/* * Entropy accumulator implementation * * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved * SPDX-License-Identifier: GPL-2.0 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. * * This file is part of mbed TLS (https://tls.mbed.org) */ #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else #include MBEDTLS_CONFIG_FILE #endif #if defined(MBEDTLS_ENTROPY_C) #if defined(MBEDTLS_TEST_NULL_ENTROPY) #warning "**** WARNING! MBEDTLS_TEST_NULL_ENTROPY defined! " #warning "**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES " #warning "**** THIS BUILD IS *NOT* SUITABLE FOR PRODUCTION USE " #endif #include "mbedtls/entropy.h" #include "mbedtls/entropy_poll.h" #include "mbedtls/platform_util.h" #include #if defined(MBEDTLS_FS_IO) #include #endif #if defined(MBEDTLS_ENTROPY_NV_SEED) #include "mbedtls/platform.h" #endif #if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" #else #include #define mbedtls_printf printf #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ #if defined(MBEDTLS_HAVEGE_C) #include "mbedtls/havege.h" #endif #define ENTROPY_MAX_LOOP 256 /**< Maximum amount to loop before error */ void mbedtls_entropy_init(mbedtls_entropy_context *ctx) { ctx->source_count = 0; memset(ctx->source, 0, sizeof(ctx->source)); #if defined(MBEDTLS_THREADING_C) mbedtls_mutex_init(&ctx->mutex); #endif ctx->accumulator_started = 0; #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) mbedtls_sha512_init(&ctx->accumulator); #else mbedtls_sha256_init(&ctx->accumulator); #endif #if defined(MBEDTLS_HAVEGE_C) mbedtls_havege_init(&ctx->havege_data); #endif /* Reminder: Update ENTROPY_HAVE_STRONG in the test files * when adding more strong entropy sources here. */ #if defined(MBEDTLS_TEST_NULL_ENTROPY) mbedtls_entropy_add_source(ctx, mbedtls_null_entropy_poll, NULL, 1, MBEDTLS_ENTROPY_SOURCE_STRONG); #endif #if !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) #if !defined(MBEDTLS_NO_PLATFORM_ENTROPY) mbedtls_entropy_add_source(ctx, mbedtls_platform_entropy_poll, NULL, MBEDTLS_ENTROPY_MIN_PLATFORM, MBEDTLS_ENTROPY_SOURCE_STRONG); #endif #if defined(MBEDTLS_TIMING_C) mbedtls_entropy_add_source(ctx, mbedtls_hardclock_poll, NULL, MBEDTLS_ENTROPY_MIN_HARDCLOCK, MBEDTLS_ENTROPY_SOURCE_WEAK); #endif #if defined(MBEDTLS_HAVEGE_C) mbedtls_entropy_add_source(ctx, mbedtls_havege_poll, &ctx->havege_data, MBEDTLS_ENTROPY_MIN_HAVEGE, MBEDTLS_ENTROPY_SOURCE_STRONG); #endif #if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) mbedtls_entropy_add_source(ctx, mbedtls_hardware_poll, NULL, MBEDTLS_ENTROPY_MIN_HARDWARE, MBEDTLS_ENTROPY_SOURCE_STRONG); #endif #if defined(MBEDTLS_ENTROPY_NV_SEED) mbedtls_entropy_add_source(ctx, mbedtls_nv_seed_poll, NULL, MBEDTLS_ENTROPY_BLOCK_SIZE, MBEDTLS_ENTROPY_SOURCE_STRONG); ctx->initial_entropy_run = 0; #endif #endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */ } void mbedtls_entropy_free(mbedtls_entropy_context *ctx) { #if defined(MBEDTLS_HAVEGE_C) mbedtls_havege_free(&ctx->havege_data); #endif #if defined(MBEDTLS_THREADING_C) mbedtls_mutex_free(&ctx->mutex); #endif #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) mbedtls_sha512_free(&ctx->accumulator); #else mbedtls_sha256_free(&ctx->accumulator); #endif #if defined(MBEDTLS_ENTROPY_NV_SEED) ctx->initial_entropy_run = 0; #endif ctx->source_count = 0; mbedtls_platform_zeroize(ctx->source, sizeof(ctx->source)); ctx->accumulator_started = 0; } int mbedtls_entropy_add_source(mbedtls_entropy_context *ctx, mbedtls_entropy_f_source_ptr f_source, void *p_source, size_t threshold, int strong) { int idx, ret = 0; #if defined(MBEDTLS_THREADING_C) if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) return (ret); #endif idx = ctx->source_count; if (idx >= MBEDTLS_ENTROPY_MAX_SOURCES) { ret = MBEDTLS_ERR_ENTROPY_MAX_SOURCES; goto exit; } ctx->source[idx].f_source = f_source; ctx->source[idx].p_source = p_source; ctx->source[idx].threshold = threshold; ctx->source[idx].strong = strong; ctx->source_count++; exit: #if defined(MBEDTLS_THREADING_C) if (mbedtls_mutex_unlock(&ctx->mutex) != 0) return (MBEDTLS_ERR_THREADING_MUTEX_ERROR); #endif return (ret); } /* * Entropy accumulator update */ static int entropy_update(mbedtls_entropy_context *ctx, unsigned char source_id, const unsigned char *data, size_t len) { unsigned char header[2]; unsigned char tmp[MBEDTLS_ENTROPY_BLOCK_SIZE]; size_t use_len = len; const unsigned char *p = data; int ret = 0; if (use_len > MBEDTLS_ENTROPY_BLOCK_SIZE) { #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) if ((ret = mbedtls_sha512_ret(data, len, tmp, 0)) != 0) goto cleanup; #else if ((ret = mbedtls_sha256_ret(data, len, tmp, 0)) != 0) goto cleanup; #endif p = tmp; use_len = MBEDTLS_ENTROPY_BLOCK_SIZE; } header[0] = source_id; header[1] = use_len & 0xFF; /* * Start the accumulator if this has not already happened. Note that * it is sufficient to start the accumulator here only because all calls to * gather entropy eventually execute this code. */ #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) if (ctx->accumulator_started == 0 && (ret = mbedtls_sha512_starts_ret(&ctx->accumulator, 0)) != 0) goto cleanup; else ctx->accumulator_started = 1; if ((ret = mbedtls_sha512_update_ret(&ctx->accumulator, header, 2)) != 0) goto cleanup; ret = mbedtls_sha512_update_ret(&ctx->accumulator, p, use_len); #else if (ctx->accumulator_started == 0 && (ret = mbedtls_sha256_starts_ret(&ctx->accumulator, 0)) != 0) goto cleanup; else ctx->accumulator_started = 1; if ((ret = mbedtls_sha256_update_ret(&ctx->accumulator, header, 2)) != 0) goto cleanup; ret = mbedtls_sha256_update_ret(&ctx->accumulator, p, use_len); #endif cleanup: mbedtls_platform_zeroize(tmp, sizeof(tmp)); return (ret); } int mbedtls_entropy_update_manual(mbedtls_entropy_context *ctx, const unsigned char *data, size_t len) { int ret; #if defined(MBEDTLS_THREADING_C) if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) return (ret); #endif ret = entropy_update(ctx, MBEDTLS_ENTROPY_SOURCE_MANUAL, data, len); #if defined(MBEDTLS_THREADING_C) if (mbedtls_mutex_unlock(&ctx->mutex) != 0) return (MBEDTLS_ERR_THREADING_MUTEX_ERROR); #endif return (ret); } /* * Run through the different sources to add entropy to our accumulator */ static int entropy_gather_internal(mbedtls_entropy_context *ctx) { int ret, i, have_one_strong = 0; unsigned char buf[MBEDTLS_ENTROPY_MAX_GATHER]; size_t olen; if (ctx->source_count == 0) return (MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED); /* * Run through our entropy sources */ for (i = 0; i < ctx->source_count; i++) { if (ctx->source[i].strong == MBEDTLS_ENTROPY_SOURCE_STRONG) have_one_strong = 1; olen = 0; if ((ret = ctx->source[i].f_source(ctx->source[i].p_source, buf, MBEDTLS_ENTROPY_MAX_GATHER, &olen)) != 0) { goto cleanup; } /* * Add if we actually gathered something */ if (olen > 0) { if ((ret = entropy_update(ctx, (unsigned char) i, buf, olen)) != 0) return (ret); ctx->source[i].size += olen; } } if (have_one_strong == 0) ret = MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE; cleanup: mbedtls_platform_zeroize(buf, sizeof(buf)); return (ret); } /* * Thread-safe wrapper for entropy_gather_internal() */ int mbedtls_entropy_gather(mbedtls_entropy_context *ctx) { int ret; #if defined(MBEDTLS_THREADING_C) if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) return (ret); #endif ret = entropy_gather_internal(ctx); #if defined(MBEDTLS_THREADING_C) if (mbedtls_mutex_unlock(&ctx->mutex) != 0) return (MBEDTLS_ERR_THREADING_MUTEX_ERROR); #endif return (ret); } int mbedtls_entropy_func(void *data, unsigned char *output, size_t len) { int ret, count = 0, i, done; mbedtls_entropy_context *ctx = (mbedtls_entropy_context *) data; unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE]; if (len > MBEDTLS_ENTROPY_BLOCK_SIZE) return (MBEDTLS_ERR_ENTROPY_SOURCE_FAILED); #if defined(MBEDTLS_ENTROPY_NV_SEED) /* Update the NV entropy seed before generating any entropy for outside * use. */ if (ctx->initial_entropy_run == 0) { ctx->initial_entropy_run = 1; if ((ret = mbedtls_entropy_update_nv_seed(ctx)) != 0) return (ret); } #endif #if defined(MBEDTLS_THREADING_C) if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) return (ret); #endif /* * Always gather extra entropy before a call */ do { if (count++ > ENTROPY_MAX_LOOP) { ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; goto exit; } if ((ret = entropy_gather_internal(ctx)) != 0) goto exit; done = 1; for (i = 0; i < ctx->source_count; i++) if (ctx->source[i].size < ctx->source[i].threshold) done = 0; } while (! done); memset(buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE); #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) /* * Note that at this stage it is assumed that the accumulator was started * in a previous call to entropy_update(). If this is not guaranteed, the * code below will fail. */ if ((ret = mbedtls_sha512_finish_ret(&ctx->accumulator, buf)) != 0) goto exit; /* * Reset accumulator and counters and recycle existing entropy */ mbedtls_sha512_free(&ctx->accumulator); mbedtls_sha512_init(&ctx->accumulator); if ((ret = mbedtls_sha512_starts_ret(&ctx->accumulator, 0)) != 0) goto exit; if ((ret = mbedtls_sha512_update_ret(&ctx->accumulator, buf, MBEDTLS_ENTROPY_BLOCK_SIZE)) != 0) goto exit; /* * Perform second SHA-512 on entropy */ if ((ret = mbedtls_sha512_ret(buf, MBEDTLS_ENTROPY_BLOCK_SIZE, buf, 0)) != 0) goto exit; #else /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */ if ((ret = mbedtls_sha256_finish_ret(&ctx->accumulator, buf)) != 0) goto exit; /* * Reset accumulator and counters and recycle existing entropy */ mbedtls_sha256_free(&ctx->accumulator); mbedtls_sha256_init(&ctx->accumulator); if ((ret = mbedtls_sha256_starts_ret(&ctx->accumulator, 0)) != 0) goto exit; if ((ret = mbedtls_sha256_update_ret(&ctx->accumulator, buf, MBEDTLS_ENTROPY_BLOCK_SIZE)) != 0) goto exit; /* * Perform second SHA-256 on entropy */ if ((ret = mbedtls_sha256_ret(buf, MBEDTLS_ENTROPY_BLOCK_SIZE, buf, 0)) != 0) goto exit; #endif /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */ for (i = 0; i < ctx->source_count; i++) ctx->source[i].size = 0; memcpy(output, buf, len); ret = 0; exit: mbedtls_platform_zeroize(buf, sizeof(buf)); #if defined(MBEDTLS_THREADING_C) if (mbedtls_mutex_unlock(&ctx->mutex) != 0) return (MBEDTLS_ERR_THREADING_MUTEX_ERROR); #endif return (ret); } #if defined(MBEDTLS_ENTROPY_NV_SEED) int mbedtls_entropy_update_nv_seed(mbedtls_entropy_context *ctx) { int ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR; unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE]; /* Read new seed and write it to NV */ if ((ret = mbedtls_entropy_func(ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE)) != 0) return (ret); if (mbedtls_nv_seed_write(buf, MBEDTLS_ENTROPY_BLOCK_SIZE) < 0) return (MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR); /* Manually update the remaining stream with a separator value to diverge */ memset(buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE); ret = mbedtls_entropy_update_manual(ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE); return (ret); } #endif /* MBEDTLS_ENTROPY_NV_SEED */ #if defined(MBEDTLS_FS_IO) int mbedtls_entropy_write_seed_file(mbedtls_entropy_context *ctx, const char *path) { int ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR; FILE *f; unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE]; if ((f = fopen(path, "wb")) == NULL) return (MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR); if ((ret = mbedtls_entropy_func(ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE)) != 0) goto exit; if (fwrite(buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f) != MBEDTLS_ENTROPY_BLOCK_SIZE) { ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR; goto exit; } ret = 0; exit: mbedtls_platform_zeroize(buf, sizeof(buf)); fclose(f); return (ret); } int mbedtls_entropy_update_seed_file(mbedtls_entropy_context *ctx, const char *path) { int ret = 0; FILE *f; size_t n; unsigned char buf[ MBEDTLS_ENTROPY_MAX_SEED_SIZE ]; if ((f = fopen(path, "rb")) == NULL) return (MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR); fseek(f, 0, SEEK_END); n = (size_t) ftell(f); fseek(f, 0, SEEK_SET); if (n > MBEDTLS_ENTROPY_MAX_SEED_SIZE) n = MBEDTLS_ENTROPY_MAX_SEED_SIZE; if (fread(buf, 1, n, f) != n) ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR; else ret = mbedtls_entropy_update_manual(ctx, buf, n); fclose(f); mbedtls_platform_zeroize(buf, sizeof(buf)); if (ret != 0) return (ret); return (mbedtls_entropy_write_seed_file(ctx, path)); } #endif /* MBEDTLS_FS_IO */ #if defined(MBEDTLS_SELF_TEST) #if !defined(MBEDTLS_TEST_NULL_ENTROPY) /* * Dummy source function */ static int entropy_dummy_source(void *data, unsigned char *output, size_t len, size_t *olen) { ((void) data); memset(output, 0x2a, len); *olen = len; return (0); } #endif /* !MBEDTLS_TEST_NULL_ENTROPY */ #if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) static int mbedtls_entropy_source_self_test_gather(unsigned char *buf, size_t buf_len) { int ret = 0; size_t entropy_len = 0; size_t olen = 0; size_t attempts = buf_len; while (attempts > 0 && entropy_len < buf_len) { if ((ret = mbedtls_hardware_poll(NULL, buf + entropy_len, buf_len - entropy_len, &olen)) != 0) return (ret); entropy_len += olen; attempts--; } if (entropy_len < buf_len) { ret = 1; } return (ret); } static int mbedtls_entropy_source_self_test_check_bits(const unsigned char *buf, size_t buf_len) { unsigned char set = 0xFF; unsigned char unset = 0x00; size_t i; for (i = 0; i < buf_len; i++) { set &= buf[i]; unset |= buf[i]; } return (set == 0xFF || unset == 0x00); } /* * A test to ensure hat the entropy sources are functioning correctly * and there is no obvious failure. The test performs the following checks: * - The entropy source is not providing only 0s (all bits unset) or 1s (all * bits set). * - The entropy source is not providing values in a pattern. Because the * hardware could be providing data in an arbitrary length, this check polls * the hardware entropy source twice and compares the result to ensure they * are not equal. * - The error code returned by the entropy source is not an error. */ int mbedtls_entropy_source_self_test(int verbose) { int ret = 0; unsigned char buf0[2 * sizeof(unsigned long long int)]; unsigned char buf1[2 * sizeof(unsigned long long int)]; if (verbose != 0) mbedtls_printf(" ENTROPY_BIAS test: "); memset(buf0, 0x00, sizeof(buf0)); memset(buf1, 0x00, sizeof(buf1)); if ((ret = mbedtls_entropy_source_self_test_gather(buf0, sizeof(buf0))) != 0) goto cleanup; if ((ret = mbedtls_entropy_source_self_test_gather(buf1, sizeof(buf1))) != 0) goto cleanup; /* Make sure that the returned values are not all 0 or 1 */ if ((ret = mbedtls_entropy_source_self_test_check_bits(buf0, sizeof(buf0))) != 0) goto cleanup; if ((ret = mbedtls_entropy_source_self_test_check_bits(buf1, sizeof(buf1))) != 0) goto cleanup; /* Make sure that the entropy source is not returning values in a * pattern */ ret = memcmp(buf0, buf1, sizeof(buf0)) == 0; cleanup: if (verbose != 0) { if (ret != 0) mbedtls_printf("failed\n"); else mbedtls_printf("passed\n"); mbedtls_printf("\n"); } return (ret != 0); } #endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */ /* * The actual entropy quality is hard to test, but we can at least * test that the functions don't cause errors and write the correct * amount of data to buffers. */ int mbedtls_entropy_self_test(int verbose) { int ret = 1; #if !defined(MBEDTLS_TEST_NULL_ENTROPY) mbedtls_entropy_context ctx; unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 }; unsigned char acc[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 }; size_t i, j; #endif /* !MBEDTLS_TEST_NULL_ENTROPY */ if (verbose != 0) mbedtls_printf(" ENTROPY test: "); #if !defined(MBEDTLS_TEST_NULL_ENTROPY) mbedtls_entropy_init(&ctx); /* First do a gather to make sure we have default sources */ if ((ret = mbedtls_entropy_gather(&ctx)) != 0) goto cleanup; ret = mbedtls_entropy_add_source(&ctx, entropy_dummy_source, NULL, 16, MBEDTLS_ENTROPY_SOURCE_WEAK); if (ret != 0) goto cleanup; if ((ret = mbedtls_entropy_update_manual(&ctx, buf, sizeof buf)) != 0) goto cleanup; /* * To test that mbedtls_entropy_func writes correct number of bytes: * - use the whole buffer and rely on ASan to detect overruns * - collect entropy 8 times and OR the result in an accumulator: * any byte should then be 0 with probably 2^(-64), so requiring * each of the 32 or 64 bytes to be non-zero has a false failure rate * of at most 2^(-58) which is acceptable. */ for (i = 0; i < 8; i++) { if ((ret = mbedtls_entropy_func(&ctx, buf, sizeof(buf))) != 0) goto cleanup; for (j = 0; j < sizeof(buf); j++) acc[j] |= buf[j]; } for (j = 0; j < sizeof(buf); j++) { if (acc[j] == 0) { ret = 1; goto cleanup; } } #if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) if ((ret = mbedtls_entropy_source_self_test(0)) != 0) goto cleanup; #endif cleanup: mbedtls_entropy_free(&ctx); #endif /* !MBEDTLS_TEST_NULL_ENTROPY */ if (verbose != 0) { if (ret != 0) mbedtls_printf("failed\n"); else mbedtls_printf("passed\n"); mbedtls_printf("\n"); } return (ret != 0); } #endif /* MBEDTLS_SELF_TEST */ #endif /* MBEDTLS_ENTROPY_C */