Coverage Report

Created: 2024-11-21 07:03

/src/libgcrypt/random/random-drbg.c
Line
Count
Source (jump to first uncovered line)
1
/* random-drbg.c - Deterministic Random Bits Generator
2
 * Copyright 2014 Stephan Mueller <smueller@chronox.de>
3
 *
4
 * DRBG: Deterministic Random Bits Generator
5
 *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
6
 *       properties:
7
 *    * CTR DRBG with DF with AES-128, AES-192, AES-256 cores
8
 *    * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
9
 *    * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
10
 *    * with and without prediction resistance
11
 *
12
 * Redistribution and use in source and binary forms, with or without
13
 * modification, are permitted provided that the following conditions
14
 * are met:
15
 * 1. Redistributions of source code must retain the above copyright
16
 *    notice, and the entire permission notice in its entirety,
17
 *    including the disclaimer of warranties.
18
 * 2. Redistributions in binary form must reproduce the above copyright
19
 *    notice, this list of conditions and the following disclaimer in the
20
 *    documentation and/or other materials provided with the distribution.
21
 * 3. The name of the author may not be used to endorse or promote
22
 *    products derived from this software without specific prior
23
 *    written permission.
24
 *
25
 * ALTERNATIVELY, this product may be distributed under the terms of
26
 * LGPLv2+, in which case the provisions of the LGPL are
27
 * required INSTEAD OF the above restrictions.  (This clause is
28
 * necessary due to a potential bad interaction between the LGPL and
29
 * the restrictions contained in a BSD-style copyright.)
30
 *
31
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
33
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
34
 * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
35
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
36
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
37
 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
38
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
39
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
41
 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
42
 * DAMAGE.
43
 *
44
 *
45
 * gcry_control GCRYCTL_DRBG_REINIT
46
 * ================================
47
 * This control request re-initializes the DRBG completely, i.e. the entire
48
 * state of the DRBG is zeroized (with two exceptions listed in
49
 * GCRYCTL_DRBG_SET_ENTROPY).
50
 *
51
 * The control request takes the following values which influences how
52
 * the DRBG is re-initialized:
53
 *
54
 *  - const char *flagstr
55
 *
56
 *      This variable specifies the DRBG type to be used for the next
57
 *  initialization.  If set to NULL, the previous DRBG type is
58
 *  used for the initialization.  If not NULL a space separated
59
 *  list of tokens with associated flag values is expected which
60
 *  are ORed to form the mandatory flags of the requested DRBG
61
 *  strength and cipher type.  Optionally, the prediction
62
 *  resistance flag can be ORed into the flags variable.
63
 *
64
 *      | String token | Flag value             |
65
 *      |--------------+------------------------|
66
 *      | aes          | DRBG_CTRAES            |
67
 *      | serpent      | DRBG_CTRSERPENT        |
68
 *      | twofish      | DRBG_CTRTWOFISH        |
69
 *      | sha1         | DRBG_HASHSHA1          |
70
 *      | sha256       | DRBG_HASHSHA256        |
71
 *      | sha512       | DRBG_HASHSHA512        |
72
 *      | hmac         | DRBG_HMAC              |
73
 *      | sym128       | DRBG_SYM128            |
74
 *      | sym192       | DRBG_SYM192            |
75
 *      | sym256       | DRBG_SYM256            |
76
 *      | pr           | DRBG_PREDICTION_RESIST |
77
 *
78
 *    For example:
79
 *
80
 *  - CTR-DRBG with AES-128 without prediction resistance:
81
 *      "aes sym128"
82
 *  - HMAC-DRBG with SHA-512 with prediction resistance:
83
 *      "hmac sha512 pr"
84
 *
85
 *  - gcry_buffer_t *pers
86
 *
87
 *      NULL terminated array with personalization strings to be used
88
 *  for initialization.
89
 *
90
 *  - int npers
91
 *
92
 *     Size of PERS.
93
 *
94
 *  - void *guard
95
 *
96
 *      A value of NULL must be passed for this.
97
 *
98
 * The variable of flags is independent from the pers/perslen variables. If
99
 * flags is set to 0 and perslen is set to 0, the current DRBG type is
100
 * completely reset without using a personalization string.
101
 *
102
 * DRBG Usage
103
 * ==========
104
 * The SP 800-90A DRBG allows the user to specify a personalization string
105
 * for initialization as well as an additional information string for each
106
 * random number request.  The following code fragments show how a caller
107
 * uses the API to use the full functionality of the DRBG.
108
 *
109
 * Usage without any additional data
110
 * ---------------------------------
111
 * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
112
 *
113
 *
114
 * Usage with personalization string during initialization
115
 * -------------------------------------------------------
116
 * drbg_string_t pers;
117
 * char personalization[11] = "some-string";
118
 *
119
 * drbg_string_fill(&pers, personalization, strlen(personalization));
120
 * // The reset completely re-initializes the DRBG with the provided
121
 * // personalization string without changing the DRBG type
122
 * ret = gcry_control(GCRYCTL_DRBG_REINIT, 0, &pers);
123
 * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
124
 *
125
 *
126
 * Usage with additional information string during random number request
127
 * ---------------------------------------------------------------------
128
 * drbg_string_t addtl;
129
 * char addtl_string[11] = "some-string";
130
 *
131
 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
132
 * // The following call is a wrapper to gcry_randomize() and returns
133
 * // the same error codes.
134
 * gcry_randomize_drbg(outbuf, OUTLEN, GCRY_STRONG_RANDOM, &addtl);
135
 *
136
 *
137
 * Usage with personalization and additional information strings
138
 * -------------------------------------------------------------
139
 * Just mix both scenarios above.
140
 *
141
 *
142
 * Switch the DRBG type to some other type
143
 * ---------------------------------------
144
 * // Switch to CTR DRBG AES-128 without prediction resistance
145
 * ret = gcry_control(GCRYCTL_DRBG_REINIT, DRBG_NOPR_CTRAES128, NULL);
146
 * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
147
 */
148
149
#include <config.h>
150
151
#include <string.h>
152
#include <unistd.h>
153
#include <stdint.h>
154
155
#include "g10lib.h"
156
#include "random.h"
157
#include "rand-internal.h"
158
#include "../cipher/bufhelp.h"
159
160
161

162
/******************************************************************
163
 * Constants
164
 ******************************************************************/
165
166
/*
167
 * DRBG flags bitmasks
168
 *
169
 * 31 (B) 28      19         (A)         0
170
 *  +-+-+-+--------+---+-----------+-----+
171
 *  |~|~|u|~~~~~~~~| 3 |     2     |  1  |
172
 *  +-+-+-+--------+- -+-----------+-----+
173
 * ctl flg|        |drbg use selection flags
174
 *
175
 */
176
177
/* Internal state control flags (B) */
178
0
#define DRBG_PREDICTION_RESIST  ((u32)1<<28)
179
180
/* CTR type modifiers (A.1)*/
181
0
#define DRBG_CTRAES   ((u32)1<<0)
182
0
#define DRBG_CTRSERPENT   ((u32)1<<1)
183
0
#define DRBG_CTRTWOFISH   ((u32)1<<2)
184
0
#define DRBG_CTR_MASK         (DRBG_CTRAES | DRBG_CTRSERPENT \
185
0
                                 | DRBG_CTRTWOFISH)
186
187
/* HASH type modifiers (A.2)*/
188
0
#define DRBG_HASHSHA1   ((u32)1<<4)
189
0
#define DRBG_HASHSHA224   ((u32)1<<5)
190
0
#define DRBG_HASHSHA256   ((u32)1<<6)
191
0
#define DRBG_HASHSHA512   ((u32)1<<8)
192
0
#define DRBG_HASH_MASK    (DRBG_HASHSHA1 | DRBG_HASHSHA224 \
193
0
         | DRBG_HASHSHA256 | DRBG_HASHSHA512)
194
/* type modifiers (A.3)*/
195
0
#define DRBG_HMAC   ((u32)1<<12)
196
0
#define DRBG_SYM128   ((u32)1<<13)
197
0
#define DRBG_SYM192   ((u32)1<<14)
198
0
#define DRBG_SYM256   ((u32)1<<15)
199
0
#define DRBG_TYPE_MASK    (DRBG_HMAC | DRBG_SYM128 | DRBG_SYM192 \
200
0
         | DRBG_SYM256)
201
0
#define DRBG_CIPHER_MASK        (DRBG_CTR_MASK | DRBG_HASH_MASK \
202
0
                                 | DRBG_TYPE_MASK)
203
204
#define DRBG_PR_CTRAES128   (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM128)
205
#define DRBG_PR_CTRAES192   (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM192)
206
#define DRBG_PR_CTRAES256   (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM256)
207
#define DRBG_NOPR_CTRAES128 (DRBG_CTRAES | DRBG_SYM128)
208
#define DRBG_NOPR_CTRAES192 (DRBG_CTRAES | DRBG_SYM192)
209
#define DRBG_NOPR_CTRAES256 (DRBG_CTRAES | DRBG_SYM256)
210
#define DRBG_PR_HASHSHA1     (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1)
211
#define DRBG_PR_HASHSHA256   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256)
212
#define DRBG_PR_HASHSHA512   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512)
213
#define DRBG_NOPR_HASHSHA1   (DRBG_HASHSHA1)
214
#define DRBG_NOPR_HASHSHA256 (DRBG_HASHSHA256)
215
#define DRBG_NOPR_HASHSHA512 (DRBG_HASHSHA512)
216
#define DRBG_PR_HMACSHA1     (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1 \
217
                              | DRBG_HMAC)
218
#define DRBG_PR_HMACSHA256   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256 \
219
                              | DRBG_HMAC)
220
#define DRBG_PR_HMACSHA512   (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512 \
221
                              | DRBG_HMAC)
222
#define DRBG_NOPR_HMACSHA1   (DRBG_HASHSHA1 | DRBG_HMAC)
223
0
#define DRBG_NOPR_HMACSHA256 (DRBG_HASHSHA256 | DRBG_HMAC)
224
#define DRBG_NOPR_HMACSHA512 (DRBG_HASHSHA512 | DRBG_HMAC)
225
226
227
/* The default DRGB type.  */
228
0
#define DRBG_DEFAULT_TYPE    DRBG_NOPR_HMACSHA256
229
230
231
#define DRBG_CTR_NULL_LEN 128
232
233

234
/******************************************************************
235
 * Common data structures
236
 ******************************************************************/
237
238
/*
239
 * SP800-90A requires the concatenation of different data. To avoid copying
240
 * buffers around or allocate additional memory, the following data structure
241
 * is used to point to the original memory with its size. In addition, it
242
 * is used to build a linked list. The linked list defines the concatenation
243
 * of individual buffers. The order of memory block referenced in that
244
 * linked list determines the order of concatenation.
245
 */
246
struct drbg_string_s
247
{
248
  const unsigned char *buf;
249
  size_t len;
250
  struct drbg_string_s *next;
251
};
252
typedef struct drbg_string_s drbg_string_t;
253
254
255
/* DRBG input data structure for DRBG generate with additional
256
 * information string.  */
257
struct drbg_gen_s
258
{
259
  unsigned char *outbuf;  /* output buffer for random numbers */
260
  unsigned int outlen;          /* size of output buffer */
261
  drbg_string_t *addtl;         /* input buffer for
262
         * additional information string */
263
};
264
typedef struct drbg_gen_s drbg_gen_t;
265
266
267
/* Forward declaration of the state object pointer.  */
268
struct drbg_state_s;
269
typedef struct drbg_state_s *drbg_state_t;
270
271
272
struct drbg_core_s
273
{
274
  u32 flags;      /* flags for the cipher */
275
  ushort statelen;    /* maximum state length */
276
  ushort blocklen_bytes;  /* block size of output in bytes */
277
  int backend_cipher;   /* libgcrypt backend cipher */
278
};
279
280
struct drbg_state_ops_s
281
{
282
  gpg_err_code_t (*update) (drbg_state_t drbg,
283
          drbg_string_t *seed, int reseed);
284
  gpg_err_code_t (*generate) (drbg_state_t drbg,
285
            unsigned char *buf, unsigned int buflen,
286
            drbg_string_t *addtl);
287
  gpg_err_code_t (*crypto_init) (drbg_state_t drbg);
288
  void     (*crypto_fini) (drbg_state_t drbg);
289
};
290
291
struct drbg_test_data_s
292
{
293
  drbg_string_t *testentropy; /* TEST PARAMETER: test entropy */
294
  unsigned int fail_seed_source:1; /* If set, the seed function will
295
                                 * return an error. */
296
};
297
298
299
/* This state object keeps the state of an DRBG instance.  */
300
struct drbg_state_s
301
{
302
  unsigned char *V;   /* internal state 10.1.1.1 1a) */
303
  unsigned char *C;   /* hash: static value 10.1.1.1 1b)
304
         * hmac / ctr: key */
305
  size_t reseed_ctr;    /* Number of RNG requests since last reseed --
306
         * 10.1.1.1 1c) */
307
  unsigned char *scratchpad;  /* some memory the DRBG can use for its
308
         * operation -- allocated during init */
309
  void *priv_data;    /* Cipher handle */
310
  gcry_cipher_hd_t ctr_handle;  /* CTR mode cipher handle */
311
  unsigned int seeded:1;  /* DRBG fully seeded? */
312
  unsigned int pr:1;    /* Prediction resistance enabled? */
313
  /* Taken from libgcrypt ANSI X9.31 DRNG: We need to keep track of the
314
   * process which did the initialization so that we can detect a fork.
315
   * The volatile modifier is required so that the compiler does not
316
   * optimize it away in case the getpid function is badly attributed. */
317
  pid_t seed_init_pid;
318
  const struct drbg_state_ops_s *d_ops;
319
  const struct drbg_core_s *core;
320
  struct drbg_test_data_s *test_data;
321
};
322
323
enum drbg_prefixes
324
{
325
  DRBG_PREFIX0 = 0x00,
326
  DRBG_PREFIX1,
327
  DRBG_PREFIX2,
328
  DRBG_PREFIX3
329
};
330
331
0
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
332
333
/***************************************************************
334
 * Global variables
335
 ***************************************************************/
336
337
/* The instance of the DRBG, to be refereed by drbg_state.  */
338
static struct drbg_state_s drbg_instance;
339
340
/* Global state variable holding the current instance of the DRBG.  */
341
static drbg_state_t drbg_state;
342
343
/* This is the lock variable we use to serialize access to this RNG. */
344
GPGRT_LOCK_DEFINE(drbg_lock_var);
345
346
347
/***************************************************************
348
 * Backend cipher definitions available to DRBG
349
 ***************************************************************/
350
351
static const struct drbg_core_s drbg_cores[] = {
352
  /* Hash DRBGs */
353
  {DRBG_HASHSHA1, 55, 20, GCRY_MD_SHA1},
354
  {DRBG_HASHSHA256, 55, 32, GCRY_MD_SHA256},
355
  {DRBG_HASHSHA512, 111, 64, GCRY_MD_SHA512},
356
  /* HMAC DRBGs */
357
  {DRBG_HASHSHA1   | DRBG_HMAC, 20, 20, GCRY_MD_SHA1},
358
  {DRBG_HASHSHA256 | DRBG_HMAC, 32, 32, GCRY_MD_SHA256},
359
  {DRBG_HASHSHA512 | DRBG_HMAC, 64, 64, GCRY_MD_SHA512},
360
  /* block ciphers */
361
  {DRBG_CTRAES | DRBG_SYM128, 32, 16, GCRY_CIPHER_AES128},
362
  {DRBG_CTRAES | DRBG_SYM192, 40, 16, GCRY_CIPHER_AES192},
363
  {DRBG_CTRAES | DRBG_SYM256, 48, 16, GCRY_CIPHER_AES256}
364
};
365
366
static gpg_err_code_t drbg_hash_init (drbg_state_t drbg);
367
static gpg_err_code_t drbg_hmac_init (drbg_state_t drbg);
368
static gpg_err_code_t drbg_hmac_setkey (drbg_state_t drbg,
369
          const unsigned char *key);
370
static void drbg_hash_fini (drbg_state_t drbg);
371
static byte *drbg_hash (drbg_state_t drbg, const drbg_string_t *buf);
372
static gpg_err_code_t drbg_sym_init (drbg_state_t drbg);
373
static void drbg_sym_fini (drbg_state_t drbg);
374
static gpg_err_code_t drbg_sym_setkey (drbg_state_t drbg,
375
               const unsigned char *key);
376
static gpg_err_code_t drbg_sym (drbg_state_t drbg, unsigned char *outval,
377
        const drbg_string_t *buf);
378
static gpg_err_code_t drbg_sym_ctr (drbg_state_t drbg,
379
      const unsigned char *inbuf, unsigned int inbuflen,
380
      unsigned char *outbuf, unsigned int outbuflen);
381
382
/******************************************************************
383
 ******************************************************************
384
 ******************************************************************
385
 * Generic DRBG code
386
 ******************************************************************
387
 ******************************************************************
388
 ******************************************************************/
389
390
/******************************************************************
391
 * Generic helper functions
392
 ******************************************************************/
393
394
#if 0
395
#define dbg(x) do { log_debug x; } while(0)
396
#else
397
#define dbg(x)
398
#endif
399
400
/*
401
 * Parse a string of flags and store the flag values at R_FLAGS.
402
 * Return 0 on success.
403
 */
404
static gpg_err_code_t
405
parse_flag_string (const char *string, u32 *r_flags)
406
0
{
407
0
  struct {
408
0
    const char *name;
409
0
    u32 flag;
410
0
  } table[] = {
411
0
    { "aes",     DRBG_CTRAES            },
412
0
    { "serpent", DRBG_CTRSERPENT        },
413
0
    { "twofish", DRBG_CTRTWOFISH        },
414
0
    { "sha1",    DRBG_HASHSHA1          },
415
0
    { "sha256",  DRBG_HASHSHA256        },
416
0
    { "sha512",  DRBG_HASHSHA512        },
417
0
    { "hmac",    DRBG_HMAC              },
418
0
    { "sym128",  DRBG_SYM128            },
419
0
    { "sym192",  DRBG_SYM192            },
420
0
    { "sym256",  DRBG_SYM256            },
421
0
    { "pr",      DRBG_PREDICTION_RESIST }
422
0
  };
423
424
0
  *r_flags = 0;
425
0
  if (string)
426
0
    {
427
0
      char **tl;
428
0
      const char *s;
429
0
      int i, j;
430
431
0
      tl = _gcry_strtokenize (string, NULL);
432
0
      if (!tl)
433
0
        return gpg_err_code_from_syserror ();
434
0
      for (i=0; (s=tl[i]); i++)
435
0
        {
436
0
          for (j=0; j < DIM (table); j++)
437
0
            if (!strcmp (s, table[j].name))
438
0
              {
439
0
                *r_flags |= table[j].flag;
440
0
                break;
441
0
              }
442
0
          if (!(j < DIM (table)))
443
0
            {
444
0
              xfree (tl);
445
0
              return GPG_ERR_INV_FLAG;
446
0
            }
447
0
        }
448
0
      xfree (tl);
449
0
    }
450
451
0
  return 0;
452
0
}
453
454
static inline void
455
drbg_string_fill (drbg_string_t *string,
456
                       const unsigned char *buf, size_t len)
457
0
{
458
0
  string->buf = buf;
459
0
  string->len = len;
460
0
  string->next = NULL;
461
0
}
462
463
static inline ushort
464
drbg_statelen (drbg_state_t drbg)
465
0
{
466
0
  if (drbg && drbg->core)
467
0
    return drbg->core->statelen;
468
0
  return 0;
469
0
}
470
471
static inline ushort
472
drbg_blocklen (drbg_state_t drbg)
473
0
{
474
0
  if (drbg && drbg->core)
475
0
    return drbg->core->blocklen_bytes;
476
0
  return 0;
477
0
}
478
479
static inline ushort
480
drbg_keylen (drbg_state_t drbg)
481
0
{
482
0
  if (drbg && drbg->core)
483
0
    return (drbg->core->statelen - drbg->core->blocklen_bytes);
484
0
  return 0;
485
0
}
486
487
static inline size_t
488
drbg_max_request_bytes (void)
489
0
{
490
  /* SP800-90A requires the limit 2**19 bits, but we return bytes */
491
0
  return (1 << 16);
492
0
}
493
494
static inline size_t
495
drbg_max_addtl (void)
496
0
{
497
  /* SP800-90A requires 2**35 bytes additional info str / pers str */
498
0
#ifdef __LP64__
499
0
  return (1UL << 35);
500
#else
501
  /*
502
   * SP800-90A allows smaller maximum numbers to be returned -- we
503
   * return SIZE_MAX - 1 to allow the verification of the enforcement
504
   * of this value in drbg_healthcheck_sanity.
505
   */
506
  return (SIZE_MAX - 1);
507
#endif
508
0
}
509
510
static inline size_t
511
drbg_max_requests (void)
512
0
{
513
  /* SP800-90A requires 2**48 maximum requests before reseeding */
514
0
#ifdef __LP64__
515
0
  return (1UL << 48);
516
#else
517
  return SIZE_MAX;
518
#endif
519
0
}
520
521
/*
522
 * Return strength of DRBG according to SP800-90A section 8.4
523
 *
524
 * flags: DRBG flags reference
525
 *
526
 * Return: normalized strength value or 32 as a default to counter
527
 *     programming errors
528
 */
529
static inline unsigned short
530
drbg_sec_strength (u32 flags)
531
0
{
532
0
  if ((flags & DRBG_HASHSHA1) || (flags & DRBG_SYM128))
533
0
    return 16;
534
0
  else if (flags & DRBG_SYM192)
535
0
    return 24;
536
0
  else if ((flags & DRBG_SYM256) || (flags & DRBG_HASHSHA256) ||
537
0
     (flags & DRBG_HASHSHA512))
538
0
    return 32;
539
0
  else
540
0
    return 32;
541
0
}
542
543
static void
544
drbg_add_buf (unsigned char *dst, size_t dstlen,
545
              unsigned char *add, size_t addlen)
546
0
{
547
  /* implied: dstlen > addlen */
548
0
  unsigned char *dstptr, *addptr;
549
0
  unsigned int remainder = 0;
550
0
  size_t len = addlen;
551
552
0
  dstptr = dst + (dstlen - 1);
553
0
  addptr = add + (addlen - 1);
554
0
  while (len)
555
0
    {
556
0
      remainder += *dstptr + *addptr;
557
0
      *dstptr = remainder & 0xff;
558
0
      remainder >>= 8;
559
0
      len--;
560
0
      dstptr--;
561
0
      addptr--;
562
0
    }
563
0
  len = dstlen - addlen;
564
0
  while (len && remainder > 0)
565
0
    {
566
0
      remainder = *dstptr + 1;
567
0
      *dstptr = remainder & 0xff;
568
0
      remainder >>= 8;
569
0
      len--;
570
0
      dstptr--;
571
0
    }
572
0
}
573
574
/* Helper variables for read_cb().
575
 *
576
 *   The _gcry_rnd*_gather_random interface does not allow to provide a
577
 *   data pointer.  Thus we need to use a global variable for
578
 *   communication.  However, the then required locking is anyway a good
579
 *   idea because it does not make sense to have several readers of (say
580
 *   /dev/random).  It is easier to serve them one after the other.
581
 */
582
static unsigned char *read_cb_buffer; /* The buffer.  */
583
static size_t read_cb_size;         /* Size of the buffer.  */
584
static size_t read_cb_len;          /* Used length.  */
585
586
/* Callback for generating seed from kernel device. */
587
static void
588
drbg_read_cb (const void *buffer, size_t length,
589
              enum random_origins origin)
590
0
{
591
0
  const unsigned char *p = buffer;
592
593
0
  (void) origin;
594
0
  gcry_assert (read_cb_buffer);
595
596
  /* Note that we need to protect against gatherers returning more
597
   * than the requested bytes (e.g. rndw32).  */
598
0
  while (length-- && read_cb_len < read_cb_size)
599
0
    read_cb_buffer[read_cb_len++] = *p++;
600
0
}
601
602
static inline int
603
drbg_get_entropy (drbg_state_t drbg, unsigned char *buffer,
604
           size_t len)
605
0
{
606
0
  int rc = 0;
607
608
  /* Perform testing as defined in 11.3.2 */
609
0
  if (drbg->test_data && drbg->test_data->fail_seed_source)
610
0
    return -1;
611
612
0
  read_cb_buffer = buffer;
613
0
  read_cb_size = len;
614
0
  read_cb_len = 0;
615
0
#if USE_RNDGETENTROPY
616
0
  rc = _gcry_rndgetentropy_gather_random (drbg_read_cb, 0, len,
617
0
                                          GCRY_VERY_STRONG_RANDOM);
618
#elif USE_RNDOLDLINUX
619
  rc = _gcry_rndoldlinux_gather_random (drbg_read_cb, 0, len,
620
                                        GCRY_VERY_STRONG_RANDOM);
621
#elif USE_RNDUNIX
622
  rc = _gcry_rndunix_gather_random (drbg_read_cb, 0, len,
623
            GCRY_VERY_STRONG_RANDOM);
624
#elif USE_RNDW32
625
  do
626
    {
627
      rc = _gcry_rndw32_gather_random (drbg_read_cb, 0, len,
628
               GCRY_VERY_STRONG_RANDOM);
629
    }
630
  while (rc >= 0 && read_cb_len < read_cb_size);
631
#else
632
  rc = -1;
633
#endif
634
0
  return rc;
635
0
}
636
637
/******************************************************************
638
 * CTR DRBG callback functions
639
 ******************************************************************/
640
641
/* BCC function for CTR DRBG as defined in 10.4.3 */
642
static gpg_err_code_t
643
drbg_ctr_bcc (drbg_state_t drbg,
644
              unsigned char *out, const unsigned char *key,
645
              drbg_string_t *in)
646
0
{
647
0
  gpg_err_code_t ret = GPG_ERR_GENERAL;
648
0
  drbg_string_t *curr = in;
649
0
  size_t inpos = curr->len;
650
0
  const unsigned char *pos = curr->buf;
651
0
  drbg_string_t data;
652
653
0
  drbg_string_fill (&data, out, drbg_blocklen (drbg));
654
655
  /* 10.4.3 step 1 */
656
0
  memset (out, 0, drbg_blocklen (drbg));
657
658
0
  ret = drbg_sym_setkey(drbg, key);
659
0
  if (ret)
660
0
    return ret;
661
662
  /* 10.4.3 step 2 / 4 */
663
0
  while (inpos)
664
0
    {
665
0
      short cnt = 0;
666
      /* 10.4.3 step 4.1 */
667
0
      for (cnt = 0; cnt < drbg_blocklen (drbg); cnt++)
668
0
  {
669
0
    out[cnt] ^= *pos;
670
0
    pos++;
671
0
    inpos--;
672
    /* the following branch implements the linked list
673
     * iteration. If we are at the end of the current data
674
     * set, we have to start using the next data set if
675
     * available -- the inpos value always points to the
676
     * current byte and will be zero if we have processed
677
     * the last byte of the last linked list member */
678
0
    if (0 == inpos)
679
0
      {
680
0
        curr = curr->next;
681
0
        if (NULL != curr)
682
0
    {
683
0
      pos = curr->buf;
684
0
      inpos = curr->len;
685
0
    }
686
0
        else
687
0
    {
688
0
      inpos = 0;
689
0
      break;
690
0
    }
691
0
      }
692
0
  }
693
      /* 10.4.3 step 4.2 */
694
0
      ret = drbg_sym (drbg, out, &data);
695
0
      if (ret)
696
0
  return ret;
697
      /* 10.4.3 step 2 */
698
0
    }
699
0
  return 0;
700
0
}
701
702
703
/*
704
 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
705
 * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
706
 * the scratchpad is used as follows:
707
 * drbg_ctr_update:
708
 *  temp
709
 *    start: drbg->scratchpad
710
 *    length: drbg_statelen(drbg) + drbg_blocklen(drbg)
711
 *      note: the cipher writing into this variable works
712
 *      blocklen-wise. Now, when the statelen is not a multiple
713
 *      of blocklen, the generateion loop below "spills over"
714
 *      by at most blocklen. Thus, we need to give sufficient
715
 *      memory.
716
 *  df_data
717
 *    start: drbg->scratchpad +
718
 *        drbg_statelen(drbg) +
719
 *        drbg_blocklen(drbg)
720
 *    length: drbg_statelen(drbg)
721
 *
722
 * drbg_ctr_df:
723
 *  pad
724
 *    start: df_data + drbg_statelen(drbg)
725
 *    length: drbg_blocklen(drbg)
726
 *  iv
727
 *    start: pad + drbg_blocklen(drbg)
728
 *    length: drbg_blocklen(drbg)
729
 *  temp
730
 *    start: iv + drbg_blocklen(drbg)
731
 *    length: drbg_satelen(drbg) + drbg_blocklen(drbg)
732
 *      note: temp is the buffer that the BCC function operates
733
 *      on. BCC operates blockwise. drbg_statelen(drbg)
734
 *      is sufficient when the DRBG state length is a multiple
735
 *      of the block size. For AES192 (and maybe other ciphers)
736
 *      this is not correct and the length for temp is
737
 *      insufficient (yes, that also means for such ciphers,
738
 *      the final output of all BCC rounds are truncated).
739
 *      Therefore, add drbg_blocklen(drbg) to cover all
740
 *      possibilities.
741
 */
742
743
/* Derivation Function for CTR DRBG as defined in 10.4.2 */
744
static gpg_err_code_t
745
drbg_ctr_df (drbg_state_t drbg, unsigned char *df_data,
746
             size_t bytes_to_return, drbg_string_t *addtl)
747
0
{
748
0
  gpg_err_code_t ret = GPG_ERR_GENERAL;
749
0
  unsigned char L_N[8];
750
  /* S3 is input */
751
0
  drbg_string_t S1, S2, S4, cipherin;
752
0
  drbg_string_t *tempstr = addtl;
753
0
  unsigned char *pad = df_data + drbg_statelen (drbg);
754
0
  unsigned char *iv = pad + drbg_blocklen (drbg);
755
0
  unsigned char *temp = iv + drbg_blocklen (drbg);
756
0
  size_t padlen = 0;
757
0
  unsigned int templen = 0;
758
  /* 10.4.2 step 7 */
759
0
  unsigned int i = 0;
760
  /* 10.4.2 step 8 */
761
0
  const unsigned char *K = (unsigned char *)
762
0
    "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
763
0
    "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
764
0
  unsigned char *X;
765
0
  size_t generated_len = 0;
766
0
  size_t inputlen = 0;
767
768
0
  memset (pad, 0, drbg_blocklen (drbg));
769
0
  memset (iv, 0, drbg_blocklen (drbg));
770
0
  memset (temp, 0, drbg_statelen (drbg));
771
772
  /* 10.4.2 step 1 is implicit as we work byte-wise */
773
774
  /* 10.4.2 step 2 */
775
0
  if ((512 / 8) < bytes_to_return)
776
0
    return GPG_ERR_INV_ARG;
777
778
  /* 10.4.2 step 2 -- calculate the entire length of all input data */
779
0
  for (; NULL != tempstr; tempstr = tempstr->next)
780
0
    inputlen += tempstr->len;
781
0
  buf_put_be32 (&L_N[0], inputlen);
782
783
  /* 10.4.2 step 3 */
784
0
  buf_put_be32 (&L_N[4], bytes_to_return);
785
786
  /* 10.4.2 step 5: length is size of L_N, input_string, one byte, padding */
787
0
  padlen = (inputlen + sizeof (L_N) + 1) % (drbg_blocklen (drbg));
788
  /* wrap the padlen appropriately */
789
0
  if (padlen)
790
0
    padlen = drbg_blocklen (drbg) - padlen;
791
  /* pad / padlen contains the 0x80 byte and the following zero bytes, so
792
   * add one for byte for 0x80 */
793
0
  padlen++;
794
0
  pad[0] = 0x80;
795
796
  /* 10.4.2 step 4 -- first fill the linked list and then order it */
797
0
  drbg_string_fill (&S1, iv, drbg_blocklen (drbg));
798
0
  drbg_string_fill (&S2, L_N, sizeof (L_N));
799
0
  drbg_string_fill (&S4, pad, padlen);
800
0
  S1.next = &S2;
801
0
  S2.next = addtl;
802
803
  /* Splice in addtl between S2 and S4 -- we place S4 at the end of the
804
   * input data chain. As this code is only triggered when addtl is not
805
   * NULL, no NULL checks are necessary.*/
806
0
  tempstr = addtl;
807
0
  while (tempstr->next)
808
0
    tempstr = tempstr->next;
809
0
  tempstr->next = &S4;
810
811
  /* 10.4.2 step 9 */
812
0
  while (templen < (drbg_keylen (drbg) + (drbg_blocklen (drbg))))
813
0
    {
814
      /* 10.4.2 step 9.1 - the padding is implicit as the buffer
815
       * holds zeros after allocation -- even the increment of i
816
       * is irrelevant as the increment remains within length of i */
817
0
      buf_put_be32 (iv, i);
818
      /* 10.4.2 step 9.2 -- BCC and concatenation with temp */
819
0
      ret = drbg_ctr_bcc (drbg, temp + templen, K, &S1);
820
0
      if (ret)
821
0
  goto out;
822
      /* 10.4.2 step 9.3 */
823
0
      i++;
824
0
      templen += drbg_blocklen (drbg);
825
0
    }
826
827
  /* 10.4.2 step 11 */
828
  /* implicit key len with seedlen - blocklen according to table 3 */
829
0
  X = temp + (drbg_keylen (drbg));
830
0
  drbg_string_fill (&cipherin, X, drbg_blocklen (drbg));
831
832
  /* 10.4.2 step 12: overwriting of outval */
833
834
  /* 10.4.2 step 13 */
835
0
  ret = drbg_sym_setkey(drbg, temp);
836
0
  if (ret)
837
0
    goto out;
838
0
  while (generated_len < bytes_to_return)
839
0
    {
840
0
      short blocklen = 0;
841
      /* 10.4.2 step 13.1 */
842
      /* the truncation of the key length is implicit as the key
843
       * is only drbg_blocklen in size -- check for the implementation
844
       * of the cipher function callback */
845
0
      ret = drbg_sym (drbg, X, &cipherin);
846
0
      if (ret)
847
0
  goto out;
848
0
      blocklen = (drbg_blocklen (drbg) < (bytes_to_return - generated_len)) ?
849
0
  drbg_blocklen (drbg) : (bytes_to_return - generated_len);
850
      /* 10.4.2 step 13.2 and 14 */
851
0
      memcpy (df_data + generated_len, X, blocklen);
852
0
      generated_len += blocklen;
853
0
    }
854
855
0
  ret = 0;
856
857
0
 out:
858
0
  memset (iv, 0, drbg_blocklen (drbg));
859
0
  memset (temp, 0, drbg_statelen (drbg));
860
0
  memset (pad, 0, drbg_blocklen (drbg));
861
0
  return ret;
862
0
}
863
864
/*
865
 * Update function of CTR DRBG as defined in 10.2.1.2
866
 *
867
 * The reseed variable has an enhanced meaning compared to the update
868
 * functions of the other DRBGs as follows:
869
 * 0 => initial seed from initialization
870
 * 1 => reseed via drbg_seed
871
 * 2 => first invocation from drbg_ctr_update when addtl is present. In
872
 *      this case, the df_data scratchpad is not deleted so that it is
873
 *      available for another calls to prevent calling the DF function
874
 *      again.
875
 * 3 => second invocation from drbg_ctr_update. When the update function
876
 *      was called with addtl, the df_data memory already contains the
877
 *      DFed addtl information and we do not need to call DF again.
878
 */
879
static gpg_err_code_t
880
drbg_ctr_update (drbg_state_t drbg, drbg_string_t *addtl, int reseed)
881
0
{
882
0
  gpg_err_code_t ret = GPG_ERR_GENERAL;
883
  /* 10.2.1.2 step 1 */
884
0
  unsigned char *temp = drbg->scratchpad;
885
0
  unsigned char *df_data = drbg->scratchpad +
886
0
    drbg_statelen (drbg) + drbg_blocklen (drbg);
887
0
  unsigned char prefix = DRBG_PREFIX1;
888
889
0
  memset (temp, 0, drbg_statelen (drbg) + drbg_blocklen (drbg));
890
0
  if (3 > reseed)
891
0
    memset (df_data, 0, drbg_statelen (drbg));
892
893
0
  if (!reseed)
894
0
    {
895
      /*
896
       * The DRBG uses the CTR mode of the underlying AES cipher. The
897
       * CTR mode increments the counter value after the AES operation
898
       * but SP800-90A requires that the counter is incremented before
899
       * the AES operation. Hence, we increment it at the time we set
900
       * it by one.
901
       */
902
0
      drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
903
904
0
      ret = _gcry_cipher_setkey (drbg->ctr_handle, drbg->C, drbg_keylen (drbg));
905
0
      if (ret)
906
0
        goto out;
907
0
    }
908
909
  /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
910
0
  if (addtl && 0 < addtl->len)
911
0
    {
912
0
      ret =
913
0
  drbg_ctr_df (drbg, df_data, drbg_statelen (drbg), addtl);
914
0
      if (ret)
915
0
  goto out;
916
0
    }
917
918
0
  ret = drbg_sym_ctr (drbg, df_data, drbg_statelen(drbg),
919
0
          temp, drbg_statelen(drbg));
920
0
  if (ret)
921
0
    goto out;
922
923
  /* 10.2.1.2 step 5 */
924
0
  ret = _gcry_cipher_setkey (drbg->ctr_handle, temp, drbg_keylen (drbg));
925
0
  if (ret)
926
0
    goto out;
927
928
  /* 10.2.1.2 step 6 */
929
0
  memcpy (drbg->V, temp + drbg_keylen (drbg), drbg_blocklen (drbg));
930
  /* See above: increment counter by one to compensate timing of CTR op */
931
0
  drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
932
0
  ret = 0;
933
934
0
 out:
935
0
  memset (temp, 0, drbg_statelen (drbg) + drbg_blocklen (drbg));
936
0
  if (2 != reseed)
937
0
    memset (df_data, 0, drbg_statelen (drbg));
938
0
  return ret;
939
0
}
940
941
/*
942
 * scratchpad use: drbg_ctr_update is called independently from
943
 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
944
 */
945
/* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
946
static gpg_err_code_t
947
drbg_ctr_generate (drbg_state_t drbg,
948
                   unsigned char *buf, unsigned int buflen,
949
                   drbg_string_t *addtl)
950
0
{
951
0
  static const unsigned char drbg_ctr_null[DRBG_CTR_NULL_LEN] = { 0, };
952
0
  gpg_err_code_t ret = 0;
953
954
0
  memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
955
956
  /* 10.2.1.5.2 step 2 */
957
0
  if (addtl && 0 < addtl->len)
958
0
    {
959
0
      addtl->next = NULL;
960
0
      ret = drbg_ctr_update (drbg, addtl, 2);
961
0
      if (ret)
962
0
  return ret;
963
0
    }
964
965
  /* 10.2.1.5.2 step 4.1 */
966
0
  ret = drbg_sym_ctr (drbg, drbg_ctr_null, sizeof(drbg_ctr_null), buf, buflen);
967
0
  if (ret)
968
0
    goto out;
969
970
  /* 10.2.1.5.2 step 6 */
971
0
  if (addtl)
972
0
    addtl->next = NULL;
973
0
  ret = drbg_ctr_update (drbg, addtl, 3);
974
975
0
 out:
976
0
  return ret;
977
0
}
978
979
static struct drbg_state_ops_s drbg_ctr_ops = {
980
  drbg_ctr_update,
981
  drbg_ctr_generate,
982
  drbg_sym_init,
983
  drbg_sym_fini,
984
};
985
986
/******************************************************************
987
 * HMAC DRBG callback functions
988
 ******************************************************************/
989
990
static gpg_err_code_t
991
drbg_hmac_update (drbg_state_t drbg, drbg_string_t *seed, int reseed)
992
0
{
993
0
  gpg_err_code_t ret = GPG_ERR_GENERAL;
994
0
  int i = 0;
995
0
  drbg_string_t seed1, seed2, cipherin;
996
997
0
  if (!reseed)
998
0
    {
999
      /* 10.1.2.3 step 2 already implicitly covered with
1000
       * the initial memset(0) of drbg->C */
1001
0
      memset (drbg->V, 1, drbg_statelen (drbg));
1002
0
      ret = drbg_hmac_setkey (drbg, drbg->C);
1003
0
      if (ret)
1004
0
  return ret;
1005
0
    }
1006
1007
  /* build linked list which implements the concatenation and fill
1008
   * first part*/
1009
0
  drbg_string_fill (&seed1, drbg->V, drbg_statelen (drbg));
1010
  /* buffer will be filled in for loop below with one byte */
1011
0
  drbg_string_fill (&seed2, NULL, 1);
1012
0
  seed1.next = &seed2;
1013
  /* seed may be NULL */
1014
0
  seed2.next = seed;
1015
1016
0
  drbg_string_fill (&cipherin, drbg->V, drbg_statelen (drbg));
1017
  /* we execute two rounds of V/K massaging */
1018
0
  for (i = 2; 0 < i; i--)
1019
0
    {
1020
0
      byte *retval;
1021
      /* first round uses 0x0, second 0x1 */
1022
0
      unsigned char prefix = DRBG_PREFIX0;
1023
0
      if (1 == i)
1024
0
  prefix = DRBG_PREFIX1;
1025
      /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
1026
0
      seed2.buf = &prefix;
1027
0
      retval = drbg_hash (drbg, &seed1);
1028
0
      ret = drbg_hmac_setkey (drbg, retval);
1029
0
      if (ret)
1030
0
  return ret;
1031
1032
      /* 10.1.2.2 step 2 and 5 -- HMAC for V */
1033
0
      retval = drbg_hash (drbg, &cipherin);
1034
0
      memcpy(drbg->V, retval, drbg_blocklen (drbg));
1035
1036
      /* 10.1.2.2 step 3 */
1037
0
      if (!seed || 0 == seed->len)
1038
0
  return ret;
1039
0
    }
1040
0
  return 0;
1041
0
}
1042
1043
/* generate function of HMAC DRBG as defined in 10.1.2.5 */
1044
static gpg_err_code_t
1045
drbg_hmac_generate (drbg_state_t drbg, unsigned char *buf, unsigned int buflen,
1046
                    drbg_string_t *addtl)
1047
0
{
1048
0
  gpg_err_code_t ret = 0;
1049
0
  unsigned int len = 0;
1050
0
  drbg_string_t data;
1051
1052
  /* 10.1.2.5 step 2 */
1053
0
  if (addtl && 0 < addtl->len)
1054
0
    {
1055
0
      addtl->next = NULL;
1056
0
      ret = drbg_hmac_update (drbg, addtl, 1);
1057
0
      if (ret)
1058
0
  return ret;
1059
0
    }
1060
1061
0
  drbg_string_fill (&data, drbg->V, drbg_statelen (drbg));
1062
0
  while (len < buflen)
1063
0
    {
1064
0
      unsigned int outlen = 0;
1065
      /* 10.1.2.5 step 4.1 */
1066
0
      byte *retval = drbg_hash (drbg, &data);
1067
0
      memcpy(drbg->V, retval, drbg_blocklen (drbg));
1068
0
      outlen = (drbg_blocklen (drbg) < (buflen - len)) ?
1069
0
  drbg_blocklen (drbg) : (buflen - len);
1070
1071
      /* 10.1.2.5 step 4.2 */
1072
0
      memcpy (buf + len, drbg->V, outlen);
1073
0
      len += outlen;
1074
0
    }
1075
1076
  /* 10.1.2.5 step 6 */
1077
0
  if (addtl)
1078
0
    addtl->next = NULL;
1079
0
  ret = drbg_hmac_update (drbg, addtl, 1);
1080
1081
0
  return ret;
1082
0
}
1083
1084
static struct drbg_state_ops_s drbg_hmac_ops = {
1085
  drbg_hmac_update,
1086
  drbg_hmac_generate,
1087
  drbg_hmac_init,
1088
  drbg_hash_fini,
1089
};
1090
1091
/******************************************************************
1092
 * Hash DRBG callback functions
1093
 ******************************************************************/
1094
1095
/*
1096
 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
1097
 * interlinked, the scratchpad is used as follows:
1098
 * drbg_hash_update
1099
 *  start: drbg->scratchpad
1100
 *  length: drbg_statelen(drbg)
1101
 * drbg_hash_df:
1102
 *  start: drbg->scratchpad + drbg_statelen(drbg)
1103
 *  length: drbg_blocklen(drbg)
1104
 */
1105
/* Derivation Function for Hash DRBG as defined in 10.4.1 */
1106
static gpg_err_code_t
1107
drbg_hash_df (drbg_state_t drbg,
1108
              unsigned char *outval, size_t outlen,
1109
              drbg_string_t *entropy)
1110
0
{
1111
0
  size_t len = 0;
1112
0
  unsigned char input[5];
1113
0
  drbg_string_t data1;
1114
1115
  /* 10.4.1 step 3 */
1116
0
  input[0] = 1;
1117
0
  buf_put_be32 (&input[1], (outlen * 8));
1118
1119
  /* 10.4.1 step 4.1 -- concatenation of data for input into hash */
1120
0
  drbg_string_fill (&data1, input, 5);
1121
0
  data1.next = entropy;
1122
1123
  /* 10.4.1 step 4 */
1124
0
  while (len < outlen)
1125
0
    {
1126
0
      short blocklen = 0;
1127
      /* 10.4.1 step 4.1 */
1128
0
      byte *retval = drbg_hash (drbg, &data1);
1129
      /* 10.4.1 step 4.2 */
1130
0
      input[0]++;
1131
0
      blocklen = (drbg_blocklen (drbg) < (outlen - len)) ?
1132
0
  drbg_blocklen (drbg) : (outlen - len);
1133
0
      memcpy (outval + len, retval, blocklen);
1134
0
      len += blocklen;
1135
0
    }
1136
1137
0
  return 0;
1138
0
}
1139
1140
/* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
1141
static gpg_err_code_t
1142
drbg_hash_update (drbg_state_t drbg, drbg_string_t *seed, int reseed)
1143
0
{
1144
0
  gpg_err_code_t ret = 0;
1145
0
  drbg_string_t data1, data2;
1146
0
  unsigned char *V = drbg->scratchpad;
1147
0
  unsigned char prefix = DRBG_PREFIX1;
1148
1149
0
  memset (drbg->scratchpad, 0, drbg_statelen (drbg));
1150
0
  if (!seed)
1151
0
    return GPG_ERR_INV_ARG;
1152
1153
0
  if (reseed)
1154
0
    {
1155
      /* 10.1.1.3 step 1: string length is concatenation of
1156
       * 1 byte, V and seed (which is concatenated entropy/addtl
1157
       * input)
1158
       */
1159
0
      memcpy (V, drbg->V, drbg_statelen (drbg));
1160
0
      drbg_string_fill (&data1, &prefix, 1);
1161
0
      drbg_string_fill (&data2, V, drbg_statelen (drbg));
1162
0
      data1.next = &data2;
1163
0
      data2.next = seed;
1164
0
    }
1165
0
  else
1166
0
    {
1167
0
      drbg_string_fill (&data1, seed->buf, seed->len);
1168
0
      data1.next = seed->next;
1169
0
    }
1170
1171
  /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
1172
0
  ret = drbg_hash_df (drbg, drbg->V, drbg_statelen (drbg), &data1);
1173
0
  if (ret)
1174
0
    goto out;
1175
1176
  /* 10.1.1.2 / 10.1.1.3 step 4 -- concatenation  */
1177
0
  prefix = DRBG_PREFIX0;
1178
0
  drbg_string_fill (&data1, &prefix, 1);
1179
0
  drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg));
1180
0
  data1.next = &data2;
1181
  /* 10.1.1.2 / 10.1.1.3 step 4 -- df operation */
1182
0
  ret = drbg_hash_df (drbg, drbg->C, drbg_statelen (drbg), &data1);
1183
1184
0
 out:
1185
0
  memset (drbg->scratchpad, 0, drbg_statelen (drbg));
1186
0
  return ret;
1187
0
}
1188
1189
/* Processing of additional information string for Hash DRBG.  */
1190
static gpg_err_code_t
1191
drbg_hash_process_addtl (drbg_state_t drbg, drbg_string_t *addtl)
1192
0
{
1193
0
  drbg_string_t data1, data2;
1194
0
  drbg_string_t *data3;
1195
0
  unsigned char prefix = DRBG_PREFIX2;
1196
0
  byte *retval;
1197
1198
  /* 10.1.1.4 step 2 */
1199
0
  if (!addtl || 0 == addtl->len)
1200
0
    return 0;
1201
1202
  /* 10.1.1.4 step 2a -- concatenation */
1203
0
  drbg_string_fill (&data1, &prefix, 1);
1204
0
  drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg));
1205
0
  data3 = addtl;
1206
0
  data1.next = &data2;
1207
0
  data2.next = data3;
1208
0
  data3->next = NULL;
1209
  /* 10.1.1.4 step 2a -- cipher invocation */
1210
0
  retval = drbg_hash (drbg, &data1);
1211
1212
  /* 10.1.1.4 step 2b */
1213
0
  drbg_add_buf (drbg->V, drbg_statelen (drbg), retval, drbg_blocklen (drbg));
1214
1215
0
  return 0;
1216
0
}
1217
1218
/*
1219
 * Hashgen defined in 10.1.1.4
1220
 */
1221
static gpg_err_code_t
1222
drbg_hash_hashgen (drbg_state_t drbg, unsigned char *buf, unsigned int buflen)
1223
0
{
1224
0
  unsigned int len = 0;
1225
0
  unsigned char *src = drbg->scratchpad;
1226
0
  drbg_string_t data;
1227
0
  unsigned char prefix = DRBG_PREFIX1;
1228
1229
  /* 10.1.1.4 step hashgen 2 */
1230
0
  memcpy (src, drbg->V, drbg_statelen (drbg));
1231
1232
0
  drbg_string_fill (&data, src, drbg_statelen (drbg));
1233
0
  while (len < buflen)
1234
0
    {
1235
0
      unsigned int outlen = 0;
1236
      /* 10.1.1.4 step hashgen 4.1 */
1237
0
      byte *retval = drbg_hash (drbg, &data);
1238
0
      outlen = (drbg_blocklen (drbg) < (buflen - len)) ?
1239
0
  drbg_blocklen (drbg) : (buflen - len);
1240
      /* 10.1.1.4 step hashgen 4.2 */
1241
0
      memcpy (buf + len, retval, outlen);
1242
0
      len += outlen;
1243
      /* 10.1.1.4 hashgen step 4.3 */
1244
0
      if (len < buflen)
1245
0
  drbg_add_buf (src, drbg_statelen (drbg), &prefix, 1);
1246
0
    }
1247
1248
0
  memset (drbg->scratchpad, 0, drbg_statelen (drbg));
1249
0
  return 0;
1250
0
}
1251
1252
/* Generate function for Hash DRBG as defined in 10.1.1.4  */
1253
static gpg_err_code_t
1254
drbg_hash_generate (drbg_state_t drbg, unsigned char *buf, unsigned int buflen,
1255
        drbg_string_t *addtl)
1256
0
{
1257
0
  gpg_err_code_t ret;
1258
0
  unsigned char prefix = DRBG_PREFIX3;
1259
0
  drbg_string_t data1, data2;
1260
0
  byte *retval;
1261
0
  union
1262
0
  {
1263
0
    unsigned char req[8];
1264
0
    u64 req_int;
1265
0
  } u;
1266
1267
  /* 10.1.1.4 step 2 */
1268
0
  ret = drbg_hash_process_addtl (drbg, addtl);
1269
0
  if (ret)
1270
0
    return ret;
1271
  /* 10.1.1.4 step 3 -- invocation of the Hashgen function defined in
1272
   * 10.1.1.4 */
1273
0
  ret = drbg_hash_hashgen (drbg, buf, buflen);
1274
0
  if (ret)
1275
0
    return ret;
1276
1277
  /* 10.1.1.4 step 4 */
1278
0
  drbg_string_fill (&data1, &prefix, 1);
1279
0
  drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg));
1280
0
  data1.next = &data2;
1281
1282
  /* this is the value H as documented in 10.1.1.4 */
1283
0
  retval = drbg_hash (drbg, &data1);
1284
1285
  /* 10.1.1.4 step 5 */
1286
0
  drbg_add_buf (drbg->V, drbg_statelen (drbg), retval, drbg_blocklen (drbg));
1287
0
  drbg_add_buf (drbg->V, drbg_statelen (drbg), drbg->C, drbg_statelen (drbg));
1288
0
  u.req_int = be_bswap64 (drbg->reseed_ctr);
1289
0
  drbg_add_buf (drbg->V, drbg_statelen (drbg), u.req, sizeof (u.req));
1290
1291
0
  return ret;
1292
0
}
1293
1294
/*
1295
 * scratchpad usage: as update and generate are used isolated, both
1296
 * can use the scratchpad
1297
 */
1298
static struct drbg_state_ops_s drbg_hash_ops = {
1299
  drbg_hash_update,
1300
  drbg_hash_generate,
1301
  drbg_hash_init,
1302
  drbg_hash_fini,
1303
};
1304
1305
/******************************************************************
1306
 * Functions common for DRBG implementations
1307
 ******************************************************************/
1308
1309
/*
1310
 * Seeding or reseeding of the DRBG
1311
 *
1312
 * @drbg: DRBG state struct
1313
 * @pers: personalization / additional information buffer
1314
 * @reseed: 0 for initial seed process, 1 for reseeding
1315
 *
1316
 * return:
1317
 *  0 on success
1318
 *  error value otherwise
1319
 */
1320
static gpg_err_code_t
1321
drbg_seed (drbg_state_t drbg, drbg_string_t *pers, int reseed)
1322
0
{
1323
0
  gpg_err_code_t ret = 0;
1324
0
  unsigned char *entropy = NULL;
1325
0
  size_t entropylen = 0;
1326
0
  drbg_string_t data1;
1327
1328
  /* 9.1 / 9.2 / 9.3.1 step 3 */
1329
0
  if (pers && pers->len > (drbg_max_addtl ()))
1330
0
    {
1331
0
      dbg (("DRBG: personalization string too long %lu\n", pers->len));
1332
0
      return GPG_ERR_INV_ARG;
1333
0
    }
1334
0
  if (drbg->test_data && drbg->test_data->testentropy)
1335
0
    {
1336
0
      drbg_string_fill (&data1, drbg->test_data->testentropy->buf,
1337
0
           drbg->test_data->testentropy->len);
1338
0
      dbg (("DRBG: using test entropy\n"));
1339
0
    }
1340
0
  else
1341
0
    {
1342
      /* Gather entropy equal to the security strength of the DRBG.
1343
       * With a derivation function, a nonce is required in addition
1344
       * to the entropy. A nonce must be at least 1/2 of the security
1345
       * strength of the DRBG in size. Thus, entropy * nonce is 3/2
1346
       * of the strength. The consideration of a nonce is only
1347
       * applicable during initial seeding. */
1348
0
      entropylen = drbg_sec_strength (drbg->core->flags);
1349
0
      if (!entropylen)
1350
0
  return GPG_ERR_GENERAL;
1351
0
      if (0 == reseed)
1352
  /* make sure we round up strength/2 in
1353
   * case it is not divisible by 2 */
1354
0
  entropylen = ((entropylen + 1) / 2) * 3;
1355
0
      dbg (("DRBG: (re)seeding with %lu bytes of entropy\n", entropylen));
1356
0
      entropy = xcalloc_secure (1, entropylen);
1357
0
      if (!entropy)
1358
0
  return GPG_ERR_ENOMEM;
1359
0
      ret = drbg_get_entropy (drbg, entropy, entropylen);
1360
0
      if (ret)
1361
0
  goto out;
1362
0
      drbg_string_fill (&data1, entropy, entropylen);
1363
0
    }
1364
1365
  /* concatenation of entropy with personalization str / addtl input)
1366
   * the variable pers is directly handed by the caller, check its
1367
   * contents whether it is appropriate */
1368
0
  if (pers && pers->buf && 0 < pers->len && NULL == pers->next)
1369
0
    {
1370
0
      data1.next = pers;
1371
0
      dbg (("DRBG: using personalization string\n"));
1372
0
    }
1373
1374
0
  ret = drbg->d_ops->update (drbg, &data1, reseed);
1375
0
  dbg (("DRBG: state updated with seed\n"));
1376
0
  if (ret)
1377
0
    goto out;
1378
0
  drbg->seeded = 1;
1379
  /* 10.1.1.2 / 10.1.1.3 step 5 */
1380
0
  drbg->reseed_ctr = 1;
1381
1382
0
 out:
1383
0
  xfree (entropy);
1384
0
  return ret;
1385
0
}
1386
1387

1388
/*************************************************************************
1389
 * Exported interfaces.
1390
 *************************************************************************/
1391
1392
/*
1393
 * DRBG generate function as required by SP800-90A - this function
1394
 * generates random numbers
1395
 *
1396
 * @drbg   DRBG state handle
1397
 * @buf    Buffer where to store the random numbers -- the buffer must already
1398
 *         be pre-allocated by caller
1399
 * @buflen Length of output buffer - this value defines the number of random
1400
 *     bytes pulled from DRBG
1401
 * @addtl  Additional input that is mixed into state, may be NULL -- note
1402
 *     the entropy is pulled by the DRBG internally unconditionally
1403
 *     as defined in SP800-90A. The additional input is mixed into
1404
 *     the state in addition to the pulled entropy.
1405
 *
1406
 * return: Generated number of bytes.
1407
 */
1408
static gpg_err_code_t
1409
drbg_generate (drbg_state_t drbg,
1410
               unsigned char *buf, unsigned int buflen,
1411
               drbg_string_t *addtl)
1412
0
{
1413
0
  gpg_err_code_t ret = GPG_ERR_INV_ARG;
1414
1415
0
  if (0 == buflen || !buf)
1416
0
    {
1417
0
      dbg (("DRBG: no buffer provided\n"));
1418
0
      return ret;
1419
0
    }
1420
0
  if (addtl && NULL == addtl->buf && 0 < addtl->len)
1421
0
    {
1422
0
      dbg (("DRBG: wrong format of additional information\n"));
1423
0
      return ret;
1424
0
    }
1425
1426
  /* 9.3.1 step 2 */
1427
0
  if (buflen > (drbg_max_request_bytes ()))
1428
0
    {
1429
0
      dbg (("DRBG: requested random numbers too large %u\n", buflen));
1430
0
      return ret;
1431
0
    }
1432
  /* 9.3.1 step 3 is implicit with the chosen DRBG */
1433
  /* 9.3.1 step 4 */
1434
0
  if (addtl && addtl->len > (drbg_max_addtl ()))
1435
0
    {
1436
0
      dbg (("DRBG: additional information string too long %lu\n",
1437
0
      addtl->len));
1438
0
      return ret;
1439
0
    }
1440
  /* 9.3.1 step 5 is implicit with the chosen DRBG */
1441
  /* 9.3.1 step 6 and 9 supplemented by 9.3.2 step c -- the spec is a
1442
   * bit convoluted here, we make it simpler */
1443
0
  if ((drbg_max_requests ()) < drbg->reseed_ctr)
1444
0
    drbg->seeded = 0;
1445
1446
0
  if (drbg->pr || !drbg->seeded)
1447
0
    {
1448
0
      dbg (("DRBG: reseeding before generation (prediction resistance: %s, state %s)\n", drbg->pr ? "true" : "false", drbg->seeded ? "seeded" : "unseeded"));
1449
      /* 9.3.1 steps 7.1 through 7.3 */
1450
0
      ret = drbg_seed (drbg, addtl, 1);
1451
0
      if (ret)
1452
0
  return ret;
1453
      /* 9.3.1 step 7.4 */
1454
0
      addtl = NULL;
1455
0
    }
1456
1457
0
  if (addtl && addtl->buf)
1458
0
    {
1459
0
      dbg (("DRBG: using additional information string\n"));
1460
0
    }
1461
1462
  /* 9.3.1 step 8 and 10 */
1463
0
  ret = drbg->d_ops->generate (drbg, buf, buflen, addtl);
1464
1465
  /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1466
0
  drbg->reseed_ctr++;
1467
0
  if (ret)
1468
0
    return ret;
1469
1470
  /* 11.3.3 -- re-perform self tests after some generated random
1471
   * numbers, the chosen value after which self test is performed
1472
   * is arbitrary, but it should be reasonable */
1473
  /* Here we do not perform the self tests because of the following
1474
   * reasons: it is mathematically impossible that the initial self tests
1475
   * were successfully and the following are not. If the initial would
1476
   * pass and the following would not, the system integrity is violated.
1477
   * In this case, the entire system operation is questionable and it
1478
   * is unlikely that the integrity violation only affects to the
1479
   * correct operation of the DRBG.
1480
   */
1481
#if 0
1482
  if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096))
1483
    {
1484
      dbg (("DRBG: start to perform self test\n"));
1485
      ret = drbg_healthcheck ();
1486
      if (ret)
1487
  {
1488
    log_fatal (("DRBG: self test failed\n"));
1489
    return ret;
1490
  }
1491
      else
1492
  {
1493
    dbg (("DRBG: self test successful\n"));
1494
  }
1495
    }
1496
#endif
1497
1498
0
  return ret;
1499
0
}
1500
1501
/*
1502
 * Wrapper around drbg_generate which can pull arbitrary long strings
1503
 * from the DRBG without hitting the maximum request limitation.
1504
 *
1505
 * Parameters: see drbg_generate
1506
 * Return codes: see drbg_generate -- if one drbg_generate request fails,
1507
 *     the entire drbg_generate_long request fails
1508
 */
1509
static gpg_err_code_t
1510
drbg_generate_long (drbg_state_t drbg,
1511
                    unsigned char *buf, unsigned int buflen,
1512
                    drbg_string_t *addtl)
1513
0
{
1514
0
  gpg_err_code_t ret = 0;
1515
0
  unsigned int slice = 0;
1516
0
  unsigned char *buf_p = buf;
1517
0
  unsigned len = 0;
1518
0
  do
1519
0
    {
1520
0
      unsigned int chunk = 0;
1521
0
      slice = ((buflen - len) / drbg_max_request_bytes ());
1522
0
      chunk = slice ? drbg_max_request_bytes () : (buflen - len);
1523
0
      ret = drbg_generate (drbg, buf_p, chunk, addtl);
1524
0
      if (ret)
1525
0
  return ret;
1526
0
      buf_p += chunk;
1527
0
      len += chunk;
1528
0
    }
1529
0
  while (slice > 0 && (len < buflen));
1530
0
  return ret;
1531
0
}
1532
1533
/*
1534
 * DRBG uninstantiate function as required by SP800-90A - this function
1535
 * frees all buffers and the DRBG handle
1536
 *
1537
 * @drbg DRBG state handle
1538
 *
1539
 * return
1540
 *  0 on success
1541
 */
1542
static gpg_err_code_t
1543
drbg_uninstantiate (drbg_state_t drbg)
1544
0
{
1545
0
  if (!drbg)
1546
0
    return GPG_ERR_INV_ARG;
1547
0
  drbg->d_ops->crypto_fini(drbg);
1548
0
  xfree (drbg->V);
1549
0
  drbg->V = NULL;
1550
0
  xfree (drbg->C);
1551
0
  drbg->C = NULL;
1552
0
  drbg->reseed_ctr = 0;
1553
0
  xfree (drbg->scratchpad);
1554
0
  drbg->scratchpad = NULL;
1555
0
  drbg->seeded = 0;
1556
0
  drbg->pr = 0;
1557
0
  drbg->seed_init_pid = 0;
1558
0
  return 0;
1559
0
}
1560
1561
/*
1562
 * DRBG instantiation function as required by SP800-90A - this function
1563
 * sets up the DRBG handle, performs the initial seeding and all sanity
1564
 * checks required by SP800-90A
1565
 *
1566
 * @drbg memory of state -- if NULL, new memory is allocated
1567
 * @pers Personalization string that is mixed into state, may be NULL -- note
1568
 *   the entropy is pulled by the DRBG internally unconditionally
1569
 *   as defined in SP800-90A. The additional input is mixed into
1570
 *   the state in addition to the pulled entropy.
1571
 * @coreref reference to core
1572
 * @flags Flags defining the requested DRBG type and cipher type. The flags
1573
 *    are defined in drbg.h and may be XORed. Beware, if you XOR multiple
1574
 *    cipher types together, the code picks the core on a first come first
1575
 *    serve basis as it iterates through the available cipher cores and
1576
 *    uses the one with the first match. The minimum required flags are:
1577
 *    cipher type flag
1578
 *
1579
 * return
1580
 *  0 on success
1581
 *  error value otherwise
1582
 */
1583
static gpg_err_code_t
1584
drbg_instantiate (drbg_state_t drbg,
1585
                  drbg_string_t *pers, int coreref, int pr)
1586
0
{
1587
0
  gpg_err_code_t ret = GPG_ERR_ENOMEM;
1588
0
  unsigned int sb_size = 0;
1589
1590
0
  if (!drbg)
1591
0
    return GPG_ERR_INV_ARG;
1592
1593
0
  dbg (("DRBG: Initializing DRBG core %d with prediction resistance %s\n",
1594
0
  coreref, pr ? "enabled" : "disabled"));
1595
0
  drbg->core = &drbg_cores[coreref];
1596
0
  drbg->pr = pr;
1597
0
  drbg->seeded = 0;
1598
0
  if (drbg->core->flags & DRBG_HMAC)
1599
0
    drbg->d_ops = &drbg_hmac_ops;
1600
0
  else if (drbg->core->flags & DRBG_HASH_MASK)
1601
0
    drbg->d_ops = &drbg_hash_ops;
1602
0
  else if (drbg->core->flags & DRBG_CTR_MASK)
1603
0
    drbg->d_ops = &drbg_ctr_ops;
1604
0
  else
1605
0
    return GPG_ERR_GENERAL;
1606
  /* 9.1 step 1 is implicit with the selected DRBG type -- see
1607
   * drbg_sec_strength() */
1608
1609
  /* 9.1 step 2 is implicit as caller can select prediction resistance
1610
   * and the flag is copied into drbg->flags --
1611
   * all DRBG types support prediction resistance */
1612
1613
  /* 9.1 step 4 is implicit in  drbg_sec_strength */
1614
1615
0
  ret = drbg->d_ops->crypto_init(drbg);
1616
0
  if (ret)
1617
0
    goto err;
1618
1619
0
  drbg->V = xcalloc_secure (1, drbg_statelen (drbg));
1620
0
  if (!drbg->V)
1621
0
    goto fini;
1622
0
  drbg->C = xcalloc_secure (1, drbg_statelen (drbg));
1623
0
  if (!drbg->C)
1624
0
    goto fini;
1625
  /* scratchpad is only generated for CTR and Hash */
1626
0
  if (drbg->core->flags & DRBG_HMAC)
1627
0
    sb_size = 0;
1628
0
  else if (drbg->core->flags & DRBG_CTR_MASK)
1629
0
    sb_size = drbg_statelen (drbg) + drbg_blocklen (drbg) + /* temp */
1630
0
      drbg_statelen (drbg) +  /* df_data */
1631
0
      drbg_blocklen (drbg) +  /* pad */
1632
0
      drbg_blocklen (drbg) +  /* iv */
1633
0
      drbg_statelen (drbg) + drbg_blocklen (drbg); /* temp */
1634
0
  else
1635
0
    sb_size = drbg_statelen (drbg);
1636
1637
0
  if (0 < sb_size)
1638
0
    {
1639
0
      drbg->scratchpad = xcalloc_secure (1, sb_size);
1640
0
      if (!drbg->scratchpad)
1641
0
  goto fini;
1642
0
    }
1643
0
  dbg (("DRBG: state allocated with scratchpad size %u bytes\n", sb_size));
1644
1645
  /* 9.1 step 6 through 11 */
1646
0
  ret = drbg_seed (drbg, pers, 0);
1647
0
  if (ret)
1648
0
    goto fini;
1649
1650
0
  dbg (("DRBG: core %d %s prediction resistance successfully initialized\n",
1651
0
  coreref, pr ? "with" : "without"));
1652
0
  return 0;
1653
1654
0
 fini:
1655
0
  drbg->d_ops->crypto_fini(drbg);
1656
0
 err:
1657
0
  drbg_uninstantiate (drbg);
1658
0
  return ret;
1659
0
}
1660
1661
/*
1662
 * DRBG reseed function as required by SP800-90A
1663
 *
1664
 * @drbg DRBG state handle
1665
 * @addtl Additional input that is mixed into state, may be NULL -- note
1666
 *    the entropy is pulled by the DRBG internally unconditionally
1667
 *    as defined in SP800-90A. The additional input is mixed into
1668
 *    the state in addition to the pulled entropy.
1669
 *
1670
 * return
1671
 *  0 on success
1672
 *  error value otherwise
1673
 */
1674
static gpg_err_code_t
1675
drbg_reseed (drbg_state_t drbg,drbg_string_t *addtl)
1676
0
{
1677
0
  gpg_err_code_t ret = 0;
1678
0
  ret = drbg_seed (drbg, addtl, 1);
1679
0
  return ret;
1680
0
}
1681
1682
1683

1684
/******************************************************************
1685
 * Libgcrypt integration code.
1686
 ******************************************************************/
1687
1688
/***************************************************
1689
 * Libgcrypt backend functions to the RNG API code.
1690
 ***************************************************/
1691
1692
static inline void
1693
drbg_lock (void)
1694
0
{
1695
0
  gpg_err_code_t ec;
1696
1697
0
  ec = gpgrt_lock_lock (&drbg_lock_var);
1698
0
  if (ec)
1699
0
    log_fatal ("failed to acquire the RNG lock: %s\n", gpg_strerror (ec));
1700
0
}
1701
1702
static inline void
1703
drbg_unlock (void)
1704
0
{
1705
0
  gpg_err_code_t ec;
1706
1707
0
  ec = gpgrt_lock_unlock (&drbg_lock_var);
1708
0
  if (ec)
1709
0
    log_fatal ("failed to release the RNG lock: %s\n", gpg_strerror (ec));
1710
0
}
1711
1712
/* Basic initialization is required to initialize mutexes and
1713
   do a few checks on the implementation.  */
1714
static void
1715
basic_initialization (void)
1716
0
{
1717
0
  static int initialized;
1718
1719
0
  if (initialized)
1720
0
    return;
1721
0
  initialized = 1;
1722
1723
  /* Make sure that we are still using the values we have
1724
     traditionally used for the random levels.  */
1725
0
  gcry_assert (GCRY_WEAK_RANDOM == 0
1726
0
               && GCRY_STRONG_RANDOM == 1
1727
0
               && GCRY_VERY_STRONG_RANDOM == 2);
1728
0
}
1729
1730
/****** helper functions where lock must be held by caller *****/
1731
1732
/* Check whether given flags are known to point to an applicable DRBG */
1733
static gpg_err_code_t
1734
drbg_algo_available (u32 flags, int *coreref)
1735
0
{
1736
0
  int i = 0;
1737
0
  for (i = 0; ARRAY_SIZE (drbg_cores) > i; i++)
1738
0
    {
1739
0
      if ((drbg_cores[i].flags & DRBG_CIPHER_MASK) ==
1740
0
    (flags & DRBG_CIPHER_MASK))
1741
0
  {
1742
0
    *coreref = i;
1743
0
    return 0;
1744
0
  }
1745
0
    }
1746
0
  return GPG_ERR_GENERAL;
1747
0
}
1748
1749
static gpg_err_code_t
1750
_drbg_init_internal (u32 flags, drbg_string_t *pers)
1751
0
{
1752
0
  static u32 oldflags;
1753
0
  gpg_err_code_t ret = 0;
1754
0
  int coreref = 0;
1755
0
  int pr = 0;
1756
1757
  /* If a caller provides 0 as flags, use the flags of the previous
1758
   * initialization, otherwise use the current flags and remember them
1759
   * for the next invocation.  If no flag is given and no global state
1760
   * is set this is the first initialization and we set the default
1761
   * type.
1762
   */
1763
0
  if (!flags && !drbg_state)
1764
0
    flags = oldflags = DRBG_DEFAULT_TYPE;
1765
0
  else if (!flags)
1766
0
    flags = oldflags;
1767
0
  else
1768
0
    oldflags = flags;
1769
1770
0
  ret = drbg_algo_available (flags, &coreref);
1771
0
  if (ret)
1772
0
    return ret;
1773
1774
0
  if (drbg_state)
1775
0
    {
1776
0
      drbg_uninstantiate (drbg_state);
1777
0
    }
1778
0
  else
1779
0
    {
1780
0
      drbg_state = &drbg_instance;
1781
0
    }
1782
0
  if (flags & DRBG_PREDICTION_RESIST)
1783
0
    pr = 1;
1784
0
  ret = drbg_instantiate (drbg_state, pers, coreref, pr);
1785
0
  if (ret)
1786
0
    fips_signal_error ("DRBG cannot be initialized");
1787
0
  else
1788
0
    drbg_state->seed_init_pid = getpid ();
1789
0
  return ret;
1790
0
}
1791
1792
/************* calls available to common RNG code **************/
1793
1794
/*
1795
 * Initialize one DRBG invoked by the libgcrypt API
1796
 */
1797
void
1798
_gcry_rngdrbg_inititialize (int full)
1799
0
{
1800
0
  basic_initialization ();
1801
0
  if (!full)
1802
0
      return;
1803
0
  drbg_lock ();
1804
0
  if (!drbg_state)
1805
0
    _drbg_init_internal (0, NULL);
1806
0
  drbg_unlock ();
1807
0
}
1808
1809
/*
1810
 * Backend handler function for GCRYCTL_DRBG_REINIT
1811
 *
1812
 * Select a different DRBG type and initialize it.
1813
 * Function checks whether requested DRBG type exists and returns an error in
1814
 * case it does not. In case of an error, the previous instantiated DRBG is
1815
 * left untouched and alive. Thus, in case of an error, a DRBG is always
1816
 * available, even if it is not the chosen one.
1817
 *
1818
 * Re-initialization will be performed in any case regardless whether flags
1819
 * or personalization string are set.
1820
 *
1821
 * If flags is NULL, do not change current DRBG.  If PERS is NULL and
1822
 * NPERS is 0, re-initialize without personalization string.  If PERS
1823
 * is not NULL NPERS must be one and PERS and the first ietm from the
1824
 * bufer is take as personalization string.
1825
 */
1826
gpg_err_code_t
1827
_gcry_rngdrbg_reinit (const char *flagstr, gcry_buffer_t *pers, int npers)
1828
0
{
1829
0
  gpg_err_code_t ret;
1830
0
  unsigned int flags;
1831
1832
  /* If PERS is not given we expect NPERS to be zero; if given we
1833
     expect a one-item array.  */
1834
0
  if ((!pers && npers) || (pers && npers != 1))
1835
0
    return GPG_ERR_INV_ARG;
1836
1837
0
  ret = parse_flag_string (flagstr, &flags);
1838
0
  if (!ret)
1839
0
    {
1840
0
      dbg (("DRBG: reinitialize internal DRBG state with flags %u\n", flags));
1841
0
      drbg_lock ();
1842
0
      if (pers)
1843
0
        {
1844
0
          drbg_string_t persbuf;
1845
1846
0
          drbg_string_fill
1847
0
            (&persbuf, (const unsigned char *)pers[0].data + pers[0].off,
1848
0
             pers[0].len);
1849
0
          ret = _drbg_init_internal (flags, &persbuf);
1850
0
        }
1851
0
      else
1852
0
        ret = _drbg_init_internal (flags, NULL);
1853
0
      drbg_unlock ();
1854
0
    }
1855
0
  return ret;
1856
0
}
1857
1858
/* Release resources used by this DRBG module.  That is, close the FDs
1859
 * of the random gather module (if any), and release memory used.
1860
 */
1861
void
1862
_gcry_rngdrbg_close_fds (void)
1863
0
{
1864
0
  drbg_lock ();
1865
0
#if USE_RNDGETENTROPY
1866
0
  _gcry_rndgetentropy_gather_random (NULL, 0, 0, 0);
1867
0
#endif
1868
#if USE_RNDOLDLINUX
1869
  _gcry_rndoldlinux_gather_random (NULL, 0, 0, 0);
1870
#endif
1871
0
  if (drbg_state)
1872
0
    {
1873
0
      drbg_uninstantiate (drbg_state);
1874
0
      drbg_state = NULL;
1875
0
    }
1876
0
  drbg_unlock ();
1877
0
}
1878
1879
/* Print some statistics about the RNG.  */
1880
void
1881
_gcry_rngdrbg_dump_stats (void)
1882
0
{
1883
  /* Not yet implemented.  */
1884
  /* Maybe dumping of reseed counter? */
1885
0
}
1886
1887
/* This function returns true if no real RNG is available or the
1888
 * quality of the RNG has been degraded for test purposes.  */
1889
int
1890
_gcry_rngdrbg_is_faked (void)
1891
0
{
1892
0
  return 0;     /* Faked random is not allowed.  */
1893
0
}
1894
1895
/* Add BUFLEN bytes from BUF to the internal random pool.  QUALITY
1896
 * should be in the range of 0..100 to indicate the goodness of the
1897
 * entropy added, or -1 for goodness not known. */
1898
gcry_error_t
1899
_gcry_rngdrbg_add_bytes (const void *buf, size_t buflen, int quality)
1900
0
{
1901
0
  gpg_err_code_t ret = 0;
1902
0
  drbg_string_t seed;
1903
0
  (void) quality;
1904
0
  _gcry_rngdrbg_inititialize (1); /* Auto-initialize if needed */
1905
0
  if (!drbg_state)
1906
0
    return GPG_ERR_GENERAL;
1907
0
  drbg_string_fill (&seed, (unsigned char *) buf, buflen);
1908
0
  drbg_lock ();
1909
0
  ret = drbg_reseed (drbg_state, &seed);
1910
0
  drbg_unlock ();
1911
0
  return ret;
1912
0
}
1913
1914
/* This function is to be used for all types of random numbers, including
1915
 * nonces
1916
 */
1917
void
1918
_gcry_rngdrbg_randomize (void *buffer, size_t length,
1919
          enum gcry_random_level level)
1920
0
{
1921
0
  (void) level;
1922
0
  _gcry_rngdrbg_inititialize (1); /* Auto-initialize if needed */
1923
0
  drbg_lock ();
1924
0
  if (!drbg_state)
1925
0
    {
1926
0
      fips_signal_error ("DRBG is not initialized");
1927
0
      goto bailout;
1928
0
    }
1929
1930
  /* As reseeding changes the entire state of the DRBG, including any
1931
   * key, either a re-init or a reseed is sufficient for a fork */
1932
0
  if (drbg_state->seed_init_pid != getpid ())
1933
0
    {
1934
      /* Update the PID recorded.  */
1935
0
      drbg_state->seed_init_pid = getpid ();
1936
1937
      /* We are in a child of us. Perform a reseeding. */
1938
0
      if (drbg_reseed (drbg_state, NULL))
1939
0
  {
1940
0
    fips_signal_error ("reseeding upon fork failed");
1941
0
    log_fatal ("severe error getting random\n");
1942
0
    goto bailout;
1943
0
  }
1944
0
    }
1945
  /* potential integer overflow is covered by drbg_generate which
1946
   * ensures that length cannot overflow an unsigned int */
1947
0
  if (0 < length)
1948
0
    {
1949
0
      if (!buffer)
1950
0
  goto bailout;
1951
0
      if (drbg_generate_long (drbg_state, buffer, (unsigned int) length, NULL))
1952
0
  log_fatal ("No random numbers generated\n");
1953
0
    }
1954
0
  else
1955
0
    {
1956
0
      drbg_gen_t *data = (drbg_gen_t *)buffer;
1957
      /* catch NULL pointer */
1958
0
      if (!data || !data->outbuf)
1959
0
  {
1960
0
    fips_signal_error ("No output buffer provided");
1961
0
    goto bailout;
1962
0
  }
1963
0
      if (drbg_generate_long (drbg_state, data->outbuf, data->outlen,
1964
0
                              data->addtl))
1965
0
  log_fatal ("No random numbers generated\n");
1966
0
    }
1967
1968
0
 bailout:
1969
0
  drbg_unlock ();
1970
0
  return;
1971
1972
0
}
1973
1974
/***************************************************************
1975
 * Self-test code
1976
 ***************************************************************/
1977
1978
/*
1979
 * Test vectors from
1980
 * http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgtestvectors.zip
1981
 */
1982
struct gcry_drbg_test_vector drbg_test_pr[] = {
1983
  {
1984
    /* .flags = */ "sha256 pr" /* DRBG_PR_HASHSHA256 */,
1985
    /* .entropy = */ (unsigned char *)
1986
    "\x5d\xf2\x14\xbc\xf6\xb5\x4e\x0b\xf0\x0d\x6f\x2d"
1987
    "\xe2\x01\x66\x7b\xd0\xa4\x73\xa4\x21\xdd\xb0\xc0"
1988
    "\x51\x79\x09\xf4\xea\xa9\x08\xfa\xa6\x67\xe0\xe1"
1989
    "\xd1\x88\xa8\xad\xee\x69\x74\xb3\x55\x06\x9b\xf6",
1990
    /* .entropylen = */ 48,
1991
    /* .entpra = */ (unsigned char *)
1992
    "\xef\x48\x06\xa2\xc2\x45\xf1\x44\xfa\x34\x2c\xeb"
1993
    "\x8d\x78\x3c\x09\x8f\x34\x72\x20\xf2\xe7\xfd\x13"
1994
    "\x76\x0a\xf6\xdc\x3c\xf5\xc0\x15",
1995
    /* .entprb = */ (unsigned char *)
1996
    "\x4b\xbe\xe5\x24\xed\x6a\x2d\x0c\xdb\x73\x5e\x09"
1997
    "\xf9\xad\x67\x7c\x51\x47\x8b\x6b\x30\x2a\xc6\xde"
1998
    "\x76\xaa\x55\x04\x8b\x0a\x72\x95",
1999
    /* .entprlen = */ 32,
2000
    /* .addtla = */ (unsigned char *)
2001
    "\xbe\x13\xdb\x2a\xe9\xa8\xfe\x09\x97\xe1\xce\x5d"
2002
    "\xe8\xbb\xc0\x7c\x4f\xcb\x62\x19\x3f\x0f\xd2\xad"
2003
    "\xa9\xd0\x1d\x59\x02\xc4\xff\x70",
2004
    /* .addtlb = */ (unsigned char *)
2005
    "\x6f\x96\x13\xe2\xa7\xf5\x6c\xfe\xdf\x66\xe3\x31"
2006
    "\x63\x76\xbf\x20\x27\x06\x49\xf1\xf3\x01\x77\x41"
2007
    "\x9f\xeb\xe4\x38\xfe\x67\x00\xcd",
2008
    /* .addtllen = */ 32,
2009
    /* .pers = */ NULL,
2010
    /* .perslen = */ 0,
2011
    /* .expected = */ (unsigned char *)
2012
    "\x3b\x14\x71\x99\xa1\xda\xa0\x42\xe6\xc8\x85\x32"
2013
    "\x70\x20\x32\x53\x9a\xbe\xd1\x1e\x15\xef\xfb\x4c"
2014
    "\x25\x6e\x19\x3a\xf0\xb9\xcb\xde\xf0\x3b\xc6\x18"
2015
    "\x4d\x85\x5a\x9b\xf1\xe3\xc2\x23\x03\x93\x08\xdb"
2016
    "\xa7\x07\x4b\x33\x78\x40\x4d\xeb\x24\xf5\x6e\x81"
2017
    "\x4a\x1b\x6e\xa3\x94\x52\x43\xb0\xaf\x2e\x21\xf4"
2018
    "\x42\x46\x8e\x90\xed\x34\x21\x75\xea\xda\x67\xb6"
2019
    "\xe4\xf6\xff\xc6\x31\x6c\x9a\x5a\xdb\xb3\x97\x13"
2020
    "\x09\xd3\x20\x98\x33\x2d\x6d\xd7\xb5\x6a\xa8\xa9"
2021
    "\x9a\x5b\xd6\x87\x52\xa1\x89\x2b\x4b\x9c\x64\x60"
2022
    "\x50\x47\xa3\x63\x81\x16\xaf\x19",
2023
    /* .expectedlen = */ 128,
2024
    /* .entropyreseed = */ NULL,
2025
    /* .entropyreseed_len = */ 0,
2026
    /* .addtl_reseed = */ NULL,
2027
    /* .addtl_reseed_len = */ 0
2028
  },
2029
  {
2030
    /* flags = */ "hmac sha256 pr" /* DRBG_PR_HMACSHA256 */,
2031
    /* .entropy = */ (unsigned char *)
2032
    "\x13\x54\x96\xfc\x1b\x7d\x28\xf3\x18\xc9\xa7\x89"
2033
    "\xb6\xb3\xc8\x72\xac\x00\xd4\x59\x36\x25\x05\xaf"
2034
    "\xa5\xdb\x96\xcb\x3c\x58\x46\x87\xa5\xaa\xbf\x20"
2035
    "\x3b\xfe\x23\x0e\xd1\xc7\x41\x0f\x3f\xc9\xb3\x67",
2036
    /* .entropylen = */ 48,
2037
    /* .entpra = */ (unsigned char *)
2038
    "\xe2\xbd\xb7\x48\x08\x06\xf3\xe1\x93\x3c\xac\x79"
2039
    "\xa7\x2b\x11\xda\xe3\x2e\xe1\x91\xa5\x02\x19\x57"
2040
    "\x20\x28\xad\xf2\x60\xd7\xcd\x45",
2041
    /* .entprb = */ (unsigned char *)
2042
    "\x8b\xd4\x69\xfc\xff\x59\x95\x95\xc6\x51\xde\x71"
2043
    "\x68\x5f\xfc\xf9\x4a\xab\xec\x5a\xcb\xbe\xd3\x66"
2044
    "\x1f\xfa\x74\xd3\xac\xa6\x74\x60",
2045
    /* .entprlen = */ 32,
2046
    /* .addtla = */ NULL,
2047
    /* .addtlb = */ NULL,
2048
    /* .addtllen = */ 0,
2049
    /* .pers = */ (unsigned char *)
2050
    "\x64\xb6\xfc\x60\xbc\x61\x76\x23\x6d\x3f\x4a\x0f"
2051
    "\xe1\xb4\xd5\x20\x9e\x70\xdd\x03\x53\x6d\xbf\xce"
2052
    "\xcd\x56\x80\xbc\xb8\x15\xc8\xaa",
2053
    /* .perslen = */ 32,
2054
    /* .expected = */ (unsigned char *)
2055
    "\x1f\x9e\xaf\xe4\xd2\x46\xb7\x47\x41\x4c\x65\x99"
2056
    "\x01\xe9\x3b\xbb\x83\x0c\x0a\xb0\xc1\x3a\xe2\xb3"
2057
    "\x31\x4e\xeb\x93\x73\xee\x0b\x26\xc2\x63\xa5\x75"
2058
    "\x45\x99\xd4\x5c\x9f\xa1\xd4\x45\x87\x6b\x20\x61"
2059
    "\x40\xea\x78\xa5\x32\xdf\x9e\x66\x17\xaf\xb1\x88"
2060
    "\x9e\x2e\x23\xdd\xc1\xda\x13\x97\x88\xa5\xb6\x5e"
2061
    "\x90\x14\x4e\xef\x13\xab\x5c\xd9\x2c\x97\x9e\x7c"
2062
    "\xd7\xf8\xce\xea\x81\xf5\xcd\x71\x15\x49\x44\xce"
2063
    "\x83\xb6\x05\xfb\x7d\x30\xb5\x57\x2c\x31\x4f\xfc"
2064
    "\xfe\x80\xb6\xc0\x13\x0c\x5b\x9b\x2e\x8f\x3d\xfc"
2065
    "\xc2\xa3\x0c\x11\x1b\x80\x5f\xf3",
2066
    /* .expectedlen = */ 128,
2067
    /* .entropyreseed = */ NULL,
2068
    /* .entropyreseed_len = */ 0,
2069
    /* .addtl_reseed = */ NULL,
2070
    /* .addtl_reseed_len = */ 0
2071
  },
2072
  {
2073
    /* .flags = */ "aes sym128 pr", /* DRBG_PR_CTRAES128 */
2074
    /* .entropy = */ (unsigned char *)
2075
    "\x92\x89\x8f\x31\xfa\x1c\xff\x6d\x18\x2f\x26\x06"
2076
    "\x43\xdf\xf8\x18\xc2\xa4\xd9\x72\xc3\xb9\xb6\x97",
2077
    /* .entropylen = */ 24,
2078
    /* .entpra = */ (unsigned char *)
2079
    "\x20\x72\x8a\x06\xf8\x6f\x8d\xd4\x41\xe2\x72\xb7"
2080
    "\xc4\x2c\xe8\x10",
2081
    /* .entprb = */ (unsigned char *)
2082
    "\x3d\xb0\xf0\x94\xf3\x05\x50\x33\x17\x86\x3e\x22"
2083
    "\x08\xf7\xa5\x01",
2084
    /* .entprlen = */ 16,
2085
    /* .addtla = */ (unsigned char *)
2086
    "\x1a\x40\xfa\xe3\xcc\x6c\x7c\xa0\xf8\xda\xba\x59"
2087
    "\x23\x6d\xad\x1d",
2088
    /* .addtlb = */ (unsigned char *)
2089
    "\x9f\x72\x76\x6c\xc7\x46\xe5\xed\x2e\x53\x20\x12"
2090
    "\xbc\x59\x31\x8c",
2091
    /* .addtllen = */ 16,
2092
    /* .pers = */ (unsigned char *)
2093
    "\xea\x65\xee\x60\x26\x4e\x7e\xb6\x0e\x82\x68\xc4"
2094
    "\x37\x3c\x5c\x0b",
2095
    /* .perslen = */ 16,
2096
    /* .expected = */ (unsigned char *)
2097
    "\x5a\x35\x39\x87\x0f\x4d\x22\xa4\x09\x24\xee\x71"
2098
    "\xc9\x6f\xac\x72\x0a\xd6\xf0\x88\x82\xd0\x83\x28"
2099
    "\x73\xec\x3f\x93\xd8\xab\x45\x23\xf0\x7e\xac\x45"
2100
    "\x14\x5e\x93\x9f\xb1\xd6\x76\x43\x3d\xb6\xe8\x08"
2101
    "\x88\xf6\xda\x89\x08\x77\x42\xfe\x1a\xf4\x3f\xc4"
2102
    "\x23\xc5\x1f\x68",
2103
    /* .expectedlen = */ 64,
2104
    /* .entropyreseed = */ NULL,
2105
    /* .entropyreseed_len = */ 0,
2106
    /* .addtl_reseed = */ NULL,
2107
    /* .addtl_reseed_len = */ 0
2108
   }
2109
};
2110
2111
struct gcry_drbg_test_vector drbg_test_nopr[] = {
2112
  {
2113
    /* .flags = */ "sha256" /* DRBG_NOPR_HASHSHA256 */,
2114
    /* .entropy = */ (unsigned char *)
2115
    "\x73\xd3\xfb\xa3\x94\x5f\x2b\x5f\xb9\x8f\xf6\x9c"
2116
    "\x8a\x93\x17\xae\x19\xc3\x4c\xc3\xd6\xca\xa3\x2d"
2117
    "\x16\xfc\x42\xd2\x2d\xd5\x6f\x56\xcc\x1d\x30\xff"
2118
    "\x9e\x06\x3e\x09\xce\x58\xe6\x9a\x35\xb3\xa6\x56",
2119
    /* .entropylen = */ 48,
2120
    /* .entpra = */ NULL,
2121
    /* .entprb = */ NULL,
2122
    /* .entprlen = */ 0,
2123
    /* .addtla = */ (unsigned char *)
2124
    "\xf4\xd5\x98\x3d\xa8\xfc\xfa\x37\xb7\x54\x67\x73"
2125
    "\xc7\xc3\xdd\x47\x34\x71\x02\x5d\xc1\xa0\xd3\x10"
2126
    "\xc1\x8b\xbd\xf5\x66\x34\x6f\xdd",
2127
    /* .addtlb = */ (unsigned char *)
2128
    "\xf7\x9e\x6a\x56\x0e\x73\xe9\xd9\x7a\xd1\x69\xe0"
2129
    "\x6f\x8c\x55\x1c\x44\xd1\xce\x6f\x28\xcc\xa4\x4d"
2130
    "\xa8\xc0\x85\xd1\x5a\x0c\x59\x40",
2131
    /* .addtllen = */ 32,
2132
    /* .pers = */ NULL,
2133
    /* .perslen = */ 0,
2134
    /* .expected = */ (unsigned char *)
2135
    "\x71\x7b\x93\x46\x1a\x40\xaa\x35\xa4\xaa\xc5\xe7"
2136
    "\x6d\x5b\x5b\x8a\xa0\xdf\x39\x7d\xae\x71\x58\x5b"
2137
    "\x3c\x7c\xb4\xf0\x89\xfa\x4a\x8c\xa9\x5c\x54\xc0"
2138
    "\x40\xdf\xbc\xce\x26\x81\x34\xf8\xba\x7d\x1c\xe8"
2139
    "\xad\x21\xe0\x74\xcf\x48\x84\x30\x1f\xa1\xd5\x4f"
2140
    "\x81\x42\x2f\xf4\xdb\x0b\x23\xf8\x73\x27\xb8\x1d"
2141
    "\x42\xf8\x44\x58\xd8\x5b\x29\x27\x0a\xf8\x69\x59"
2142
    "\xb5\x78\x44\xeb\x9e\xe0\x68\x6f\x42\x9a\xb0\x5b"
2143
    "\xe0\x4e\xcb\x6a\xaa\xe2\xd2\xd5\x33\x25\x3e\xe0"
2144
    "\x6c\xc7\x6a\x07\xa5\x03\x83\x9f\xe2\x8b\xd1\x1c"
2145
    "\x70\xa8\x07\x59\x97\xeb\xf6\xbe",
2146
    /* .expectedlen = */ 128,
2147
    /* .entropyreseed = */ NULL,
2148
    /* .entropyreseed_len = */ 0,
2149
    /* .addtl_reseed = */ NULL,
2150
    /* .addtl_reseed_len = */ 0
2151
  },
2152
  {
2153
    /* .flags = */ "hmac sha256" /* DRBG_NOPR_HMACSHA256 */,
2154
    /* .entropy = */ (unsigned char *)
2155
    "\x8d\xf0\x13\xb4\xd1\x03\x52\x30\x73\x91\x7d\xdf"
2156
    "\x6a\x86\x97\x93\x05\x9e\x99\x43\xfc\x86\x54\x54"
2157
    "\x9e\x7a\xb2\x2f\x7c\x29\xf1\x22\xda\x26\x25\xaf"
2158
    "\x2d\xdd\x4a\xbc\xce\x3c\xf4\xfa\x46\x59\xd8\x4e",
2159
    /* .entropylen = */ 48,
2160
    /* .entpra = */ NULL,
2161
    /* .entprb = */ NULL,
2162
    /* .entprlen = */ 0,
2163
    /* .addtla = */ NULL,
2164
    /* .addtlb = */ NULL,
2165
    /* .addtllen = */ 0,
2166
    /* .pers = */ (unsigned char *)
2167
    "\xb5\x71\xe6\x6d\x7c\x33\x8b\xc0\x7b\x76\xad\x37"
2168
    "\x57\xbb\x2f\x94\x52\xbf\x7e\x07\x43\x7a\xe8\x58"
2169
    "\x1c\xe7\xbc\x7c\x3a\xc6\x51\xa9",
2170
    /* .perslen = */ 32,
2171
    /* .expected = */ (unsigned char *)
2172
    "\xb9\x1c\xba\x4c\xc8\x4f\xa2\x5d\xf8\x61\x0b\x81"
2173
    "\xb6\x41\x40\x27\x68\xa2\x09\x72\x34\x93\x2e\x37"
2174
    "\xd5\x90\xb1\x15\x4c\xbd\x23\xf9\x74\x52\xe3\x10"
2175
    "\xe2\x91\xc4\x51\x46\x14\x7f\x0d\xa2\xd8\x17\x61"
2176
    "\xfe\x90\xfb\xa6\x4f\x94\x41\x9c\x0f\x66\x2b\x28"
2177
    "\xc1\xed\x94\xda\x48\x7b\xb7\xe7\x3e\xec\x79\x8f"
2178
    "\xbc\xf9\x81\xb7\x91\xd1\xbe\x4f\x17\x7a\x89\x07"
2179
    "\xaa\x3c\x40\x16\x43\xa5\xb6\x2b\x87\xb8\x9d\x66"
2180
    "\xb3\xa6\x0e\x40\xd4\xa8\xe4\xe9\xd8\x2a\xf6\xd2"
2181
    "\x70\x0e\x6f\x53\x5c\xdb\x51\xf7\x5c\x32\x17\x29"
2182
    "\x10\x37\x41\x03\x0c\xcc\x3a\x56",
2183
    /* .expectedlen = */ 128,
2184
    /* .entropyreseed = */ NULL,
2185
    /* .entropyreseed_len = */ 0,
2186
    /* .addtl_reseed = */ NULL,
2187
    /* .addtl_reseed_len = */ 0
2188
  },
2189
  {
2190
    /* .flags = */ "aes sym128" /* DRBG_NOPR_CTRAES128 */,
2191
    /* .entropy = */ (unsigned char *)
2192
    "\xc0\x70\x1f\x92\x50\x75\x8f\xcd\xf2\xbe\x73\x98"
2193
    "\x80\xdb\x66\xeb\x14\x68\xb4\xa5\x87\x9c\x2d\xa6",
2194
    /* .entropylen = */ 24,
2195
    /* .entpra = */ NULL,
2196
    /* .entprb = */ NULL,
2197
    /* .entprlen = */ 0,
2198
    /* .addtla = */ (unsigned char *)
2199
    "\xf9\x01\xf8\x16\x7a\x1d\xff\xde\x8e\x3c\x83\xe2"
2200
    "\x44\x85\xe7\xfe",
2201
    /* .addtlb = */ (unsigned char *)
2202
    "\x17\x1c\x09\x38\xc2\x38\x9f\x97\x87\x60\x55\xb4"
2203
    "\x82\x16\x62\x7f",
2204
    /* .addtllen = */ 16,
2205
    /* .pers = */ (unsigned char *)
2206
    "\x80\x08\xae\xe8\xe9\x69\x40\xc5\x08\x73\xc7\x9f"
2207
    "\x8e\xcf\xe0\x02",
2208
    /* .perslen = */ 16,
2209
    /* .expected = */ (unsigned char *)
2210
    "\x97\xc0\xc0\xe5\xa0\xcc\xf2\x4f\x33\x63\x48\x8a"
2211
    "\xdb\x13\x0a\x35\x89\xbf\x80\x65\x62\xee\x13\x95"
2212
    "\x7c\x33\xd3\x7d\xf4\x07\x77\x7a\x2b\x65\x0b\x5f"
2213
    "\x45\x5c\x13\xf1\x90\x77\x7f\xc5\x04\x3f\xcc\x1a"
2214
    "\x38\xf8\xcd\x1b\xbb\xd5\x57\xd1\x4a\x4c\x2e\x8a"
2215
    "\x2b\x49\x1e\x5c",
2216
    /* .expectedlen = */ 64,
2217
    /* .entropyreseed = */ NULL,
2218
    /* .entropyreseed_len = */ 0,
2219
    /* .addtl_reseed = */ NULL,
2220
    /* .addtl_reseed_len = */ 0
2221
  },
2222
  {
2223
    /* .flags = */ "sha1" /* DRBG_NOPR_HASHSHA1 */,
2224
    /* .entropy = */ (unsigned char *)
2225
    "\x16\x10\xb8\x28\xcc\xd2\x7d\xe0\x8c\xee\xa0\x32"
2226
    "\xa2\x0e\x92\x08\x49\x2c\xf1\x70\x92\x42\xf6\xb5",
2227
    /* .entropylen = */ 24,
2228
    /* .entpra = */ NULL,
2229
    /* .entprb = */ NULL,
2230
    /* .entprlen = */ 0,
2231
    /* .addtla = */ NULL,
2232
    /* .addtlb = */ NULL,
2233
    /* .addtllen = */ 0,
2234
    /* .pers = */ NULL,
2235
    /* .perslen = */ 0,
2236
    /* .expected = */ (unsigned char *)
2237
    "\x56\xf3\x3d\x4f\xdb\xb9\xa5\xb6\x4d\x26\x23\x44"
2238
    "\x97\xe9\xdc\xb8\x77\x98\xc6\x8d\x08\xf7\xc4\x11"
2239
    "\x99\xd4\xbd\xdf\x97\xeb\xbf\x6c\xb5\x55\x0e\x5d"
2240
    "\x14\x9f\xf4\xd5\xbd\x0f\x05\xf2\x5a\x69\x88\xc1"
2241
    "\x74\x36\x39\x62\x27\x18\x4a\xf8\x4a\x56\x43\x35"
2242
    "\x65\x8e\x2f\x85\x72\xbe\xa3\x33\xee\xe2\xab\xff"
2243
    "\x22\xff\xa6\xde\x3e\x22\xac\xa2",
2244
    /* .expectedlen = */ 80,
2245
    /* .entropyreseed = */ (unsigned char *)
2246
    "\x72\xd2\x8c\x90\x8e\xda\xf9\xa4\xd1\xe5\x26\xd8"
2247
    "\xf2\xde\xd5\x44",
2248
    /* .entropyreseed_len = */ 16,
2249
    /* .addtl_reseed = */ NULL,
2250
    /* .addtl_reseed_len = */ 0
2251
  },
2252
  {
2253
    /* .flags = */ "sha1" /* DRBG_NOPR_HASHSHA1 */,
2254
    /* .entropy = */ (unsigned char *)
2255
    "\xd9\xba\xb5\xce\xdc\xa9\x6f\x61\x78\xd6\x45\x09"
2256
    "\xa0\xdf\xdc\x5e\xda\xd8\x98\x94\x14\x45\x0e\x01",
2257
    /* .entropylen = */ 24,
2258
    /* .entpra = */ NULL,
2259
    /* .entprb = */ NULL,
2260
    /* .entprlen = */ 0,
2261
    /* .addtla = */ (unsigned char *)
2262
    "\x04\xfa\x28\x95\xaa\x5a\x6f\x8c\x57\x43\x34\x3b"
2263
    "\x80\x5e\x5e\xa4",
2264
    /* .addtlb = */ (unsigned char *)
2265
    "\xdf\x5d\xc4\x59\xdf\xf0\x2a\xa2\xf0\x52\xd7\x21"
2266
    "\xec\x60\x72\x30",
2267
    /* .addtllen = */ 16,
2268
    /* .pers = */ NULL,
2269
    /* .perslen = */ 0,
2270
    /* .expected = */ (unsigned char *)
2271
    "\xc4\x8b\x89\xf9\xda\x3f\x74\x82\x45\x55\x5d\x5d"
2272
    "\x03\x3b\x69\x3d\xd7\x1a\x4d\xf5\x69\x02\x05\xce"
2273
    "\xfc\xd7\x20\x11\x3c\xc2\x4e\x09\x89\x36\xff\x5e"
2274
    "\x77\xb5\x41\x53\x58\x70\xb3\x39\x46\x8c\xdd\x8d"
2275
    "\x6f\xaf\x8c\x56\x16\x3a\x70\x0a\x75\xb2\x3e\x59"
2276
    "\x9b\x5a\xec\xf1\x6f\x3b\xaf\x6d\x5f\x24\x19\x97"
2277
    "\x1f\x24\xf4\x46\x72\x0f\xea\xbe",
2278
    /* .expectedlen = */ 80,
2279
    /* .entropyreseed = */ (unsigned char *)
2280
    "\xc6\xba\xd0\x74\xc5\x90\x67\x86\xf5\xe1\xf3\x20"
2281
    "\x99\xf5\xb4\x91",
2282
    /* .entropyreseed_len = */ 16,
2283
    /* .addtl_reseed = */ (unsigned char *)
2284
    "\x3e\x6b\xf4\x6f\x4d\xaa\x38\x25\xd7\x19\x4e\x69"
2285
    "\x4e\x77\x52\xf7",
2286
    /* .addtl_reseed_len = */ 16
2287
  }
2288
};
2289
2290
2291
/*
2292
 * Tests implement the CAVS test approach as documented in
2293
 * http://csrc.nist.gov/groups/STM/cavp/documents/drbg/DRBGVS.pdf
2294
 */
2295
2296
/*
2297
 * CAVS test
2298
 *
2299
 * This function is not static as it is needed for as a private API
2300
 * call for the CAVS test tool.
2301
 */
2302
gpg_err_code_t
2303
_gcry_rngdrbg_cavs_test (struct gcry_drbg_test_vector *test, unsigned char *buf)
2304
0
{
2305
0
  gpg_err_code_t ret = 0;
2306
0
  drbg_state_t drbg = NULL;
2307
0
  struct drbg_test_data_s test_data;
2308
0
  drbg_string_t addtl, pers, testentropy;
2309
0
  int coreref = 0;
2310
0
  int pr = 0;
2311
0
  u32 flags;
2312
2313
0
  ret = parse_flag_string (test->flagstr, &flags);
2314
0
  if (ret)
2315
0
    goto outbuf;
2316
2317
0
  ret = drbg_algo_available (flags, &coreref);
2318
0
  if (ret)
2319
0
    goto outbuf;
2320
2321
0
  drbg = xtrycalloc_secure (1, sizeof *drbg);
2322
0
  if (!drbg)
2323
0
    {
2324
0
      ret = gpg_err_code_from_syserror ();
2325
0
      goto outbuf;
2326
0
    }
2327
2328
0
  if ((flags & DRBG_PREDICTION_RESIST))
2329
0
    pr = 1;
2330
2331
0
  test_data.testentropy = &testentropy;
2332
0
  drbg_string_fill (&testentropy, test->entropy, test->entropylen);
2333
0
  drbg->test_data = &test_data;
2334
0
  drbg_string_fill (&pers, test->pers, test->perslen);
2335
0
  ret = drbg_instantiate (drbg, &pers, coreref, pr);
2336
0
  if (ret)
2337
0
    goto outbuf;
2338
2339
0
  if (test->entropyreseed)
2340
0
    {
2341
0
      drbg_string_fill (&testentropy, test->entropyreseed,
2342
0
           test->entropyreseed_len);
2343
0
      drbg_string_fill (&addtl, test->addtl_reseed,
2344
0
           test->addtl_reseed_len);
2345
0
      if (drbg_reseed (drbg, &addtl))
2346
0
  goto outbuf;
2347
0
    }
2348
2349
0
  drbg_string_fill (&addtl, test->addtla, test->addtllen);
2350
0
  if (test->entpra)
2351
0
    {
2352
0
      drbg_string_fill (&testentropy, test->entpra, test->entprlen);
2353
0
      drbg->test_data = &test_data;
2354
0
    }
2355
0
  drbg_generate_long (drbg, buf, test->expectedlen, &addtl);
2356
2357
0
  drbg_string_fill (&addtl, test->addtlb, test->addtllen);
2358
0
  if (test->entprb)
2359
0
    {
2360
0
      drbg_string_fill (&testentropy, test->entprb, test->entprlen);
2361
0
      drbg->test_data = &test_data;
2362
0
    }
2363
0
  drbg_generate_long (drbg, buf, test->expectedlen, &addtl);
2364
0
  drbg_uninstantiate (drbg);
2365
2366
0
 outbuf:
2367
0
  xfree (drbg);
2368
0
  return ret;
2369
0
}
2370
2371
/*
2372
 * Invoke the CAVS test and perform the final check whether the
2373
 * calculated random value matches the expected one.
2374
 *
2375
 * This function is not static as it is needed for as a private API
2376
 * call for the CAVS test tool.
2377
 */
2378
gpg_err_code_t
2379
_gcry_rngdrbg_healthcheck_one (struct gcry_drbg_test_vector * test)
2380
0
{
2381
0
  gpg_err_code_t ret = GPG_ERR_ENOMEM;
2382
0
  unsigned char *buf = xcalloc_secure (1, test->expectedlen);
2383
0
  if (!buf)
2384
0
    return GPG_ERR_ENOMEM;
2385
2386
0
  ret = _gcry_rngdrbg_cavs_test (test, buf);
2387
  /* FIXME: The next line is wrong.   */
2388
0
  ret = memcmp (test->expected, buf, test->expectedlen);
2389
2390
0
  xfree (buf);
2391
0
  return ret;
2392
0
}
2393
2394
/*
2395
 * Tests as defined in 11.3.2 in addition to the cipher tests: testing
2396
 * of the error handling.
2397
 *
2398
 * Note, testing the reseed counter is not done as an automatic reseeding
2399
 * is performed in drbg_generate when the reseed counter is too large.
2400
 */
2401
static gpg_err_code_t
2402
drbg_healthcheck_sanity (struct gcry_drbg_test_vector *test)
2403
0
{
2404
0
  unsigned int len = 0;
2405
0
  drbg_state_t drbg = NULL;
2406
0
  gpg_err_code_t ret = GPG_ERR_GENERAL;
2407
0
  gpg_err_code_t tmpret = GPG_ERR_GENERAL;
2408
0
  struct drbg_test_data_s test_data;
2409
0
  drbg_string_t addtl, testentropy;
2410
0
  int coreref = 0;
2411
0
  unsigned char *buf = NULL;
2412
0
  size_t max_addtllen, max_request_bytes;
2413
0
  u32 flags;
2414
2415
  /* only perform test in FIPS mode */
2416
0
  if (0 == fips_mode ())
2417
0
    return 0;
2418
2419
0
  ret = parse_flag_string (test->flagstr, &flags);
2420
0
  if (ret)
2421
0
    return ret;
2422
0
  ret = GPG_ERR_GENERAL; /* Fixme: Improve handling of RET.  */
2423
2424
0
  buf = xtrycalloc_secure (1, test->expectedlen);
2425
0
  if (!buf)
2426
0
    return gpg_err_code_from_syserror ();
2427
0
  tmpret = drbg_algo_available (flags, &coreref);
2428
0
  if (tmpret)
2429
0
    goto outbuf;
2430
0
  drbg = xtrycalloc_secure (1, sizeof *drbg);
2431
0
  if (!drbg)
2432
0
    {
2433
0
      ret = gpg_err_code_from_syserror ();
2434
0
      goto outbuf;
2435
0
    }
2436
2437
  /* if the following tests fail, it is likely that there is a buffer
2438
   * overflow and we get a SIGSEV */
2439
0
  ret = drbg_instantiate (drbg, NULL, coreref, 1);
2440
0
  if (ret)
2441
0
    goto outbuf;
2442
0
  max_addtllen = drbg_max_addtl ();
2443
0
  max_request_bytes = drbg_max_request_bytes ();
2444
  /* overflow addtllen with additional info string */
2445
0
  drbg_string_fill (&addtl, test->addtla, (max_addtllen + 1));
2446
0
  len = drbg_generate (drbg, buf, test->expectedlen, &addtl);
2447
0
  if (len)
2448
0
    goto outdrbg;
2449
2450
  /* overflow max_bits */
2451
0
  len = drbg_generate (drbg, buf, (max_request_bytes + 1), NULL);
2452
0
  if (len)
2453
0
    goto outdrbg;
2454
0
  drbg_uninstantiate (drbg);
2455
2456
  /* test failing entropy source as defined in 11.3.2 */
2457
0
  test_data.testentropy = NULL;
2458
0
  test_data.fail_seed_source = 1;
2459
0
  drbg->test_data = &test_data;
2460
0
  tmpret = drbg_instantiate (drbg, NULL, coreref, 0);
2461
0
  if (!tmpret)
2462
0
    goto outdrbg;
2463
0
  test_data.fail_seed_source = 0;
2464
2465
0
  test_data.testentropy = &testentropy;
2466
0
  drbg_string_fill (&testentropy, test->entropy, test->entropylen);
2467
  /* overflow max addtllen with personalization string */
2468
0
  tmpret = drbg_instantiate (drbg, &addtl, coreref, 0);
2469
0
  if (!tmpret)
2470
0
    goto outdrbg;
2471
2472
0
  dbg (("DRBG: Sanity tests for failure code paths successfully completed\n"));
2473
0
  ret = 0;
2474
2475
0
 outdrbg:
2476
0
  drbg_uninstantiate (drbg);
2477
0
 outbuf:
2478
0
  xfree (buf);
2479
0
  xfree (drbg);
2480
0
  return ret;
2481
0
}
2482
2483
/*
2484
 * DRBG Healthcheck function as required in SP800-90A
2485
 *
2486
 * return:
2487
 *  0 on success (all tests pass)
2488
 *  >0 on error (return code indicate the number of failures)
2489
 */
2490
static int
2491
drbg_healthcheck (void)
2492
0
{
2493
0
  int ret = 0;
2494
0
  ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[0]);
2495
0
  ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[1]);
2496
0
  ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[2]);
2497
0
  ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[3]);
2498
0
  ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[4]);
2499
0
  ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[0]);
2500
0
  ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[1]);
2501
0
  ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[2]);
2502
0
  ret += drbg_healthcheck_sanity (&drbg_test_nopr[0]);
2503
0
  return ret;
2504
0
}
2505
2506
/* Run the self-tests.  */
2507
gcry_error_t
2508
_gcry_rngdrbg_selftest (selftest_report_func_t report)
2509
0
{
2510
0
  gcry_err_code_t ec;
2511
0
  const char *errtxt = NULL;
2512
0
  drbg_lock ();
2513
0
  if (0 != drbg_healthcheck ())
2514
0
    errtxt = "RNG output does not match known value";
2515
0
  drbg_unlock ();
2516
0
  if (report && errtxt)
2517
0
    report ("random", 0, "KAT", errtxt);
2518
0
  ec = errtxt ? GPG_ERR_SELFTEST_FAILED : 0;
2519
0
  return gpg_error (ec);
2520
0
}
2521
2522
/***************************************************************
2523
 * Cipher invocations requested by DRBG
2524
 ***************************************************************/
2525
2526
static gpg_err_code_t
2527
drbg_hash_init (drbg_state_t drbg)
2528
0
{
2529
0
  gcry_md_hd_t hd;
2530
0
  gpg_error_t err;
2531
2532
0
  err = _gcry_md_open (&hd, drbg->core->backend_cipher, 0);
2533
0
  if (err)
2534
0
    return err;
2535
2536
0
  drbg->priv_data = hd;
2537
2538
0
  return 0;
2539
0
}
2540
2541
static gpg_err_code_t
2542
drbg_hmac_init (drbg_state_t drbg)
2543
0
{
2544
0
  gcry_md_hd_t hd;
2545
0
  gpg_error_t err;
2546
2547
0
  err = _gcry_md_open (&hd, drbg->core->backend_cipher, GCRY_MD_FLAG_HMAC);
2548
0
  if (err)
2549
0
    return err;
2550
2551
0
  drbg->priv_data = hd;
2552
2553
0
  return 0;
2554
0
}
2555
2556
static gpg_err_code_t
2557
drbg_hmac_setkey (drbg_state_t drbg, const unsigned char *key)
2558
0
{
2559
0
  gcry_md_hd_t hd = (gcry_md_hd_t)drbg->priv_data;
2560
2561
0
  return _gcry_md_setkey (hd, key, drbg_statelen (drbg));
2562
0
}
2563
2564
static void
2565
drbg_hash_fini (drbg_state_t drbg)
2566
0
{
2567
0
  gcry_md_hd_t hd = (gcry_md_hd_t)drbg->priv_data;
2568
2569
0
  _gcry_md_close (hd);
2570
0
}
2571
2572
static byte *
2573
drbg_hash (drbg_state_t drbg, const drbg_string_t *buf)
2574
0
{
2575
0
  gcry_md_hd_t hd = (gcry_md_hd_t)drbg->priv_data;
2576
2577
0
  _gcry_md_reset(hd);
2578
0
  for (; NULL != buf; buf = buf->next)
2579
0
    _gcry_md_write (hd, buf->buf, buf->len);
2580
0
  _gcry_md_final (hd);
2581
0
  return _gcry_md_read (hd, drbg->core->backend_cipher);
2582
0
}
2583
2584
static void
2585
drbg_sym_fini (drbg_state_t drbg)
2586
0
{
2587
0
  gcry_cipher_hd_t hd = (gcry_cipher_hd_t)drbg->priv_data;
2588
2589
0
  if (hd)
2590
0
    _gcry_cipher_close (hd);
2591
0
  if (drbg->ctr_handle)
2592
0
    _gcry_cipher_close (drbg->ctr_handle);
2593
0
}
2594
2595
static gpg_err_code_t
2596
drbg_sym_init (drbg_state_t drbg)
2597
0
{
2598
0
  gcry_cipher_hd_t hd;
2599
0
  gpg_error_t err;
2600
2601
0
  err = _gcry_cipher_open (&hd, drbg->core->backend_cipher,
2602
0
         GCRY_CIPHER_MODE_ECB, 0);
2603
0
  if (err)
2604
0
    {
2605
0
      drbg_sym_fini (drbg);
2606
0
      return err;
2607
0
    }
2608
0
  drbg->priv_data = hd;
2609
2610
0
  err = _gcry_cipher_open (&drbg->ctr_handle, drbg->core->backend_cipher,
2611
0
         GCRY_CIPHER_MODE_CTR, 0);
2612
0
  if (err)
2613
0
    {
2614
0
      drbg_sym_fini (drbg);
2615
0
      return err;
2616
0
    }
2617
2618
2619
0
  if (drbg_blocklen (drbg) !=
2620
0
      _gcry_cipher_get_algo_blklen (drbg->core->backend_cipher))
2621
0
    {
2622
0
      drbg_sym_fini (drbg);
2623
0
      return -GPG_ERR_NO_ERROR;
2624
0
    }
2625
2626
0
  return 0;
2627
0
}
2628
2629
static gpg_err_code_t
2630
drbg_sym_setkey (drbg_state_t drbg, const unsigned char *key)
2631
0
{
2632
0
  gcry_cipher_hd_t hd = (gcry_cipher_hd_t)drbg->priv_data;
2633
2634
0
  return _gcry_cipher_setkey (hd, key, drbg_keylen (drbg));
2635
0
}
2636
2637
static gpg_err_code_t
2638
drbg_sym (drbg_state_t drbg, unsigned char *outval, const drbg_string_t *buf)
2639
0
{
2640
0
  gcry_cipher_hd_t hd = (gcry_cipher_hd_t)drbg->priv_data;
2641
2642
0
  _gcry_cipher_reset(hd);
2643
0
  if (drbg_blocklen (drbg) < buf->len)
2644
0
    return -GPG_ERR_NO_ERROR;
2645
  /* in is only component */
2646
0
  return _gcry_cipher_encrypt (hd, outval, drbg_blocklen (drbg), buf->buf,
2647
0
             buf->len);
2648
0
}
2649
2650
static gpg_err_code_t
2651
drbg_sym_ctr (drbg_state_t drbg,
2652
        const unsigned char *inbuf, unsigned int inbuflen,
2653
        unsigned char *outbuf, unsigned int outbuflen)
2654
0
{
2655
0
  gpg_error_t err;
2656
2657
0
  _gcry_cipher_reset(drbg->ctr_handle);
2658
0
  err = _gcry_cipher_setctr(drbg->ctr_handle, drbg->V, drbg_blocklen (drbg));
2659
0
  if (err)
2660
0
    return err;
2661
2662
0
  while (outbuflen)
2663
0
    {
2664
0
       unsigned int cryptlen = (inbuflen > outbuflen) ? outbuflen : inbuflen;
2665
2666
0
       err = _gcry_cipher_encrypt (drbg->ctr_handle, outbuf, cryptlen, inbuf,
2667
0
           cryptlen);
2668
0
       if (err)
2669
0
         return err;
2670
2671
0
       outbuflen -= cryptlen;
2672
0
       outbuf += cryptlen;
2673
0
    }
2674
0
  return _gcry_cipher_getctr(drbg->ctr_handle, drbg->V, drbg_blocklen (drbg));
2675
0
}