1 /* hmac_prng.c - TinyCrypt implementation of HMAC-PRNG */
9  *    - Redistributions of source code must retain the above copyright notice,
12  *    - Redistributions in binary form must reproduce the above copyright
16  *    - Neither the name of Intel Corporation nor the names of its contributors
22  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
46  * SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes).
52  * SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes).
58  * SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes).
63  * max number of generates between re-seeds;
64  * TinyCrypt accepts up to (2^32 - 1) which is the maximal value of
65  * a 32-bit unsigned int variable, while SP800-90A specifies a maximum of 2^48.
71  * SP800-90A specifies a maximum up to 2^19.
83 	/* use current state, e and separator 0 to compute a new prng key: */  in update()
84 	(void)tc_hmac_init(&prng->h);  in update()
85 	(void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v));  in update()
86 	(void)tc_hmac_update(&prng->h, &separator0, sizeof(separator0));  in update()
87 	(void)tc_hmac_update(&prng->h, e, len);  in update()
88 	(void)tc_hmac_final(prng->key, sizeof(prng->key), &prng->h);  in update()
90 	(void)tc_hmac_set_key(&prng->h, prng->key, sizeof(prng->key));  in update()
92 	/* use the new key to compute a new state variable v */  in update()
93 	(void)tc_hmac_init(&prng->h);  in update()
94 	(void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v));  in update()
95 	(void)tc_hmac_final(prng->v, sizeof(prng->v), &prng->h);  in update()
97 	/* use current state, e and separator 1 to compute a new prng key: */  in update()
98 	(void)tc_hmac_init(&prng->h);  in update()
99 	(void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v));  in update()
100 	(void)tc_hmac_update(&prng->h, &separator1, sizeof(separator1));  in update()
101 	(void)tc_hmac_update(&prng->h, e, len);  in update()
102 	(void)tc_hmac_final(prng->key, sizeof(prng->key), &prng->h);  in update()
104 	(void)tc_hmac_set_key(&prng->h, prng->key, sizeof(prng->key));  in update()
106 	/* use the new key to compute a new state variable v */  in update()
107 	(void)tc_hmac_init(&prng->h);  in update()
108 	(void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v));  in update()
109 	(void)tc_hmac_final(prng->v, sizeof(prng->v), &prng->h);  in update()
124 	/* put the generator into a known state: */  in tc_hmac_prng_init()
125 	_set(prng->key, 0x00, sizeof(prng->key));  in tc_hmac_prng_init()
126 	_set(prng->v, 0x01, sizeof(prng->v));  in tc_hmac_prng_init()
127 	tc_hmac_set_key(&prng->h, prng->key, sizeof(prng->key));  in tc_hmac_prng_init()
132 	/* force a reseed before allowing tc_hmac_prng_generate to succeed: */  in tc_hmac_prng_init()
133 	prng->countdown = 0;  in tc_hmac_prng_init()
172 	prng->countdown = MAX_GENS;  in tc_hmac_prng_reseed()
187 	} else if (prng->countdown == 0) {  in tc_hmac_prng_generate()
191 	prng->countdown--;  in tc_hmac_prng_generate()
195 		(void)tc_hmac_init(&prng->h);  in tc_hmac_prng_generate()
196 		(void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v));  in tc_hmac_prng_generate()
197 		(void)tc_hmac_final(prng->v, sizeof(prng->v), &prng->h);  in tc_hmac_prng_generate()
201 		(void)_copy(out, bufferlen, prng->v, bufferlen);  in tc_hmac_prng_generate()
205 			(outlen - TC_SHA256_DIGEST_SIZE) : 0;  in tc_hmac_prng_generate()
209 	update(prng, prng->v, TC_SHA256_DIGEST_SIZE);  in tc_hmac_prng_generate()