/* * CTR_DRBG implementation based on AES-256 (NIST SP 800-90) * * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ /* * The NIST SP 800-90 DRBGs are described in the following publication. * * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-90r.pdf */ #include "common.h" #if defined(MBEDTLS_CTR_DRBG_C) #include "ctr.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" #include <string.h> #if defined(MBEDTLS_FS_IO) #include <stdio.h> #endif /* Using error translation functions from PSA to MbedTLS */ #if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) #include "psa_util_internal.h" #endif #include "mbedtls/platform.h" #if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) static psa_status_t ctr_drbg_setup_psa_context(mbedtls_ctr_drbg_psa_context *psa_ctx, unsigned char *key, size_t key_len) { psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; psa_status_t status; psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_ENCRYPT); psa_set_key_algorithm(&key_attr, PSA_ALG_ECB_NO_PADDING); psa_set_key_type(&key_attr, PSA_KEY_TYPE_AES); status = psa_import_key(&key_attr, key, key_len, &psa_ctx->key_id); if (status != PSA_SUCCESS) { goto exit; } status = psa_cipher_encrypt_setup(&psa_ctx->operation, psa_ctx->key_id, PSA_ALG_ECB_NO_PADDING); if (status != PSA_SUCCESS) { goto exit; } exit: psa_reset_key_attributes(&key_attr); return status; } static void ctr_drbg_destroy_psa_contex(mbedtls_ctr_drbg_psa_context *psa_ctx) { psa_cipher_abort(&psa_ctx->operation); psa_destroy_key(psa_ctx->key_id); psa_ctx->operation = psa_cipher_operation_init(); psa_ctx->key_id = MBEDTLS_SVC_KEY_ID_INIT; } #endif /* * CTR_DRBG context initialization */ void mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context *ctx) { … } /* * This function resets CTR_DRBG context to the state immediately * after initial call of mbedtls_ctr_drbg_init(). */ void mbedtls_ctr_drbg_free(mbedtls_ctr_drbg_context *ctx) { … } void mbedtls_ctr_drbg_set_prediction_resistance(mbedtls_ctr_drbg_context *ctx, int resistance) { … } void mbedtls_ctr_drbg_set_entropy_len(mbedtls_ctr_drbg_context *ctx, size_t len) { … } int mbedtls_ctr_drbg_set_nonce_len(mbedtls_ctr_drbg_context *ctx, size_t len) { … } void mbedtls_ctr_drbg_set_reseed_interval(mbedtls_ctr_drbg_context *ctx, int interval) { … } static int block_cipher_df(unsigned char *output, const unsigned char *data, size_t data_len) { … } /* CTR_DRBG_Update (SP 800-90A §10.2.1.2) * ctr_drbg_update_internal(ctx, provided_data) * implements * CTR_DRBG_Update(provided_data, Key, V) * with inputs and outputs * ctx->aes_ctx = Key * ctx->counter = V */ static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx, const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN]) { … } /* CTR_DRBG_Instantiate with derivation function (SP 800-90A §10.2.1.3.2) * mbedtls_ctr_drbg_update(ctx, additional, add_len) * implements * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string, * security_strength) -> initial_working_state * with inputs * ctx->counter = all-bits-0 * ctx->aes_ctx = context from all-bits-0 key * additional[:add_len] = entropy_input || nonce || personalization_string * and with outputs * ctx = initial_working_state */ int mbedtls_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx, const unsigned char *additional, size_t add_len) { … } /* CTR_DRBG_Reseed with derivation function (SP 800-90A §10.2.1.4.2) * mbedtls_ctr_drbg_reseed(ctx, additional, len, nonce_len) * implements * CTR_DRBG_Reseed(working_state, entropy_input, additional_input) * -> new_working_state * with inputs * ctx contains working_state * additional[:len] = additional_input * and entropy_input comes from calling ctx->f_entropy * for (ctx->entropy_len + nonce_len) bytes * and with output * ctx contains new_working_state */ static int mbedtls_ctr_drbg_reseed_internal(mbedtls_ctr_drbg_context *ctx, const unsigned char *additional, size_t len, size_t nonce_len) { … } int mbedtls_ctr_drbg_reseed(mbedtls_ctr_drbg_context *ctx, const unsigned char *additional, size_t len) { … } /* Return a "good" nonce length for CTR_DRBG. The chosen nonce length * is sufficient to achieve the maximum security strength given the key * size and entropy length. If there is enough entropy in the initial * call to the entropy function to serve as both the entropy input and * the nonce, don't make a second call to get a nonce. */ static size_t good_nonce_len(size_t entropy_len) { … } /* CTR_DRBG_Instantiate with derivation function (SP 800-90A §10.2.1.3.2) * mbedtls_ctr_drbg_seed(ctx, f_entropy, p_entropy, custom, len) * implements * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string, * security_strength) -> initial_working_state * with inputs * custom[:len] = nonce || personalization_string * where entropy_input comes from f_entropy for ctx->entropy_len bytes * and with outputs * ctx = initial_working_state */ int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx, int (*f_entropy)(void *, unsigned char *, size_t), void *p_entropy, const unsigned char *custom, size_t len) { … } /* CTR_DRBG_Generate with derivation function (SP 800-90A §10.2.1.5.2) * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len) * implements * CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len]) * -> working_state_after_reseed * if required, then * CTR_DRBG_Generate(working_state_after_reseed, * requested_number_of_bits, additional_input) * -> status, returned_bits, new_working_state * with inputs * ctx contains working_state * requested_number_of_bits = 8 * output_len * additional[:add_len] = additional_input * and entropy_input comes from calling ctx->f_entropy * and with outputs * status = SUCCESS (this function does the reseed internally) * returned_bits = output[:output_len] * ctx contains new_working_state */ int mbedtls_ctr_drbg_random_with_add(void *p_rng, unsigned char *output, size_t output_len, const unsigned char *additional, size_t add_len) { … } int mbedtls_ctr_drbg_random(void *p_rng, unsigned char *output, size_t output_len) { … } #if defined(MBEDTLS_FS_IO) int mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context *ctx, const char *path) { … } int mbedtls_ctr_drbg_update_seed_file(mbedtls_ctr_drbg_context *ctx, const char *path) { … } #endif /* MBEDTLS_FS_IO */ #if defined(MBEDTLS_SELF_TEST) /* The CTR_DRBG NIST test vectors used here are available at * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/drbg/drbgtestvectors.zip * * The parameters used to derive the test data are: * * [AES-128 use df] * [PredictionResistance = True/False] * [EntropyInputLen = 128] * [NonceLen = 64] * [PersonalizationStringLen = 128] * [AdditionalInputLen = 0] * [ReturnedBitsLen = 512] * * [AES-256 use df] * [PredictionResistance = True/False] * [EntropyInputLen = 256] * [NonceLen = 128] * [PersonalizationStringLen = 256] * [AdditionalInputLen = 0] * [ReturnedBitsLen = 512] * */ #if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) static const unsigned char entropy_source_pr[] = { 0x04, 0xd9, 0x49, 0xa6, 0xdc, 0xe8, 0x6e, 0xbb, 0xf1, 0x08, 0x77, 0x2b, 0x9e, 0x08, 0xca, 0x92, 0x65, 0x16, 0xda, 0x99, 0xa2, 0x59, 0xf3, 0xe8, 0x38, 0x7e, 0x3f, 0x6b, 0x51, 0x70, 0x7b, 0x20, 0xec, 0x53, 0xd0, 0x66, 0xc3, 0x0f, 0xe3, 0xb0, 0xe0, 0x86, 0xa6, 0xaa, 0x5f, 0x72, 0x2f, 0xad, 0xf7, 0xef, 0x06, 0xb8, 0xd6, 0x9c, 0x9d, 0xe8 }; static const unsigned char entropy_source_nopr[] = { 0x07, 0x0d, 0x59, 0x63, 0x98, 0x73, 0xa5, 0x45, 0x27, 0x38, 0x22, 0x7b, 0x76, 0x85, 0xd1, 0xa9, 0x74, 0x18, 0x1f, 0x3c, 0x22, 0xf6, 0x49, 0x20, 0x4a, 0x47, 0xc2, 0xf3, 0x85, 0x16, 0xb4, 0x6f, 0x00, 0x2e, 0x71, 0xda, 0xed, 0x16, 0x9b, 0x5c }; static const unsigned char pers_pr[] = { 0xbf, 0xa4, 0x9a, 0x8f, 0x7b, 0xd8, 0xb1, 0x7a, 0x9d, 0xfa, 0x45, 0xed, 0x21, 0x52, 0xb3, 0xad }; static const unsigned char pers_nopr[] = { 0x4e, 0x61, 0x79, 0xd4, 0xc2, 0x72, 0xa1, 0x4c, 0xf1, 0x3d, 0xf6, 0x5e, 0xa3, 0xa6, 0xe5, 0x0f }; static const unsigned char result_pr[] = { 0xc9, 0x0a, 0xaf, 0x85, 0x89, 0x71, 0x44, 0x66, 0x4f, 0x25, 0x0b, 0x2b, 0xde, 0xd8, 0xfa, 0xff, 0x52, 0x5a, 0x1b, 0x32, 0x5e, 0x41, 0x7a, 0x10, 0x1f, 0xef, 0x1e, 0x62, 0x23, 0xe9, 0x20, 0x30, 0xc9, 0x0d, 0xad, 0x69, 0xb4, 0x9c, 0x5b, 0xf4, 0x87, 0x42, 0xd5, 0xae, 0x5e, 0x5e, 0x43, 0xcc, 0xd9, 0xfd, 0x0b, 0x93, 0x4a, 0xe3, 0xd4, 0x06, 0x37, 0x36, 0x0f, 0x3f, 0x72, 0x82, 0x0c, 0xcf }; static const unsigned char result_nopr[] = { 0x31, 0xc9, 0x91, 0x09, 0xf8, 0xc5, 0x10, 0x13, 0x3c, 0xd3, 0x96, 0xf9, 0xbc, 0x2c, 0x12, 0xc0, 0x7c, 0xc1, 0x61, 0x5f, 0xa3, 0x09, 0x99, 0xaf, 0xd7, 0xf2, 0x36, 0xfd, 0x40, 0x1a, 0x8b, 0xf2, 0x33, 0x38, 0xee, 0x1d, 0x03, 0x5f, 0x83, 0xb7, 0xa2, 0x53, 0xdc, 0xee, 0x18, 0xfc, 0xa7, 0xf2, 0xee, 0x96, 0xc6, 0xc2, 0xcd, 0x0c, 0xff, 0x02, 0x76, 0x70, 0x69, 0xaa, 0x69, 0xd1, 0x3b, 0xe8 }; #else /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */ static const unsigned char entropy_source_pr[] = …; static const unsigned char entropy_source_nopr[] = …; static const unsigned char pers_pr[] = …; static const unsigned char pers_nopr[] = …; static const unsigned char result_pr[] = …; static const unsigned char result_nopr[] = …; #endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */ static size_t test_offset; static int ctr_drbg_self_test_entropy(void *data, unsigned char *buf, size_t len) { … } #define CHK(c) … #define SELF_TEST_OUTPUT_DISCARD_LENGTH … /* * Checkup routine */ int mbedtls_ctr_drbg_self_test(int verbose) { … } #endif /* MBEDTLS_SELF_TEST */ #endif /* MBEDTLS_CTR_DRBG_C */
Codebase Browser
godot