Line data Source code
1 : /* random-drbg.c - Deterministic Random Bits Generator
2 : * Copyright 2014 Stephan Mueller <smueller@chronox.de>
3 : *
4 : * DRBG: Deterministic Random Bits Generator
5 : * Based on NIST Recommended DRBG from NIST SP800-90A with the following
6 : * properties:
7 : * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores
8 : * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
9 : * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
10 : * * with and without prediction resistance
11 : *
12 : * Redistribution and use in source and binary forms, with or without
13 : * modification, are permitted provided that the following conditions
14 : * are met:
15 : * 1. Redistributions of source code must retain the above copyright
16 : * notice, and the entire permission notice in its entirety,
17 : * including the disclaimer of warranties.
18 : * 2. Redistributions in binary form must reproduce the above copyright
19 : * notice, this list of conditions and the following disclaimer in the
20 : * documentation and/or other materials provided with the distribution.
21 : * 3. The name of the author may not be used to endorse or promote
22 : * products derived from this software without specific prior
23 : * written permission.
24 : *
25 : * ALTERNATIVELY, this product may be distributed under the terms of
26 : * LGPLv2+, in which case the provisions of the LGPL are
27 : * required INSTEAD OF the above restrictions. (This clause is
28 : * necessary due to a potential bad interaction between the LGPL and
29 : * the restrictions contained in a BSD-style copyright.)
30 : *
31 : * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32 : * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
33 : * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
34 : * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
35 : * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
36 : * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
37 : * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
38 : * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
39 : * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40 : * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
41 : * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
42 : * DAMAGE.
43 : *
44 : *
45 : * gcry_control GCRYCTL_DRBG_REINIT
46 : * ================================
47 : * This control request re-initializes the DRBG completely, i.e. the entire
48 : * state of the DRBG is zeroized (with two exceptions listed in
49 : * GCRYCTL_DRBG_SET_ENTROPY).
50 : *
51 : * The control request takes the following values which influences how
52 : * the DRBG is re-initialized:
53 : *
54 : * - const char *flagstr
55 : *
56 : * This variable specifies the DRBG type to be used for the next
57 : * initialization. If set to NULL, the previous DRBG type is
58 : * used for the initialization. If not NULL a space separated
59 : * list of tokens with associated flag values is expected which
60 : * are ORed to form the mandatory flags of the requested DRBG
61 : * strength and cipher type. Optionally, the prediction
62 : * resistance flag can be ORed into the flags variable.
63 : *
64 : * | String token | Flag value |
65 : * |--------------+------------------------|
66 : * | aes | DRBG_CTRAES |
67 : * | serpent | DRBG_CTRSERPENT |
68 : * | twofish | DRBG_CTRTWOFISH |
69 : * | sha1 | DRBG_HASHSHA1 |
70 : * | sha256 | DRBG_HASHSHA256 |
71 : * | sha512 | DRBG_HASHSHA512 |
72 : * | hmac | DRBG_HMAC |
73 : * | sym128 | DRBG_SYM128 |
74 : * | sym192 | DRBG_SYM192 |
75 : * | sym256 | DRBG_SYM256 |
76 : * | pr | DRBG_PREDICTION_RESIST |
77 : *
78 : * For example:
79 : *
80 : * - CTR-DRBG with AES-128 without prediction resistance:
81 : * "aes sym128"
82 : * - HMAC-DRBG with SHA-512 with prediction resistance:
83 : * "hmac sha512 pr"
84 : *
85 : * - gcry_buffer_t *pers
86 : *
87 : * NULL terminated array with personalization strings to be used
88 : * for initialization.
89 : *
90 : * - int npers
91 : *
92 : * Size of PERS.
93 : *
94 : * - void *guard
95 : *
96 : * A value of NULL must be passed for this.
97 : *
98 : * The variable of flags is independent from the pers/perslen variables. If
99 : * flags is set to 0 and perslen is set to 0, the current DRBG type is
100 : * completely reset without using a personalization string.
101 : *
102 : * DRBG Usage
103 : * ==========
104 : * The SP 800-90A DRBG allows the user to specify a personalization string
105 : * for initialization as well as an additional information string for each
106 : * random number request. The following code fragments show how a caller
107 : * uses the API to use the full functionality of the DRBG.
108 : *
109 : * Usage without any additional data
110 : * ---------------------------------
111 : * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
112 : *
113 : *
114 : * Usage with personalization string during initialization
115 : * -------------------------------------------------------
116 : * drbg_string_t pers;
117 : * char personalization[11] = "some-string";
118 : *
119 : * drbg_string_fill(&pers, personalization, strlen(personalization));
120 : * // The reset completely re-initializes the DRBG with the provided
121 : * // personalization string without changing the DRBG type
122 : * ret = gcry_control(GCRYCTL_DRBG_REINIT, 0, &pers);
123 : * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
124 : *
125 : *
126 : * Usage with additional information string during random number request
127 : * ---------------------------------------------------------------------
128 : * drbg_string_t addtl;
129 : * char addtl_string[11] = "some-string";
130 : *
131 : * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
132 : * // The following call is a wrapper to gcry_randomize() and returns
133 : * // the same error codes.
134 : * gcry_randomize_drbg(outbuf, OUTLEN, GCRY_STRONG_RANDOM, &addtl);
135 : *
136 : *
137 : * Usage with personalization and additional information strings
138 : * -------------------------------------------------------------
139 : * Just mix both scenarios above.
140 : *
141 : *
142 : * Switch the DRBG type to some other type
143 : * ---------------------------------------
144 : * // Switch to CTR DRBG AES-128 without prediction resistance
145 : * ret = gcry_control(GCRYCTL_DRBG_REINIT, DRBG_NOPR_CTRAES128, NULL);
146 : * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
147 : */
148 :
149 : #include <string.h>
150 : #include <unistd.h>
151 : #include <stdint.h>
152 :
153 : #include <config.h>
154 :
155 : #include "g10lib.h"
156 : #include "random.h"
157 : #include "rand-internal.h"
158 : #include "../cipher/bithelp.h"
159 :
160 :
161 :
162 : /******************************************************************
163 : * Constants
164 : ******************************************************************/
165 :
166 : /*
167 : * DRBG flags bitmasks
168 : *
169 : * 31 (B) 28 19 (A) 0
170 : * +-+-+-+--------+---+-----------+-----+
171 : * |~|~|u|~~~~~~~~| 3 | 2 | 1 |
172 : * +-+-+-+--------+- -+-----------+-----+
173 : * ctl flg| |drbg use selection flags
174 : *
175 : */
176 :
177 : /* Internal state control flags (B) */
178 : #define DRBG_PREDICTION_RESIST ((u32)1<<28)
179 :
180 : /* CTR type modifiers (A.1)*/
181 : #define DRBG_CTRAES ((u32)1<<0)
182 : #define DRBG_CTRSERPENT ((u32)1<<1)
183 : #define DRBG_CTRTWOFISH ((u32)1<<2)
184 : #define DRBG_CTR_MASK (DRBG_CTRAES | DRBG_CTRSERPENT \
185 : | DRBG_CTRTWOFISH)
186 :
187 : /* HASH type modifiers (A.2)*/
188 : #define DRBG_HASHSHA1 ((u32)1<<4)
189 : #define DRBG_HASHSHA224 ((u32)1<<5)
190 : #define DRBG_HASHSHA256 ((u32)1<<6)
191 : #define DRBG_HASHSHA384 ((u32)1<<7)
192 : #define DRBG_HASHSHA512 ((u32)1<<8)
193 : #define DRBG_HASH_MASK (DRBG_HASHSHA1 | DRBG_HASHSHA224 \
194 : | DRBG_HASHSHA256 | DRBG_HASHSHA384 \
195 : | DRBG_HASHSHA512)
196 : /* type modifiers (A.3)*/
197 : #define DRBG_HMAC ((u32)1<<12)
198 : #define DRBG_SYM128 ((u32)1<<13)
199 : #define DRBG_SYM192 ((u32)1<<14)
200 : #define DRBG_SYM256 ((u32)1<<15)
201 : #define DRBG_TYPE_MASK (DRBG_HMAC | DRBG_SYM128 | DRBG_SYM192 \
202 : | DRBG_SYM256)
203 : #define DRBG_CIPHER_MASK (DRBG_CTR_MASK | DRBG_HASH_MASK \
204 : | DRBG_TYPE_MASK)
205 :
206 : #define DRBG_PR_CTRAES128 (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM128)
207 : #define DRBG_PR_CTRAES192 (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM192)
208 : #define DRBG_PR_CTRAES256 (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM256)
209 : #define DRBG_NOPR_CTRAES128 (DRBG_CTRAES | DRBG_SYM128)
210 : #define DRBG_NOPR_CTRAES192 (DRBG_CTRAES | DRBG_SYM192)
211 : #define DRBG_NOPR_CTRAES256 (DRBG_CTRAES | DRBG_SYM256)
212 : #define DRBG_PR_HASHSHA1 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1)
213 : #define DRBG_PR_HASHSHA256 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256)
214 : #define DRBG_PR_HASHSHA384 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA384)
215 : #define DRBG_PR_HASHSHA512 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512)
216 : #define DRBG_NOPR_HASHSHA1 (DRBG_HASHSHA1)
217 : #define DRBG_NOPR_HASHSHA256 (DRBG_HASHSHA256)
218 : #define DRBG_NOPR_HASHSHA384 (DRBG_HASHSHA384)
219 : #define DRBG_NOPR_HASHSHA512 (DRBG_HASHSHA512)
220 : #define DRBG_PR_HMACSHA1 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1 \
221 : | DRBG_HMAC)
222 : #define DRBG_PR_HMACSHA256 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256 \
223 : | DRBG_HMAC)
224 : #define DRBG_PR_HMACSHA384 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA384 \
225 : | DRBG_HMAC)
226 : #define DRBG_PR_HMACSHA512 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512 \
227 : | DRBG_HMAC)
228 : #define DRBG_NOPR_HMACSHA1 (DRBG_HASHSHA1 | DRBG_HMAC)
229 : #define DRBG_NOPR_HMACSHA256 (DRBG_HASHSHA256 | DRBG_HMAC)
230 : #define DRBG_NOPR_HMACSHA384 (DRBG_HASHSHA384 | DRBG_HMAC)
231 : #define DRBG_NOPR_HMACSHA512 (DRBG_HASHSHA512 | DRBG_HMAC)
232 :
233 :
234 : /* The default DRGB type. */
235 : #define DRBG_DEFAULT_TYPE DRBG_NOPR_HMACSHA256
236 :
237 :
238 :
239 : /******************************************************************
240 : * Common data structures
241 : ******************************************************************/
242 :
243 : /*
244 : * SP800-90A requires the concatenation of different data. To avoid copying
245 : * buffers around or allocate additional memory, the following data structure
246 : * is used to point to the original memory with its size. In addition, it
247 : * is used to build a linked list. The linked list defines the concatenation
248 : * of individual buffers. The order of memory block referenced in that
249 : * linked list determines the order of concatenation.
250 : */
251 : struct drbg_string_s
252 : {
253 : const unsigned char *buf;
254 : size_t len;
255 : struct drbg_string_s *next;
256 : };
257 : typedef struct drbg_string_s drbg_string_t;
258 :
259 :
260 : /* DRBG input data structure for DRBG generate with additional
261 : * information string. */
262 : struct drbg_gen_s
263 : {
264 : unsigned char *outbuf; /* output buffer for random numbers */
265 : unsigned int outlen; /* size of output buffer */
266 : drbg_string_t *addtl; /* input buffer for
267 : * additional information string */
268 : };
269 : typedef struct drbg_gen_s drbg_gen_t;
270 :
271 :
272 : /* Forward declaration of the state object pointer. */
273 : struct drbg_state_s;
274 : typedef struct drbg_state_s *drbg_state_t;
275 :
276 :
277 : struct drbg_core_s
278 : {
279 : u32 flags; /* flags for the cipher */
280 : ushort statelen; /* maximum state length */
281 : ushort blocklen_bytes; /* block size of output in bytes */
282 : int backend_cipher; /* libgcrypt backend cipher */
283 : };
284 :
285 : struct drbg_state_ops_s
286 : {
287 : gpg_err_code_t (*update) (drbg_state_t drbg,
288 : drbg_string_t *seed, int reseed);
289 : gpg_err_code_t (*generate) (drbg_state_t drbg,
290 : unsigned char *buf, unsigned int buflen,
291 : drbg_string_t *addtl);
292 : };
293 :
294 : struct drbg_test_data_s
295 : {
296 : drbg_string_t *testentropy; /* TEST PARAMETER: test entropy */
297 : int fail_seed_source:1; /* If set, the seed function will
298 : * return an error. */
299 : };
300 :
301 :
302 : /* This state object keeps the state of an DRBG instance. */
303 : struct drbg_state_s
304 : {
305 : unsigned char *V; /* internal state 10.1.1.1 1a) */
306 : unsigned char *C; /* hash: static value 10.1.1.1 1b)
307 : * hmac / ctr: key */
308 : size_t reseed_ctr; /* Number of RNG requests since last reseed --
309 : * 10.1.1.1 1c) */
310 : unsigned char *scratchpad; /* some memory the DRBG can use for its
311 : * operation -- allocated during init */
312 : int seeded:1; /* DRBG fully seeded? */
313 : int pr:1; /* Prediction resistance enabled? */
314 : /* Taken from libgcrypt ANSI X9.31 DRNG: We need to keep track of the
315 : * process which did the initialization so that we can detect a fork.
316 : * The volatile modifier is required so that the compiler does not
317 : * optimize it away in case the getpid function is badly attributed. */
318 : pid_t seed_init_pid;
319 : const struct drbg_state_ops_s *d_ops;
320 : const struct drbg_core_s *core;
321 : struct drbg_test_data_s *test_data;
322 : };
323 :
324 : enum drbg_prefixes
325 : {
326 : DRBG_PREFIX0 = 0x00,
327 : DRBG_PREFIX1,
328 : DRBG_PREFIX2,
329 : DRBG_PREFIX3
330 : };
331 :
332 : #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
333 :
334 : /***************************************************************
335 : * Global variables
336 : ***************************************************************/
337 :
338 : /* Global state variable holding the current instance of the DRBG. */
339 : static drbg_state_t drbg_state;
340 :
341 : /* This is the lock variable we use to serialize access to this RNG. */
342 : GPGRT_LOCK_DEFINE(drbg_lock_var);
343 :
344 :
345 : /***************************************************************
346 : * Backend cipher definitions available to DRBG
347 : ***************************************************************/
348 :
349 : static const struct drbg_core_s drbg_cores[] = {
350 : /* Hash DRBGs */
351 : {DRBG_HASHSHA1, 55, 20, GCRY_MD_SHA1},
352 : {DRBG_HASHSHA256, 55, 32, GCRY_MD_SHA256},
353 : {DRBG_HASHSHA384, 111, 48, GCRY_MD_SHA384},
354 : {DRBG_HASHSHA512, 111, 64, GCRY_MD_SHA512},
355 : /* HMAC DRBGs */
356 : {DRBG_HASHSHA1 | DRBG_HMAC, 20, 20, GCRY_MD_SHA1},
357 : {DRBG_HASHSHA256 | DRBG_HMAC, 32, 32, GCRY_MD_SHA256},
358 : {DRBG_HASHSHA384 | DRBG_HMAC, 48, 48, GCRY_MD_SHA384},
359 : {DRBG_HASHSHA512 | DRBG_HMAC, 64, 64, GCRY_MD_SHA512},
360 : /* block ciphers */
361 : {DRBG_CTRAES | DRBG_SYM128, 32, 16, GCRY_CIPHER_AES128},
362 : {DRBG_CTRAES | DRBG_SYM192, 40, 16, GCRY_CIPHER_AES192},
363 : {DRBG_CTRAES | DRBG_SYM256, 48, 16, GCRY_CIPHER_AES256}
364 : };
365 :
366 : static gpg_err_code_t drbg_sym (drbg_state_t drbg,
367 : const unsigned char *key,
368 : unsigned char *outval,
369 : const drbg_string_t *buf);
370 : static gpg_err_code_t drbg_hmac (drbg_state_t drbg,
371 : const unsigned char *key,
372 : unsigned char *outval,
373 : const drbg_string_t *buf);
374 :
375 : /******************************************************************
376 : ******************************************************************
377 : ******************************************************************
378 : * Generic DRBG code
379 : ******************************************************************
380 : ******************************************************************
381 : ******************************************************************/
382 :
383 : /******************************************************************
384 : * Generic helper functions
385 : ******************************************************************/
386 :
387 : #if 0
388 : #define dbg(x) do { log_debug x; } while(0)
389 : #else
390 : #define dbg(x)
391 : #endif
392 :
393 : /*
394 : * Parse a string of flags and store the flag values at R_FLAGS.
395 : * Return 0 on success.
396 : */
397 : static gpg_err_code_t
398 0 : parse_flag_string (const char *string, u32 *r_flags)
399 : {
400 : struct {
401 : const char *name;
402 : u32 flag;
403 0 : } table[] = {
404 : { "aes", DRBG_CTRAES },
405 : { "serpent", DRBG_CTRSERPENT },
406 : { "twofish", DRBG_CTRTWOFISH },
407 : { "sha1", DRBG_HASHSHA1 },
408 : { "sha256", DRBG_HASHSHA256 },
409 : { "sha512", DRBG_HASHSHA512 },
410 : { "hmac", DRBG_HMAC },
411 : { "sym128", DRBG_SYM128 },
412 : { "sym192", DRBG_SYM192 },
413 : { "sym256", DRBG_SYM256 },
414 : { "pr", DRBG_PREDICTION_RESIST }
415 : };
416 :
417 0 : *r_flags = 0;
418 0 : if (string)
419 : {
420 : char **tl;
421 : const char *s;
422 : int i, j;
423 :
424 0 : tl = _gcry_strtokenize (string, NULL);
425 0 : if (!tl)
426 0 : return gpg_err_code_from_syserror ();
427 0 : for (i=0; (s=tl[i]); i++)
428 : {
429 0 : for (j=0; j < DIM (table); j++)
430 0 : if (!strcmp (s, table[j].name))
431 : {
432 0 : *r_flags |= table[j].flag;
433 0 : break;
434 : }
435 0 : if (!(j < DIM (table)))
436 : {
437 0 : xfree (tl);
438 0 : return GPG_ERR_INV_FLAG;
439 : }
440 : }
441 0 : xfree (tl);
442 : }
443 :
444 0 : return 0;
445 : }
446 :
447 : static inline void
448 32 : drbg_string_fill (drbg_string_t *string,
449 : const unsigned char *buf, size_t len)
450 : {
451 32 : string->buf = buf;
452 32 : string->len = len;
453 32 : string->next = NULL;
454 32 : }
455 :
456 : static inline ushort
457 54 : drbg_statelen (drbg_state_t drbg)
458 : {
459 54 : if (drbg && drbg->core)
460 54 : return drbg->core->statelen;
461 0 : return 0;
462 : }
463 :
464 : static inline ushort
465 32 : drbg_blocklen (drbg_state_t drbg)
466 : {
467 32 : if (drbg && drbg->core)
468 32 : return drbg->core->blocklen_bytes;
469 0 : return 0;
470 : }
471 :
472 : static inline ushort
473 0 : drbg_keylen (drbg_state_t drbg)
474 : {
475 0 : if (drbg && drbg->core)
476 0 : return (drbg->core->statelen - drbg->core->blocklen_bytes);
477 0 : return 0;
478 : }
479 :
480 : static inline size_t
481 12 : drbg_max_request_bytes (void)
482 : {
483 : /* SP800-90A requires the limit 2**19 bits, but we return bytes */
484 12 : return (1 << 16);
485 : }
486 :
487 : static inline size_t
488 0 : drbg_max_addtl (void)
489 : {
490 : /* SP800-90A requires 2**35 bytes additional info str / pers str */
491 : #ifdef __LP64__
492 0 : return (1UL << 35);
493 : #else
494 : /*
495 : * SP800-90A allows smaller maximum numbers to be returned -- we
496 : * return SIZE_MAX - 1 to allow the verification of the enforcement
497 : * of this value in drbg_healthcheck_sanity.
498 : */
499 : return (SIZE_MAX - 1);
500 : #endif
501 : }
502 :
503 : static inline size_t
504 6 : drbg_max_requests (void)
505 : {
506 : /* SP800-90A requires 2**48 maximum requests before reseeding */
507 : #ifdef __LP64__
508 6 : return (1UL << 48);
509 : #else
510 : return SIZE_MAX;
511 : #endif
512 : }
513 :
514 : /*
515 : * Return strength of DRBG according to SP800-90A section 8.4
516 : *
517 : * flags: DRBG flags reference
518 : *
519 : * Return: normalized strength value or 32 as a default to counter
520 : * programming errors
521 : */
522 : static inline unsigned short
523 2 : drbg_sec_strength (u32 flags)
524 : {
525 2 : if ((flags & DRBG_HASHSHA1) || (flags & DRBG_SYM128))
526 0 : return 16;
527 2 : else if (flags & DRBG_SYM192)
528 0 : return 24;
529 2 : else if ((flags & DRBG_SYM256) || (flags & DRBG_HASHSHA256) ||
530 0 : (flags & DRBG_HASHSHA384) || (flags & DRBG_HASHSHA512))
531 2 : return 32;
532 : else
533 0 : return 32;
534 : }
535 :
536 : /*
537 : * Convert an integer into a byte representation of this integer.
538 : * The byte representation is big-endian
539 : *
540 : * @val value to be converted
541 : * @buf buffer holding the converted integer -- caller must ensure that
542 : * buffer size is at least 32 bit
543 : */
544 : static inline void
545 0 : drbg_cpu_to_be32 (u32 val, unsigned char *buf)
546 : {
547 : /* FIXME: This may raise a bus error. */
548 : struct s
549 : {
550 : u32 conv;
551 : };
552 0 : struct s *conversion = (struct s *) buf;
553 :
554 0 : conversion->conv = be_bswap32 (val);
555 0 : }
556 :
557 : static void
558 0 : drbg_add_buf (unsigned char *dst, size_t dstlen,
559 : unsigned char *add, size_t addlen)
560 : {
561 : /* implied: dstlen > addlen */
562 : unsigned char *dstptr, *addptr;
563 0 : unsigned int remainder = 0;
564 0 : size_t len = addlen;
565 :
566 0 : dstptr = dst + (dstlen - 1);
567 0 : addptr = add + (addlen - 1);
568 0 : while (len)
569 : {
570 0 : remainder += *dstptr + *addptr;
571 0 : *dstptr = remainder & 0xff;
572 0 : remainder >>= 8;
573 0 : len--;
574 0 : dstptr--;
575 0 : addptr--;
576 : }
577 0 : len = dstlen - addlen;
578 0 : while (len && remainder > 0)
579 : {
580 0 : remainder = *dstptr + 1;
581 0 : *dstptr = remainder & 0xff;
582 0 : remainder >>= 8;
583 0 : len--;
584 0 : dstptr--;
585 : }
586 0 : }
587 :
588 : /* Helper variables for read_cb().
589 : *
590 : * The _gcry_rnd*_gather_random interface does not allow to provide a
591 : * data pointer. Thus we need to use a global variable for
592 : * communication. However, the then required locking is anyway a good
593 : * idea because it does not make sense to have several readers of (say
594 : * /dev/random). It is easier to serve them one after the other.
595 : */
596 : static unsigned char *read_cb_buffer; /* The buffer. */
597 : static size_t read_cb_size; /* Size of the buffer. */
598 : static size_t read_cb_len; /* Used length. */
599 :
600 : /* Callback for generating seed from kernel device. */
601 : static void
602 16 : drbg_read_cb (const void *buffer, size_t length,
603 : enum random_origins origin)
604 : {
605 16 : const unsigned char *p = buffer;
606 :
607 : (void) origin;
608 16 : gcry_assert (read_cb_buffer);
609 :
610 : /* Note that we need to protect against gatherers returning more
611 : * than the requested bytes (e.g. rndw32). */
612 128 : while (length-- && read_cb_len < read_cb_size)
613 96 : read_cb_buffer[read_cb_len++] = *p++;
614 16 : }
615 :
616 : static inline int
617 2 : drbg_get_entropy (drbg_state_t drbg, unsigned char *buffer,
618 : size_t len)
619 : {
620 2 : int rc = 0;
621 :
622 : /* Perform testing as defined in 11.3.2 */
623 2 : if (drbg->test_data && drbg->test_data->fail_seed_source)
624 0 : return -1;
625 :
626 2 : read_cb_buffer = buffer;
627 2 : read_cb_size = len;
628 2 : read_cb_len = 0;
629 : #if USE_RNDLINUX
630 2 : rc = _gcry_rndlinux_gather_random (drbg_read_cb, 0, len,
631 : GCRY_VERY_STRONG_RANDOM);
632 : #elif USE_RNDUNIX
633 : rc = _gcry_rndunix_gather_random (drbg_read_cb, 0, len,
634 : GCRY_VERY_STRONG_RANDOM);
635 : #elif USE_RNDW32
636 : do
637 : {
638 : rc = _gcry_rndw32_gather_random (drbg_read_cb, 0, len,
639 : GCRY_VERY_STRONG_RANDOM);
640 : }
641 : while (rc >= 0 && read_cb_len < read_cb_size);
642 : #else
643 : rc = -1;
644 : #endif
645 2 : return rc;
646 : }
647 :
648 : /******************************************************************
649 : * CTR DRBG callback functions
650 : ******************************************************************/
651 :
652 : /* BCC function for CTR DRBG as defined in 10.4.3 */
653 : static gpg_err_code_t
654 0 : drbg_ctr_bcc (drbg_state_t drbg,
655 : unsigned char *out, const unsigned char *key,
656 : drbg_string_t *in)
657 : {
658 0 : gpg_err_code_t ret = GPG_ERR_GENERAL;
659 0 : drbg_string_t *curr = in;
660 0 : size_t inpos = curr->len;
661 0 : const unsigned char *pos = curr->buf;
662 : drbg_string_t data;
663 :
664 0 : drbg_string_fill (&data, out, drbg_blocklen (drbg));
665 :
666 : /* 10.4.3 step 1 */
667 0 : memset (out, 0, drbg_blocklen (drbg));
668 :
669 : /* 10.4.3 step 2 / 4 */
670 0 : while (inpos)
671 : {
672 0 : short cnt = 0;
673 : /* 10.4.3 step 4.1 */
674 0 : for (cnt = 0; cnt < drbg_blocklen (drbg); cnt++)
675 : {
676 0 : out[cnt] ^= *pos;
677 0 : pos++;
678 0 : inpos--;
679 : /* the following branch implements the linked list
680 : * iteration. If we are at the end of the current data
681 : * set, we have to start using the next data set if
682 : * available -- the inpos value always points to the
683 : * current byte and will be zero if we have processed
684 : * the last byte of the last linked list member */
685 0 : if (0 == inpos)
686 : {
687 0 : curr = curr->next;
688 0 : if (NULL != curr)
689 : {
690 0 : pos = curr->buf;
691 0 : inpos = curr->len;
692 : }
693 : else
694 : {
695 0 : inpos = 0;
696 0 : break;
697 : }
698 : }
699 : }
700 : /* 10.4.3 step 4.2 */
701 0 : ret = drbg_sym (drbg, key, out, &data);
702 0 : if (ret)
703 0 : return ret;
704 : /* 10.4.3 step 2 */
705 : }
706 0 : return 0;
707 : }
708 :
709 :
710 : /*
711 : * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
712 : * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
713 : * the scratchpad is used as follows:
714 : * drbg_ctr_update:
715 : * temp
716 : * start: drbg->scratchpad
717 : * length: drbg_statelen(drbg) + drbg_blocklen(drbg)
718 : * note: the cipher writing into this variable works
719 : * blocklen-wise. Now, when the statelen is not a multiple
720 : * of blocklen, the generateion loop below "spills over"
721 : * by at most blocklen. Thus, we need to give sufficient
722 : * memory.
723 : * df_data
724 : * start: drbg->scratchpad +
725 : * drbg_statelen(drbg) +
726 : * drbg_blocklen(drbg)
727 : * length: drbg_statelen(drbg)
728 : *
729 : * drbg_ctr_df:
730 : * pad
731 : * start: df_data + drbg_statelen(drbg)
732 : * length: drbg_blocklen(drbg)
733 : * iv
734 : * start: pad + drbg_blocklen(drbg)
735 : * length: drbg_blocklen(drbg)
736 : * temp
737 : * start: iv + drbg_blocklen(drbg)
738 : * length: drbg_satelen(drbg) + drbg_blocklen(drbg)
739 : * note: temp is the buffer that the BCC function operates
740 : * on. BCC operates blockwise. drbg_statelen(drbg)
741 : * is sufficient when the DRBG state length is a multiple
742 : * of the block size. For AES192 (and maybe other ciphers)
743 : * this is not correct and the length for temp is
744 : * insufficient (yes, that also means for such ciphers,
745 : * the final output of all BCC rounds are truncated).
746 : * Therefore, add drbg_blocklen(drbg) to cover all
747 : * possibilities.
748 : */
749 :
750 : /* Derivation Function for CTR DRBG as defined in 10.4.2 */
751 : static gpg_err_code_t
752 0 : drbg_ctr_df (drbg_state_t drbg, unsigned char *df_data,
753 : size_t bytes_to_return, drbg_string_t *addtl)
754 : {
755 0 : gpg_err_code_t ret = GPG_ERR_GENERAL;
756 : unsigned char L_N[8];
757 : /* S3 is input */
758 : drbg_string_t S1, S2, S4, cipherin;
759 0 : drbg_string_t *tempstr = addtl;
760 0 : unsigned char *pad = df_data + drbg_statelen (drbg);
761 0 : unsigned char *iv = pad + drbg_blocklen (drbg);
762 0 : unsigned char *temp = iv + drbg_blocklen (drbg);
763 0 : size_t padlen = 0;
764 0 : unsigned int templen = 0;
765 : /* 10.4.2 step 7 */
766 0 : unsigned int i = 0;
767 : /* 10.4.2 step 8 */
768 0 : const unsigned char *K = (unsigned char *)
769 : "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
770 : "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
771 : unsigned char *X;
772 0 : size_t generated_len = 0;
773 0 : size_t inputlen = 0;
774 :
775 0 : memset (pad, 0, drbg_blocklen (drbg));
776 0 : memset (iv, 0, drbg_blocklen (drbg));
777 0 : memset (temp, 0, drbg_statelen (drbg));
778 :
779 : /* 10.4.2 step 1 is implicit as we work byte-wise */
780 :
781 : /* 10.4.2 step 2 */
782 0 : if ((512 / 8) < bytes_to_return)
783 0 : return GPG_ERR_INV_ARG;
784 :
785 : /* 10.4.2 step 2 -- calculate the entire length of all input data */
786 0 : for (; NULL != tempstr; tempstr = tempstr->next)
787 0 : inputlen += tempstr->len;
788 0 : drbg_cpu_to_be32 (inputlen, &L_N[0]);
789 :
790 : /* 10.4.2 step 3 */
791 0 : drbg_cpu_to_be32 (bytes_to_return, &L_N[4]);
792 :
793 : /* 10.4.2 step 5: length is size of L_N, input_string, one byte, padding */
794 0 : padlen = (inputlen + sizeof (L_N) + 1) % (drbg_blocklen (drbg));
795 : /* wrap the padlen appropriately */
796 0 : if (padlen)
797 0 : padlen = drbg_blocklen (drbg) - padlen;
798 : /* pad / padlen contains the 0x80 byte and the following zero bytes, so
799 : * add one for byte for 0x80 */
800 0 : padlen++;
801 0 : pad[0] = 0x80;
802 :
803 : /* 10.4.2 step 4 -- first fill the linked list and then order it */
804 0 : drbg_string_fill (&S1, iv, drbg_blocklen (drbg));
805 0 : drbg_string_fill (&S2, L_N, sizeof (L_N));
806 0 : drbg_string_fill (&S4, pad, padlen);
807 0 : S1.next = &S2;
808 0 : S2.next = addtl;
809 :
810 : /* Splice in addtl between S2 and S4 -- we place S4 at the end of the
811 : * input data chain. As this code is only triggered when addtl is not
812 : * NULL, no NULL checks are necessary.*/
813 0 : tempstr = addtl;
814 0 : while (tempstr->next)
815 0 : tempstr = tempstr->next;
816 0 : tempstr->next = &S4;
817 :
818 : /* 10.4.2 step 9 */
819 0 : while (templen < (drbg_keylen (drbg) + (drbg_blocklen (drbg))))
820 : {
821 : /* 10.4.2 step 9.1 - the padding is implicit as the buffer
822 : * holds zeros after allocation -- even the increment of i
823 : * is irrelevant as the increment remains within length of i */
824 0 : drbg_cpu_to_be32 (i, iv);
825 : /* 10.4.2 step 9.2 -- BCC and concatenation with temp */
826 0 : ret = drbg_ctr_bcc (drbg, temp + templen, K, &S1);
827 0 : if (ret)
828 0 : goto out;
829 : /* 10.4.2 step 9.3 */
830 0 : i++;
831 0 : templen += drbg_blocklen (drbg);
832 : }
833 :
834 : /* 10.4.2 step 11 */
835 : /* implicit key len with seedlen - blocklen according to table 3 */
836 0 : X = temp + (drbg_keylen (drbg));
837 0 : drbg_string_fill (&cipherin, X, drbg_blocklen (drbg));
838 :
839 : /* 10.4.2 step 12: overwriting of outval */
840 :
841 : /* 10.4.2 step 13 */
842 0 : while (generated_len < bytes_to_return)
843 : {
844 0 : short blocklen = 0;
845 : /* 10.4.2 step 13.1 */
846 : /* the truncation of the key length is implicit as the key
847 : * is only drbg_blocklen in size -- check for the implementation
848 : * of the cipher function callback */
849 0 : ret = drbg_sym (drbg, temp, X, &cipherin);
850 0 : if (ret)
851 0 : goto out;
852 0 : blocklen = (drbg_blocklen (drbg) <
853 0 : (bytes_to_return - generated_len)) ?
854 0 : drbg_blocklen (drbg) : (bytes_to_return - generated_len);
855 : /* 10.4.2 step 13.2 and 14 */
856 0 : memcpy (df_data + generated_len, X, blocklen);
857 0 : generated_len += blocklen;
858 : }
859 :
860 0 : ret = 0;
861 :
862 : out:
863 0 : memset (iv, 0, drbg_blocklen (drbg));
864 0 : memset (temp, 0, drbg_statelen (drbg));
865 0 : memset (pad, 0, drbg_blocklen (drbg));
866 0 : return ret;
867 : }
868 :
869 : /*
870 : * Update function of CTR DRBG as defined in 10.2.1.2
871 : *
872 : * The reseed variable has an enhanced meaning compared to the update
873 : * functions of the other DRBGs as follows:
874 : * 0 => initial seed from initialization
875 : * 1 => reseed via drbg_seed
876 : * 2 => first invocation from drbg_ctr_update when addtl is present. In
877 : * this case, the df_data scratchpad is not deleted so that it is
878 : * available for another calls to prevent calling the DF function
879 : * again.
880 : * 3 => second invocation from drbg_ctr_update. When the update function
881 : * was called with addtl, the df_data memory already contains the
882 : * DFed addtl information and we do not need to call DF again.
883 : */
884 : static gpg_err_code_t
885 0 : drbg_ctr_update (drbg_state_t drbg, drbg_string_t *addtl, int reseed)
886 : {
887 0 : gpg_err_code_t ret = GPG_ERR_GENERAL;
888 : /* 10.2.1.2 step 1 */
889 0 : unsigned char *temp = drbg->scratchpad;
890 0 : unsigned char *df_data = drbg->scratchpad +
891 0 : drbg_statelen (drbg) + drbg_blocklen (drbg);
892 : unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */
893 0 : unsigned int len = 0;
894 : drbg_string_t cipherin;
895 0 : unsigned char prefix = DRBG_PREFIX1;
896 :
897 0 : memset (temp, 0, drbg_statelen (drbg) + drbg_blocklen (drbg));
898 0 : if (3 > reseed)
899 0 : memset (df_data, 0, drbg_statelen (drbg));
900 :
901 : /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
902 : /* TODO use reseed variable to avoid re-doing DF operation */
903 : (void) reseed;
904 0 : if (addtl && 0 < addtl->len)
905 : {
906 0 : ret =
907 0 : drbg_ctr_df (drbg, df_data, drbg_statelen (drbg), addtl);
908 0 : if (ret)
909 0 : goto out;
910 : }
911 :
912 0 : drbg_string_fill (&cipherin, drbg->V, drbg_blocklen (drbg));
913 : /* 10.2.1.3.2 step 2 and 3 -- are already covered as we memset(0)
914 : * all memory during initialization */
915 0 : while (len < (drbg_statelen (drbg)))
916 : {
917 : /* 10.2.1.2 step 2.1 */
918 0 : drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
919 : /* 10.2.1.2 step 2.2 */
920 : /* using target of temp + len: 10.2.1.2 step 2.3 and 3 */
921 0 : ret = drbg_sym (drbg, drbg->C, temp + len, &cipherin);
922 0 : if (ret)
923 0 : goto out;
924 : /* 10.2.1.2 step 2.3 and 3 */
925 0 : len += drbg_blocklen (drbg);
926 : }
927 :
928 : /* 10.2.1.2 step 4 */
929 0 : temp_p = temp;
930 0 : df_data_p = df_data;
931 0 : for (len = 0; len < drbg_statelen (drbg); len++)
932 : {
933 0 : *temp_p ^= *df_data_p;
934 0 : df_data_p++;
935 0 : temp_p++;
936 : }
937 :
938 : /* 10.2.1.2 step 5 */
939 0 : memcpy (drbg->C, temp, drbg_keylen (drbg));
940 : /* 10.2.1.2 step 6 */
941 0 : memcpy (drbg->V, temp + drbg_keylen (drbg), drbg_blocklen (drbg));
942 0 : ret = 0;
943 :
944 : out:
945 0 : memset (temp, 0, drbg_statelen (drbg) + drbg_blocklen (drbg));
946 0 : if (2 != reseed)
947 0 : memset (df_data, 0, drbg_statelen (drbg));
948 0 : return ret;
949 : }
950 :
951 : /*
952 : * scratchpad use: drbg_ctr_update is called independently from
953 : * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
954 : */
955 : /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
956 : static gpg_err_code_t
957 0 : drbg_ctr_generate (drbg_state_t drbg,
958 : unsigned char *buf, unsigned int buflen,
959 : drbg_string_t *addtl)
960 : {
961 0 : gpg_err_code_t ret = 0;
962 0 : unsigned int len = 0;
963 : drbg_string_t data;
964 0 : unsigned char prefix = DRBG_PREFIX1;
965 :
966 0 : memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
967 :
968 : /* 10.2.1.5.2 step 2 */
969 0 : if (addtl && 0 < addtl->len)
970 : {
971 0 : addtl->next = NULL;
972 0 : ret = drbg_ctr_update (drbg, addtl, 2);
973 0 : if (ret)
974 0 : return ret;
975 : }
976 :
977 : /* 10.2.1.5.2 step 4.1 */
978 0 : drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
979 0 : drbg_string_fill (&data, drbg->V, drbg_blocklen (drbg));
980 0 : while (len < buflen)
981 : {
982 0 : unsigned int outlen = 0;
983 : /* 10.2.1.5.2 step 4.2 */
984 0 : ret = drbg_sym (drbg, drbg->C, drbg->scratchpad, &data);
985 0 : if (ret)
986 0 : goto out;
987 0 : outlen = (drbg_blocklen (drbg) < (buflen - len)) ?
988 0 : drbg_blocklen (drbg) : (buflen - len);
989 : /* 10.2.1.5.2 step 4.3 */
990 0 : memcpy (buf + len, drbg->scratchpad, outlen);
991 0 : len += outlen;
992 : /* 10.2.1.5.2 step 6 */
993 0 : if (len < buflen)
994 0 : drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
995 : }
996 :
997 : /* 10.2.1.5.2 step 6 */
998 0 : if (addtl)
999 0 : addtl->next = NULL;
1000 0 : ret = drbg_ctr_update (drbg, addtl, 3);
1001 :
1002 : out:
1003 0 : memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
1004 0 : return ret;
1005 : }
1006 :
1007 : static struct drbg_state_ops_s drbg_ctr_ops = {
1008 : drbg_ctr_update,
1009 : drbg_ctr_generate
1010 : };
1011 :
1012 : /******************************************************************
1013 : * HMAC DRBG callback functions
1014 : ******************************************************************/
1015 :
1016 : static gpg_err_code_t
1017 8 : drbg_hmac_update (drbg_state_t drbg, drbg_string_t *seed, int reseed)
1018 : {
1019 8 : gpg_err_code_t ret = GPG_ERR_GENERAL;
1020 8 : int i = 0;
1021 : drbg_string_t seed1, seed2, cipherin;
1022 :
1023 8 : if (!reseed)
1024 : {
1025 : /* 10.1.2.3 step 2 already implicitly covered with
1026 : * the initial memset(0) of drbg->C */
1027 2 : memset (drbg->V, 1, drbg_statelen (drbg));
1028 : }
1029 :
1030 : /* build linked list which implements the concatenation and fill
1031 : * first part*/
1032 8 : drbg_string_fill (&seed1, drbg->V, drbg_statelen (drbg));
1033 : /* buffer will be filled in for loop below with one byte */
1034 8 : drbg_string_fill (&seed2, NULL, 1);
1035 8 : seed1.next = &seed2;
1036 : /* seed may be NULL */
1037 8 : seed2.next = seed;
1038 :
1039 8 : drbg_string_fill (&cipherin, drbg->V, drbg_statelen (drbg));
1040 : /* we execute two rounds of V/K massaging */
1041 24 : for (i = 2; 0 < i; i--)
1042 : {
1043 : /* first round uses 0x0, second 0x1 */
1044 10 : unsigned char prefix = DRBG_PREFIX0;
1045 10 : if (1 == i)
1046 2 : prefix = DRBG_PREFIX1;
1047 : /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
1048 10 : seed2.buf = &prefix;
1049 10 : ret = drbg_hmac (drbg, drbg->C, drbg->C, &seed1);
1050 10 : if (ret)
1051 6 : return ret;
1052 :
1053 : /* 10.1.2.2 step 2 and 5 -- HMAC for V */
1054 10 : ret = drbg_hmac (drbg, drbg->C, drbg->V, &cipherin);
1055 10 : if (ret)
1056 0 : return ret;
1057 :
1058 : /* 10.1.2.2 step 3 */
1059 10 : if (!seed || 0 == seed->len)
1060 6 : return ret;
1061 : }
1062 2 : return 0;
1063 : }
1064 :
1065 : /* generate function of HMAC DRBG as defined in 10.1.2.5 */
1066 : static gpg_err_code_t
1067 6 : drbg_hmac_generate (drbg_state_t drbg, unsigned char *buf, unsigned int buflen,
1068 : drbg_string_t *addtl)
1069 : {
1070 6 : gpg_err_code_t ret = 0;
1071 6 : unsigned int len = 0;
1072 : drbg_string_t data;
1073 :
1074 : /* 10.1.2.5 step 2 */
1075 6 : if (addtl && 0 < addtl->len)
1076 : {
1077 0 : addtl->next = NULL;
1078 0 : ret = drbg_hmac_update (drbg, addtl, 1);
1079 0 : if (ret)
1080 0 : return ret;
1081 : }
1082 :
1083 6 : drbg_string_fill (&data, drbg->V, drbg_statelen (drbg));
1084 18 : while (len < buflen)
1085 : {
1086 6 : unsigned int outlen = 0;
1087 : /* 10.1.2.5 step 4.1 */
1088 6 : ret = drbg_hmac (drbg, drbg->C, drbg->V, &data);
1089 6 : if (ret)
1090 0 : return ret;
1091 12 : outlen = (drbg_blocklen (drbg) < (buflen - len)) ?
1092 6 : drbg_blocklen (drbg) : (buflen - len);
1093 :
1094 : /* 10.1.2.5 step 4.2 */
1095 6 : memcpy (buf + len, drbg->V, outlen);
1096 6 : len += outlen;
1097 : }
1098 :
1099 : /* 10.1.2.5 step 6 */
1100 6 : if (addtl)
1101 0 : addtl->next = NULL;
1102 6 : ret = drbg_hmac_update (drbg, addtl, 1);
1103 :
1104 6 : return ret;
1105 : }
1106 :
1107 : static struct drbg_state_ops_s drbg_hmac_ops = {
1108 : drbg_hmac_update,
1109 : drbg_hmac_generate
1110 : };
1111 :
1112 : /******************************************************************
1113 : * Hash DRBG callback functions
1114 : ******************************************************************/
1115 :
1116 : /*
1117 : * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
1118 : * interlinked, the scratchpad is used as follows:
1119 : * drbg_hash_update
1120 : * start: drbg->scratchpad
1121 : * length: drbg_statelen(drbg)
1122 : * drbg_hash_df:
1123 : * start: drbg->scratchpad + drbg_statelen(drbg)
1124 : * length: drbg_blocklen(drbg)
1125 : */
1126 : /* Derivation Function for Hash DRBG as defined in 10.4.1 */
1127 : static gpg_err_code_t
1128 0 : drbg_hash_df (drbg_state_t drbg,
1129 : unsigned char *outval, size_t outlen,
1130 : drbg_string_t *entropy)
1131 : {
1132 0 : gpg_err_code_t ret = 0;
1133 0 : size_t len = 0;
1134 : unsigned char input[5];
1135 0 : unsigned char *tmp = drbg->scratchpad + drbg_statelen (drbg);
1136 : drbg_string_t data1;
1137 :
1138 0 : memset (tmp, 0, drbg_blocklen (drbg));
1139 :
1140 : /* 10.4.1 step 3 */
1141 0 : input[0] = 1;
1142 0 : drbg_cpu_to_be32 ((outlen * 8), &input[1]);
1143 :
1144 : /* 10.4.1 step 4.1 -- concatenation of data for input into hash */
1145 0 : drbg_string_fill (&data1, input, 5);
1146 0 : data1.next = entropy;
1147 :
1148 : /* 10.4.1 step 4 */
1149 0 : while (len < outlen)
1150 : {
1151 0 : short blocklen = 0;
1152 : /* 10.4.1 step 4.1 */
1153 0 : ret = drbg_hmac (drbg, NULL, tmp, &data1);
1154 0 : if (ret)
1155 0 : goto out;
1156 : /* 10.4.1 step 4.2 */
1157 0 : input[0]++;
1158 0 : blocklen = (drbg_blocklen (drbg) < (outlen - len)) ?
1159 0 : drbg_blocklen (drbg) : (outlen - len);
1160 0 : memcpy (outval + len, tmp, blocklen);
1161 0 : len += blocklen;
1162 : }
1163 :
1164 : out:
1165 0 : memset (tmp, 0, drbg_blocklen (drbg));
1166 0 : return ret;
1167 : }
1168 :
1169 : /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
1170 : static gpg_err_code_t
1171 0 : drbg_hash_update (drbg_state_t drbg, drbg_string_t *seed, int reseed)
1172 : {
1173 0 : gpg_err_code_t ret = 0;
1174 : drbg_string_t data1, data2;
1175 0 : unsigned char *V = drbg->scratchpad;
1176 0 : unsigned char prefix = DRBG_PREFIX1;
1177 :
1178 0 : memset (drbg->scratchpad, 0, drbg_statelen (drbg));
1179 0 : if (!seed)
1180 0 : return GPG_ERR_INV_ARG;
1181 :
1182 0 : if (reseed)
1183 : {
1184 : /* 10.1.1.3 step 1: string length is concatenation of
1185 : * 1 byte, V and seed (which is concatenated entropy/addtl
1186 : * input)
1187 : */
1188 0 : memcpy (V, drbg->V, drbg_statelen (drbg));
1189 0 : drbg_string_fill (&data1, &prefix, 1);
1190 0 : drbg_string_fill (&data2, V, drbg_statelen (drbg));
1191 0 : data1.next = &data2;
1192 0 : data2.next = seed;
1193 : }
1194 : else
1195 : {
1196 0 : drbg_string_fill (&data1, seed->buf, seed->len);
1197 0 : data1.next = seed->next;
1198 : }
1199 :
1200 : /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
1201 0 : ret = drbg_hash_df (drbg, drbg->V, drbg_statelen (drbg), &data1);
1202 0 : if (ret)
1203 0 : goto out;
1204 :
1205 : /* 10.1.1.2 / 10.1.1.3 step 4 -- concatenation */
1206 0 : prefix = DRBG_PREFIX0;
1207 0 : drbg_string_fill (&data1, &prefix, 1);
1208 0 : drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg));
1209 0 : data1.next = &data2;
1210 : /* 10.1.1.2 / 10.1.1.3 step 4 -- df operation */
1211 0 : ret = drbg_hash_df (drbg, drbg->C, drbg_statelen (drbg), &data1);
1212 :
1213 : out:
1214 0 : memset (drbg->scratchpad, 0, drbg_statelen (drbg));
1215 0 : return ret;
1216 : }
1217 :
1218 : /* Processing of additional information string for Hash DRBG. */
1219 : static gpg_err_code_t
1220 0 : drbg_hash_process_addtl (drbg_state_t drbg, drbg_string_t *addtl)
1221 : {
1222 0 : gpg_err_code_t ret = 0;
1223 : drbg_string_t data1, data2;
1224 : drbg_string_t *data3;
1225 0 : unsigned char prefix = DRBG_PREFIX2;
1226 :
1227 : /* this is value w as per documentation */
1228 0 : memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
1229 :
1230 : /* 10.1.1.4 step 2 */
1231 0 : if (!addtl || 0 == addtl->len)
1232 0 : return 0;
1233 :
1234 : /* 10.1.1.4 step 2a -- concatenation */
1235 0 : drbg_string_fill (&data1, &prefix, 1);
1236 0 : drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg));
1237 0 : data3 = addtl;
1238 0 : data1.next = &data2;
1239 0 : data2.next = data3;
1240 0 : data3->next = NULL;
1241 : /* 10.1.1.4 step 2a -- cipher invocation */
1242 0 : ret = drbg_hmac (drbg, NULL, drbg->scratchpad, &data1);
1243 0 : if (ret)
1244 0 : goto out;
1245 :
1246 : /* 10.1.1.4 step 2b */
1247 0 : drbg_add_buf (drbg->V, drbg_statelen (drbg),
1248 0 : drbg->scratchpad, drbg_blocklen (drbg));
1249 :
1250 : out:
1251 0 : memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
1252 0 : return ret;
1253 : }
1254 :
1255 : /*
1256 : * Hashgen defined in 10.1.1.4
1257 : */
1258 : static gpg_err_code_t
1259 0 : drbg_hash_hashgen (drbg_state_t drbg,
1260 : unsigned char *buf, unsigned int buflen)
1261 : {
1262 0 : gpg_err_code_t ret = 0;
1263 0 : unsigned int len = 0;
1264 0 : unsigned char *src = drbg->scratchpad;
1265 0 : unsigned char *dst = drbg->scratchpad + drbg_statelen (drbg);
1266 : drbg_string_t data;
1267 0 : unsigned char prefix = DRBG_PREFIX1;
1268 :
1269 : /* use the scratchpad as a lookaside buffer */
1270 0 : memset (src, 0, drbg_statelen (drbg));
1271 0 : memset (dst, 0, drbg_blocklen (drbg));
1272 :
1273 : /* 10.1.1.4 step hashgen 2 */
1274 0 : memcpy (src, drbg->V, drbg_statelen (drbg));
1275 :
1276 0 : drbg_string_fill (&data, src, drbg_statelen (drbg));
1277 0 : while (len < buflen)
1278 : {
1279 0 : unsigned int outlen = 0;
1280 : /* 10.1.1.4 step hashgen 4.1 */
1281 0 : ret = drbg_hmac (drbg, NULL, dst, &data);
1282 0 : if (ret)
1283 0 : goto out;
1284 0 : outlen = (drbg_blocklen (drbg) < (buflen - len)) ?
1285 0 : drbg_blocklen (drbg) : (buflen - len);
1286 : /* 10.1.1.4 step hashgen 4.2 */
1287 0 : memcpy (buf + len, dst, outlen);
1288 0 : len += outlen;
1289 : /* 10.1.1.4 hashgen step 4.3 */
1290 0 : if (len < buflen)
1291 0 : drbg_add_buf (src, drbg_statelen (drbg), &prefix, 1);
1292 : }
1293 :
1294 : out:
1295 0 : memset (drbg->scratchpad, 0,
1296 0 : (drbg_statelen (drbg) + drbg_blocklen (drbg)));
1297 0 : return ret;
1298 : }
1299 :
1300 : /* Generate function for Hash DRBG as defined in 10.1.1.4 */
1301 : static gpg_err_code_t
1302 0 : drbg_hash_generate (drbg_state_t drbg,
1303 : unsigned char *buf, unsigned int buflen,
1304 : drbg_string_t *addtl)
1305 : {
1306 0 : gpg_err_code_t ret = 0;
1307 0 : unsigned char prefix = DRBG_PREFIX3;
1308 : drbg_string_t data1, data2;
1309 : union
1310 : {
1311 : unsigned char req[8];
1312 : u64 req_int;
1313 : } u;
1314 :
1315 : /*
1316 : * scratchpad usage: drbg_hash_process_addtl uses the scratchpad, but
1317 : * fully completes before returning. Thus, we can reuse the scratchpad
1318 : */
1319 : /* 10.1.1.4 step 2 */
1320 0 : ret = drbg_hash_process_addtl (drbg, addtl);
1321 0 : if (ret)
1322 0 : return ret;
1323 : /* 10.1.1.4 step 3 -- invocation of the Hashgen function defined in
1324 : * 10.1.1.4 */
1325 0 : ret = drbg_hash_hashgen (drbg, buf, buflen);
1326 0 : if (ret)
1327 0 : return ret;
1328 :
1329 : /* this is the value H as documented in 10.1.1.4 */
1330 0 : memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
1331 : /* 10.1.1.4 step 4 */
1332 0 : drbg_string_fill (&data1, &prefix, 1);
1333 0 : drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg));
1334 0 : data1.next = &data2;
1335 0 : ret = drbg_hmac (drbg, NULL, drbg->scratchpad, &data1);
1336 0 : if (ret)
1337 0 : goto out;
1338 :
1339 : /* 10.1.1.4 step 5 */
1340 0 : drbg_add_buf (drbg->V, drbg_statelen (drbg),
1341 0 : drbg->scratchpad, drbg_blocklen (drbg));
1342 0 : drbg_add_buf (drbg->V, drbg_statelen (drbg), drbg->C,
1343 0 : drbg_statelen (drbg));
1344 0 : u.req_int = be_bswap64 (drbg->reseed_ctr);
1345 0 : drbg_add_buf (drbg->V, drbg_statelen (drbg), u.req,
1346 : sizeof (u.req));
1347 :
1348 : out:
1349 0 : memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
1350 0 : return ret;
1351 : }
1352 :
1353 : /*
1354 : * scratchpad usage: as update and generate are used isolated, both
1355 : * can use the scratchpad
1356 : */
1357 : static struct drbg_state_ops_s drbg_hash_ops = {
1358 : drbg_hash_update,
1359 : drbg_hash_generate
1360 : };
1361 :
1362 : /******************************************************************
1363 : * Functions common for DRBG implementations
1364 : ******************************************************************/
1365 :
1366 : /*
1367 : * Seeding or reseeding of the DRBG
1368 : *
1369 : * @drbg: DRBG state struct
1370 : * @pers: personalization / additional information buffer
1371 : * @reseed: 0 for initial seed process, 1 for reseeding
1372 : *
1373 : * return:
1374 : * 0 on success
1375 : * error value otherwise
1376 : */
1377 : static gpg_err_code_t
1378 2 : drbg_seed (drbg_state_t drbg, drbg_string_t *pers, int reseed)
1379 : {
1380 2 : gpg_err_code_t ret = 0;
1381 2 : unsigned char *entropy = NULL;
1382 2 : size_t entropylen = 0;
1383 : drbg_string_t data1;
1384 :
1385 : /* 9.1 / 9.2 / 9.3.1 step 3 */
1386 2 : if (pers && pers->len > (drbg_max_addtl ()))
1387 : {
1388 : dbg (("DRBG: personalization string too long %lu\n", pers->len));
1389 0 : return GPG_ERR_INV_ARG;
1390 : }
1391 2 : if (drbg->test_data && drbg->test_data->testentropy)
1392 : {
1393 0 : drbg_string_fill (&data1, drbg->test_data->testentropy->buf,
1394 0 : drbg->test_data->testentropy->len);
1395 : dbg (("DRBG: using test entropy\n"));
1396 : }
1397 : else
1398 : {
1399 : /* Gather entropy equal to the security strength of the DRBG.
1400 : * With a derivation function, a nonce is required in addition
1401 : * to the entropy. A nonce must be at least 1/2 of the security
1402 : * strength of the DRBG in size. Thus, entropy * nonce is 3/2
1403 : * of the strength. The consideration of a nonce is only
1404 : * applicable during initial seeding. */
1405 2 : entropylen = drbg_sec_strength (drbg->core->flags);
1406 2 : if (!entropylen)
1407 0 : return GPG_ERR_GENERAL;
1408 2 : if (0 == reseed)
1409 : /* make sure we round up strength/2 in
1410 : * case it is not divisible by 2 */
1411 2 : entropylen = ((entropylen + 1) / 2) * 3;
1412 : dbg (("DRBG: (re)seeding with %lu bytes of entropy\n", entropylen));
1413 2 : entropy = xcalloc_secure (1, entropylen);
1414 2 : if (!entropy)
1415 0 : return GPG_ERR_ENOMEM;
1416 2 : ret = drbg_get_entropy (drbg, entropy, entropylen);
1417 2 : if (ret)
1418 0 : goto out;
1419 2 : drbg_string_fill (&data1, entropy, entropylen);
1420 : }
1421 :
1422 : /* concatenation of entropy with personalization str / addtl input)
1423 : * the variable pers is directly handed by the caller, check its
1424 : * contents whether it is appropriate */
1425 2 : if (pers && pers->buf && 0 < pers->len && NULL == pers->next)
1426 : {
1427 0 : data1.next = pers;
1428 : dbg (("DRBG: using personalization string\n"));
1429 : }
1430 :
1431 2 : ret = drbg->d_ops->update (drbg, &data1, reseed);
1432 : dbg (("DRBG: state updated with seed\n"));
1433 2 : if (ret)
1434 0 : goto out;
1435 2 : drbg->seeded = 1;
1436 : /* 10.1.1.2 / 10.1.1.3 step 5 */
1437 2 : drbg->reseed_ctr = 1;
1438 :
1439 : out:
1440 2 : xfree (entropy);
1441 2 : return ret;
1442 : }
1443 :
1444 :
1445 : /*************************************************************************
1446 : * Exported interfaces.
1447 : *************************************************************************/
1448 :
1449 : /*
1450 : * DRBG generate function as required by SP800-90A - this function
1451 : * generates random numbers
1452 : *
1453 : * @drbg DRBG state handle
1454 : * @buf Buffer where to store the random numbers -- the buffer must already
1455 : * be pre-allocated by caller
1456 : * @buflen Length of output buffer - this value defines the number of random
1457 : * bytes pulled from DRBG
1458 : * @addtl Additional input that is mixed into state, may be NULL -- note
1459 : * the entropy is pulled by the DRBG internally unconditionally
1460 : * as defined in SP800-90A. The additional input is mixed into
1461 : * the state in addition to the pulled entropy.
1462 : *
1463 : * return: Generated number of bytes.
1464 : */
1465 : static gpg_err_code_t
1466 6 : drbg_generate (drbg_state_t drbg,
1467 : unsigned char *buf, unsigned int buflen,
1468 : drbg_string_t *addtl)
1469 : {
1470 6 : gpg_err_code_t ret = GPG_ERR_INV_ARG;
1471 :
1472 6 : if (0 == buflen || !buf)
1473 : {
1474 : dbg (("DRBG: no buffer provided\n"));
1475 0 : return ret;
1476 : }
1477 6 : if (addtl && NULL == addtl->buf && 0 < addtl->len)
1478 : {
1479 : dbg (("DRBG: wrong format of additional information\n"));
1480 0 : return ret;
1481 : }
1482 :
1483 : /* 9.3.1 step 2 */
1484 6 : if (buflen > (drbg_max_request_bytes ()))
1485 : {
1486 : dbg (("DRBG: requested random numbers too large %u\n", buflen));
1487 0 : return ret;
1488 : }
1489 : /* 9.3.1 step 3 is implicit with the chosen DRBG */
1490 : /* 9.3.1 step 4 */
1491 6 : if (addtl && addtl->len > (drbg_max_addtl ()))
1492 : {
1493 : dbg (("DRBG: additional information string too long %lu\n",
1494 : addtl->len));
1495 0 : return ret;
1496 : }
1497 : /* 9.3.1 step 5 is implicit with the chosen DRBG */
1498 : /* 9.3.1 step 6 and 9 supplemented by 9.3.2 step c -- the spec is a
1499 : * bit convoluted here, we make it simpler */
1500 6 : if ((drbg_max_requests ()) < drbg->reseed_ctr)
1501 0 : drbg->seeded = 0;
1502 :
1503 6 : if (drbg->pr || !drbg->seeded)
1504 : {
1505 : dbg (("DRBG: reseeding before generation (prediction resistance: %s, state %s)\n", drbg->pr ? "true" : "false", drbg->seeded ? "seeded" : "unseeded"));
1506 : /* 9.3.1 steps 7.1 through 7.3 */
1507 0 : ret = drbg_seed (drbg, addtl, 1);
1508 0 : if (ret)
1509 0 : return ret;
1510 : /* 9.3.1 step 7.4 */
1511 0 : addtl = NULL;
1512 : }
1513 :
1514 6 : if (addtl && addtl->buf)
1515 : {
1516 : dbg (("DRBG: using additional information string\n"));
1517 : }
1518 :
1519 : /* 9.3.1 step 8 and 10 */
1520 6 : ret = drbg->d_ops->generate (drbg, buf, buflen, addtl);
1521 :
1522 : /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1523 6 : drbg->reseed_ctr++;
1524 6 : if (ret)
1525 0 : return ret;
1526 :
1527 : /* 11.3.3 -- re-perform self tests after some generated random
1528 : * numbers, the chosen value after which self test is performed
1529 : * is arbitrary, but it should be reasonable */
1530 : /* Here we do not perform the self tests because of the following
1531 : * reasons: it is mathematically impossible that the initial self tests
1532 : * were successfully and the following are not. If the initial would
1533 : * pass and the following would not, the system integrity is violated.
1534 : * In this case, the entire system operation is questionable and it
1535 : * is unlikely that the integrity violation only affects to the
1536 : * correct operation of the DRBG.
1537 : */
1538 : #if 0
1539 : if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096))
1540 : {
1541 : dbg (("DRBG: start to perform self test\n"));
1542 : ret = drbg_healthcheck ();
1543 : if (ret)
1544 : {
1545 : log_fatal (("DRBG: self test failed\n"));
1546 : return ret;
1547 : }
1548 : else
1549 : {
1550 : dbg (("DRBG: self test successful\n"));
1551 : }
1552 : }
1553 : #endif
1554 :
1555 6 : return ret;
1556 : }
1557 :
1558 : /*
1559 : * Wrapper around drbg_generate which can pull arbitrary long strings
1560 : * from the DRBG without hitting the maximum request limitation.
1561 : *
1562 : * Parameters: see drbg_generate
1563 : * Return codes: see drbg_generate -- if one drbg_generate request fails,
1564 : * the entire drbg_generate_long request fails
1565 : */
1566 : static gpg_err_code_t
1567 6 : drbg_generate_long (drbg_state_t drbg,
1568 : unsigned char *buf, unsigned int buflen,
1569 : drbg_string_t *addtl)
1570 : {
1571 6 : gpg_err_code_t ret = 0;
1572 6 : unsigned int slice = 0;
1573 6 : unsigned char *buf_p = buf;
1574 6 : unsigned len = 0;
1575 : do
1576 : {
1577 6 : unsigned int chunk = 0;
1578 6 : slice = ((buflen - len) / drbg_max_request_bytes ());
1579 6 : chunk = slice ? drbg_max_request_bytes () : (buflen - len);
1580 6 : ret = drbg_generate (drbg, buf_p, chunk, addtl);
1581 6 : if (ret)
1582 0 : return ret;
1583 6 : buf_p += chunk;
1584 6 : len += chunk;
1585 : }
1586 6 : while (slice > 0 && (len < buflen));
1587 6 : return ret;
1588 : }
1589 :
1590 : /*
1591 : * DRBG uninstantiate function as required by SP800-90A - this function
1592 : * frees all buffers and the DRBG handle
1593 : *
1594 : * @drbg DRBG state handle
1595 : *
1596 : * return
1597 : * 0 on success
1598 : */
1599 : static gpg_err_code_t
1600 0 : drbg_uninstantiate (drbg_state_t drbg)
1601 : {
1602 0 : if (!drbg)
1603 0 : return GPG_ERR_INV_ARG;
1604 0 : xfree (drbg->V);
1605 0 : drbg->V = NULL;
1606 0 : xfree (drbg->C);
1607 0 : drbg->C = NULL;
1608 0 : drbg->reseed_ctr = 0;
1609 0 : xfree (drbg->scratchpad);
1610 0 : drbg->scratchpad = NULL;
1611 0 : drbg->seeded = 0;
1612 0 : drbg->pr = 0;
1613 0 : drbg->seed_init_pid = 0;
1614 0 : return 0;
1615 : }
1616 :
1617 : /*
1618 : * DRBG instantiation function as required by SP800-90A - this function
1619 : * sets up the DRBG handle, performs the initial seeding and all sanity
1620 : * checks required by SP800-90A
1621 : *
1622 : * @drbg memory of state -- if NULL, new memory is allocated
1623 : * @pers Personalization string that is mixed into state, may be NULL -- note
1624 : * the entropy is pulled by the DRBG internally unconditionally
1625 : * as defined in SP800-90A. The additional input is mixed into
1626 : * the state in addition to the pulled entropy.
1627 : * @coreref reference to core
1628 : * @flags Flags defining the requested DRBG type and cipher type. The flags
1629 : * are defined in drbg.h and may be XORed. Beware, if you XOR multiple
1630 : * cipher types together, the code picks the core on a first come first
1631 : * serve basis as it iterates through the available cipher cores and
1632 : * uses the one with the first match. The minimum required flags are:
1633 : * cipher type flag
1634 : *
1635 : * return
1636 : * 0 on success
1637 : * error value otherwise
1638 : */
1639 : static gpg_err_code_t
1640 2 : drbg_instantiate (drbg_state_t drbg,
1641 : drbg_string_t *pers, int coreref, int pr)
1642 : {
1643 2 : gpg_err_code_t ret = GPG_ERR_ENOMEM;
1644 2 : unsigned int sb_size = 0;
1645 :
1646 2 : if (!drbg)
1647 0 : return GPG_ERR_INV_ARG;
1648 :
1649 : dbg (("DRBG: Initializing DRBG core %d with prediction resistance %s\n",
1650 : coreref, pr ? "enabled" : "disabled"));
1651 2 : drbg->core = &drbg_cores[coreref];
1652 2 : drbg->pr = pr;
1653 2 : drbg->seeded = 0;
1654 2 : if (drbg->core->flags & DRBG_HMAC)
1655 2 : drbg->d_ops = &drbg_hmac_ops;
1656 0 : else if (drbg->core->flags & DRBG_HASH_MASK)
1657 0 : drbg->d_ops = &drbg_hash_ops;
1658 0 : else if (drbg->core->flags & DRBG_CTR_MASK)
1659 0 : drbg->d_ops = &drbg_ctr_ops;
1660 : else
1661 0 : return GPG_ERR_GENERAL;
1662 : /* 9.1 step 1 is implicit with the selected DRBG type -- see
1663 : * drbg_sec_strength() */
1664 :
1665 : /* 9.1 step 2 is implicit as caller can select prediction resistance
1666 : * and the flag is copied into drbg->flags --
1667 : * all DRBG types support prediction resistance */
1668 :
1669 : /* 9.1 step 4 is implicit in drbg_sec_strength */
1670 :
1671 : /* no allocation of drbg as this is done by the kernel crypto API */
1672 2 : drbg->V = xcalloc_secure (1, drbg_statelen (drbg));
1673 2 : if (!drbg->V)
1674 0 : goto err;
1675 2 : drbg->C = xcalloc_secure (1, drbg_statelen (drbg));
1676 2 : if (!drbg->C)
1677 0 : goto err;
1678 : /* scratchpad is only generated for CTR and Hash */
1679 2 : if (drbg->core->flags & DRBG_HMAC)
1680 2 : sb_size = 0;
1681 0 : else if (drbg->core->flags & DRBG_CTR_MASK)
1682 0 : sb_size = drbg_statelen (drbg) + drbg_blocklen (drbg) + /* temp */
1683 0 : drbg_statelen (drbg) + /* df_data */
1684 0 : drbg_blocklen (drbg) + /* pad */
1685 0 : drbg_blocklen (drbg) + /* iv */
1686 0 : drbg_statelen (drbg) + drbg_blocklen (drbg); /* temp */
1687 : else
1688 0 : sb_size = drbg_statelen (drbg) + drbg_blocklen (drbg);
1689 :
1690 2 : if (0 < sb_size)
1691 : {
1692 0 : drbg->scratchpad = xcalloc_secure (1, sb_size);
1693 0 : if (!drbg->scratchpad)
1694 0 : goto err;
1695 : }
1696 : dbg (("DRBG: state allocated with scratchpad size %u bytes\n", sb_size));
1697 :
1698 : /* 9.1 step 6 through 11 */
1699 2 : ret = drbg_seed (drbg, pers, 0);
1700 2 : if (ret)
1701 0 : goto err;
1702 :
1703 : dbg (("DRBG: core %d %s prediction resistance successfully initialized\n",
1704 : coreref, pr ? "with" : "without"));
1705 2 : return 0;
1706 :
1707 : err:
1708 0 : drbg_uninstantiate (drbg);
1709 0 : return ret;
1710 : }
1711 :
1712 : /*
1713 : * DRBG reseed function as required by SP800-90A
1714 : *
1715 : * @drbg DRBG state handle
1716 : * @addtl Additional input that is mixed into state, may be NULL -- note
1717 : * the entropy is pulled by the DRBG internally unconditionally
1718 : * as defined in SP800-90A. The additional input is mixed into
1719 : * the state in addition to the pulled entropy.
1720 : *
1721 : * return
1722 : * 0 on success
1723 : * error value otherwise
1724 : */
1725 : static gpg_err_code_t
1726 0 : drbg_reseed (drbg_state_t drbg,drbg_string_t *addtl)
1727 : {
1728 0 : gpg_err_code_t ret = 0;
1729 0 : ret = drbg_seed (drbg, addtl, 1);
1730 0 : return ret;
1731 : }
1732 :
1733 :
1734 :
1735 : /******************************************************************
1736 : * Libgcrypt integration code.
1737 : ******************************************************************/
1738 :
1739 : /***************************************************
1740 : * Libgcrypt backend functions to the RNG API code.
1741 : ***************************************************/
1742 :
1743 : static inline void
1744 12 : drbg_lock (void)
1745 : {
1746 : gpg_err_code_t ec;
1747 :
1748 12 : ec = gpgrt_lock_lock (&drbg_lock_var);
1749 12 : if (ec)
1750 0 : log_fatal ("failed to acquire the RNG lock: %s\n", gpg_strerror (ec));
1751 12 : }
1752 :
1753 : static inline void
1754 12 : drbg_unlock (void)
1755 : {
1756 : gpg_err_code_t ec;
1757 :
1758 12 : ec = gpgrt_lock_unlock (&drbg_lock_var);
1759 12 : if (ec)
1760 0 : log_fatal ("failed to release the RNG lock: %s\n", gpg_strerror (ec));
1761 12 : }
1762 :
1763 : /* Basic initialization is required to initialize mutexes and
1764 : do a few checks on the implementation. */
1765 : static void
1766 8 : basic_initialization (void)
1767 : {
1768 : static int initialized;
1769 :
1770 8 : if (initialized)
1771 14 : return;
1772 2 : initialized = 1;
1773 :
1774 : /* Make sure that we are still using the values we have
1775 : traditionally used for the random levels. */
1776 : gcry_assert (GCRY_WEAK_RANDOM == 0
1777 : && GCRY_STRONG_RANDOM == 1
1778 : && GCRY_VERY_STRONG_RANDOM == 2);
1779 : }
1780 :
1781 : /****** helper functions where lock must be held by caller *****/
1782 :
1783 : /* Check whether given flags are known to point to an applicable DRBG */
1784 : static gpg_err_code_t
1785 2 : drbg_algo_available (u32 flags, int *coreref)
1786 : {
1787 2 : int i = 0;
1788 12 : for (i = 0; ARRAY_SIZE (drbg_cores) > i; i++)
1789 : {
1790 12 : if ((drbg_cores[i].flags & DRBG_CIPHER_MASK) ==
1791 : (flags & DRBG_CIPHER_MASK))
1792 : {
1793 2 : *coreref = i;
1794 2 : return 0;
1795 : }
1796 : }
1797 0 : return GPG_ERR_GENERAL;
1798 : }
1799 :
1800 : static gpg_err_code_t
1801 2 : _drbg_init_internal (u32 flags, drbg_string_t *pers)
1802 : {
1803 : static u32 oldflags;
1804 2 : gpg_err_code_t ret = 0;
1805 2 : int coreref = 0;
1806 2 : int pr = 0;
1807 :
1808 : /* If a caller provides 0 as flags, use the flags of the previous
1809 : * initialization, otherwise use the current flags and remember them
1810 : * for the next invocation. If no flag is given and no global state
1811 : * is set this is the first initialization and we set the default
1812 : * type.
1813 : */
1814 2 : if (!flags && !drbg_state)
1815 2 : flags = oldflags = DRBG_DEFAULT_TYPE;
1816 0 : else if (!flags)
1817 0 : flags = oldflags;
1818 : else
1819 0 : oldflags = flags;
1820 :
1821 2 : ret = drbg_algo_available (flags, &coreref);
1822 2 : if (ret)
1823 0 : return ret;
1824 :
1825 2 : if (drbg_state)
1826 : {
1827 0 : drbg_uninstantiate (drbg_state);
1828 : }
1829 : else
1830 : {
1831 2 : drbg_state = xtrycalloc_secure (1, sizeof *drbg_state);
1832 2 : if (!drbg_state)
1833 0 : return gpg_err_code_from_syserror ();
1834 : }
1835 2 : if (flags & DRBG_PREDICTION_RESIST)
1836 0 : pr = 1;
1837 2 : ret = drbg_instantiate (drbg_state, pers, coreref, pr);
1838 2 : if (ret)
1839 0 : fips_signal_error ("DRBG cannot be initialized");
1840 : else
1841 2 : drbg_state->seed_init_pid = getpid ();
1842 2 : return ret;
1843 : }
1844 :
1845 : /************* calls available to common RNG code **************/
1846 :
1847 : /*
1848 : * Initialize one DRBG invoked by the libgcrypt API
1849 : */
1850 : void
1851 8 : _gcry_rngdrbg_inititialize (int full)
1852 : {
1853 8 : basic_initialization ();
1854 8 : if (!full)
1855 10 : return;
1856 6 : drbg_lock ();
1857 6 : if (!drbg_state)
1858 2 : _drbg_init_internal (0, NULL);
1859 6 : drbg_unlock ();
1860 : }
1861 :
1862 : /*
1863 : * Backend handler function for GCRYCTL_DRBG_REINIT
1864 : *
1865 : * Select a different DRBG type and initialize it.
1866 : * Function checks whether requested DRBG type exists and returns an error in
1867 : * case it does not. In case of an error, the previous instantiated DRBG is
1868 : * left untouched and alive. Thus, in case of an error, a DRBG is always
1869 : * available, even if it is not the chosen one.
1870 : *
1871 : * Re-initialization will be performed in any case regardless whether flags
1872 : * or personalization string are set.
1873 : *
1874 : * If flags is NULL, do not change current DRBG. If PERS is NULL and
1875 : * NPERS is 0, re-initialize without personalization string. If PERS
1876 : * is not NULL NPERS must be one and PERS and the first ietm from the
1877 : * bufer is take as personalization string.
1878 : */
1879 : gpg_err_code_t
1880 0 : _gcry_rngdrbg_reinit (const char *flagstr, gcry_buffer_t *pers, int npers)
1881 : {
1882 : gpg_err_code_t ret;
1883 : unsigned int flags;
1884 :
1885 : /* If PERS is not given we expect NPERS to be zero; if given we
1886 : expect a one-item array. */
1887 0 : if ((!pers && npers) || (pers && npers != 1))
1888 0 : return GPG_ERR_INV_ARG;
1889 :
1890 0 : ret = parse_flag_string (flagstr, &flags);
1891 0 : if (!ret)
1892 : {
1893 : dbg (("DRBG: reinitialize internal DRBG state with flags %u\n", flags));
1894 0 : drbg_lock ();
1895 0 : if (pers)
1896 : {
1897 : drbg_string_t persbuf;
1898 :
1899 0 : drbg_string_fill
1900 0 : (&persbuf, (const unsigned char *)pers[0].data + pers[0].off,
1901 : pers[0].len);
1902 0 : ret = _drbg_init_internal (flags, &persbuf);
1903 : }
1904 : else
1905 0 : ret = _drbg_init_internal (flags, NULL);
1906 0 : drbg_unlock ();
1907 : }
1908 0 : return ret;
1909 : }
1910 :
1911 : /* Try to close the FDs of the random gather module. This is
1912 : * currently only implemented for rndlinux. */
1913 : void
1914 0 : _gcry_rngdrbg_close_fds (void)
1915 : {
1916 : #if USE_RNDLINUX
1917 0 : drbg_lock ();
1918 0 : _gcry_rndlinux_gather_random (NULL, 0, 0, 0);
1919 0 : drbg_unlock ();
1920 : #endif
1921 0 : }
1922 :
1923 : /* Print some statistics about the RNG. */
1924 : void
1925 0 : _gcry_rngdrbg_dump_stats (void)
1926 : {
1927 : /* Not yet implemented. */
1928 : /* Maybe dumping of reseed counter? */
1929 0 : }
1930 :
1931 : /* This function returns true if no real RNG is available or the
1932 : * quality of the RNG has been degraded for test purposes. */
1933 : int
1934 0 : _gcry_rngdrbg_is_faked (void)
1935 : {
1936 0 : return 0; /* Faked random is not allowed. */
1937 : }
1938 :
1939 : /* Add BUFLEN bytes from BUF to the internal random pool. QUALITY
1940 : * should be in the range of 0..100 to indicate the goodness of the
1941 : * entropy added, or -1 for goodness not known. */
1942 : gcry_error_t
1943 0 : _gcry_rngdrbg_add_bytes (const void *buf, size_t buflen, int quality)
1944 : {
1945 0 : gpg_err_code_t ret = 0;
1946 : drbg_string_t seed;
1947 : (void) quality;
1948 0 : _gcry_rngdrbg_inititialize (1); /* Auto-initialize if needed */
1949 0 : if (!drbg_state)
1950 0 : return GPG_ERR_GENERAL;
1951 0 : drbg_string_fill (&seed, (unsigned char *) buf, buflen);
1952 0 : drbg_lock ();
1953 0 : ret = drbg_reseed (drbg_state, &seed);
1954 0 : drbg_unlock ();
1955 0 : return ret;
1956 : }
1957 :
1958 : /* This function is to be used for all types of random numbers, including
1959 : * nonces
1960 : */
1961 : void
1962 6 : _gcry_rngdrbg_randomize (void *buffer, size_t length,
1963 : enum gcry_random_level level)
1964 : {
1965 : (void) level;
1966 6 : _gcry_rngdrbg_inititialize (1); /* Auto-initialize if needed */
1967 6 : drbg_lock ();
1968 6 : if (!drbg_state)
1969 : {
1970 0 : fips_signal_error ("DRBG is not initialized");
1971 0 : goto bailout;
1972 : }
1973 :
1974 : /* As reseeding changes the entire state of the DRBG, including any
1975 : * key, either a re-init or a reseed is sufficient for a fork */
1976 6 : if (drbg_state->seed_init_pid != getpid ())
1977 : {
1978 : /* We are in a child of us. Perform a reseeding. */
1979 0 : if (drbg_reseed (drbg_state, NULL))
1980 : {
1981 0 : fips_signal_error ("reseeding upon fork failed");
1982 0 : log_fatal ("severe error getting random\n");
1983 : goto bailout;
1984 : }
1985 : }
1986 : /* potential integer overflow is covered by drbg_generate which
1987 : * ensures that length cannot overflow an unsigned int */
1988 6 : if (0 < length)
1989 : {
1990 6 : if (!buffer)
1991 0 : goto bailout;
1992 6 : if (drbg_generate_long (drbg_state, buffer, (unsigned int) length, NULL))
1993 0 : log_fatal ("No random numbers generated\n");
1994 : }
1995 : else
1996 : {
1997 0 : drbg_gen_t *data = (drbg_gen_t *)buffer;
1998 : /* catch NULL pointer */
1999 0 : if (!data || !data->outbuf)
2000 : {
2001 0 : fips_signal_error ("No output buffer provided");
2002 0 : goto bailout;
2003 : }
2004 0 : if (drbg_generate_long (drbg_state, data->outbuf, data->outlen,
2005 : data->addtl))
2006 0 : log_fatal ("No random numbers generated\n");
2007 : }
2008 :
2009 : bailout:
2010 6 : drbg_unlock ();
2011 6 : return;
2012 :
2013 : }
2014 :
2015 : /***************************************************************
2016 : * Self-test code
2017 : ***************************************************************/
2018 :
2019 : /*
2020 : * Test vectors from
2021 : * http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgtestvectors.zip
2022 : */
2023 : struct gcry_drbg_test_vector drbg_test_pr[] = {
2024 : {
2025 : /* .flags = */ "sha256 pr" /* DRBG_PR_HASHSHA256 */,
2026 : /* .entropy = */ (unsigned char *)
2027 : "\x5d\xf2\x14\xbc\xf6\xb5\x4e\x0b\xf0\x0d\x6f\x2d"
2028 : "\xe2\x01\x66\x7b\xd0\xa4\x73\xa4\x21\xdd\xb0\xc0"
2029 : "\x51\x79\x09\xf4\xea\xa9\x08\xfa\xa6\x67\xe0\xe1"
2030 : "\xd1\x88\xa8\xad\xee\x69\x74\xb3\x55\x06\x9b\xf6",
2031 : /* .entropylen = */ 48,
2032 : /* .entpra = */ (unsigned char *)
2033 : "\xef\x48\x06\xa2\xc2\x45\xf1\x44\xfa\x34\x2c\xeb"
2034 : "\x8d\x78\x3c\x09\x8f\x34\x72\x20\xf2\xe7\xfd\x13"
2035 : "\x76\x0a\xf6\xdc\x3c\xf5\xc0\x15",
2036 : /* .entprb = */ (unsigned char *)
2037 : "\x4b\xbe\xe5\x24\xed\x6a\x2d\x0c\xdb\x73\x5e\x09"
2038 : "\xf9\xad\x67\x7c\x51\x47\x8b\x6b\x30\x2a\xc6\xde"
2039 : "\x76\xaa\x55\x04\x8b\x0a\x72\x95",
2040 : /* .entprlen = */ 32,
2041 : /* .addtla = */ (unsigned char *)
2042 : "\xbe\x13\xdb\x2a\xe9\xa8\xfe\x09\x97\xe1\xce\x5d"
2043 : "\xe8\xbb\xc0\x7c\x4f\xcb\x62\x19\x3f\x0f\xd2\xad"
2044 : "\xa9\xd0\x1d\x59\x02\xc4\xff\x70",
2045 : /* .addtlb = */ (unsigned char *)
2046 : "\x6f\x96\x13\xe2\xa7\xf5\x6c\xfe\xdf\x66\xe3\x31"
2047 : "\x63\x76\xbf\x20\x27\x06\x49\xf1\xf3\x01\x77\x41"
2048 : "\x9f\xeb\xe4\x38\xfe\x67\x00\xcd",
2049 : /* .addtllen = */ 32,
2050 : /* .pers = */ NULL,
2051 : /* .perslen = */ 0,
2052 : /* .expected = */ (unsigned char *)
2053 : "\x3b\x14\x71\x99\xa1\xda\xa0\x42\xe6\xc8\x85\x32"
2054 : "\x70\x20\x32\x53\x9a\xbe\xd1\x1e\x15\xef\xfb\x4c"
2055 : "\x25\x6e\x19\x3a\xf0\xb9\xcb\xde\xf0\x3b\xc6\x18"
2056 : "\x4d\x85\x5a\x9b\xf1\xe3\xc2\x23\x03\x93\x08\xdb"
2057 : "\xa7\x07\x4b\x33\x78\x40\x4d\xeb\x24\xf5\x6e\x81"
2058 : "\x4a\x1b\x6e\xa3\x94\x52\x43\xb0\xaf\x2e\x21\xf4"
2059 : "\x42\x46\x8e\x90\xed\x34\x21\x75\xea\xda\x67\xb6"
2060 : "\xe4\xf6\xff\xc6\x31\x6c\x9a\x5a\xdb\xb3\x97\x13"
2061 : "\x09\xd3\x20\x98\x33\x2d\x6d\xd7\xb5\x6a\xa8\xa9"
2062 : "\x9a\x5b\xd6\x87\x52\xa1\x89\x2b\x4b\x9c\x64\x60"
2063 : "\x50\x47\xa3\x63\x81\x16\xaf\x19",
2064 : /* .expectedlen = */ 128,
2065 : /* .entropyreseed = */ NULL,
2066 : /* .entropyreseed_len = */ 0,
2067 : /* .addtl_reseed = */ NULL,
2068 : /* .addtl_reseed_len = */ 0
2069 : },
2070 : {
2071 : /* flags = */ "hmac sha256 pr" /* DRBG_PR_HMACSHA256 */,
2072 : /* .entropy = */ (unsigned char *)
2073 : "\x13\x54\x96\xfc\x1b\x7d\x28\xf3\x18\xc9\xa7\x89"
2074 : "\xb6\xb3\xc8\x72\xac\x00\xd4\x59\x36\x25\x05\xaf"
2075 : "\xa5\xdb\x96\xcb\x3c\x58\x46\x87\xa5\xaa\xbf\x20"
2076 : "\x3b\xfe\x23\x0e\xd1\xc7\x41\x0f\x3f\xc9\xb3\x67",
2077 : /* .entropylen = */ 48,
2078 : /* .entpra = */ (unsigned char *)
2079 : "\xe2\xbd\xb7\x48\x08\x06\xf3\xe1\x93\x3c\xac\x79"
2080 : "\xa7\x2b\x11\xda\xe3\x2e\xe1\x91\xa5\x02\x19\x57"
2081 : "\x20\x28\xad\xf2\x60\xd7\xcd\x45",
2082 : /* .entprb = */ (unsigned char *)
2083 : "\x8b\xd4\x69\xfc\xff\x59\x95\x95\xc6\x51\xde\x71"
2084 : "\x68\x5f\xfc\xf9\x4a\xab\xec\x5a\xcb\xbe\xd3\x66"
2085 : "\x1f\xfa\x74\xd3\xac\xa6\x74\x60",
2086 : /* .entprlen = */ 32,
2087 : /* .addtla = */ NULL,
2088 : /* .addtlb = */ NULL,
2089 : /* .addtllen = */ 0,
2090 : /* .pers = */ (unsigned char *)
2091 : "\x64\xb6\xfc\x60\xbc\x61\x76\x23\x6d\x3f\x4a\x0f"
2092 : "\xe1\xb4\xd5\x20\x9e\x70\xdd\x03\x53\x6d\xbf\xce"
2093 : "\xcd\x56\x80\xbc\xb8\x15\xc8\xaa",
2094 : /* .perslen = */ 32,
2095 : /* .expected = */ (unsigned char *)
2096 : "\x1f\x9e\xaf\xe4\xd2\x46\xb7\x47\x41\x4c\x65\x99"
2097 : "\x01\xe9\x3b\xbb\x83\x0c\x0a\xb0\xc1\x3a\xe2\xb3"
2098 : "\x31\x4e\xeb\x93\x73\xee\x0b\x26\xc2\x63\xa5\x75"
2099 : "\x45\x99\xd4\x5c\x9f\xa1\xd4\x45\x87\x6b\x20\x61"
2100 : "\x40\xea\x78\xa5\x32\xdf\x9e\x66\x17\xaf\xb1\x88"
2101 : "\x9e\x2e\x23\xdd\xc1\xda\x13\x97\x88\xa5\xb6\x5e"
2102 : "\x90\x14\x4e\xef\x13\xab\x5c\xd9\x2c\x97\x9e\x7c"
2103 : "\xd7\xf8\xce\xea\x81\xf5\xcd\x71\x15\x49\x44\xce"
2104 : "\x83\xb6\x05\xfb\x7d\x30\xb5\x57\x2c\x31\x4f\xfc"
2105 : "\xfe\x80\xb6\xc0\x13\x0c\x5b\x9b\x2e\x8f\x3d\xfc"
2106 : "\xc2\xa3\x0c\x11\x1b\x80\x5f\xf3",
2107 : /* .expectedlen = */ 128,
2108 : /* .entropyreseed = */ NULL,
2109 : /* .entropyreseed_len = */ 0,
2110 : /* .addtl_reseed = */ NULL,
2111 : /* .addtl_reseed_len = */ 0
2112 : },
2113 : {
2114 : /* .flags = */ "aes sym128 pr", /* DRBG_PR_CTRAES128 */
2115 : /* .entropy = */ (unsigned char *)
2116 : "\x92\x89\x8f\x31\xfa\x1c\xff\x6d\x18\x2f\x26\x06"
2117 : "\x43\xdf\xf8\x18\xc2\xa4\xd9\x72\xc3\xb9\xb6\x97",
2118 : /* .entropylen = */ 24,
2119 : /* .entpra = */ (unsigned char *)
2120 : "\x20\x72\x8a\x06\xf8\x6f\x8d\xd4\x41\xe2\x72\xb7"
2121 : "\xc4\x2c\xe8\x10",
2122 : /* .entprb = */ (unsigned char *)
2123 : "\x3d\xb0\xf0\x94\xf3\x05\x50\x33\x17\x86\x3e\x22"
2124 : "\x08\xf7\xa5\x01",
2125 : /* .entprlen = */ 16,
2126 : /* .addtla = */ (unsigned char *)
2127 : "\x1a\x40\xfa\xe3\xcc\x6c\x7c\xa0\xf8\xda\xba\x59"
2128 : "\x23\x6d\xad\x1d",
2129 : /* .addtlb = */ (unsigned char *)
2130 : "\x9f\x72\x76\x6c\xc7\x46\xe5\xed\x2e\x53\x20\x12"
2131 : "\xbc\x59\x31\x8c",
2132 : /* .addtllen = */ 16,
2133 : /* .pers = */ (unsigned char *)
2134 : "\xea\x65\xee\x60\x26\x4e\x7e\xb6\x0e\x82\x68\xc4"
2135 : "\x37\x3c\x5c\x0b",
2136 : /* .perslen = */ 16,
2137 : /* .expected = */ (unsigned char *)
2138 : "\x5a\x35\x39\x87\x0f\x4d\x22\xa4\x09\x24\xee\x71"
2139 : "\xc9\x6f\xac\x72\x0a\xd6\xf0\x88\x82\xd0\x83\x28"
2140 : "\x73\xec\x3f\x93\xd8\xab\x45\x23\xf0\x7e\xac\x45"
2141 : "\x14\x5e\x93\x9f\xb1\xd6\x76\x43\x3d\xb6\xe8\x08"
2142 : "\x88\xf6\xda\x89\x08\x77\x42\xfe\x1a\xf4\x3f\xc4"
2143 : "\x23\xc5\x1f\x68",
2144 : /* .expectedlen = */ 64,
2145 : /* .entropyreseed = */ NULL,
2146 : /* .entropyreseed_len = */ 0,
2147 : /* .addtl_reseed = */ NULL,
2148 : /* .addtl_reseed_len = */ 0
2149 : }
2150 : };
2151 :
2152 : struct gcry_drbg_test_vector drbg_test_nopr[] = {
2153 : {
2154 : /* .flags = */ "sha256" /* DRBG_NOPR_HASHSHA256 */,
2155 : /* .entropy = */ (unsigned char *)
2156 : "\x73\xd3\xfb\xa3\x94\x5f\x2b\x5f\xb9\x8f\xf6\x9c"
2157 : "\x8a\x93\x17\xae\x19\xc3\x4c\xc3\xd6\xca\xa3\x2d"
2158 : "\x16\xfc\x42\xd2\x2d\xd5\x6f\x56\xcc\x1d\x30\xff"
2159 : "\x9e\x06\x3e\x09\xce\x58\xe6\x9a\x35\xb3\xa6\x56",
2160 : /* .entropylen = */ 48,
2161 : /* .entpra = */ NULL,
2162 : /* .entprb = */ NULL,
2163 : /* .entprlen = */ 0,
2164 : /* .addtla = */ (unsigned char *)
2165 : "\xf4\xd5\x98\x3d\xa8\xfc\xfa\x37\xb7\x54\x67\x73"
2166 : "\xc7\xc3\xdd\x47\x34\x71\x02\x5d\xc1\xa0\xd3\x10"
2167 : "\xc1\x8b\xbd\xf5\x66\x34\x6f\xdd",
2168 : /* .addtlb = */ (unsigned char *)
2169 : "\xf7\x9e\x6a\x56\x0e\x73\xe9\xd9\x7a\xd1\x69\xe0"
2170 : "\x6f\x8c\x55\x1c\x44\xd1\xce\x6f\x28\xcc\xa4\x4d"
2171 : "\xa8\xc0\x85\xd1\x5a\x0c\x59\x40",
2172 : /* .addtllen = */ 32,
2173 : /* .pers = */ NULL,
2174 : /* .perslen = */ 0,
2175 : /* .expected = */ (unsigned char *)
2176 : "\x71\x7b\x93\x46\x1a\x40\xaa\x35\xa4\xaa\xc5\xe7"
2177 : "\x6d\x5b\x5b\x8a\xa0\xdf\x39\x7d\xae\x71\x58\x5b"
2178 : "\x3c\x7c\xb4\xf0\x89\xfa\x4a\x8c\xa9\x5c\x54\xc0"
2179 : "\x40\xdf\xbc\xce\x26\x81\x34\xf8\xba\x7d\x1c\xe8"
2180 : "\xad\x21\xe0\x74\xcf\x48\x84\x30\x1f\xa1\xd5\x4f"
2181 : "\x81\x42\x2f\xf4\xdb\x0b\x23\xf8\x73\x27\xb8\x1d"
2182 : "\x42\xf8\x44\x58\xd8\x5b\x29\x27\x0a\xf8\x69\x59"
2183 : "\xb5\x78\x44\xeb\x9e\xe0\x68\x6f\x42\x9a\xb0\x5b"
2184 : "\xe0\x4e\xcb\x6a\xaa\xe2\xd2\xd5\x33\x25\x3e\xe0"
2185 : "\x6c\xc7\x6a\x07\xa5\x03\x83\x9f\xe2\x8b\xd1\x1c"
2186 : "\x70\xa8\x07\x59\x97\xeb\xf6\xbe",
2187 : /* .expectedlen = */ 128,
2188 : /* .entropyreseed = */ NULL,
2189 : /* .entropyreseed_len = */ 0,
2190 : /* .addtl_reseed = */ NULL,
2191 : /* .addtl_reseed_len = */ 0
2192 : },
2193 : {
2194 : /* .flags = */ "hmac sha256" /* DRBG_NOPR_HMACSHA256 */,
2195 : /* .entropy = */ (unsigned char *)
2196 : "\x8d\xf0\x13\xb4\xd1\x03\x52\x30\x73\x91\x7d\xdf"
2197 : "\x6a\x86\x97\x93\x05\x9e\x99\x43\xfc\x86\x54\x54"
2198 : "\x9e\x7a\xb2\x2f\x7c\x29\xf1\x22\xda\x26\x25\xaf"
2199 : "\x2d\xdd\x4a\xbc\xce\x3c\xf4\xfa\x46\x59\xd8\x4e",
2200 : /* .entropylen = */ 48,
2201 : /* .entpra = */ NULL,
2202 : /* .entprb = */ NULL,
2203 : /* .entprlen = */ 0,
2204 : /* .addtla = */ NULL,
2205 : /* .addtlb = */ NULL,
2206 : /* .addtllen = */ 0,
2207 : /* .pers = */ (unsigned char *)
2208 : "\xb5\x71\xe6\x6d\x7c\x33\x8b\xc0\x7b\x76\xad\x37"
2209 : "\x57\xbb\x2f\x94\x52\xbf\x7e\x07\x43\x7a\xe8\x58"
2210 : "\x1c\xe7\xbc\x7c\x3a\xc6\x51\xa9",
2211 : /* .perslen = */ 32,
2212 : /* .expected = */ (unsigned char *)
2213 : "\xb9\x1c\xba\x4c\xc8\x4f\xa2\x5d\xf8\x61\x0b\x81"
2214 : "\xb6\x41\x40\x27\x68\xa2\x09\x72\x34\x93\x2e\x37"
2215 : "\xd5\x90\xb1\x15\x4c\xbd\x23\xf9\x74\x52\xe3\x10"
2216 : "\xe2\x91\xc4\x51\x46\x14\x7f\x0d\xa2\xd8\x17\x61"
2217 : "\xfe\x90\xfb\xa6\x4f\x94\x41\x9c\x0f\x66\x2b\x28"
2218 : "\xc1\xed\x94\xda\x48\x7b\xb7\xe7\x3e\xec\x79\x8f"
2219 : "\xbc\xf9\x81\xb7\x91\xd1\xbe\x4f\x17\x7a\x89\x07"
2220 : "\xaa\x3c\x40\x16\x43\xa5\xb6\x2b\x87\xb8\x9d\x66"
2221 : "\xb3\xa6\x0e\x40\xd4\xa8\xe4\xe9\xd8\x2a\xf6\xd2"
2222 : "\x70\x0e\x6f\x53\x5c\xdb\x51\xf7\x5c\x32\x17\x29"
2223 : "\x10\x37\x41\x03\x0c\xcc\x3a\x56",
2224 : /* .expectedlen = */ 128,
2225 : /* .entropyreseed = */ NULL,
2226 : /* .entropyreseed_len = */ 0,
2227 : /* .addtl_reseed = */ NULL,
2228 : /* .addtl_reseed_len = */ 0
2229 : },
2230 : {
2231 : /* .flags = */ "aes sym128" /* DRBG_NOPR_CTRAES128 */,
2232 : /* .entropy = */ (unsigned char *)
2233 : "\xc0\x70\x1f\x92\x50\x75\x8f\xcd\xf2\xbe\x73\x98"
2234 : "\x80\xdb\x66\xeb\x14\x68\xb4\xa5\x87\x9c\x2d\xa6",
2235 : /* .entropylen = */ 24,
2236 : /* .entpra = */ NULL,
2237 : /* .entprb = */ NULL,
2238 : /* .entprlen = */ 0,
2239 : /* .addtla = */ (unsigned char *)
2240 : "\xf9\x01\xf8\x16\x7a\x1d\xff\xde\x8e\x3c\x83\xe2"
2241 : "\x44\x85\xe7\xfe",
2242 : /* .addtlb = */ (unsigned char *)
2243 : "\x17\x1c\x09\x38\xc2\x38\x9f\x97\x87\x60\x55\xb4"
2244 : "\x82\x16\x62\x7f",
2245 : /* .addtllen = */ 16,
2246 : /* .pers = */ (unsigned char *)
2247 : "\x80\x08\xae\xe8\xe9\x69\x40\xc5\x08\x73\xc7\x9f"
2248 : "\x8e\xcf\xe0\x02",
2249 : /* .perslen = */ 16,
2250 : /* .expected = */ (unsigned char *)
2251 : "\x97\xc0\xc0\xe5\xa0\xcc\xf2\x4f\x33\x63\x48\x8a"
2252 : "\xdb\x13\x0a\x35\x89\xbf\x80\x65\x62\xee\x13\x95"
2253 : "\x7c\x33\xd3\x7d\xf4\x07\x77\x7a\x2b\x65\x0b\x5f"
2254 : "\x45\x5c\x13\xf1\x90\x77\x7f\xc5\x04\x3f\xcc\x1a"
2255 : "\x38\xf8\xcd\x1b\xbb\xd5\x57\xd1\x4a\x4c\x2e\x8a"
2256 : "\x2b\x49\x1e\x5c",
2257 : /* .expectedlen = */ 64,
2258 : /* .entropyreseed = */ NULL,
2259 : /* .entropyreseed_len = */ 0,
2260 : /* .addtl_reseed = */ NULL,
2261 : /* .addtl_reseed_len = */ 0
2262 : },
2263 : {
2264 : /* .flags = */ "sha1" /* DRBG_NOPR_HASHSHA1 */,
2265 : /* .entropy = */ (unsigned char *)
2266 : "\x16\x10\xb8\x28\xcc\xd2\x7d\xe0\x8c\xee\xa0\x32"
2267 : "\xa2\x0e\x92\x08\x49\x2c\xf1\x70\x92\x42\xf6\xb5",
2268 : /* .entropylen = */ 24,
2269 : /* .entpra = */ NULL,
2270 : /* .entprb = */ NULL,
2271 : /* .entprlen = */ 0,
2272 : /* .addtla = */ NULL,
2273 : /* .addtlb = */ NULL,
2274 : /* .addtllen = */ 0,
2275 : /* .pers = */ NULL,
2276 : /* .perslen = */ 0,
2277 : /* .expected = */ (unsigned char *)
2278 : "\x56\xf3\x3d\x4f\xdb\xb9\xa5\xb6\x4d\x26\x23\x44"
2279 : "\x97\xe9\xdc\xb8\x77\x98\xc6\x8d\x08\xf7\xc4\x11"
2280 : "\x99\xd4\xbd\xdf\x97\xeb\xbf\x6c\xb5\x55\x0e\x5d"
2281 : "\x14\x9f\xf4\xd5\xbd\x0f\x05\xf2\x5a\x69\x88\xc1"
2282 : "\x74\x36\x39\x62\x27\x18\x4a\xf8\x4a\x56\x43\x35"
2283 : "\x65\x8e\x2f\x85\x72\xbe\xa3\x33\xee\xe2\xab\xff"
2284 : "\x22\xff\xa6\xde\x3e\x22\xac\xa2",
2285 : /* .expectedlen = */ 80,
2286 : /* .entropyreseed = */ (unsigned char *)
2287 : "\x72\xd2\x8c\x90\x8e\xda\xf9\xa4\xd1\xe5\x26\xd8"
2288 : "\xf2\xde\xd5\x44",
2289 : /* .entropyreseed_len = */ 16,
2290 : /* .addtl_reseed = */ NULL,
2291 : /* .addtl_reseed_len = */ 0
2292 : },
2293 : {
2294 : /* .flags = */ "sha1" /* DRBG_NOPR_HASHSHA1 */,
2295 : /* .entropy = */ (unsigned char *)
2296 : "\xd9\xba\xb5\xce\xdc\xa9\x6f\x61\x78\xd6\x45\x09"
2297 : "\xa0\xdf\xdc\x5e\xda\xd8\x98\x94\x14\x45\x0e\x01",
2298 : /* .entropylen = */ 24,
2299 : /* .entpra = */ NULL,
2300 : /* .entprb = */ NULL,
2301 : /* .entprlen = */ 0,
2302 : /* .addtla = */ (unsigned char *)
2303 : "\x04\xfa\x28\x95\xaa\x5a\x6f\x8c\x57\x43\x34\x3b"
2304 : "\x80\x5e\x5e\xa4",
2305 : /* .addtlb = */ (unsigned char *)
2306 : "\xdf\x5d\xc4\x59\xdf\xf0\x2a\xa2\xf0\x52\xd7\x21"
2307 : "\xec\x60\x72\x30",
2308 : /* .addtllen = */ 16,
2309 : /* .pers = */ NULL,
2310 : /* .perslen = */ 0,
2311 : /* .expected = */ (unsigned char *)
2312 : "\xc4\x8b\x89\xf9\xda\x3f\x74\x82\x45\x55\x5d\x5d"
2313 : "\x03\x3b\x69\x3d\xd7\x1a\x4d\xf5\x69\x02\x05\xce"
2314 : "\xfc\xd7\x20\x11\x3c\xc2\x4e\x09\x89\x36\xff\x5e"
2315 : "\x77\xb5\x41\x53\x58\x70\xb3\x39\x46\x8c\xdd\x8d"
2316 : "\x6f\xaf\x8c\x56\x16\x3a\x70\x0a\x75\xb2\x3e\x59"
2317 : "\x9b\x5a\xec\xf1\x6f\x3b\xaf\x6d\x5f\x24\x19\x97"
2318 : "\x1f\x24\xf4\x46\x72\x0f\xea\xbe",
2319 : /* .expectedlen = */ 80,
2320 : /* .entropyreseed = */ (unsigned char *)
2321 : "\xc6\xba\xd0\x74\xc5\x90\x67\x86\xf5\xe1\xf3\x20"
2322 : "\x99\xf5\xb4\x91",
2323 : /* .entropyreseed_len = */ 16,
2324 : /* .addtl_reseed = */ (unsigned char *)
2325 : "\x3e\x6b\xf4\x6f\x4d\xaa\x38\x25\xd7\x19\x4e\x69"
2326 : "\x4e\x77\x52\xf7",
2327 : /* .addtl_reseed_len = */ 16
2328 : }
2329 : };
2330 :
2331 :
2332 : /*
2333 : * Tests implement the CAVS test approach as documented in
2334 : * http://csrc.nist.gov/groups/STM/cavp/documents/drbg/DRBGVS.pdf
2335 : */
2336 :
2337 : /*
2338 : * CAVS test
2339 : *
2340 : * This function is not static as it is needed for as a private API
2341 : * call for the CAVS test tool.
2342 : */
2343 : gpg_err_code_t
2344 0 : _gcry_rngdrbg_cavs_test (struct gcry_drbg_test_vector *test, unsigned char *buf)
2345 : {
2346 0 : gpg_err_code_t ret = 0;
2347 0 : drbg_state_t drbg = NULL;
2348 : struct drbg_test_data_s test_data;
2349 : drbg_string_t addtl, pers, testentropy;
2350 0 : int coreref = 0;
2351 0 : int pr = 0;
2352 : u32 flags;
2353 :
2354 0 : ret = parse_flag_string (test->flagstr, &flags);
2355 0 : if (ret)
2356 0 : goto outbuf;
2357 :
2358 0 : ret = drbg_algo_available (flags, &coreref);
2359 0 : if (ret)
2360 0 : goto outbuf;
2361 :
2362 0 : drbg = xtrycalloc_secure (1, sizeof *drbg);
2363 0 : if (!drbg)
2364 : {
2365 0 : ret = gpg_err_code_from_syserror ();
2366 0 : goto outbuf;
2367 : }
2368 :
2369 0 : if ((flags & DRBG_PREDICTION_RESIST))
2370 0 : pr = 1;
2371 :
2372 0 : test_data.testentropy = &testentropy;
2373 0 : drbg_string_fill (&testentropy, test->entropy, test->entropylen);
2374 0 : drbg->test_data = &test_data;
2375 0 : drbg_string_fill (&pers, test->pers, test->perslen);
2376 0 : ret = drbg_instantiate (drbg, &pers, coreref, pr);
2377 0 : if (ret)
2378 0 : goto outbuf;
2379 :
2380 0 : if (test->entropyreseed)
2381 : {
2382 0 : drbg_string_fill (&testentropy, test->entropyreseed,
2383 : test->entropyreseed_len);
2384 0 : drbg_string_fill (&addtl, test->addtl_reseed,
2385 : test->addtl_reseed_len);
2386 0 : if (drbg_reseed (drbg, &addtl))
2387 0 : goto outbuf;
2388 : }
2389 :
2390 0 : drbg_string_fill (&addtl, test->addtla, test->addtllen);
2391 0 : if (test->entpra)
2392 : {
2393 0 : drbg_string_fill (&testentropy, test->entpra, test->entprlen);
2394 0 : drbg->test_data = &test_data;
2395 : }
2396 0 : drbg_generate_long (drbg, buf, test->expectedlen, &addtl);
2397 :
2398 0 : drbg_string_fill (&addtl, test->addtlb, test->addtllen);
2399 0 : if (test->entprb)
2400 : {
2401 0 : drbg_string_fill (&testentropy, test->entprb, test->entprlen);
2402 0 : drbg->test_data = &test_data;
2403 : }
2404 0 : drbg_generate_long (drbg, buf, test->expectedlen, &addtl);
2405 0 : drbg_uninstantiate (drbg);
2406 :
2407 : outbuf:
2408 0 : xfree (drbg);
2409 0 : return ret;
2410 : }
2411 :
2412 : /*
2413 : * Invoke the CAVS test and perform the final check whether the
2414 : * calculated random value matches the expected one.
2415 : *
2416 : * This function is not static as it is needed for as a private API
2417 : * call for the CAVS test tool.
2418 : */
2419 : gpg_err_code_t
2420 0 : _gcry_rngdrbg_healthcheck_one (struct gcry_drbg_test_vector * test)
2421 : {
2422 0 : gpg_err_code_t ret = GPG_ERR_ENOMEM;
2423 0 : unsigned char *buf = xcalloc_secure (1, test->expectedlen);
2424 0 : if (!buf)
2425 0 : return GPG_ERR_ENOMEM;
2426 :
2427 0 : ret = _gcry_rngdrbg_cavs_test (test, buf);
2428 : /* FIXME: The next line is wrong. */
2429 0 : ret = memcmp (test->expected, buf, test->expectedlen);
2430 :
2431 0 : xfree (buf);
2432 0 : return ret;
2433 : }
2434 :
2435 : /*
2436 : * Tests as defined in 11.3.2 in addition to the cipher tests: testing
2437 : * of the error handling.
2438 : *
2439 : * Note, testing the reseed counter is not done as an automatic reseeding
2440 : * is performed in drbg_generate when the reseed counter is too large.
2441 : */
2442 : static gpg_err_code_t
2443 0 : drbg_healthcheck_sanity (struct gcry_drbg_test_vector *test)
2444 : {
2445 0 : unsigned int len = 0;
2446 0 : drbg_state_t drbg = NULL;
2447 0 : gpg_err_code_t ret = GPG_ERR_GENERAL;
2448 0 : gpg_err_code_t tmpret = GPG_ERR_GENERAL;
2449 : struct drbg_test_data_s test_data;
2450 : drbg_string_t addtl, testentropy;
2451 0 : int coreref = 0;
2452 0 : unsigned char *buf = NULL;
2453 : size_t max_addtllen, max_request_bytes;
2454 : u32 flags;
2455 :
2456 : /* only perform test in FIPS mode */
2457 0 : if (0 == fips_mode ())
2458 0 : return 0;
2459 :
2460 0 : ret = parse_flag_string (test->flagstr, &flags);
2461 0 : if (ret)
2462 0 : return ret;
2463 0 : ret = GPG_ERR_GENERAL; /* Fixme: Improve handling of RET. */
2464 :
2465 0 : buf = xtrycalloc_secure (1, test->expectedlen);
2466 0 : if (!buf)
2467 0 : return gpg_err_code_from_syserror ();
2468 0 : tmpret = drbg_algo_available (flags, &coreref);
2469 0 : if (tmpret)
2470 0 : goto outbuf;
2471 0 : drbg = xtrycalloc_secure (1, sizeof *drbg);
2472 0 : if (!drbg)
2473 : {
2474 0 : ret = gpg_err_code_from_syserror ();
2475 0 : goto outbuf;
2476 : }
2477 :
2478 : /* if the following tests fail, it is likely that there is a buffer
2479 : * overflow and we get a SIGSEV */
2480 0 : ret = drbg_instantiate (drbg, NULL, coreref, 1);
2481 0 : if (ret)
2482 0 : goto outbuf;
2483 0 : max_addtllen = drbg_max_addtl ();
2484 0 : max_request_bytes = drbg_max_request_bytes ();
2485 : /* overflow addtllen with additonal info string */
2486 0 : drbg_string_fill (&addtl, test->addtla, (max_addtllen + 1));
2487 0 : len = drbg_generate (drbg, buf, test->expectedlen, &addtl);
2488 0 : if (len)
2489 0 : goto outdrbg;
2490 :
2491 : /* overflow max_bits */
2492 0 : len = drbg_generate (drbg, buf, (max_request_bytes + 1), NULL);
2493 0 : if (len)
2494 0 : goto outdrbg;
2495 0 : drbg_uninstantiate (drbg);
2496 :
2497 : /* test failing entropy source as defined in 11.3.2 */
2498 0 : test_data.testentropy = NULL;
2499 0 : test_data.fail_seed_source = 1;
2500 0 : drbg->test_data = &test_data;
2501 0 : tmpret = drbg_instantiate (drbg, NULL, coreref, 0);
2502 0 : if (!tmpret)
2503 0 : goto outdrbg;
2504 0 : test_data.fail_seed_source = 0;
2505 :
2506 0 : test_data.testentropy = &testentropy;
2507 0 : drbg_string_fill (&testentropy, test->entropy, test->entropylen);
2508 : /* overflow max addtllen with personalization string */
2509 0 : tmpret = drbg_instantiate (drbg, &addtl, coreref, 0);
2510 0 : if (!tmpret)
2511 0 : goto outdrbg;
2512 :
2513 : dbg (("DRBG: Sanity tests for failure code paths successfully completed\n"));
2514 0 : ret = 0;
2515 :
2516 : outdrbg:
2517 0 : drbg_uninstantiate (drbg);
2518 : outbuf:
2519 0 : xfree (buf);
2520 0 : xfree (drbg);
2521 0 : return ret;
2522 : }
2523 :
2524 : /*
2525 : * DRBG Healthcheck function as required in SP800-90A
2526 : *
2527 : * return:
2528 : * 0 on success (all tests pass)
2529 : * >0 on error (return code indicate the number of failures)
2530 : */
2531 : static int
2532 0 : drbg_healthcheck (void)
2533 : {
2534 0 : int ret = 0;
2535 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[0]);
2536 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[1]);
2537 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[2]);
2538 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[3]);
2539 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[4]);
2540 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[0]);
2541 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[1]);
2542 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[2]);
2543 0 : ret += drbg_healthcheck_sanity (&drbg_test_nopr[0]);
2544 0 : return ret;
2545 : }
2546 :
2547 : /* Run the self-tests. */
2548 : gcry_error_t
2549 0 : _gcry_rngdrbg_selftest (selftest_report_func_t report)
2550 : {
2551 : gcry_err_code_t ec;
2552 0 : const char *errtxt = NULL;
2553 0 : drbg_lock ();
2554 0 : if (0 != drbg_healthcheck ())
2555 0 : errtxt = "RNG output does not match known value";
2556 0 : drbg_unlock ();
2557 0 : if (report && errtxt)
2558 0 : report ("random", 0, "KAT", errtxt);
2559 0 : ec = errtxt ? GPG_ERR_SELFTEST_FAILED : 0;
2560 0 : return gpg_error (ec);
2561 : }
2562 :
2563 : /***************************************************************
2564 : * Cipher invocations requested by DRBG
2565 : ***************************************************************/
2566 :
2567 : static gpg_err_code_t
2568 26 : drbg_hmac (drbg_state_t drbg, const unsigned char *key,
2569 : unsigned char *outval, const drbg_string_t *buf)
2570 : {
2571 : gpg_error_t err;
2572 : gcry_md_hd_t hd;
2573 :
2574 26 : if (key)
2575 : {
2576 26 : err =
2577 26 : _gcry_md_open (&hd, drbg->core->backend_cipher, GCRY_MD_FLAG_HMAC);
2578 26 : if (err)
2579 0 : return err;
2580 26 : err = _gcry_md_setkey (hd, key, drbg_statelen (drbg));
2581 26 : if (err)
2582 0 : return err;
2583 : }
2584 : else
2585 : {
2586 0 : err = _gcry_md_open (&hd, drbg->core->backend_cipher, 0);
2587 0 : if (err)
2588 0 : return err;
2589 : }
2590 66 : for (; NULL != buf; buf = buf->next)
2591 40 : _gcry_md_write (hd, buf->buf, buf->len);
2592 26 : _gcry_md_final (hd);
2593 26 : memcpy (outval, _gcry_md_read (hd, drbg->core->backend_cipher),
2594 26 : drbg_blocklen (drbg));
2595 26 : _gcry_md_close (hd);
2596 26 : return 0;
2597 : }
2598 :
2599 : static gpg_err_code_t
2600 0 : drbg_sym (drbg_state_t drbg, const unsigned char *key,
2601 : unsigned char *outval, const drbg_string_t *buf)
2602 : {
2603 : gpg_error_t err;
2604 : gcry_cipher_hd_t hd;
2605 :
2606 0 : err = _gcry_cipher_open (&hd, drbg->core->backend_cipher,
2607 : GCRY_CIPHER_MODE_ECB, 0);
2608 0 : if (err)
2609 0 : return err;
2610 0 : if (drbg_blocklen (drbg) !=
2611 0 : _gcry_cipher_get_algo_blklen (drbg->core->backend_cipher))
2612 0 : return -GPG_ERR_NO_ERROR;
2613 0 : if (drbg_blocklen (drbg) < buf->len)
2614 0 : return -GPG_ERR_NO_ERROR;
2615 0 : err = _gcry_cipher_setkey (hd, key, drbg_keylen (drbg));
2616 0 : if (err)
2617 0 : return err;
2618 : /* in is only component */
2619 0 : _gcry_cipher_encrypt (hd, outval, drbg_blocklen (drbg), buf->buf,
2620 : buf->len);
2621 0 : _gcry_cipher_close (hd);
2622 0 : return 0;
2623 : }
|