Kezdőlap Felfedezés Súgó
Bejelentkezés
OWEALs
/
wolfssl
tükrözi: https://github.com/wolfSSL/wolfssl.git
2
0
Másolás 0
Fájlok Problémák 8 Wiki
Fa: 0e57e9858f
Branch-ok Tag-ek
wolfssl
/
wolfcrypt
/
src
/
random.c

random.c 80 KB
Előzmények Nyers

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953 
  1. /* random.c
    2. 

  2.  *
    3. 

  3.  * Copyright (C) 2006-2022 wolfSSL Inc.
    4. 

  4.  *
    5. 

  5.  * This file is part of wolfSSL.
    6. 

  6.  *
    7. 

  7.  * wolfSSL is free software; you can redistribute it and/or modify
    8. 

  8.  * it under the terms of the GNU General Public License as published by
    9. 

  9.  * the Free Software Foundation; either version 2 of the License, or
    10. 

  10.  * (at your option) any later version.
    11. 

  11.  *
    12. 

  12.  * wolfSSL is distributed in the hope that it will be useful,
    13. 

  13.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    15. 

  15.  * GNU General Public License for more details.
    16. 

  16.  *
    17. 

  17.  * You should have received a copy of the GNU General Public License
    18. 

  18.  * along with this program; if not, write to the Free Software
    19. 

  19.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
    20. 

  20.  */
    21. 

  21. 

  22. /*
    23. 

  23. 

  24. DESCRIPTION
    25. 

  25. This library contains implementation for the random number generator.
    26. 

  26. 

  27. */
    28. 

  28. #ifdef HAVE_CONFIG_H
    29. 

  29.     #include <config.h>
    30. 

  30. #endif
    31. 

  31. 

  32. #include <wolfssl/wolfcrypt/settings.h>
    33. 

  33. #include <wolfssl/wolfcrypt/error-crypt.h>
    34. 

  34. 

  35. /* on HPUX 11 you may need to install /dev/random see
    36. 

  36.    http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I
    37. 

  37. 

  38. */
    39. 

  39. 

  40. #if defined(HAVE_FIPS) && \
    41. 

  41.     defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
    42. 

  42. 

  43.     /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
    44. 

  44.     #define FIPS_NO_WRAPPERS
    45. 

  45. 

  46.     #ifdef USE_WINDOWS_API
    47. 

  47.         #pragma code_seg(".fipsA$c")
    48. 

  48.         #pragma const_seg(".fipsB$c")
    49. 

  49.     #endif
    50. 

  50. #endif
    51. 

  51. 

  52. 

  53. #include <wolfssl/wolfcrypt/random.h>
    54. 

  54. #include <wolfssl/wolfcrypt/cpuid.h>
    55. 

  55. 

  56. 

  57. /* If building for old FIPS. */
    58. 

  58. #if defined(HAVE_FIPS) && \
    59. 

  59.     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
    60. 

  60. 

  61. int wc_GenerateSeed(OS_Seed* os, byte* seed, word32 sz)
    62. 

  62. {
    63. 

  63.     return GenerateSeed(os, seed, sz);
    64. 

  64. }
    65. 

  65. 

  66. int wc_InitRng_ex(WC_RNG* rng, void* heap, int devId)
    67. 

  67. {
    68. 

  68.     (void)heap;
    69. 

  69.     (void)devId;
    70. 

  70.     return InitRng_fips(rng);
    71. 

  71. }
    72. 

  72. 

  73. WOLFSSL_ABI
    74. 

  74. int wc_InitRng(WC_RNG* rng)
    75. 

  75. {
    76. 

  76.     return InitRng_fips(rng);
    77. 

  77. }
    78. 

  78. 

  79. 

  80. int wc_RNG_GenerateBlock(WC_RNG* rng, byte* b, word32 sz)
    81. 

  81. {
    82. 

  82.     return RNG_GenerateBlock_fips(rng, b, sz);
    83. 

  83. }
    84. 

  84. 

  85. 

  86. int wc_RNG_GenerateByte(WC_RNG* rng, byte* b)
    87. 

  87. {
    88. 

  88.     return RNG_GenerateByte(rng, b);
    89. 

  89. }
    90. 

  90. 

  91. #ifdef HAVE_HASHDRBG
    92. 

  92. 

  93.     int wc_FreeRng(WC_RNG* rng)
    94. 

  94.     {
    95. 

  95.         return FreeRng_fips(rng);
    96. 

  96.     }
    97. 

  97. 

  98.     int wc_RNG_HealthTest(int reseed, const byte* seedA, word32 seedASz,
    99. 

  99.                                       const byte* seedB, word32 seedBSz,
    100. 

  100.                                       byte* output, word32 outputSz)
    101. 

  101.     {
    102. 

  102.         return RNG_HealthTest_fips(reseed, seedA, seedASz,
    103. 

  103.                               seedB, seedBSz, output, outputSz);
    104. 

  104.    }
    105. 

  105. #endif /* HAVE_HASHDRBG */
    106. 

  106. 

  107. #else /* else build without fips, or for new fips */
    108. 

  108. 

  109. #ifndef WC_NO_RNG /* if not FIPS and RNG is disabled then do not compile */
    110. 

  110. 

  111. #include <wolfssl/wolfcrypt/sha256.h>
    112. 

  112. 

  113. #ifdef WOLF_CRYPTO_CB
    114. 

  114.     #include <wolfssl/wolfcrypt/cryptocb.h>
    115. 

  115. #endif
    116. 

  116. 

  117. #ifdef NO_INLINE
    118. 

  118.     #include <wolfssl/wolfcrypt/misc.h>
    119. 

  119. #else
    120. 

  120.     #define WOLFSSL_MISC_INCLUDED
    121. 

  121.     #include <wolfcrypt/src/misc.c>
    122. 

  122. #endif
    123. 

  123. 

  124. #if defined(WOLFSSL_SGX)
    125. 

  125.     #include <sgx_trts.h>
    126. 

  126. #elif defined(USE_WINDOWS_API)
    127. 

  127.     #ifndef _WIN32_WINNT
    128. 

  128.         #define _WIN32_WINNT 0x0400
    129. 

  129.     #endif
    130. 

  130.     #include <windows.h>
    131. 

  131.     #include <wincrypt.h>
    132. 

  132. #elif defined(HAVE_WNR)
    133. 

  133.     #include <wnr.h>
    134. 

  134.     #include <wolfssl/wolfcrypt/logging.h>
    135. 

  135.     wolfSSL_Mutex wnr_mutex;    /* global netRandom mutex */
    136. 

  136.     int wnr_timeout     = 0;    /* entropy timeout, milliseconds */
    137. 

  137.     int wnr_mutex_init  = 0;    /* flag for mutex init */
    138. 

  138.     wnr_context*  wnr_ctx;      /* global netRandom context */
    139. 

  139. #elif defined(FREESCALE_KSDK_2_0_TRNG)
    140. 

  140.     #include "fsl_trng.h"
    141. 

  141. #elif defined(FREESCALE_KSDK_2_0_RNGA)
    142. 

  142.     #include "fsl_rnga.h"
    143. 

  143. #elif defined(WOLFSSL_WICED)
    144. 

  144.     #include "wiced_crypto.h"
    145. 

  145. #elif defined(WOLFSSL_NETBURNER)
    146. 

  146.     #include <predef.h>
    147. 

  147.     #include <basictypes.h>
    148. 

  148.     #include <random.h>
    149. 

  149. #elif defined(WOLFSSL_XILINX_CRYPT_VERSAL)
    150. 

  150. #include "wolfssl/wolfcrypt/port/xilinx/xil-versal-trng.h"
    151. 

  151. #elif defined(NO_DEV_RANDOM)
    152. 

  152. #elif defined(CUSTOM_RAND_GENERATE)
    153. 

  153. #elif defined(CUSTOM_RAND_GENERATE_BLOCK)
    154. 

  154. #elif defined(CUSTOM_RAND_GENERATE_SEED)
    155. 

  155. #elif defined(WOLFSSL_GENSEED_FORTEST)
    156. 

  156. #elif defined(WOLFSSL_MDK_ARM)
    157. 

  157. #elif defined(WOLFSSL_IAR_ARM)
    158. 

  158. #elif defined(WOLFSSL_ROWLEY_ARM)
    159. 

  159. #elif defined(WOLFSSL_EMBOS)
    160. 

  160. #elif defined(WOLFSSL_DEOS)
    161. 

  161. #elif defined(MICRIUM)
    162. 

  162. #elif defined(WOLFSSL_NUCLEUS)
    163. 

  163. #elif defined(WOLFSSL_PB)
    164. 

  164. #elif defined(WOLFSSL_ZEPHYR)
    165. 

  165. #elif defined(WOLFSSL_TELIT_M2MB)
    166. 

  166. #elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_TRNG)
    167. 

  167. #elif defined(WOLFSSL_GETRANDOM)
    168. 

  168.     #include <errno.h>
    169. 

  169.     #include <sys/random.h>
    170. 

  170. #else
    171. 

  171.     /* include headers that may be needed to get good seed */
    172. 

  172.     #include <fcntl.h>
    173. 

  173.     #ifndef EBSNET
    174. 

  174.         #include <unistd.h>
    175. 

  175.     #endif
    176. 

  176. #endif
    177. 

  177. 

  178. #if defined(WOLFSSL_SILABS_SE_ACCEL)
    179. 

  179. #include <wolfssl/wolfcrypt/port/silabs/silabs_random.h>
    180. 

  180. #endif
    181. 

  181. 

  182. #if defined(WOLFSSL_IOTSAFE) && defined(HAVE_IOTSAFE_HWRNG)
    183. 

  183. #include <wolfssl/wolfcrypt/port/iotsafe/iotsafe.h>
    184. 

  184. #endif
    185. 

  185. 

  186. #if defined(WOLFSSL_HAVE_PSA) && !defined(WOLFSSL_PSA_NO_RNG)
    187. 

  187. #include <wolfssl/wolfcrypt/port/psa/psa.h>
    188. 

  188. #endif
    189. 

  189. 

  190. #if defined(HAVE_INTEL_RDRAND) || defined(HAVE_INTEL_RDSEED) || \
    191. 

  191.     defined(HAVE_AMD_RDSEED)
    192. 

  192.     static word32 intel_flags = 0;
    193. 

  193.     static void wc_InitRng_IntelRD(void)
    194. 

  194.     {
    195. 

  195.         intel_flags = cpuid_get_flags();
    196. 

  196.     }
    197. 

  197.     #if (defined(HAVE_INTEL_RDSEED) || defined(HAVE_AMD_RDSEED)) && \
    198. 

  198.         !defined(WOLFSSL_LINUXKM)
    199. 

  199.     static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz);
    200. 

  200.     #endif
    201. 

  201.     #ifdef HAVE_INTEL_RDRAND
    202. 

  202.     static int wc_GenerateRand_IntelRD(OS_Seed* os, byte* output, word32 sz);
    203. 

  203.     #endif
    204. 

  204. 

  205. #ifdef USE_WINDOWS_API
    206. 

  206.     #define USE_INTEL_INTRINSICS
    207. 

  207. #elif !defined __GNUC__ || defined __clang__ || __GNUC__ > 4
    208. 

  208.     #define USE_INTEL_INTRINSICS
    209. 

  209. #else
    210. 

  210.     #undef USE_INTEL_INTRINSICS
    211. 

  211. #endif
    212. 

  212. 

  213. #ifdef USE_INTEL_INTRINSICS
    214. 

  214.     #include <immintrin.h>
    215. 

  215.     /* Before clang 7 or GCC 9, immintrin.h did not define _rdseed64_step() */
    216. 

  216.     #ifndef HAVE_INTEL_RDSEED
    217. 

  217.     #elif defined __clang__ && __clang_major__ > 6
    218. 

  218.     #elif !defined __GNUC__
    219. 

  219.     #elif __GNUC__ > 8
    220. 

  220.     #else
    221. 

  221.         #ifndef __clang__
    222. 

  222.             #pragma GCC push_options
    223. 

  223.             #pragma GCC target("rdseed")
    224. 

  224.         #else
    225. 

  225.             #define __RDSEED__
    226. 

  226.         #endif
    227. 

  227.         #include <x86intrin.h>
    228. 

  228.         #ifndef __clang__
    229. 

  229.             #pragma GCC pop_options
    230. 

  230.         #endif
    231. 

  231.     #endif
    232. 

  232. #endif /* USE_WINDOWS_API */
    233. 

  233. #endif
    234. 

  234. 

  235. /* Start NIST DRBG code */
    236. 

  236. #ifdef HAVE_HASHDRBG
    237. 

  237. 

  238. #define OUTPUT_BLOCK_LEN  (WC_SHA256_DIGEST_SIZE)
    239. 

  239. #define MAX_REQUEST_LEN   (0x10000)
    240. 

  240. #define RESEED_INTERVAL   WC_RESEED_INTERVAL
    241. 

  241. 

  242. 

  243. /* The security strength for the RNG is the target number of bits of
    244. 

  244.  * entropy you are looking for in a seed. */
    245. 

  245. #ifndef RNG_SECURITY_STRENGTH
    246. 

  246.     /* SHA-256 requires a minimum of 256-bits of entropy. */
    247. 

  247.     #define RNG_SECURITY_STRENGTH (256)
    248. 

  248. #endif
    249. 

  249. 

  250. #ifndef ENTROPY_SCALE_FACTOR
    251. 

  251.     /* The entropy scale factor should be the whole number inverse of the
    252. 

  252.      * minimum bits of entropy per bit of NDRNG output. */
    253. 

  253.     #if defined(HAVE_AMD_RDSEED)
    254. 

  254.         /* This will yield a SEED_SZ of 16kb. Since nonceSz will be 0,
    255. 

  255.          * we'll add an additional 8kb on top. */
    256. 

  256.         #define ENTROPY_SCALE_FACTOR  (512)
    257. 

  257.     #elif defined(HAVE_INTEL_RDSEED) || defined(HAVE_INTEL_RDRAND)
    258. 

  258.         /* The value of 2 applies to Intel's RDSEED which provides about
    259. 

  259.          * 0.5 bits minimum of entropy per bit. The value of 4 gives a
    260. 

  260.          * conservative margin for FIPS. */
    261. 

  261.         #if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
    262. 

  262.             (HAVE_FIPS_VERSION >= 2)
    263. 

  263.             #define ENTROPY_SCALE_FACTOR (2*4)
    264. 

  264.         #else
    265. 

  265.             /* Not FIPS, but Intel RDSEED, only double. */
    266. 

  266.             #define ENTROPY_SCALE_FACTOR (2)
    267. 

  267.         #endif
    268. 

  268.     #elif defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
    269. 

  269.         (HAVE_FIPS_VERSION >= 2)
    270. 

  270.         /* If doing a FIPS build without a specific scale factor, default
    271. 

  271.          * to 4. This will give 1024 bits of entropy. More is better, but
    272. 

  272.          * more is also slower. */
    273. 

  273.         #define ENTROPY_SCALE_FACTOR (4)
    274. 

  274.     #else
    275. 

  275.         /* Setting the default to 1. */
    276. 

  276.         #define ENTROPY_SCALE_FACTOR (1)
    277. 

  277.     #endif
    278. 

  278. #endif
    279. 

  279. 

  280. #ifndef SEED_BLOCK_SZ
    281. 

  281.     /* The seed block size, is the size of the output of the underlying NDRNG.
    282. 

  282.      * This value is used for testing the output of the NDRNG. */
    283. 

  283.     #if defined(HAVE_AMD_RDSEED)
    284. 

  284.         /* AMD's RDSEED instruction works in 128-bit blocks read 64-bits
    285. 

  285.         * at a time. */
    286. 

  286.         #define SEED_BLOCK_SZ (sizeof(word64)*2)
    287. 

  287.     #elif defined(HAVE_INTEL_RDSEED) || defined(HAVE_INTEL_RDRAND)
    288. 

  288.         /* RDSEED outputs in blocks of 64-bits. */
    289. 

  289.         #define SEED_BLOCK_SZ sizeof(word64)
    290. 

  290.     #else
    291. 

  291.         /* Setting the default to 4. */
    292. 

  292.         #define SEED_BLOCK_SZ 4
    293. 

  293.     #endif
    294. 

  294. #endif
    295. 

  295. 

  296. #define SEED_SZ        (RNG_SECURITY_STRENGTH*ENTROPY_SCALE_FACTOR/8)
    297. 

  297. 

  298. /* The maximum seed size will be the seed size plus a seed block for the
    299. 

  299.  * test, and an additional half of the seed size. This additional half
    300. 

  300.  * is in case the user does not supply a nonce. A nonce will be obtained
    301. 

  301.  * from the NDRNG. */
    302. 

  302. #define MAX_SEED_SZ    (SEED_SZ + SEED_SZ/2 + SEED_BLOCK_SZ)
    303. 

  303. 

  304. 

  305. #ifdef WC_RNG_SEED_CB
    306. 

  306. 

  307. static wc_RngSeed_Cb seedCb = NULL;
    308. 

  308. 

  309. int wc_SetSeed_Cb(wc_RngSeed_Cb cb)
    310. 

  310. {
    311. 

  311.     seedCb = cb;
    312. 

  312.     return 0;
    313. 

  313. }
    314. 

  314. 

  315. #endif
    316. 

  316. 

  317. 

  318. /* Internal return codes */
    319. 

  319. #define DRBG_SUCCESS      0
    320. 

  320. #define DRBG_FAILURE      1
    321. 

  321. #define DRBG_NEED_RESEED  2
    322. 

  322. #define DRBG_CONT_FAILURE 3
    323. 

  323. #define DRBG_NO_SEED_CB   4
    324. 

  324. 

  325. /* RNG health states */
    326. 

  326. #define DRBG_NOT_INIT     0
    327. 

  327. #define DRBG_OK           1
    328. 

  328. #define DRBG_FAILED       2
    329. 

  329. #define DRBG_CONT_FAILED  3
    330. 

  330. 

  331. #define RNG_HEALTH_TEST_CHECK_SIZE (WC_SHA256_DIGEST_SIZE * 4)
    332. 

  332. 

  333. /* Verify max gen block len */
    334. 

  334. #if RNG_MAX_BLOCK_LEN > MAX_REQUEST_LEN
    335. 

  335.     #error RNG_MAX_BLOCK_LEN is larger than NIST DBRG max request length
    336. 

  336. #endif
    337. 

  337. 

  338. enum {
    339. 

  339.     drbgInitC     = 0,
    340. 

  340.     drbgReseed    = 1,
    341. 

  341.     drbgGenerateW = 2,
    342. 

  342.     drbgGenerateH = 3,
    343. 

  343.     drbgInitV     = 4
    344. 

  344. };
    345. 

  345. 

  346. typedef struct DRBG_internal DRBG_internal;
    347. 

  347. 

  348. static int wc_RNG_HealthTestLocal(int reseed);
    349. 

  349. 

  350. /* Hash Derivation Function */
    351. 

  351. /* Returns: DRBG_SUCCESS or DRBG_FAILURE */
    352. 

  352. static int Hash_df(DRBG_internal* drbg, byte* out, word32 outSz, byte type,
    353. 

  353.                                                   const byte* inA, word32 inASz,
    354. 

  354.                                                   const byte* inB, word32 inBSz)
    355. 

  355. {
    356. 

  356.     int ret = DRBG_FAILURE;
    357. 

  357.     byte ctr;
    358. 

  358.     int i;
    359. 

  359.     int len;
    360. 

  360.     word32 bits = (outSz * 8); /* reverse byte order */
    361. 

  361. #ifdef WOLFSSL_SMALL_STACK_CACHE
    362. 

  362.     wc_Sha256* sha = &drbg->sha256;
    363. 

  363. #else
    364. 

  364.     wc_Sha256 sha[1];
    365. 

  365. #endif
    366. 

  366. #ifdef WC_ASYNC_ENABLE_SHA256
    367. 

  367.     WC_DECLARE_VAR(digest, byte, WC_SHA256_DIGEST_SIZE, drbg->heap);
    368. 

  368.     if (digest == NULL)
    369. 

  369.         return MEMORY_E;
    370. 

  370. #else
    371. 

  371.     byte digest[WC_SHA256_DIGEST_SIZE];
    372. 

  372. #endif
    373. 

  373. 

  374.     (void)drbg;
    375. 

  375. #ifdef WC_ASYNC_ENABLE_SHA256
    376. 

  376.     if (digest == NULL)
    377. 

  377.         return DRBG_FAILURE;
    378. 

  378. #endif
    379. 

  379. 

  380. #ifdef LITTLE_ENDIAN_ORDER
    381. 

  381.     bits = ByteReverseWord32(bits);
    382. 

  382. #endif
    383. 

  383.     len = (outSz / OUTPUT_BLOCK_LEN)
    384. 

  384.         + ((outSz % OUTPUT_BLOCK_LEN) ? 1 : 0);
    385. 

  385. 

  386.     ctr = 1;
    387. 

  387.     for (i = 0; i < len; i++) {
    388. 

  388. #ifndef WOLFSSL_SMALL_STACK_CACHE
    389. 

  389.     #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
    390. 

  390.         ret = wc_InitSha256_ex(sha, drbg->heap, drbg->devId);
    391. 

  391.     #else
    392. 

  392.         ret = wc_InitSha256(sha);
    393. 

  393.     #endif
    394. 

  394.         if (ret != 0)
    395. 

  395.             break;
    396. 

  396. #endif
    397. 

  397.         ret = wc_Sha256Update(sha, &ctr, sizeof(ctr));
    398. 

  398.         if (ret == 0) {
    399. 

  399.             ctr++;
    400. 

  400.             ret = wc_Sha256Update(sha, (byte*)&bits, sizeof(bits));
    401. 

  401.         }
    402. 

  402. 

  403.         if (ret == 0) {
    404. 

  404.             /* churning V is the only string that doesn't have the type added */
    405. 

  405.             if (type != drbgInitV)
    406. 

  406.                 ret = wc_Sha256Update(sha, &type, sizeof(type));
    407. 

  407.         }
    408. 

  408.         if (ret == 0)
    409. 

  409.             ret = wc_Sha256Update(sha, inA, inASz);
    410. 

  410.         if (ret == 0) {
    411. 

  411.             if (inB != NULL && inBSz > 0)
    412. 

  412.                 ret = wc_Sha256Update(sha, inB, inBSz);
    413. 

  413.         }
    414. 

  414.         if (ret == 0)
    415. 

  415.             ret = wc_Sha256Final(sha, digest);
    416. 

  416. 

  417. #ifndef WOLFSSL_SMALL_STACK_CACHE
    418. 

  418.         wc_Sha256Free(sha);
    419. 

  419. #endif
    420. 

  420.         if (ret == 0) {
    421. 

  421.             if (outSz > OUTPUT_BLOCK_LEN) {
    422. 

  422.                 XMEMCPY(out, digest, OUTPUT_BLOCK_LEN);
    423. 

  423.                 outSz -= OUTPUT_BLOCK_LEN;
    424. 

  424.                 out += OUTPUT_BLOCK_LEN;
    425. 

  425.             }
    426. 

  426.             else {
    427. 

  427.                 XMEMCPY(out, digest, outSz);
    428. 

  428.             }
    429. 

  429.         }
    430. 

  430.     }
    431. 

  431. 

  432.     ForceZero(digest, WC_SHA256_DIGEST_SIZE);
    433. 

  433. 

  434. #ifdef WC_ASYNC_ENABLE_SHA256
    435. 

  435.     WC_FREE_VAR(digest, drbg->heap);
    436. 

  436. #endif
    437. 

  437. 

  438.     return (ret == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
    439. 

  439. }
    440. 

  440. 

  441. /* Returns: DRBG_SUCCESS or DRBG_FAILURE */
    442. 

  442. static int Hash_DRBG_Reseed(DRBG_internal* drbg, const byte* seed, word32 seedSz)
    443. 

  443. {
    444. 

  444.     byte newV[DRBG_SEED_LEN];
    445. 

  445. 

  446.     if (drbg == NULL) {
    447. 

  447.         return DRBG_FAILURE;
    448. 

  448.     }
    449. 

  449. 

  450.     XMEMSET(newV, 0, DRBG_SEED_LEN);
    451. 

  451. 

  452.     if (Hash_df(drbg, newV, sizeof(newV), drbgReseed,
    453. 

  453.                 drbg->V, sizeof(drbg->V), seed, seedSz) != DRBG_SUCCESS) {
    454. 

  454.         return DRBG_FAILURE;
    455. 

  455.     }
    456. 

  456. 

  457.     XMEMCPY(drbg->V, newV, sizeof(drbg->V));
    458. 

  458.     ForceZero(newV, sizeof(newV));
    459. 

  459. 

  460.     if (Hash_df(drbg, drbg->C, sizeof(drbg->C), drbgInitC, drbg->V,
    461. 

  461.                                     sizeof(drbg->V), NULL, 0) != DRBG_SUCCESS) {
    462. 

  462.         return DRBG_FAILURE;
    463. 

  463.     }
    464. 

  464. 

  465.     drbg->reseedCtr = 1;
    466. 

  466.     drbg->lastBlock = 0;
    467. 

  467.     drbg->matchCount = 0;
    468. 

  468.     return DRBG_SUCCESS;
    469. 

  469. }
    470. 

  470. 

  471. /* Returns: DRBG_SUCCESS and DRBG_FAILURE or BAD_FUNC_ARG on fail */
    472. 

  472. int wc_RNG_DRBG_Reseed(WC_RNG* rng, const byte* seed, word32 seedSz)
    473. 

  473. {
    474. 

  474.     if (rng == NULL || seed == NULL) {
    475. 

  475.         return BAD_FUNC_ARG;
    476. 

  476.     }
    477. 

  477. 

  478.     if (rng->drbg == NULL) {
    479. 

  479.     #if defined(HAVE_INTEL_RDSEED) || defined(HAVE_INTEL_RDRAND)
    480. 

  480.         if (IS_INTEL_RDRAND(intel_flags)) {
    481. 

  481.             /* using RDRAND not DRBG, so return success */
    482. 

  482.             return 0;
    483. 

  483.         }
    484. 

  484.         return BAD_FUNC_ARG;
    485. 

  485.     #endif
    486. 

  486.     }
    487. 

  487. 

  488.     return Hash_DRBG_Reseed((DRBG_internal *)rng->drbg, seed, seedSz);
    489. 

  489. }
    490. 

  490. 

  491. static WC_INLINE void array_add_one(byte* data, word32 dataSz)
    492. 

  492. {
    493. 

  493.     int i;
    494. 

  494. 

  495.     for (i = dataSz - 1; i >= 0; i--)
    496. 

  496.     {
    497. 

  497.         data[i]++;
    498. 

  498.         if (data[i] != 0) break;
    499. 

  499.     }
    500. 

  500. }
    501. 

  501. 

  502. /* Returns: DRBG_SUCCESS or DRBG_FAILURE */
    503. 

  503. static int Hash_gen(DRBG_internal* drbg, byte* out, word32 outSz, const byte* V)
    504. 

  504. {
    505. 

  505.     int ret = DRBG_FAILURE;
    506. 

  506.     byte data[DRBG_SEED_LEN];
    507. 

  507.     int i;
    508. 

  508.     int len;
    509. 

  509.     word32 checkBlock;
    510. 

  510. #ifdef WOLFSSL_SMALL_STACK_CACHE
    511. 

  511.     wc_Sha256* sha = &drbg->sha256;
    512. 

  512. #else
    513. 

  513.     wc_Sha256 sha[1];
    514. 

  514. #endif
    515. 

  515. #ifdef WC_ASYNC_ENABLE_SHA256
    516. 

  516.     WC_DECLARE_VAR(digest, byte, WC_SHA256_DIGEST_SIZE, drbg->heap);
    517. 

  517.     if (digest == NULL)
    518. 

  518.         return MEMORY_E;
    519. 

  519. #else
    520. 

  520.     byte digest[WC_SHA256_DIGEST_SIZE];
    521. 

  521. #endif
    522. 

  522. 

  523.     /* Special case: outSz is 0 and out is NULL. wc_Generate a block to save for
    524. 

  524.      * the continuous test. */
    525. 

  525. 

  526.     if (outSz == 0) outSz = 1;
    527. 

  527. 

  528.     len = (outSz / OUTPUT_BLOCK_LEN) + ((outSz % OUTPUT_BLOCK_LEN) ? 1 : 0);
    529. 

  529. 

  530.     XMEMCPY(data, V, sizeof(data));
    531. 

  531.     for (i = 0; i < len; i++) {
    532. 

  532. #ifndef WOLFSSL_SMALL_STACK_CACHE
    533. 

  533.     #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
    534. 

  534.         ret = wc_InitSha256_ex(sha, drbg->heap, drbg->devId);
    535. 

  535.     #else
    536. 

  536.         ret = wc_InitSha256(sha);
    537. 

  537.     #endif
    538. 

  538.         if (ret == 0)
    539. 

  539. #endif
    540. 

  540.             ret = wc_Sha256Update(sha, data, sizeof(data));
    541. 

  541.         if (ret == 0)
    542. 

  542.             ret = wc_Sha256Final(sha, digest);
    543. 

  543. #ifndef WOLFSSL_SMALL_STACK_CACHE
    544. 

  544.         wc_Sha256Free(sha);
    545. 

  545. #endif
    546. 

  546. 

  547.         if (ret == 0) {
    548. 

  548.             XMEMCPY(&checkBlock, digest, sizeof(word32));
    549. 

  549.             if (drbg->reseedCtr > 1 && checkBlock == drbg->lastBlock) {
    550. 

  550.                 if (drbg->matchCount == 1) {
    551. 

  551.                     return DRBG_CONT_FAILURE;
    552. 

  552.                 }
    553. 

  553.                 else {
    554. 

  554.                     if (i == (len-1)) {
    555. 

  555.                         len++;
    556. 

  556.                     }
    557. 

  557.                     drbg->matchCount = 1;
    558. 

  558.                 }
    559. 

  559.             }
    560. 

  560.             else {
    561. 

  561.                 drbg->matchCount = 0;
    562. 

  562.                 drbg->lastBlock = checkBlock;
    563. 

  563.             }
    564. 

  564. 

  565.             if (out != NULL && outSz != 0) {
    566. 

  566.                 if (outSz >= OUTPUT_BLOCK_LEN) {
    567. 

  567.                     XMEMCPY(out, digest, OUTPUT_BLOCK_LEN);
    568. 

  568.                     outSz -= OUTPUT_BLOCK_LEN;
    569. 

  569.                     out += OUTPUT_BLOCK_LEN;
    570. 

  570.                     array_add_one(data, DRBG_SEED_LEN);
    571. 

  571.                 }
    572. 

  572.                 else {
    573. 

  573.                     XMEMCPY(out, digest, outSz);
    574. 

  574.                     outSz = 0;
    575. 

  575.                 }
    576. 

  576.             }
    577. 

  577.         }
    578. 

  578.         else {
    579. 

  579.             /* wc_Sha256Update or wc_Sha256Final returned error */
    580. 

  580.             break;
    581. 

  581.         }
    582. 

  582.     }
    583. 

  583.     ForceZero(data, sizeof(data));
    584. 

  584. 

  585. #ifdef WC_ASYNC_ENABLE_SHA256
    586. 

  586.     WC_FREE_VAR(digest, drbg->heap);
    587. 

  587. #endif
    588. 

  588. 

  589.     return (ret == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
    590. 

  590. }
    591. 

  591. 

  592. static WC_INLINE void array_add(byte* d, word32 dLen, const byte* s, word32 sLen)
    593. 

  593. {
    594. 

  594.     word16 carry = 0;
    595. 

  595. 

  596.     if (dLen > 0 && sLen > 0 && dLen >= sLen) {
    597. 

  597.         int sIdx, dIdx;
    598. 

  598. 

  599.         dIdx = dLen - 1;
    600. 

  600.         for (sIdx = sLen - 1; sIdx >= 0; sIdx--) {
    601. 

  601.             carry += (word16)d[dIdx] + (word16)s[sIdx];
    602. 

  602.             d[dIdx] = (byte)carry;
    603. 

  603.             carry >>= 8;
    604. 

  604.             dIdx--;
    605. 

  605.         }
    606. 

  606. 

  607.         for (; dIdx >= 0; dIdx--) {
    608. 

  608.             carry += (word16)d[dIdx];
    609. 

  609.             d[dIdx] = (byte)carry;
    610. 

  610.             carry >>= 8;
    611. 

  611.         }
    612. 

  612.     }
    613. 

  613. }
    614. 

  614. 

  615. /* Returns: DRBG_SUCCESS, DRBG_NEED_RESEED, or DRBG_FAILURE */
    616. 

  616. static int Hash_DRBG_Generate(DRBG_internal* drbg, byte* out, word32 outSz)
    617. 

  617. {
    618. 

  618.     int ret;
    619. 

  619. #ifdef WOLFSSL_SMALL_STACK_CACHE
    620. 

  620.     wc_Sha256* sha = &drbg->sha256;
    621. 

  621. #else
    622. 

  622.     wc_Sha256 sha[1];
    623. 

  623. #endif
    624. 

  624.     byte type;
    625. 

  625.     word32 reseedCtr;
    626. 

  626. 

  627.     if (drbg == NULL) {
    628. 

  628.         return DRBG_FAILURE;
    629. 

  629.     }
    630. 

  630. 

  631.     if (drbg->reseedCtr == RESEED_INTERVAL) {
    632. 

  632.         return DRBG_NEED_RESEED;
    633. 

  633.     } else {
    634. 

  634.     #ifdef WC_ASYNC_ENABLE_SHA256
    635. 

  635.         WC_DECLARE_VAR(digest, byte, WC_SHA256_DIGEST_SIZE, drbg->heap);
    636. 

  636.         if (digest == NULL)
    637. 

  637.             return MEMORY_E;
    638. 

  638.     #else
    639. 

  639.         byte digest[WC_SHA256_DIGEST_SIZE];
    640. 

  640.     #endif
    641. 

  641.         type = drbgGenerateH;
    642. 

  642.         reseedCtr = drbg->reseedCtr;
    643. 

  643. 

  644.         ret = Hash_gen(drbg, out, outSz, drbg->V);
    645. 

  645.         if (ret == DRBG_SUCCESS) {
    646. 

  646. #ifndef WOLFSSL_SMALL_STACK_CACHE
    647. 

  647.         #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
    648. 

  648.             ret = wc_InitSha256_ex(sha, drbg->heap, drbg->devId);
    649. 

  649.         #else
    650. 

  650.             ret = wc_InitSha256(sha);
    651. 

  651.         #endif
    652. 

  652.             if (ret == 0)
    653. 

  653. #endif
    654. 

  654.                 ret = wc_Sha256Update(sha, &type, sizeof(type));
    655. 

  655.             if (ret == 0)
    656. 

  656.                 ret = wc_Sha256Update(sha, drbg->V, sizeof(drbg->V));
    657. 

  657.             if (ret == 0)
    658. 

  658.                 ret = wc_Sha256Final(sha, digest);
    659. 

  659. 

  660. #ifndef WOLFSSL_SMALL_STACK_CACHE
    661. 

  661.             wc_Sha256Free(sha);
    662. 

  662. #endif
    663. 

  663. 

  664.             if (ret == 0) {
    665. 

  665.                 array_add(drbg->V, sizeof(drbg->V), digest, WC_SHA256_DIGEST_SIZE);
    666. 

  666.                 array_add(drbg->V, sizeof(drbg->V), drbg->C, sizeof(drbg->C));
    667. 

  667.             #ifdef LITTLE_ENDIAN_ORDER
    668. 

  668.                 reseedCtr = ByteReverseWord32(reseedCtr);
    669. 

  669.             #endif
    670. 

  670.                 array_add(drbg->V, sizeof(drbg->V),
    671. 

  671.                                           (byte*)&reseedCtr, sizeof(reseedCtr));
    672. 

  672.                 ret = DRBG_SUCCESS;
    673. 

  673.             }
    674. 

  674.             drbg->reseedCtr++;
    675. 

  675.         }
    676. 

  676.         ForceZero(digest, WC_SHA256_DIGEST_SIZE);
    677. 

  677.     #ifdef WC_ASYNC_ENABLE_SHA256
    678. 

  678.         WC_FREE_VAR(digest, drbg->heap);
    679. 

  679.     #endif
    680. 

  680.     }
    681. 

  681. 

  682.     return (ret == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
    683. 

  683. }
    684. 

  684. 

  685. /* Returns: DRBG_SUCCESS or DRBG_FAILURE */
    686. 

  686. static int Hash_DRBG_Instantiate(DRBG_internal* drbg, const byte* seed, word32 seedSz,
    687. 

  687.                                              const byte* nonce, word32 nonceSz,
    688. 

  688.                                              void* heap, int devId)
    689. 

  689. {
    690. 

  690.     int ret = DRBG_FAILURE;
    691. 

  691. 

  692.     XMEMSET(drbg, 0, sizeof(DRBG_internal));
    693. 

  693. #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
    694. 

  694.     drbg->heap = heap;
    695. 

  695.     drbg->devId = devId;
    696. 

  696. #else
    697. 

  697.     (void)heap;
    698. 

  698.     (void)devId;
    699. 

  699. #endif
    700. 

  700. 

  701. #ifdef WOLFSSL_SMALL_STACK_CACHE
    702. 

  702.     #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
    703. 

  703.         ret = wc_InitSha256_ex(&drbg->sha256, drbg->heap, drbg->devId);
    704. 

  704.     #else
    705. 

  705.         ret = wc_InitSha256(&drbg->sha256);
    706. 

  706.     #endif
    707. 

  707.     if (ret != 0)
    708. 

  708.         return ret;
    709. 

  709. #endif
    710. 

  710. 

  711.     if (Hash_df(drbg, drbg->V, sizeof(drbg->V), drbgInitV, seed, seedSz,
    712. 

  712.                                               nonce, nonceSz) == DRBG_SUCCESS &&
    713. 

  713.         Hash_df(drbg, drbg->C, sizeof(drbg->C), drbgInitC, drbg->V,
    714. 

  714.                                     sizeof(drbg->V), NULL, 0) == DRBG_SUCCESS) {
    715. 

  715. 

  716.         drbg->reseedCtr = 1;
    717. 

  717.         drbg->lastBlock = 0;
    718. 

  718.         drbg->matchCount = 0;
    719. 

  719.         ret = DRBG_SUCCESS;
    720. 

  720.     }
    721. 

  721. 

  722.     return ret;
    723. 

  723. }
    724. 

  724. 

  725. /* Returns: DRBG_SUCCESS or DRBG_FAILURE */
    726. 

  726. static int Hash_DRBG_Uninstantiate(DRBG_internal* drbg)
    727. 

  727. {
    728. 

  728.     word32 i;
    729. 

  729.     int    compareSum = 0;
    730. 

  730.     byte*  compareDrbg = (byte*)drbg;
    731. 

  731. 

  732. #ifdef WOLFSSL_SMALL_STACK_CACHE
    733. 

  733.     wc_Sha256Free(&drbg->sha256);
    734. 

  734. #endif
    735. 

  735. 

  736.     ForceZero(drbg, sizeof(DRBG_internal));
    737. 

  737. 

  738.     for (i = 0; i < sizeof(DRBG_internal); i++)
    739. 

  739.         compareSum |= compareDrbg[i] ^ 0;
    740. 

  740. 

  741.     return (compareSum == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
    742. 

  742. }
    743. 

  743. 

  744. 

  745. int wc_RNG_TestSeed(const byte* seed, word32 seedSz)
    746. 

  746. {
    747. 

  747.     int ret = 0;
    748. 

  748. 

  749.     /* Check the seed for duplicate words. */
    750. 

  750.     word32 seedIdx = 0;
    751. 

  751.     word32 scratchSz = min(SEED_BLOCK_SZ, seedSz - SEED_BLOCK_SZ);
    752. 

  752. 

  753.     while (seedIdx < seedSz - SEED_BLOCK_SZ) {
    754. 

  754.         if (ConstantCompare(seed + seedIdx,
    755. 

  755.                             seed + seedIdx + scratchSz,
    756. 

  756.                             scratchSz) == 0) {
    757. 

  757. 

  758.             ret = DRBG_CONT_FAILURE;
    759. 

  759.         }
    760. 

  760.         seedIdx += SEED_BLOCK_SZ;
    761. 

  761.         scratchSz = min(SEED_BLOCK_SZ, (seedSz - seedIdx));
    762. 

  762.     }
    763. 

  763. 

  764.     return ret;
    765. 

  765. }
    766. 

  766. #endif /* HAVE_HASHDRBG */
    767. 

  767. /* End NIST DRBG Code */
    768. 

  768. 

  769. 

  770. static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
    771. 

  771.                     void* heap, int devId)
    772. 

  772. {
    773. 

  773.     int ret = 0;
    774. 

  774. #ifdef HAVE_HASHDRBG
    775. 

  775.     word32 seedSz = SEED_SZ + SEED_BLOCK_SZ;
    776. 

  776. #endif
    777. 

  777. 

  778.     (void)nonce;
    779. 

  779.     (void)nonceSz;
    780. 

  780. 

  781.     if (rng == NULL)
    782. 

  782.         return BAD_FUNC_ARG;
    783. 

  783.     if (nonce == NULL && nonceSz != 0)
    784. 

  784.         return BAD_FUNC_ARG;
    785. 

  785. 

  786. #ifdef WOLFSSL_HEAP_TEST
    787. 

  787.     rng->heap = (void*)WOLFSSL_HEAP_TEST;
    788. 

  788.     (void)heap;
    789. 

  789. #else
    790. 

  790.     rng->heap = heap;
    791. 

  791. #endif
    792. 

  792. #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
    793. 

  793.     rng->devId = devId;
    794. 

  794.     #if defined(WOLF_CRYPTO_CB)
    795. 

  795.         rng->seed.devId = devId;
    796. 

  796.     #endif
    797. 

  797. #else
    798. 

  798.     (void)devId;
    799. 

  799. #endif
    800. 

  800. 

  801. #ifdef HAVE_HASHDRBG
    802. 

  802.     /* init the DBRG to known values */
    803. 

  803.     rng->drbg = NULL;
    804. 

  804.     rng->status = DRBG_NOT_INIT;
    805. 

  805. #endif
    806. 

  806. 

  807. #if defined(HAVE_INTEL_RDSEED) || defined(HAVE_INTEL_RDRAND) || \
    808. 

  808.     defined(HAVE_AMD_RDSEED)
    809. 

  809.     /* init the intel RD seed and/or rand */
    810. 

  810.     wc_InitRng_IntelRD();
    811. 

  811. #endif
    812. 

  812. 

  813.     /* configure async RNG source if available */
    814. 

  814. #ifdef WOLFSSL_ASYNC_CRYPT
    815. 

  815.     ret = wolfAsync_DevCtxInit(&rng->asyncDev, WOLFSSL_ASYNC_MARKER_RNG,
    816. 

  816.                                                         rng->heap, rng->devId);
    817. 

  817.     if (ret != 0)
    818. 

  818.         return ret;
    819. 

  819. #endif
    820. 

  820. 

  821. #ifdef HAVE_INTEL_RDRAND
    822. 

  822.     /* if CPU supports RDRAND, use it directly and by-pass DRBG init */
    823. 

  823.     if (IS_INTEL_RDRAND(intel_flags))
    824. 

  824.         return 0;
    825. 

  825. #endif
    826. 

  826. 

  827. #ifdef WOLFSSL_XILINX_CRYPT_VERSAL
    828. 

  828.     ret = wc_VersalTrngInit(nonce, nonceSz);
    829. 

  829.     if (ret)
    830. 

  830.         return ret;
    831. 

  831. #endif
    832. 

  832. 

  833. #ifdef CUSTOM_RAND_GENERATE_BLOCK
    834. 

  834.     ret = 0; /* success */
    835. 

  835. #else
    836. 

  836. #ifdef HAVE_HASHDRBG
    837. 

  837.     if (nonceSz == 0)
    838. 

  838.         seedSz = MAX_SEED_SZ;
    839. 

  839. 

  840.     if (wc_RNG_HealthTestLocal(0) == 0) {
    841. 

  841.     #ifdef WC_ASYNC_ENABLE_SHA256
    842. 

  842.         WC_DECLARE_VAR(seed, byte, MAX_SEED_SZ, rng->heap);
    843. 

  843.         if (seed == NULL)
    844. 

  844.             return MEMORY_E;
    845. 

  845.     #else
    846. 

  846.         byte seed[MAX_SEED_SZ];
    847. 

  847.     #endif
    848. 

  848. 

  849. #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
    850. 

  850.         rng->drbg =
    851. 

  851.                 (struct DRBG*)XMALLOC(sizeof(DRBG_internal), rng->heap,
    852. 

  852.                                                           DYNAMIC_TYPE_RNG);
    853. 

  853.         if (rng->drbg == NULL) {
    854. 

  854.             ret = MEMORY_E;
    855. 

  855.             rng->status = DRBG_FAILED;
    856. 

  856.         }
    857. 

  857. #else
    858. 

  858.         rng->drbg = (struct DRBG*)&rng->drbg_data;
    859. 

  859. #endif
    860. 

  860.         if (ret == 0) {
    861. 

  861. #ifdef WC_RNG_SEED_CB
    862. 

  862.             if (seedCb == NULL) {
    863. 

  863.                 ret = DRBG_NO_SEED_CB;
    864. 

  864.             }
    865. 

  865.             else {
    866. 

  866.                 ret = seedCb(&rng->seed, seed, seedSz);
    867. 

  867.                 if (ret != 0) {
    868. 

  868.                     ret = DRBG_FAILURE;
    869. 

  869.                 }
    870. 

  870.             }
    871. 

  871. #else
    872. 

  872.             ret = wc_GenerateSeed(&rng->seed, seed, seedSz);
    873. 

  873. #endif
    874. 

  874.             if (ret == 0)
    875. 

  875.                 ret = wc_RNG_TestSeed(seed, seedSz);
    876. 

  876.             else {
    877. 

  877.                 ret = DRBG_FAILURE;
    878. 

  878.                 rng->status = DRBG_FAILED;
    879. 

  879.             }
    880. 

  880. 

  881.             if (ret == DRBG_SUCCESS)
    882. 

  882.                 ret = Hash_DRBG_Instantiate((DRBG_internal *)rng->drbg,
    883. 

  883.                             seed + SEED_BLOCK_SZ, seedSz - SEED_BLOCK_SZ,
    884. 

  884.                             nonce, nonceSz, rng->heap, devId);
    885. 

  885. 

  886.             if (ret != DRBG_SUCCESS) {
    887. 

  887.             #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
    888. 

  888.                 XFREE(rng->drbg, rng->heap, DYNAMIC_TYPE_RNG);
    889. 

  889.             #endif
    890. 

  890.                 rng->drbg = NULL;
    891. 

  891.             }
    892. 

  892.         }
    893. 

  893. 

  894.         ForceZero(seed, seedSz);
    895. 

  895.     #ifdef WC_ASYNC_ENABLE_SHA256
    896. 

  896.         WC_FREE_VAR(seed, rng->heap);
    897. 

  897.     #endif
    898. 

  898.     }
    899. 

  899.     else
    900. 

  900.         ret = DRBG_CONT_FAILURE;
    901. 

  901. 

  902.     if (ret == DRBG_SUCCESS) {
    903. 

  903. #ifdef WOLFSSL_CHECK_MEM_ZERO
    904. 

  904. #ifdef HAVE_HASHDRBG
    905. 

  905.         struct DRBG_internal* drbg = (struct DRBG_internal*)rng->drbg;
    906. 

  906.         wc_MemZero_Add("DRBG V", &drbg->V, sizeof(drbg->V));
    907. 

  907.         wc_MemZero_Add("DRBG C", &drbg->C, sizeof(drbg->C));
    908. 

  908. #endif
    909. 

  909. #endif
    910. 

  910. 

  911.         rng->status = DRBG_OK;
    912. 

  912.         ret = 0;
    913. 

  913.     }
    914. 

  914.     else if (ret == DRBG_CONT_FAILURE) {
    915. 

  915.         rng->status = DRBG_CONT_FAILED;
    916. 

  916.         ret = DRBG_CONT_FIPS_E;
    917. 

  917.     }
    918. 

  918.     else if (ret == DRBG_FAILURE) {
    919. 

  919.         rng->status = DRBG_FAILED;
    920. 

  920.         ret = RNG_FAILURE_E;
    921. 

  921.     }
    922. 

  922.     else {
    923. 

  923.         rng->status = DRBG_FAILED;
    924. 

  924.     }
    925. 

  925. #endif /* HAVE_HASHDRBG */
    926. 

  926. #endif /* CUSTOM_RAND_GENERATE_BLOCK */
    927. 

  927. 

  928.     return ret;
    929. 

  929. }
    930. 

  930. 

  931. 

  932. WOLFSSL_ABI
    933. 

  933. WC_RNG* wc_rng_new(byte* nonce, word32 nonceSz, void* heap)
    934. 

  934. {
    935. 

  935.     WC_RNG* rng;
    936. 

  936. 

  937.     rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), heap, DYNAMIC_TYPE_RNG);
    938. 

  938.     if (rng) {
    939. 

  939.         int error = _InitRng(rng, nonce, nonceSz, heap, INVALID_DEVID) != 0;
    940. 

  940.         if (error) {
    941. 

  941.             XFREE(rng, heap, DYNAMIC_TYPE_RNG);
    942. 

  942.             rng = NULL;
    943. 

  943.         }
    944. 

  944.     }
    945. 

  945. 

  946.     return rng;
    947. 

  947. }
    948. 

  948. 

  949. 

  950. WOLFSSL_ABI
    951. 

  951. void wc_rng_free(WC_RNG* rng)
    952. 

  952. {
    953. 

  953.     if (rng) {
    954. 

  954.         void* heap = rng->heap;
    955. 

  955. 

  956.         wc_FreeRng(rng);
    957. 

  957.         ForceZero(rng, sizeof(WC_RNG));
    958. 

  958.         XFREE(rng, heap, DYNAMIC_TYPE_RNG);
    959. 

  959.         (void)heap;
    960. 

  960.     }
    961. 

  961. }
    962. 

  962. 

  963. WOLFSSL_ABI
    964. 

  964. int wc_InitRng(WC_RNG* rng)
    965. 

  965. {
    966. 

  966.     return _InitRng(rng, NULL, 0, NULL, INVALID_DEVID);
    967. 

  967. }
    968. 

  968. 

  969. 

  970. int wc_InitRng_ex(WC_RNG* rng, void* heap, int devId)
    971. 

  971. {
    972. 

  972.     return _InitRng(rng, NULL, 0, heap, devId);
    973. 

  973. }
    974. 

  974. 

  975. 

  976. int wc_InitRngNonce(WC_RNG* rng, byte* nonce, word32 nonceSz)
    977. 

  977. {
    978. 

  978.     return _InitRng(rng, nonce, nonceSz, NULL, INVALID_DEVID);
    979. 

  979. }
    980. 

  980. 

  981. 

  982. int wc_InitRngNonce_ex(WC_RNG* rng, byte* nonce, word32 nonceSz,
    983. 

  983.                        void* heap, int devId)
    984. 

  984. {
    985. 

  985.     return _InitRng(rng, nonce, nonceSz, heap, devId);
    986. 

  986. }
    987. 

  987. 

  988. 

  989. /* place a generated block in output */
    990. 

  990. WOLFSSL_ABI
    991. 

  991. int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
    992. 

  992. {
    993. 

  993.     int ret;
    994. 

  994. 

  995.     if (rng == NULL || output == NULL)
    996. 

  996.         return BAD_FUNC_ARG;
    997. 

  997. 

  998.     if (sz == 0)
    999. 

  999.         return 0;
    1000. 

  1000. 

  1001. #ifdef WOLF_CRYPTO_CB
    1002. 

  1002.     if (rng->devId != INVALID_DEVID) {
    1003. 

  1003.         ret = wc_CryptoCb_RandomBlock(rng, output, sz);
    1004. 

  1004.         if (ret != CRYPTOCB_UNAVAILABLE)
    1005. 

  1005.             return ret;
    1006. 

  1006.         /* fall-through when unavailable */
    1007. 

  1007.     }
    1008. 

  1008. #endif
    1009. 

  1009. 

  1010. #ifdef HAVE_INTEL_RDRAND
    1011. 

  1011.     if (IS_INTEL_RDRAND(intel_flags))
    1012. 

  1012.         return wc_GenerateRand_IntelRD(NULL, output, sz);
    1013. 

  1013. #endif
    1014. 

  1014. 

  1015. #if defined(WOLFSSL_SILABS_SE_ACCEL) && defined(WOLFSSL_SILABS_TRNG)
    1016. 

  1016.     return silabs_GenerateRand(output, sz);
    1017. 

  1017. #endif
    1018. 

  1018. 

  1019. #if defined(WOLFSSL_ASYNC_CRYPT)
    1020. 

  1020.     if (rng->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RNG) {
    1021. 

  1021.         /* these are blocking */
    1022. 

  1022.     #ifdef HAVE_CAVIUM
    1023. 

  1023.         return NitroxRngGenerateBlock(rng, output, sz);
    1024. 

  1024.     #elif defined(HAVE_INTEL_QA) && defined(QAT_ENABLE_RNG)
    1025. 

  1025.         return IntelQaDrbg(&rng->asyncDev, output, sz);
    1026. 

  1026.     #else
    1027. 

  1027.         /* simulator not supported */
    1028. 

  1028.     #endif
    1029. 

  1029.     }
    1030. 

  1030. #endif
    1031. 

  1031. 

  1032. #ifdef CUSTOM_RAND_GENERATE_BLOCK
    1033. 

  1033.     XMEMSET(output, 0, sz);
    1034. 

  1034.     ret = CUSTOM_RAND_GENERATE_BLOCK(output, sz);
    1035. 

  1035. #else
    1036. 

  1036. 

  1037. #ifdef HAVE_HASHDRBG
    1038. 

  1038.     if (sz > RNG_MAX_BLOCK_LEN)
    1039. 

  1039.         return BAD_FUNC_ARG;
    1040. 

  1040. 

  1041.     if (rng->status != DRBG_OK)
    1042. 

  1042.         return RNG_FAILURE_E;
    1043. 

  1043. 

  1044.     ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz);
    1045. 

  1045.     if (ret == DRBG_NEED_RESEED) {
    1046. 

  1046.         if (wc_RNG_HealthTestLocal(1) == 0) {
    1047. 

  1047.             byte newSeed[SEED_SZ + SEED_BLOCK_SZ];
    1048. 

  1048. 

  1049.             ret = wc_GenerateSeed(&rng->seed, newSeed,
    1050. 

  1050.                                   SEED_SZ + SEED_BLOCK_SZ);
    1051. 

  1051.             if (ret != 0)
    1052. 

  1052.                 ret = DRBG_FAILURE;
    1053. 

  1053.             else
    1054. 

  1054.                 ret = wc_RNG_TestSeed(newSeed, SEED_SZ + SEED_BLOCK_SZ);
    1055. 

  1055. 

  1056.             if (ret == DRBG_SUCCESS)
    1057. 

  1057.                 ret = Hash_DRBG_Reseed((DRBG_internal *)rng->drbg,
    1058. 

  1058.                                        newSeed + SEED_BLOCK_SZ, SEED_SZ);
    1059. 

  1059.             if (ret == DRBG_SUCCESS)
    1060. 

  1060.                 ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz);
    1061. 

  1061. 

  1062.             ForceZero(newSeed, sizeof(newSeed));
    1063. 

  1063.         }
    1064. 

  1064.         else
    1065. 

  1065.             ret = DRBG_CONT_FAILURE;
    1066. 

  1066.     }
    1067. 

  1067. 

  1068.     if (ret == DRBG_SUCCESS) {
    1069. 

  1069.         ret = 0;
    1070. 

  1070.     }
    1071. 

  1071.     else if (ret == DRBG_CONT_FAILURE) {
    1072. 

  1072.         ret = DRBG_CONT_FIPS_E;
    1073. 

  1073.         rng->status = DRBG_CONT_FAILED;
    1074. 

  1074.     }
    1075. 

  1075.     else {
    1076. 

  1076.         ret = RNG_FAILURE_E;
    1077. 

  1077.         rng->status = DRBG_FAILED;
    1078. 

  1078.     }
    1079. 

  1079. #else
    1080. 

  1080. 

  1081.     /* if we get here then there is an RNG configuration error */
    1082. 

  1082.     ret = RNG_FAILURE_E;
    1083. 

  1083. 

  1084. #endif /* HAVE_HASHDRBG */
    1085. 

  1085. #endif /* CUSTOM_RAND_GENERATE_BLOCK */
    1086. 

  1086. 

  1087.     return ret;
    1088. 

  1088. }
    1089. 

  1089. 

  1090. 

  1091. int wc_RNG_GenerateByte(WC_RNG* rng, byte* b)
    1092. 

  1092. {
    1093. 

  1093.     return wc_RNG_GenerateBlock(rng, b, 1);
    1094. 

  1094. }
    1095. 

  1095. 

  1096. 

  1097. int wc_FreeRng(WC_RNG* rng)
    1098. 

  1098. {
    1099. 

  1099.     int ret = 0;
    1100. 

  1100. 

  1101.     if (rng == NULL)
    1102. 

  1102.         return BAD_FUNC_ARG;
    1103. 

  1103. 

  1104. #if defined(WOLFSSL_ASYNC_CRYPT)
    1105. 

  1105.     wolfAsync_DevCtxFree(&rng->asyncDev, WOLFSSL_ASYNC_MARKER_RNG);
    1106. 

  1106. #endif
    1107. 

  1107. 

  1108. #ifdef HAVE_HASHDRBG
    1109. 

  1109.     if (rng->drbg != NULL) {
    1110. 

  1110.       if (Hash_DRBG_Uninstantiate((DRBG_internal *)rng->drbg) != DRBG_SUCCESS)
    1111. 

  1111.             ret = RNG_FAILURE_E;
    1112. 

  1112. 

  1113.     #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
    1114. 

  1114.         XFREE(rng->drbg, rng->heap, DYNAMIC_TYPE_RNG);
    1115. 

  1115.     #elif defined(WOLFSSL_CHECK_MEM_ZERO)
    1116. 

  1116.         wc_MemZero_Check(rng->drbg, sizeof(DRBG_internal));
    1117. 

  1117.     #endif
    1118. 

  1118.         rng->drbg = NULL;
    1119. 

  1119.     }
    1120. 

  1120. 

  1121.     rng->status = DRBG_NOT_INIT;
    1122. 

  1122. #endif /* HAVE_HASHDRBG */
    1123. 

  1123. 

  1124. #ifdef WOLFSSL_XILINX_CRYPT_VERSAL\
    1125. 

  1125.     /* don't overwrite previously set error */
    1126. 

  1126.     if (wc_VersalTrngReset() && !ret)
    1127. 

  1127.         ret = WC_HW_E;
    1128. 

  1128. #endif
    1129. 

  1129. 

  1130.     return ret;
    1131. 

  1131. }
    1132. 

  1132. 

  1133. #ifdef HAVE_HASHDRBG
    1134. 

  1134. int wc_RNG_HealthTest(int reseed, const byte* seedA, word32 seedASz,
    1135. 

  1135.                                   const byte* seedB, word32 seedBSz,
    1136. 

  1136.                                   byte* output, word32 outputSz)
    1137. 

  1137. {
    1138. 

  1138.     return wc_RNG_HealthTest_ex(reseed, NULL, 0,
    1139. 

  1139.                                 seedA, seedASz, seedB, seedBSz,
    1140. 

  1140.                                 output, outputSz,
    1141. 

  1141.                                 NULL, INVALID_DEVID);
    1142. 

  1142. }
    1143. 

  1143. 

  1144. 

  1145. int wc_RNG_HealthTest_ex(int reseed, const byte* nonce, word32 nonceSz,
    1146. 

  1146.                                   const byte* seedA, word32 seedASz,
    1147. 

  1147.                                   const byte* seedB, word32 seedBSz,
    1148. 

  1148.                                   byte* output, word32 outputSz,
    1149. 

  1149.                                   void* heap, int devId)
    1150. 

  1150. {
    1151. 

  1151.     int ret = -1;
    1152. 

  1152.     DRBG_internal* drbg;
    1153. 

  1153. #ifndef WOLFSSL_SMALL_STACK
    1154. 

  1154.     DRBG_internal  drbg_var;
    1155. 

  1155. #endif
    1156. 

  1156. 

  1157.     if (seedA == NULL || output == NULL) {
    1158. 

  1158.         return BAD_FUNC_ARG;
    1159. 

  1159.     }
    1160. 

  1160. 

  1161.     if (reseed != 0 && seedB == NULL) {
    1162. 

  1162.         return BAD_FUNC_ARG;
    1163. 

  1163.     }
    1164. 

  1164. 

  1165.     if (outputSz != RNG_HEALTH_TEST_CHECK_SIZE) {
    1166. 

  1166.         return ret;
    1167. 

  1167.     }
    1168. 

  1168. 

  1169. #ifdef WOLFSSL_SMALL_STACK
    1170. 

  1170.     drbg = (DRBG_internal*)XMALLOC(sizeof(DRBG_internal), NULL, DYNAMIC_TYPE_RNG);
    1171. 

  1171.     if (drbg == NULL) {
    1172. 

  1172.         return MEMORY_E;
    1173. 

  1173.     }
    1174. 

  1174. #else
    1175. 

  1175.     drbg = &drbg_var;
    1176. 

  1176. #endif
    1177. 

  1177. 

  1178.     if (Hash_DRBG_Instantiate(drbg, seedA, seedASz, nonce, nonceSz,
    1179. 

  1179.                               heap, devId) != 0) {
    1180. 

  1180.         goto exit_rng_ht;
    1181. 

  1181.     }
    1182. 

  1182. 

  1183.     if (reseed) {
    1184. 

  1184.         if (Hash_DRBG_Reseed(drbg, seedB, seedBSz) != 0) {
    1185. 

  1185.             goto exit_rng_ht;
    1186. 

  1186.         }
    1187. 

  1187.     }
    1188. 

  1188. 

  1189.     /* This call to generate is prescribed by the NIST DRBGVS
    1190. 

  1190.      * procedure. The results are thrown away. The known
    1191. 

  1191.      * answer test checks the second block of DRBG out of
    1192. 

  1192.      * the generator to ensure the internal state is updated
    1193. 

  1193.      * as expected. */
    1194. 

  1194.     if (Hash_DRBG_Generate(drbg, output, outputSz) != 0) {
    1195. 

  1195.         goto exit_rng_ht;
    1196. 

  1196.     }
    1197. 

  1197. 

  1198.     if (Hash_DRBG_Generate(drbg, output, outputSz) != 0) {
    1199. 

  1199.         goto exit_rng_ht;
    1200. 

  1200.     }
    1201. 

  1201. 

  1202.     /* Mark success */
    1203. 

  1203.     ret = 0;
    1204. 

  1204. 

  1205. exit_rng_ht:
    1206. 

  1206. 

  1207.     /* This is safe to call even if Hash_DRBG_Instantiate fails */
    1208. 

  1208.     if (Hash_DRBG_Uninstantiate(drbg) != 0) {
    1209. 

  1209.         ret = -1;
    1210. 

  1210.     }
    1211. 

  1211. 

  1212. #ifdef WOLFSSL_SMALL_STACK
    1213. 

  1213.     XFREE(drbg, NULL, DYNAMIC_TYPE_RNG);
    1214. 

  1214. #endif
    1215. 

  1215. 

  1216.     return ret;
    1217. 

  1217. }
    1218. 

  1218. 

  1219. 

  1220. const FLASH_QUALIFIER byte seedA_data[] = {
    1221. 

  1221.     0x63, 0x36, 0x33, 0x77, 0xe4, 0x1e, 0x86, 0x46, 0x8d, 0xeb, 0x0a, 0xb4,
    1222. 

  1222.     0xa8, 0xed, 0x68, 0x3f, 0x6a, 0x13, 0x4e, 0x47, 0xe0, 0x14, 0xc7, 0x00,
    1223. 

  1223.     0x45, 0x4e, 0x81, 0xe9, 0x53, 0x58, 0xa5, 0x69, 0x80, 0x8a, 0xa3, 0x8f,
    1224. 

  1224.     0x2a, 0x72, 0xa6, 0x23, 0x59, 0x91, 0x5a, 0x9f, 0x8a, 0x04, 0xca, 0x68
    1225. 

  1225. };
    1226. 

  1226. 

  1227. const FLASH_QUALIFIER byte reseedSeedA_data[] = {
    1228. 

  1228.     0xe6, 0x2b, 0x8a, 0x8e, 0xe8, 0xf1, 0x41, 0xb6, 0x98, 0x05, 0x66, 0xe3,
    1229. 

  1229.     0xbf, 0xe3, 0xc0, 0x49, 0x03, 0xda, 0xd4, 0xac, 0x2c, 0xdf, 0x9f, 0x22,
    1230. 

  1230.     0x80, 0x01, 0x0a, 0x67, 0x39, 0xbc, 0x83, 0xd3
    1231. 

  1231. };
    1232. 

  1232. 

  1233. const FLASH_QUALIFIER byte outputA_data[] = {
    1234. 

  1234.     0x04, 0xee, 0xc6, 0x3b, 0xb2, 0x31, 0xdf, 0x2c, 0x63, 0x0a, 0x1a, 0xfb,
    1235. 

  1235.     0xe7, 0x24, 0x94, 0x9d, 0x00, 0x5a, 0x58, 0x78, 0x51, 0xe1, 0xaa, 0x79,
    1236. 

  1236.     0x5e, 0x47, 0x73, 0x47, 0xc8, 0xb0, 0x56, 0x62, 0x1c, 0x18, 0xbd, 0xdc,
    1237. 

  1237.     0xdd, 0x8d, 0x99, 0xfc, 0x5f, 0xc2, 0xb9, 0x20, 0x53, 0xd8, 0xcf, 0xac,
    1238. 

  1238.     0xfb, 0x0b, 0xb8, 0x83, 0x12, 0x05, 0xfa, 0xd1, 0xdd, 0xd6, 0xc0, 0x71,
    1239. 

  1239.     0x31, 0x8a, 0x60, 0x18, 0xf0, 0x3b, 0x73, 0xf5, 0xed, 0xe4, 0xd4, 0xd0,
    1240. 

  1240.     0x71, 0xf9, 0xde, 0x03, 0xfd, 0x7a, 0xea, 0x10, 0x5d, 0x92, 0x99, 0xb8,
    1241. 

  1241.     0xaf, 0x99, 0xaa, 0x07, 0x5b, 0xdb, 0x4d, 0xb9, 0xaa, 0x28, 0xc1, 0x8d,
    1242. 

  1242.     0x17, 0x4b, 0x56, 0xee, 0x2a, 0x01, 0x4d, 0x09, 0x88, 0x96, 0xff, 0x22,
    1243. 

  1243.     0x82, 0xc9, 0x55, 0xa8, 0x19, 0x69, 0xe0, 0x69, 0xfa, 0x8c, 0xe0, 0x07,
    1244. 

  1244.     0xa1, 0x80, 0x18, 0x3a, 0x07, 0xdf, 0xae, 0x17
    1245. 

  1245. };
    1246. 

  1246. 

  1247. const FLASH_QUALIFIER byte seedB_data[] = {
    1248. 

  1248.     0xa6, 0x5a, 0xd0, 0xf3, 0x45, 0xdb, 0x4e, 0x0e, 0xff, 0xe8, 0x75, 0xc3,
    1249. 

  1249.     0xa2, 0xe7, 0x1f, 0x42, 0xc7, 0x12, 0x9d, 0x62, 0x0f, 0xf5, 0xc1, 0x19,
    1250. 

  1250.     0xa9, 0xef, 0x55, 0xf0, 0x51, 0x85, 0xe0, 0xfb, /* nonce next */
    1251. 

  1251.     0x85, 0x81, 0xf9, 0x31, 0x75, 0x17, 0x27, 0x6e, 0x06, 0xe9, 0x60, 0x7d,
    1252. 

  1252.     0xdb, 0xcb, 0xcc, 0x2e
    1253. 

  1253. };
    1254. 

  1254. 

  1255. const FLASH_QUALIFIER byte outputB_data[] = {
    1256. 

  1256.     0xd3, 0xe1, 0x60, 0xc3, 0x5b, 0x99, 0xf3, 0x40, 0xb2, 0x62, 0x82, 0x64,
    1257. 

  1257.     0xd1, 0x75, 0x10, 0x60, 0xe0, 0x04, 0x5d, 0xa3, 0x83, 0xff, 0x57, 0xa5,
    1258. 

  1258.     0x7d, 0x73, 0xa6, 0x73, 0xd2, 0xb8, 0xd8, 0x0d, 0xaa, 0xf6, 0xa6, 0xc3,
    1259. 

  1259.     0x5a, 0x91, 0xbb, 0x45, 0x79, 0xd7, 0x3f, 0xd0, 0xc8, 0xfe, 0xd1, 0x11,
    1260. 

  1260.     0xb0, 0x39, 0x13, 0x06, 0x82, 0x8a, 0xdf, 0xed, 0x52, 0x8f, 0x01, 0x81,
    1261. 

  1261.     0x21, 0xb3, 0xfe, 0xbd, 0xc3, 0x43, 0xe7, 0x97, 0xb8, 0x7d, 0xbb, 0x63,
    1262. 

  1262.     0xdb, 0x13, 0x33, 0xde, 0xd9, 0xd1, 0xec, 0xe1, 0x77, 0xcf, 0xa6, 0xb7,
    1263. 

  1263.     0x1f, 0xe8, 0xab, 0x1d, 0xa4, 0x66, 0x24, 0xed, 0x64, 0x15, 0xe5, 0x1c,
    1264. 

  1264.     0xcd, 0xe2, 0xc7, 0xca, 0x86, 0xe2, 0x83, 0x99, 0x0e, 0xea, 0xeb, 0x91,
    1265. 

  1265.     0x12, 0x04, 0x15, 0x52, 0x8b, 0x22, 0x95, 0x91, 0x02, 0x81, 0xb0, 0x2d,
    1266. 

  1266.     0xd4, 0x31, 0xf4, 0xc9, 0xf7, 0x04, 0x27, 0xdf
    1267. 

  1267. };
    1268. 

  1268. 

  1269. 

  1270. static int wc_RNG_HealthTestLocal(int reseed)
    1271. 

  1271. {
    1272. 

  1272.     int ret = 0;
    1273. 

  1273. #ifdef WOLFSSL_SMALL_STACK
    1274. 

  1274.     byte* check;
    1275. 

  1275. #else
    1276. 

  1276.     byte  check[RNG_HEALTH_TEST_CHECK_SIZE];
    1277. 

  1277. #endif
    1278. 

  1278. 

  1279. #ifdef WOLFSSL_SMALL_STACK
    1280. 

  1280.     check = (byte*)XMALLOC(RNG_HEALTH_TEST_CHECK_SIZE, NULL,
    1281. 

  1281.                            DYNAMIC_TYPE_TMP_BUFFER);
    1282. 

  1282.     if (check == NULL) {
    1283. 

  1283.         return MEMORY_E;
    1284. 

  1284.     }
    1285. 

  1285. #endif
    1286. 

  1286. 

  1287.     if (reseed) {
    1288. 

  1288. #ifdef WOLFSSL_USE_FLASHMEM
    1289. 

  1289.         byte* seedA = (byte*)XMALLOC(sizeof(seedA_data), NULL,
    1290. 

  1290.                              DYNAMIC_TYPE_TMP_BUFFER);
    1291. 

  1291.         byte* reseedSeedA = (byte*)XMALLOC(sizeof(reseedSeedA_data), NULL,
    1292. 

  1292.                              DYNAMIC_TYPE_TMP_BUFFER);
    1293. 

  1293.         byte* outputA = (byte*)XMALLOC(sizeof(outputA_data), NULL,
    1294. 

  1294.                              DYNAMIC_TYPE_TMP_BUFFER);
    1295. 

  1295. 

  1296.         if (!seedA || !reseedSeedA || !outputA) {
    1297. 

  1297.             XFREE(seedA, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1298. 

  1298.             XFREE(reseedSeedA, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1299. 

  1299.             XFREE(outputA, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1300. 

  1300.             ret = MEMORY_E;
    1301. 

  1301.         }
    1302. 

  1302.         else {
    1303. 

  1303.             XMEMCPY_P(seedA, seedA_data, sizeof(seedA_data));
    1304. 

  1304.             XMEMCPY_P(reseedSeedA, reseedSeedA_data, sizeof(reseedSeedA_data));
    1305. 

  1305.             XMEMCPY_P(outputA, outputA_data, sizeof(outputA_data));
    1306. 

  1306. #else
    1307. 

  1307.         const byte* seedA = seedA_data;
    1308. 

  1308.         const byte* reseedSeedA = reseedSeedA_data;
    1309. 

  1309.         const byte* outputA = outputA_data;
    1310. 

  1310. #endif
    1311. 

  1311.         ret = wc_RNG_HealthTest(1, seedA, sizeof(seedA_data),
    1312. 

  1312.                                 reseedSeedA, sizeof(reseedSeedA_data),
    1313. 

  1313.                                 check, RNG_HEALTH_TEST_CHECK_SIZE);
    1314. 

  1314.         if (ret == 0) {
    1315. 

  1315.             if (ConstantCompare(check, outputA,
    1316. 

  1316.                                 RNG_HEALTH_TEST_CHECK_SIZE) != 0)
    1317. 

  1317.                 ret = -1;
    1318. 

  1318.         }
    1319. 

  1319. 

  1320. #ifdef WOLFSSL_USE_FLASHMEM
    1321. 

  1321.             XFREE(seedA, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1322. 

  1322.             XFREE(reseedSeedA, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1323. 

  1323.             XFREE(outputA, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1324. 

  1324.         }
    1325. 

  1325. #endif
    1326. 

  1326.     }
    1327. 

  1327.     else {
    1328. 

  1328. #ifdef WOLFSSL_USE_FLASHMEM
    1329. 

  1329.         byte* seedB = (byte*)XMALLOC(sizeof(seedB_data), NULL,
    1330. 

  1330.                              DYNAMIC_TYPE_TMP_BUFFER);
    1331. 

  1331.         byte* outputB = (byte*)XMALLOC(sizeof(outputB_data), NULL,
    1332. 

  1332.                                DYNAMIC_TYPE_TMP_BUFFER);
    1333. 

  1333. 

  1334.         if (!seedB || !outputB) {
    1335. 

  1335.             XFREE(seedB, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1336. 

  1336.             XFREE(outputB, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1337. 

  1337.             ret = MEMORY_E;
    1338. 

  1338.         }
    1339. 

  1339.         else {
    1340. 

  1340.             XMEMCPY_P(seedB, seedB_data, sizeof(seedB_data));
    1341. 

  1341.             XMEMCPY_P(outputB, outputB_data, sizeof(outputB_data));
    1342. 

  1342. #else
    1343. 

  1343.         const byte* seedB = seedB_data;
    1344. 

  1344.         const byte* outputB = outputB_data;
    1345. 

  1345. #endif
    1346. 

  1346.         ret = wc_RNG_HealthTest(0, seedB, sizeof(seedB_data),
    1347. 

  1347.                                 NULL, 0,
    1348. 

  1348.                                 check, RNG_HEALTH_TEST_CHECK_SIZE);
    1349. 

  1349.         if (ret == 0) {
    1350. 

  1350.             if (ConstantCompare(check, outputB,
    1351. 

  1351.                                 RNG_HEALTH_TEST_CHECK_SIZE) != 0)
    1352. 

  1352.                 ret = -1;
    1353. 

  1353.         }
    1354. 

  1354. 

  1355.         /* The previous test cases use a large seed instead of a seed and nonce.
    1356. 

  1356.          * seedB is actually from a test case with a seed and nonce, and
    1357. 

  1357.          * just concatenates them. The pivot point between seed and nonce is
    1358. 

  1358.          * byte 32, feed them into the health test separately. */
    1359. 

  1359.         if (ret == 0) {
    1360. 

  1360.             ret = wc_RNG_HealthTest_ex(0,
    1361. 

  1361.                                     seedB + 32, sizeof(seedB_data) - 32,
    1362. 

  1362.                                     seedB, 32,
    1363. 

  1363.                                     NULL, 0,
    1364. 

  1364.                                     check, RNG_HEALTH_TEST_CHECK_SIZE,
    1365. 

  1365.                                     NULL, INVALID_DEVID);
    1366. 

  1366.             if (ret == 0) {
    1367. 

  1367.                 if (ConstantCompare(check, outputB, sizeof(outputB_data)) != 0)
    1368. 

  1368.                     ret = -1;
    1369. 

  1369.             }
    1370. 

  1370.         }
    1371. 

  1371. 

  1372. #ifdef WOLFSSL_USE_FLASHMEM
    1373. 

  1373.             XFREE(seedB, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1374. 

  1374.             XFREE(outputB, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1375. 

  1375.         }
    1376. 

  1376. #endif
    1377. 

  1377.     }
    1378. 

  1378. 

  1379. #ifdef WOLFSSL_SMALL_STACK
    1380. 

  1380.     XFREE(check, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1381. 

  1381. #endif
    1382. 

  1382. 

  1383.     return ret;
    1384. 

  1384. }
    1385. 

  1385. 

  1386. #endif /* HAVE_HASHDRBG */
    1387. 

  1387. 

  1388. 

  1389. #ifdef HAVE_WNR
    1390. 

  1390. 

  1391. /*
    1392. 

  1392.  * Init global Whitewood netRandom context
    1393. 

  1393.  * Returns 0 on success, negative on error
    1394. 

  1394.  */
    1395. 

  1395. int wc_InitNetRandom(const char* configFile, wnr_hmac_key hmac_cb, int timeout)
    1396. 

  1396. {
    1397. 

  1397.     if (configFile == NULL || timeout < 0)
    1398. 

  1398.         return BAD_FUNC_ARG;
    1399. 

  1399. 

  1400.     if (wnr_mutex_init > 0) {
    1401. 

  1401.         WOLFSSL_MSG("netRandom context already created, skipping");
    1402. 

  1402.         return 0;
    1403. 

  1403.     }
    1404. 

  1404. 

  1405.     if (wc_InitMutex(&wnr_mutex) != 0) {
    1406. 

  1406.         WOLFSSL_MSG("Bad Init Mutex wnr_mutex");
    1407. 

  1407.         return BAD_MUTEX_E;
    1408. 

  1408.     }
    1409. 

  1409.     wnr_mutex_init = 1;
    1410. 

  1410. 

  1411.     if (wc_LockMutex(&wnr_mutex) != 0) {
    1412. 

  1412.         WOLFSSL_MSG("Bad Lock Mutex wnr_mutex");
    1413. 

  1413.         return BAD_MUTEX_E;
    1414. 

  1414.     }
    1415. 

  1415. 

  1416.     /* store entropy timeout */
    1417. 

  1417.     wnr_timeout = timeout;
    1418. 

  1418. 

  1419.     /* create global wnr_context struct */
    1420. 

  1420.     if (wnr_create(&wnr_ctx) != WNR_ERROR_NONE) {
    1421. 

  1421.         WOLFSSL_MSG("Error creating global netRandom context");
    1422. 

  1422.         return RNG_FAILURE_E;
    1423. 

  1423.     }
    1424. 

  1424. 

  1425.     /* load config file */
    1426. 

  1426.     if (wnr_config_loadf(wnr_ctx, (char*)configFile) != WNR_ERROR_NONE) {
    1427. 

  1427.         WOLFSSL_MSG("Error loading config file into netRandom context");
    1428. 

  1428.         wnr_destroy(wnr_ctx);
    1429. 

  1429.         wnr_ctx = NULL;
    1430. 

  1430.         return RNG_FAILURE_E;
    1431. 

  1431.     }
    1432. 

  1432. 

  1433.     /* create/init polling mechanism */
    1434. 

  1434.     if (wnr_poll_create() != WNR_ERROR_NONE) {
    1435. 

  1435.         WOLFSSL_MSG("Error initializing netRandom polling mechanism");
    1436. 

  1436.         wnr_destroy(wnr_ctx);
    1437. 

  1437.         wnr_ctx = NULL;
    1438. 

  1438.         return RNG_FAILURE_E;
    1439. 

  1439.     }
    1440. 

  1440. 

  1441.     /* validate config, set HMAC callback (optional) */
    1442. 

  1442.     if (wnr_setup(wnr_ctx, hmac_cb) != WNR_ERROR_NONE) {
    1443. 

  1443.         WOLFSSL_MSG("Error setting up netRandom context");
    1444. 

  1444.         wnr_destroy(wnr_ctx);
    1445. 

  1445.         wnr_ctx = NULL;
    1446. 

  1446.         wnr_poll_destroy();
    1447. 

  1447.         return RNG_FAILURE_E;
    1448. 

  1448.     }
    1449. 

  1449. 

  1450.     wc_UnLockMutex(&wnr_mutex);
    1451. 

  1451. 

  1452.     return 0;
    1453. 

  1453. }
    1454. 

  1454. 

  1455. /*
    1456. 

  1456.  * Free global Whitewood netRandom context
    1457. 

  1457.  * Returns 0 on success, negative on error
    1458. 

  1458.  */
    1459. 

  1459. int wc_FreeNetRandom(void)
    1460. 

  1460. {
    1461. 

  1461.     if (wnr_mutex_init > 0) {
    1462. 

  1462. 

  1463.         if (wc_LockMutex(&wnr_mutex) != 0) {
    1464. 

  1464.             WOLFSSL_MSG("Bad Lock Mutex wnr_mutex");
    1465. 

  1465.             return BAD_MUTEX_E;
    1466. 

  1466.         }
    1467. 

  1467. 

  1468.         if (wnr_ctx != NULL) {
    1469. 

  1469.             wnr_destroy(wnr_ctx);
    1470. 

  1470.             wnr_ctx = NULL;
    1471. 

  1471.         }
    1472. 

  1472.         wnr_poll_destroy();
    1473. 

  1473. 

  1474.         wc_UnLockMutex(&wnr_mutex);
    1475. 

  1475. 

  1476.         wc_FreeMutex(&wnr_mutex);
    1477. 

  1477.         wnr_mutex_init = 0;
    1478. 

  1478.     }
    1479. 

  1479. 

  1480.     return 0;
    1481. 

  1481. }
    1482. 

  1482. 

  1483. #endif /* HAVE_WNR */
    1484. 

  1484. 

  1485. 

  1486. #if defined(HAVE_INTEL_RDRAND) || defined(HAVE_INTEL_RDSEED) || \
    1487. 

  1487.     defined(HAVE_AMD_RDSEED)
    1488. 

  1488. 

  1489. #ifdef WOLFSSL_ASYNC_CRYPT
    1490. 

  1490.     /* need more retries if multiple cores */
    1491. 

  1491.     #define INTELRD_RETRY (32 * 8)
    1492. 

  1492. #else
    1493. 

  1493.     #define INTELRD_RETRY 32
    1494. 

  1494. #endif
    1495. 

  1495. 

  1496. #if defined(HAVE_INTEL_RDSEED) || defined(HAVE_AMD_RDSEED)
    1497. 

  1497. 

  1498. #ifndef USE_INTEL_INTRINSICS
    1499. 

  1499. 

  1500.     /* return 0 on success */
    1501. 

  1501.     static WC_INLINE int IntelRDseed64(word64* seed)
    1502. 

  1502.     {
    1503. 

  1503.         unsigned char ok;
    1504. 

  1504. 

  1505.         __asm__ volatile("rdseed %0; setc %1":"=r"(*seed), "=qm"(ok));
    1506. 

  1506.         return (ok) ? 0 : -1;
    1507. 

  1507.     }
    1508. 

  1508. 

  1509. #else /* USE_INTEL_INTRINSICS */
    1510. 

  1510.     /* The compiler Visual Studio uses does not allow inline assembly.
    1511. 

  1511.      * It does allow for Intel intrinsic functions. */
    1512. 

  1512. 

  1513.     /* return 0 on success */
    1514. 

  1514. # ifdef __GNUC__
    1515. 

  1515.     __attribute__((target("rdseed")))
    1516. 

  1516. # endif
    1517. 

  1517.     static WC_INLINE int IntelRDseed64(word64* seed)
    1518. 

  1518.     {
    1519. 

  1519.         int ok;
    1520. 

  1520. 

  1521.         ok = _rdseed64_step((unsigned long long*) seed);
    1522. 

  1522.         return (ok) ? 0 : -1;
    1523. 

  1523.     }
    1524. 

  1524. 

  1525. #endif /* USE_INTEL_INTRINSICS */
    1526. 

  1526. 

  1527. /* return 0 on success */
    1528. 

  1528. static WC_INLINE int IntelRDseed64_r(word64* rnd)
    1529. 

  1529. {
    1530. 

  1530.     int i;
    1531. 

  1531.     for (i = 0; i < INTELRD_RETRY; i++) {
    1532. 

  1532.         if (IntelRDseed64(rnd) == 0)
    1533. 

  1533.             return 0;
    1534. 

  1534.     }
    1535. 

  1535.     return -1;
    1536. 

  1536. }
    1537. 

  1537. 

  1538. #ifndef WOLFSSL_LINUXKM
    1539. 

  1539. /* return 0 on success */
    1540. 

  1540. static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz)
    1541. 

  1541. {
    1542. 

  1542.     int ret;
    1543. 

  1543.     word64 rndTmp;
    1544. 

  1544. 

  1545.     (void)os;
    1546. 

  1546. 

  1547.     if (!IS_INTEL_RDSEED(intel_flags))
    1548. 

  1548.         return -1;
    1549. 

  1549. 

  1550.     for (; (sz / sizeof(word64)) > 0; sz -= sizeof(word64),
    1551. 

  1551.                                                     output += sizeof(word64)) {
    1552. 

  1552.         ret = IntelRDseed64_r((word64*)output);
    1553. 

  1553.         if (ret != 0)
    1554. 

  1554.             return ret;
    1555. 

  1555.     }
    1556. 

  1556.     if (sz == 0)
    1557. 

  1557.         return 0;
    1558. 

  1558. 

  1559.     /* handle unaligned remainder */
    1560. 

  1560.     ret = IntelRDseed64_r(&rndTmp);
    1561. 

  1561.     if (ret != 0)
    1562. 

  1562.         return ret;
    1563. 

  1563. 

  1564.     XMEMCPY(output, &rndTmp, sz);
    1565. 

  1565.     ForceZero(&rndTmp, sizeof(rndTmp));
    1566. 

  1566. 

  1567.     return 0;
    1568. 

  1568. }
    1569. 

  1569. #endif
    1570. 

  1570. 

  1571. #endif /* HAVE_INTEL_RDSEED || HAVE_AMD_RDSEED */
    1572. 

  1572. 

  1573. #ifdef HAVE_INTEL_RDRAND
    1574. 

  1574. 

  1575. #ifndef USE_INTEL_INTRINSICS
    1576. 

  1576. 

  1577. /* return 0 on success */
    1578. 

  1578. static WC_INLINE int IntelRDrand64(word64 *rnd)
    1579. 

  1579. {
    1580. 

  1580.     unsigned char ok;
    1581. 

  1581. 

  1582.     __asm__ volatile("rdrand %0; setc %1":"=r"(*rnd), "=qm"(ok));
    1583. 

  1583. 

  1584.     return (ok) ? 0 : -1;
    1585. 

  1585. }
    1586. 

  1586. 

  1587. #else /* USE_INTEL_INTRINSICS */
    1588. 

  1588.     /* The compiler Visual Studio uses does not allow inline assembly.
    1589. 

  1589.      * It does allow for Intel intrinsic functions. */
    1590. 

  1590. 

  1591. /* return 0 on success */
    1592. 

  1592. # ifdef __GNUC__
    1593. 

  1593. __attribute__((target("rdrnd")))
    1594. 

  1594. # endif
    1595. 

  1595. static WC_INLINE int IntelRDrand64(word64 *rnd)
    1596. 

  1596. {
    1597. 

  1597.     int ok;
    1598. 

  1598. 

  1599.     ok = _rdrand64_step((unsigned long long*) rnd);
    1600. 

  1600. 

  1601.     return (ok) ? 0 : -1;
    1602. 

  1602. }
    1603. 

  1603. 

  1604. #endif /* USE_INTEL_INTRINSICS */
    1605. 

  1605. 

  1606. /* return 0 on success */
    1607. 

  1607. static WC_INLINE int IntelRDrand64_r(word64 *rnd)
    1608. 

  1608. {
    1609. 

  1609.     int i;
    1610. 

  1610.     for (i = 0; i < INTELRD_RETRY; i++) {
    1611. 

  1611.         if (IntelRDrand64(rnd) == 0)
    1612. 

  1612.             return 0;
    1613. 

  1613.     }
    1614. 

  1614.     return -1;
    1615. 

  1615. }
    1616. 

  1616. 

  1617. /* return 0 on success */
    1618. 

  1618. static int wc_GenerateRand_IntelRD(OS_Seed* os, byte* output, word32 sz)
    1619. 

  1619. {
    1620. 

  1620.     int ret;
    1621. 

  1621.     word64 rndTmp;
    1622. 

  1622. 

  1623.     (void)os;
    1624. 

  1624. 

  1625.     if (!IS_INTEL_RDRAND(intel_flags))
    1626. 

  1626.         return -1;
    1627. 

  1627. 

  1628.     for (; (sz / sizeof(word64)) > 0; sz -= sizeof(word64),
    1629. 

  1629.                                                     output += sizeof(word64)) {
    1630. 

  1630.         ret = IntelRDrand64_r((word64 *)output);
    1631. 

  1631.         if (ret != 0)
    1632. 

  1632.             return ret;
    1633. 

  1633.     }
    1634. 

  1634.     if (sz == 0)
    1635. 

  1635.         return 0;
    1636. 

  1636. 

  1637.     /* handle unaligned remainder */
    1638. 

  1638.     ret = IntelRDrand64_r(&rndTmp);
    1639. 

  1639.     if (ret != 0)
    1640. 

  1640.         return ret;
    1641. 

  1641. 

  1642.     XMEMCPY(output, &rndTmp, sz);
    1643. 

  1643. 

  1644.     return 0;
    1645. 

  1645. }
    1646. 

  1646. 

  1647. #endif /* HAVE_INTEL_RDRAND */
    1648. 

  1648. #endif /* HAVE_INTEL_RDRAND || HAVE_INTEL_RDSEED || HAVE_AMD_RDSEED */
    1649. 

  1649. 

  1650. 

  1651. /* Begin wc_GenerateSeed Implementations */
    1652. 

  1652. #if defined(CUSTOM_RAND_GENERATE_SEED)
    1653. 

  1653. 

  1654.     /* Implement your own random generation function
    1655. 

  1655.      * Return 0 to indicate success
    1656. 

  1656.      * int rand_gen_seed(byte* output, word32 sz);
    1657. 

  1657.      * #define CUSTOM_RAND_GENERATE_SEED  rand_gen_seed */
    1658. 

  1658. 

  1659.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1660. 

  1660.     {
    1661. 

  1661.         (void)os; /* Suppress unused arg warning */
    1662. 

  1662.         return CUSTOM_RAND_GENERATE_SEED(output, sz);
    1663. 

  1663.     }
    1664. 

  1664. 

  1665. #elif defined(CUSTOM_RAND_GENERATE_SEED_OS)
    1666. 

  1666. 

  1667.     /* Implement your own random generation function,
    1668. 

  1668.      *  which includes OS_Seed.
    1669. 

  1669.      * Return 0 to indicate success
    1670. 

  1670.      * int rand_gen_seed(OS_Seed* os, byte* output, word32 sz);
    1671. 

  1671.      * #define CUSTOM_RAND_GENERATE_SEED_OS  rand_gen_seed */
    1672. 

  1672. 

  1673.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1674. 

  1674.     {
    1675. 

  1675.         return CUSTOM_RAND_GENERATE_SEED_OS(os, output, sz);
    1676. 

  1676.     }
    1677. 

  1677. 

  1678. #elif defined(CUSTOM_RAND_GENERATE)
    1679. 

  1679. 

  1680.    /* Implement your own random generation function
    1681. 

  1681.     * word32 rand_gen(void);
    1682. 

  1682.     * #define CUSTOM_RAND_GENERATE  rand_gen  */
    1683. 

  1683. 

  1684.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1685. 

  1685.     {
    1686. 

  1686.         word32 i = 0;
    1687. 

  1687. 

  1688.         (void)os;
    1689. 

  1689. 

  1690.         while (i < sz)
    1691. 

  1691.         {
    1692. 

  1692.             /* If not aligned or there is odd/remainder */
    1693. 

  1693.             if( (i + sizeof(CUSTOM_RAND_TYPE)) > sz ||
    1694. 

  1694.                 ((wc_ptr_t)&output[i] % sizeof(CUSTOM_RAND_TYPE)) != 0
    1695. 

  1695.             ) {
    1696. 

  1696.                 /* Single byte at a time */
    1697. 

  1697.                 output[i++] = (byte)CUSTOM_RAND_GENERATE();
    1698. 

  1698.             }
    1699. 

  1699.             else {
    1700. 

  1700.                 /* Use native 8, 16, 32 or 64 copy instruction */
    1701. 

  1701.                 *((CUSTOM_RAND_TYPE*)&output[i]) = CUSTOM_RAND_GENERATE();
    1702. 

  1702.                 i += sizeof(CUSTOM_RAND_TYPE);
    1703. 

  1703.             }
    1704. 

  1704.         }
    1705. 

  1705. 

  1706.         return 0;
    1707. 

  1707.     }
    1708. 

  1708. 

  1709. #elif defined(WOLFSSL_SGX)
    1710. 

  1710. 

  1711. int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1712. 

  1712. {
    1713. 

  1713.     int ret = !SGX_SUCCESS;
    1714. 

  1714.     int i, read_max = 10;
    1715. 

  1715. 

  1716.     for (i = 0; i < read_max && ret != SGX_SUCCESS; i++) {
    1717. 

  1717.         ret = sgx_read_rand(output, sz);
    1718. 

  1718.     }
    1719. 

  1719. 

  1720.     (void)os;
    1721. 

  1721.     return (ret == SGX_SUCCESS) ? 0 : 1;
    1722. 

  1722. }
    1723. 

  1723. 

  1724. #elif defined(USE_WINDOWS_API)
    1725. 

  1725. 

  1726. int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1727. 

  1727. {
    1728. 

  1728. #ifdef WOLF_CRYPTO_CB
    1729. 

  1729.     int ret;
    1730. 

  1730. 

  1731.     if (os != NULL && os->devId != INVALID_DEVID) {
    1732. 

  1732.         ret = wc_CryptoCb_RandomSeed(os, output, sz);
    1733. 

  1733.         if (ret != CRYPTOCB_UNAVAILABLE)
    1734. 

  1734.             return ret;
    1735. 

  1735.         /* fall-through when unavailable */
    1736. 

  1736.     }
    1737. 

  1737. #endif
    1738. 

  1738. 

  1739.     #ifdef HAVE_INTEL_RDSEED
    1740. 

  1740.         if (IS_INTEL_RDSEED(intel_flags)) {
    1741. 

  1741.              if (!wc_GenerateSeed_IntelRD(NULL, output, sz)) {
    1742. 

  1742.                  /* success, we're done */
    1743. 

  1743.                  return 0;
    1744. 

  1744.              }
    1745. 

  1745.         #ifdef FORCE_FAILURE_RDSEED
    1746. 

  1746.              /* don't fall back to CryptoAPI */
    1747. 

  1747.              return READ_RAN_E;
    1748. 

  1748.         #endif
    1749. 

  1749.         }
    1750. 

  1750.     #endif /* HAVE_INTEL_RDSEED */
    1751. 

  1751. 

  1752.     if(!CryptAcquireContext(&os->handle, 0, 0, PROV_RSA_FULL,
    1753. 

  1753.                             CRYPT_VERIFYCONTEXT))
    1754. 

  1754.         return WINCRYPT_E;
    1755. 

  1755. 

  1756.     if (!CryptGenRandom(os->handle, sz, output))
    1757. 

  1757.         return CRYPTGEN_E;
    1758. 

  1758. 

  1759.     CryptReleaseContext(os->handle, 0);
    1760. 

  1760. 

  1761.     return 0;
    1762. 

  1762. }
    1763. 

  1763. 

  1764. 

  1765. #elif defined(HAVE_RTP_SYS) || defined(EBSNET)
    1766. 

  1766. 

  1767. #include "rtprand.h"   /* rtp_rand () */
    1768. 

  1768. #include "rtptime.h"   /* rtp_get_system_msec() */
    1769. 

  1769. 

  1770. int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1771. 

  1771. {
    1772. 

  1772.     word32 i;
    1773. 

  1773. 

  1774.     rtp_srand(rtp_get_system_msec());
    1775. 

  1775.     for (i = 0; i < sz; i++ ) {
    1776. 

  1776.         output[i] = rtp_rand() % 256;
    1777. 

  1777.     }
    1778. 

  1778. 

  1779.     return 0;
    1780. 

  1780. }
    1781. 

  1781. 

  1782. #elif (defined(WOLFSSL_ATMEL) || defined(WOLFSSL_ATECC_RNG)) && \
    1783. 

  1783.       !defined(WOLFSSL_PIC32MZ_RNG)
    1784. 

  1784.     /* enable ATECC RNG unless using PIC32MZ one instead */
    1785. 

  1785.     #include <wolfssl/wolfcrypt/port/atmel/atmel.h>
    1786. 

  1786. 

  1787.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1788. 

  1788.     {
    1789. 

  1789.         int ret = 0;
    1790. 

  1790. 

  1791.         (void)os;
    1792. 

  1792.         if (output == NULL) {
    1793. 

  1793.             return BUFFER_E;
    1794. 

  1794.         }
    1795. 

  1795. 

  1796.         ret = atmel_get_random_number(sz, output);
    1797. 

  1797. 

  1798.         return ret;
    1799. 

  1799.     }
    1800. 

  1800. 

  1801. #elif defined(MICROCHIP_PIC32)
    1802. 

  1802. 

  1803.     #ifdef MICROCHIP_MPLAB_HARMONY
    1804. 

  1804.         #ifdef MICROCHIP_MPLAB_HARMONY_3
    1805. 

  1805.             #include "system/time/sys_time.h"
    1806. 

  1806.             #define PIC32_SEED_COUNT SYS_TIME_CounterGet
    1807. 

  1807.         #else
    1808. 

  1808.             #define PIC32_SEED_COUNT _CP0_GET_COUNT
    1809. 

  1809.         #endif
    1810. 

  1810.     #else
    1811. 

  1811.         #if !defined(WOLFSSL_MICROCHIP_PIC32MZ)
    1812. 

  1812.             #include <peripheral/timer.h>
    1813. 

  1813.         #endif
    1814. 

  1814.         extern word32 ReadCoreTimer(void);
    1815. 

  1815.         #define PIC32_SEED_COUNT ReadCoreTimer
    1816. 

  1816.     #endif
    1817. 

  1817. 

  1818.     #ifdef WOLFSSL_PIC32MZ_RNG
    1819. 

  1819.         #include "xc.h"
    1820. 

  1820.         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1821. 

  1821.         {
    1822. 

  1822.             int i;
    1823. 

  1823.             byte rnd[8];
    1824. 

  1824.             word32 *rnd32 = (word32 *)rnd;
    1825. 

  1825.             word32 size = sz;
    1826. 

  1826.             byte* op = output;
    1827. 

  1827. 

  1828. #if ((__PIC32_FEATURE_SET0 == 'E') && (__PIC32_FEATURE_SET1 == 'C'))
    1829. 

  1829.             RNGNUMGEN1 = _CP0_GET_COUNT();
    1830. 

  1830.             RNGPOLY1 = _CP0_GET_COUNT();
    1831. 

  1831.             RNGPOLY2 = _CP0_GET_COUNT();
    1832. 

  1832.             RNGNUMGEN2 = _CP0_GET_COUNT();
    1833. 

  1833. #else
    1834. 

  1834.             /* All others can be seeded from the TRNG */
    1835. 

  1835.             RNGCONbits.TRNGMODE = 1;
    1836. 

  1836.             RNGCONbits.TRNGEN = 1;
    1837. 

  1837.             while (RNGCNT < 64);
    1838. 

  1838.             RNGCONbits.LOAD = 1;
    1839. 

  1839.             while (RNGCONbits.LOAD == 1);
    1840. 

  1840.             while (RNGCNT < 64);
    1841. 

  1841.             RNGPOLY2 = RNGSEED2;
    1842. 

  1842.             RNGPOLY1 = RNGSEED1;
    1843. 

  1843. #endif
    1844. 

  1844. 

  1845.             RNGCONbits.PLEN = 0x40;
    1846. 

  1846.             RNGCONbits.PRNGEN = 1;
    1847. 

  1847.             for (i=0; i<5; i++) { /* wait for RNGNUMGEN ready */
    1848. 

  1848.                 volatile int x, y;
    1849. 

  1849.                 x = RNGNUMGEN1;
    1850. 

  1850.                 y = RNGNUMGEN2;
    1851. 

  1851.                 (void)x;
    1852. 

  1852.                 (void)y;
    1853. 

  1853.             }
    1854. 

  1854.             do {
    1855. 

  1855.                 rnd32[0] = RNGNUMGEN1;
    1856. 

  1856.                 rnd32[1] = RNGNUMGEN2;
    1857. 

  1857. 

  1858.                 for(i=0; i<8; i++, op++) {
    1859. 

  1859.                     *op = rnd[i];
    1860. 

  1860.                     size --;
    1861. 

  1861.                     if(size==0)break;
    1862. 

  1862.                 }
    1863. 

  1863.             } while(size);
    1864. 

  1864.             return 0;
    1865. 

  1865.         }
    1866. 

  1866.     #else  /* WOLFSSL_PIC32MZ_RNG */
    1867. 

  1867.         /* uses the core timer, in nanoseconds to seed srand */
    1868. 

  1868.         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1869. 

  1869.         {
    1870. 

  1870.             int i;
    1871. 

  1871.             srand(PIC32_SEED_COUNT() * 25);
    1872. 

  1872. 

  1873.             for (i = 0; i < sz; i++ ) {
    1874. 

  1874.                 output[i] = rand() % 256;
    1875. 

  1875.                 if ( (i % 8) == 7)
    1876. 

  1876.                     srand(PIC32_SEED_COUNT() * 25);
    1877. 

  1877.             }
    1878. 

  1878.             return 0;
    1879. 

  1879.         }
    1880. 

  1880.     #endif /* WOLFSSL_PIC32MZ_RNG */
    1881. 

  1881. 

  1882. #elif defined(FREESCALE_K70_RNGA) || defined(FREESCALE_RNGA)
    1883. 

  1883.     /*
    1884. 

  1884.      * wc_Generates a RNG seed using the Random Number Generator Accelerator
    1885. 

  1885.      * on the Kinetis K70. Documentation located in Chapter 37 of
    1886. 

  1886.      * K70 Sub-Family Reference Manual (see Note 3 in the README for link).
    1887. 

  1887.      */
    1888. 

  1888.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1889. 

  1889.     {
    1890. 

  1890.         word32 i;
    1891. 

  1891. 

  1892.         /* turn on RNGA module */
    1893. 

  1893.         #if defined(SIM_SCGC3_RNGA_MASK)
    1894. 

  1894.             SIM_SCGC3 |= SIM_SCGC3_RNGA_MASK;
    1895. 

  1895.         #endif
    1896. 

  1896.         #if defined(SIM_SCGC6_RNGA_MASK)
    1897. 

  1897.             /* additionally needed for at least K64F */
    1898. 

  1898.             SIM_SCGC6 |= SIM_SCGC6_RNGA_MASK;
    1899. 

  1899.         #endif
    1900. 

  1900. 

  1901.         /* set SLP bit to 0 - "RNGA is not in sleep mode" */
    1902. 

  1902.         RNG_CR &= ~RNG_CR_SLP_MASK;
    1903. 

  1903. 

  1904.         /* set HA bit to 1 - "security violations masked" */
    1905. 

  1905.         RNG_CR |= RNG_CR_HA_MASK;
    1906. 

  1906. 

  1907.         /* set GO bit to 1 - "output register loaded with data" */
    1908. 

  1908.         RNG_CR |= RNG_CR_GO_MASK;
    1909. 

  1909. 

  1910.         for (i = 0; i < sz; i++) {
    1911. 

  1911. 

  1912.             /* wait for RNG FIFO to be full */
    1913. 

  1913.             while((RNG_SR & RNG_SR_OREG_LVL(0xF)) == 0) {}
    1914. 

  1914. 

  1915.             /* get value */
    1916. 

  1916.             output[i] = RNG_OR;
    1917. 

  1917.         }
    1918. 

  1918. 

  1919.         return 0;
    1920. 

  1920.     }
    1921. 

  1921. 

  1922. #elif defined(FREESCALE_K53_RNGB) || defined(FREESCALE_RNGB)
    1923. 

  1923.     /*
    1924. 

  1924.      * wc_Generates a RNG seed using the Random Number Generator (RNGB)
    1925. 

  1925.      * on the Kinetis K53. Documentation located in Chapter 33 of
    1926. 

  1926.      * K53 Sub-Family Reference Manual (see note in the README for link).
    1927. 

  1927.      */
    1928. 

  1928.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1929. 

  1929.     {
    1930. 

  1930.         int i;
    1931. 

  1931. 

  1932.         /* turn on RNGB module */
    1933. 

  1933.         SIM_SCGC3 |= SIM_SCGC3_RNGB_MASK;
    1934. 

  1934. 

  1935.         /* reset RNGB */
    1936. 

  1936.         RNG_CMD |= RNG_CMD_SR_MASK;
    1937. 

  1937. 

  1938.         /* FIFO generate interrupt, return all zeros on underflow,
    1939. 

  1939.          * set auto reseed */
    1940. 

  1940.         RNG_CR |= (RNG_CR_FUFMOD_MASK | RNG_CR_AR_MASK);
    1941. 

  1941. 

  1942.         /* gen seed, clear interrupts, clear errors */
    1943. 

  1943.         RNG_CMD |= (RNG_CMD_GS_MASK | RNG_CMD_CI_MASK | RNG_CMD_CE_MASK);
    1944. 

  1944. 

  1945.         /* wait for seeding to complete */
    1946. 

  1946.         while ((RNG_SR & RNG_SR_SDN_MASK) == 0) {}
    1947. 

  1947. 

  1948.         for (i = 0; i < sz; i++) {
    1949. 

  1949. 

  1950.             /* wait for a word to be available from FIFO */
    1951. 

  1951.             while((RNG_SR & RNG_SR_FIFO_LVL_MASK) == 0) {}
    1952. 

  1952. 

  1953.             /* get value */
    1954. 

  1954.             output[i] = RNG_OUT;
    1955. 

  1955.         }
    1956. 

  1956. 

  1957.         return 0;
    1958. 

  1958.     }
    1959. 

  1959. 

  1960. #elif defined(FREESCALE_KSDK_2_0_TRNG)
    1961. 

  1961.     #ifndef TRNG0
    1962. 

  1962.     #define TRNG0 TRNG
    1963. 

  1963.     #endif
    1964. 

  1964. 

  1965.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1966. 

  1966.     {
    1967. 

  1967.         status_t status;
    1968. 

  1968.         status = TRNG_GetRandomData(TRNG0, output, sz);
    1969. 

  1969.         (void)os;
    1970. 

  1970.         if (status == kStatus_Success)
    1971. 

  1971.         {
    1972. 

  1972.             return(0);
    1973. 

  1973.         }
    1974. 

  1974.         return RAN_BLOCK_E;
    1975. 

  1975.     }
    1976. 

  1976. 

  1977. #elif defined(FREESCALE_KSDK_2_0_RNGA)
    1978. 

  1978. 

  1979.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1980. 

  1980.     {
    1981. 

  1981.         status_t status;
    1982. 

  1982.         status = RNGA_GetRandomData(RNG, output, sz);
    1983. 

  1983.         (void)os;
    1984. 

  1984.         if (status == kStatus_Success)
    1985. 

  1985.         {
    1986. 

  1986.             return(0);
    1987. 

  1987.         }
    1988. 

  1988.         return RAN_BLOCK_E;
    1989. 

  1989.     }
    1990. 

  1990. 

  1991. 

  1992. #elif defined(FREESCALE_RNGA)
    1993. 

  1993. 

  1994.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    1995. 

  1995.     {
    1996. 

  1996.         status_t status;
    1997. 

  1997.         status = RNGA_GetRandomData(RNG, output, sz);
    1998. 

  1998.         (void)os;
    1999. 

  1999.         if (status == kStatus_Success)
    2000. 

  2000.         {
    2001. 

  2001.             return(0);
    2002. 

  2002.         }
    2003. 

  2003.         return RAN_BLOCK_E;
    2004. 

  2004.     }
    2005. 

  2005. 

  2006. #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) || \
    2007. 

  2007.     defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS)
    2008. 

  2008.     /*
    2009. 

  2009.      * Fallback to USE_TEST_GENSEED if a FREESCALE platform did not match any
    2010. 

  2010.      * of the TRNG/RNGA/RNGB support
    2011. 

  2011.      */
    2012. 

  2012.     #define USE_TEST_GENSEED
    2013. 

  2013. 

  2014. #elif defined(WOLFSSL_SILABS_SE_ACCEL)
    2015. 

  2015.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2016. 

  2016.     {
    2017. 

  2017.         (void)os;
    2018. 

  2018.         return silabs_GenerateRand(output, sz);
    2019. 

  2019.     }
    2020. 

  2020. 

  2021. #elif defined(STM32_RNG)
    2022. 

  2022.      /* Generate a RNG seed using the hardware random number generator
    2023. 

  2023.       * on the STM32F2/F4/F7/L4. */
    2024. 

  2024. 

  2025.     #ifdef WOLFSSL_STM32_CUBEMX
    2026. 

  2026.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2027. 

  2027.     {
    2028. 

  2028.         int ret;
    2029. 

  2029.         RNG_HandleTypeDef hrng;
    2030. 

  2030.         word32 i = 0;
    2031. 

  2031.         (void)os;
    2032. 

  2032. 

  2033.         ret = wolfSSL_CryptHwMutexLock();
    2034. 

  2034.         if (ret != 0) {
    2035. 

  2035.             return ret;
    2036. 

  2036.         }
    2037. 

  2037. 

  2038.         /* enable RNG clock source */
    2039. 

  2039.         __HAL_RCC_RNG_CLK_ENABLE();
    2040. 

  2040. 

  2041.         /* enable RNG peripheral */
    2042. 

  2042.         XMEMSET(&hrng, 0, sizeof(hrng));
    2043. 

  2043.         hrng.Instance = RNG;
    2044. 

  2044.         HAL_RNG_Init(&hrng);
    2045. 

  2045. 

  2046.         while (i < sz) {
    2047. 

  2047.             /* If not aligned or there is odd/remainder */
    2048. 

  2048.             if( (i + sizeof(word32)) > sz ||
    2049. 

  2049.                 ((wc_ptr_t)&output[i] % sizeof(word32)) != 0
    2050. 

  2050.             ) {
    2051. 

  2051.                 /* Single byte at a time */
    2052. 

  2052.                 uint32_t tmpRng = 0;
    2053. 

  2053.                 if (HAL_RNG_GenerateRandomNumber(&hrng, &tmpRng) != HAL_OK) {
    2054. 

  2054.                     wolfSSL_CryptHwMutexUnLock();
    2055. 

  2055.                     return RAN_BLOCK_E;
    2056. 

  2056.                 }
    2057. 

  2057.                 output[i++] = (byte)tmpRng;
    2058. 

  2058.             }
    2059. 

  2059.             else {
    2060. 

  2060.                 /* Use native 32 instruction */
    2061. 

  2061.                 if (HAL_RNG_GenerateRandomNumber(&hrng, (uint32_t*)&output[i]) != HAL_OK) {
    2062. 

  2062.                     wolfSSL_CryptHwMutexUnLock();
    2063. 

  2063.                     return RAN_BLOCK_E;
    2064. 

  2064.                 }
    2065. 

  2065.                 i += sizeof(word32);
    2066. 

  2066.             }
    2067. 

  2067.         }
    2068. 

  2068. 

  2069.         HAL_RNG_DeInit(&hrng);
    2070. 

  2070. 

  2071.         wolfSSL_CryptHwMutexUnLock();
    2072. 

  2072. 

  2073.         return 0;
    2074. 

  2074.     }
    2075. 

  2075.     #elif defined(WOLFSSL_STM32F427_RNG) || defined(WOLFSSL_STM32_RNG_NOLIB)
    2076. 

  2076. 

  2077.     /* Generate a RNG seed using the hardware RNG on the STM32F427
    2078. 

  2078.      * directly, following steps outlined in STM32F4 Reference
    2079. 

  2079.      * Manual (Chapter 24) for STM32F4xx family. */
    2080. 

  2080.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2081. 

  2081.     {
    2082. 

  2082.         int ret;
    2083. 

  2083.         word32 i;
    2084. 

  2084.         (void)os;
    2085. 

  2085. 

  2086.         ret = wolfSSL_CryptHwMutexLock();
    2087. 

  2087.         if (ret != 0) {
    2088. 

  2088.             return ret;
    2089. 

  2089.         }
    2090. 

  2090. 

  2091.         /* enable RNG peripheral clock */
    2092. 

  2092.         RCC->AHB2ENR |= RCC_AHB2ENR_RNGEN;
    2093. 

  2093. 

  2094.         /* enable RNG interrupt, set IE bit in RNG->CR register */
    2095. 

  2095.         RNG->CR |= RNG_CR_IE;
    2096. 

  2096. 

  2097.         /* enable RNG, set RNGEN bit in RNG->CR. Activates RNG,
    2098. 

  2098.          * RNG_LFSR, and error detector */
    2099. 

  2099.         RNG->CR |= RNG_CR_RNGEN;
    2100. 

  2100. 

  2101.         /* verify no errors, make sure SEIS and CEIS bits are 0
    2102. 

  2102.          * in RNG->SR register */
    2103. 

  2103.         if (RNG->SR & (RNG_SR_SECS | RNG_SR_CECS)) {
    2104. 

  2104.             wolfSSL_CryptHwMutexUnLock();
    2105. 

  2105.             return RNG_FAILURE_E;
    2106. 

  2106.         }
    2107. 

  2107. 

  2108.         for (i = 0; i < sz; i++) {
    2109. 

  2109.             /* wait until RNG number is ready */
    2110. 

  2110.             while ((RNG->SR & RNG_SR_DRDY) == 0) { }
    2111. 

  2111. 

  2112.             /* get value */
    2113. 

  2113.             output[i] = RNG->DR;
    2114. 

  2114.         }
    2115. 

  2115. 

  2116.         wolfSSL_CryptHwMutexUnLock();
    2117. 

  2117. 

  2118.         return 0;
    2119. 

  2119.     }
    2120. 

  2120. 

  2121.     #else
    2122. 

  2122. 

  2123.     /* Generate a RNG seed using the STM32 Standard Peripheral Library */
    2124. 

  2124.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2125. 

  2125.     {
    2126. 

  2126.         int ret;
    2127. 

  2127.         word32 i;
    2128. 

  2128.         (void)os;
    2129. 

  2129. 

  2130.         ret = wolfSSL_CryptHwMutexLock();
    2131. 

  2131.         if (ret != 0) {
    2132. 

  2132.             return ret;
    2133. 

  2133.         }
    2134. 

  2134. 

  2135.         /* enable RNG clock source */
    2136. 

  2136.         RCC_AHB2PeriphClockCmd(RCC_AHB2Periph_RNG, ENABLE);
    2137. 

  2137. 

  2138.         /* reset RNG */
    2139. 

  2139.         RNG_DeInit();
    2140. 

  2140. 

  2141.         /* enable RNG peripheral */
    2142. 

  2142.         RNG_Cmd(ENABLE);
    2143. 

  2143. 

  2144.         /* verify no errors with RNG_CLK or Seed */
    2145. 

  2145.         if (RNG_GetFlagStatus(RNG_FLAG_SECS | RNG_FLAG_CECS) != RESET) {
    2146. 

  2146.             wolfSSL_CryptHwMutexUnLock();
    2147. 

  2147.             return RNG_FAILURE_E;
    2148. 

  2148.         }
    2149. 

  2149. 

  2150.         for (i = 0; i < sz; i++) {
    2151. 

  2151.             /* wait until RNG number is ready */
    2152. 

  2152.             while (RNG_GetFlagStatus(RNG_FLAG_DRDY) == RESET) { }
    2153. 

  2153. 

  2154.             /* get value */
    2155. 

  2155.             output[i] = RNG_GetRandomNumber();
    2156. 

  2156.         }
    2157. 

  2157. 

  2158.         wolfSSL_CryptHwMutexUnLock();
    2159. 

  2159. 

  2160.         return 0;
    2161. 

  2161.     }
    2162. 

  2162.     #endif /* WOLFSSL_STM32_CUBEMX */
    2163. 

  2163. 

  2164. #elif defined(WOLFSSL_TIRTOS)
    2165. 

  2165.     #warning "potential for not enough entropy, currently being used for testing"
    2166. 

  2166.     #include <xdc/runtime/Timestamp.h>
    2167. 

  2167.     #include <stdlib.h>
    2168. 

  2168.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2169. 

  2169.     {
    2170. 

  2170.         int i;
    2171. 

  2171.         srand(xdc_runtime_Timestamp_get32());
    2172. 

  2172. 

  2173.         for (i = 0; i < sz; i++ ) {
    2174. 

  2174.             output[i] = rand() % 256;
    2175. 

  2175.             if ((i % 8) == 7) {
    2176. 

  2176.                 srand(xdc_runtime_Timestamp_get32());
    2177. 

  2177.             }
    2178. 

  2178.         }
    2179. 

  2179. 

  2180.         return 0;
    2181. 

  2181.     }
    2182. 

  2182. 

  2183. #elif defined(WOLFSSL_PB)
    2184. 

  2184. 

  2185.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2186. 

  2186.     {
    2187. 

  2187.         word32 i;
    2188. 

  2188.         for (i = 0; i < sz; i++)
    2189. 

  2189.             output[i] = UTL_Rand();
    2190. 

  2190. 

  2191.         (void)os;
    2192. 

  2192. 

  2193.         return 0;
    2194. 

  2194.     }
    2195. 

  2195. 

  2196. #elif defined(WOLFSSL_NUCLEUS)
    2197. 

  2197. #include "nucleus.h"
    2198. 

  2198. #include "kernel/plus_common.h"
    2199. 

  2199. 

  2200. #warning "potential for not enough entropy, currently being used for testing"
    2201. 

  2201. int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2202. 

  2202. {
    2203. 

  2203.     int i;
    2204. 

  2204.     srand(NU_Get_Time_Stamp());
    2205. 

  2205. 

  2206.     for (i = 0; i < sz; i++ ) {
    2207. 

  2207.         output[i] = rand() % 256;
    2208. 

  2208.         if ((i % 8) == 7) {
    2209. 

  2209.             srand(NU_Get_Time_Stamp());
    2210. 

  2210.         }
    2211. 

  2211.     }
    2212. 

  2212. 

  2213.     return 0;
    2214. 

  2214. }
    2215. 

  2215. #elif defined(WOLFSSL_DEOS) && !defined(CUSTOM_RAND_GENERATE)
    2216. 

  2216.     #include "stdlib.h"
    2217. 

  2217. 

  2218.     #warning "potential for not enough entropy, currently being used for testing Deos"
    2219. 

  2219.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2220. 

  2220.     {
    2221. 

  2221.         int i;
    2222. 

  2222.         int seed = XTIME(0);
    2223. 

  2223.         (void)os;
    2224. 

  2224. 

  2225.         for (i = 0; i < sz; i++ ) {
    2226. 

  2226.             output[i] = rand_r(&seed) % 256;
    2227. 

  2227.             if ((i % 8) == 7) {
    2228. 

  2228.                 seed = XTIME(0);
    2229. 

  2229.                 rand_r(&seed);
    2230. 

  2230.             }
    2231. 

  2231.         }
    2232. 

  2232. 

  2233.         return 0;
    2234. 

  2234.     }
    2235. 

  2235. #elif defined(WOLFSSL_VXWORKS)
    2236. 

  2236.     #ifdef WOLFSSL_VXWORKS_6_x
    2237. 

  2237.         #include "stdlib.h"
    2238. 

  2238.         #warning "potential for not enough entropy, currently being used for testing"
    2239. 

  2239.         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2240. 

  2240.         {
    2241. 

  2241.             int i;
    2242. 

  2242.             unsigned int seed = (unsigned int)XTIME(0);
    2243. 

  2243.             (void)os;
    2244. 

  2244. 

  2245.             for (i = 0; i < sz; i++ ) {
    2246. 

  2246.                 output[i] = rand_r(&seed) % 256;
    2247. 

  2247.                 if ((i % 8) == 7) {
    2248. 

  2248.                     seed = (unsigned int)XTIME(0);
    2249. 

  2249.                     rand_r(&seed);
    2250. 

  2250.                 }
    2251. 

  2251.             }
    2252. 

  2252. 

  2253.             return 0;
    2254. 

  2254.         }
    2255. 

  2255.     #else
    2256. 

  2256.         #include <randomNumGen.h>
    2257. 

  2257.         #include <tickLib.h>
    2258. 

  2258. 

  2259.         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) {
    2260. 

  2260.             STATUS                status   = ERROR;
    2261. 

  2261.             RANDOM_NUM_GEN_STATUS r_status = RANDOM_NUM_GEN_ERROR;
    2262. 

  2262.             _Vx_ticks_t           seed = 0;
    2263. 

  2263. 

  2264.             #ifdef VXWORKS_SIM
    2265. 

  2265.                 /* cannot generate true entropy with VxWorks simulator */
    2266. 

  2266.                 #warning "not enough entropy, simulator for testing only"
    2267. 

  2267.                 int i = 0;
    2268. 

  2268. 

  2269.                 for (i = 0; i < 1000; i++) {
    2270. 

  2270.                     randomAddTimeStamp();
    2271. 

  2271.                 }
    2272. 

  2272.             #endif
    2273. 

  2273. 

  2274.             /*
    2275. 

  2275.               wolfSSL can request 52 Bytes of random bytes. We need to add
    2276. 

  2276.               buffer to the entropy pool to ensure we can get more than 32 Bytes.
    2277. 

  2277.               Because VxWorks has entropy limits (ENTROPY_MIN and ENTROPY_MAX)
    2278. 

  2278.               defined as 256 and 1024 bits, see randomSWNumGenLib.c.
    2279. 

  2279. 

  2280.               randStatus() can return the following status:
    2281. 

  2281.               RANDOM_NUM_GEN_NO_ENTROPY when entropy is 0
    2282. 

  2282.               RANDOM_NUM_GEN_ERROR, entropy is not initialized
    2283. 

  2283.               RANDOM_NUM_GEN_NOT_ENOUGH_ENTROPY if entropy < 32 Bytes
    2284. 

  2284.               RANDOM_NUM_GEN_ENOUGH_ENTROPY if entropy is between 32 and 128 Bytes
    2285. 

  2285.               RANDOM_NUM_GEN_MAX_ENTROPY if entropy is greater than 128 Bytes
    2286. 

  2286.             */
    2287. 

  2287. 

  2288.             do {
    2289. 

  2289.                 seed = tickGet();
    2290. 

  2290.                 status = randAdd(&seed, sizeof(_Vx_ticks_t), 2);
    2291. 

  2291.                 if (status == OK)
    2292. 

  2292.                     r_status = randStatus();
    2293. 

  2293. 

  2294.             } while (r_status != RANDOM_NUM_GEN_MAX_ENTROPY &&
    2295. 

  2295.                      r_status != RANDOM_NUM_GEN_ERROR && status == OK);
    2296. 

  2296. 

  2297.             if (r_status == RANDOM_NUM_GEN_ERROR)
    2298. 

  2298.                 return RNG_FAILURE_E;
    2299. 

  2299. 

  2300.             status = randBytes (output, sz);
    2301. 

  2301. 

  2302.             if (status == ERROR) {
    2303. 

  2303.                 return RNG_FAILURE_E;
    2304. 

  2304.             }
    2305. 

  2305. 

  2306.             return 0;
    2307. 

  2307.         }
    2308. 

  2308.     #endif
    2309. 

  2309. #elif defined(WOLFSSL_NRF51) || defined(WOLFSSL_NRF5x)
    2310. 

  2310.     #include "app_error.h"
    2311. 

  2311.     #include "nrf_drv_rng.h"
    2312. 

  2312.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2313. 

  2313.     {
    2314. 

  2314.         int remaining = sz, length, pos = 0;
    2315. 

  2315.         word32 err_code;
    2316. 

  2316.         byte available;
    2317. 

  2317.         static byte initialized = 0;
    2318. 

  2318. 

  2319.         (void)os;
    2320. 

  2320. 

  2321.         /* Make sure RNG is running */
    2322. 

  2322.         if (!initialized) {
    2323. 

  2323.             err_code = nrf_drv_rng_init(NULL);
    2324. 

  2324.             if (err_code != NRF_SUCCESS && err_code != NRF_ERROR_INVALID_STATE
    2325. 

  2325.             #ifdef NRF_ERROR_MODULE_ALREADY_INITIALIZED
    2326. 

  2326.                 && err_code != NRF_ERROR_MODULE_ALREADY_INITIALIZED
    2327. 

  2327.             #endif
    2328. 

  2328.             ) {
    2329. 

  2329.                 return -1;
    2330. 

  2330.             }
    2331. 

  2331.             initialized = 1;
    2332. 

  2332.         }
    2333. 

  2333. 

  2334.         while (remaining > 0) {
    2335. 

  2335.             available = 0;
    2336. 

  2336.             nrf_drv_rng_bytes_available(&available); /* void func */
    2337. 

  2337.             length = (remaining < available) ? remaining : available;
    2338. 

  2338.             if (length > 0) {
    2339. 

  2339.                 err_code = nrf_drv_rng_rand(&output[pos], length);
    2340. 

  2340.                 if (err_code != NRF_SUCCESS) {
    2341. 

  2341.                     break;
    2342. 

  2342.                 }
    2343. 

  2343.                 remaining -= length;
    2344. 

  2344.                 pos += length;
    2345. 

  2345.             }
    2346. 

  2346.         }
    2347. 

  2347. 

  2348.         return (err_code == NRF_SUCCESS) ? 0 : -1;
    2349. 

  2349.     }
    2350. 

  2350. 

  2351. #elif defined(HAVE_WNR)
    2352. 

  2352. 

  2353.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2354. 

  2354.     {
    2355. 

  2355.         if (os == NULL || output == NULL || wnr_ctx == NULL ||
    2356. 

  2356.                 wnr_timeout < 0) {
    2357. 

  2357.             return BAD_FUNC_ARG;
    2358. 

  2358.         }
    2359. 

  2359. 

  2360.         if (wnr_mutex_init == 0) {
    2361. 

  2361.             WOLFSSL_MSG("netRandom context must be created before use");
    2362. 

  2362.             return RNG_FAILURE_E;
    2363. 

  2363.         }
    2364. 

  2364. 

  2365.         if (wc_LockMutex(&wnr_mutex) != 0) {
    2366. 

  2366.             WOLFSSL_MSG("Bad Lock Mutex wnr_mutex");
    2367. 

  2367.             return BAD_MUTEX_E;
    2368. 

  2368.         }
    2369. 

  2369. 

  2370.         if (wnr_get_entropy(wnr_ctx, wnr_timeout, output, sz, sz) !=
    2371. 

  2371.                 WNR_ERROR_NONE)
    2372. 

  2372.             return RNG_FAILURE_E;
    2373. 

  2373. 

  2374.         wc_UnLockMutex(&wnr_mutex);
    2375. 

  2375. 

  2376.         return 0;
    2377. 

  2377.     }
    2378. 

  2378. 

  2379. #elif defined(INTIME_RTOS)
    2380. 

  2380.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2381. 

  2381.     {
    2382. 

  2382.         uint32_t randval;
    2383. 

  2383.         word32 len;
    2384. 

  2384. 

  2385.         if (output == NULL) {
    2386. 

  2386.             return BUFFER_E;
    2387. 

  2387.         }
    2388. 

  2388. 

  2389.     #ifdef INTIMEVER
    2390. 

  2390.         /* If INTIMEVER exists then it is INTIME RTOS v6 or later */
    2391. 

  2391.         #define INTIME_RAND_FUNC arc4random
    2392. 

  2392.         len = 4;
    2393. 

  2393.     #else
    2394. 

  2394.         /* v5 and older */
    2395. 

  2395.         #define INTIME_RAND_FUNC rand
    2396. 

  2396.         srand(time(0));
    2397. 

  2397.         len = 2; /* don't use all 31 returned bits */
    2398. 

  2398.     #endif
    2399. 

  2399. 

  2400.         while (sz > 0) {
    2401. 

  2401.             if (sz < len)
    2402. 

  2402.                 len = sz;
    2403. 

  2403.             randval = INTIME_RAND_FUNC();
    2404. 

  2404.             XMEMCPY(output, &randval, len);
    2405. 

  2405.             output += len;
    2406. 

  2406.             sz -= len;
    2407. 

  2407.         }
    2408. 

  2408.         (void)os;
    2409. 

  2409. 

  2410.         return 0;
    2411. 

  2411.     }
    2412. 

  2412. 

  2413. #elif defined(WOLFSSL_WICED)
    2414. 

  2414.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2415. 

  2415.     {
    2416. 

  2416.         int ret;
    2417. 

  2417.         (void)os;
    2418. 

  2418. 

  2419.         if (output == NULL || UINT16_MAX < sz) {
    2420. 

  2420.             return BUFFER_E;
    2421. 

  2421.         }
    2422. 

  2422. 

  2423.         if ((ret = wiced_crypto_get_random((void*) output, sz) )
    2424. 

  2424.                          != WICED_SUCCESS) {
    2425. 

  2425.             return ret;
    2426. 

  2426.         }
    2427. 

  2427. 

  2428.         return ret;
    2429. 

  2429.     }
    2430. 

  2430. 

  2431. #elif defined(WOLFSSL_NETBURNER)
    2432. 

  2432.     #warning using NetBurner pseudo random GetRandomByte for seed
    2433. 

  2433.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2434. 

  2434.     {
    2435. 

  2435.         word32 i;
    2436. 

  2436.         (void)os;
    2437. 

  2437. 

  2438.         if (output == NULL) {
    2439. 

  2439.             return BUFFER_E;
    2440. 

  2440.         }
    2441. 

  2441. 

  2442.         for (i = 0; i < sz; i++) {
    2443. 

  2443.             output[i] = GetRandomByte();
    2444. 

  2444. 

  2445.             /* check if was a valid random number */
    2446. 

  2446.             if (!RandomValid())
    2447. 

  2447.                 return RNG_FAILURE_E;
    2448. 

  2448.         }
    2449. 

  2449. 

  2450.         return 0;
    2451. 

  2451.     }
    2452. 

  2452. #elif defined(IDIRECT_DEV_RANDOM)
    2453. 

  2453. 

  2454.     extern int getRandom( int sz, unsigned char *output );
    2455. 

  2455. 

  2456.     int GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2457. 

  2457.     {
    2458. 

  2458.         int num_bytes_returned = 0;
    2459. 

  2459. 

  2460.         num_bytes_returned = getRandom( (int) sz, (unsigned char *) output );
    2461. 

  2461. 

  2462.         return 0;
    2463. 

  2463.     }
    2464. 

  2464. 

  2465. #elif (defined(WOLFSSL_IMX6_CAAM) || defined(WOLFSSL_IMX6_CAAM_RNG) || \
    2466. 

  2466.        defined(WOLFSSL_SECO_CAAM) || defined(WOLFSSL_QNX_CAAM))
    2467. 

  2467. 

  2468.     #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
    2469. 

  2469. 

  2470.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2471. 

  2471.     {
    2472. 

  2472.         unsigned int args[4] = {0};
    2473. 

  2473.         CAAM_BUFFER buf[1];
    2474. 

  2474.         int ret    = 0;
    2475. 

  2475.         int times  = 1000, i; /* 1000 is an arbitrary number chosen */
    2476. 

  2476.         word32 idx = 0;
    2477. 

  2477. 

  2478.         (void)os;
    2479. 

  2479. 

  2480.         if (output == NULL) {
    2481. 

  2481.             return BUFFER_E;
    2482. 

  2482.         }
    2483. 

  2483. 

  2484.         /* Check Waiting to make sure entropy is ready */
    2485. 

  2485.         for (i = 0; i < times; i++) {
    2486. 

  2486.             buf[0].BufferType = DataBuffer | LastBuffer;
    2487. 

  2487.             buf[0].TheAddress = (CAAM_ADDRESS)(output + idx);
    2488. 

  2488.             buf[0].Length     = ((sz - idx) < WC_CAAM_MAX_ENTROPY)?
    2489. 

  2489.                                 sz - idx : WC_CAAM_MAX_ENTROPY;
    2490. 

  2490. 

  2491.             args[0] = buf[0].Length;
    2492. 

  2492.             ret = wc_caamAddAndWait(buf, 1, args, CAAM_ENTROPY);
    2493. 

  2493.             if (ret == 0) {
    2494. 

  2494.                 idx += buf[0].Length;
    2495. 

  2495.                 if (idx == sz)
    2496. 

  2496.                     break;
    2497. 

  2497.             }
    2498. 

  2498. 

  2499.             /* driver could be waiting for entropy */
    2500. 

  2500.             if (ret != RAN_BLOCK_E && ret != 0) {
    2501. 

  2501.                 return ret;
    2502. 

  2502.             }
    2503. 

  2503.             usleep(100);
    2504. 

  2504.         }
    2505. 

  2505. 

  2506.         if (i == times && ret != 0) {
    2507. 

  2507.              return RNG_FAILURE_E;
    2508. 

  2508.         }
    2509. 

  2509.         else { /* Success case */
    2510. 

  2510.             ret = 0;
    2511. 

  2511.         }
    2512. 

  2512. 

  2513.         return ret;
    2514. 

  2514.     }
    2515. 

  2515. 

  2516. #elif defined(WOLFSSL_APACHE_MYNEWT)
    2517. 

  2517. 

  2518.     #include <stdlib.h>
    2519. 

  2519.     #include "os/os_time.h"
    2520. 

  2520.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2521. 

  2521.     {
    2522. 

  2522.         int i;
    2523. 

  2523.         srand(os_time_get());
    2524. 

  2524. 

  2525.         for (i = 0; i < sz; i++ ) {
    2526. 

  2526.             output[i] = rand() % 256;
    2527. 

  2527.             if ((i % 8) == 7) {
    2528. 

  2528.                 srand(os_time_get());
    2529. 

  2529.             }
    2530. 

  2530.         }
    2531. 

  2531. 

  2532.         return 0;
    2533. 

  2533.     }
    2534. 

  2534. 

  2535. #elif defined(WOLFSSL_ESPIDF)
    2536. 

  2536. 

  2537.     /* Espressif */
    2538. 

  2538.     #if defined(WOLFSSL_ESPWROOM32) || defined(WOLFSSL_ESPWROOM32SE)
    2539. 

  2539. 

  2540.         /* Espressif ESP32 */
    2541. 

  2541.         #include <esp_system.h>
    2542. 

  2542. 

  2543.         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2544. 

  2544.         {
    2545. 

  2545.             word32 rand;
    2546. 

  2546.             while (sz > 0) {
    2547. 

  2547.                 word32 len = sizeof(rand);
    2548. 

  2548.                 if (sz < len)
    2549. 

  2549.                     len = sz;
    2550. 

  2550.                 /* Get one random 32-bit word from hw RNG */
    2551. 

  2551.                 rand = esp_random( );
    2552. 

  2552.                 XMEMCPY(output, &rand, len);
    2553. 

  2553.                 output += len;
    2554. 

  2554.                 sz -= len;
    2555. 

  2555.             }
    2556. 

  2556. 

  2557.             return 0;
    2558. 

  2558.         }
    2559. 

  2559. 

  2560.     #elif defined(WOLFSSL_ESP8266)
    2561. 

  2561. 

  2562.         /* Espressif ESP8266 */
    2563. 

  2563.         #include <esp_system.h>
    2564. 

  2564. 

  2565.         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2566. 

  2566.         {
    2567. 

  2567.             word32 rand;
    2568. 

  2568.             while (sz > 0) {
    2569. 

  2569.                 word32 len = sizeof(rand);
    2570. 

  2570.                 if (sz < len)
    2571. 

  2571.                     len = sz;
    2572. 

  2572.                 /* Get one random 32-bit word from hw RNG */
    2573. 

  2573.                 rand = esp_random( );
    2574. 

  2574.                 XMEMCPY(output, &rand, len);
    2575. 

  2575.                 output += len;
    2576. 

  2576.                 sz -= len;
    2577. 

  2577.             }
    2578. 

  2578. 

  2579.             return 0;
    2580. 

  2580.         }
    2581. 

  2581.     #endif /* end WOLFSSL_ESPWROOM32 */
    2582. 

  2582. 

  2583. #elif defined(WOLFSSL_LINUXKM)
    2584. 

  2584.     #include <linux/random.h>
    2585. 

  2585.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2586. 

  2586.     {
    2587. 

  2587.         (void)os;
    2588. 

  2588. 

  2589.         get_random_bytes(output, sz);
    2590. 

  2590. 

  2591.         return 0;
    2592. 

  2592.     }
    2593. 

  2593. 

  2594. #elif defined(WOLFSSL_RENESAS_TSIP)
    2595. 

  2595. #if defined(WOLFSSL_RENESA_TSIP_IAREWRX)
    2596. 

  2596.    #include "r_bsp/mcu/all/r_rx_compiler.h"
    2597. 

  2597. #endif
    2598. 

  2598.    #include "r_bsp/platform.h"
    2599. 

  2599.     #include "r_tsip_rx_if.h"
    2600. 

  2600. 

  2601.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2602. 

  2602.     {
    2603. 

  2603.         int ret = 0;
    2604. 

  2604.         word32 buffer[4];
    2605. 

  2605. 

  2606.         while (sz > 0) {
    2607. 

  2607.             word32 len = sizeof(buffer);
    2608. 

  2608. 

  2609.             if (sz < len) {
    2610. 

  2610.                 len = sz;
    2611. 

  2611.             }
    2612. 

  2612.             /* return 4 words random number*/
    2613. 

  2613.             ret = R_TSIP_GenerateRandomNumber((uint32_t*)buffer);
    2614. 

  2614.             if(ret == TSIP_SUCCESS) {
    2615. 

  2615.                 XMEMCPY(output, &buffer, len);
    2616. 

  2616.                 output += len;
    2617. 

  2617.                 sz -= len;
    2618. 

  2618.             } else
    2619. 

  2619.                 return ret;
    2620. 

  2620.         }
    2621. 

  2621.         return ret;
    2622. 

  2622.     }
    2623. 

  2623. #elif defined(WOLFSSL_RENESAS_SCEPROTECT)
    2624. 

  2624.     #include "r_sce.h"
    2625. 

  2625. 

  2626.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2627. 

  2627.     {
    2628. 

  2628.         int ret = 0;
    2629. 

  2629.         word32 buffer[4];
    2630. 

  2630. 

  2631.         while (sz > 0) {
    2632. 

  2632.             word32 len = sizeof(buffer);
    2633. 

  2633. 

  2634.             if (sz < len) {
    2635. 

  2635.                 len = sz;
    2636. 

  2636.             }
    2637. 

  2637.             /* return 4 words random number*/
    2638. 

  2638.             ret = R_SCE_RandomNumberGenerate(buffer);
    2639. 

  2639.             if(ret == FSP_SUCCESS) {
    2640. 

  2640.                 XMEMCPY(output, &buffer, len);
    2641. 

  2641.                 output += len;
    2642. 

  2642.                 sz -= len;
    2643. 

  2643.             } else
    2644. 

  2644.                 return ret;
    2645. 

  2645.         }
    2646. 

  2646.         return ret;
    2647. 

  2647.     }
    2648. 

  2648. 

  2649. #elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_TRNG)
    2650. 

  2650.     #include "hal_data.h"
    2651. 

  2651. 

  2652.     #ifndef WOLFSSL_SCE_TRNG_HANDLE
    2653. 

  2653.         #define WOLFSSL_SCE_TRNG_HANDLE g_sce_trng
    2654. 

  2654.     #endif
    2655. 

  2655. 

  2656.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2657. 

  2657.     {
    2658. 

  2658.         word32 ret;
    2659. 

  2659.         word32 blocks;
    2660. 

  2660.         word32 len = sz;
    2661. 

  2661. 

  2662.         ret = WOLFSSL_SCE_TRNG_HANDLE.p_api->open(WOLFSSL_SCE_TRNG_HANDLE.p_ctrl,
    2663. 

  2663.                                                   WOLFSSL_SCE_TRNG_HANDLE.p_cfg);
    2664. 

  2664.         if (ret != SSP_SUCCESS && ret != SSP_ERR_CRYPTO_ALREADY_OPEN) {
    2665. 

  2665.             /* error opening TRNG driver */
    2666. 

  2666.             return -1;
    2667. 

  2667.         }
    2668. 

  2668. 

  2669.         blocks = sz / sizeof(word32);
    2670. 

  2670.         if (blocks > 0) {
    2671. 

  2671.             ret = WOLFSSL_SCE_TRNG_HANDLE.p_api->read(WOLFSSL_SCE_TRNG_HANDLE.p_ctrl,
    2672. 

  2672.                                                        (word32*)output, blocks);
    2673. 

  2673.             if (ret != SSP_SUCCESS) {
    2674. 

  2674.                 return -1;
    2675. 

  2675.             }
    2676. 

  2676.         }
    2677. 

  2677. 

  2678.         len = len - (blocks * sizeof(word32));
    2679. 

  2679.         if (len > 0) {
    2680. 

  2680.             word32 tmp;
    2681. 

  2681. 

  2682.             if (len > sizeof(word32)) {
    2683. 

  2683.                 return -1;
    2684. 

  2684.             }
    2685. 

  2685.             ret = WOLFSSL_SCE_TRNG_HANDLE.p_api->read(WOLFSSL_SCE_TRNG_HANDLE.p_ctrl,
    2686. 

  2686.                                                       (word32*)&tmp, 1);
    2687. 

  2687.             if (ret != SSP_SUCCESS) {
    2688. 

  2688.                 return -1;
    2689. 

  2689.             }
    2690. 

  2690.             XMEMCPY(output + (blocks * sizeof(word32)), (byte*)&tmp, len);
    2691. 

  2691.         }
    2692. 

  2692. 

  2693.         ret = WOLFSSL_SCE_TRNG_HANDLE.p_api->close(WOLFSSL_SCE_TRNG_HANDLE.p_ctrl);
    2694. 

  2694.         if (ret != SSP_SUCCESS) {
    2695. 

  2695.             /* error opening TRNG driver */
    2696. 

  2696.             return -1;
    2697. 

  2697.         }
    2698. 

  2698.         return 0;
    2699. 

  2699.     }
    2700. 

  2700. #elif defined(CUSTOM_RAND_GENERATE_BLOCK)
    2701. 

  2701.     /* #define CUSTOM_RAND_GENERATE_BLOCK myRngFunc
    2702. 

  2702.      * extern int myRngFunc(byte* output, word32 sz);
    2703. 

  2703.      */
    2704. 

  2704. 

  2705. #elif defined(WOLFSSL_SAFERTOS) || defined(WOLFSSL_LEANPSK) || \
    2706. 

  2706.       defined(WOLFSSL_IAR_ARM)  || defined(WOLFSSL_MDK_ARM) || \
    2707. 

  2707.       defined(WOLFSSL_uITRON4)  || defined(WOLFSSL_uTKERNEL2) || \
    2708. 

  2708.       defined(WOLFSSL_LPC43xx)  || defined(NO_STM32_RNG) || \
    2709. 

  2709.       defined(MBED)             || defined(WOLFSSL_EMBOS) || \
    2710. 

  2710.       defined(WOLFSSL_GENSEED_FORTEST) || defined(WOLFSSL_CHIBIOS) || \
    2711. 

  2711.       defined(WOLFSSL_CONTIKI)  || defined(WOLFSSL_AZSPHERE)
    2712. 

  2712. 

  2713.     /* these platforms do not have a default random seed and
    2714. 

  2714.        you'll need to implement your own wc_GenerateSeed or define via
    2715. 

  2715.        CUSTOM_RAND_GENERATE_BLOCK */
    2716. 

  2716. 

  2717.     #define USE_TEST_GENSEED
    2718. 

  2718. 

  2719. #elif defined(WOLFSSL_ZEPHYR)
    2720. 

  2720. 

  2721.         #include <random/rand32.h>
    2722. 

  2722.     #ifndef _POSIX_C_SOURCE
    2723. 

  2723.         #include <posix/time.h>
    2724. 

  2724.     #else
    2725. 

  2725.         #include <sys/time.h>
    2726. 

  2726.     #endif
    2727. 

  2727. 

  2728.         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2729. 

  2729.         {
    2730. 

  2730.             sys_rand_get(output, sz);
    2731. 

  2731.             return 0;
    2732. 

  2732.         }
    2733. 

  2733. 

  2734. #elif defined(WOLFSSL_TELIT_M2MB)
    2735. 

  2735. 

  2736.         #include "stdlib.h"
    2737. 

  2737.         static long get_timestamp(void) {
    2738. 

  2738.             long myTime = 0;
    2739. 

  2739.             INT32 fd = m2mb_rtc_open("/dev/rtc0", 0);
    2740. 

  2740.             if (fd >= 0) {
    2741. 

  2741.                 M2MB_RTC_TIMEVAL_T timeval;
    2742. 

  2742.                 m2mb_rtc_ioctl(fd, M2MB_RTC_IOCTL_GET_TIMEVAL, &timeval);
    2743. 

  2743.                 myTime = timeval.msec;
    2744. 

  2744.                 m2mb_rtc_close(fd);
    2745. 

  2745.             }
    2746. 

  2746.             return myTime;
    2747. 

  2747.         }
    2748. 

  2748.         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2749. 

  2749.         {
    2750. 

  2750.             int i;
    2751. 

  2751.             srand(get_timestamp());
    2752. 

  2752.             for (i = 0; i < sz; i++ ) {
    2753. 

  2753.                 output[i] = rand() % 256;
    2754. 

  2754.                 if ((i % 8) == 7) {
    2755. 

  2755.                     srand(get_timestamp());
    2756. 

  2756.                 }
    2757. 

  2757.             }
    2758. 

  2758.             return 0;
    2759. 

  2759.         }
    2760. 

  2760. #elif defined(WOLFSSL_SE050)
    2761. 

  2761.      #include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
    2762. 

  2762. 

  2763.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz){
    2764. 

  2764.         int ret = 0;
    2765. 

  2765. 

  2766.         (void)os;
    2767. 

  2767. 

  2768.         if (output == NULL) {
    2769. 

  2769.             return BUFFER_E;
    2770. 

  2770.         }
    2771. 

  2771.         ret = wolfSSL_CryptHwMutexLock();
    2772. 

  2772.         if (ret == 0) {
    2773. 

  2773.             ret = se050_get_random_number(sz, output);
    2774. 

  2774.             wolfSSL_CryptHwMutexUnLock();
    2775. 

  2775.         }
    2776. 

  2776.         return ret;
    2777. 

  2777.     }
    2778. 

  2778. 

  2779. #elif defined(DOLPHIN_EMULATOR)
    2780. 

  2780. 

  2781.         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2782. 

  2782.         {
    2783. 

  2783.             word32 i;
    2784. 

  2784.             (void)os;
    2785. 

  2785.             srand(time(NULL));
    2786. 

  2786.             for (i = 0; i < sz; i++)
    2787. 

  2787.                 output[i] = (byte)rand();
    2788. 

  2788.             return 0;
    2789. 

  2789.         }
    2790. 

  2790. 

  2791. #elif defined(WOLFSSL_GETRANDOM)
    2792. 

  2792. 

  2793.     /* getrandom() was added to the Linux kernel in version 3.17.
    2794. 

  2794.      * Added to glibc in version 2.25. */
    2795. 

  2795.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2796. 

  2796.     {
    2797. 

  2797.         int ret = 0;
    2798. 

  2798.         int len = 0;
    2799. 

  2799.         (void)os;
    2800. 

  2800. 

  2801.         while (sz) {
    2802. 

  2802.             errno = 0;
    2803. 

  2803.             len = (int)getrandom(output, sz, 0);
    2804. 

  2804.             if (len == -1) {
    2805. 

  2805.                 if (errno == EINTR) {
    2806. 

  2806.                     /* interrupted, call getrandom again */
    2807. 

  2807.                     continue;
    2808. 

  2808.                 }
    2809. 

  2809.                 else {
    2810. 

  2810.                     ret = READ_RAN_E;
    2811. 

  2811.                 }
    2812. 

  2812.                 break;
    2813. 

  2813.             }
    2814. 

  2814. 

  2815.             sz     -= len;
    2816. 

  2816.             output += len;
    2817. 

  2817.         }
    2818. 

  2818.         return ret;
    2819. 

  2819.     }
    2820. 

  2820. 

  2821. #elif defined(NO_DEV_RANDOM)
    2822. 

  2822. 

  2823.     #error "you need to write an os specific wc_GenerateSeed() here"
    2824. 

  2824. 

  2825.     /*
    2826. 

  2826.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2827. 

  2827.     {
    2828. 

  2828.         return 0;
    2829. 

  2829.     }
    2830. 

  2830.     */
    2831. 

  2831. 

  2832. #else
    2833. 

  2833. 

  2834.     /* may block */
    2835. 

  2835.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2836. 

  2836.     {
    2837. 

  2837.         int ret = 0;
    2838. 

  2838. 

  2839.         if (os == NULL) {
    2840. 

  2840.             return BAD_FUNC_ARG;
    2841. 

  2841.         }
    2842. 

  2842. 

  2843.     #ifdef WOLF_CRYPTO_CB
    2844. 

  2844.         if (os->devId != INVALID_DEVID) {
    2845. 

  2845.             ret = wc_CryptoCb_RandomSeed(os, output, sz);
    2846. 

  2846.             if (ret != CRYPTOCB_UNAVAILABLE)
    2847. 

  2847.                 return ret;
    2848. 

  2848.             /* fall-through when unavailable */
    2849. 

  2849.             ret = 0; /* reset error code */
    2850. 

  2850.         }
    2851. 

  2851.     #endif
    2852. 

  2852. 

  2853.     #if defined(HAVE_INTEL_RDSEED) || defined(HAVE_AMD_RDSEED)
    2854. 

  2854.         if (IS_INTEL_RDSEED(intel_flags)) {
    2855. 

  2855.              ret = wc_GenerateSeed_IntelRD(NULL, output, sz);
    2856. 

  2856.              if (ret == 0) {
    2857. 

  2857.                  /* success, we're done */
    2858. 

  2858.                  return ret;
    2859. 

  2859.              }
    2860. 

  2860.         #ifdef FORCE_FAILURE_RDSEED
    2861. 

  2861.              /* don't fallback to /dev/urandom */
    2862. 

  2862.              return ret;
    2863. 

  2863.         #else
    2864. 

  2864.              /* reset error and fallback to using /dev/urandom */
    2865. 

  2865.              ret = 0;
    2866. 

  2866.         #endif
    2867. 

  2867.         }
    2868. 

  2868.     #endif /* HAVE_INTEL_RDSEED || HAVE_AMD_RDSEED */
    2869. 

  2869. 

  2870.     #ifndef NO_DEV_URANDOM /* way to disable use of /dev/urandom */
    2871. 

  2871.         os->fd = open("/dev/urandom", O_RDONLY);
    2872. 

  2872.         if (os->fd == -1)
    2873. 

  2873.     #endif
    2874. 

  2874.         {
    2875. 

  2875.             /* may still have /dev/random */
    2876. 

  2876.             os->fd = open("/dev/random", O_RDONLY);
    2877. 

  2877.             if (os->fd == -1)
    2878. 

  2878.                 return OPEN_RAN_E;
    2879. 

  2879.         }
    2880. 

  2880. 

  2881.         while (sz) {
    2882. 

  2882.             int len = (int)read(os->fd, output, sz);
    2883. 

  2883.             if (len == -1) {
    2884. 

  2884.                 ret = READ_RAN_E;
    2885. 

  2885.                 break;
    2886. 

  2886.             }
    2887. 

  2887. 

  2888.             sz     -= len;
    2889. 

  2889.             output += len;
    2890. 

  2890. 

  2891.             if (sz) {
    2892. 

  2892.     #if defined(BLOCKING) || defined(WC_RNG_BLOCKING)
    2893. 

  2893.                 sleep(0);             /* context switch */
    2894. 

  2894.     #else
    2895. 

  2895.                 ret = RAN_BLOCK_E;
    2896. 

  2896.                 break;
    2897. 

  2897.     #endif
    2898. 

  2898.             }
    2899. 

  2899.         }
    2900. 

  2900.         close(os->fd);
    2901. 

  2901. 

  2902.         return ret;
    2903. 

  2903.     }
    2904. 

  2904. 

  2905. #endif
    2906. 

  2906. 

  2907. #ifdef USE_TEST_GENSEED
    2908. 

  2908.     #ifndef _MSC_VER
    2909. 

  2909.         #warning "write a real random seed!!!!, just for testing now"
    2910. 

  2910.     #else
    2911. 

  2911.         #pragma message("Warning: write a real random seed!!!!, just for testing now")
    2912. 

  2912.     #endif
    2913. 

  2913.     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
    2914. 

  2914.     {
    2915. 

  2915.         word32 i;
    2916. 

  2916.         for (i = 0; i < sz; i++ )
    2917. 

  2917.             output[i] = i;
    2918. 

  2918. 

  2919.         (void)os;
    2920. 

  2920. 

  2921.         return 0;
    2922. 

  2922.     }
    2923. 

  2923. #endif
    2924. 

  2924. /* End wc_GenerateSeed */
    2925. 

  2925. 

  2926. #if defined(CUSTOM_RAND_GENERATE_BLOCK) && defined(WOLFSSL_KCAPI)
    2927. 

  2927. #include <fcntl.h>
    2928. 

  2928. int wc_hwrng_generate_block(byte *output, word32 sz)
    2929. 

  2929. {
    2930. 

  2930.     int fd;
    2931. 

  2931.     int len;
    2932. 

  2932.     int ret = 0;
    2933. 

  2933.     fd = open("/dev/hwrng", O_RDONLY);
    2934. 

  2934.     if (fd == -1)
    2935. 

  2935.         return OPEN_RAN_E;
    2936. 

  2936.     while(sz)
    2937. 

  2937.     {
    2938. 

  2938.         len = (int)read(fd, output, sz);
    2939. 

  2939.         if (len == -1)
    2940. 

  2940.         {
    2941. 

  2941.             ret = READ_RAN_E;
    2942. 

  2942.             break;
    2943. 

  2943.         }
    2944. 

  2944.         sz -= len;
    2945. 

  2945.         output += len;
    2946. 

  2946.     }
    2947. 

  2947.     close(fd);
    2948. 

  2948.     return ret;
    2949. 

  2949. }
    2950. 

  2950. #endif
    2951. 

  2951. 

  2952. #endif /* WC_NO_RNG */
    2953. 

  2953. #endif /* HAVE_FIPS */
    2954.