mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-23 11:42:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

- Cleaned up and further documented CTR_DRBG code

Browse Source
This commit is contained in:
Paul Bakker 2011-11-29 10:50:51 +00:00
parent a3d195c41f
commit 2bc7cf16fe
2 changed files with 54 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
include/polarssl/ctr_drbg.h
View File

@ -35,11 +35,15 @@
#define POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG -0x0036 /**< Too many random requested in single call. */ #define POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG -0x0036 /**< Too many random requested in single call. */
#define POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG -0x0038 /**< Input too large (Entropy + additional). */ #define POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG -0x0038 /**< Input too large (Entropy + additional). */
#define CTR_DRBG_SEEDLEN 48 /**< The seed length (counter + AES key) */ #define CTR_DRBG_BLOCKSIZE 16 /**< Block size used by the cipher */
#define CTR_DRBG_KEYSIZE 32 /**< Key size used by the cipher */
#define CTR_DRBG_KEYBITS ( CTR_DRBG_KEYSIZE * 8 )
#define CTR_DRBG_SEEDLEN ( CTR_DRBG_KEYSIZE + CTR_DRBG_BLOCKSIZE )
/**< The seed length (counter + AES key) */
#define CTR_DRBG_ENTROPY_LEN 32 /**< Amount of entropy used per seed by default */ #define CTR_DRBG_ENTROPY_LEN 32 /**< Amount of entropy used per seed by default */
#define CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ #define CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
#define CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ #define CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
#define CTR_DRBG_MAX_REQUEST 500 /**< Maximum number of requested bytes per call */ #define CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
#define CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ #define CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
#define CTR_DRBG_PR_OFF 0 /**< No prediction resistance */ #define CTR_DRBG_PR_OFF 0 /**< No prediction resistance */
@ -83,6 +87,7 @@ ctr_drbg_context;
* length) * length)
* \param p_entropy Entropy context * \param p_entropy Entropy context
* \param custom Personalization data (Device specific identifiers) * \param custom Personalization data (Device specific identifiers)
* (Can be NULL)
* \param len Length of personalization data * \param len Length of personalization data
* *
* \return 0 if successful, or * \return 0 if successful, or
@ -130,7 +135,7 @@ void ctr_drbg_set_reseed_interval( ctr_drbg_context *ctx,
* \brief CTR_DRBG reseeding (extracts data from entropy source) * \brief CTR_DRBG reseeding (extracts data from entropy source)
* *
* \param ctx CTR_DRBG context * \param ctx CTR_DRBG context
* \param additional Additional data to add to state * \param additional Additional data to add to state (Can be NULL)
* \param len Length of additional data * \param len Length of additional data
* *
* \return 0 if successful, or * \return 0 if successful, or
@ -158,7 +163,7 @@ int ctr_drbg_update( ctr_drbg_context *ctx,
* \param p_rng CTR_DRBG context * \param p_rng CTR_DRBG context
* \param output Buffer to fill * \param output Buffer to fill
* \param output_len Length of the buffer * \param output_len Length of the buffer
* \param additional Additional data to update with * \param additional Additional data to update with (Can be NULL)
* \param add_len Length of additional data * \param add_len Length of additional data
* *
* \return 0 if successful, or * \return 0 if successful, or

88
library/ctr_drbg.c
View File

@ -41,10 +41,10 @@ int ctr_drbg_init( ctr_drbg_context *ctx,
size_t len ) size_t len )
{ {
int ret; int ret;
unsigned char key[32]; unsigned char key[CTR_DRBG_KEYSIZE];
memset( ctx, 0, sizeof(ctr_drbg_context) ); memset( ctx, 0, sizeof(ctr_drbg_context) );
memset( key, 0, 32 ); memset( key, 0, CTR_DRBG_KEYSIZE );
ctx->f_entropy = f_entropy; ctx->f_entropy = f_entropy;
ctx->p_entropy = p_entropy; ctx->p_entropy = p_entropy;
@ -55,7 +55,7 @@ int ctr_drbg_init( ctr_drbg_context *ctx,
/* /*
* Initialize with an empty key * Initialize with an empty key
*/ */
aes_setkey_enc( &ctx->aes_ctx, key, 256 ); aes_setkey_enc( &ctx->aes_ctx, key, CTR_DRBG_KEYBITS );
if( ( ret = ctr_drbg_reseed( ctx, custom, len ) ) != 0 ) if( ( ret = ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
return( ret ); return( ret );
@ -80,16 +80,16 @@ void ctr_drbg_set_reseed_interval( ctr_drbg_context *ctx, int interval )
int block_cipher_df( unsigned char *output, unsigned char *data, size_t data_len ) int block_cipher_df( unsigned char *output, unsigned char *data, size_t data_len )
{ {
unsigned char buf[CTR_DRBG_MAX_INPUT + 32]; unsigned char buf[CTR_DRBG_MAX_SEED_INPUT + CTR_DRBG_BLOCKSIZE + 16];
unsigned char tmp[CTR_DRBG_SEEDLEN]; unsigned char tmp[CTR_DRBG_SEEDLEN];
unsigned char key[32]; unsigned char key[CTR_DRBG_KEYSIZE];
unsigned char chain[16]; unsigned char chain[CTR_DRBG_BLOCKSIZE];
unsigned char *p, *iv; unsigned char *p = buf, *iv;
aes_context aes_ctx; aes_context aes_ctx;
int i, j, buf_len, use_len; int i, j, buf_len, use_len;
memset( buf, 0, CTR_DRBG_MAX_INPUT + 32 ); memset( buf, 0, CTR_DRBG_MAX_SEED_INPUT + CTR_DRBG_BLOCKSIZE + 16 );
/* /*
* Construct IV (16 bytes) and S in buffer * Construct IV (16 bytes) and S in buffer
@ -98,41 +98,43 @@ int block_cipher_df( unsigned char *output, unsigned char *data, size_t data_len
* data || 0x80 * data || 0x80
* (Total is padded to a multiple of 16-bytes with zeroes) * (Total is padded to a multiple of 16-bytes with zeroes)
*/ */
buf[16] = ( data_len >> 24 ) & 0xff; p = buf + CTR_DRBG_BLOCKSIZE;
buf[17] = ( data_len >> 16 ) & 0xff; *p++ = ( data_len >> 24 ) & 0xff;
buf[18] = ( data_len >> 8 ) & 0xff; *p++ = ( data_len >> 16 ) & 0xff;
buf[19] = ( data_len ) & 0xff; *p++ = ( data_len >> 8 ) & 0xff;
buf[23] = CTR_DRBG_SEEDLEN; *p++ = ( data_len ) & 0xff;
memcpy( buf + 24, data, data_len ); p += 3;
buf[24 + data_len] = 0x80; *p++ = CTR_DRBG_SEEDLEN;
memcpy( p, data, data_len );
p[data_len] = 0x80;
buf_len = 24 + data_len + 1; buf_len = CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
for( i = 0; i < 32; i++ ) for( i = 0; i < CTR_DRBG_KEYSIZE; i++ )
key[i] = i; key[i] = i;
aes_setkey_enc( &aes_ctx, key, 256 ); aes_setkey_enc( &aes_ctx, key, CTR_DRBG_KEYBITS );
/* /*
* Reduce data to POLARSSL_CTR_DRBG_SEEDLEN bytes of data * Reduce data to POLARSSL_CTR_DRBG_SEEDLEN bytes of data
*/ */
for( j = 0; j < CTR_DRBG_SEEDLEN; j += 16 ) for( j = 0; j < CTR_DRBG_SEEDLEN; j += CTR_DRBG_BLOCKSIZE )
{ {
p = buf; p = buf;
memset( chain, 0, 16 ); memset( chain, 0, CTR_DRBG_BLOCKSIZE );
use_len = buf_len; use_len = buf_len;
while( use_len > 0 ) while( use_len > 0 )
{ {
for( i = 0; i < 16; i++ ) for( i = 0; i < CTR_DRBG_BLOCKSIZE; i++ )
chain[i] ^= p[i]; chain[i] ^= p[i];
p += 16; p += CTR_DRBG_BLOCKSIZE;
use_len -= 16; use_len -= CTR_DRBG_BLOCKSIZE;
aes_crypt_ecb( &aes_ctx, AES_ENCRYPT, chain, chain ); aes_crypt_ecb( &aes_ctx, AES_ENCRYPT, chain, chain );
} }
memcpy( tmp + j, chain, 16 ); memcpy( tmp + j, chain, CTR_DRBG_BLOCKSIZE );
/* /*
* Update IV * Update IV
@ -143,15 +145,15 @@ int block_cipher_df( unsigned char *output, unsigned char *data, size_t data_len
/* /*
* Do final encryption with reduced data * Do final encryption with reduced data
*/ */
aes_setkey_enc( &aes_ctx, tmp, 256 ); aes_setkey_enc( &aes_ctx, tmp, CTR_DRBG_KEYBITS );
iv = tmp + 32; iv = tmp + CTR_DRBG_KEYSIZE;
p = output; p = output;
for( j = 0; j < CTR_DRBG_SEEDLEN; j += 16 ) for( j = 0; j < CTR_DRBG_SEEDLEN; j += CTR_DRBG_BLOCKSIZE )
{ {
aes_crypt_ecb( &aes_ctx, AES_ENCRYPT, iv, iv ); aes_crypt_ecb( &aes_ctx, AES_ENCRYPT, iv, iv );
memcpy( p, iv, 16 ); memcpy( p, iv, CTR_DRBG_BLOCKSIZE );
p += 16; p += CTR_DRBG_BLOCKSIZE;
} }
return( 0 ); return( 0 );
@ -162,7 +164,7 @@ int ctr_drbg_reseed( ctr_drbg_context *ctx, unsigned char *additional, size_t le
unsigned char seed[CTR_DRBG_MAX_SEED_INPUT]; unsigned char seed[CTR_DRBG_MAX_SEED_INPUT];
size_t seedlen = 0; size_t seedlen = 0;
if( ctx->entropy_len + len > CTR_DRBG_MAX_INPUT ) if( ctx->entropy_len + len > CTR_DRBG_MAX_SEED_INPUT )
return( POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG ); return( POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG );
memset( seed, 0, CTR_DRBG_MAX_SEED_INPUT ); memset( seed, 0, CTR_DRBG_MAX_SEED_INPUT );
@ -210,12 +212,12 @@ int ctr_drbg_update( ctr_drbg_context *ctx,
memset( tmp, 0, CTR_DRBG_SEEDLEN ); memset( tmp, 0, CTR_DRBG_SEEDLEN );
for( j = 0; j < CTR_DRBG_SEEDLEN; j += 16 ) for( j = 0; j < CTR_DRBG_SEEDLEN; j += CTR_DRBG_BLOCKSIZE )
{ {
/* /*
* Increase counter * Increase counter
*/ */
i = 15; i = CTR_DRBG_BLOCKSIZE - 1;
do { do {
ctx->counter[i]++; ctx->counter[i]++;
cb = ctx->counter[i] == 0; cb = ctx->counter[i] == 0;
@ -226,7 +228,7 @@ int ctr_drbg_update( ctr_drbg_context *ctx,
*/ */
aes_crypt_ecb( &ctx->aes_ctx, AES_ENCRYPT, ctx->counter, p ); aes_crypt_ecb( &ctx->aes_ctx, AES_ENCRYPT, ctx->counter, p );
p += 16; p += CTR_DRBG_BLOCKSIZE;
} }
for( i = 0; i < CTR_DRBG_SEEDLEN; i++ ) for( i = 0; i < CTR_DRBG_SEEDLEN; i++ )
@ -235,8 +237,8 @@ int ctr_drbg_update( ctr_drbg_context *ctx,
/* /*
* Update key and counter * Update key and counter
*/ */
aes_setkey_enc( &ctx->aes_ctx, tmp, 256 ); aes_setkey_enc( &ctx->aes_ctx, tmp, CTR_DRBG_KEYBITS );
memcpy( ctx->counter, tmp + 32, 16 ); memcpy( ctx->counter, tmp + CTR_DRBG_KEYSIZE, CTR_DRBG_BLOCKSIZE );
return( 0 ); return( 0 );
} }
@ -249,7 +251,7 @@ int ctr_drbg_random_with_add( void *p_rng,
ctr_drbg_context *ctx = (ctr_drbg_context *) p_rng; ctr_drbg_context *ctx = (ctr_drbg_context *) p_rng;
unsigned char add_input[CTR_DRBG_SEEDLEN]; unsigned char add_input[CTR_DRBG_SEEDLEN];
unsigned char *p = output; unsigned char *p = output;
unsigned char tmp[16]; unsigned char tmp[CTR_DRBG_BLOCKSIZE];
int cb, i; int cb, i;
if( output_len > CTR_DRBG_MAX_REQUEST ) if( output_len > CTR_DRBG_MAX_REQUEST )
@ -280,7 +282,7 @@ int ctr_drbg_random_with_add( void *p_rng,
/* /*
* Increase counter * Increase counter
*/ */
i = 15; i = CTR_DRBG_BLOCKSIZE - 1;
do { do {
ctx->counter[i]++; ctx->counter[i]++;
cb = ctx->counter[i] == 0; cb = ctx->counter[i] == 0;
@ -294,9 +296,9 @@ int ctr_drbg_random_with_add( void *p_rng,
/* /*
* Copy random block to destination * Copy random block to destination
*/ */
memcpy( p, tmp, (output_len > 16 ) ? 16 : output_len ); memcpy( p, tmp, (output_len > CTR_DRBG_BLOCKSIZE ) ? CTR_DRBG_BLOCKSIZE : output_len );
p += 16; p += CTR_DRBG_BLOCKSIZE;
output_len -= 16; output_len -= CTR_DRBG_BLOCKSIZE;
} }
ctr_drbg_update( ctx, add_input ); ctr_drbg_update( ctx, add_input );
@ -387,7 +389,7 @@ int ctr_drbg_self_test( int verbose )
} }
ctr_drbg_set_prediction_resistance( &ctx, CTR_DRBG_PR_ON ); ctr_drbg_set_prediction_resistance( &ctx, CTR_DRBG_PR_ON );
if( ctr_drbg_random( &ctx, buf, 16 ) != 0 ) if( ctr_drbg_random( &ctx, buf, CTR_DRBG_BLOCKSIZE ) != 0 )
{ {
if( verbose != 0 ) if( verbose != 0 )
printf( "failed\n" ); printf( "failed\n" );
@ -395,7 +397,7 @@ int ctr_drbg_self_test( int verbose )
return( 1 ); return( 1 );
} }
if( ctr_drbg_random( &ctx, buf, 16 ) != 0 ) if( ctr_drbg_random( &ctx, buf, CTR_DRBG_BLOCKSIZE ) != 0 )
{ {
if( verbose != 0 ) if( verbose != 0 )
printf( "failed\n" ); printf( "failed\n" );
@ -403,7 +405,7 @@ int ctr_drbg_self_test( int verbose )
return( 1 ); return( 1 );
} }
if( memcmp( buf, result_pr, 16 ) != 0 ) if( memcmp( buf, result_pr, CTR_DRBG_BLOCKSIZE ) != 0 )
{ {
if( verbose != 0 ) if( verbose != 0 )
printf( "failed\n" ); printf( "failed\n" );