Merge pull request #3 from chris-morrison/feature/add-ctr-prng

Feature/add car prng,

.gitignore

@@ -0,0 +1,2 @@
+*.o
+*~

VERSION

@@ -1 +1 @@
-0.2.0
+0.3.0

documentation/tinycrypt.rst

@@ -31,7 +31,7 @@ corresponding header file.
 
 * HMAC-PRNG:
 
-  * Type of primitive: Pseudo-random number generator.
+  * Type of primitive: Pseudo-random number generator (256-bit strength).
   * Standard Specification: NIST SP 800-90A.
   * Requires: SHA-256 and HMAC-SHA256.
 
@@ -65,6 +65,12 @@ corresponding header file.
   * Standard Specification: NIST SP 800-38C.
   * Requires: AES-128.
 
+* CTR-PRNG:
+
+  * Type of primitive: Pseudo-random number generator (128-bit strength).
+  * Standard Specification: NIST SP 800-90A.
+  * Requires: AES-128.
+
 * ECC-DH:
 
   * Type of primitive: Key exchange.
@@ -151,6 +157,13 @@ Specific Remarks
   * The AES-CTR mode limits the size of a data message they encrypt to 2^32
     blocks. If you need to encrypt larger data sets, your application would
     need to replace the key after 2^32 block encryptions.
+
+* CTR-PRNG:
+
+  * Before using CTR-PRNG, you *must* find an entropy source to produce a seed.
+    PRNGs only stretch the seed into a seemingly random output of arbitrary
+    length. The security of the output is exactly equal to the
+    unpredictability of the seed.
 
 * CBC mode:
 
@@ -243,7 +256,7 @@ of cryptography usages:
 
  * Construct random mappings (HMAC-SHA256);
 
- * Construct nonces and challenges (HMAC-PRNG);
+ * Construct nonces and challenges (HMAC-PRNG, CTR-PRNG);
 
  * Authenticate using a shared secret (HMAC-SHA256);
 

lib/Makefile

@@ -14,6 +14,7 @@ OBJS =	utils.o \
 	aes_encrypt.o \
 	cbc_mode.o \
 	ctr_mode.o \
+	ctr_prng.o \
 	ccm_mode.o \
 	cmac_mode.o \
 	hmac.o \
@@ -33,6 +34,7 @@ aes_decrypt.o:		aes_decrypt.c aes.h utils.o
 aes_encrypt.o:		aes_encrypt.c aes.h utils.o
 cbc_mode.o:		cbc_mode.c cbc_mode.h utils.o
 ctr_mode.o:	        ctr_mode.c ctr_mode.h utils.o
+ctr_prng.o:		ctr_prng.c ctr_prng.h
 ccm_mode.o:	        ccm_mode.c ccm_mode.h utils.o
 cmac_mode.o:	        ccm_mode.c ccm_mode.h utils.o
 hmac.o:		        hmac.c hmac.h utils.o

lib/include/tinycrypt/ctr_prng.h

@@ -0,0 +1,165 @@
+/* ctr_prng.h - TinyCrypt interface to a CTR-PRNG implementation */
+
+/*
+ * Copyright (c) 2016, Chris Morrison
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice, this
+ *   list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * @file
+ * @brief Interface to a CTR-PRNG implementation.
+ *
+ *  Overview:   A pseudo-random number generator (PRNG) generates a sequence
+ *              of numbers that have a distribution close to the one expected
+ *              for a sequence of truly random numbers. The NIST Special
+ *              Publication 800-90A specifies several mechanisms to generate
+ *              sequences of pseudo random numbers, including the CTR-PRNG one
+ *              which is based on AES. TinyCrypt implements CTR-PRNG with
+ *              AES-128.
+ *
+ *  Security:   A cryptographically secure PRNG depends on the existence of an
+ *              entropy source to provide a truly random seed as well as the
+ *              security of the primitives used as the building blocks (AES-128
+ *              in this instance).
+ *
+ *  Requires:   - AES-128
+ *
+ *  Usage:      1) call tc_ctr_prng_init to seed the prng context
+ *
+ *              2) call tc_ctr_prng_reseed to mix in additional entropy into
+ *              the prng context
+ *
+ *              3) call tc_ctr_prng_generate to output the pseudo-random data
+ *
+ *              4) call tc_ctr_prng_uninstantiate to zero out the prng context
+ */
+
+#ifndef __TC_CTR_PRNG_H__
+#define __TC_CTR_PRNG_H__
+
+#include <tinycrypt/aes.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct
+{
+	/* updated each time another BLOCKLEN_BYTES bytes are produced */
+	uint8_t V[TC_AES_BLOCK_SIZE]; 
+
+	/* updated whenever the PRNG is reseeded */
+	struct tc_aes_key_sched_struct key;
+
+	/* number of requests since initialization/reseeding */
+	uint64_t reseedCount;
+} TCCtrPrng_t;
+
+
+/**
+ *  @brief CTR-PRNG initialization procedure
+ *  Initializes prng context with entropy and personalization string (if any)
+ *  @return returns TC_SUCCESS (1)
+ *          returns TC_FAIL (0) if:
+ *                ctx == NULL,
+ *                entropy == NULL,
+ *                entropyLen < (TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE)
+ *  @note       Only the first (TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE) bytes of
+ *              both the entropy and personalization inputs are used -
+ *              supplying additional bytes has no effect.
+ *  @param ctx IN/OUT -- the PRNG context to initialize
+ *  @param entropy IN -- entropy used to seed the PRNG
+ *  @param entropyLen IN -- entropy length in bytes
+ *  @param personalization IN -- personalization string used to seed the PRNG
+ *  (may be null)
+ *  @param plen IN -- personalization length in bytes
+ *
+ */
+int32_t tc_ctr_prng_init(TCCtrPrng_t * const ctx, 
+			uint8_t const * const entropy,
+			uint32_t entropyLen, 
+			uint8_t const * const personalization,
+			uint32_t pLen);
+
+/**
+ *  @brief CTR-PRNG reseed procedure
+ *  Mixes entropy and additional_input into the prng context
+ *  @return returns  TC_SUCCESS (1)
+ *  returns TC_FAIL (0) if:
+ *          ctx == NULL,
+ *          entropy == NULL,
+ *          entropylen < (TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE)
+ *  @note It is better to reseed an existing prng context rather than
+ *        re-initialise, so that any existing entropy in the context is
+ *        presereved.  This offers some protection against undetected failures
+ *        of the entropy source.
+ *  @note Assumes tc_ctr_prng_init has been called for ctx
+ *  @param ctx IN/OUT -- the PRNG state
+ *  @param entropy IN -- entropy to mix into the prng
+ *  @param entropylen IN -- length of entropy in bytes
+ *  @param additional_input IN -- additional input to the prng (may be null)
+ *  @param additionallen IN -- additional input length in bytes
+ */
+int32_t tc_ctr_prng_reseed(TCCtrPrng_t * const ctx, 
+			uint8_t const * const entropy,
+			uint32_t entropyLen,
+			uint8_t const * const additional_input,
+			uint32_t additionallen);
+
+/**
+ *  @brief CTR-PRNG generate procedure
+ *  Generates outlen pseudo-random bytes into out buffer, updates prng
+ *  @return returns TC_SUCCESS (1)
+ *          returns TC_RESEED_REQ (-1) if a reseed is needed
+ *             returns TC_FAIL (0) if:
+ *                ctx == NULL,
+ *                out == NULL,
+ *                outlen >= 2^16
+ *  @note Assumes tc_ctr_prng_init has been called for ctx
+ *  @param ctx IN/OUT -- the PRNG context
+ *  @param additional_input IN -- additional input to the prng (may be null)
+ *  @param additionallen IN -- additional input length in bytes
+ *  @param out IN/OUT -- buffer to receive output
+ *  @param outlen IN -- size of out buffer in bytes
+ */
+int32_t tc_ctr_prng_generate(TCCtrPrng_t * const ctx,
+			uint8_t const * const additional_input,
+			uint32_t additionallen,
+			uint8_t * const out,
+			uint32_t outlen);
+
+/**
+ *  @brief CTR-PRNG uninstantiate procedure
+ *  Zeroes the internal state of the supplied prng context
+ *  @return none
+ *  @param ctx IN/OUT -- the PRNG context
+ */
+void tc_ctr_prng_uninstantiate(TCCtrPrng_t * const ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif