/src/libgcrypt/random/random-drbg.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* random-drbg.c - Deterministic Random Bits Generator |
2 | | * Copyright 2014 Stephan Mueller <smueller@chronox.de> |
3 | | * |
4 | | * DRBG: Deterministic Random Bits Generator |
5 | | * Based on NIST Recommended DRBG from NIST SP800-90A with the following |
6 | | * properties: |
7 | | * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores |
8 | | * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores |
9 | | * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores |
10 | | * * with and without prediction resistance |
11 | | * |
12 | | * Redistribution and use in source and binary forms, with or without |
13 | | * modification, are permitted provided that the following conditions |
14 | | * are met: |
15 | | * 1. Redistributions of source code must retain the above copyright |
16 | | * notice, and the entire permission notice in its entirety, |
17 | | * including the disclaimer of warranties. |
18 | | * 2. Redistributions in binary form must reproduce the above copyright |
19 | | * notice, this list of conditions and the following disclaimer in the |
20 | | * documentation and/or other materials provided with the distribution. |
21 | | * 3. The name of the author may not be used to endorse or promote |
22 | | * products derived from this software without specific prior |
23 | | * written permission. |
24 | | * |
25 | | * ALTERNATIVELY, this product may be distributed under the terms of |
26 | | * LGPLv2+, in which case the provisions of the LGPL are |
27 | | * required INSTEAD OF the above restrictions. (This clause is |
28 | | * necessary due to a potential bad interaction between the LGPL and |
29 | | * the restrictions contained in a BSD-style copyright.) |
30 | | * |
31 | | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED |
32 | | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
33 | | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF |
34 | | * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE |
35 | | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
36 | | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT |
37 | | * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
38 | | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF |
39 | | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
40 | | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE |
41 | | * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH |
42 | | * DAMAGE. |
43 | | * |
44 | | * |
45 | | * gcry_control GCRYCTL_DRBG_REINIT |
46 | | * ================================ |
47 | | * This control request re-initializes the DRBG completely, i.e. the entire |
48 | | * state of the DRBG is zeroized (with two exceptions listed in |
49 | | * GCRYCTL_DRBG_SET_ENTROPY). |
50 | | * |
51 | | * The control request takes the following values which influences how |
52 | | * the DRBG is re-initialized: |
53 | | * |
54 | | * - const char *flagstr |
55 | | * |
56 | | * This variable specifies the DRBG type to be used for the next |
57 | | * initialization. If set to NULL, the previous DRBG type is |
58 | | * used for the initialization. If not NULL a space separated |
59 | | * list of tokens with associated flag values is expected which |
60 | | * are ORed to form the mandatory flags of the requested DRBG |
61 | | * strength and cipher type. Optionally, the prediction |
62 | | * resistance flag can be ORed into the flags variable. |
63 | | * |
64 | | * | String token | Flag value | |
65 | | * |--------------+------------------------| |
66 | | * | aes | DRBG_CTRAES | |
67 | | * | serpent | DRBG_CTRSERPENT | |
68 | | * | twofish | DRBG_CTRTWOFISH | |
69 | | * | sha1 | DRBG_HASHSHA1 | |
70 | | * | sha256 | DRBG_HASHSHA256 | |
71 | | * | sha512 | DRBG_HASHSHA512 | |
72 | | * | hmac | DRBG_HMAC | |
73 | | * | sym128 | DRBG_SYM128 | |
74 | | * | sym192 | DRBG_SYM192 | |
75 | | * | sym256 | DRBG_SYM256 | |
76 | | * | pr | DRBG_PREDICTION_RESIST | |
77 | | * |
78 | | * For example: |
79 | | * |
80 | | * - CTR-DRBG with AES-128 without prediction resistance: |
81 | | * "aes sym128" |
82 | | * - HMAC-DRBG with SHA-512 with prediction resistance: |
83 | | * "hmac sha512 pr" |
84 | | * |
85 | | * - gcry_buffer_t *pers |
86 | | * |
87 | | * NULL terminated array with personalization strings to be used |
88 | | * for initialization. |
89 | | * |
90 | | * - int npers |
91 | | * |
92 | | * Size of PERS. |
93 | | * |
94 | | * - void *guard |
95 | | * |
96 | | * A value of NULL must be passed for this. |
97 | | * |
98 | | * The variable of flags is independent from the pers/perslen variables. If |
99 | | * flags is set to 0 and perslen is set to 0, the current DRBG type is |
100 | | * completely reset without using a personalization string. |
101 | | * |
102 | | * DRBG Usage |
103 | | * ========== |
104 | | * The SP 800-90A DRBG allows the user to specify a personalization string |
105 | | * for initialization as well as an additional information string for each |
106 | | * random number request. The following code fragments show how a caller |
107 | | * uses the API to use the full functionality of the DRBG. |
108 | | * |
109 | | * Usage without any additional data |
110 | | * --------------------------------- |
111 | | * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM); |
112 | | * |
113 | | * |
114 | | * Usage with personalization string during initialization |
115 | | * ------------------------------------------------------- |
116 | | * drbg_string_t pers; |
117 | | * char personalization[11] = "some-string"; |
118 | | * |
119 | | * drbg_string_fill(&pers, personalization, strlen(personalization)); |
120 | | * // The reset completely re-initializes the DRBG with the provided |
121 | | * // personalization string without changing the DRBG type |
122 | | * ret = gcry_control(GCRYCTL_DRBG_REINIT, 0, &pers); |
123 | | * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM); |
124 | | * |
125 | | * |
126 | | * Usage with additional information string during random number request |
127 | | * --------------------------------------------------------------------- |
128 | | * drbg_string_t addtl; |
129 | | * char addtl_string[11] = "some-string"; |
130 | | * |
131 | | * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); |
132 | | * // The following call is a wrapper to gcry_randomize() and returns |
133 | | * // the same error codes. |
134 | | * gcry_randomize_drbg(outbuf, OUTLEN, GCRY_STRONG_RANDOM, &addtl); |
135 | | * |
136 | | * |
137 | | * Usage with personalization and additional information strings |
138 | | * ------------------------------------------------------------- |
139 | | * Just mix both scenarios above. |
140 | | * |
141 | | * |
142 | | * Switch the DRBG type to some other type |
143 | | * --------------------------------------- |
144 | | * // Switch to CTR DRBG AES-128 without prediction resistance |
145 | | * ret = gcry_control(GCRYCTL_DRBG_REINIT, DRBG_NOPR_CTRAES128, NULL); |
146 | | * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM); |
147 | | */ |
148 | | |
149 | | #include <config.h> |
150 | | |
151 | | #include <string.h> |
152 | | #include <unistd.h> |
153 | | #include <stdint.h> |
154 | | |
155 | | #include "g10lib.h" |
156 | | #include "random.h" |
157 | | #include "rand-internal.h" |
158 | | #include "../cipher/bufhelp.h" |
159 | | |
160 | | |
161 | | |
162 | | /****************************************************************** |
163 | | * Constants |
164 | | ******************************************************************/ |
165 | | |
166 | | /* |
167 | | * DRBG flags bitmasks |
168 | | * |
169 | | * 31 (B) 28 19 (A) 0 |
170 | | * +-+-+-+--------+---+-----------+-----+ |
171 | | * |~|~|u|~~~~~~~~| 3 | 2 | 1 | |
172 | | * +-+-+-+--------+- -+-----------+-----+ |
173 | | * ctl flg| |drbg use selection flags |
174 | | * |
175 | | */ |
176 | | |
177 | | /* Internal state control flags (B) */ |
178 | 0 | #define DRBG_PREDICTION_RESIST ((u32)1<<28) |
179 | | |
180 | | /* CTR type modifiers (A.1)*/ |
181 | 0 | #define DRBG_CTRAES ((u32)1<<0) |
182 | 0 | #define DRBG_CTRSERPENT ((u32)1<<1) |
183 | 0 | #define DRBG_CTRTWOFISH ((u32)1<<2) |
184 | 0 | #define DRBG_CTR_MASK (DRBG_CTRAES | DRBG_CTRSERPENT \ |
185 | 0 | | DRBG_CTRTWOFISH) |
186 | | |
187 | | /* HASH type modifiers (A.2)*/ |
188 | 0 | #define DRBG_HASHSHA1 ((u32)1<<4) |
189 | 0 | #define DRBG_HASHSHA224 ((u32)1<<5) |
190 | 0 | #define DRBG_HASHSHA256 ((u32)1<<6) |
191 | 0 | #define DRBG_HASHSHA512 ((u32)1<<8) |
192 | 0 | #define DRBG_HASH_MASK (DRBG_HASHSHA1 | DRBG_HASHSHA224 \ |
193 | 0 | | DRBG_HASHSHA256 | DRBG_HASHSHA512) |
194 | | /* type modifiers (A.3)*/ |
195 | 0 | #define DRBG_HMAC ((u32)1<<12) |
196 | 0 | #define DRBG_SYM128 ((u32)1<<13) |
197 | 0 | #define DRBG_SYM192 ((u32)1<<14) |
198 | 0 | #define DRBG_SYM256 ((u32)1<<15) |
199 | 0 | #define DRBG_TYPE_MASK (DRBG_HMAC | DRBG_SYM128 | DRBG_SYM192 \ |
200 | 0 | | DRBG_SYM256) |
201 | 0 | #define DRBG_CIPHER_MASK (DRBG_CTR_MASK | DRBG_HASH_MASK \ |
202 | 0 | | DRBG_TYPE_MASK) |
203 | | |
204 | | #define DRBG_PR_CTRAES128 (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM128) |
205 | | #define DRBG_PR_CTRAES192 (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM192) |
206 | | #define DRBG_PR_CTRAES256 (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM256) |
207 | | #define DRBG_NOPR_CTRAES128 (DRBG_CTRAES | DRBG_SYM128) |
208 | | #define DRBG_NOPR_CTRAES192 (DRBG_CTRAES | DRBG_SYM192) |
209 | | #define DRBG_NOPR_CTRAES256 (DRBG_CTRAES | DRBG_SYM256) |
210 | | #define DRBG_PR_HASHSHA1 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1) |
211 | | #define DRBG_PR_HASHSHA256 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256) |
212 | | #define DRBG_PR_HASHSHA512 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512) |
213 | | #define DRBG_NOPR_HASHSHA1 (DRBG_HASHSHA1) |
214 | | #define DRBG_NOPR_HASHSHA256 (DRBG_HASHSHA256) |
215 | | #define DRBG_NOPR_HASHSHA512 (DRBG_HASHSHA512) |
216 | | #define DRBG_PR_HMACSHA1 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1 \ |
217 | | | DRBG_HMAC) |
218 | | #define DRBG_PR_HMACSHA256 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256 \ |
219 | | | DRBG_HMAC) |
220 | | #define DRBG_PR_HMACSHA512 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512 \ |
221 | | | DRBG_HMAC) |
222 | | #define DRBG_NOPR_HMACSHA1 (DRBG_HASHSHA1 | DRBG_HMAC) |
223 | 0 | #define DRBG_NOPR_HMACSHA256 (DRBG_HASHSHA256 | DRBG_HMAC) |
224 | | #define DRBG_NOPR_HMACSHA512 (DRBG_HASHSHA512 | DRBG_HMAC) |
225 | | |
226 | | |
227 | | /* The default DRGB type. */ |
228 | 0 | #define DRBG_DEFAULT_TYPE DRBG_NOPR_HMACSHA256 |
229 | | |
230 | | |
231 | | #define DRBG_CTR_NULL_LEN 128 |
232 | | |
233 | | |
234 | | /****************************************************************** |
235 | | * Common data structures |
236 | | ******************************************************************/ |
237 | | |
238 | | /* |
239 | | * SP800-90A requires the concatenation of different data. To avoid copying |
240 | | * buffers around or allocate additional memory, the following data structure |
241 | | * is used to point to the original memory with its size. In addition, it |
242 | | * is used to build a linked list. The linked list defines the concatenation |
243 | | * of individual buffers. The order of memory block referenced in that |
244 | | * linked list determines the order of concatenation. |
245 | | */ |
246 | | struct drbg_string_s |
247 | | { |
248 | | const unsigned char *buf; |
249 | | size_t len; |
250 | | struct drbg_string_s *next; |
251 | | }; |
252 | | typedef struct drbg_string_s drbg_string_t; |
253 | | |
254 | | |
255 | | /* DRBG input data structure for DRBG generate with additional |
256 | | * information string. */ |
257 | | struct drbg_gen_s |
258 | | { |
259 | | unsigned char *outbuf; /* output buffer for random numbers */ |
260 | | unsigned int outlen; /* size of output buffer */ |
261 | | drbg_string_t *addtl; /* input buffer for |
262 | | * additional information string */ |
263 | | }; |
264 | | typedef struct drbg_gen_s drbg_gen_t; |
265 | | |
266 | | |
267 | | /* Forward declaration of the state object pointer. */ |
268 | | struct drbg_state_s; |
269 | | typedef struct drbg_state_s *drbg_state_t; |
270 | | |
271 | | |
272 | | struct drbg_core_s |
273 | | { |
274 | | u32 flags; /* flags for the cipher */ |
275 | | ushort statelen; /* maximum state length */ |
276 | | ushort blocklen_bytes; /* block size of output in bytes */ |
277 | | int backend_cipher; /* libgcrypt backend cipher */ |
278 | | }; |
279 | | |
280 | | struct drbg_state_ops_s |
281 | | { |
282 | | gpg_err_code_t (*update) (drbg_state_t drbg, |
283 | | drbg_string_t *seed, int reseed); |
284 | | gpg_err_code_t (*generate) (drbg_state_t drbg, |
285 | | unsigned char *buf, unsigned int buflen, |
286 | | drbg_string_t *addtl); |
287 | | gpg_err_code_t (*crypto_init) (drbg_state_t drbg); |
288 | | void (*crypto_fini) (drbg_state_t drbg); |
289 | | }; |
290 | | |
291 | | struct drbg_test_data_s |
292 | | { |
293 | | drbg_string_t *testentropy; /* TEST PARAMETER: test entropy */ |
294 | | unsigned int fail_seed_source:1; /* If set, the seed function will |
295 | | * return an error. */ |
296 | | }; |
297 | | |
298 | | |
299 | | /* This state object keeps the state of an DRBG instance. */ |
300 | | struct drbg_state_s |
301 | | { |
302 | | unsigned char *V; /* internal state 10.1.1.1 1a) */ |
303 | | unsigned char *C; /* hash: static value 10.1.1.1 1b) |
304 | | * hmac / ctr: key */ |
305 | | size_t reseed_ctr; /* Number of RNG requests since last reseed -- |
306 | | * 10.1.1.1 1c) */ |
307 | | unsigned char *scratchpad; /* some memory the DRBG can use for its |
308 | | * operation -- allocated during init */ |
309 | | void *priv_data; /* Cipher handle */ |
310 | | gcry_cipher_hd_t ctr_handle; /* CTR mode cipher handle */ |
311 | | unsigned int seeded:1; /* DRBG fully seeded? */ |
312 | | unsigned int pr:1; /* Prediction resistance enabled? */ |
313 | | /* Taken from libgcrypt ANSI X9.31 DRNG: We need to keep track of the |
314 | | * process which did the initialization so that we can detect a fork. |
315 | | * The volatile modifier is required so that the compiler does not |
316 | | * optimize it away in case the getpid function is badly attributed. */ |
317 | | pid_t seed_init_pid; |
318 | | const struct drbg_state_ops_s *d_ops; |
319 | | const struct drbg_core_s *core; |
320 | | struct drbg_test_data_s *test_data; |
321 | | }; |
322 | | |
323 | | enum drbg_prefixes |
324 | | { |
325 | | DRBG_PREFIX0 = 0x00, |
326 | | DRBG_PREFIX1, |
327 | | DRBG_PREFIX2, |
328 | | DRBG_PREFIX3 |
329 | | }; |
330 | | |
331 | 0 | #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0])) |
332 | | |
333 | | /*************************************************************** |
334 | | * Global variables |
335 | | ***************************************************************/ |
336 | | |
337 | | /* The instance of the DRBG, to be refereed by drbg_state. */ |
338 | | static struct drbg_state_s drbg_instance; |
339 | | |
340 | | /* Global state variable holding the current instance of the DRBG. */ |
341 | | static drbg_state_t drbg_state; |
342 | | |
343 | | /* This is the lock variable we use to serialize access to this RNG. */ |
344 | | GPGRT_LOCK_DEFINE(drbg_lock_var); |
345 | | |
346 | | |
347 | | /*************************************************************** |
348 | | * Backend cipher definitions available to DRBG |
349 | | ***************************************************************/ |
350 | | |
351 | | static const struct drbg_core_s drbg_cores[] = { |
352 | | /* Hash DRBGs */ |
353 | | {DRBG_HASHSHA1, 55, 20, GCRY_MD_SHA1}, |
354 | | {DRBG_HASHSHA256, 55, 32, GCRY_MD_SHA256}, |
355 | | {DRBG_HASHSHA512, 111, 64, GCRY_MD_SHA512}, |
356 | | /* HMAC DRBGs */ |
357 | | {DRBG_HASHSHA1 | DRBG_HMAC, 20, 20, GCRY_MD_SHA1}, |
358 | | {DRBG_HASHSHA256 | DRBG_HMAC, 32, 32, GCRY_MD_SHA256}, |
359 | | {DRBG_HASHSHA512 | DRBG_HMAC, 64, 64, GCRY_MD_SHA512}, |
360 | | /* block ciphers */ |
361 | | {DRBG_CTRAES | DRBG_SYM128, 32, 16, GCRY_CIPHER_AES128}, |
362 | | {DRBG_CTRAES | DRBG_SYM192, 40, 16, GCRY_CIPHER_AES192}, |
363 | | {DRBG_CTRAES | DRBG_SYM256, 48, 16, GCRY_CIPHER_AES256} |
364 | | }; |
365 | | |
366 | | static gpg_err_code_t drbg_hash_init (drbg_state_t drbg); |
367 | | static gpg_err_code_t drbg_hmac_init (drbg_state_t drbg); |
368 | | static gpg_err_code_t drbg_hmac_setkey (drbg_state_t drbg, |
369 | | const unsigned char *key); |
370 | | static void drbg_hash_fini (drbg_state_t drbg); |
371 | | static byte *drbg_hash (drbg_state_t drbg, const drbg_string_t *buf); |
372 | | static gpg_err_code_t drbg_sym_init (drbg_state_t drbg); |
373 | | static void drbg_sym_fini (drbg_state_t drbg); |
374 | | static gpg_err_code_t drbg_sym_setkey (drbg_state_t drbg, |
375 | | const unsigned char *key); |
376 | | static gpg_err_code_t drbg_sym (drbg_state_t drbg, unsigned char *outval, |
377 | | const drbg_string_t *buf); |
378 | | static gpg_err_code_t drbg_sym_ctr (drbg_state_t drbg, |
379 | | const unsigned char *inbuf, unsigned int inbuflen, |
380 | | unsigned char *outbuf, unsigned int outbuflen); |
381 | | |
382 | | /****************************************************************** |
383 | | ****************************************************************** |
384 | | ****************************************************************** |
385 | | * Generic DRBG code |
386 | | ****************************************************************** |
387 | | ****************************************************************** |
388 | | ******************************************************************/ |
389 | | |
390 | | /****************************************************************** |
391 | | * Generic helper functions |
392 | | ******************************************************************/ |
393 | | |
394 | | #if 0 |
395 | | #define dbg(x) do { log_debug x; } while(0) |
396 | | #else |
397 | | #define dbg(x) |
398 | | #endif |
399 | | |
400 | | /* |
401 | | * Parse a string of flags and store the flag values at R_FLAGS. |
402 | | * Return 0 on success. |
403 | | */ |
404 | | static gpg_err_code_t |
405 | | parse_flag_string (const char *string, u32 *r_flags) |
406 | 0 | { |
407 | 0 | struct { |
408 | 0 | const char *name; |
409 | 0 | u32 flag; |
410 | 0 | } table[] = { |
411 | 0 | { "aes", DRBG_CTRAES }, |
412 | 0 | { "serpent", DRBG_CTRSERPENT }, |
413 | 0 | { "twofish", DRBG_CTRTWOFISH }, |
414 | 0 | { "sha1", DRBG_HASHSHA1 }, |
415 | 0 | { "sha256", DRBG_HASHSHA256 }, |
416 | 0 | { "sha512", DRBG_HASHSHA512 }, |
417 | 0 | { "hmac", DRBG_HMAC }, |
418 | 0 | { "sym128", DRBG_SYM128 }, |
419 | 0 | { "sym192", DRBG_SYM192 }, |
420 | 0 | { "sym256", DRBG_SYM256 }, |
421 | 0 | { "pr", DRBG_PREDICTION_RESIST } |
422 | 0 | }; |
423 | |
|
424 | 0 | *r_flags = 0; |
425 | 0 | if (string) |
426 | 0 | { |
427 | 0 | char **tl; |
428 | 0 | const char *s; |
429 | 0 | int i, j; |
430 | |
|
431 | 0 | tl = _gcry_strtokenize (string, NULL); |
432 | 0 | if (!tl) |
433 | 0 | return gpg_err_code_from_syserror (); |
434 | 0 | for (i=0; (s=tl[i]); i++) |
435 | 0 | { |
436 | 0 | for (j=0; j < DIM (table); j++) |
437 | 0 | if (!strcmp (s, table[j].name)) |
438 | 0 | { |
439 | 0 | *r_flags |= table[j].flag; |
440 | 0 | break; |
441 | 0 | } |
442 | 0 | if (!(j < DIM (table))) |
443 | 0 | { |
444 | 0 | xfree (tl); |
445 | 0 | return GPG_ERR_INV_FLAG; |
446 | 0 | } |
447 | 0 | } |
448 | 0 | xfree (tl); |
449 | 0 | } |
450 | | |
451 | 0 | return 0; |
452 | 0 | } |
453 | | |
454 | | static inline void |
455 | | drbg_string_fill (drbg_string_t *string, |
456 | | const unsigned char *buf, size_t len) |
457 | 0 | { |
458 | 0 | string->buf = buf; |
459 | 0 | string->len = len; |
460 | 0 | string->next = NULL; |
461 | 0 | } |
462 | | |
463 | | static inline ushort |
464 | | drbg_statelen (drbg_state_t drbg) |
465 | 0 | { |
466 | 0 | if (drbg && drbg->core) |
467 | 0 | return drbg->core->statelen; |
468 | 0 | return 0; |
469 | 0 | } |
470 | | |
471 | | static inline ushort |
472 | | drbg_blocklen (drbg_state_t drbg) |
473 | 0 | { |
474 | 0 | if (drbg && drbg->core) |
475 | 0 | return drbg->core->blocklen_bytes; |
476 | 0 | return 0; |
477 | 0 | } |
478 | | |
479 | | static inline ushort |
480 | | drbg_keylen (drbg_state_t drbg) |
481 | 0 | { |
482 | 0 | if (drbg && drbg->core) |
483 | 0 | return (drbg->core->statelen - drbg->core->blocklen_bytes); |
484 | 0 | return 0; |
485 | 0 | } |
486 | | |
487 | | static inline size_t |
488 | | drbg_max_request_bytes (void) |
489 | 0 | { |
490 | | /* SP800-90A requires the limit 2**19 bits, but we return bytes */ |
491 | 0 | return (1 << 16); |
492 | 0 | } |
493 | | |
494 | | static inline size_t |
495 | | drbg_max_addtl (void) |
496 | 0 | { |
497 | | /* SP800-90A requires 2**35 bytes additional info str / pers str */ |
498 | 0 | #ifdef __LP64__ |
499 | 0 | return (1UL << 35); |
500 | | #else |
501 | | /* |
502 | | * SP800-90A allows smaller maximum numbers to be returned -- we |
503 | | * return SIZE_MAX - 1 to allow the verification of the enforcement |
504 | | * of this value in drbg_healthcheck_sanity. |
505 | | */ |
506 | | return (SIZE_MAX - 1); |
507 | | #endif |
508 | 0 | } |
509 | | |
510 | | static inline size_t |
511 | | drbg_max_requests (void) |
512 | 0 | { |
513 | | /* SP800-90A requires 2**48 maximum requests before reseeding */ |
514 | 0 | #ifdef __LP64__ |
515 | 0 | return (1UL << 48); |
516 | | #else |
517 | | return SIZE_MAX; |
518 | | #endif |
519 | 0 | } |
520 | | |
521 | | /* |
522 | | * Return strength of DRBG according to SP800-90A section 8.4 |
523 | | * |
524 | | * flags: DRBG flags reference |
525 | | * |
526 | | * Return: normalized strength value or 32 as a default to counter |
527 | | * programming errors |
528 | | */ |
529 | | static inline unsigned short |
530 | | drbg_sec_strength (u32 flags) |
531 | 0 | { |
532 | 0 | if ((flags & DRBG_HASHSHA1) || (flags & DRBG_SYM128)) |
533 | 0 | return 16; |
534 | 0 | else if (flags & DRBG_SYM192) |
535 | 0 | return 24; |
536 | 0 | else if ((flags & DRBG_SYM256) || (flags & DRBG_HASHSHA256) || |
537 | 0 | (flags & DRBG_HASHSHA512)) |
538 | 0 | return 32; |
539 | 0 | else |
540 | 0 | return 32; |
541 | 0 | } |
542 | | |
543 | | static void |
544 | | drbg_add_buf (unsigned char *dst, size_t dstlen, |
545 | | unsigned char *add, size_t addlen) |
546 | 0 | { |
547 | | /* implied: dstlen > addlen */ |
548 | 0 | unsigned char *dstptr, *addptr; |
549 | 0 | unsigned int remainder = 0; |
550 | 0 | size_t len = addlen; |
551 | |
|
552 | 0 | dstptr = dst + (dstlen - 1); |
553 | 0 | addptr = add + (addlen - 1); |
554 | 0 | while (len) |
555 | 0 | { |
556 | 0 | remainder += *dstptr + *addptr; |
557 | 0 | *dstptr = remainder & 0xff; |
558 | 0 | remainder >>= 8; |
559 | 0 | len--; |
560 | 0 | dstptr--; |
561 | 0 | addptr--; |
562 | 0 | } |
563 | 0 | len = dstlen - addlen; |
564 | 0 | while (len && remainder > 0) |
565 | 0 | { |
566 | 0 | remainder = *dstptr + 1; |
567 | 0 | *dstptr = remainder & 0xff; |
568 | 0 | remainder >>= 8; |
569 | 0 | len--; |
570 | 0 | dstptr--; |
571 | 0 | } |
572 | 0 | } |
573 | | |
574 | | /* Helper variables for read_cb(). |
575 | | * |
576 | | * The _gcry_rnd*_gather_random interface does not allow to provide a |
577 | | * data pointer. Thus we need to use a global variable for |
578 | | * communication. However, the then required locking is anyway a good |
579 | | * idea because it does not make sense to have several readers of (say |
580 | | * /dev/random). It is easier to serve them one after the other. |
581 | | */ |
582 | | static unsigned char *read_cb_buffer; /* The buffer. */ |
583 | | static size_t read_cb_size; /* Size of the buffer. */ |
584 | | static size_t read_cb_len; /* Used length. */ |
585 | | |
586 | | /* Callback for generating seed from kernel device. */ |
587 | | static void |
588 | | drbg_read_cb (const void *buffer, size_t length, |
589 | | enum random_origins origin) |
590 | 0 | { |
591 | 0 | const unsigned char *p = buffer; |
592 | |
|
593 | 0 | (void) origin; |
594 | 0 | gcry_assert (read_cb_buffer); |
595 | | |
596 | | /* Note that we need to protect against gatherers returning more |
597 | | * than the requested bytes (e.g. rndw32). */ |
598 | 0 | while (length-- && read_cb_len < read_cb_size) |
599 | 0 | read_cb_buffer[read_cb_len++] = *p++; |
600 | 0 | } |
601 | | |
602 | | static inline int |
603 | | drbg_get_entropy (drbg_state_t drbg, unsigned char *buffer, |
604 | | size_t len) |
605 | 0 | { |
606 | 0 | int rc = 0; |
607 | | |
608 | | /* Perform testing as defined in 11.3.2 */ |
609 | 0 | if (drbg->test_data && drbg->test_data->fail_seed_source) |
610 | 0 | return -1; |
611 | | |
612 | 0 | read_cb_buffer = buffer; |
613 | 0 | read_cb_size = len; |
614 | 0 | read_cb_len = 0; |
615 | 0 | #if USE_RNDGETENTROPY |
616 | 0 | rc = _gcry_rndgetentropy_gather_random (drbg_read_cb, 0, len, |
617 | 0 | GCRY_VERY_STRONG_RANDOM); |
618 | | #elif USE_RNDOLDLINUX |
619 | | rc = _gcry_rndoldlinux_gather_random (drbg_read_cb, 0, len, |
620 | | GCRY_VERY_STRONG_RANDOM); |
621 | | #elif USE_RNDUNIX |
622 | | rc = _gcry_rndunix_gather_random (drbg_read_cb, 0, len, |
623 | | GCRY_VERY_STRONG_RANDOM); |
624 | | #elif USE_RNDW32 |
625 | | do |
626 | | { |
627 | | rc = _gcry_rndw32_gather_random (drbg_read_cb, 0, len, |
628 | | GCRY_VERY_STRONG_RANDOM); |
629 | | } |
630 | | while (rc >= 0 && read_cb_len < read_cb_size); |
631 | | #else |
632 | | rc = -1; |
633 | | #endif |
634 | 0 | return rc; |
635 | 0 | } |
636 | | |
637 | | /****************************************************************** |
638 | | * CTR DRBG callback functions |
639 | | ******************************************************************/ |
640 | | |
641 | | /* BCC function for CTR DRBG as defined in 10.4.3 */ |
642 | | static gpg_err_code_t |
643 | | drbg_ctr_bcc (drbg_state_t drbg, |
644 | | unsigned char *out, const unsigned char *key, |
645 | | drbg_string_t *in) |
646 | 0 | { |
647 | 0 | gpg_err_code_t ret = GPG_ERR_GENERAL; |
648 | 0 | drbg_string_t *curr = in; |
649 | 0 | size_t inpos = curr->len; |
650 | 0 | const unsigned char *pos = curr->buf; |
651 | 0 | drbg_string_t data; |
652 | |
|
653 | 0 | drbg_string_fill (&data, out, drbg_blocklen (drbg)); |
654 | | |
655 | | /* 10.4.3 step 1 */ |
656 | 0 | memset (out, 0, drbg_blocklen (drbg)); |
657 | |
|
658 | 0 | ret = drbg_sym_setkey(drbg, key); |
659 | 0 | if (ret) |
660 | 0 | return ret; |
661 | | |
662 | | /* 10.4.3 step 2 / 4 */ |
663 | 0 | while (inpos) |
664 | 0 | { |
665 | 0 | short cnt = 0; |
666 | | /* 10.4.3 step 4.1 */ |
667 | 0 | for (cnt = 0; cnt < drbg_blocklen (drbg); cnt++) |
668 | 0 | { |
669 | 0 | out[cnt] ^= *pos; |
670 | 0 | pos++; |
671 | 0 | inpos--; |
672 | | /* the following branch implements the linked list |
673 | | * iteration. If we are at the end of the current data |
674 | | * set, we have to start using the next data set if |
675 | | * available -- the inpos value always points to the |
676 | | * current byte and will be zero if we have processed |
677 | | * the last byte of the last linked list member */ |
678 | 0 | if (0 == inpos) |
679 | 0 | { |
680 | 0 | curr = curr->next; |
681 | 0 | if (NULL != curr) |
682 | 0 | { |
683 | 0 | pos = curr->buf; |
684 | 0 | inpos = curr->len; |
685 | 0 | } |
686 | 0 | else |
687 | 0 | { |
688 | 0 | inpos = 0; |
689 | 0 | break; |
690 | 0 | } |
691 | 0 | } |
692 | 0 | } |
693 | | /* 10.4.3 step 4.2 */ |
694 | 0 | ret = drbg_sym (drbg, out, &data); |
695 | 0 | if (ret) |
696 | 0 | return ret; |
697 | | /* 10.4.3 step 2 */ |
698 | 0 | } |
699 | 0 | return 0; |
700 | 0 | } |
701 | | |
702 | | |
703 | | /* |
704 | | * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df |
705 | | * (and drbg_ctr_bcc, but this function does not need any temporary buffers), |
706 | | * the scratchpad is used as follows: |
707 | | * drbg_ctr_update: |
708 | | * temp |
709 | | * start: drbg->scratchpad |
710 | | * length: drbg_statelen(drbg) + drbg_blocklen(drbg) |
711 | | * note: the cipher writing into this variable works |
712 | | * blocklen-wise. Now, when the statelen is not a multiple |
713 | | * of blocklen, the generateion loop below "spills over" |
714 | | * by at most blocklen. Thus, we need to give sufficient |
715 | | * memory. |
716 | | * df_data |
717 | | * start: drbg->scratchpad + |
718 | | * drbg_statelen(drbg) + |
719 | | * drbg_blocklen(drbg) |
720 | | * length: drbg_statelen(drbg) |
721 | | * |
722 | | * drbg_ctr_df: |
723 | | * pad |
724 | | * start: df_data + drbg_statelen(drbg) |
725 | | * length: drbg_blocklen(drbg) |
726 | | * iv |
727 | | * start: pad + drbg_blocklen(drbg) |
728 | | * length: drbg_blocklen(drbg) |
729 | | * temp |
730 | | * start: iv + drbg_blocklen(drbg) |
731 | | * length: drbg_satelen(drbg) + drbg_blocklen(drbg) |
732 | | * note: temp is the buffer that the BCC function operates |
733 | | * on. BCC operates blockwise. drbg_statelen(drbg) |
734 | | * is sufficient when the DRBG state length is a multiple |
735 | | * of the block size. For AES192 (and maybe other ciphers) |
736 | | * this is not correct and the length for temp is |
737 | | * insufficient (yes, that also means for such ciphers, |
738 | | * the final output of all BCC rounds are truncated). |
739 | | * Therefore, add drbg_blocklen(drbg) to cover all |
740 | | * possibilities. |
741 | | */ |
742 | | |
743 | | /* Derivation Function for CTR DRBG as defined in 10.4.2 */ |
744 | | static gpg_err_code_t |
745 | | drbg_ctr_df (drbg_state_t drbg, unsigned char *df_data, |
746 | | size_t bytes_to_return, drbg_string_t *addtl) |
747 | 0 | { |
748 | 0 | gpg_err_code_t ret = GPG_ERR_GENERAL; |
749 | 0 | unsigned char L_N[8]; |
750 | | /* S3 is input */ |
751 | 0 | drbg_string_t S1, S2, S4, cipherin; |
752 | 0 | drbg_string_t *tempstr = addtl; |
753 | 0 | unsigned char *pad = df_data + drbg_statelen (drbg); |
754 | 0 | unsigned char *iv = pad + drbg_blocklen (drbg); |
755 | 0 | unsigned char *temp = iv + drbg_blocklen (drbg); |
756 | 0 | size_t padlen = 0; |
757 | 0 | unsigned int templen = 0; |
758 | | /* 10.4.2 step 7 */ |
759 | 0 | unsigned int i = 0; |
760 | | /* 10.4.2 step 8 */ |
761 | 0 | const unsigned char *K = (unsigned char *) |
762 | 0 | "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" |
763 | 0 | "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; |
764 | 0 | unsigned char *X; |
765 | 0 | size_t generated_len = 0; |
766 | 0 | size_t inputlen = 0; |
767 | |
|
768 | 0 | memset (pad, 0, drbg_blocklen (drbg)); |
769 | 0 | memset (iv, 0, drbg_blocklen (drbg)); |
770 | 0 | memset (temp, 0, drbg_statelen (drbg)); |
771 | | |
772 | | /* 10.4.2 step 1 is implicit as we work byte-wise */ |
773 | | |
774 | | /* 10.4.2 step 2 */ |
775 | 0 | if ((512 / 8) < bytes_to_return) |
776 | 0 | return GPG_ERR_INV_ARG; |
777 | | |
778 | | /* 10.4.2 step 2 -- calculate the entire length of all input data */ |
779 | 0 | for (; NULL != tempstr; tempstr = tempstr->next) |
780 | 0 | inputlen += tempstr->len; |
781 | 0 | buf_put_be32 (&L_N[0], inputlen); |
782 | | |
783 | | /* 10.4.2 step 3 */ |
784 | 0 | buf_put_be32 (&L_N[4], bytes_to_return); |
785 | | |
786 | | /* 10.4.2 step 5: length is size of L_N, input_string, one byte, padding */ |
787 | 0 | padlen = (inputlen + sizeof (L_N) + 1) % (drbg_blocklen (drbg)); |
788 | | /* wrap the padlen appropriately */ |
789 | 0 | if (padlen) |
790 | 0 | padlen = drbg_blocklen (drbg) - padlen; |
791 | | /* pad / padlen contains the 0x80 byte and the following zero bytes, so |
792 | | * add one for byte for 0x80 */ |
793 | 0 | padlen++; |
794 | 0 | pad[0] = 0x80; |
795 | | |
796 | | /* 10.4.2 step 4 -- first fill the linked list and then order it */ |
797 | 0 | drbg_string_fill (&S1, iv, drbg_blocklen (drbg)); |
798 | 0 | drbg_string_fill (&S2, L_N, sizeof (L_N)); |
799 | 0 | drbg_string_fill (&S4, pad, padlen); |
800 | 0 | S1.next = &S2; |
801 | 0 | S2.next = addtl; |
802 | | |
803 | | /* Splice in addtl between S2 and S4 -- we place S4 at the end of the |
804 | | * input data chain. As this code is only triggered when addtl is not |
805 | | * NULL, no NULL checks are necessary.*/ |
806 | 0 | tempstr = addtl; |
807 | 0 | while (tempstr->next) |
808 | 0 | tempstr = tempstr->next; |
809 | 0 | tempstr->next = &S4; |
810 | | |
811 | | /* 10.4.2 step 9 */ |
812 | 0 | while (templen < (drbg_keylen (drbg) + (drbg_blocklen (drbg)))) |
813 | 0 | { |
814 | | /* 10.4.2 step 9.1 - the padding is implicit as the buffer |
815 | | * holds zeros after allocation -- even the increment of i |
816 | | * is irrelevant as the increment remains within length of i */ |
817 | 0 | buf_put_be32 (iv, i); |
818 | | /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ |
819 | 0 | ret = drbg_ctr_bcc (drbg, temp + templen, K, &S1); |
820 | 0 | if (ret) |
821 | 0 | goto out; |
822 | | /* 10.4.2 step 9.3 */ |
823 | 0 | i++; |
824 | 0 | templen += drbg_blocklen (drbg); |
825 | 0 | } |
826 | | |
827 | | /* 10.4.2 step 11 */ |
828 | | /* implicit key len with seedlen - blocklen according to table 3 */ |
829 | 0 | X = temp + (drbg_keylen (drbg)); |
830 | 0 | drbg_string_fill (&cipherin, X, drbg_blocklen (drbg)); |
831 | | |
832 | | /* 10.4.2 step 12: overwriting of outval */ |
833 | | |
834 | | /* 10.4.2 step 13 */ |
835 | 0 | ret = drbg_sym_setkey(drbg, temp); |
836 | 0 | if (ret) |
837 | 0 | goto out; |
838 | 0 | while (generated_len < bytes_to_return) |
839 | 0 | { |
840 | 0 | short blocklen = 0; |
841 | | /* 10.4.2 step 13.1 */ |
842 | | /* the truncation of the key length is implicit as the key |
843 | | * is only drbg_blocklen in size -- check for the implementation |
844 | | * of the cipher function callback */ |
845 | 0 | ret = drbg_sym (drbg, X, &cipherin); |
846 | 0 | if (ret) |
847 | 0 | goto out; |
848 | 0 | blocklen = (drbg_blocklen (drbg) < (bytes_to_return - generated_len)) ? |
849 | 0 | drbg_blocklen (drbg) : (bytes_to_return - generated_len); |
850 | | /* 10.4.2 step 13.2 and 14 */ |
851 | 0 | memcpy (df_data + generated_len, X, blocklen); |
852 | 0 | generated_len += blocklen; |
853 | 0 | } |
854 | | |
855 | 0 | ret = 0; |
856 | |
|
857 | 0 | out: |
858 | 0 | memset (iv, 0, drbg_blocklen (drbg)); |
859 | 0 | memset (temp, 0, drbg_statelen (drbg)); |
860 | 0 | memset (pad, 0, drbg_blocklen (drbg)); |
861 | 0 | return ret; |
862 | 0 | } |
863 | | |
864 | | /* |
865 | | * Update function of CTR DRBG as defined in 10.2.1.2 |
866 | | * |
867 | | * The reseed variable has an enhanced meaning compared to the update |
868 | | * functions of the other DRBGs as follows: |
869 | | * 0 => initial seed from initialization |
870 | | * 1 => reseed via drbg_seed |
871 | | * 2 => first invocation from drbg_ctr_update when addtl is present. In |
872 | | * this case, the df_data scratchpad is not deleted so that it is |
873 | | * available for another calls to prevent calling the DF function |
874 | | * again. |
875 | | * 3 => second invocation from drbg_ctr_update. When the update function |
876 | | * was called with addtl, the df_data memory already contains the |
877 | | * DFed addtl information and we do not need to call DF again. |
878 | | */ |
879 | | static gpg_err_code_t |
880 | | drbg_ctr_update (drbg_state_t drbg, drbg_string_t *addtl, int reseed) |
881 | 0 | { |
882 | 0 | gpg_err_code_t ret = GPG_ERR_GENERAL; |
883 | | /* 10.2.1.2 step 1 */ |
884 | 0 | unsigned char *temp = drbg->scratchpad; |
885 | 0 | unsigned char *df_data = drbg->scratchpad + |
886 | 0 | drbg_statelen (drbg) + drbg_blocklen (drbg); |
887 | 0 | unsigned char prefix = DRBG_PREFIX1; |
888 | |
|
889 | 0 | memset (temp, 0, drbg_statelen (drbg) + drbg_blocklen (drbg)); |
890 | 0 | if (3 > reseed) |
891 | 0 | memset (df_data, 0, drbg_statelen (drbg)); |
892 | |
|
893 | 0 | if (!reseed) |
894 | 0 | { |
895 | | /* |
896 | | * The DRBG uses the CTR mode of the underlying AES cipher. The |
897 | | * CTR mode increments the counter value after the AES operation |
898 | | * but SP800-90A requires that the counter is incremented before |
899 | | * the AES operation. Hence, we increment it at the time we set |
900 | | * it by one. |
901 | | */ |
902 | 0 | drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1); |
903 | |
|
904 | 0 | ret = _gcry_cipher_setkey (drbg->ctr_handle, drbg->C, drbg_keylen (drbg)); |
905 | 0 | if (ret) |
906 | 0 | goto out; |
907 | 0 | } |
908 | | |
909 | | /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ |
910 | 0 | if (addtl && 0 < addtl->len) |
911 | 0 | { |
912 | 0 | ret = |
913 | 0 | drbg_ctr_df (drbg, df_data, drbg_statelen (drbg), addtl); |
914 | 0 | if (ret) |
915 | 0 | goto out; |
916 | 0 | } |
917 | | |
918 | 0 | ret = drbg_sym_ctr (drbg, df_data, drbg_statelen(drbg), |
919 | 0 | temp, drbg_statelen(drbg)); |
920 | 0 | if (ret) |
921 | 0 | goto out; |
922 | | |
923 | | /* 10.2.1.2 step 5 */ |
924 | 0 | ret = _gcry_cipher_setkey (drbg->ctr_handle, temp, drbg_keylen (drbg)); |
925 | 0 | if (ret) |
926 | 0 | goto out; |
927 | | |
928 | | /* 10.2.1.2 step 6 */ |
929 | 0 | memcpy (drbg->V, temp + drbg_keylen (drbg), drbg_blocklen (drbg)); |
930 | | /* See above: increment counter by one to compensate timing of CTR op */ |
931 | 0 | drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1); |
932 | 0 | ret = 0; |
933 | |
|
934 | 0 | out: |
935 | 0 | memset (temp, 0, drbg_statelen (drbg) + drbg_blocklen (drbg)); |
936 | 0 | if (2 != reseed) |
937 | 0 | memset (df_data, 0, drbg_statelen (drbg)); |
938 | 0 | return ret; |
939 | 0 | } |
940 | | |
941 | | /* |
942 | | * scratchpad use: drbg_ctr_update is called independently from |
943 | | * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused |
944 | | */ |
945 | | /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ |
946 | | static gpg_err_code_t |
947 | | drbg_ctr_generate (drbg_state_t drbg, |
948 | | unsigned char *buf, unsigned int buflen, |
949 | | drbg_string_t *addtl) |
950 | 0 | { |
951 | 0 | static const unsigned char drbg_ctr_null[DRBG_CTR_NULL_LEN] = { 0, }; |
952 | 0 | gpg_err_code_t ret = 0; |
953 | |
|
954 | 0 | memset (drbg->scratchpad, 0, drbg_blocklen (drbg)); |
955 | | |
956 | | /* 10.2.1.5.2 step 2 */ |
957 | 0 | if (addtl && 0 < addtl->len) |
958 | 0 | { |
959 | 0 | addtl->next = NULL; |
960 | 0 | ret = drbg_ctr_update (drbg, addtl, 2); |
961 | 0 | if (ret) |
962 | 0 | return ret; |
963 | 0 | } |
964 | | |
965 | | /* 10.2.1.5.2 step 4.1 */ |
966 | 0 | ret = drbg_sym_ctr (drbg, drbg_ctr_null, sizeof(drbg_ctr_null), buf, buflen); |
967 | 0 | if (ret) |
968 | 0 | goto out; |
969 | | |
970 | | /* 10.2.1.5.2 step 6 */ |
971 | 0 | if (addtl) |
972 | 0 | addtl->next = NULL; |
973 | 0 | ret = drbg_ctr_update (drbg, addtl, 3); |
974 | |
|
975 | 0 | out: |
976 | 0 | return ret; |
977 | 0 | } |
978 | | |
979 | | static struct drbg_state_ops_s drbg_ctr_ops = { |
980 | | drbg_ctr_update, |
981 | | drbg_ctr_generate, |
982 | | drbg_sym_init, |
983 | | drbg_sym_fini, |
984 | | }; |
985 | | |
986 | | /****************************************************************** |
987 | | * HMAC DRBG callback functions |
988 | | ******************************************************************/ |
989 | | |
990 | | static gpg_err_code_t |
991 | | drbg_hmac_update (drbg_state_t drbg, drbg_string_t *seed, int reseed) |
992 | 0 | { |
993 | 0 | gpg_err_code_t ret = GPG_ERR_GENERAL; |
994 | 0 | int i = 0; |
995 | 0 | drbg_string_t seed1, seed2, cipherin; |
996 | |
|
997 | 0 | if (!reseed) |
998 | 0 | { |
999 | | /* 10.1.2.3 step 2 already implicitly covered with |
1000 | | * the initial memset(0) of drbg->C */ |
1001 | 0 | memset (drbg->V, 1, drbg_statelen (drbg)); |
1002 | 0 | ret = drbg_hmac_setkey (drbg, drbg->C); |
1003 | 0 | if (ret) |
1004 | 0 | return ret; |
1005 | 0 | } |
1006 | | |
1007 | | /* build linked list which implements the concatenation and fill |
1008 | | * first part*/ |
1009 | 0 | drbg_string_fill (&seed1, drbg->V, drbg_statelen (drbg)); |
1010 | | /* buffer will be filled in for loop below with one byte */ |
1011 | 0 | drbg_string_fill (&seed2, NULL, 1); |
1012 | 0 | seed1.next = &seed2; |
1013 | | /* seed may be NULL */ |
1014 | 0 | seed2.next = seed; |
1015 | |
|
1016 | 0 | drbg_string_fill (&cipherin, drbg->V, drbg_statelen (drbg)); |
1017 | | /* we execute two rounds of V/K massaging */ |
1018 | 0 | for (i = 2; 0 < i; i--) |
1019 | 0 | { |
1020 | 0 | byte *retval; |
1021 | | /* first round uses 0x0, second 0x1 */ |
1022 | 0 | unsigned char prefix = DRBG_PREFIX0; |
1023 | 0 | if (1 == i) |
1024 | 0 | prefix = DRBG_PREFIX1; |
1025 | | /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ |
1026 | 0 | seed2.buf = &prefix; |
1027 | 0 | retval = drbg_hash (drbg, &seed1); |
1028 | 0 | ret = drbg_hmac_setkey (drbg, retval); |
1029 | 0 | if (ret) |
1030 | 0 | return ret; |
1031 | | |
1032 | | /* 10.1.2.2 step 2 and 5 -- HMAC for V */ |
1033 | 0 | retval = drbg_hash (drbg, &cipherin); |
1034 | 0 | memcpy(drbg->V, retval, drbg_blocklen (drbg)); |
1035 | | |
1036 | | /* 10.1.2.2 step 3 */ |
1037 | 0 | if (!seed || 0 == seed->len) |
1038 | 0 | return ret; |
1039 | 0 | } |
1040 | 0 | return 0; |
1041 | 0 | } |
1042 | | |
1043 | | /* generate function of HMAC DRBG as defined in 10.1.2.5 */ |
1044 | | static gpg_err_code_t |
1045 | | drbg_hmac_generate (drbg_state_t drbg, unsigned char *buf, unsigned int buflen, |
1046 | | drbg_string_t *addtl) |
1047 | 0 | { |
1048 | 0 | gpg_err_code_t ret = 0; |
1049 | 0 | unsigned int len = 0; |
1050 | 0 | drbg_string_t data; |
1051 | | |
1052 | | /* 10.1.2.5 step 2 */ |
1053 | 0 | if (addtl && 0 < addtl->len) |
1054 | 0 | { |
1055 | 0 | addtl->next = NULL; |
1056 | 0 | ret = drbg_hmac_update (drbg, addtl, 1); |
1057 | 0 | if (ret) |
1058 | 0 | return ret; |
1059 | 0 | } |
1060 | | |
1061 | 0 | drbg_string_fill (&data, drbg->V, drbg_statelen (drbg)); |
1062 | 0 | while (len < buflen) |
1063 | 0 | { |
1064 | 0 | unsigned int outlen = 0; |
1065 | | /* 10.1.2.5 step 4.1 */ |
1066 | 0 | byte *retval = drbg_hash (drbg, &data); |
1067 | 0 | memcpy(drbg->V, retval, drbg_blocklen (drbg)); |
1068 | 0 | outlen = (drbg_blocklen (drbg) < (buflen - len)) ? |
1069 | 0 | drbg_blocklen (drbg) : (buflen - len); |
1070 | | |
1071 | | /* 10.1.2.5 step 4.2 */ |
1072 | 0 | memcpy (buf + len, drbg->V, outlen); |
1073 | 0 | len += outlen; |
1074 | 0 | } |
1075 | | |
1076 | | /* 10.1.2.5 step 6 */ |
1077 | 0 | if (addtl) |
1078 | 0 | addtl->next = NULL; |
1079 | 0 | ret = drbg_hmac_update (drbg, addtl, 1); |
1080 | |
|
1081 | 0 | return ret; |
1082 | 0 | } |
1083 | | |
1084 | | static struct drbg_state_ops_s drbg_hmac_ops = { |
1085 | | drbg_hmac_update, |
1086 | | drbg_hmac_generate, |
1087 | | drbg_hmac_init, |
1088 | | drbg_hash_fini, |
1089 | | }; |
1090 | | |
1091 | | /****************************************************************** |
1092 | | * Hash DRBG callback functions |
1093 | | ******************************************************************/ |
1094 | | |
1095 | | /* |
1096 | | * scratchpad usage: as drbg_hash_update and drbg_hash_df are used |
1097 | | * interlinked, the scratchpad is used as follows: |
1098 | | * drbg_hash_update |
1099 | | * start: drbg->scratchpad |
1100 | | * length: drbg_statelen(drbg) |
1101 | | * drbg_hash_df: |
1102 | | * start: drbg->scratchpad + drbg_statelen(drbg) |
1103 | | * length: drbg_blocklen(drbg) |
1104 | | */ |
1105 | | /* Derivation Function for Hash DRBG as defined in 10.4.1 */ |
1106 | | static gpg_err_code_t |
1107 | | drbg_hash_df (drbg_state_t drbg, |
1108 | | unsigned char *outval, size_t outlen, |
1109 | | drbg_string_t *entropy) |
1110 | 0 | { |
1111 | 0 | size_t len = 0; |
1112 | 0 | unsigned char input[5]; |
1113 | 0 | drbg_string_t data1; |
1114 | | |
1115 | | /* 10.4.1 step 3 */ |
1116 | 0 | input[0] = 1; |
1117 | 0 | buf_put_be32 (&input[1], (outlen * 8)); |
1118 | | |
1119 | | /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ |
1120 | 0 | drbg_string_fill (&data1, input, 5); |
1121 | 0 | data1.next = entropy; |
1122 | | |
1123 | | /* 10.4.1 step 4 */ |
1124 | 0 | while (len < outlen) |
1125 | 0 | { |
1126 | 0 | short blocklen = 0; |
1127 | | /* 10.4.1 step 4.1 */ |
1128 | 0 | byte *retval = drbg_hash (drbg, &data1); |
1129 | | /* 10.4.1 step 4.2 */ |
1130 | 0 | input[0]++; |
1131 | 0 | blocklen = (drbg_blocklen (drbg) < (outlen - len)) ? |
1132 | 0 | drbg_blocklen (drbg) : (outlen - len); |
1133 | 0 | memcpy (outval + len, retval, blocklen); |
1134 | 0 | len += blocklen; |
1135 | 0 | } |
1136 | |
|
1137 | 0 | return 0; |
1138 | 0 | } |
1139 | | |
1140 | | /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ |
1141 | | static gpg_err_code_t |
1142 | | drbg_hash_update (drbg_state_t drbg, drbg_string_t *seed, int reseed) |
1143 | 0 | { |
1144 | 0 | gpg_err_code_t ret = 0; |
1145 | 0 | drbg_string_t data1, data2; |
1146 | 0 | unsigned char *V = drbg->scratchpad; |
1147 | 0 | unsigned char prefix = DRBG_PREFIX1; |
1148 | |
|
1149 | 0 | memset (drbg->scratchpad, 0, drbg_statelen (drbg)); |
1150 | 0 | if (!seed) |
1151 | 0 | return GPG_ERR_INV_ARG; |
1152 | | |
1153 | 0 | if (reseed) |
1154 | 0 | { |
1155 | | /* 10.1.1.3 step 1: string length is concatenation of |
1156 | | * 1 byte, V and seed (which is concatenated entropy/addtl |
1157 | | * input) |
1158 | | */ |
1159 | 0 | memcpy (V, drbg->V, drbg_statelen (drbg)); |
1160 | 0 | drbg_string_fill (&data1, &prefix, 1); |
1161 | 0 | drbg_string_fill (&data2, V, drbg_statelen (drbg)); |
1162 | 0 | data1.next = &data2; |
1163 | 0 | data2.next = seed; |
1164 | 0 | } |
1165 | 0 | else |
1166 | 0 | { |
1167 | 0 | drbg_string_fill (&data1, seed->buf, seed->len); |
1168 | 0 | data1.next = seed->next; |
1169 | 0 | } |
1170 | | |
1171 | | /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ |
1172 | 0 | ret = drbg_hash_df (drbg, drbg->V, drbg_statelen (drbg), &data1); |
1173 | 0 | if (ret) |
1174 | 0 | goto out; |
1175 | | |
1176 | | /* 10.1.1.2 / 10.1.1.3 step 4 -- concatenation */ |
1177 | 0 | prefix = DRBG_PREFIX0; |
1178 | 0 | drbg_string_fill (&data1, &prefix, 1); |
1179 | 0 | drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg)); |
1180 | 0 | data1.next = &data2; |
1181 | | /* 10.1.1.2 / 10.1.1.3 step 4 -- df operation */ |
1182 | 0 | ret = drbg_hash_df (drbg, drbg->C, drbg_statelen (drbg), &data1); |
1183 | |
|
1184 | 0 | out: |
1185 | 0 | memset (drbg->scratchpad, 0, drbg_statelen (drbg)); |
1186 | 0 | return ret; |
1187 | 0 | } |
1188 | | |
1189 | | /* Processing of additional information string for Hash DRBG. */ |
1190 | | static gpg_err_code_t |
1191 | | drbg_hash_process_addtl (drbg_state_t drbg, drbg_string_t *addtl) |
1192 | 0 | { |
1193 | 0 | drbg_string_t data1, data2; |
1194 | 0 | drbg_string_t *data3; |
1195 | 0 | unsigned char prefix = DRBG_PREFIX2; |
1196 | 0 | byte *retval; |
1197 | | |
1198 | | /* 10.1.1.4 step 2 */ |
1199 | 0 | if (!addtl || 0 == addtl->len) |
1200 | 0 | return 0; |
1201 | | |
1202 | | /* 10.1.1.4 step 2a -- concatenation */ |
1203 | 0 | drbg_string_fill (&data1, &prefix, 1); |
1204 | 0 | drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg)); |
1205 | 0 | data3 = addtl; |
1206 | 0 | data1.next = &data2; |
1207 | 0 | data2.next = data3; |
1208 | 0 | data3->next = NULL; |
1209 | | /* 10.1.1.4 step 2a -- cipher invocation */ |
1210 | 0 | retval = drbg_hash (drbg, &data1); |
1211 | | |
1212 | | /* 10.1.1.4 step 2b */ |
1213 | 0 | drbg_add_buf (drbg->V, drbg_statelen (drbg), retval, drbg_blocklen (drbg)); |
1214 | |
|
1215 | 0 | return 0; |
1216 | 0 | } |
1217 | | |
1218 | | /* |
1219 | | * Hashgen defined in 10.1.1.4 |
1220 | | */ |
1221 | | static gpg_err_code_t |
1222 | | drbg_hash_hashgen (drbg_state_t drbg, unsigned char *buf, unsigned int buflen) |
1223 | 0 | { |
1224 | 0 | unsigned int len = 0; |
1225 | 0 | unsigned char *src = drbg->scratchpad; |
1226 | 0 | drbg_string_t data; |
1227 | 0 | unsigned char prefix = DRBG_PREFIX1; |
1228 | | |
1229 | | /* 10.1.1.4 step hashgen 2 */ |
1230 | 0 | memcpy (src, drbg->V, drbg_statelen (drbg)); |
1231 | |
|
1232 | 0 | drbg_string_fill (&data, src, drbg_statelen (drbg)); |
1233 | 0 | while (len < buflen) |
1234 | 0 | { |
1235 | 0 | unsigned int outlen = 0; |
1236 | | /* 10.1.1.4 step hashgen 4.1 */ |
1237 | 0 | byte *retval = drbg_hash (drbg, &data); |
1238 | 0 | outlen = (drbg_blocklen (drbg) < (buflen - len)) ? |
1239 | 0 | drbg_blocklen (drbg) : (buflen - len); |
1240 | | /* 10.1.1.4 step hashgen 4.2 */ |
1241 | 0 | memcpy (buf + len, retval, outlen); |
1242 | 0 | len += outlen; |
1243 | | /* 10.1.1.4 hashgen step 4.3 */ |
1244 | 0 | if (len < buflen) |
1245 | 0 | drbg_add_buf (src, drbg_statelen (drbg), &prefix, 1); |
1246 | 0 | } |
1247 | |
|
1248 | 0 | memset (drbg->scratchpad, 0, drbg_statelen (drbg)); |
1249 | 0 | return 0; |
1250 | 0 | } |
1251 | | |
1252 | | /* Generate function for Hash DRBG as defined in 10.1.1.4 */ |
1253 | | static gpg_err_code_t |
1254 | | drbg_hash_generate (drbg_state_t drbg, unsigned char *buf, unsigned int buflen, |
1255 | | drbg_string_t *addtl) |
1256 | 0 | { |
1257 | 0 | gpg_err_code_t ret; |
1258 | 0 | unsigned char prefix = DRBG_PREFIX3; |
1259 | 0 | drbg_string_t data1, data2; |
1260 | 0 | byte *retval; |
1261 | 0 | union |
1262 | 0 | { |
1263 | 0 | unsigned char req[8]; |
1264 | 0 | u64 req_int; |
1265 | 0 | } u; |
1266 | | |
1267 | | /* 10.1.1.4 step 2 */ |
1268 | 0 | ret = drbg_hash_process_addtl (drbg, addtl); |
1269 | 0 | if (ret) |
1270 | 0 | return ret; |
1271 | | /* 10.1.1.4 step 3 -- invocation of the Hashgen function defined in |
1272 | | * 10.1.1.4 */ |
1273 | 0 | ret = drbg_hash_hashgen (drbg, buf, buflen); |
1274 | 0 | if (ret) |
1275 | 0 | return ret; |
1276 | | |
1277 | | /* 10.1.1.4 step 4 */ |
1278 | 0 | drbg_string_fill (&data1, &prefix, 1); |
1279 | 0 | drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg)); |
1280 | 0 | data1.next = &data2; |
1281 | | |
1282 | | /* this is the value H as documented in 10.1.1.4 */ |
1283 | 0 | retval = drbg_hash (drbg, &data1); |
1284 | | |
1285 | | /* 10.1.1.4 step 5 */ |
1286 | 0 | drbg_add_buf (drbg->V, drbg_statelen (drbg), retval, drbg_blocklen (drbg)); |
1287 | 0 | drbg_add_buf (drbg->V, drbg_statelen (drbg), drbg->C, drbg_statelen (drbg)); |
1288 | 0 | u.req_int = be_bswap64 (drbg->reseed_ctr); |
1289 | 0 | drbg_add_buf (drbg->V, drbg_statelen (drbg), u.req, sizeof (u.req)); |
1290 | |
|
1291 | 0 | return ret; |
1292 | 0 | } |
1293 | | |
1294 | | /* |
1295 | | * scratchpad usage: as update and generate are used isolated, both |
1296 | | * can use the scratchpad |
1297 | | */ |
1298 | | static struct drbg_state_ops_s drbg_hash_ops = { |
1299 | | drbg_hash_update, |
1300 | | drbg_hash_generate, |
1301 | | drbg_hash_init, |
1302 | | drbg_hash_fini, |
1303 | | }; |
1304 | | |
1305 | | /****************************************************************** |
1306 | | * Functions common for DRBG implementations |
1307 | | ******************************************************************/ |
1308 | | |
1309 | | /* |
1310 | | * Seeding or reseeding of the DRBG |
1311 | | * |
1312 | | * @drbg: DRBG state struct |
1313 | | * @pers: personalization / additional information buffer |
1314 | | * @reseed: 0 for initial seed process, 1 for reseeding |
1315 | | * |
1316 | | * return: |
1317 | | * 0 on success |
1318 | | * error value otherwise |
1319 | | */ |
1320 | | static gpg_err_code_t |
1321 | | drbg_seed (drbg_state_t drbg, drbg_string_t *pers, int reseed) |
1322 | 0 | { |
1323 | 0 | gpg_err_code_t ret = 0; |
1324 | 0 | unsigned char *entropy = NULL; |
1325 | 0 | size_t entropylen = 0; |
1326 | 0 | drbg_string_t data1; |
1327 | | |
1328 | | /* 9.1 / 9.2 / 9.3.1 step 3 */ |
1329 | 0 | if (pers && pers->len > (drbg_max_addtl ())) |
1330 | 0 | { |
1331 | 0 | dbg (("DRBG: personalization string too long %lu\n", pers->len)); |
1332 | 0 | return GPG_ERR_INV_ARG; |
1333 | 0 | } |
1334 | 0 | if (drbg->test_data && drbg->test_data->testentropy) |
1335 | 0 | { |
1336 | 0 | drbg_string_fill (&data1, drbg->test_data->testentropy->buf, |
1337 | 0 | drbg->test_data->testentropy->len); |
1338 | 0 | dbg (("DRBG: using test entropy\n")); |
1339 | 0 | } |
1340 | 0 | else |
1341 | 0 | { |
1342 | | /* Gather entropy equal to the security strength of the DRBG. |
1343 | | * With a derivation function, a nonce is required in addition |
1344 | | * to the entropy. A nonce must be at least 1/2 of the security |
1345 | | * strength of the DRBG in size. Thus, entropy * nonce is 3/2 |
1346 | | * of the strength. The consideration of a nonce is only |
1347 | | * applicable during initial seeding. */ |
1348 | 0 | entropylen = drbg_sec_strength (drbg->core->flags); |
1349 | 0 | if (!entropylen) |
1350 | 0 | return GPG_ERR_GENERAL; |
1351 | 0 | if (0 == reseed) |
1352 | | /* make sure we round up strength/2 in |
1353 | | * case it is not divisible by 2 */ |
1354 | 0 | entropylen = ((entropylen + 1) / 2) * 3; |
1355 | 0 | dbg (("DRBG: (re)seeding with %lu bytes of entropy\n", entropylen)); |
1356 | 0 | entropy = xcalloc_secure (1, entropylen); |
1357 | 0 | if (!entropy) |
1358 | 0 | return GPG_ERR_ENOMEM; |
1359 | 0 | ret = drbg_get_entropy (drbg, entropy, entropylen); |
1360 | 0 | if (ret) |
1361 | 0 | goto out; |
1362 | 0 | drbg_string_fill (&data1, entropy, entropylen); |
1363 | 0 | } |
1364 | | |
1365 | | /* concatenation of entropy with personalization str / addtl input) |
1366 | | * the variable pers is directly handed by the caller, check its |
1367 | | * contents whether it is appropriate */ |
1368 | 0 | if (pers && pers->buf && 0 < pers->len && NULL == pers->next) |
1369 | 0 | { |
1370 | 0 | data1.next = pers; |
1371 | 0 | dbg (("DRBG: using personalization string\n")); |
1372 | 0 | } |
1373 | |
|
1374 | 0 | ret = drbg->d_ops->update (drbg, &data1, reseed); |
1375 | 0 | dbg (("DRBG: state updated with seed\n")); |
1376 | 0 | if (ret) |
1377 | 0 | goto out; |
1378 | 0 | drbg->seeded = 1; |
1379 | | /* 10.1.1.2 / 10.1.1.3 step 5 */ |
1380 | 0 | drbg->reseed_ctr = 1; |
1381 | |
|
1382 | 0 | out: |
1383 | 0 | xfree (entropy); |
1384 | 0 | return ret; |
1385 | 0 | } |
1386 | | |
1387 | | |
1388 | | /************************************************************************* |
1389 | | * Exported interfaces. |
1390 | | *************************************************************************/ |
1391 | | |
1392 | | /* |
1393 | | * DRBG generate function as required by SP800-90A - this function |
1394 | | * generates random numbers |
1395 | | * |
1396 | | * @drbg DRBG state handle |
1397 | | * @buf Buffer where to store the random numbers -- the buffer must already |
1398 | | * be pre-allocated by caller |
1399 | | * @buflen Length of output buffer - this value defines the number of random |
1400 | | * bytes pulled from DRBG |
1401 | | * @addtl Additional input that is mixed into state, may be NULL -- note |
1402 | | * the entropy is pulled by the DRBG internally unconditionally |
1403 | | * as defined in SP800-90A. The additional input is mixed into |
1404 | | * the state in addition to the pulled entropy. |
1405 | | * |
1406 | | * return: Generated number of bytes. |
1407 | | */ |
1408 | | static gpg_err_code_t |
1409 | | drbg_generate (drbg_state_t drbg, |
1410 | | unsigned char *buf, unsigned int buflen, |
1411 | | drbg_string_t *addtl) |
1412 | 0 | { |
1413 | 0 | gpg_err_code_t ret = GPG_ERR_INV_ARG; |
1414 | |
|
1415 | 0 | if (0 == buflen || !buf) |
1416 | 0 | { |
1417 | 0 | dbg (("DRBG: no buffer provided\n")); |
1418 | 0 | return ret; |
1419 | 0 | } |
1420 | 0 | if (addtl && NULL == addtl->buf && 0 < addtl->len) |
1421 | 0 | { |
1422 | 0 | dbg (("DRBG: wrong format of additional information\n")); |
1423 | 0 | return ret; |
1424 | 0 | } |
1425 | | |
1426 | | /* 9.3.1 step 2 */ |
1427 | 0 | if (buflen > (drbg_max_request_bytes ())) |
1428 | 0 | { |
1429 | 0 | dbg (("DRBG: requested random numbers too large %u\n", buflen)); |
1430 | 0 | return ret; |
1431 | 0 | } |
1432 | | /* 9.3.1 step 3 is implicit with the chosen DRBG */ |
1433 | | /* 9.3.1 step 4 */ |
1434 | 0 | if (addtl && addtl->len > (drbg_max_addtl ())) |
1435 | 0 | { |
1436 | 0 | dbg (("DRBG: additional information string too long %lu\n", |
1437 | 0 | addtl->len)); |
1438 | 0 | return ret; |
1439 | 0 | } |
1440 | | /* 9.3.1 step 5 is implicit with the chosen DRBG */ |
1441 | | /* 9.3.1 step 6 and 9 supplemented by 9.3.2 step c -- the spec is a |
1442 | | * bit convoluted here, we make it simpler */ |
1443 | 0 | if ((drbg_max_requests ()) < drbg->reseed_ctr) |
1444 | 0 | drbg->seeded = 0; |
1445 | |
|
1446 | 0 | if (drbg->pr || !drbg->seeded) |
1447 | 0 | { |
1448 | 0 | dbg (("DRBG: reseeding before generation (prediction resistance: %s, state %s)\n", drbg->pr ? "true" : "false", drbg->seeded ? "seeded" : "unseeded")); |
1449 | | /* 9.3.1 steps 7.1 through 7.3 */ |
1450 | 0 | ret = drbg_seed (drbg, addtl, 1); |
1451 | 0 | if (ret) |
1452 | 0 | return ret; |
1453 | | /* 9.3.1 step 7.4 */ |
1454 | 0 | addtl = NULL; |
1455 | 0 | } |
1456 | | |
1457 | 0 | if (addtl && addtl->buf) |
1458 | 0 | { |
1459 | 0 | dbg (("DRBG: using additional information string\n")); |
1460 | 0 | } |
1461 | | |
1462 | | /* 9.3.1 step 8 and 10 */ |
1463 | 0 | ret = drbg->d_ops->generate (drbg, buf, buflen, addtl); |
1464 | | |
1465 | | /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ |
1466 | 0 | drbg->reseed_ctr++; |
1467 | 0 | if (ret) |
1468 | 0 | return ret; |
1469 | | |
1470 | | /* 11.3.3 -- re-perform self tests after some generated random |
1471 | | * numbers, the chosen value after which self test is performed |
1472 | | * is arbitrary, but it should be reasonable */ |
1473 | | /* Here we do not perform the self tests because of the following |
1474 | | * reasons: it is mathematically impossible that the initial self tests |
1475 | | * were successfully and the following are not. If the initial would |
1476 | | * pass and the following would not, the system integrity is violated. |
1477 | | * In this case, the entire system operation is questionable and it |
1478 | | * is unlikely that the integrity violation only affects to the |
1479 | | * correct operation of the DRBG. |
1480 | | */ |
1481 | | #if 0 |
1482 | | if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) |
1483 | | { |
1484 | | dbg (("DRBG: start to perform self test\n")); |
1485 | | ret = drbg_healthcheck (); |
1486 | | if (ret) |
1487 | | { |
1488 | | log_fatal (("DRBG: self test failed\n")); |
1489 | | return ret; |
1490 | | } |
1491 | | else |
1492 | | { |
1493 | | dbg (("DRBG: self test successful\n")); |
1494 | | } |
1495 | | } |
1496 | | #endif |
1497 | | |
1498 | 0 | return ret; |
1499 | 0 | } |
1500 | | |
1501 | | /* |
1502 | | * Wrapper around drbg_generate which can pull arbitrary long strings |
1503 | | * from the DRBG without hitting the maximum request limitation. |
1504 | | * |
1505 | | * Parameters: see drbg_generate |
1506 | | * Return codes: see drbg_generate -- if one drbg_generate request fails, |
1507 | | * the entire drbg_generate_long request fails |
1508 | | */ |
1509 | | static gpg_err_code_t |
1510 | | drbg_generate_long (drbg_state_t drbg, |
1511 | | unsigned char *buf, unsigned int buflen, |
1512 | | drbg_string_t *addtl) |
1513 | 0 | { |
1514 | 0 | gpg_err_code_t ret = 0; |
1515 | 0 | unsigned int slice = 0; |
1516 | 0 | unsigned char *buf_p = buf; |
1517 | 0 | unsigned len = 0; |
1518 | 0 | do |
1519 | 0 | { |
1520 | 0 | unsigned int chunk = 0; |
1521 | 0 | slice = ((buflen - len) / drbg_max_request_bytes ()); |
1522 | 0 | chunk = slice ? drbg_max_request_bytes () : (buflen - len); |
1523 | 0 | ret = drbg_generate (drbg, buf_p, chunk, addtl); |
1524 | 0 | if (ret) |
1525 | 0 | return ret; |
1526 | 0 | buf_p += chunk; |
1527 | 0 | len += chunk; |
1528 | 0 | } |
1529 | 0 | while (slice > 0 && (len < buflen)); |
1530 | 0 | return ret; |
1531 | 0 | } |
1532 | | |
1533 | | /* |
1534 | | * DRBG uninstantiate function as required by SP800-90A - this function |
1535 | | * frees all buffers and the DRBG handle |
1536 | | * |
1537 | | * @drbg DRBG state handle |
1538 | | * |
1539 | | * return |
1540 | | * 0 on success |
1541 | | */ |
1542 | | static gpg_err_code_t |
1543 | | drbg_uninstantiate (drbg_state_t drbg) |
1544 | 0 | { |
1545 | 0 | if (!drbg) |
1546 | 0 | return GPG_ERR_INV_ARG; |
1547 | 0 | drbg->d_ops->crypto_fini(drbg); |
1548 | 0 | xfree (drbg->V); |
1549 | 0 | drbg->V = NULL; |
1550 | 0 | xfree (drbg->C); |
1551 | 0 | drbg->C = NULL; |
1552 | 0 | drbg->reseed_ctr = 0; |
1553 | 0 | xfree (drbg->scratchpad); |
1554 | 0 | drbg->scratchpad = NULL; |
1555 | 0 | drbg->seeded = 0; |
1556 | 0 | drbg->pr = 0; |
1557 | 0 | drbg->seed_init_pid = 0; |
1558 | 0 | return 0; |
1559 | 0 | } |
1560 | | |
1561 | | /* |
1562 | | * DRBG instantiation function as required by SP800-90A - this function |
1563 | | * sets up the DRBG handle, performs the initial seeding and all sanity |
1564 | | * checks required by SP800-90A |
1565 | | * |
1566 | | * @drbg memory of state -- if NULL, new memory is allocated |
1567 | | * @pers Personalization string that is mixed into state, may be NULL -- note |
1568 | | * the entropy is pulled by the DRBG internally unconditionally |
1569 | | * as defined in SP800-90A. The additional input is mixed into |
1570 | | * the state in addition to the pulled entropy. |
1571 | | * @coreref reference to core |
1572 | | * @flags Flags defining the requested DRBG type and cipher type. The flags |
1573 | | * are defined in drbg.h and may be XORed. Beware, if you XOR multiple |
1574 | | * cipher types together, the code picks the core on a first come first |
1575 | | * serve basis as it iterates through the available cipher cores and |
1576 | | * uses the one with the first match. The minimum required flags are: |
1577 | | * cipher type flag |
1578 | | * |
1579 | | * return |
1580 | | * 0 on success |
1581 | | * error value otherwise |
1582 | | */ |
1583 | | static gpg_err_code_t |
1584 | | drbg_instantiate (drbg_state_t drbg, |
1585 | | drbg_string_t *pers, int coreref, int pr) |
1586 | 0 | { |
1587 | 0 | gpg_err_code_t ret = GPG_ERR_ENOMEM; |
1588 | 0 | unsigned int sb_size = 0; |
1589 | |
|
1590 | 0 | if (!drbg) |
1591 | 0 | return GPG_ERR_INV_ARG; |
1592 | | |
1593 | 0 | dbg (("DRBG: Initializing DRBG core %d with prediction resistance %s\n", |
1594 | 0 | coreref, pr ? "enabled" : "disabled")); |
1595 | 0 | drbg->core = &drbg_cores[coreref]; |
1596 | 0 | drbg->pr = pr; |
1597 | 0 | drbg->seeded = 0; |
1598 | 0 | if (drbg->core->flags & DRBG_HMAC) |
1599 | 0 | drbg->d_ops = &drbg_hmac_ops; |
1600 | 0 | else if (drbg->core->flags & DRBG_HASH_MASK) |
1601 | 0 | drbg->d_ops = &drbg_hash_ops; |
1602 | 0 | else if (drbg->core->flags & DRBG_CTR_MASK) |
1603 | 0 | drbg->d_ops = &drbg_ctr_ops; |
1604 | 0 | else |
1605 | 0 | return GPG_ERR_GENERAL; |
1606 | | /* 9.1 step 1 is implicit with the selected DRBG type -- see |
1607 | | * drbg_sec_strength() */ |
1608 | | |
1609 | | /* 9.1 step 2 is implicit as caller can select prediction resistance |
1610 | | * and the flag is copied into drbg->flags -- |
1611 | | * all DRBG types support prediction resistance */ |
1612 | | |
1613 | | /* 9.1 step 4 is implicit in drbg_sec_strength */ |
1614 | | |
1615 | 0 | ret = drbg->d_ops->crypto_init(drbg); |
1616 | 0 | if (ret) |
1617 | 0 | goto err; |
1618 | | |
1619 | 0 | drbg->V = xcalloc_secure (1, drbg_statelen (drbg)); |
1620 | 0 | if (!drbg->V) |
1621 | 0 | goto fini; |
1622 | 0 | drbg->C = xcalloc_secure (1, drbg_statelen (drbg)); |
1623 | 0 | if (!drbg->C) |
1624 | 0 | goto fini; |
1625 | | /* scratchpad is only generated for CTR and Hash */ |
1626 | 0 | if (drbg->core->flags & DRBG_HMAC) |
1627 | 0 | sb_size = 0; |
1628 | 0 | else if (drbg->core->flags & DRBG_CTR_MASK) |
1629 | 0 | sb_size = drbg_statelen (drbg) + drbg_blocklen (drbg) + /* temp */ |
1630 | 0 | drbg_statelen (drbg) + /* df_data */ |
1631 | 0 | drbg_blocklen (drbg) + /* pad */ |
1632 | 0 | drbg_blocklen (drbg) + /* iv */ |
1633 | 0 | drbg_statelen (drbg) + drbg_blocklen (drbg); /* temp */ |
1634 | 0 | else |
1635 | 0 | sb_size = drbg_statelen (drbg); |
1636 | |
|
1637 | 0 | if (0 < sb_size) |
1638 | 0 | { |
1639 | 0 | drbg->scratchpad = xcalloc_secure (1, sb_size); |
1640 | 0 | if (!drbg->scratchpad) |
1641 | 0 | goto fini; |
1642 | 0 | } |
1643 | 0 | dbg (("DRBG: state allocated with scratchpad size %u bytes\n", sb_size)); |
1644 | | |
1645 | | /* 9.1 step 6 through 11 */ |
1646 | 0 | ret = drbg_seed (drbg, pers, 0); |
1647 | 0 | if (ret) |
1648 | 0 | goto fini; |
1649 | | |
1650 | 0 | dbg (("DRBG: core %d %s prediction resistance successfully initialized\n", |
1651 | 0 | coreref, pr ? "with" : "without")); |
1652 | 0 | return 0; |
1653 | | |
1654 | 0 | fini: |
1655 | 0 | drbg->d_ops->crypto_fini(drbg); |
1656 | 0 | err: |
1657 | 0 | drbg_uninstantiate (drbg); |
1658 | 0 | return ret; |
1659 | 0 | } |
1660 | | |
1661 | | /* |
1662 | | * DRBG reseed function as required by SP800-90A |
1663 | | * |
1664 | | * @drbg DRBG state handle |
1665 | | * @addtl Additional input that is mixed into state, may be NULL -- note |
1666 | | * the entropy is pulled by the DRBG internally unconditionally |
1667 | | * as defined in SP800-90A. The additional input is mixed into |
1668 | | * the state in addition to the pulled entropy. |
1669 | | * |
1670 | | * return |
1671 | | * 0 on success |
1672 | | * error value otherwise |
1673 | | */ |
1674 | | static gpg_err_code_t |
1675 | | drbg_reseed (drbg_state_t drbg,drbg_string_t *addtl) |
1676 | 0 | { |
1677 | 0 | gpg_err_code_t ret = 0; |
1678 | 0 | ret = drbg_seed (drbg, addtl, 1); |
1679 | 0 | return ret; |
1680 | 0 | } |
1681 | | |
1682 | | |
1683 | | |
1684 | | /****************************************************************** |
1685 | | * Libgcrypt integration code. |
1686 | | ******************************************************************/ |
1687 | | |
1688 | | /*************************************************** |
1689 | | * Libgcrypt backend functions to the RNG API code. |
1690 | | ***************************************************/ |
1691 | | |
1692 | | static inline void |
1693 | | drbg_lock (void) |
1694 | 0 | { |
1695 | 0 | gpg_err_code_t ec; |
1696 | |
|
1697 | 0 | ec = gpgrt_lock_lock (&drbg_lock_var); |
1698 | 0 | if (ec) |
1699 | 0 | log_fatal ("failed to acquire the RNG lock: %s\n", gpg_strerror (ec)); |
1700 | 0 | } |
1701 | | |
1702 | | static inline void |
1703 | | drbg_unlock (void) |
1704 | 0 | { |
1705 | 0 | gpg_err_code_t ec; |
1706 | |
|
1707 | 0 | ec = gpgrt_lock_unlock (&drbg_lock_var); |
1708 | 0 | if (ec) |
1709 | 0 | log_fatal ("failed to release the RNG lock: %s\n", gpg_strerror (ec)); |
1710 | 0 | } |
1711 | | |
1712 | | /* Basic initialization is required to initialize mutexes and |
1713 | | do a few checks on the implementation. */ |
1714 | | static void |
1715 | | basic_initialization (void) |
1716 | 0 | { |
1717 | 0 | static int initialized; |
1718 | |
|
1719 | 0 | if (initialized) |
1720 | 0 | return; |
1721 | 0 | initialized = 1; |
1722 | | |
1723 | | /* Make sure that we are still using the values we have |
1724 | | traditionally used for the random levels. */ |
1725 | 0 | gcry_assert (GCRY_WEAK_RANDOM == 0 |
1726 | 0 | && GCRY_STRONG_RANDOM == 1 |
1727 | 0 | && GCRY_VERY_STRONG_RANDOM == 2); |
1728 | 0 | } |
1729 | | |
1730 | | /****** helper functions where lock must be held by caller *****/ |
1731 | | |
1732 | | /* Check whether given flags are known to point to an applicable DRBG */ |
1733 | | static gpg_err_code_t |
1734 | | drbg_algo_available (u32 flags, int *coreref) |
1735 | 0 | { |
1736 | 0 | int i = 0; |
1737 | 0 | for (i = 0; ARRAY_SIZE (drbg_cores) > i; i++) |
1738 | 0 | { |
1739 | 0 | if ((drbg_cores[i].flags & DRBG_CIPHER_MASK) == |
1740 | 0 | (flags & DRBG_CIPHER_MASK)) |
1741 | 0 | { |
1742 | 0 | *coreref = i; |
1743 | 0 | return 0; |
1744 | 0 | } |
1745 | 0 | } |
1746 | 0 | return GPG_ERR_GENERAL; |
1747 | 0 | } |
1748 | | |
1749 | | static gpg_err_code_t |
1750 | | _drbg_init_internal (u32 flags, drbg_string_t *pers) |
1751 | 0 | { |
1752 | 0 | static u32 oldflags; |
1753 | 0 | gpg_err_code_t ret = 0; |
1754 | 0 | int coreref = 0; |
1755 | 0 | int pr = 0; |
1756 | | |
1757 | | /* If a caller provides 0 as flags, use the flags of the previous |
1758 | | * initialization, otherwise use the current flags and remember them |
1759 | | * for the next invocation. If no flag is given and no global state |
1760 | | * is set this is the first initialization and we set the default |
1761 | | * type. |
1762 | | */ |
1763 | 0 | if (!flags && !drbg_state) |
1764 | 0 | flags = oldflags = DRBG_DEFAULT_TYPE; |
1765 | 0 | else if (!flags) |
1766 | 0 | flags = oldflags; |
1767 | 0 | else |
1768 | 0 | oldflags = flags; |
1769 | |
|
1770 | 0 | ret = drbg_algo_available (flags, &coreref); |
1771 | 0 | if (ret) |
1772 | 0 | return ret; |
1773 | | |
1774 | 0 | if (drbg_state) |
1775 | 0 | { |
1776 | 0 | drbg_uninstantiate (drbg_state); |
1777 | 0 | } |
1778 | 0 | else |
1779 | 0 | { |
1780 | 0 | drbg_state = &drbg_instance; |
1781 | 0 | } |
1782 | 0 | if (flags & DRBG_PREDICTION_RESIST) |
1783 | 0 | pr = 1; |
1784 | 0 | ret = drbg_instantiate (drbg_state, pers, coreref, pr); |
1785 | 0 | if (ret) |
1786 | 0 | fips_signal_error ("DRBG cannot be initialized"); |
1787 | 0 | else |
1788 | 0 | drbg_state->seed_init_pid = getpid (); |
1789 | 0 | return ret; |
1790 | 0 | } |
1791 | | |
1792 | | /************* calls available to common RNG code **************/ |
1793 | | |
1794 | | /* |
1795 | | * Initialize one DRBG invoked by the libgcrypt API |
1796 | | */ |
1797 | | void |
1798 | | _gcry_rngdrbg_inititialize (int full) |
1799 | 0 | { |
1800 | 0 | basic_initialization (); |
1801 | 0 | if (!full) |
1802 | 0 | return; |
1803 | 0 | drbg_lock (); |
1804 | 0 | if (!drbg_state) |
1805 | 0 | _drbg_init_internal (0, NULL); |
1806 | 0 | drbg_unlock (); |
1807 | 0 | } |
1808 | | |
1809 | | /* |
1810 | | * Backend handler function for GCRYCTL_DRBG_REINIT |
1811 | | * |
1812 | | * Select a different DRBG type and initialize it. |
1813 | | * Function checks whether requested DRBG type exists and returns an error in |
1814 | | * case it does not. In case of an error, the previous instantiated DRBG is |
1815 | | * left untouched and alive. Thus, in case of an error, a DRBG is always |
1816 | | * available, even if it is not the chosen one. |
1817 | | * |
1818 | | * Re-initialization will be performed in any case regardless whether flags |
1819 | | * or personalization string are set. |
1820 | | * |
1821 | | * If flags is NULL, do not change current DRBG. If PERS is NULL and |
1822 | | * NPERS is 0, re-initialize without personalization string. If PERS |
1823 | | * is not NULL NPERS must be one and PERS and the first ietm from the |
1824 | | * bufer is take as personalization string. |
1825 | | */ |
1826 | | gpg_err_code_t |
1827 | | _gcry_rngdrbg_reinit (const char *flagstr, gcry_buffer_t *pers, int npers) |
1828 | 0 | { |
1829 | 0 | gpg_err_code_t ret; |
1830 | 0 | unsigned int flags; |
1831 | | |
1832 | | /* If PERS is not given we expect NPERS to be zero; if given we |
1833 | | expect a one-item array. */ |
1834 | 0 | if ((!pers && npers) || (pers && npers != 1)) |
1835 | 0 | return GPG_ERR_INV_ARG; |
1836 | | |
1837 | 0 | ret = parse_flag_string (flagstr, &flags); |
1838 | 0 | if (!ret) |
1839 | 0 | { |
1840 | 0 | dbg (("DRBG: reinitialize internal DRBG state with flags %u\n", flags)); |
1841 | 0 | drbg_lock (); |
1842 | 0 | if (pers) |
1843 | 0 | { |
1844 | 0 | drbg_string_t persbuf; |
1845 | |
|
1846 | 0 | drbg_string_fill |
1847 | 0 | (&persbuf, (const unsigned char *)pers[0].data + pers[0].off, |
1848 | 0 | pers[0].len); |
1849 | 0 | ret = _drbg_init_internal (flags, &persbuf); |
1850 | 0 | } |
1851 | 0 | else |
1852 | 0 | ret = _drbg_init_internal (flags, NULL); |
1853 | 0 | drbg_unlock (); |
1854 | 0 | } |
1855 | 0 | return ret; |
1856 | 0 | } |
1857 | | |
1858 | | /* Release resources used by this DRBG module. That is, close the FDs |
1859 | | * of the random gather module (if any), and release memory used. |
1860 | | */ |
1861 | | void |
1862 | | _gcry_rngdrbg_close_fds (void) |
1863 | 0 | { |
1864 | 0 | drbg_lock (); |
1865 | 0 | #if USE_RNDGETENTROPY |
1866 | 0 | _gcry_rndgetentropy_gather_random (NULL, 0, 0, 0); |
1867 | 0 | #endif |
1868 | | #if USE_RNDOLDLINUX |
1869 | | _gcry_rndoldlinux_gather_random (NULL, 0, 0, 0); |
1870 | | #endif |
1871 | 0 | if (drbg_state) |
1872 | 0 | { |
1873 | 0 | drbg_uninstantiate (drbg_state); |
1874 | 0 | drbg_state = NULL; |
1875 | 0 | } |
1876 | 0 | drbg_unlock (); |
1877 | 0 | } |
1878 | | |
1879 | | /* Print some statistics about the RNG. */ |
1880 | | void |
1881 | | _gcry_rngdrbg_dump_stats (void) |
1882 | 0 | { |
1883 | | /* Not yet implemented. */ |
1884 | | /* Maybe dumping of reseed counter? */ |
1885 | 0 | } |
1886 | | |
1887 | | /* This function returns true if no real RNG is available or the |
1888 | | * quality of the RNG has been degraded for test purposes. */ |
1889 | | int |
1890 | | _gcry_rngdrbg_is_faked (void) |
1891 | 0 | { |
1892 | 0 | return 0; /* Faked random is not allowed. */ |
1893 | 0 | } |
1894 | | |
1895 | | /* Add BUFLEN bytes from BUF to the internal random pool. QUALITY |
1896 | | * should be in the range of 0..100 to indicate the goodness of the |
1897 | | * entropy added, or -1 for goodness not known. */ |
1898 | | gcry_error_t |
1899 | | _gcry_rngdrbg_add_bytes (const void *buf, size_t buflen, int quality) |
1900 | 0 | { |
1901 | 0 | gpg_err_code_t ret = 0; |
1902 | 0 | drbg_string_t seed; |
1903 | 0 | (void) quality; |
1904 | 0 | _gcry_rngdrbg_inititialize (1); /* Auto-initialize if needed */ |
1905 | 0 | if (!drbg_state) |
1906 | 0 | return GPG_ERR_GENERAL; |
1907 | 0 | drbg_string_fill (&seed, (unsigned char *) buf, buflen); |
1908 | 0 | drbg_lock (); |
1909 | 0 | ret = drbg_reseed (drbg_state, &seed); |
1910 | 0 | drbg_unlock (); |
1911 | 0 | return ret; |
1912 | 0 | } |
1913 | | |
1914 | | /* This function is to be used for all types of random numbers, including |
1915 | | * nonces |
1916 | | */ |
1917 | | void |
1918 | | _gcry_rngdrbg_randomize (void *buffer, size_t length, |
1919 | | enum gcry_random_level level) |
1920 | 0 | { |
1921 | 0 | (void) level; |
1922 | 0 | _gcry_rngdrbg_inititialize (1); /* Auto-initialize if needed */ |
1923 | 0 | drbg_lock (); |
1924 | 0 | if (!drbg_state) |
1925 | 0 | { |
1926 | 0 | fips_signal_error ("DRBG is not initialized"); |
1927 | 0 | goto bailout; |
1928 | 0 | } |
1929 | | |
1930 | | /* As reseeding changes the entire state of the DRBG, including any |
1931 | | * key, either a re-init or a reseed is sufficient for a fork */ |
1932 | 0 | if (drbg_state->seed_init_pid != getpid ()) |
1933 | 0 | { |
1934 | | /* Update the PID recorded. */ |
1935 | 0 | drbg_state->seed_init_pid = getpid (); |
1936 | | |
1937 | | /* We are in a child of us. Perform a reseeding. */ |
1938 | 0 | if (drbg_reseed (drbg_state, NULL)) |
1939 | 0 | { |
1940 | 0 | fips_signal_error ("reseeding upon fork failed"); |
1941 | 0 | log_fatal ("severe error getting random\n"); |
1942 | 0 | goto bailout; |
1943 | 0 | } |
1944 | 0 | } |
1945 | | /* potential integer overflow is covered by drbg_generate which |
1946 | | * ensures that length cannot overflow an unsigned int */ |
1947 | 0 | if (0 < length) |
1948 | 0 | { |
1949 | 0 | if (!buffer) |
1950 | 0 | goto bailout; |
1951 | 0 | if (drbg_generate_long (drbg_state, buffer, (unsigned int) length, NULL)) |
1952 | 0 | log_fatal ("No random numbers generated\n"); |
1953 | 0 | } |
1954 | 0 | else |
1955 | 0 | { |
1956 | 0 | drbg_gen_t *data = (drbg_gen_t *)buffer; |
1957 | | /* catch NULL pointer */ |
1958 | 0 | if (!data || !data->outbuf) |
1959 | 0 | { |
1960 | 0 | fips_signal_error ("No output buffer provided"); |
1961 | 0 | goto bailout; |
1962 | 0 | } |
1963 | 0 | if (drbg_generate_long (drbg_state, data->outbuf, data->outlen, |
1964 | 0 | data->addtl)) |
1965 | 0 | log_fatal ("No random numbers generated\n"); |
1966 | 0 | } |
1967 | | |
1968 | 0 | bailout: |
1969 | 0 | drbg_unlock (); |
1970 | 0 | return; |
1971 | |
|
1972 | 0 | } |
1973 | | |
1974 | | /*************************************************************** |
1975 | | * Self-test code |
1976 | | ***************************************************************/ |
1977 | | |
1978 | | /* |
1979 | | * Test vectors from |
1980 | | * http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgtestvectors.zip |
1981 | | */ |
1982 | | struct gcry_drbg_test_vector drbg_test_pr[] = { |
1983 | | { |
1984 | | /* .flags = */ "sha256 pr" /* DRBG_PR_HASHSHA256 */, |
1985 | | /* .entropy = */ (unsigned char *) |
1986 | | "\x5d\xf2\x14\xbc\xf6\xb5\x4e\x0b\xf0\x0d\x6f\x2d" |
1987 | | "\xe2\x01\x66\x7b\xd0\xa4\x73\xa4\x21\xdd\xb0\xc0" |
1988 | | "\x51\x79\x09\xf4\xea\xa9\x08\xfa\xa6\x67\xe0\xe1" |
1989 | | "\xd1\x88\xa8\xad\xee\x69\x74\xb3\x55\x06\x9b\xf6", |
1990 | | /* .entropylen = */ 48, |
1991 | | /* .entpra = */ (unsigned char *) |
1992 | | "\xef\x48\x06\xa2\xc2\x45\xf1\x44\xfa\x34\x2c\xeb" |
1993 | | "\x8d\x78\x3c\x09\x8f\x34\x72\x20\xf2\xe7\xfd\x13" |
1994 | | "\x76\x0a\xf6\xdc\x3c\xf5\xc0\x15", |
1995 | | /* .entprb = */ (unsigned char *) |
1996 | | "\x4b\xbe\xe5\x24\xed\x6a\x2d\x0c\xdb\x73\x5e\x09" |
1997 | | "\xf9\xad\x67\x7c\x51\x47\x8b\x6b\x30\x2a\xc6\xde" |
1998 | | "\x76\xaa\x55\x04\x8b\x0a\x72\x95", |
1999 | | /* .entprlen = */ 32, |
2000 | | /* .addtla = */ (unsigned char *) |
2001 | | "\xbe\x13\xdb\x2a\xe9\xa8\xfe\x09\x97\xe1\xce\x5d" |
2002 | | "\xe8\xbb\xc0\x7c\x4f\xcb\x62\x19\x3f\x0f\xd2\xad" |
2003 | | "\xa9\xd0\x1d\x59\x02\xc4\xff\x70", |
2004 | | /* .addtlb = */ (unsigned char *) |
2005 | | "\x6f\x96\x13\xe2\xa7\xf5\x6c\xfe\xdf\x66\xe3\x31" |
2006 | | "\x63\x76\xbf\x20\x27\x06\x49\xf1\xf3\x01\x77\x41" |
2007 | | "\x9f\xeb\xe4\x38\xfe\x67\x00\xcd", |
2008 | | /* .addtllen = */ 32, |
2009 | | /* .pers = */ NULL, |
2010 | | /* .perslen = */ 0, |
2011 | | /* .expected = */ (unsigned char *) |
2012 | | "\x3b\x14\x71\x99\xa1\xda\xa0\x42\xe6\xc8\x85\x32" |
2013 | | "\x70\x20\x32\x53\x9a\xbe\xd1\x1e\x15\xef\xfb\x4c" |
2014 | | "\x25\x6e\x19\x3a\xf0\xb9\xcb\xde\xf0\x3b\xc6\x18" |
2015 | | "\x4d\x85\x5a\x9b\xf1\xe3\xc2\x23\x03\x93\x08\xdb" |
2016 | | "\xa7\x07\x4b\x33\x78\x40\x4d\xeb\x24\xf5\x6e\x81" |
2017 | | "\x4a\x1b\x6e\xa3\x94\x52\x43\xb0\xaf\x2e\x21\xf4" |
2018 | | "\x42\x46\x8e\x90\xed\x34\x21\x75\xea\xda\x67\xb6" |
2019 | | "\xe4\xf6\xff\xc6\x31\x6c\x9a\x5a\xdb\xb3\x97\x13" |
2020 | | "\x09\xd3\x20\x98\x33\x2d\x6d\xd7\xb5\x6a\xa8\xa9" |
2021 | | "\x9a\x5b\xd6\x87\x52\xa1\x89\x2b\x4b\x9c\x64\x60" |
2022 | | "\x50\x47\xa3\x63\x81\x16\xaf\x19", |
2023 | | /* .expectedlen = */ 128, |
2024 | | /* .entropyreseed = */ NULL, |
2025 | | /* .entropyreseed_len = */ 0, |
2026 | | /* .addtl_reseed = */ NULL, |
2027 | | /* .addtl_reseed_len = */ 0 |
2028 | | }, |
2029 | | { |
2030 | | /* flags = */ "hmac sha256 pr" /* DRBG_PR_HMACSHA256 */, |
2031 | | /* .entropy = */ (unsigned char *) |
2032 | | "\x13\x54\x96\xfc\x1b\x7d\x28\xf3\x18\xc9\xa7\x89" |
2033 | | "\xb6\xb3\xc8\x72\xac\x00\xd4\x59\x36\x25\x05\xaf" |
2034 | | "\xa5\xdb\x96\xcb\x3c\x58\x46\x87\xa5\xaa\xbf\x20" |
2035 | | "\x3b\xfe\x23\x0e\xd1\xc7\x41\x0f\x3f\xc9\xb3\x67", |
2036 | | /* .entropylen = */ 48, |
2037 | | /* .entpra = */ (unsigned char *) |
2038 | | "\xe2\xbd\xb7\x48\x08\x06\xf3\xe1\x93\x3c\xac\x79" |
2039 | | "\xa7\x2b\x11\xda\xe3\x2e\xe1\x91\xa5\x02\x19\x57" |
2040 | | "\x20\x28\xad\xf2\x60\xd7\xcd\x45", |
2041 | | /* .entprb = */ (unsigned char *) |
2042 | | "\x8b\xd4\x69\xfc\xff\x59\x95\x95\xc6\x51\xde\x71" |
2043 | | "\x68\x5f\xfc\xf9\x4a\xab\xec\x5a\xcb\xbe\xd3\x66" |
2044 | | "\x1f\xfa\x74\xd3\xac\xa6\x74\x60", |
2045 | | /* .entprlen = */ 32, |
2046 | | /* .addtla = */ NULL, |
2047 | | /* .addtlb = */ NULL, |
2048 | | /* .addtllen = */ 0, |
2049 | | /* .pers = */ (unsigned char *) |
2050 | | "\x64\xb6\xfc\x60\xbc\x61\x76\x23\x6d\x3f\x4a\x0f" |
2051 | | "\xe1\xb4\xd5\x20\x9e\x70\xdd\x03\x53\x6d\xbf\xce" |
2052 | | "\xcd\x56\x80\xbc\xb8\x15\xc8\xaa", |
2053 | | /* .perslen = */ 32, |
2054 | | /* .expected = */ (unsigned char *) |
2055 | | "\x1f\x9e\xaf\xe4\xd2\x46\xb7\x47\x41\x4c\x65\x99" |
2056 | | "\x01\xe9\x3b\xbb\x83\x0c\x0a\xb0\xc1\x3a\xe2\xb3" |
2057 | | "\x31\x4e\xeb\x93\x73\xee\x0b\x26\xc2\x63\xa5\x75" |
2058 | | "\x45\x99\xd4\x5c\x9f\xa1\xd4\x45\x87\x6b\x20\x61" |
2059 | | "\x40\xea\x78\xa5\x32\xdf\x9e\x66\x17\xaf\xb1\x88" |
2060 | | "\x9e\x2e\x23\xdd\xc1\xda\x13\x97\x88\xa5\xb6\x5e" |
2061 | | "\x90\x14\x4e\xef\x13\xab\x5c\xd9\x2c\x97\x9e\x7c" |
2062 | | "\xd7\xf8\xce\xea\x81\xf5\xcd\x71\x15\x49\x44\xce" |
2063 | | "\x83\xb6\x05\xfb\x7d\x30\xb5\x57\x2c\x31\x4f\xfc" |
2064 | | "\xfe\x80\xb6\xc0\x13\x0c\x5b\x9b\x2e\x8f\x3d\xfc" |
2065 | | "\xc2\xa3\x0c\x11\x1b\x80\x5f\xf3", |
2066 | | /* .expectedlen = */ 128, |
2067 | | /* .entropyreseed = */ NULL, |
2068 | | /* .entropyreseed_len = */ 0, |
2069 | | /* .addtl_reseed = */ NULL, |
2070 | | /* .addtl_reseed_len = */ 0 |
2071 | | }, |
2072 | | { |
2073 | | /* .flags = */ "aes sym128 pr", /* DRBG_PR_CTRAES128 */ |
2074 | | /* .entropy = */ (unsigned char *) |
2075 | | "\x92\x89\x8f\x31\xfa\x1c\xff\x6d\x18\x2f\x26\x06" |
2076 | | "\x43\xdf\xf8\x18\xc2\xa4\xd9\x72\xc3\xb9\xb6\x97", |
2077 | | /* .entropylen = */ 24, |
2078 | | /* .entpra = */ (unsigned char *) |
2079 | | "\x20\x72\x8a\x06\xf8\x6f\x8d\xd4\x41\xe2\x72\xb7" |
2080 | | "\xc4\x2c\xe8\x10", |
2081 | | /* .entprb = */ (unsigned char *) |
2082 | | "\x3d\xb0\xf0\x94\xf3\x05\x50\x33\x17\x86\x3e\x22" |
2083 | | "\x08\xf7\xa5\x01", |
2084 | | /* .entprlen = */ 16, |
2085 | | /* .addtla = */ (unsigned char *) |
2086 | | "\x1a\x40\xfa\xe3\xcc\x6c\x7c\xa0\xf8\xda\xba\x59" |
2087 | | "\x23\x6d\xad\x1d", |
2088 | | /* .addtlb = */ (unsigned char *) |
2089 | | "\x9f\x72\x76\x6c\xc7\x46\xe5\xed\x2e\x53\x20\x12" |
2090 | | "\xbc\x59\x31\x8c", |
2091 | | /* .addtllen = */ 16, |
2092 | | /* .pers = */ (unsigned char *) |
2093 | | "\xea\x65\xee\x60\x26\x4e\x7e\xb6\x0e\x82\x68\xc4" |
2094 | | "\x37\x3c\x5c\x0b", |
2095 | | /* .perslen = */ 16, |
2096 | | /* .expected = */ (unsigned char *) |
2097 | | "\x5a\x35\x39\x87\x0f\x4d\x22\xa4\x09\x24\xee\x71" |
2098 | | "\xc9\x6f\xac\x72\x0a\xd6\xf0\x88\x82\xd0\x83\x28" |
2099 | | "\x73\xec\x3f\x93\xd8\xab\x45\x23\xf0\x7e\xac\x45" |
2100 | | "\x14\x5e\x93\x9f\xb1\xd6\x76\x43\x3d\xb6\xe8\x08" |
2101 | | "\x88\xf6\xda\x89\x08\x77\x42\xfe\x1a\xf4\x3f\xc4" |
2102 | | "\x23\xc5\x1f\x68", |
2103 | | /* .expectedlen = */ 64, |
2104 | | /* .entropyreseed = */ NULL, |
2105 | | /* .entropyreseed_len = */ 0, |
2106 | | /* .addtl_reseed = */ NULL, |
2107 | | /* .addtl_reseed_len = */ 0 |
2108 | | } |
2109 | | }; |
2110 | | |
2111 | | struct gcry_drbg_test_vector drbg_test_nopr[] = { |
2112 | | { |
2113 | | /* .flags = */ "sha256" /* DRBG_NOPR_HASHSHA256 */, |
2114 | | /* .entropy = */ (unsigned char *) |
2115 | | "\x73\xd3\xfb\xa3\x94\x5f\x2b\x5f\xb9\x8f\xf6\x9c" |
2116 | | "\x8a\x93\x17\xae\x19\xc3\x4c\xc3\xd6\xca\xa3\x2d" |
2117 | | "\x16\xfc\x42\xd2\x2d\xd5\x6f\x56\xcc\x1d\x30\xff" |
2118 | | "\x9e\x06\x3e\x09\xce\x58\xe6\x9a\x35\xb3\xa6\x56", |
2119 | | /* .entropylen = */ 48, |
2120 | | /* .entpra = */ NULL, |
2121 | | /* .entprb = */ NULL, |
2122 | | /* .entprlen = */ 0, |
2123 | | /* .addtla = */ (unsigned char *) |
2124 | | "\xf4\xd5\x98\x3d\xa8\xfc\xfa\x37\xb7\x54\x67\x73" |
2125 | | "\xc7\xc3\xdd\x47\x34\x71\x02\x5d\xc1\xa0\xd3\x10" |
2126 | | "\xc1\x8b\xbd\xf5\x66\x34\x6f\xdd", |
2127 | | /* .addtlb = */ (unsigned char *) |
2128 | | "\xf7\x9e\x6a\x56\x0e\x73\xe9\xd9\x7a\xd1\x69\xe0" |
2129 | | "\x6f\x8c\x55\x1c\x44\xd1\xce\x6f\x28\xcc\xa4\x4d" |
2130 | | "\xa8\xc0\x85\xd1\x5a\x0c\x59\x40", |
2131 | | /* .addtllen = */ 32, |
2132 | | /* .pers = */ NULL, |
2133 | | /* .perslen = */ 0, |
2134 | | /* .expected = */ (unsigned char *) |
2135 | | "\x71\x7b\x93\x46\x1a\x40\xaa\x35\xa4\xaa\xc5\xe7" |
2136 | | "\x6d\x5b\x5b\x8a\xa0\xdf\x39\x7d\xae\x71\x58\x5b" |
2137 | | "\x3c\x7c\xb4\xf0\x89\xfa\x4a\x8c\xa9\x5c\x54\xc0" |
2138 | | "\x40\xdf\xbc\xce\x26\x81\x34\xf8\xba\x7d\x1c\xe8" |
2139 | | "\xad\x21\xe0\x74\xcf\x48\x84\x30\x1f\xa1\xd5\x4f" |
2140 | | "\x81\x42\x2f\xf4\xdb\x0b\x23\xf8\x73\x27\xb8\x1d" |
2141 | | "\x42\xf8\x44\x58\xd8\x5b\x29\x27\x0a\xf8\x69\x59" |
2142 | | "\xb5\x78\x44\xeb\x9e\xe0\x68\x6f\x42\x9a\xb0\x5b" |
2143 | | "\xe0\x4e\xcb\x6a\xaa\xe2\xd2\xd5\x33\x25\x3e\xe0" |
2144 | | "\x6c\xc7\x6a\x07\xa5\x03\x83\x9f\xe2\x8b\xd1\x1c" |
2145 | | "\x70\xa8\x07\x59\x97\xeb\xf6\xbe", |
2146 | | /* .expectedlen = */ 128, |
2147 | | /* .entropyreseed = */ NULL, |
2148 | | /* .entropyreseed_len = */ 0, |
2149 | | /* .addtl_reseed = */ NULL, |
2150 | | /* .addtl_reseed_len = */ 0 |
2151 | | }, |
2152 | | { |
2153 | | /* .flags = */ "hmac sha256" /* DRBG_NOPR_HMACSHA256 */, |
2154 | | /* .entropy = */ (unsigned char *) |
2155 | | "\x8d\xf0\x13\xb4\xd1\x03\x52\x30\x73\x91\x7d\xdf" |
2156 | | "\x6a\x86\x97\x93\x05\x9e\x99\x43\xfc\x86\x54\x54" |
2157 | | "\x9e\x7a\xb2\x2f\x7c\x29\xf1\x22\xda\x26\x25\xaf" |
2158 | | "\x2d\xdd\x4a\xbc\xce\x3c\xf4\xfa\x46\x59\xd8\x4e", |
2159 | | /* .entropylen = */ 48, |
2160 | | /* .entpra = */ NULL, |
2161 | | /* .entprb = */ NULL, |
2162 | | /* .entprlen = */ 0, |
2163 | | /* .addtla = */ NULL, |
2164 | | /* .addtlb = */ NULL, |
2165 | | /* .addtllen = */ 0, |
2166 | | /* .pers = */ (unsigned char *) |
2167 | | "\xb5\x71\xe6\x6d\x7c\x33\x8b\xc0\x7b\x76\xad\x37" |
2168 | | "\x57\xbb\x2f\x94\x52\xbf\x7e\x07\x43\x7a\xe8\x58" |
2169 | | "\x1c\xe7\xbc\x7c\x3a\xc6\x51\xa9", |
2170 | | /* .perslen = */ 32, |
2171 | | /* .expected = */ (unsigned char *) |
2172 | | "\xb9\x1c\xba\x4c\xc8\x4f\xa2\x5d\xf8\x61\x0b\x81" |
2173 | | "\xb6\x41\x40\x27\x68\xa2\x09\x72\x34\x93\x2e\x37" |
2174 | | "\xd5\x90\xb1\x15\x4c\xbd\x23\xf9\x74\x52\xe3\x10" |
2175 | | "\xe2\x91\xc4\x51\x46\x14\x7f\x0d\xa2\xd8\x17\x61" |
2176 | | "\xfe\x90\xfb\xa6\x4f\x94\x41\x9c\x0f\x66\x2b\x28" |
2177 | | "\xc1\xed\x94\xda\x48\x7b\xb7\xe7\x3e\xec\x79\x8f" |
2178 | | "\xbc\xf9\x81\xb7\x91\xd1\xbe\x4f\x17\x7a\x89\x07" |
2179 | | "\xaa\x3c\x40\x16\x43\xa5\xb6\x2b\x87\xb8\x9d\x66" |
2180 | | "\xb3\xa6\x0e\x40\xd4\xa8\xe4\xe9\xd8\x2a\xf6\xd2" |
2181 | | "\x70\x0e\x6f\x53\x5c\xdb\x51\xf7\x5c\x32\x17\x29" |
2182 | | "\x10\x37\x41\x03\x0c\xcc\x3a\x56", |
2183 | | /* .expectedlen = */ 128, |
2184 | | /* .entropyreseed = */ NULL, |
2185 | | /* .entropyreseed_len = */ 0, |
2186 | | /* .addtl_reseed = */ NULL, |
2187 | | /* .addtl_reseed_len = */ 0 |
2188 | | }, |
2189 | | { |
2190 | | /* .flags = */ "aes sym128" /* DRBG_NOPR_CTRAES128 */, |
2191 | | /* .entropy = */ (unsigned char *) |
2192 | | "\xc0\x70\x1f\x92\x50\x75\x8f\xcd\xf2\xbe\x73\x98" |
2193 | | "\x80\xdb\x66\xeb\x14\x68\xb4\xa5\x87\x9c\x2d\xa6", |
2194 | | /* .entropylen = */ 24, |
2195 | | /* .entpra = */ NULL, |
2196 | | /* .entprb = */ NULL, |
2197 | | /* .entprlen = */ 0, |
2198 | | /* .addtla = */ (unsigned char *) |
2199 | | "\xf9\x01\xf8\x16\x7a\x1d\xff\xde\x8e\x3c\x83\xe2" |
2200 | | "\x44\x85\xe7\xfe", |
2201 | | /* .addtlb = */ (unsigned char *) |
2202 | | "\x17\x1c\x09\x38\xc2\x38\x9f\x97\x87\x60\x55\xb4" |
2203 | | "\x82\x16\x62\x7f", |
2204 | | /* .addtllen = */ 16, |
2205 | | /* .pers = */ (unsigned char *) |
2206 | | "\x80\x08\xae\xe8\xe9\x69\x40\xc5\x08\x73\xc7\x9f" |
2207 | | "\x8e\xcf\xe0\x02", |
2208 | | /* .perslen = */ 16, |
2209 | | /* .expected = */ (unsigned char *) |
2210 | | "\x97\xc0\xc0\xe5\xa0\xcc\xf2\x4f\x33\x63\x48\x8a" |
2211 | | "\xdb\x13\x0a\x35\x89\xbf\x80\x65\x62\xee\x13\x95" |
2212 | | "\x7c\x33\xd3\x7d\xf4\x07\x77\x7a\x2b\x65\x0b\x5f" |
2213 | | "\x45\x5c\x13\xf1\x90\x77\x7f\xc5\x04\x3f\xcc\x1a" |
2214 | | "\x38\xf8\xcd\x1b\xbb\xd5\x57\xd1\x4a\x4c\x2e\x8a" |
2215 | | "\x2b\x49\x1e\x5c", |
2216 | | /* .expectedlen = */ 64, |
2217 | | /* .entropyreseed = */ NULL, |
2218 | | /* .entropyreseed_len = */ 0, |
2219 | | /* .addtl_reseed = */ NULL, |
2220 | | /* .addtl_reseed_len = */ 0 |
2221 | | }, |
2222 | | { |
2223 | | /* .flags = */ "sha1" /* DRBG_NOPR_HASHSHA1 */, |
2224 | | /* .entropy = */ (unsigned char *) |
2225 | | "\x16\x10\xb8\x28\xcc\xd2\x7d\xe0\x8c\xee\xa0\x32" |
2226 | | "\xa2\x0e\x92\x08\x49\x2c\xf1\x70\x92\x42\xf6\xb5", |
2227 | | /* .entropylen = */ 24, |
2228 | | /* .entpra = */ NULL, |
2229 | | /* .entprb = */ NULL, |
2230 | | /* .entprlen = */ 0, |
2231 | | /* .addtla = */ NULL, |
2232 | | /* .addtlb = */ NULL, |
2233 | | /* .addtllen = */ 0, |
2234 | | /* .pers = */ NULL, |
2235 | | /* .perslen = */ 0, |
2236 | | /* .expected = */ (unsigned char *) |
2237 | | "\x56\xf3\x3d\x4f\xdb\xb9\xa5\xb6\x4d\x26\x23\x44" |
2238 | | "\x97\xe9\xdc\xb8\x77\x98\xc6\x8d\x08\xf7\xc4\x11" |
2239 | | "\x99\xd4\xbd\xdf\x97\xeb\xbf\x6c\xb5\x55\x0e\x5d" |
2240 | | "\x14\x9f\xf4\xd5\xbd\x0f\x05\xf2\x5a\x69\x88\xc1" |
2241 | | "\x74\x36\x39\x62\x27\x18\x4a\xf8\x4a\x56\x43\x35" |
2242 | | "\x65\x8e\x2f\x85\x72\xbe\xa3\x33\xee\xe2\xab\xff" |
2243 | | "\x22\xff\xa6\xde\x3e\x22\xac\xa2", |
2244 | | /* .expectedlen = */ 80, |
2245 | | /* .entropyreseed = */ (unsigned char *) |
2246 | | "\x72\xd2\x8c\x90\x8e\xda\xf9\xa4\xd1\xe5\x26\xd8" |
2247 | | "\xf2\xde\xd5\x44", |
2248 | | /* .entropyreseed_len = */ 16, |
2249 | | /* .addtl_reseed = */ NULL, |
2250 | | /* .addtl_reseed_len = */ 0 |
2251 | | }, |
2252 | | { |
2253 | | /* .flags = */ "sha1" /* DRBG_NOPR_HASHSHA1 */, |
2254 | | /* .entropy = */ (unsigned char *) |
2255 | | "\xd9\xba\xb5\xce\xdc\xa9\x6f\x61\x78\xd6\x45\x09" |
2256 | | "\xa0\xdf\xdc\x5e\xda\xd8\x98\x94\x14\x45\x0e\x01", |
2257 | | /* .entropylen = */ 24, |
2258 | | /* .entpra = */ NULL, |
2259 | | /* .entprb = */ NULL, |
2260 | | /* .entprlen = */ 0, |
2261 | | /* .addtla = */ (unsigned char *) |
2262 | | "\x04\xfa\x28\x95\xaa\x5a\x6f\x8c\x57\x43\x34\x3b" |
2263 | | "\x80\x5e\x5e\xa4", |
2264 | | /* .addtlb = */ (unsigned char *) |
2265 | | "\xdf\x5d\xc4\x59\xdf\xf0\x2a\xa2\xf0\x52\xd7\x21" |
2266 | | "\xec\x60\x72\x30", |
2267 | | /* .addtllen = */ 16, |
2268 | | /* .pers = */ NULL, |
2269 | | /* .perslen = */ 0, |
2270 | | /* .expected = */ (unsigned char *) |
2271 | | "\xc4\x8b\x89\xf9\xda\x3f\x74\x82\x45\x55\x5d\x5d" |
2272 | | "\x03\x3b\x69\x3d\xd7\x1a\x4d\xf5\x69\x02\x05\xce" |
2273 | | "\xfc\xd7\x20\x11\x3c\xc2\x4e\x09\x89\x36\xff\x5e" |
2274 | | "\x77\xb5\x41\x53\x58\x70\xb3\x39\x46\x8c\xdd\x8d" |
2275 | | "\x6f\xaf\x8c\x56\x16\x3a\x70\x0a\x75\xb2\x3e\x59" |
2276 | | "\x9b\x5a\xec\xf1\x6f\x3b\xaf\x6d\x5f\x24\x19\x97" |
2277 | | "\x1f\x24\xf4\x46\x72\x0f\xea\xbe", |
2278 | | /* .expectedlen = */ 80, |
2279 | | /* .entropyreseed = */ (unsigned char *) |
2280 | | "\xc6\xba\xd0\x74\xc5\x90\x67\x86\xf5\xe1\xf3\x20" |
2281 | | "\x99\xf5\xb4\x91", |
2282 | | /* .entropyreseed_len = */ 16, |
2283 | | /* .addtl_reseed = */ (unsigned char *) |
2284 | | "\x3e\x6b\xf4\x6f\x4d\xaa\x38\x25\xd7\x19\x4e\x69" |
2285 | | "\x4e\x77\x52\xf7", |
2286 | | /* .addtl_reseed_len = */ 16 |
2287 | | } |
2288 | | }; |
2289 | | |
2290 | | |
2291 | | /* |
2292 | | * Tests implement the CAVS test approach as documented in |
2293 | | * http://csrc.nist.gov/groups/STM/cavp/documents/drbg/DRBGVS.pdf |
2294 | | */ |
2295 | | |
2296 | | /* |
2297 | | * CAVS test |
2298 | | * |
2299 | | * This function is not static as it is needed for as a private API |
2300 | | * call for the CAVS test tool. |
2301 | | */ |
2302 | | gpg_err_code_t |
2303 | | _gcry_rngdrbg_cavs_test (struct gcry_drbg_test_vector *test, unsigned char *buf) |
2304 | 0 | { |
2305 | 0 | gpg_err_code_t ret = 0; |
2306 | 0 | drbg_state_t drbg = NULL; |
2307 | 0 | struct drbg_test_data_s test_data; |
2308 | 0 | drbg_string_t addtl, pers, testentropy; |
2309 | 0 | int coreref = 0; |
2310 | 0 | int pr = 0; |
2311 | 0 | u32 flags; |
2312 | |
|
2313 | 0 | ret = parse_flag_string (test->flagstr, &flags); |
2314 | 0 | if (ret) |
2315 | 0 | goto outbuf; |
2316 | | |
2317 | 0 | ret = drbg_algo_available (flags, &coreref); |
2318 | 0 | if (ret) |
2319 | 0 | goto outbuf; |
2320 | | |
2321 | 0 | drbg = xtrycalloc_secure (1, sizeof *drbg); |
2322 | 0 | if (!drbg) |
2323 | 0 | { |
2324 | 0 | ret = gpg_err_code_from_syserror (); |
2325 | 0 | goto outbuf; |
2326 | 0 | } |
2327 | | |
2328 | 0 | if ((flags & DRBG_PREDICTION_RESIST)) |
2329 | 0 | pr = 1; |
2330 | |
|
2331 | 0 | test_data.testentropy = &testentropy; |
2332 | 0 | drbg_string_fill (&testentropy, test->entropy, test->entropylen); |
2333 | 0 | drbg->test_data = &test_data; |
2334 | 0 | drbg_string_fill (&pers, test->pers, test->perslen); |
2335 | 0 | ret = drbg_instantiate (drbg, &pers, coreref, pr); |
2336 | 0 | if (ret) |
2337 | 0 | goto outbuf; |
2338 | | |
2339 | 0 | if (test->entropyreseed) |
2340 | 0 | { |
2341 | 0 | drbg_string_fill (&testentropy, test->entropyreseed, |
2342 | 0 | test->entropyreseed_len); |
2343 | 0 | drbg_string_fill (&addtl, test->addtl_reseed, |
2344 | 0 | test->addtl_reseed_len); |
2345 | 0 | if (drbg_reseed (drbg, &addtl)) |
2346 | 0 | goto outbuf; |
2347 | 0 | } |
2348 | | |
2349 | 0 | drbg_string_fill (&addtl, test->addtla, test->addtllen); |
2350 | 0 | if (test->entpra) |
2351 | 0 | { |
2352 | 0 | drbg_string_fill (&testentropy, test->entpra, test->entprlen); |
2353 | 0 | drbg->test_data = &test_data; |
2354 | 0 | } |
2355 | 0 | drbg_generate_long (drbg, buf, test->expectedlen, &addtl); |
2356 | |
|
2357 | 0 | drbg_string_fill (&addtl, test->addtlb, test->addtllen); |
2358 | 0 | if (test->entprb) |
2359 | 0 | { |
2360 | 0 | drbg_string_fill (&testentropy, test->entprb, test->entprlen); |
2361 | 0 | drbg->test_data = &test_data; |
2362 | 0 | } |
2363 | 0 | drbg_generate_long (drbg, buf, test->expectedlen, &addtl); |
2364 | 0 | drbg_uninstantiate (drbg); |
2365 | |
|
2366 | 0 | outbuf: |
2367 | 0 | xfree (drbg); |
2368 | 0 | return ret; |
2369 | 0 | } |
2370 | | |
2371 | | /* |
2372 | | * Invoke the CAVS test and perform the final check whether the |
2373 | | * calculated random value matches the expected one. |
2374 | | * |
2375 | | * This function is not static as it is needed for as a private API |
2376 | | * call for the CAVS test tool. |
2377 | | */ |
2378 | | gpg_err_code_t |
2379 | | _gcry_rngdrbg_healthcheck_one (struct gcry_drbg_test_vector * test) |
2380 | 0 | { |
2381 | 0 | gpg_err_code_t ret = GPG_ERR_ENOMEM; |
2382 | 0 | unsigned char *buf = xcalloc_secure (1, test->expectedlen); |
2383 | 0 | if (!buf) |
2384 | 0 | return GPG_ERR_ENOMEM; |
2385 | | |
2386 | 0 | ret = _gcry_rngdrbg_cavs_test (test, buf); |
2387 | | /* FIXME: The next line is wrong. */ |
2388 | 0 | ret = memcmp (test->expected, buf, test->expectedlen); |
2389 | |
|
2390 | 0 | xfree (buf); |
2391 | 0 | return ret; |
2392 | 0 | } |
2393 | | |
2394 | | /* |
2395 | | * Tests as defined in 11.3.2 in addition to the cipher tests: testing |
2396 | | * of the error handling. |
2397 | | * |
2398 | | * Note, testing the reseed counter is not done as an automatic reseeding |
2399 | | * is performed in drbg_generate when the reseed counter is too large. |
2400 | | */ |
2401 | | static gpg_err_code_t |
2402 | | drbg_healthcheck_sanity (struct gcry_drbg_test_vector *test) |
2403 | 0 | { |
2404 | 0 | unsigned int len = 0; |
2405 | 0 | drbg_state_t drbg = NULL; |
2406 | 0 | gpg_err_code_t ret = GPG_ERR_GENERAL; |
2407 | 0 | gpg_err_code_t tmpret = GPG_ERR_GENERAL; |
2408 | 0 | struct drbg_test_data_s test_data; |
2409 | 0 | drbg_string_t addtl, testentropy; |
2410 | 0 | int coreref = 0; |
2411 | 0 | unsigned char *buf = NULL; |
2412 | 0 | size_t max_addtllen, max_request_bytes; |
2413 | 0 | u32 flags; |
2414 | | |
2415 | | /* only perform test in FIPS mode */ |
2416 | 0 | if (0 == fips_mode ()) |
2417 | 0 | return 0; |
2418 | | |
2419 | 0 | ret = parse_flag_string (test->flagstr, &flags); |
2420 | 0 | if (ret) |
2421 | 0 | return ret; |
2422 | 0 | ret = GPG_ERR_GENERAL; /* Fixme: Improve handling of RET. */ |
2423 | |
|
2424 | 0 | buf = xtrycalloc_secure (1, test->expectedlen); |
2425 | 0 | if (!buf) |
2426 | 0 | return gpg_err_code_from_syserror (); |
2427 | 0 | tmpret = drbg_algo_available (flags, &coreref); |
2428 | 0 | if (tmpret) |
2429 | 0 | goto outbuf; |
2430 | 0 | drbg = xtrycalloc_secure (1, sizeof *drbg); |
2431 | 0 | if (!drbg) |
2432 | 0 | { |
2433 | 0 | ret = gpg_err_code_from_syserror (); |
2434 | 0 | goto outbuf; |
2435 | 0 | } |
2436 | | |
2437 | | /* if the following tests fail, it is likely that there is a buffer |
2438 | | * overflow and we get a SIGSEV */ |
2439 | 0 | ret = drbg_instantiate (drbg, NULL, coreref, 1); |
2440 | 0 | if (ret) |
2441 | 0 | goto outbuf; |
2442 | 0 | max_addtllen = drbg_max_addtl (); |
2443 | 0 | max_request_bytes = drbg_max_request_bytes (); |
2444 | | /* overflow addtllen with additional info string */ |
2445 | 0 | drbg_string_fill (&addtl, test->addtla, (max_addtllen + 1)); |
2446 | 0 | len = drbg_generate (drbg, buf, test->expectedlen, &addtl); |
2447 | 0 | if (len) |
2448 | 0 | goto outdrbg; |
2449 | | |
2450 | | /* overflow max_bits */ |
2451 | 0 | len = drbg_generate (drbg, buf, (max_request_bytes + 1), NULL); |
2452 | 0 | if (len) |
2453 | 0 | goto outdrbg; |
2454 | 0 | drbg_uninstantiate (drbg); |
2455 | | |
2456 | | /* test failing entropy source as defined in 11.3.2 */ |
2457 | 0 | test_data.testentropy = NULL; |
2458 | 0 | test_data.fail_seed_source = 1; |
2459 | 0 | drbg->test_data = &test_data; |
2460 | 0 | tmpret = drbg_instantiate (drbg, NULL, coreref, 0); |
2461 | 0 | if (!tmpret) |
2462 | 0 | goto outdrbg; |
2463 | 0 | test_data.fail_seed_source = 0; |
2464 | |
|
2465 | 0 | test_data.testentropy = &testentropy; |
2466 | 0 | drbg_string_fill (&testentropy, test->entropy, test->entropylen); |
2467 | | /* overflow max addtllen with personalization string */ |
2468 | 0 | tmpret = drbg_instantiate (drbg, &addtl, coreref, 0); |
2469 | 0 | if (!tmpret) |
2470 | 0 | goto outdrbg; |
2471 | | |
2472 | 0 | dbg (("DRBG: Sanity tests for failure code paths successfully completed\n")); |
2473 | 0 | ret = 0; |
2474 | |
|
2475 | 0 | outdrbg: |
2476 | 0 | drbg_uninstantiate (drbg); |
2477 | 0 | outbuf: |
2478 | 0 | xfree (buf); |
2479 | 0 | xfree (drbg); |
2480 | 0 | return ret; |
2481 | 0 | } |
2482 | | |
2483 | | /* |
2484 | | * DRBG Healthcheck function as required in SP800-90A |
2485 | | * |
2486 | | * return: |
2487 | | * 0 on success (all tests pass) |
2488 | | * >0 on error (return code indicate the number of failures) |
2489 | | */ |
2490 | | static int |
2491 | | drbg_healthcheck (void) |
2492 | 0 | { |
2493 | 0 | int ret = 0; |
2494 | 0 | ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[0]); |
2495 | 0 | ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[1]); |
2496 | 0 | ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[2]); |
2497 | 0 | ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[3]); |
2498 | 0 | ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[4]); |
2499 | 0 | ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[0]); |
2500 | 0 | ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[1]); |
2501 | 0 | ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[2]); |
2502 | 0 | ret += drbg_healthcheck_sanity (&drbg_test_nopr[0]); |
2503 | 0 | return ret; |
2504 | 0 | } |
2505 | | |
2506 | | /* Run the self-tests. */ |
2507 | | gcry_error_t |
2508 | | _gcry_rngdrbg_selftest (selftest_report_func_t report) |
2509 | 0 | { |
2510 | 0 | gcry_err_code_t ec; |
2511 | 0 | const char *errtxt = NULL; |
2512 | 0 | drbg_lock (); |
2513 | 0 | if (0 != drbg_healthcheck ()) |
2514 | 0 | errtxt = "RNG output does not match known value"; |
2515 | 0 | drbg_unlock (); |
2516 | 0 | if (report && errtxt) |
2517 | 0 | report ("random", 0, "KAT", errtxt); |
2518 | 0 | ec = errtxt ? GPG_ERR_SELFTEST_FAILED : 0; |
2519 | 0 | return gpg_error (ec); |
2520 | 0 | } |
2521 | | |
2522 | | /*************************************************************** |
2523 | | * Cipher invocations requested by DRBG |
2524 | | ***************************************************************/ |
2525 | | |
2526 | | static gpg_err_code_t |
2527 | | drbg_hash_init (drbg_state_t drbg) |
2528 | 0 | { |
2529 | 0 | gcry_md_hd_t hd; |
2530 | 0 | gpg_error_t err; |
2531 | |
|
2532 | 0 | err = _gcry_md_open (&hd, drbg->core->backend_cipher, 0); |
2533 | 0 | if (err) |
2534 | 0 | return err; |
2535 | | |
2536 | 0 | drbg->priv_data = hd; |
2537 | |
|
2538 | 0 | return 0; |
2539 | 0 | } |
2540 | | |
2541 | | static gpg_err_code_t |
2542 | | drbg_hmac_init (drbg_state_t drbg) |
2543 | 0 | { |
2544 | 0 | gcry_md_hd_t hd; |
2545 | 0 | gpg_error_t err; |
2546 | |
|
2547 | 0 | err = _gcry_md_open (&hd, drbg->core->backend_cipher, GCRY_MD_FLAG_HMAC); |
2548 | 0 | if (err) |
2549 | 0 | return err; |
2550 | | |
2551 | 0 | drbg->priv_data = hd; |
2552 | |
|
2553 | 0 | return 0; |
2554 | 0 | } |
2555 | | |
2556 | | static gpg_err_code_t |
2557 | | drbg_hmac_setkey (drbg_state_t drbg, const unsigned char *key) |
2558 | 0 | { |
2559 | 0 | gcry_md_hd_t hd = (gcry_md_hd_t)drbg->priv_data; |
2560 | |
|
2561 | 0 | return _gcry_md_setkey (hd, key, drbg_statelen (drbg)); |
2562 | 0 | } |
2563 | | |
2564 | | static void |
2565 | | drbg_hash_fini (drbg_state_t drbg) |
2566 | 0 | { |
2567 | 0 | gcry_md_hd_t hd = (gcry_md_hd_t)drbg->priv_data; |
2568 | |
|
2569 | 0 | _gcry_md_close (hd); |
2570 | 0 | } |
2571 | | |
2572 | | static byte * |
2573 | | drbg_hash (drbg_state_t drbg, const drbg_string_t *buf) |
2574 | 0 | { |
2575 | 0 | gcry_md_hd_t hd = (gcry_md_hd_t)drbg->priv_data; |
2576 | |
|
2577 | 0 | _gcry_md_reset(hd); |
2578 | 0 | for (; NULL != buf; buf = buf->next) |
2579 | 0 | _gcry_md_write (hd, buf->buf, buf->len); |
2580 | 0 | _gcry_md_final (hd); |
2581 | 0 | return _gcry_md_read (hd, drbg->core->backend_cipher); |
2582 | 0 | } |
2583 | | |
2584 | | static void |
2585 | | drbg_sym_fini (drbg_state_t drbg) |
2586 | 0 | { |
2587 | 0 | gcry_cipher_hd_t hd = (gcry_cipher_hd_t)drbg->priv_data; |
2588 | |
|
2589 | 0 | if (hd) |
2590 | 0 | _gcry_cipher_close (hd); |
2591 | 0 | if (drbg->ctr_handle) |
2592 | 0 | _gcry_cipher_close (drbg->ctr_handle); |
2593 | 0 | } |
2594 | | |
2595 | | static gpg_err_code_t |
2596 | | drbg_sym_init (drbg_state_t drbg) |
2597 | 0 | { |
2598 | 0 | gcry_cipher_hd_t hd; |
2599 | 0 | gpg_error_t err; |
2600 | |
|
2601 | 0 | err = _gcry_cipher_open (&hd, drbg->core->backend_cipher, |
2602 | 0 | GCRY_CIPHER_MODE_ECB, 0); |
2603 | 0 | if (err) |
2604 | 0 | { |
2605 | 0 | drbg_sym_fini (drbg); |
2606 | 0 | return err; |
2607 | 0 | } |
2608 | 0 | drbg->priv_data = hd; |
2609 | |
|
2610 | 0 | err = _gcry_cipher_open (&drbg->ctr_handle, drbg->core->backend_cipher, |
2611 | 0 | GCRY_CIPHER_MODE_CTR, 0); |
2612 | 0 | if (err) |
2613 | 0 | { |
2614 | 0 | drbg_sym_fini (drbg); |
2615 | 0 | return err; |
2616 | 0 | } |
2617 | | |
2618 | | |
2619 | 0 | if (drbg_blocklen (drbg) != |
2620 | 0 | _gcry_cipher_get_algo_blklen (drbg->core->backend_cipher)) |
2621 | 0 | { |
2622 | 0 | drbg_sym_fini (drbg); |
2623 | 0 | return -GPG_ERR_NO_ERROR; |
2624 | 0 | } |
2625 | | |
2626 | 0 | return 0; |
2627 | 0 | } |
2628 | | |
2629 | | static gpg_err_code_t |
2630 | | drbg_sym_setkey (drbg_state_t drbg, const unsigned char *key) |
2631 | 0 | { |
2632 | 0 | gcry_cipher_hd_t hd = (gcry_cipher_hd_t)drbg->priv_data; |
2633 | |
|
2634 | 0 | return _gcry_cipher_setkey (hd, key, drbg_keylen (drbg)); |
2635 | 0 | } |
2636 | | |
2637 | | static gpg_err_code_t |
2638 | | drbg_sym (drbg_state_t drbg, unsigned char *outval, const drbg_string_t *buf) |
2639 | 0 | { |
2640 | 0 | gcry_cipher_hd_t hd = (gcry_cipher_hd_t)drbg->priv_data; |
2641 | |
|
2642 | 0 | _gcry_cipher_reset(hd); |
2643 | 0 | if (drbg_blocklen (drbg) < buf->len) |
2644 | 0 | return -GPG_ERR_NO_ERROR; |
2645 | | /* in is only component */ |
2646 | 0 | return _gcry_cipher_encrypt (hd, outval, drbg_blocklen (drbg), buf->buf, |
2647 | 0 | buf->len); |
2648 | 0 | } |
2649 | | |
2650 | | static gpg_err_code_t |
2651 | | drbg_sym_ctr (drbg_state_t drbg, |
2652 | | const unsigned char *inbuf, unsigned int inbuflen, |
2653 | | unsigned char *outbuf, unsigned int outbuflen) |
2654 | 0 | { |
2655 | 0 | gpg_error_t err; |
2656 | |
|
2657 | 0 | _gcry_cipher_reset(drbg->ctr_handle); |
2658 | 0 | err = _gcry_cipher_setctr(drbg->ctr_handle, drbg->V, drbg_blocklen (drbg)); |
2659 | 0 | if (err) |
2660 | 0 | return err; |
2661 | | |
2662 | 0 | while (outbuflen) |
2663 | 0 | { |
2664 | 0 | unsigned int cryptlen = (inbuflen > outbuflen) ? outbuflen : inbuflen; |
2665 | |
|
2666 | 0 | err = _gcry_cipher_encrypt (drbg->ctr_handle, outbuf, cryptlen, inbuf, |
2667 | 0 | cryptlen); |
2668 | 0 | if (err) |
2669 | 0 | return err; |
2670 | | |
2671 | 0 | outbuflen -= cryptlen; |
2672 | 0 | outbuf += cryptlen; |
2673 | 0 | } |
2674 | 0 | return _gcry_cipher_getctr(drbg->ctr_handle, drbg->V, drbg_blocklen (drbg)); |
2675 | 0 | } |