  411. 

  412.     /*
    413. 

  413.      * Reduce to 384 bits
    414. 

  414.      */
    415. 

  415.     if( ( ret = block_cipher_df( seed, seed, seedlen ) ) != 0 )
    416. 

  416.         goto exit;
    417. 

  417. 

  418.     /*
    419. 

  419.      * Update state
    420. 

  420.      */
    421. 

  421.     if( ( ret = ctr_drbg_update_internal( ctx, seed ) ) != 0 )
    422. 

  422.         goto exit;
    423. 

  423.     ctx->reseed_counter = 1;
    424. 

  424. 

  425. exit:
    426. 

  426.     mbedtls_platform_zeroize( seed, sizeof( seed ) );
    427. 

  427.     return( ret );
    428. 

  428. }
    429. 

  429. 

  430. /* CTR_DRBG_Generate with derivation function (SP 800-90A &sect;10.2.1.5.2)
    431. 

  431.  * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
    432. 

  432.  * implements
    433. 

  433.  * CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len])
    434. 

  434.  *                -> working_state_after_reseed
    435. 

  435.  *                if required, then
    436. 

  436.  * CTR_DRBG_Generate(working_state_after_reseed,
    437. 

  437.  *                   requested_number_of_bits, additional_input)
    438. 

  438.  *                -> status, returned_bits, new_working_state
    439. 

  439.  * with inputs
    440. 

  440.  *   ctx contains working_state
    441. 

  441.  *   requested_number_of_bits = 8 * output_len
    442. 

  442.  *   additional[:add_len] = additional_input
    443. 

  443.  * and entropy_input comes from calling ctx->f_entropy
    444. 

  444.  * and with outputs
    445. 

  445.  *   status = SUCCESS (this function does the reseed internally)
    446. 

  446.  *   returned_bits = output[:output_len]
    447. 

  447.  *   ctx contains new_working_state
    448. 

  448.  */
    449. 

  449. int mbedtls_ctr_drbg_random_with_add( void *p_rng,
    450. 

  450.                               unsigned char *output, size_t output_len,
    451. 

  451.                               const unsigned char *additional, size_t add_len )
    452. 

  452. {
    453. 

  453.     int ret = 0;
    454. 

  454.     mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
    455. 

  455.     unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
    456. 

  456.     unsigned char *p = output;
    457. 

  457.     unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
    458. 

  458.     int i;
    459. 

  459.     size_t use_len;
    460. 

  460. 

  461.     if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST )
    462. 

  462.         return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG );
    463. 

  463. 

  464.     if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT )
    465. 

  465.         return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
    466. 

  466. 

  467.     memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
    468. 

  468. 

  469.     if( ctx->reseed_counter > ctx->reseed_interval ||
    470. 

  470.         ctx->prediction_resistance )
    471. 

  471.     {
    472. 

  472.         if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
    473. 

  473.         {
    474. 

  474.             return( ret );
    475. 

  475.         }
    476. 

  476.         add_len = 0;
    477. 

  477.     }
    478. 

  478. 

  479.     if( add_len > 0 )
    480. 

  480.     {
    481. 

  481.         if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
    482. 

  482.             goto exit;
    483. 

  483.         if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
    484. 

  484.             goto exit;
    485. 

  485.     }
    486. 

  486. 

  487.     while( output_len > 0 )
    488. 

  488.     {
    489. 

  489.         /*
    490. 

  490.          * Increase counter
    491. 

  491.          */
    492. 

  492.         for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
    493. 

  493.             if( ++ctx->counter[i - 1] != 0 )
    494. 

  494.                 break;
    495. 

  495. 

  496.         /*
    497. 

  497.          * Crypt counter block
    498. 

  498.          */
    499. 

  499.         if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp ) ) != 0 )
    500. 

  500.             goto exit;
    501. 

  501. 

  502.         use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? MBEDTLS_CTR_DRBG_BLOCKSIZE :
    503. 

  503.                                                        output_len;
    504. 

  504.         /*
    505. 

  505.          * Copy random block to destination
    506. 

  506.          */
    507. 

  507.         memcpy( p, tmp, use_len );
    508. 

  508.         p += use_len;
    509. 

  509.         output_len -= use_len;
    510. 

  510.     }
    511. 

  511. 

  512.     if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
    513. 

  513.         goto exit;
    514. 

  514. 

  515.     ctx->reseed_counter++;
    516. 

  516. 

  517. exit:
    518. 

  518.     mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
    519. 

  519.     mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
    520. 

  520.     return( 0 );
    521. 

  521. }
    522. 

  522. 

  523. int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
    524. 

  524. {
    525. 

  525.     int ret;
    526. 

  526.     mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
    527. 

  527. 

  528. #if defined(MBEDTLS_THREADING_C)
    529. 

  529.     if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
    530. 

  530.         return( ret );
    531. 

  531. #endif
    532. 

  532. 

  533.     ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 );
    534. 

  534. 

  535. #if defined(MBEDTLS_THREADING_C)
    536. 

  536.     if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
    537. 

  537.         return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
    538. 

  538. #endif
    539. 

  539. 

  540.     return( ret );
    541. 

  541. }
    542. 

  542. 

  543. #if defined(MBEDTLS_FS_IO)
    544. 

  544. int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path )
    545. 

  545. {
    546. 

  546.     int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
    547. 

  547.     FILE *f;
    548. 

  548.     unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
    549. 

  549. 

  550.     if( ( f = fopen( path, "wb" ) ) == NULL )
    551. 

  551.         return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
    552. 

  552. 

  553.     if( ( ret = mbedtls_ctr_drbg_random( ctx, buf, MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
    554. 

  554.         goto exit;
    555. 

  555. 

  556.     if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) != MBEDTLS_CTR_DRBG_MAX_INPUT )
    557. 

  557.         ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
    558. 

  558.     else
    559. 

  559.         ret = 0;
    560. 

  560. 

  561. exit:
    562. 

  562.     mbedtls_platform_zeroize( buf, sizeof( buf ) );
    563. 

  563. 

  564.     fclose( f );
    565. 

  565.     return( ret );
    566. 

  566. }
    567. 

  567. 

  568. int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path )
    569. 

  569. {
    570. 

  570.     int ret = 0;
    571. 

  571.     FILE *f = NULL;
    572. 

  572.     size_t n;
    573. 

  573.     unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
    574. 

  574.     unsigned char c;
    575. 

  575. 

  576.     if( ( f = fopen( path, "rb" ) ) == NULL )
    577. 

  577.         return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
    578. 

  578. 

  579.     n = fread( buf, 1, sizeof( buf ), f );
    580. 

  580.     if( fread( &c, 1, 1, f ) != 0 )
    581. 

  581.     {
    582. 

  582.         ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
    583. 

  583.         goto exit;
    584. 

  584.     }
    585. 

  585.     if( n == 0 || ferror( f ) )
    586. 

  586.     {
    587. 

  587.         ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
    588. 

  588.         goto exit;
    589. 

  589.     }
    590. 

  590.     fclose( f );
    591. 

  591.     f = NULL;
    592. 

  592. 

  593.     ret = mbedtls_ctr_drbg_update_ret( ctx, buf, n );
    594. 

  594. 

  595. exit:
    596. 

  596.     mbedtls_platform_zeroize( buf, sizeof( buf ) );
    597. 

  597.     if( f != NULL )
    598. 

  598.         fclose( f );
    599. 

  599.     if( ret != 0 )
    600. 

  600.         return( ret );
    601. 

  601.     return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
    602. 

  602. }
    603. 

  603. #endif /* MBEDTLS_FS_IO */
    604. 

  604. 

  605. #if defined(MBEDTLS_SELF_TEST)
    606. 

  606. 

  607. static const unsigned char entropy_source_pr[96] =
    608. 

  608.     { 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16,
    609. 

  609.       0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02,
    610. 

  610.       0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b,
    611. 

  611.       0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb,
    612. 

  612.       0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9,
    613. 

  613.       0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95,
    614. 

  614.       0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63,
    615. 

  615.       0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3,
    616. 

  616.       0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31,
    617. 

  617.       0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4,
    618. 

  618.       0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56,
    619. 

  619.       0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 };
    620. 

  620. 

  621. static const unsigned char entropy_source_nopr[64] =
    622. 

  622.     { 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14,
    623. 

  623.       0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe,
    624. 

  624.       0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d,
    625. 

  625.       0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20,
    626. 

  626.       0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9,
    627. 

  627.       0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46,
    628. 

  628.       0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e,
    629. 

  629.       0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e };
    630. 

  630. 

  631. static const unsigned char nonce_pers_pr[16] =
    632. 

  632.     { 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2,
    633. 

  633.       0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c };
    634. 

  634. 

  635. static const unsigned char nonce_pers_nopr[16] =
    636. 

  636.     { 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5,
    637. 

  637.       0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f };
    638. 

  638. 

  639. static const unsigned char result_pr[16] =
    640. 

  640.     { 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f,
    641. 

  641.       0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 };
    642. 

  642. 

  643. static const unsigned char result_nopr[16] =
    644. 

  644.     { 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88,
    645. 

  645.       0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f };
    646. 

  646. 

  647. static size_t test_offset;
    648. 

  648. static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf,
    649. 

  649.                                        size_t len )
    650. 

  650. {
    651. 

  651.     const unsigned char *p = data;
    652. 

  652.     memcpy( buf, p + test_offset, len );
    653. 

  653.     test_offset += len;
    654. 

  654.     return( 0 );
    655. 

  655. }
    656. 

  656. 

  657. #define CHK( c )    if( (c) != 0 )                          \
    658. 

  658.                     {                                       \
    659. 

  659.                         if( verbose != 0 )                  \
    660. 

  660.                             mbedtls_printf( "failed\n" );  \
    661. 

  661.                         return( 1 );                        \
    662. 

  662.                     }
    663. 

  663. 

  664. /*
    665. 

  665.  * Checkup routine
    666. 

  666.  */
    667. 

  667. int mbedtls_ctr_drbg_self_test( int verbose )
    668. 

  668. {
    669. 

  669.     mbedtls_ctr_drbg_context ctx;
    670. 

  670.     unsigned char buf[16];
    671. 

  671. 

  672.     mbedtls_ctr_drbg_init( &ctx );
    673. 

  673. 

  674.     /*
    675. 

  675.      * Based on a NIST CTR_DRBG test vector (PR = True)
    676. 

  676.      */
    677. 

  677.     if( verbose != 0 )
    678. 

  678.         mbedtls_printf( "  CTR_DRBG (PR = TRUE) : " );
    679. 

  679. 

  680.     test_offset = 0;
    681. 

  681.     CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
    682. 

  682.                                 (void *) entropy_source_pr, nonce_pers_pr, 16, 32 ) );
    683. 

  683.     mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
    684. 

  684.     CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
    685. 

  685.     CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
    686. 

  686.     CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
    687. 

  687. 

  688.     mbedtls_ctr_drbg_free( &ctx );
    689. 

  689. 

  690.     if( verbose != 0 )
    691. 

  691.         mbedtls_printf( "passed\n" );
    692. 

  692. 

  693.     /*
    694. 

  694.      * Based on a NIST CTR_DRBG test vector (PR = FALSE)
    695. 

  695.      */
    696. 

  696.     if( verbose != 0 )
    697. 

  697.         mbedtls_printf( "  CTR_DRBG (PR = FALSE): " );
    698. 

  698. 

  699.     mbedtls_ctr_drbg_init( &ctx );
    700. 

  700. 

  701.     test_offset = 0;
    702. 

  702.     CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
    703. 

  703.                             (void *) entropy_source_nopr, nonce_pers_nopr, 16, 32 ) );
    704. 

  704.     CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
    705. 

  705.     CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
    706. 

  706.     CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
    707. 

  707.     CHK( memcmp( buf, result_nopr, 16 ) );
    708. 

  708. 

  709.     mbedtls_ctr_drbg_free( &ctx );
    710. 

  710. 

  711.     if( verbose != 0 )
    712. 

  712.         mbedtls_printf( "passed\n" );
    713. 

  713. 

  714.     if( verbose != 0 )
    715. 

  715.             mbedtls_printf( "\n" );
    716. 

  716. 

  717.     return( 0 );
    718. 

  718. }
    719. 

  719. #endif /* MBEDTLS_SELF_TEST */
    720. 

  720. 

  721. #endif /* MBEDTLS_CTR_DRBG_C */
    722.