Line data Source code
1 : /* random-drbg.c - Deterministic Random Bits Generator
2 : * Copyright 2014 Stephan Mueller <smueller@chronox.de>
3 : *
4 : * DRBG: Deterministic Random Bits Generator
5 : * Based on NIST Recommended DRBG from NIST SP800-90A with the following
6 : * properties:
7 : * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores
8 : * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
9 : * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
10 : * * with and without prediction resistance
11 : *
12 : * Redistribution and use in source and binary forms, with or without
13 : * modification, are permitted provided that the following conditions
14 : * are met:
15 : * 1. Redistributions of source code must retain the above copyright
16 : * notice, and the entire permission notice in its entirety,
17 : * including the disclaimer of warranties.
18 : * 2. Redistributions in binary form must reproduce the above copyright
19 : * notice, this list of conditions and the following disclaimer in the
20 : * documentation and/or other materials provided with the distribution.
21 : * 3. The name of the author may not be used to endorse or promote
22 : * products derived from this software without specific prior
23 : * written permission.
24 : *
25 : * ALTERNATIVELY, this product may be distributed under the terms of
26 : * LGPLv2+, in which case the provisions of the LGPL are
27 : * required INSTEAD OF the above restrictions. (This clause is
28 : * necessary due to a potential bad interaction between the LGPL and
29 : * the restrictions contained in a BSD-style copyright.)
30 : *
31 : * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32 : * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
33 : * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
34 : * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
35 : * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
36 : * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
37 : * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
38 : * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
39 : * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40 : * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
41 : * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
42 : * DAMAGE.
43 : *
44 : *
45 : * gcry_control GCRYCTL_DRBG_REINIT
46 : * ================================
47 : * This control request re-initializes the DRBG completely, i.e. the entire
48 : * state of the DRBG is zeroized (with two exceptions listed in
49 : * GCRYCTL_DRBG_SET_ENTROPY).
50 : *
51 : * The control request takes the following values which influences how
52 : * the DRBG is re-initialized:
53 : *
54 : * - const char *flagstr
55 : *
56 : * This variable specifies the DRBG type to be used for the next
57 : * initialization. If set to NULL, the previous DRBG type is
58 : * used for the initialization. If not NULL a space separated
59 : * list of tokens with associated flag values is expected which
60 : * are ORed to form the mandatory flags of the requested DRBG
61 : * strength and cipher type. Optionally, the prediction
62 : * resistance flag can be ORed into the flags variable.
63 : *
64 : * | String token | Flag value |
65 : * |--------------+------------------------|
66 : * | aes | DRBG_CTRAES |
67 : * | serpent | DRBG_CTRSERPENT |
68 : * | twofish | DRBG_CTRTWOFISH |
69 : * | sha1 | DRBG_HASHSHA1 |
70 : * | sha256 | DRBG_HASHSHA256 |
71 : * | sha512 | DRBG_HASHSHA512 |
72 : * | hmac | DRBG_HMAC |
73 : * | sym128 | DRBG_SYM128 |
74 : * | sym192 | DRBG_SYM192 |
75 : * | sym256 | DRBG_SYM256 |
76 : * | pr | DRBG_PREDICTION_RESIST |
77 : *
78 : * For example:
79 : *
80 : * - CTR-DRBG with AES-128 without prediction resistance:
81 : * "aes sym128"
82 : * - HMAC-DRBG with SHA-512 with prediction resistance:
83 : * "hmac sha512 pr"
84 : *
85 : * - gcry_buffer_t *pers
86 : *
87 : * NULL terminated array with personalization strings to be used
88 : * for initialization.
89 : *
90 : * - int npers
91 : *
92 : * Size of PERS.
93 : *
94 : * - void *guard
95 : *
96 : * A value of NULL must be passed for this.
97 : *
98 : * The variable of flags is independent from the pers/perslen variables. If
99 : * flags is set to 0 and perslen is set to 0, the current DRBG type is
100 : * completely reset without using a personalization string.
101 : *
102 : * DRBG Usage
103 : * ==========
104 : * The SP 800-90A DRBG allows the user to specify a personalization string
105 : * for initialization as well as an additional information string for each
106 : * random number request. The following code fragments show how a caller
107 : * uses the API to use the full functionality of the DRBG.
108 : *
109 : * Usage without any additional data
110 : * ---------------------------------
111 : * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
112 : *
113 : *
114 : * Usage with personalization string during initialization
115 : * -------------------------------------------------------
116 : * drbg_string_t pers;
117 : * char personalization[11] = "some-string";
118 : *
119 : * drbg_string_fill(&pers, personalization, strlen(personalization));
120 : * // The reset completely re-initializes the DRBG with the provided
121 : * // personalization string without changing the DRBG type
122 : * ret = gcry_control(GCRYCTL_DRBG_REINIT, 0, &pers);
123 : * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
124 : *
125 : *
126 : * Usage with additional information string during random number request
127 : * ---------------------------------------------------------------------
128 : * drbg_string_t addtl;
129 : * char addtl_string[11] = "some-string";
130 : *
131 : * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
132 : * // The following call is a wrapper to gcry_randomize() and returns
133 : * // the same error codes.
134 : * gcry_randomize_drbg(outbuf, OUTLEN, GCRY_STRONG_RANDOM, &addtl);
135 : *
136 : *
137 : * Usage with personalization and additional information strings
138 : * -------------------------------------------------------------
139 : * Just mix both scenarios above.
140 : *
141 : *
142 : * Switch the DRBG type to some other type
143 : * ---------------------------------------
144 : * // Switch to CTR DRBG AES-128 without prediction resistance
145 : * ret = gcry_control(GCRYCTL_DRBG_REINIT, DRBG_NOPR_CTRAES128, NULL);
146 : * gcry_randomize(outbuf, OUTLEN, GCRY_STRONG_RANDOM);
147 : */
148 :
149 : #include <string.h>
150 : #include <unistd.h>
151 : #include <stdint.h>
152 :
153 : #include <config.h>
154 :
155 : #include "g10lib.h"
156 : #include "random.h"
157 : #include "rand-internal.h"
158 : #include "../cipher/bufhelp.h"
159 :
160 :
161 :
162 : /******************************************************************
163 : * Constants
164 : ******************************************************************/
165 :
166 : /*
167 : * DRBG flags bitmasks
168 : *
169 : * 31 (B) 28 19 (A) 0
170 : * +-+-+-+--------+---+-----------+-----+
171 : * |~|~|u|~~~~~~~~| 3 | 2 | 1 |
172 : * +-+-+-+--------+- -+-----------+-----+
173 : * ctl flg| |drbg use selection flags
174 : *
175 : */
176 :
177 : /* Internal state control flags (B) */
178 : #define DRBG_PREDICTION_RESIST ((u32)1<<28)
179 :
180 : /* CTR type modifiers (A.1)*/
181 : #define DRBG_CTRAES ((u32)1<<0)
182 : #define DRBG_CTRSERPENT ((u32)1<<1)
183 : #define DRBG_CTRTWOFISH ((u32)1<<2)
184 : #define DRBG_CTR_MASK (DRBG_CTRAES | DRBG_CTRSERPENT \
185 : | DRBG_CTRTWOFISH)
186 :
187 : /* HASH type modifiers (A.2)*/
188 : #define DRBG_HASHSHA1 ((u32)1<<4)
189 : #define DRBG_HASHSHA224 ((u32)1<<5)
190 : #define DRBG_HASHSHA256 ((u32)1<<6)
191 : #define DRBG_HASHSHA384 ((u32)1<<7)
192 : #define DRBG_HASHSHA512 ((u32)1<<8)
193 : #define DRBG_HASH_MASK (DRBG_HASHSHA1 | DRBG_HASHSHA224 \
194 : | DRBG_HASHSHA256 | DRBG_HASHSHA384 \
195 : | DRBG_HASHSHA512)
196 : /* type modifiers (A.3)*/
197 : #define DRBG_HMAC ((u32)1<<12)
198 : #define DRBG_SYM128 ((u32)1<<13)
199 : #define DRBG_SYM192 ((u32)1<<14)
200 : #define DRBG_SYM256 ((u32)1<<15)
201 : #define DRBG_TYPE_MASK (DRBG_HMAC | DRBG_SYM128 | DRBG_SYM192 \
202 : | DRBG_SYM256)
203 : #define DRBG_CIPHER_MASK (DRBG_CTR_MASK | DRBG_HASH_MASK \
204 : | DRBG_TYPE_MASK)
205 :
206 : #define DRBG_PR_CTRAES128 (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM128)
207 : #define DRBG_PR_CTRAES192 (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM192)
208 : #define DRBG_PR_CTRAES256 (DRBG_PREDICTION_RESIST | DRBG_CTRAES | DRBG_SYM256)
209 : #define DRBG_NOPR_CTRAES128 (DRBG_CTRAES | DRBG_SYM128)
210 : #define DRBG_NOPR_CTRAES192 (DRBG_CTRAES | DRBG_SYM192)
211 : #define DRBG_NOPR_CTRAES256 (DRBG_CTRAES | DRBG_SYM256)
212 : #define DRBG_PR_HASHSHA1 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1)
213 : #define DRBG_PR_HASHSHA256 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256)
214 : #define DRBG_PR_HASHSHA384 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA384)
215 : #define DRBG_PR_HASHSHA512 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512)
216 : #define DRBG_NOPR_HASHSHA1 (DRBG_HASHSHA1)
217 : #define DRBG_NOPR_HASHSHA256 (DRBG_HASHSHA256)
218 : #define DRBG_NOPR_HASHSHA384 (DRBG_HASHSHA384)
219 : #define DRBG_NOPR_HASHSHA512 (DRBG_HASHSHA512)
220 : #define DRBG_PR_HMACSHA1 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA1 \
221 : | DRBG_HMAC)
222 : #define DRBG_PR_HMACSHA256 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA256 \
223 : | DRBG_HMAC)
224 : #define DRBG_PR_HMACSHA384 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA384 \
225 : | DRBG_HMAC)
226 : #define DRBG_PR_HMACSHA512 (DRBG_PREDICTION_RESIST | DRBG_HASHSHA512 \
227 : | DRBG_HMAC)
228 : #define DRBG_NOPR_HMACSHA1 (DRBG_HASHSHA1 | DRBG_HMAC)
229 : #define DRBG_NOPR_HMACSHA256 (DRBG_HASHSHA256 | DRBG_HMAC)
230 : #define DRBG_NOPR_HMACSHA384 (DRBG_HASHSHA384 | DRBG_HMAC)
231 : #define DRBG_NOPR_HMACSHA512 (DRBG_HASHSHA512 | DRBG_HMAC)
232 :
233 :
234 : /* The default DRGB type. */
235 : #define DRBG_DEFAULT_TYPE DRBG_NOPR_HMACSHA256
236 :
237 :
238 :
239 : /******************************************************************
240 : * Common data structures
241 : ******************************************************************/
242 :
243 : /*
244 : * SP800-90A requires the concatenation of different data. To avoid copying
245 : * buffers around or allocate additional memory, the following data structure
246 : * is used to point to the original memory with its size. In addition, it
247 : * is used to build a linked list. The linked list defines the concatenation
248 : * of individual buffers. The order of memory block referenced in that
249 : * linked list determines the order of concatenation.
250 : */
251 : struct drbg_string_s
252 : {
253 : const unsigned char *buf;
254 : size_t len;
255 : struct drbg_string_s *next;
256 : };
257 : typedef struct drbg_string_s drbg_string_t;
258 :
259 :
260 : /* DRBG input data structure for DRBG generate with additional
261 : * information string. */
262 : struct drbg_gen_s
263 : {
264 : unsigned char *outbuf; /* output buffer for random numbers */
265 : unsigned int outlen; /* size of output buffer */
266 : drbg_string_t *addtl; /* input buffer for
267 : * additional information string */
268 : };
269 : typedef struct drbg_gen_s drbg_gen_t;
270 :
271 :
272 : /* Forward declaration of the state object pointer. */
273 : struct drbg_state_s;
274 : typedef struct drbg_state_s *drbg_state_t;
275 :
276 :
277 : struct drbg_core_s
278 : {
279 : u32 flags; /* flags for the cipher */
280 : ushort statelen; /* maximum state length */
281 : ushort blocklen_bytes; /* block size of output in bytes */
282 : int backend_cipher; /* libgcrypt backend cipher */
283 : };
284 :
285 : struct drbg_state_ops_s
286 : {
287 : gpg_err_code_t (*update) (drbg_state_t drbg,
288 : drbg_string_t *seed, int reseed);
289 : gpg_err_code_t (*generate) (drbg_state_t drbg,
290 : unsigned char *buf, unsigned int buflen,
291 : drbg_string_t *addtl);
292 : gpg_err_code_t (*crypto_init) (drbg_state_t drbg);
293 : void (*crypto_fini) (drbg_state_t drbg);
294 : };
295 :
296 : struct drbg_test_data_s
297 : {
298 : drbg_string_t *testentropy; /* TEST PARAMETER: test entropy */
299 : int fail_seed_source:1; /* If set, the seed function will
300 : * return an error. */
301 : };
302 :
303 :
304 : /* This state object keeps the state of an DRBG instance. */
305 : struct drbg_state_s
306 : {
307 : unsigned char *V; /* internal state 10.1.1.1 1a) */
308 : unsigned char *C; /* hash: static value 10.1.1.1 1b)
309 : * hmac / ctr: key */
310 : size_t reseed_ctr; /* Number of RNG requests since last reseed --
311 : * 10.1.1.1 1c) */
312 : unsigned char *scratchpad; /* some memory the DRBG can use for its
313 : * operation -- allocated during init */
314 : void *priv_data; /* Cipher handle */
315 : gcry_cipher_hd_t ctr_handle; /* CTR mode cipher handle */
316 : #define DRBG_CTR_NULL_LEN 128
317 : unsigned char *ctr_null; /* CTR mode zero buffer */
318 : int seeded:1; /* DRBG fully seeded? */
319 : int pr:1; /* Prediction resistance enabled? */
320 : /* Taken from libgcrypt ANSI X9.31 DRNG: We need to keep track of the
321 : * process which did the initialization so that we can detect a fork.
322 : * The volatile modifier is required so that the compiler does not
323 : * optimize it away in case the getpid function is badly attributed. */
324 : pid_t seed_init_pid;
325 : const struct drbg_state_ops_s *d_ops;
326 : const struct drbg_core_s *core;
327 : struct drbg_test_data_s *test_data;
328 : };
329 :
330 : enum drbg_prefixes
331 : {
332 : DRBG_PREFIX0 = 0x00,
333 : DRBG_PREFIX1,
334 : DRBG_PREFIX2,
335 : DRBG_PREFIX3
336 : };
337 :
338 : #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
339 :
340 : /***************************************************************
341 : * Global variables
342 : ***************************************************************/
343 :
344 : /* Global state variable holding the current instance of the DRBG. */
345 : static drbg_state_t drbg_state;
346 :
347 : /* This is the lock variable we use to serialize access to this RNG. */
348 : GPGRT_LOCK_DEFINE(drbg_lock_var);
349 :
350 :
351 : /***************************************************************
352 : * Backend cipher definitions available to DRBG
353 : ***************************************************************/
354 :
355 : static const struct drbg_core_s drbg_cores[] = {
356 : /* Hash DRBGs */
357 : {DRBG_HASHSHA1, 55, 20, GCRY_MD_SHA1},
358 : {DRBG_HASHSHA256, 55, 32, GCRY_MD_SHA256},
359 : {DRBG_HASHSHA384, 111, 48, GCRY_MD_SHA384},
360 : {DRBG_HASHSHA512, 111, 64, GCRY_MD_SHA512},
361 : /* HMAC DRBGs */
362 : {DRBG_HASHSHA1 | DRBG_HMAC, 20, 20, GCRY_MD_SHA1},
363 : {DRBG_HASHSHA256 | DRBG_HMAC, 32, 32, GCRY_MD_SHA256},
364 : {DRBG_HASHSHA384 | DRBG_HMAC, 48, 48, GCRY_MD_SHA384},
365 : {DRBG_HASHSHA512 | DRBG_HMAC, 64, 64, GCRY_MD_SHA512},
366 : /* block ciphers */
367 : {DRBG_CTRAES | DRBG_SYM128, 32, 16, GCRY_CIPHER_AES128},
368 : {DRBG_CTRAES | DRBG_SYM192, 40, 16, GCRY_CIPHER_AES192},
369 : {DRBG_CTRAES | DRBG_SYM256, 48, 16, GCRY_CIPHER_AES256}
370 : };
371 :
372 : static gpg_err_code_t drbg_hash_init (drbg_state_t drbg);
373 : static gpg_err_code_t drbg_hmac_init (drbg_state_t drbg);
374 : static gpg_err_code_t drbg_hmac_setkey (drbg_state_t drbg,
375 : const unsigned char *key);
376 : static void drbg_hash_fini (drbg_state_t drbg);
377 : static byte *drbg_hash (drbg_state_t drbg, const drbg_string_t *buf);
378 : static gpg_err_code_t drbg_sym_init (drbg_state_t drbg);
379 : static void drbg_sym_fini (drbg_state_t drbg);
380 : static gpg_err_code_t drbg_sym_setkey (drbg_state_t drbg,
381 : const unsigned char *key);
382 : static gpg_err_code_t drbg_sym (drbg_state_t drbg, unsigned char *outval,
383 : const drbg_string_t *buf);
384 : static gpg_err_code_t drbg_sym_ctr (drbg_state_t drbg,
385 : const unsigned char *inbuf, unsigned int inbuflen,
386 : unsigned char *outbuf, unsigned int outbuflen);
387 :
388 : /******************************************************************
389 : ******************************************************************
390 : ******************************************************************
391 : * Generic DRBG code
392 : ******************************************************************
393 : ******************************************************************
394 : ******************************************************************/
395 :
396 : /******************************************************************
397 : * Generic helper functions
398 : ******************************************************************/
399 :
400 : #if 0
401 : #define dbg(x) do { log_debug x; } while(0)
402 : #else
403 : #define dbg(x)
404 : #endif
405 :
406 : /*
407 : * Parse a string of flags and store the flag values at R_FLAGS.
408 : * Return 0 on success.
409 : */
410 : static gpg_err_code_t
411 0 : parse_flag_string (const char *string, u32 *r_flags)
412 : {
413 : struct {
414 : const char *name;
415 : u32 flag;
416 0 : } table[] = {
417 : { "aes", DRBG_CTRAES },
418 : { "serpent", DRBG_CTRSERPENT },
419 : { "twofish", DRBG_CTRTWOFISH },
420 : { "sha1", DRBG_HASHSHA1 },
421 : { "sha256", DRBG_HASHSHA256 },
422 : { "sha512", DRBG_HASHSHA512 },
423 : { "hmac", DRBG_HMAC },
424 : { "sym128", DRBG_SYM128 },
425 : { "sym192", DRBG_SYM192 },
426 : { "sym256", DRBG_SYM256 },
427 : { "pr", DRBG_PREDICTION_RESIST }
428 : };
429 :
430 0 : *r_flags = 0;
431 0 : if (string)
432 : {
433 : char **tl;
434 : const char *s;
435 : int i, j;
436 :
437 0 : tl = _gcry_strtokenize (string, NULL);
438 0 : if (!tl)
439 0 : return gpg_err_code_from_syserror ();
440 0 : for (i=0; (s=tl[i]); i++)
441 : {
442 0 : for (j=0; j < DIM (table); j++)
443 0 : if (!strcmp (s, table[j].name))
444 : {
445 0 : *r_flags |= table[j].flag;
446 0 : break;
447 : }
448 0 : if (!(j < DIM (table)))
449 : {
450 0 : xfree (tl);
451 0 : return GPG_ERR_INV_FLAG;
452 : }
453 : }
454 0 : xfree (tl);
455 : }
456 :
457 0 : return 0;
458 : }
459 :
460 : static inline void
461 0 : drbg_string_fill (drbg_string_t *string,
462 : const unsigned char *buf, size_t len)
463 : {
464 0 : string->buf = buf;
465 0 : string->len = len;
466 0 : string->next = NULL;
467 0 : }
468 :
469 : static inline ushort
470 0 : drbg_statelen (drbg_state_t drbg)
471 : {
472 0 : if (drbg && drbg->core)
473 0 : return drbg->core->statelen;
474 0 : return 0;
475 : }
476 :
477 : static inline ushort
478 0 : drbg_blocklen (drbg_state_t drbg)
479 : {
480 0 : if (drbg && drbg->core)
481 0 : return drbg->core->blocklen_bytes;
482 0 : return 0;
483 : }
484 :
485 : static inline ushort
486 0 : drbg_keylen (drbg_state_t drbg)
487 : {
488 0 : if (drbg && drbg->core)
489 0 : return (drbg->core->statelen - drbg->core->blocklen_bytes);
490 0 : return 0;
491 : }
492 :
493 : static inline size_t
494 0 : drbg_max_request_bytes (void)
495 : {
496 : /* SP800-90A requires the limit 2**19 bits, but we return bytes */
497 0 : return (1 << 16);
498 : }
499 :
500 : static inline size_t
501 0 : drbg_max_addtl (void)
502 : {
503 : /* SP800-90A requires 2**35 bytes additional info str / pers str */
504 : #ifdef __LP64__
505 0 : return (1UL << 35);
506 : #else
507 : /*
508 : * SP800-90A allows smaller maximum numbers to be returned -- we
509 : * return SIZE_MAX - 1 to allow the verification of the enforcement
510 : * of this value in drbg_healthcheck_sanity.
511 : */
512 : return (SIZE_MAX - 1);
513 : #endif
514 : }
515 :
516 : static inline size_t
517 0 : drbg_max_requests (void)
518 : {
519 : /* SP800-90A requires 2**48 maximum requests before reseeding */
520 : #ifdef __LP64__
521 0 : return (1UL << 48);
522 : #else
523 : return SIZE_MAX;
524 : #endif
525 : }
526 :
527 : /*
528 : * Return strength of DRBG according to SP800-90A section 8.4
529 : *
530 : * flags: DRBG flags reference
531 : *
532 : * Return: normalized strength value or 32 as a default to counter
533 : * programming errors
534 : */
535 : static inline unsigned short
536 0 : drbg_sec_strength (u32 flags)
537 : {
538 0 : if ((flags & DRBG_HASHSHA1) || (flags & DRBG_SYM128))
539 0 : return 16;
540 0 : else if (flags & DRBG_SYM192)
541 0 : return 24;
542 0 : else if ((flags & DRBG_SYM256) || (flags & DRBG_HASHSHA256) ||
543 0 : (flags & DRBG_HASHSHA384) || (flags & DRBG_HASHSHA512))
544 0 : return 32;
545 : else
546 0 : return 32;
547 : }
548 :
549 : static void
550 0 : drbg_add_buf (unsigned char *dst, size_t dstlen,
551 : unsigned char *add, size_t addlen)
552 : {
553 : /* implied: dstlen > addlen */
554 : unsigned char *dstptr, *addptr;
555 0 : unsigned int remainder = 0;
556 0 : size_t len = addlen;
557 :
558 0 : dstptr = dst + (dstlen - 1);
559 0 : addptr = add + (addlen - 1);
560 0 : while (len)
561 : {
562 0 : remainder += *dstptr + *addptr;
563 0 : *dstptr = remainder & 0xff;
564 0 : remainder >>= 8;
565 0 : len--;
566 0 : dstptr--;
567 0 : addptr--;
568 : }
569 0 : len = dstlen - addlen;
570 0 : while (len && remainder > 0)
571 : {
572 0 : remainder = *dstptr + 1;
573 0 : *dstptr = remainder & 0xff;
574 0 : remainder >>= 8;
575 0 : len--;
576 0 : dstptr--;
577 : }
578 0 : }
579 :
580 : /* Helper variables for read_cb().
581 : *
582 : * The _gcry_rnd*_gather_random interface does not allow to provide a
583 : * data pointer. Thus we need to use a global variable for
584 : * communication. However, the then required locking is anyway a good
585 : * idea because it does not make sense to have several readers of (say
586 : * /dev/random). It is easier to serve them one after the other.
587 : */
588 : static unsigned char *read_cb_buffer; /* The buffer. */
589 : static size_t read_cb_size; /* Size of the buffer. */
590 : static size_t read_cb_len; /* Used length. */
591 :
592 : /* Callback for generating seed from kernel device. */
593 : static void
594 0 : drbg_read_cb (const void *buffer, size_t length,
595 : enum random_origins origin)
596 : {
597 0 : const unsigned char *p = buffer;
598 :
599 : (void) origin;
600 0 : gcry_assert (read_cb_buffer);
601 :
602 : /* Note that we need to protect against gatherers returning more
603 : * than the requested bytes (e.g. rndw32). */
604 0 : while (length-- && read_cb_len < read_cb_size)
605 0 : read_cb_buffer[read_cb_len++] = *p++;
606 0 : }
607 :
608 : static inline int
609 0 : drbg_get_entropy (drbg_state_t drbg, unsigned char *buffer,
610 : size_t len)
611 : {
612 0 : int rc = 0;
613 :
614 : /* Perform testing as defined in 11.3.2 */
615 0 : if (drbg->test_data && drbg->test_data->fail_seed_source)
616 0 : return -1;
617 :
618 0 : read_cb_buffer = buffer;
619 0 : read_cb_size = len;
620 0 : read_cb_len = 0;
621 : #if USE_RNDLINUX
622 0 : rc = _gcry_rndlinux_gather_random (drbg_read_cb, 0, len,
623 : GCRY_VERY_STRONG_RANDOM);
624 : #elif USE_RNDUNIX
625 : rc = _gcry_rndunix_gather_random (drbg_read_cb, 0, len,
626 : GCRY_VERY_STRONG_RANDOM);
627 : #elif USE_RNDW32
628 : do
629 : {
630 : rc = _gcry_rndw32_gather_random (drbg_read_cb, 0, len,
631 : GCRY_VERY_STRONG_RANDOM);
632 : }
633 : while (rc >= 0 && read_cb_len < read_cb_size);
634 : #else
635 : rc = -1;
636 : #endif
637 0 : return rc;
638 : }
639 :
640 : /******************************************************************
641 : * CTR DRBG callback functions
642 : ******************************************************************/
643 :
644 : /* BCC function for CTR DRBG as defined in 10.4.3 */
645 : static gpg_err_code_t
646 0 : drbg_ctr_bcc (drbg_state_t drbg,
647 : unsigned char *out, const unsigned char *key,
648 : drbg_string_t *in)
649 : {
650 0 : gpg_err_code_t ret = GPG_ERR_GENERAL;
651 0 : drbg_string_t *curr = in;
652 0 : size_t inpos = curr->len;
653 0 : const unsigned char *pos = curr->buf;
654 : drbg_string_t data;
655 :
656 0 : drbg_string_fill (&data, out, drbg_blocklen (drbg));
657 :
658 : /* 10.4.3 step 1 */
659 0 : memset (out, 0, drbg_blocklen (drbg));
660 :
661 0 : ret = drbg_sym_setkey(drbg, key);
662 0 : if (ret)
663 0 : return ret;
664 :
665 : /* 10.4.3 step 2 / 4 */
666 0 : while (inpos)
667 : {
668 0 : short cnt = 0;
669 : /* 10.4.3 step 4.1 */
670 0 : for (cnt = 0; cnt < drbg_blocklen (drbg); cnt++)
671 : {
672 0 : out[cnt] ^= *pos;
673 0 : pos++;
674 0 : inpos--;
675 : /* the following branch implements the linked list
676 : * iteration. If we are at the end of the current data
677 : * set, we have to start using the next data set if
678 : * available -- the inpos value always points to the
679 : * current byte and will be zero if we have processed
680 : * the last byte of the last linked list member */
681 0 : if (0 == inpos)
682 : {
683 0 : curr = curr->next;
684 0 : if (NULL != curr)
685 : {
686 0 : pos = curr->buf;
687 0 : inpos = curr->len;
688 : }
689 : else
690 : {
691 0 : inpos = 0;
692 0 : break;
693 : }
694 : }
695 : }
696 : /* 10.4.3 step 4.2 */
697 0 : ret = drbg_sym (drbg, out, &data);
698 0 : if (ret)
699 0 : return ret;
700 : /* 10.4.3 step 2 */
701 : }
702 0 : return 0;
703 : }
704 :
705 :
706 : /*
707 : * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
708 : * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
709 : * the scratchpad is used as follows:
710 : * drbg_ctr_update:
711 : * temp
712 : * start: drbg->scratchpad
713 : * length: drbg_statelen(drbg) + drbg_blocklen(drbg)
714 : * note: the cipher writing into this variable works
715 : * blocklen-wise. Now, when the statelen is not a multiple
716 : * of blocklen, the generateion loop below "spills over"
717 : * by at most blocklen. Thus, we need to give sufficient
718 : * memory.
719 : * df_data
720 : * start: drbg->scratchpad +
721 : * drbg_statelen(drbg) +
722 : * drbg_blocklen(drbg)
723 : * length: drbg_statelen(drbg)
724 : *
725 : * drbg_ctr_df:
726 : * pad
727 : * start: df_data + drbg_statelen(drbg)
728 : * length: drbg_blocklen(drbg)
729 : * iv
730 : * start: pad + drbg_blocklen(drbg)
731 : * length: drbg_blocklen(drbg)
732 : * temp
733 : * start: iv + drbg_blocklen(drbg)
734 : * length: drbg_satelen(drbg) + drbg_blocklen(drbg)
735 : * note: temp is the buffer that the BCC function operates
736 : * on. BCC operates blockwise. drbg_statelen(drbg)
737 : * is sufficient when the DRBG state length is a multiple
738 : * of the block size. For AES192 (and maybe other ciphers)
739 : * this is not correct and the length for temp is
740 : * insufficient (yes, that also means for such ciphers,
741 : * the final output of all BCC rounds are truncated).
742 : * Therefore, add drbg_blocklen(drbg) to cover all
743 : * possibilities.
744 : */
745 :
746 : /* Derivation Function for CTR DRBG as defined in 10.4.2 */
747 : static gpg_err_code_t
748 0 : drbg_ctr_df (drbg_state_t drbg, unsigned char *df_data,
749 : size_t bytes_to_return, drbg_string_t *addtl)
750 : {
751 0 : gpg_err_code_t ret = GPG_ERR_GENERAL;
752 : unsigned char L_N[8];
753 : /* S3 is input */
754 : drbg_string_t S1, S2, S4, cipherin;
755 0 : drbg_string_t *tempstr = addtl;
756 0 : unsigned char *pad = df_data + drbg_statelen (drbg);
757 0 : unsigned char *iv = pad + drbg_blocklen (drbg);
758 0 : unsigned char *temp = iv + drbg_blocklen (drbg);
759 0 : size_t padlen = 0;
760 0 : unsigned int templen = 0;
761 : /* 10.4.2 step 7 */
762 0 : unsigned int i = 0;
763 : /* 10.4.2 step 8 */
764 0 : const unsigned char *K = (unsigned char *)
765 : "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
766 : "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
767 : unsigned char *X;
768 0 : size_t generated_len = 0;
769 0 : size_t inputlen = 0;
770 :
771 0 : memset (pad, 0, drbg_blocklen (drbg));
772 0 : memset (iv, 0, drbg_blocklen (drbg));
773 0 : memset (temp, 0, drbg_statelen (drbg));
774 :
775 : /* 10.4.2 step 1 is implicit as we work byte-wise */
776 :
777 : /* 10.4.2 step 2 */
778 0 : if ((512 / 8) < bytes_to_return)
779 0 : return GPG_ERR_INV_ARG;
780 :
781 : /* 10.4.2 step 2 -- calculate the entire length of all input data */
782 0 : for (; NULL != tempstr; tempstr = tempstr->next)
783 0 : inputlen += tempstr->len;
784 0 : buf_put_be32 (&L_N[0], inputlen);
785 :
786 : /* 10.4.2 step 3 */
787 0 : buf_put_be32 (&L_N[4], bytes_to_return);
788 :
789 : /* 10.4.2 step 5: length is size of L_N, input_string, one byte, padding */
790 0 : padlen = (inputlen + sizeof (L_N) + 1) % (drbg_blocklen (drbg));
791 : /* wrap the padlen appropriately */
792 0 : if (padlen)
793 0 : padlen = drbg_blocklen (drbg) - padlen;
794 : /* pad / padlen contains the 0x80 byte and the following zero bytes, so
795 : * add one for byte for 0x80 */
796 0 : padlen++;
797 0 : pad[0] = 0x80;
798 :
799 : /* 10.4.2 step 4 -- first fill the linked list and then order it */
800 0 : drbg_string_fill (&S1, iv, drbg_blocklen (drbg));
801 0 : drbg_string_fill (&S2, L_N, sizeof (L_N));
802 0 : drbg_string_fill (&S4, pad, padlen);
803 0 : S1.next = &S2;
804 0 : S2.next = addtl;
805 :
806 : /* Splice in addtl between S2 and S4 -- we place S4 at the end of the
807 : * input data chain. As this code is only triggered when addtl is not
808 : * NULL, no NULL checks are necessary.*/
809 0 : tempstr = addtl;
810 0 : while (tempstr->next)
811 0 : tempstr = tempstr->next;
812 0 : tempstr->next = &S4;
813 :
814 : /* 10.4.2 step 9 */
815 0 : while (templen < (drbg_keylen (drbg) + (drbg_blocklen (drbg))))
816 : {
817 : /* 10.4.2 step 9.1 - the padding is implicit as the buffer
818 : * holds zeros after allocation -- even the increment of i
819 : * is irrelevant as the increment remains within length of i */
820 0 : buf_put_be32 (iv, i);
821 : /* 10.4.2 step 9.2 -- BCC and concatenation with temp */
822 0 : ret = drbg_ctr_bcc (drbg, temp + templen, K, &S1);
823 0 : if (ret)
824 0 : goto out;
825 : /* 10.4.2 step 9.3 */
826 0 : i++;
827 0 : templen += drbg_blocklen (drbg);
828 : }
829 :
830 : /* 10.4.2 step 11 */
831 : /* implicit key len with seedlen - blocklen according to table 3 */
832 0 : X = temp + (drbg_keylen (drbg));
833 0 : drbg_string_fill (&cipherin, X, drbg_blocklen (drbg));
834 :
835 : /* 10.4.2 step 12: overwriting of outval */
836 :
837 : /* 10.4.2 step 13 */
838 0 : ret = drbg_sym_setkey(drbg, temp);
839 0 : if (ret)
840 0 : goto out;
841 0 : while (generated_len < bytes_to_return)
842 : {
843 0 : short blocklen = 0;
844 : /* 10.4.2 step 13.1 */
845 : /* the truncation of the key length is implicit as the key
846 : * is only drbg_blocklen in size -- check for the implementation
847 : * of the cipher function callback */
848 0 : ret = drbg_sym (drbg, X, &cipherin);
849 0 : if (ret)
850 0 : goto out;
851 0 : blocklen = (drbg_blocklen (drbg) < (bytes_to_return - generated_len)) ?
852 0 : drbg_blocklen (drbg) : (bytes_to_return - generated_len);
853 : /* 10.4.2 step 13.2 and 14 */
854 0 : memcpy (df_data + generated_len, X, blocklen);
855 0 : generated_len += blocklen;
856 : }
857 :
858 0 : ret = 0;
859 :
860 : out:
861 0 : memset (iv, 0, drbg_blocklen (drbg));
862 0 : memset (temp, 0, drbg_statelen (drbg));
863 0 : memset (pad, 0, drbg_blocklen (drbg));
864 0 : return ret;
865 : }
866 :
867 : /*
868 : * Update function of CTR DRBG as defined in 10.2.1.2
869 : *
870 : * The reseed variable has an enhanced meaning compared to the update
871 : * functions of the other DRBGs as follows:
872 : * 0 => initial seed from initialization
873 : * 1 => reseed via drbg_seed
874 : * 2 => first invocation from drbg_ctr_update when addtl is present. In
875 : * this case, the df_data scratchpad is not deleted so that it is
876 : * available for another calls to prevent calling the DF function
877 : * again.
878 : * 3 => second invocation from drbg_ctr_update. When the update function
879 : * was called with addtl, the df_data memory already contains the
880 : * DFed addtl information and we do not need to call DF again.
881 : */
882 : static gpg_err_code_t
883 0 : drbg_ctr_update (drbg_state_t drbg, drbg_string_t *addtl, int reseed)
884 : {
885 0 : gpg_err_code_t ret = GPG_ERR_GENERAL;
886 : /* 10.2.1.2 step 1 */
887 0 : unsigned char *temp = drbg->scratchpad;
888 0 : unsigned char *df_data = drbg->scratchpad +
889 0 : drbg_statelen (drbg) + drbg_blocklen (drbg);
890 0 : unsigned char prefix = DRBG_PREFIX1;
891 :
892 0 : memset (temp, 0, drbg_statelen (drbg) + drbg_blocklen (drbg));
893 0 : if (3 > reseed)
894 0 : memset (df_data, 0, drbg_statelen (drbg));
895 :
896 0 : if (!reseed)
897 : {
898 : /*
899 : * The DRBG uses the CTR mode of the underlying AES cipher. The
900 : * CTR mode increments the counter value after the AES operation
901 : * but SP800-90A requires that the counter is incremented before
902 : * the AES operation. Hence, we increment it at the time we set
903 : * it by one.
904 : */
905 0 : drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
906 :
907 0 : ret = _gcry_cipher_setkey (drbg->ctr_handle, drbg->C, drbg_keylen (drbg));
908 0 : if (ret)
909 0 : goto out;
910 : }
911 :
912 : /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
913 0 : if (addtl && 0 < addtl->len)
914 : {
915 0 : ret =
916 0 : drbg_ctr_df (drbg, df_data, drbg_statelen (drbg), addtl);
917 0 : if (ret)
918 0 : goto out;
919 : }
920 :
921 0 : ret = drbg_sym_ctr (drbg, df_data, drbg_statelen(drbg),
922 0 : temp, drbg_statelen(drbg));
923 0 : if (ret)
924 0 : goto out;
925 :
926 : /* 10.2.1.2 step 5 */
927 0 : ret = _gcry_cipher_setkey (drbg->ctr_handle, temp, drbg_keylen (drbg));
928 0 : if (ret)
929 0 : goto out;
930 :
931 : /* 10.2.1.2 step 6 */
932 0 : memcpy (drbg->V, temp + drbg_keylen (drbg), drbg_blocklen (drbg));
933 : /* See above: increment counter by one to compensate timing of CTR op */
934 0 : drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
935 0 : ret = 0;
936 :
937 : out:
938 0 : memset (temp, 0, drbg_statelen (drbg) + drbg_blocklen (drbg));
939 0 : if (2 != reseed)
940 0 : memset (df_data, 0, drbg_statelen (drbg));
941 0 : return ret;
942 : }
943 :
944 : /*
945 : * scratchpad use: drbg_ctr_update is called independently from
946 : * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
947 : */
948 : /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
949 : static gpg_err_code_t
950 0 : drbg_ctr_generate (drbg_state_t drbg,
951 : unsigned char *buf, unsigned int buflen,
952 : drbg_string_t *addtl)
953 : {
954 0 : gpg_err_code_t ret = 0;
955 :
956 0 : memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
957 :
958 : /* 10.2.1.5.2 step 2 */
959 0 : if (addtl && 0 < addtl->len)
960 : {
961 0 : addtl->next = NULL;
962 0 : ret = drbg_ctr_update (drbg, addtl, 2);
963 0 : if (ret)
964 0 : return ret;
965 : }
966 :
967 : /* 10.2.1.5.2 step 4.1 */
968 0 : ret = drbg_sym_ctr (drbg, drbg->ctr_null, DRBG_CTR_NULL_LEN, buf, buflen);
969 0 : if (ret)
970 0 : goto out;
971 :
972 : /* 10.2.1.5.2 step 6 */
973 0 : if (addtl)
974 0 : addtl->next = NULL;
975 0 : ret = drbg_ctr_update (drbg, addtl, 3);
976 :
977 : out:
978 0 : return ret;
979 : }
980 :
981 : static struct drbg_state_ops_s drbg_ctr_ops = {
982 : drbg_ctr_update,
983 : drbg_ctr_generate,
984 : drbg_sym_init,
985 : drbg_sym_fini,
986 : };
987 :
988 : /******************************************************************
989 : * HMAC DRBG callback functions
990 : ******************************************************************/
991 :
992 : static gpg_err_code_t
993 0 : drbg_hmac_update (drbg_state_t drbg, drbg_string_t *seed, int reseed)
994 : {
995 0 : gpg_err_code_t ret = GPG_ERR_GENERAL;
996 0 : int i = 0;
997 : drbg_string_t seed1, seed2, cipherin;
998 :
999 0 : if (!reseed)
1000 : {
1001 : /* 10.1.2.3 step 2 already implicitly covered with
1002 : * the initial memset(0) of drbg->C */
1003 0 : memset (drbg->V, 1, drbg_statelen (drbg));
1004 0 : ret = drbg_hmac_setkey (drbg, drbg->C);
1005 0 : if (ret)
1006 0 : return ret;
1007 : }
1008 :
1009 : /* build linked list which implements the concatenation and fill
1010 : * first part*/
1011 0 : drbg_string_fill (&seed1, drbg->V, drbg_statelen (drbg));
1012 : /* buffer will be filled in for loop below with one byte */
1013 0 : drbg_string_fill (&seed2, NULL, 1);
1014 0 : seed1.next = &seed2;
1015 : /* seed may be NULL */
1016 0 : seed2.next = seed;
1017 :
1018 0 : drbg_string_fill (&cipherin, drbg->V, drbg_statelen (drbg));
1019 : /* we execute two rounds of V/K massaging */
1020 0 : for (i = 2; 0 < i; i--)
1021 : {
1022 : byte *retval;
1023 : /* first round uses 0x0, second 0x1 */
1024 0 : unsigned char prefix = DRBG_PREFIX0;
1025 0 : if (1 == i)
1026 0 : prefix = DRBG_PREFIX1;
1027 : /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
1028 0 : seed2.buf = &prefix;
1029 0 : retval = drbg_hash (drbg, &seed1);
1030 0 : ret = drbg_hmac_setkey (drbg, retval);
1031 0 : if (ret)
1032 0 : return ret;
1033 :
1034 : /* 10.1.2.2 step 2 and 5 -- HMAC for V */
1035 0 : retval = drbg_hash (drbg, &cipherin);
1036 0 : memcpy(drbg->V, retval, drbg_blocklen (drbg));
1037 :
1038 : /* 10.1.2.2 step 3 */
1039 0 : if (!seed || 0 == seed->len)
1040 0 : return ret;
1041 : }
1042 0 : return 0;
1043 : }
1044 :
1045 : /* generate function of HMAC DRBG as defined in 10.1.2.5 */
1046 : static gpg_err_code_t
1047 0 : drbg_hmac_generate (drbg_state_t drbg, unsigned char *buf, unsigned int buflen,
1048 : drbg_string_t *addtl)
1049 : {
1050 0 : gpg_err_code_t ret = 0;
1051 0 : unsigned int len = 0;
1052 : drbg_string_t data;
1053 :
1054 : /* 10.1.2.5 step 2 */
1055 0 : if (addtl && 0 < addtl->len)
1056 : {
1057 0 : addtl->next = NULL;
1058 0 : ret = drbg_hmac_update (drbg, addtl, 1);
1059 0 : if (ret)
1060 0 : return ret;
1061 : }
1062 :
1063 0 : drbg_string_fill (&data, drbg->V, drbg_statelen (drbg));
1064 0 : while (len < buflen)
1065 : {
1066 0 : unsigned int outlen = 0;
1067 : /* 10.1.2.5 step 4.1 */
1068 0 : byte *retval = drbg_hash (drbg, &data);
1069 0 : memcpy(drbg->V, retval, drbg_blocklen (drbg));
1070 0 : outlen = (drbg_blocklen (drbg) < (buflen - len)) ?
1071 0 : drbg_blocklen (drbg) : (buflen - len);
1072 :
1073 : /* 10.1.2.5 step 4.2 */
1074 0 : memcpy (buf + len, drbg->V, outlen);
1075 0 : len += outlen;
1076 : }
1077 :
1078 : /* 10.1.2.5 step 6 */
1079 0 : if (addtl)
1080 0 : addtl->next = NULL;
1081 0 : ret = drbg_hmac_update (drbg, addtl, 1);
1082 :
1083 0 : return ret;
1084 : }
1085 :
1086 : static struct drbg_state_ops_s drbg_hmac_ops = {
1087 : drbg_hmac_update,
1088 : drbg_hmac_generate,
1089 : drbg_hmac_init,
1090 : drbg_hash_fini,
1091 : };
1092 :
1093 : /******************************************************************
1094 : * Hash DRBG callback functions
1095 : ******************************************************************/
1096 :
1097 : /*
1098 : * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
1099 : * interlinked, the scratchpad is used as follows:
1100 : * drbg_hash_update
1101 : * start: drbg->scratchpad
1102 : * length: drbg_statelen(drbg)
1103 : * drbg_hash_df:
1104 : * start: drbg->scratchpad + drbg_statelen(drbg)
1105 : * length: drbg_blocklen(drbg)
1106 : */
1107 : /* Derivation Function for Hash DRBG as defined in 10.4.1 */
1108 : static gpg_err_code_t
1109 0 : drbg_hash_df (drbg_state_t drbg,
1110 : unsigned char *outval, size_t outlen,
1111 : drbg_string_t *entropy)
1112 : {
1113 0 : size_t len = 0;
1114 : unsigned char input[5];
1115 : drbg_string_t data1;
1116 :
1117 : /* 10.4.1 step 3 */
1118 0 : input[0] = 1;
1119 0 : buf_put_be32 (&input[1], (outlen * 8));
1120 :
1121 : /* 10.4.1 step 4.1 -- concatenation of data for input into hash */
1122 0 : drbg_string_fill (&data1, input, 5);
1123 0 : data1.next = entropy;
1124 :
1125 : /* 10.4.1 step 4 */
1126 0 : while (len < outlen)
1127 : {
1128 0 : short blocklen = 0;
1129 : /* 10.4.1 step 4.1 */
1130 0 : byte *retval = drbg_hash (drbg, &data1);
1131 : /* 10.4.1 step 4.2 */
1132 0 : input[0]++;
1133 0 : blocklen = (drbg_blocklen (drbg) < (outlen - len)) ?
1134 0 : drbg_blocklen (drbg) : (outlen - len);
1135 0 : memcpy (outval + len, retval, blocklen);
1136 0 : len += blocklen;
1137 : }
1138 :
1139 0 : return 0;
1140 : }
1141 :
1142 : /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
1143 : static gpg_err_code_t
1144 0 : drbg_hash_update (drbg_state_t drbg, drbg_string_t *seed, int reseed)
1145 : {
1146 0 : gpg_err_code_t ret = 0;
1147 : drbg_string_t data1, data2;
1148 0 : unsigned char *V = drbg->scratchpad;
1149 0 : unsigned char prefix = DRBG_PREFIX1;
1150 :
1151 0 : memset (drbg->scratchpad, 0, drbg_statelen (drbg));
1152 0 : if (!seed)
1153 0 : return GPG_ERR_INV_ARG;
1154 :
1155 0 : if (reseed)
1156 : {
1157 : /* 10.1.1.3 step 1: string length is concatenation of
1158 : * 1 byte, V and seed (which is concatenated entropy/addtl
1159 : * input)
1160 : */
1161 0 : memcpy (V, drbg->V, drbg_statelen (drbg));
1162 0 : drbg_string_fill (&data1, &prefix, 1);
1163 0 : drbg_string_fill (&data2, V, drbg_statelen (drbg));
1164 0 : data1.next = &data2;
1165 0 : data2.next = seed;
1166 : }
1167 : else
1168 : {
1169 0 : drbg_string_fill (&data1, seed->buf, seed->len);
1170 0 : data1.next = seed->next;
1171 : }
1172 :
1173 : /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
1174 0 : ret = drbg_hash_df (drbg, drbg->V, drbg_statelen (drbg), &data1);
1175 0 : if (ret)
1176 0 : goto out;
1177 :
1178 : /* 10.1.1.2 / 10.1.1.3 step 4 -- concatenation */
1179 0 : prefix = DRBG_PREFIX0;
1180 0 : drbg_string_fill (&data1, &prefix, 1);
1181 0 : drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg));
1182 0 : data1.next = &data2;
1183 : /* 10.1.1.2 / 10.1.1.3 step 4 -- df operation */
1184 0 : ret = drbg_hash_df (drbg, drbg->C, drbg_statelen (drbg), &data1);
1185 :
1186 : out:
1187 0 : memset (drbg->scratchpad, 0, drbg_statelen (drbg));
1188 0 : return ret;
1189 : }
1190 :
1191 : /* Processing of additional information string for Hash DRBG. */
1192 : static gpg_err_code_t
1193 0 : drbg_hash_process_addtl (drbg_state_t drbg, drbg_string_t *addtl)
1194 : {
1195 : drbg_string_t data1, data2;
1196 : drbg_string_t *data3;
1197 0 : unsigned char prefix = DRBG_PREFIX2;
1198 : byte *retval;
1199 :
1200 : /* 10.1.1.4 step 2 */
1201 0 : if (!addtl || 0 == addtl->len)
1202 0 : return 0;
1203 :
1204 : /* 10.1.1.4 step 2a -- concatenation */
1205 0 : drbg_string_fill (&data1, &prefix, 1);
1206 0 : drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg));
1207 0 : data3 = addtl;
1208 0 : data1.next = &data2;
1209 0 : data2.next = data3;
1210 0 : data3->next = NULL;
1211 : /* 10.1.1.4 step 2a -- cipher invocation */
1212 0 : retval = drbg_hash (drbg, &data1);
1213 :
1214 : /* 10.1.1.4 step 2b */
1215 0 : drbg_add_buf (drbg->V, drbg_statelen (drbg), retval, drbg_blocklen (drbg));
1216 :
1217 0 : return 0;
1218 : }
1219 :
1220 : /*
1221 : * Hashgen defined in 10.1.1.4
1222 : */
1223 : static gpg_err_code_t
1224 0 : drbg_hash_hashgen (drbg_state_t drbg, unsigned char *buf, unsigned int buflen)
1225 : {
1226 0 : unsigned int len = 0;
1227 0 : unsigned char *src = drbg->scratchpad;
1228 : drbg_string_t data;
1229 0 : unsigned char prefix = DRBG_PREFIX1;
1230 :
1231 : /* 10.1.1.4 step hashgen 2 */
1232 0 : memcpy (src, drbg->V, drbg_statelen (drbg));
1233 :
1234 0 : drbg_string_fill (&data, src, drbg_statelen (drbg));
1235 0 : while (len < buflen)
1236 : {
1237 0 : unsigned int outlen = 0;
1238 : /* 10.1.1.4 step hashgen 4.1 */
1239 0 : byte *retval = drbg_hash (drbg, &data);
1240 0 : outlen = (drbg_blocklen (drbg) < (buflen - len)) ?
1241 0 : drbg_blocklen (drbg) : (buflen - len);
1242 : /* 10.1.1.4 step hashgen 4.2 */
1243 0 : memcpy (buf + len, retval, outlen);
1244 0 : len += outlen;
1245 : /* 10.1.1.4 hashgen step 4.3 */
1246 0 : if (len < buflen)
1247 0 : drbg_add_buf (src, drbg_statelen (drbg), &prefix, 1);
1248 : }
1249 :
1250 0 : memset (drbg->scratchpad, 0, drbg_statelen (drbg));
1251 0 : return 0;
1252 : }
1253 :
1254 : /* Generate function for Hash DRBG as defined in 10.1.1.4 */
1255 : static gpg_err_code_t
1256 0 : drbg_hash_generate (drbg_state_t drbg, unsigned char *buf, unsigned int buflen,
1257 : drbg_string_t *addtl)
1258 : {
1259 : gpg_err_code_t ret;
1260 0 : unsigned char prefix = DRBG_PREFIX3;
1261 : drbg_string_t data1, data2;
1262 : byte *retval;
1263 : union
1264 : {
1265 : unsigned char req[8];
1266 : u64 req_int;
1267 : } u;
1268 :
1269 : /* 10.1.1.4 step 2 */
1270 0 : ret = drbg_hash_process_addtl (drbg, addtl);
1271 0 : if (ret)
1272 0 : return ret;
1273 : /* 10.1.1.4 step 3 -- invocation of the Hashgen function defined in
1274 : * 10.1.1.4 */
1275 0 : ret = drbg_hash_hashgen (drbg, buf, buflen);
1276 0 : if (ret)
1277 0 : return ret;
1278 :
1279 : /* 10.1.1.4 step 4 */
1280 0 : drbg_string_fill (&data1, &prefix, 1);
1281 0 : drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg));
1282 0 : data1.next = &data2;
1283 :
1284 : /* this is the value H as documented in 10.1.1.4 */
1285 0 : retval = drbg_hash (drbg, &data1);
1286 :
1287 : /* 10.1.1.4 step 5 */
1288 0 : drbg_add_buf (drbg->V, drbg_statelen (drbg), retval, drbg_blocklen (drbg));
1289 0 : drbg_add_buf (drbg->V, drbg_statelen (drbg), drbg->C, drbg_statelen (drbg));
1290 0 : u.req_int = be_bswap64 (drbg->reseed_ctr);
1291 0 : drbg_add_buf (drbg->V, drbg_statelen (drbg), u.req, sizeof (u.req));
1292 :
1293 0 : return ret;
1294 : }
1295 :
1296 : /*
1297 : * scratchpad usage: as update and generate are used isolated, both
1298 : * can use the scratchpad
1299 : */
1300 : static struct drbg_state_ops_s drbg_hash_ops = {
1301 : drbg_hash_update,
1302 : drbg_hash_generate,
1303 : drbg_hash_init,
1304 : drbg_hash_fini,
1305 : };
1306 :
1307 : /******************************************************************
1308 : * Functions common for DRBG implementations
1309 : ******************************************************************/
1310 :
1311 : /*
1312 : * Seeding or reseeding of the DRBG
1313 : *
1314 : * @drbg: DRBG state struct
1315 : * @pers: personalization / additional information buffer
1316 : * @reseed: 0 for initial seed process, 1 for reseeding
1317 : *
1318 : * return:
1319 : * 0 on success
1320 : * error value otherwise
1321 : */
1322 : static gpg_err_code_t
1323 0 : drbg_seed (drbg_state_t drbg, drbg_string_t *pers, int reseed)
1324 : {
1325 0 : gpg_err_code_t ret = 0;
1326 0 : unsigned char *entropy = NULL;
1327 0 : size_t entropylen = 0;
1328 : drbg_string_t data1;
1329 :
1330 : /* 9.1 / 9.2 / 9.3.1 step 3 */
1331 0 : if (pers && pers->len > (drbg_max_addtl ()))
1332 : {
1333 : dbg (("DRBG: personalization string too long %lu\n", pers->len));
1334 0 : return GPG_ERR_INV_ARG;
1335 : }
1336 0 : if (drbg->test_data && drbg->test_data->testentropy)
1337 : {
1338 0 : drbg_string_fill (&data1, drbg->test_data->testentropy->buf,
1339 0 : drbg->test_data->testentropy->len);
1340 : dbg (("DRBG: using test entropy\n"));
1341 : }
1342 : else
1343 : {
1344 : /* Gather entropy equal to the security strength of the DRBG.
1345 : * With a derivation function, a nonce is required in addition
1346 : * to the entropy. A nonce must be at least 1/2 of the security
1347 : * strength of the DRBG in size. Thus, entropy * nonce is 3/2
1348 : * of the strength. The consideration of a nonce is only
1349 : * applicable during initial seeding. */
1350 0 : entropylen = drbg_sec_strength (drbg->core->flags);
1351 0 : if (!entropylen)
1352 0 : return GPG_ERR_GENERAL;
1353 0 : if (0 == reseed)
1354 : /* make sure we round up strength/2 in
1355 : * case it is not divisible by 2 */
1356 0 : entropylen = ((entropylen + 1) / 2) * 3;
1357 : dbg (("DRBG: (re)seeding with %lu bytes of entropy\n", entropylen));
1358 0 : entropy = xcalloc_secure (1, entropylen);
1359 0 : if (!entropy)
1360 0 : return GPG_ERR_ENOMEM;
1361 0 : ret = drbg_get_entropy (drbg, entropy, entropylen);
1362 0 : if (ret)
1363 0 : goto out;
1364 0 : drbg_string_fill (&data1, entropy, entropylen);
1365 : }
1366 :
1367 : /* concatenation of entropy with personalization str / addtl input)
1368 : * the variable pers is directly handed by the caller, check its
1369 : * contents whether it is appropriate */
1370 0 : if (pers && pers->buf && 0 < pers->len && NULL == pers->next)
1371 : {
1372 0 : data1.next = pers;
1373 : dbg (("DRBG: using personalization string\n"));
1374 : }
1375 :
1376 0 : ret = drbg->d_ops->update (drbg, &data1, reseed);
1377 : dbg (("DRBG: state updated with seed\n"));
1378 0 : if (ret)
1379 0 : goto out;
1380 0 : drbg->seeded = 1;
1381 : /* 10.1.1.2 / 10.1.1.3 step 5 */
1382 0 : drbg->reseed_ctr = 1;
1383 :
1384 : out:
1385 0 : xfree (entropy);
1386 0 : return ret;
1387 : }
1388 :
1389 :
1390 : /*************************************************************************
1391 : * Exported interfaces.
1392 : *************************************************************************/
1393 :
1394 : /*
1395 : * DRBG generate function as required by SP800-90A - this function
1396 : * generates random numbers
1397 : *
1398 : * @drbg DRBG state handle
1399 : * @buf Buffer where to store the random numbers -- the buffer must already
1400 : * be pre-allocated by caller
1401 : * @buflen Length of output buffer - this value defines the number of random
1402 : * bytes pulled from DRBG
1403 : * @addtl Additional input that is mixed into state, may be NULL -- note
1404 : * the entropy is pulled by the DRBG internally unconditionally
1405 : * as defined in SP800-90A. The additional input is mixed into
1406 : * the state in addition to the pulled entropy.
1407 : *
1408 : * return: Generated number of bytes.
1409 : */
1410 : static gpg_err_code_t
1411 0 : drbg_generate (drbg_state_t drbg,
1412 : unsigned char *buf, unsigned int buflen,
1413 : drbg_string_t *addtl)
1414 : {
1415 0 : gpg_err_code_t ret = GPG_ERR_INV_ARG;
1416 :
1417 0 : if (0 == buflen || !buf)
1418 : {
1419 : dbg (("DRBG: no buffer provided\n"));
1420 0 : return ret;
1421 : }
1422 0 : if (addtl && NULL == addtl->buf && 0 < addtl->len)
1423 : {
1424 : dbg (("DRBG: wrong format of additional information\n"));
1425 0 : return ret;
1426 : }
1427 :
1428 : /* 9.3.1 step 2 */
1429 0 : if (buflen > (drbg_max_request_bytes ()))
1430 : {
1431 : dbg (("DRBG: requested random numbers too large %u\n", buflen));
1432 0 : return ret;
1433 : }
1434 : /* 9.3.1 step 3 is implicit with the chosen DRBG */
1435 : /* 9.3.1 step 4 */
1436 0 : if (addtl && addtl->len > (drbg_max_addtl ()))
1437 : {
1438 : dbg (("DRBG: additional information string too long %lu\n",
1439 : addtl->len));
1440 0 : return ret;
1441 : }
1442 : /* 9.3.1 step 5 is implicit with the chosen DRBG */
1443 : /* 9.3.1 step 6 and 9 supplemented by 9.3.2 step c -- the spec is a
1444 : * bit convoluted here, we make it simpler */
1445 0 : if ((drbg_max_requests ()) < drbg->reseed_ctr)
1446 0 : drbg->seeded = 0;
1447 :
1448 0 : if (drbg->pr || !drbg->seeded)
1449 : {
1450 : dbg (("DRBG: reseeding before generation (prediction resistance: %s, state %s)\n", drbg->pr ? "true" : "false", drbg->seeded ? "seeded" : "unseeded"));
1451 : /* 9.3.1 steps 7.1 through 7.3 */
1452 0 : ret = drbg_seed (drbg, addtl, 1);
1453 0 : if (ret)
1454 0 : return ret;
1455 : /* 9.3.1 step 7.4 */
1456 0 : addtl = NULL;
1457 : }
1458 :
1459 0 : if (addtl && addtl->buf)
1460 : {
1461 : dbg (("DRBG: using additional information string\n"));
1462 : }
1463 :
1464 : /* 9.3.1 step 8 and 10 */
1465 0 : ret = drbg->d_ops->generate (drbg, buf, buflen, addtl);
1466 :
1467 : /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1468 0 : drbg->reseed_ctr++;
1469 0 : if (ret)
1470 0 : return ret;
1471 :
1472 : /* 11.3.3 -- re-perform self tests after some generated random
1473 : * numbers, the chosen value after which self test is performed
1474 : * is arbitrary, but it should be reasonable */
1475 : /* Here we do not perform the self tests because of the following
1476 : * reasons: it is mathematically impossible that the initial self tests
1477 : * were successfully and the following are not. If the initial would
1478 : * pass and the following would not, the system integrity is violated.
1479 : * In this case, the entire system operation is questionable and it
1480 : * is unlikely that the integrity violation only affects to the
1481 : * correct operation of the DRBG.
1482 : */
1483 : #if 0
1484 : if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096))
1485 : {
1486 : dbg (("DRBG: start to perform self test\n"));
1487 : ret = drbg_healthcheck ();
1488 : if (ret)
1489 : {
1490 : log_fatal (("DRBG: self test failed\n"));
1491 : return ret;
1492 : }
1493 : else
1494 : {
1495 : dbg (("DRBG: self test successful\n"));
1496 : }
1497 : }
1498 : #endif
1499 :
1500 0 : return ret;
1501 : }
1502 :
1503 : /*
1504 : * Wrapper around drbg_generate which can pull arbitrary long strings
1505 : * from the DRBG without hitting the maximum request limitation.
1506 : *
1507 : * Parameters: see drbg_generate
1508 : * Return codes: see drbg_generate -- if one drbg_generate request fails,
1509 : * the entire drbg_generate_long request fails
1510 : */
1511 : static gpg_err_code_t
1512 0 : drbg_generate_long (drbg_state_t drbg,
1513 : unsigned char *buf, unsigned int buflen,
1514 : drbg_string_t *addtl)
1515 : {
1516 0 : gpg_err_code_t ret = 0;
1517 0 : unsigned int slice = 0;
1518 0 : unsigned char *buf_p = buf;
1519 0 : unsigned len = 0;
1520 : do
1521 : {
1522 0 : unsigned int chunk = 0;
1523 0 : slice = ((buflen - len) / drbg_max_request_bytes ());
1524 0 : chunk = slice ? drbg_max_request_bytes () : (buflen - len);
1525 0 : ret = drbg_generate (drbg, buf_p, chunk, addtl);
1526 0 : if (ret)
1527 0 : return ret;
1528 0 : buf_p += chunk;
1529 0 : len += chunk;
1530 : }
1531 0 : while (slice > 0 && (len < buflen));
1532 0 : return ret;
1533 : }
1534 :
1535 : /*
1536 : * DRBG uninstantiate function as required by SP800-90A - this function
1537 : * frees all buffers and the DRBG handle
1538 : *
1539 : * @drbg DRBG state handle
1540 : *
1541 : * return
1542 : * 0 on success
1543 : */
1544 : static gpg_err_code_t
1545 0 : drbg_uninstantiate (drbg_state_t drbg)
1546 : {
1547 0 : if (!drbg)
1548 0 : return GPG_ERR_INV_ARG;
1549 0 : drbg->d_ops->crypto_fini(drbg);
1550 0 : xfree (drbg->V);
1551 0 : drbg->V = NULL;
1552 0 : xfree (drbg->C);
1553 0 : drbg->C = NULL;
1554 0 : drbg->reseed_ctr = 0;
1555 0 : xfree (drbg->scratchpad);
1556 0 : drbg->scratchpad = NULL;
1557 0 : drbg->seeded = 0;
1558 0 : drbg->pr = 0;
1559 0 : drbg->seed_init_pid = 0;
1560 0 : return 0;
1561 : }
1562 :
1563 : /*
1564 : * DRBG instantiation function as required by SP800-90A - this function
1565 : * sets up the DRBG handle, performs the initial seeding and all sanity
1566 : * checks required by SP800-90A
1567 : *
1568 : * @drbg memory of state -- if NULL, new memory is allocated
1569 : * @pers Personalization string that is mixed into state, may be NULL -- note
1570 : * the entropy is pulled by the DRBG internally unconditionally
1571 : * as defined in SP800-90A. The additional input is mixed into
1572 : * the state in addition to the pulled entropy.
1573 : * @coreref reference to core
1574 : * @flags Flags defining the requested DRBG type and cipher type. The flags
1575 : * are defined in drbg.h and may be XORed. Beware, if you XOR multiple
1576 : * cipher types together, the code picks the core on a first come first
1577 : * serve basis as it iterates through the available cipher cores and
1578 : * uses the one with the first match. The minimum required flags are:
1579 : * cipher type flag
1580 : *
1581 : * return
1582 : * 0 on success
1583 : * error value otherwise
1584 : */
1585 : static gpg_err_code_t
1586 0 : drbg_instantiate (drbg_state_t drbg,
1587 : drbg_string_t *pers, int coreref, int pr)
1588 : {
1589 0 : gpg_err_code_t ret = GPG_ERR_ENOMEM;
1590 0 : unsigned int sb_size = 0;
1591 :
1592 0 : if (!drbg)
1593 0 : return GPG_ERR_INV_ARG;
1594 :
1595 : dbg (("DRBG: Initializing DRBG core %d with prediction resistance %s\n",
1596 : coreref, pr ? "enabled" : "disabled"));
1597 0 : drbg->core = &drbg_cores[coreref];
1598 0 : drbg->pr = pr;
1599 0 : drbg->seeded = 0;
1600 0 : if (drbg->core->flags & DRBG_HMAC)
1601 0 : drbg->d_ops = &drbg_hmac_ops;
1602 0 : else if (drbg->core->flags & DRBG_HASH_MASK)
1603 0 : drbg->d_ops = &drbg_hash_ops;
1604 0 : else if (drbg->core->flags & DRBG_CTR_MASK)
1605 0 : drbg->d_ops = &drbg_ctr_ops;
1606 : else
1607 0 : return GPG_ERR_GENERAL;
1608 : /* 9.1 step 1 is implicit with the selected DRBG type -- see
1609 : * drbg_sec_strength() */
1610 :
1611 : /* 9.1 step 2 is implicit as caller can select prediction resistance
1612 : * and the flag is copied into drbg->flags --
1613 : * all DRBG types support prediction resistance */
1614 :
1615 : /* 9.1 step 4 is implicit in drbg_sec_strength */
1616 :
1617 0 : ret = drbg->d_ops->crypto_init(drbg);
1618 0 : if (ret)
1619 0 : goto err;
1620 :
1621 0 : drbg->V = xcalloc_secure (1, drbg_statelen (drbg));
1622 0 : if (!drbg->V)
1623 0 : goto fini;
1624 0 : drbg->C = xcalloc_secure (1, drbg_statelen (drbg));
1625 0 : if (!drbg->C)
1626 0 : goto fini;
1627 : /* scratchpad is only generated for CTR and Hash */
1628 0 : if (drbg->core->flags & DRBG_HMAC)
1629 0 : sb_size = 0;
1630 0 : else if (drbg->core->flags & DRBG_CTR_MASK)
1631 0 : sb_size = drbg_statelen (drbg) + drbg_blocklen (drbg) + /* temp */
1632 0 : drbg_statelen (drbg) + /* df_data */
1633 0 : drbg_blocklen (drbg) + /* pad */
1634 0 : drbg_blocklen (drbg) + /* iv */
1635 0 : drbg_statelen (drbg) + drbg_blocklen (drbg); /* temp */
1636 : else
1637 0 : sb_size = drbg_statelen (drbg);
1638 :
1639 0 : if (0 < sb_size)
1640 : {
1641 0 : drbg->scratchpad = xcalloc_secure (1, sb_size);
1642 0 : if (!drbg->scratchpad)
1643 0 : goto fini;
1644 : }
1645 : dbg (("DRBG: state allocated with scratchpad size %u bytes\n", sb_size));
1646 :
1647 : /* 9.1 step 6 through 11 */
1648 0 : ret = drbg_seed (drbg, pers, 0);
1649 0 : if (ret)
1650 0 : goto fini;
1651 :
1652 : dbg (("DRBG: core %d %s prediction resistance successfully initialized\n",
1653 : coreref, pr ? "with" : "without"));
1654 0 : return 0;
1655 :
1656 : fini:
1657 0 : drbg->d_ops->crypto_fini(drbg);
1658 : err:
1659 0 : drbg_uninstantiate (drbg);
1660 0 : return ret;
1661 : }
1662 :
1663 : /*
1664 : * DRBG reseed function as required by SP800-90A
1665 : *
1666 : * @drbg DRBG state handle
1667 : * @addtl Additional input that is mixed into state, may be NULL -- note
1668 : * the entropy is pulled by the DRBG internally unconditionally
1669 : * as defined in SP800-90A. The additional input is mixed into
1670 : * the state in addition to the pulled entropy.
1671 : *
1672 : * return
1673 : * 0 on success
1674 : * error value otherwise
1675 : */
1676 : static gpg_err_code_t
1677 0 : drbg_reseed (drbg_state_t drbg,drbg_string_t *addtl)
1678 : {
1679 0 : gpg_err_code_t ret = 0;
1680 0 : ret = drbg_seed (drbg, addtl, 1);
1681 0 : return ret;
1682 : }
1683 :
1684 :
1685 :
1686 : /******************************************************************
1687 : * Libgcrypt integration code.
1688 : ******************************************************************/
1689 :
1690 : /***************************************************
1691 : * Libgcrypt backend functions to the RNG API code.
1692 : ***************************************************/
1693 :
1694 : static inline void
1695 0 : drbg_lock (void)
1696 : {
1697 : gpg_err_code_t ec;
1698 :
1699 0 : ec = gpgrt_lock_lock (&drbg_lock_var);
1700 0 : if (ec)
1701 0 : log_fatal ("failed to acquire the RNG lock: %s\n", gpg_strerror (ec));
1702 0 : }
1703 :
1704 : static inline void
1705 0 : drbg_unlock (void)
1706 : {
1707 : gpg_err_code_t ec;
1708 :
1709 0 : ec = gpgrt_lock_unlock (&drbg_lock_var);
1710 0 : if (ec)
1711 0 : log_fatal ("failed to release the RNG lock: %s\n", gpg_strerror (ec));
1712 0 : }
1713 :
1714 : /* Basic initialization is required to initialize mutexes and
1715 : do a few checks on the implementation. */
1716 : static void
1717 0 : basic_initialization (void)
1718 : {
1719 : static int initialized;
1720 :
1721 0 : if (initialized)
1722 0 : return;
1723 0 : initialized = 1;
1724 :
1725 : /* Make sure that we are still using the values we have
1726 : traditionally used for the random levels. */
1727 : gcry_assert (GCRY_WEAK_RANDOM == 0
1728 : && GCRY_STRONG_RANDOM == 1
1729 : && GCRY_VERY_STRONG_RANDOM == 2);
1730 : }
1731 :
1732 : /****** helper functions where lock must be held by caller *****/
1733 :
1734 : /* Check whether given flags are known to point to an applicable DRBG */
1735 : static gpg_err_code_t
1736 0 : drbg_algo_available (u32 flags, int *coreref)
1737 : {
1738 0 : int i = 0;
1739 0 : for (i = 0; ARRAY_SIZE (drbg_cores) > i; i++)
1740 : {
1741 0 : if ((drbg_cores[i].flags & DRBG_CIPHER_MASK) ==
1742 : (flags & DRBG_CIPHER_MASK))
1743 : {
1744 0 : *coreref = i;
1745 0 : return 0;
1746 : }
1747 : }
1748 0 : return GPG_ERR_GENERAL;
1749 : }
1750 :
1751 : static gpg_err_code_t
1752 0 : _drbg_init_internal (u32 flags, drbg_string_t *pers)
1753 : {
1754 : static u32 oldflags;
1755 0 : gpg_err_code_t ret = 0;
1756 0 : int coreref = 0;
1757 0 : int pr = 0;
1758 :
1759 : /* If a caller provides 0 as flags, use the flags of the previous
1760 : * initialization, otherwise use the current flags and remember them
1761 : * for the next invocation. If no flag is given and no global state
1762 : * is set this is the first initialization and we set the default
1763 : * type.
1764 : */
1765 0 : if (!flags && !drbg_state)
1766 0 : flags = oldflags = DRBG_DEFAULT_TYPE;
1767 0 : else if (!flags)
1768 0 : flags = oldflags;
1769 : else
1770 0 : oldflags = flags;
1771 :
1772 0 : ret = drbg_algo_available (flags, &coreref);
1773 0 : if (ret)
1774 0 : return ret;
1775 :
1776 0 : if (drbg_state)
1777 : {
1778 0 : drbg_uninstantiate (drbg_state);
1779 : }
1780 : else
1781 : {
1782 0 : drbg_state = xtrycalloc_secure (1, sizeof *drbg_state);
1783 0 : if (!drbg_state)
1784 0 : return gpg_err_code_from_syserror ();
1785 : }
1786 0 : if (flags & DRBG_PREDICTION_RESIST)
1787 0 : pr = 1;
1788 0 : ret = drbg_instantiate (drbg_state, pers, coreref, pr);
1789 0 : if (ret)
1790 0 : fips_signal_error ("DRBG cannot be initialized");
1791 : else
1792 0 : drbg_state->seed_init_pid = getpid ();
1793 0 : return ret;
1794 : }
1795 :
1796 : /************* calls available to common RNG code **************/
1797 :
1798 : /*
1799 : * Initialize one DRBG invoked by the libgcrypt API
1800 : */
1801 : void
1802 0 : _gcry_rngdrbg_inititialize (int full)
1803 : {
1804 0 : basic_initialization ();
1805 0 : if (!full)
1806 0 : return;
1807 0 : drbg_lock ();
1808 0 : if (!drbg_state)
1809 0 : _drbg_init_internal (0, NULL);
1810 0 : drbg_unlock ();
1811 : }
1812 :
1813 : /*
1814 : * Backend handler function for GCRYCTL_DRBG_REINIT
1815 : *
1816 : * Select a different DRBG type and initialize it.
1817 : * Function checks whether requested DRBG type exists and returns an error in
1818 : * case it does not. In case of an error, the previous instantiated DRBG is
1819 : * left untouched and alive. Thus, in case of an error, a DRBG is always
1820 : * available, even if it is not the chosen one.
1821 : *
1822 : * Re-initialization will be performed in any case regardless whether flags
1823 : * or personalization string are set.
1824 : *
1825 : * If flags is NULL, do not change current DRBG. If PERS is NULL and
1826 : * NPERS is 0, re-initialize without personalization string. If PERS
1827 : * is not NULL NPERS must be one and PERS and the first ietm from the
1828 : * bufer is take as personalization string.
1829 : */
1830 : gpg_err_code_t
1831 0 : _gcry_rngdrbg_reinit (const char *flagstr, gcry_buffer_t *pers, int npers)
1832 : {
1833 : gpg_err_code_t ret;
1834 : unsigned int flags;
1835 :
1836 : /* If PERS is not given we expect NPERS to be zero; if given we
1837 : expect a one-item array. */
1838 0 : if ((!pers && npers) || (pers && npers != 1))
1839 0 : return GPG_ERR_INV_ARG;
1840 :
1841 0 : ret = parse_flag_string (flagstr, &flags);
1842 0 : if (!ret)
1843 : {
1844 : dbg (("DRBG: reinitialize internal DRBG state with flags %u\n", flags));
1845 0 : drbg_lock ();
1846 0 : if (pers)
1847 : {
1848 : drbg_string_t persbuf;
1849 :
1850 0 : drbg_string_fill
1851 0 : (&persbuf, (const unsigned char *)pers[0].data + pers[0].off,
1852 : pers[0].len);
1853 0 : ret = _drbg_init_internal (flags, &persbuf);
1854 : }
1855 : else
1856 0 : ret = _drbg_init_internal (flags, NULL);
1857 0 : drbg_unlock ();
1858 : }
1859 0 : return ret;
1860 : }
1861 :
1862 : /* Try to close the FDs of the random gather module. This is
1863 : * currently only implemented for rndlinux. */
1864 : void
1865 0 : _gcry_rngdrbg_close_fds (void)
1866 : {
1867 : #if USE_RNDLINUX
1868 0 : drbg_lock ();
1869 0 : _gcry_rndlinux_gather_random (NULL, 0, 0, 0);
1870 0 : drbg_unlock ();
1871 : #endif
1872 0 : }
1873 :
1874 : /* Print some statistics about the RNG. */
1875 : void
1876 0 : _gcry_rngdrbg_dump_stats (void)
1877 : {
1878 : /* Not yet implemented. */
1879 : /* Maybe dumping of reseed counter? */
1880 0 : }
1881 :
1882 : /* This function returns true if no real RNG is available or the
1883 : * quality of the RNG has been degraded for test purposes. */
1884 : int
1885 0 : _gcry_rngdrbg_is_faked (void)
1886 : {
1887 0 : return 0; /* Faked random is not allowed. */
1888 : }
1889 :
1890 : /* Add BUFLEN bytes from BUF to the internal random pool. QUALITY
1891 : * should be in the range of 0..100 to indicate the goodness of the
1892 : * entropy added, or -1 for goodness not known. */
1893 : gcry_error_t
1894 0 : _gcry_rngdrbg_add_bytes (const void *buf, size_t buflen, int quality)
1895 : {
1896 0 : gpg_err_code_t ret = 0;
1897 : drbg_string_t seed;
1898 : (void) quality;
1899 0 : _gcry_rngdrbg_inititialize (1); /* Auto-initialize if needed */
1900 0 : if (!drbg_state)
1901 0 : return GPG_ERR_GENERAL;
1902 0 : drbg_string_fill (&seed, (unsigned char *) buf, buflen);
1903 0 : drbg_lock ();
1904 0 : ret = drbg_reseed (drbg_state, &seed);
1905 0 : drbg_unlock ();
1906 0 : return ret;
1907 : }
1908 :
1909 : /* This function is to be used for all types of random numbers, including
1910 : * nonces
1911 : */
1912 : void
1913 0 : _gcry_rngdrbg_randomize (void *buffer, size_t length,
1914 : enum gcry_random_level level)
1915 : {
1916 : (void) level;
1917 0 : _gcry_rngdrbg_inititialize (1); /* Auto-initialize if needed */
1918 0 : drbg_lock ();
1919 0 : if (!drbg_state)
1920 : {
1921 0 : fips_signal_error ("DRBG is not initialized");
1922 0 : goto bailout;
1923 : }
1924 :
1925 : /* As reseeding changes the entire state of the DRBG, including any
1926 : * key, either a re-init or a reseed is sufficient for a fork */
1927 0 : if (drbg_state->seed_init_pid != getpid ())
1928 : {
1929 : /* We are in a child of us. Perform a reseeding. */
1930 0 : if (drbg_reseed (drbg_state, NULL))
1931 : {
1932 0 : fips_signal_error ("reseeding upon fork failed");
1933 0 : log_fatal ("severe error getting random\n");
1934 : goto bailout;
1935 : }
1936 : }
1937 : /* potential integer overflow is covered by drbg_generate which
1938 : * ensures that length cannot overflow an unsigned int */
1939 0 : if (0 < length)
1940 : {
1941 0 : if (!buffer)
1942 0 : goto bailout;
1943 0 : if (drbg_generate_long (drbg_state, buffer, (unsigned int) length, NULL))
1944 0 : log_fatal ("No random numbers generated\n");
1945 : }
1946 : else
1947 : {
1948 0 : drbg_gen_t *data = (drbg_gen_t *)buffer;
1949 : /* catch NULL pointer */
1950 0 : if (!data || !data->outbuf)
1951 : {
1952 0 : fips_signal_error ("No output buffer provided");
1953 0 : goto bailout;
1954 : }
1955 0 : if (drbg_generate_long (drbg_state, data->outbuf, data->outlen,
1956 : data->addtl))
1957 0 : log_fatal ("No random numbers generated\n");
1958 : }
1959 :
1960 : bailout:
1961 0 : drbg_unlock ();
1962 0 : return;
1963 :
1964 : }
1965 :
1966 : /***************************************************************
1967 : * Self-test code
1968 : ***************************************************************/
1969 :
1970 : /*
1971 : * Test vectors from
1972 : * http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgtestvectors.zip
1973 : */
1974 : struct gcry_drbg_test_vector drbg_test_pr[] = {
1975 : {
1976 : /* .flags = */ "sha256 pr" /* DRBG_PR_HASHSHA256 */,
1977 : /* .entropy = */ (unsigned char *)
1978 : "\x5d\xf2\x14\xbc\xf6\xb5\x4e\x0b\xf0\x0d\x6f\x2d"
1979 : "\xe2\x01\x66\x7b\xd0\xa4\x73\xa4\x21\xdd\xb0\xc0"
1980 : "\x51\x79\x09\xf4\xea\xa9\x08\xfa\xa6\x67\xe0\xe1"
1981 : "\xd1\x88\xa8\xad\xee\x69\x74\xb3\x55\x06\x9b\xf6",
1982 : /* .entropylen = */ 48,
1983 : /* .entpra = */ (unsigned char *)
1984 : "\xef\x48\x06\xa2\xc2\x45\xf1\x44\xfa\x34\x2c\xeb"
1985 : "\x8d\x78\x3c\x09\x8f\x34\x72\x20\xf2\xe7\xfd\x13"
1986 : "\x76\x0a\xf6\xdc\x3c\xf5\xc0\x15",
1987 : /* .entprb = */ (unsigned char *)
1988 : "\x4b\xbe\xe5\x24\xed\x6a\x2d\x0c\xdb\x73\x5e\x09"
1989 : "\xf9\xad\x67\x7c\x51\x47\x8b\x6b\x30\x2a\xc6\xde"
1990 : "\x76\xaa\x55\x04\x8b\x0a\x72\x95",
1991 : /* .entprlen = */ 32,
1992 : /* .addtla = */ (unsigned char *)
1993 : "\xbe\x13\xdb\x2a\xe9\xa8\xfe\x09\x97\xe1\xce\x5d"
1994 : "\xe8\xbb\xc0\x7c\x4f\xcb\x62\x19\x3f\x0f\xd2\xad"
1995 : "\xa9\xd0\x1d\x59\x02\xc4\xff\x70",
1996 : /* .addtlb = */ (unsigned char *)
1997 : "\x6f\x96\x13\xe2\xa7\xf5\x6c\xfe\xdf\x66\xe3\x31"
1998 : "\x63\x76\xbf\x20\x27\x06\x49\xf1\xf3\x01\x77\x41"
1999 : "\x9f\xeb\xe4\x38\xfe\x67\x00\xcd",
2000 : /* .addtllen = */ 32,
2001 : /* .pers = */ NULL,
2002 : /* .perslen = */ 0,
2003 : /* .expected = */ (unsigned char *)
2004 : "\x3b\x14\x71\x99\xa1\xda\xa0\x42\xe6\xc8\x85\x32"
2005 : "\x70\x20\x32\x53\x9a\xbe\xd1\x1e\x15\xef\xfb\x4c"
2006 : "\x25\x6e\x19\x3a\xf0\xb9\xcb\xde\xf0\x3b\xc6\x18"
2007 : "\x4d\x85\x5a\x9b\xf1\xe3\xc2\x23\x03\x93\x08\xdb"
2008 : "\xa7\x07\x4b\x33\x78\x40\x4d\xeb\x24\xf5\x6e\x81"
2009 : "\x4a\x1b\x6e\xa3\x94\x52\x43\xb0\xaf\x2e\x21\xf4"
2010 : "\x42\x46\x8e\x90\xed\x34\x21\x75\xea\xda\x67\xb6"
2011 : "\xe4\xf6\xff\xc6\x31\x6c\x9a\x5a\xdb\xb3\x97\x13"
2012 : "\x09\xd3\x20\x98\x33\x2d\x6d\xd7\xb5\x6a\xa8\xa9"
2013 : "\x9a\x5b\xd6\x87\x52\xa1\x89\x2b\x4b\x9c\x64\x60"
2014 : "\x50\x47\xa3\x63\x81\x16\xaf\x19",
2015 : /* .expectedlen = */ 128,
2016 : /* .entropyreseed = */ NULL,
2017 : /* .entropyreseed_len = */ 0,
2018 : /* .addtl_reseed = */ NULL,
2019 : /* .addtl_reseed_len = */ 0
2020 : },
2021 : {
2022 : /* flags = */ "hmac sha256 pr" /* DRBG_PR_HMACSHA256 */,
2023 : /* .entropy = */ (unsigned char *)
2024 : "\x13\x54\x96\xfc\x1b\x7d\x28\xf3\x18\xc9\xa7\x89"
2025 : "\xb6\xb3\xc8\x72\xac\x00\xd4\x59\x36\x25\x05\xaf"
2026 : "\xa5\xdb\x96\xcb\x3c\x58\x46\x87\xa5\xaa\xbf\x20"
2027 : "\x3b\xfe\x23\x0e\xd1\xc7\x41\x0f\x3f\xc9\xb3\x67",
2028 : /* .entropylen = */ 48,
2029 : /* .entpra = */ (unsigned char *)
2030 : "\xe2\xbd\xb7\x48\x08\x06\xf3\xe1\x93\x3c\xac\x79"
2031 : "\xa7\x2b\x11\xda\xe3\x2e\xe1\x91\xa5\x02\x19\x57"
2032 : "\x20\x28\xad\xf2\x60\xd7\xcd\x45",
2033 : /* .entprb = */ (unsigned char *)
2034 : "\x8b\xd4\x69\xfc\xff\x59\x95\x95\xc6\x51\xde\x71"
2035 : "\x68\x5f\xfc\xf9\x4a\xab\xec\x5a\xcb\xbe\xd3\x66"
2036 : "\x1f\xfa\x74\xd3\xac\xa6\x74\x60",
2037 : /* .entprlen = */ 32,
2038 : /* .addtla = */ NULL,
2039 : /* .addtlb = */ NULL,
2040 : /* .addtllen = */ 0,
2041 : /* .pers = */ (unsigned char *)
2042 : "\x64\xb6\xfc\x60\xbc\x61\x76\x23\x6d\x3f\x4a\x0f"
2043 : "\xe1\xb4\xd5\x20\x9e\x70\xdd\x03\x53\x6d\xbf\xce"
2044 : "\xcd\x56\x80\xbc\xb8\x15\xc8\xaa",
2045 : /* .perslen = */ 32,
2046 : /* .expected = */ (unsigned char *)
2047 : "\x1f\x9e\xaf\xe4\xd2\x46\xb7\x47\x41\x4c\x65\x99"
2048 : "\x01\xe9\x3b\xbb\x83\x0c\x0a\xb0\xc1\x3a\xe2\xb3"
2049 : "\x31\x4e\xeb\x93\x73\xee\x0b\x26\xc2\x63\xa5\x75"
2050 : "\x45\x99\xd4\x5c\x9f\xa1\xd4\x45\x87\x6b\x20\x61"
2051 : "\x40\xea\x78\xa5\x32\xdf\x9e\x66\x17\xaf\xb1\x88"
2052 : "\x9e\x2e\x23\xdd\xc1\xda\x13\x97\x88\xa5\xb6\x5e"
2053 : "\x90\x14\x4e\xef\x13\xab\x5c\xd9\x2c\x97\x9e\x7c"
2054 : "\xd7\xf8\xce\xea\x81\xf5\xcd\x71\x15\x49\x44\xce"
2055 : "\x83\xb6\x05\xfb\x7d\x30\xb5\x57\x2c\x31\x4f\xfc"
2056 : "\xfe\x80\xb6\xc0\x13\x0c\x5b\x9b\x2e\x8f\x3d\xfc"
2057 : "\xc2\xa3\x0c\x11\x1b\x80\x5f\xf3",
2058 : /* .expectedlen = */ 128,
2059 : /* .entropyreseed = */ NULL,
2060 : /* .entropyreseed_len = */ 0,
2061 : /* .addtl_reseed = */ NULL,
2062 : /* .addtl_reseed_len = */ 0
2063 : },
2064 : {
2065 : /* .flags = */ "aes sym128 pr", /* DRBG_PR_CTRAES128 */
2066 : /* .entropy = */ (unsigned char *)
2067 : "\x92\x89\x8f\x31\xfa\x1c\xff\x6d\x18\x2f\x26\x06"
2068 : "\x43\xdf\xf8\x18\xc2\xa4\xd9\x72\xc3\xb9\xb6\x97",
2069 : /* .entropylen = */ 24,
2070 : /* .entpra = */ (unsigned char *)
2071 : "\x20\x72\x8a\x06\xf8\x6f\x8d\xd4\x41\xe2\x72\xb7"
2072 : "\xc4\x2c\xe8\x10",
2073 : /* .entprb = */ (unsigned char *)
2074 : "\x3d\xb0\xf0\x94\xf3\x05\x50\x33\x17\x86\x3e\x22"
2075 : "\x08\xf7\xa5\x01",
2076 : /* .entprlen = */ 16,
2077 : /* .addtla = */ (unsigned char *)
2078 : "\x1a\x40\xfa\xe3\xcc\x6c\x7c\xa0\xf8\xda\xba\x59"
2079 : "\x23\x6d\xad\x1d",
2080 : /* .addtlb = */ (unsigned char *)
2081 : "\x9f\x72\x76\x6c\xc7\x46\xe5\xed\x2e\x53\x20\x12"
2082 : "\xbc\x59\x31\x8c",
2083 : /* .addtllen = */ 16,
2084 : /* .pers = */ (unsigned char *)
2085 : "\xea\x65\xee\x60\x26\x4e\x7e\xb6\x0e\x82\x68\xc4"
2086 : "\x37\x3c\x5c\x0b",
2087 : /* .perslen = */ 16,
2088 : /* .expected = */ (unsigned char *)
2089 : "\x5a\x35\x39\x87\x0f\x4d\x22\xa4\x09\x24\xee\x71"
2090 : "\xc9\x6f\xac\x72\x0a\xd6\xf0\x88\x82\xd0\x83\x28"
2091 : "\x73\xec\x3f\x93\xd8\xab\x45\x23\xf0\x7e\xac\x45"
2092 : "\x14\x5e\x93\x9f\xb1\xd6\x76\x43\x3d\xb6\xe8\x08"
2093 : "\x88\xf6\xda\x89\x08\x77\x42\xfe\x1a\xf4\x3f\xc4"
2094 : "\x23\xc5\x1f\x68",
2095 : /* .expectedlen = */ 64,
2096 : /* .entropyreseed = */ NULL,
2097 : /* .entropyreseed_len = */ 0,
2098 : /* .addtl_reseed = */ NULL,
2099 : /* .addtl_reseed_len = */ 0
2100 : }
2101 : };
2102 :
2103 : struct gcry_drbg_test_vector drbg_test_nopr[] = {
2104 : {
2105 : /* .flags = */ "sha256" /* DRBG_NOPR_HASHSHA256 */,
2106 : /* .entropy = */ (unsigned char *)
2107 : "\x73\xd3\xfb\xa3\x94\x5f\x2b\x5f\xb9\x8f\xf6\x9c"
2108 : "\x8a\x93\x17\xae\x19\xc3\x4c\xc3\xd6\xca\xa3\x2d"
2109 : "\x16\xfc\x42\xd2\x2d\xd5\x6f\x56\xcc\x1d\x30\xff"
2110 : "\x9e\x06\x3e\x09\xce\x58\xe6\x9a\x35\xb3\xa6\x56",
2111 : /* .entropylen = */ 48,
2112 : /* .entpra = */ NULL,
2113 : /* .entprb = */ NULL,
2114 : /* .entprlen = */ 0,
2115 : /* .addtla = */ (unsigned char *)
2116 : "\xf4\xd5\x98\x3d\xa8\xfc\xfa\x37\xb7\x54\x67\x73"
2117 : "\xc7\xc3\xdd\x47\x34\x71\x02\x5d\xc1\xa0\xd3\x10"
2118 : "\xc1\x8b\xbd\xf5\x66\x34\x6f\xdd",
2119 : /* .addtlb = */ (unsigned char *)
2120 : "\xf7\x9e\x6a\x56\x0e\x73\xe9\xd9\x7a\xd1\x69\xe0"
2121 : "\x6f\x8c\x55\x1c\x44\xd1\xce\x6f\x28\xcc\xa4\x4d"
2122 : "\xa8\xc0\x85\xd1\x5a\x0c\x59\x40",
2123 : /* .addtllen = */ 32,
2124 : /* .pers = */ NULL,
2125 : /* .perslen = */ 0,
2126 : /* .expected = */ (unsigned char *)
2127 : "\x71\x7b\x93\x46\x1a\x40\xaa\x35\xa4\xaa\xc5\xe7"
2128 : "\x6d\x5b\x5b\x8a\xa0\xdf\x39\x7d\xae\x71\x58\x5b"
2129 : "\x3c\x7c\xb4\xf0\x89\xfa\x4a\x8c\xa9\x5c\x54\xc0"
2130 : "\x40\xdf\xbc\xce\x26\x81\x34\xf8\xba\x7d\x1c\xe8"
2131 : "\xad\x21\xe0\x74\xcf\x48\x84\x30\x1f\xa1\xd5\x4f"
2132 : "\x81\x42\x2f\xf4\xdb\x0b\x23\xf8\x73\x27\xb8\x1d"
2133 : "\x42\xf8\x44\x58\xd8\x5b\x29\x27\x0a\xf8\x69\x59"
2134 : "\xb5\x78\x44\xeb\x9e\xe0\x68\x6f\x42\x9a\xb0\x5b"
2135 : "\xe0\x4e\xcb\x6a\xaa\xe2\xd2\xd5\x33\x25\x3e\xe0"
2136 : "\x6c\xc7\x6a\x07\xa5\x03\x83\x9f\xe2\x8b\xd1\x1c"
2137 : "\x70\xa8\x07\x59\x97\xeb\xf6\xbe",
2138 : /* .expectedlen = */ 128,
2139 : /* .entropyreseed = */ NULL,
2140 : /* .entropyreseed_len = */ 0,
2141 : /* .addtl_reseed = */ NULL,
2142 : /* .addtl_reseed_len = */ 0
2143 : },
2144 : {
2145 : /* .flags = */ "hmac sha256" /* DRBG_NOPR_HMACSHA256 */,
2146 : /* .entropy = */ (unsigned char *)
2147 : "\x8d\xf0\x13\xb4\xd1\x03\x52\x30\x73\x91\x7d\xdf"
2148 : "\x6a\x86\x97\x93\x05\x9e\x99\x43\xfc\x86\x54\x54"
2149 : "\x9e\x7a\xb2\x2f\x7c\x29\xf1\x22\xda\x26\x25\xaf"
2150 : "\x2d\xdd\x4a\xbc\xce\x3c\xf4\xfa\x46\x59\xd8\x4e",
2151 : /* .entropylen = */ 48,
2152 : /* .entpra = */ NULL,
2153 : /* .entprb = */ NULL,
2154 : /* .entprlen = */ 0,
2155 : /* .addtla = */ NULL,
2156 : /* .addtlb = */ NULL,
2157 : /* .addtllen = */ 0,
2158 : /* .pers = */ (unsigned char *)
2159 : "\xb5\x71\xe6\x6d\x7c\x33\x8b\xc0\x7b\x76\xad\x37"
2160 : "\x57\xbb\x2f\x94\x52\xbf\x7e\x07\x43\x7a\xe8\x58"
2161 : "\x1c\xe7\xbc\x7c\x3a\xc6\x51\xa9",
2162 : /* .perslen = */ 32,
2163 : /* .expected = */ (unsigned char *)
2164 : "\xb9\x1c\xba\x4c\xc8\x4f\xa2\x5d\xf8\x61\x0b\x81"
2165 : "\xb6\x41\x40\x27\x68\xa2\x09\x72\x34\x93\x2e\x37"
2166 : "\xd5\x90\xb1\x15\x4c\xbd\x23\xf9\x74\x52\xe3\x10"
2167 : "\xe2\x91\xc4\x51\x46\x14\x7f\x0d\xa2\xd8\x17\x61"
2168 : "\xfe\x90\xfb\xa6\x4f\x94\x41\x9c\x0f\x66\x2b\x28"
2169 : "\xc1\xed\x94\xda\x48\x7b\xb7\xe7\x3e\xec\x79\x8f"
2170 : "\xbc\xf9\x81\xb7\x91\xd1\xbe\x4f\x17\x7a\x89\x07"
2171 : "\xaa\x3c\x40\x16\x43\xa5\xb6\x2b\x87\xb8\x9d\x66"
2172 : "\xb3\xa6\x0e\x40\xd4\xa8\xe4\xe9\xd8\x2a\xf6\xd2"
2173 : "\x70\x0e\x6f\x53\x5c\xdb\x51\xf7\x5c\x32\x17\x29"
2174 : "\x10\x37\x41\x03\x0c\xcc\x3a\x56",
2175 : /* .expectedlen = */ 128,
2176 : /* .entropyreseed = */ NULL,
2177 : /* .entropyreseed_len = */ 0,
2178 : /* .addtl_reseed = */ NULL,
2179 : /* .addtl_reseed_len = */ 0
2180 : },
2181 : {
2182 : /* .flags = */ "aes sym128" /* DRBG_NOPR_CTRAES128 */,
2183 : /* .entropy = */ (unsigned char *)
2184 : "\xc0\x70\x1f\x92\x50\x75\x8f\xcd\xf2\xbe\x73\x98"
2185 : "\x80\xdb\x66\xeb\x14\x68\xb4\xa5\x87\x9c\x2d\xa6",
2186 : /* .entropylen = */ 24,
2187 : /* .entpra = */ NULL,
2188 : /* .entprb = */ NULL,
2189 : /* .entprlen = */ 0,
2190 : /* .addtla = */ (unsigned char *)
2191 : "\xf9\x01\xf8\x16\x7a\x1d\xff\xde\x8e\x3c\x83\xe2"
2192 : "\x44\x85\xe7\xfe",
2193 : /* .addtlb = */ (unsigned char *)
2194 : "\x17\x1c\x09\x38\xc2\x38\x9f\x97\x87\x60\x55\xb4"
2195 : "\x82\x16\x62\x7f",
2196 : /* .addtllen = */ 16,
2197 : /* .pers = */ (unsigned char *)
2198 : "\x80\x08\xae\xe8\xe9\x69\x40\xc5\x08\x73\xc7\x9f"
2199 : "\x8e\xcf\xe0\x02",
2200 : /* .perslen = */ 16,
2201 : /* .expected = */ (unsigned char *)
2202 : "\x97\xc0\xc0\xe5\xa0\xcc\xf2\x4f\x33\x63\x48\x8a"
2203 : "\xdb\x13\x0a\x35\x89\xbf\x80\x65\x62\xee\x13\x95"
2204 : "\x7c\x33\xd3\x7d\xf4\x07\x77\x7a\x2b\x65\x0b\x5f"
2205 : "\x45\x5c\x13\xf1\x90\x77\x7f\xc5\x04\x3f\xcc\x1a"
2206 : "\x38\xf8\xcd\x1b\xbb\xd5\x57\xd1\x4a\x4c\x2e\x8a"
2207 : "\x2b\x49\x1e\x5c",
2208 : /* .expectedlen = */ 64,
2209 : /* .entropyreseed = */ NULL,
2210 : /* .entropyreseed_len = */ 0,
2211 : /* .addtl_reseed = */ NULL,
2212 : /* .addtl_reseed_len = */ 0
2213 : },
2214 : {
2215 : /* .flags = */ "sha1" /* DRBG_NOPR_HASHSHA1 */,
2216 : /* .entropy = */ (unsigned char *)
2217 : "\x16\x10\xb8\x28\xcc\xd2\x7d\xe0\x8c\xee\xa0\x32"
2218 : "\xa2\x0e\x92\x08\x49\x2c\xf1\x70\x92\x42\xf6\xb5",
2219 : /* .entropylen = */ 24,
2220 : /* .entpra = */ NULL,
2221 : /* .entprb = */ NULL,
2222 : /* .entprlen = */ 0,
2223 : /* .addtla = */ NULL,
2224 : /* .addtlb = */ NULL,
2225 : /* .addtllen = */ 0,
2226 : /* .pers = */ NULL,
2227 : /* .perslen = */ 0,
2228 : /* .expected = */ (unsigned char *)
2229 : "\x56\xf3\x3d\x4f\xdb\xb9\xa5\xb6\x4d\x26\x23\x44"
2230 : "\x97\xe9\xdc\xb8\x77\x98\xc6\x8d\x08\xf7\xc4\x11"
2231 : "\x99\xd4\xbd\xdf\x97\xeb\xbf\x6c\xb5\x55\x0e\x5d"
2232 : "\x14\x9f\xf4\xd5\xbd\x0f\x05\xf2\x5a\x69\x88\xc1"
2233 : "\x74\x36\x39\x62\x27\x18\x4a\xf8\x4a\x56\x43\x35"
2234 : "\x65\x8e\x2f\x85\x72\xbe\xa3\x33\xee\xe2\xab\xff"
2235 : "\x22\xff\xa6\xde\x3e\x22\xac\xa2",
2236 : /* .expectedlen = */ 80,
2237 : /* .entropyreseed = */ (unsigned char *)
2238 : "\x72\xd2\x8c\x90\x8e\xda\xf9\xa4\xd1\xe5\x26\xd8"
2239 : "\xf2\xde\xd5\x44",
2240 : /* .entropyreseed_len = */ 16,
2241 : /* .addtl_reseed = */ NULL,
2242 : /* .addtl_reseed_len = */ 0
2243 : },
2244 : {
2245 : /* .flags = */ "sha1" /* DRBG_NOPR_HASHSHA1 */,
2246 : /* .entropy = */ (unsigned char *)
2247 : "\xd9\xba\xb5\xce\xdc\xa9\x6f\x61\x78\xd6\x45\x09"
2248 : "\xa0\xdf\xdc\x5e\xda\xd8\x98\x94\x14\x45\x0e\x01",
2249 : /* .entropylen = */ 24,
2250 : /* .entpra = */ NULL,
2251 : /* .entprb = */ NULL,
2252 : /* .entprlen = */ 0,
2253 : /* .addtla = */ (unsigned char *)
2254 : "\x04\xfa\x28\x95\xaa\x5a\x6f\x8c\x57\x43\x34\x3b"
2255 : "\x80\x5e\x5e\xa4",
2256 : /* .addtlb = */ (unsigned char *)
2257 : "\xdf\x5d\xc4\x59\xdf\xf0\x2a\xa2\xf0\x52\xd7\x21"
2258 : "\xec\x60\x72\x30",
2259 : /* .addtllen = */ 16,
2260 : /* .pers = */ NULL,
2261 : /* .perslen = */ 0,
2262 : /* .expected = */ (unsigned char *)
2263 : "\xc4\x8b\x89\xf9\xda\x3f\x74\x82\x45\x55\x5d\x5d"
2264 : "\x03\x3b\x69\x3d\xd7\x1a\x4d\xf5\x69\x02\x05\xce"
2265 : "\xfc\xd7\x20\x11\x3c\xc2\x4e\x09\x89\x36\xff\x5e"
2266 : "\x77\xb5\x41\x53\x58\x70\xb3\x39\x46\x8c\xdd\x8d"
2267 : "\x6f\xaf\x8c\x56\x16\x3a\x70\x0a\x75\xb2\x3e\x59"
2268 : "\x9b\x5a\xec\xf1\x6f\x3b\xaf\x6d\x5f\x24\x19\x97"
2269 : "\x1f\x24\xf4\x46\x72\x0f\xea\xbe",
2270 : /* .expectedlen = */ 80,
2271 : /* .entropyreseed = */ (unsigned char *)
2272 : "\xc6\xba\xd0\x74\xc5\x90\x67\x86\xf5\xe1\xf3\x20"
2273 : "\x99\xf5\xb4\x91",
2274 : /* .entropyreseed_len = */ 16,
2275 : /* .addtl_reseed = */ (unsigned char *)
2276 : "\x3e\x6b\xf4\x6f\x4d\xaa\x38\x25\xd7\x19\x4e\x69"
2277 : "\x4e\x77\x52\xf7",
2278 : /* .addtl_reseed_len = */ 16
2279 : }
2280 : };
2281 :
2282 :
2283 : /*
2284 : * Tests implement the CAVS test approach as documented in
2285 : * http://csrc.nist.gov/groups/STM/cavp/documents/drbg/DRBGVS.pdf
2286 : */
2287 :
2288 : /*
2289 : * CAVS test
2290 : *
2291 : * This function is not static as it is needed for as a private API
2292 : * call for the CAVS test tool.
2293 : */
2294 : gpg_err_code_t
2295 0 : _gcry_rngdrbg_cavs_test (struct gcry_drbg_test_vector *test, unsigned char *buf)
2296 : {
2297 0 : gpg_err_code_t ret = 0;
2298 0 : drbg_state_t drbg = NULL;
2299 : struct drbg_test_data_s test_data;
2300 : drbg_string_t addtl, pers, testentropy;
2301 0 : int coreref = 0;
2302 0 : int pr = 0;
2303 : u32 flags;
2304 :
2305 0 : ret = parse_flag_string (test->flagstr, &flags);
2306 0 : if (ret)
2307 0 : goto outbuf;
2308 :
2309 0 : ret = drbg_algo_available (flags, &coreref);
2310 0 : if (ret)
2311 0 : goto outbuf;
2312 :
2313 0 : drbg = xtrycalloc_secure (1, sizeof *drbg);
2314 0 : if (!drbg)
2315 : {
2316 0 : ret = gpg_err_code_from_syserror ();
2317 0 : goto outbuf;
2318 : }
2319 :
2320 0 : if ((flags & DRBG_PREDICTION_RESIST))
2321 0 : pr = 1;
2322 :
2323 0 : test_data.testentropy = &testentropy;
2324 0 : drbg_string_fill (&testentropy, test->entropy, test->entropylen);
2325 0 : drbg->test_data = &test_data;
2326 0 : drbg_string_fill (&pers, test->pers, test->perslen);
2327 0 : ret = drbg_instantiate (drbg, &pers, coreref, pr);
2328 0 : if (ret)
2329 0 : goto outbuf;
2330 :
2331 0 : if (test->entropyreseed)
2332 : {
2333 0 : drbg_string_fill (&testentropy, test->entropyreseed,
2334 : test->entropyreseed_len);
2335 0 : drbg_string_fill (&addtl, test->addtl_reseed,
2336 : test->addtl_reseed_len);
2337 0 : if (drbg_reseed (drbg, &addtl))
2338 0 : goto outbuf;
2339 : }
2340 :
2341 0 : drbg_string_fill (&addtl, test->addtla, test->addtllen);
2342 0 : if (test->entpra)
2343 : {
2344 0 : drbg_string_fill (&testentropy, test->entpra, test->entprlen);
2345 0 : drbg->test_data = &test_data;
2346 : }
2347 0 : drbg_generate_long (drbg, buf, test->expectedlen, &addtl);
2348 :
2349 0 : drbg_string_fill (&addtl, test->addtlb, test->addtllen);
2350 0 : if (test->entprb)
2351 : {
2352 0 : drbg_string_fill (&testentropy, test->entprb, test->entprlen);
2353 0 : drbg->test_data = &test_data;
2354 : }
2355 0 : drbg_generate_long (drbg, buf, test->expectedlen, &addtl);
2356 0 : drbg_uninstantiate (drbg);
2357 :
2358 : outbuf:
2359 0 : xfree (drbg);
2360 0 : return ret;
2361 : }
2362 :
2363 : /*
2364 : * Invoke the CAVS test and perform the final check whether the
2365 : * calculated random value matches the expected one.
2366 : *
2367 : * This function is not static as it is needed for as a private API
2368 : * call for the CAVS test tool.
2369 : */
2370 : gpg_err_code_t
2371 0 : _gcry_rngdrbg_healthcheck_one (struct gcry_drbg_test_vector * test)
2372 : {
2373 0 : gpg_err_code_t ret = GPG_ERR_ENOMEM;
2374 0 : unsigned char *buf = xcalloc_secure (1, test->expectedlen);
2375 0 : if (!buf)
2376 0 : return GPG_ERR_ENOMEM;
2377 :
2378 0 : ret = _gcry_rngdrbg_cavs_test (test, buf);
2379 : /* FIXME: The next line is wrong. */
2380 0 : ret = memcmp (test->expected, buf, test->expectedlen);
2381 :
2382 0 : xfree (buf);
2383 0 : return ret;
2384 : }
2385 :
2386 : /*
2387 : * Tests as defined in 11.3.2 in addition to the cipher tests: testing
2388 : * of the error handling.
2389 : *
2390 : * Note, testing the reseed counter is not done as an automatic reseeding
2391 : * is performed in drbg_generate when the reseed counter is too large.
2392 : */
2393 : static gpg_err_code_t
2394 0 : drbg_healthcheck_sanity (struct gcry_drbg_test_vector *test)
2395 : {
2396 0 : unsigned int len = 0;
2397 0 : drbg_state_t drbg = NULL;
2398 0 : gpg_err_code_t ret = GPG_ERR_GENERAL;
2399 0 : gpg_err_code_t tmpret = GPG_ERR_GENERAL;
2400 : struct drbg_test_data_s test_data;
2401 : drbg_string_t addtl, testentropy;
2402 0 : int coreref = 0;
2403 0 : unsigned char *buf = NULL;
2404 : size_t max_addtllen, max_request_bytes;
2405 : u32 flags;
2406 :
2407 : /* only perform test in FIPS mode */
2408 0 : if (0 == fips_mode ())
2409 0 : return 0;
2410 :
2411 0 : ret = parse_flag_string (test->flagstr, &flags);
2412 0 : if (ret)
2413 0 : return ret;
2414 0 : ret = GPG_ERR_GENERAL; /* Fixme: Improve handling of RET. */
2415 :
2416 0 : buf = xtrycalloc_secure (1, test->expectedlen);
2417 0 : if (!buf)
2418 0 : return gpg_err_code_from_syserror ();
2419 0 : tmpret = drbg_algo_available (flags, &coreref);
2420 0 : if (tmpret)
2421 0 : goto outbuf;
2422 0 : drbg = xtrycalloc_secure (1, sizeof *drbg);
2423 0 : if (!drbg)
2424 : {
2425 0 : ret = gpg_err_code_from_syserror ();
2426 0 : goto outbuf;
2427 : }
2428 :
2429 : /* if the following tests fail, it is likely that there is a buffer
2430 : * overflow and we get a SIGSEV */
2431 0 : ret = drbg_instantiate (drbg, NULL, coreref, 1);
2432 0 : if (ret)
2433 0 : goto outbuf;
2434 0 : max_addtllen = drbg_max_addtl ();
2435 0 : max_request_bytes = drbg_max_request_bytes ();
2436 : /* overflow addtllen with additonal info string */
2437 0 : drbg_string_fill (&addtl, test->addtla, (max_addtllen + 1));
2438 0 : len = drbg_generate (drbg, buf, test->expectedlen, &addtl);
2439 0 : if (len)
2440 0 : goto outdrbg;
2441 :
2442 : /* overflow max_bits */
2443 0 : len = drbg_generate (drbg, buf, (max_request_bytes + 1), NULL);
2444 0 : if (len)
2445 0 : goto outdrbg;
2446 0 : drbg_uninstantiate (drbg);
2447 :
2448 : /* test failing entropy source as defined in 11.3.2 */
2449 0 : test_data.testentropy = NULL;
2450 0 : test_data.fail_seed_source = 1;
2451 0 : drbg->test_data = &test_data;
2452 0 : tmpret = drbg_instantiate (drbg, NULL, coreref, 0);
2453 0 : if (!tmpret)
2454 0 : goto outdrbg;
2455 0 : test_data.fail_seed_source = 0;
2456 :
2457 0 : test_data.testentropy = &testentropy;
2458 0 : drbg_string_fill (&testentropy, test->entropy, test->entropylen);
2459 : /* overflow max addtllen with personalization string */
2460 0 : tmpret = drbg_instantiate (drbg, &addtl, coreref, 0);
2461 0 : if (!tmpret)
2462 0 : goto outdrbg;
2463 :
2464 : dbg (("DRBG: Sanity tests for failure code paths successfully completed\n"));
2465 0 : ret = 0;
2466 :
2467 : outdrbg:
2468 0 : drbg_uninstantiate (drbg);
2469 : outbuf:
2470 0 : xfree (buf);
2471 0 : xfree (drbg);
2472 0 : return ret;
2473 : }
2474 :
2475 : /*
2476 : * DRBG Healthcheck function as required in SP800-90A
2477 : *
2478 : * return:
2479 : * 0 on success (all tests pass)
2480 : * >0 on error (return code indicate the number of failures)
2481 : */
2482 : static int
2483 0 : drbg_healthcheck (void)
2484 : {
2485 0 : int ret = 0;
2486 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[0]);
2487 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[1]);
2488 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[2]);
2489 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[3]);
2490 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_nopr[4]);
2491 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[0]);
2492 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[1]);
2493 0 : ret += _gcry_rngdrbg_healthcheck_one (&drbg_test_pr[2]);
2494 0 : ret += drbg_healthcheck_sanity (&drbg_test_nopr[0]);
2495 0 : return ret;
2496 : }
2497 :
2498 : /* Run the self-tests. */
2499 : gcry_error_t
2500 0 : _gcry_rngdrbg_selftest (selftest_report_func_t report)
2501 : {
2502 : gcry_err_code_t ec;
2503 0 : const char *errtxt = NULL;
2504 0 : drbg_lock ();
2505 0 : if (0 != drbg_healthcheck ())
2506 0 : errtxt = "RNG output does not match known value";
2507 0 : drbg_unlock ();
2508 0 : if (report && errtxt)
2509 0 : report ("random", 0, "KAT", errtxt);
2510 0 : ec = errtxt ? GPG_ERR_SELFTEST_FAILED : 0;
2511 0 : return gpg_error (ec);
2512 : }
2513 :
2514 : /***************************************************************
2515 : * Cipher invocations requested by DRBG
2516 : ***************************************************************/
2517 :
2518 : static gpg_err_code_t
2519 0 : drbg_hash_init (drbg_state_t drbg)
2520 : {
2521 : gcry_md_hd_t hd;
2522 : gpg_error_t err;
2523 :
2524 0 : err = _gcry_md_open (&hd, drbg->core->backend_cipher, 0);
2525 0 : if (err)
2526 0 : return err;
2527 :
2528 0 : drbg->priv_data = hd;
2529 :
2530 0 : return 0;
2531 : }
2532 :
2533 : static gpg_err_code_t
2534 0 : drbg_hmac_init (drbg_state_t drbg)
2535 : {
2536 : gcry_md_hd_t hd;
2537 : gpg_error_t err;
2538 :
2539 0 : err = _gcry_md_open (&hd, drbg->core->backend_cipher, GCRY_MD_FLAG_HMAC);
2540 0 : if (err)
2541 0 : return err;
2542 :
2543 0 : drbg->priv_data = hd;
2544 :
2545 0 : return 0;
2546 : }
2547 :
2548 : static gpg_err_code_t
2549 0 : drbg_hmac_setkey (drbg_state_t drbg, const unsigned char *key)
2550 : {
2551 0 : gcry_md_hd_t hd = (gcry_md_hd_t)drbg->priv_data;
2552 :
2553 0 : return _gcry_md_setkey (hd, key, drbg_statelen (drbg));
2554 : }
2555 :
2556 : static void
2557 0 : drbg_hash_fini (drbg_state_t drbg)
2558 : {
2559 0 : gcry_md_hd_t hd = (gcry_md_hd_t)drbg->priv_data;
2560 :
2561 0 : _gcry_md_close (hd);
2562 0 : }
2563 :
2564 : static byte *
2565 0 : drbg_hash (drbg_state_t drbg, const drbg_string_t *buf)
2566 : {
2567 0 : gcry_md_hd_t hd = (gcry_md_hd_t)drbg->priv_data;
2568 :
2569 0 : _gcry_md_reset(hd);
2570 0 : for (; NULL != buf; buf = buf->next)
2571 0 : _gcry_md_write (hd, buf->buf, buf->len);
2572 0 : _gcry_md_final (hd);
2573 0 : return _gcry_md_read (hd, drbg->core->backend_cipher);
2574 : }
2575 :
2576 : static void
2577 0 : drbg_sym_fini (drbg_state_t drbg)
2578 : {
2579 0 : gcry_cipher_hd_t hd = (gcry_cipher_hd_t)drbg->priv_data;
2580 :
2581 0 : if (hd)
2582 0 : _gcry_cipher_close (hd);
2583 0 : if (drbg->ctr_handle)
2584 0 : _gcry_cipher_close (drbg->ctr_handle);
2585 0 : if (drbg->ctr_null)
2586 0 : free(drbg->ctr_null);
2587 0 : }
2588 :
2589 : static gpg_err_code_t
2590 0 : drbg_sym_init (drbg_state_t drbg)
2591 : {
2592 : gcry_cipher_hd_t hd;
2593 : gpg_error_t err;
2594 :
2595 0 : drbg->ctr_null = calloc(1, DRBG_CTR_NULL_LEN);
2596 0 : if (!drbg->ctr_null)
2597 0 : return GPG_ERR_ENOMEM;
2598 :
2599 0 : err = _gcry_cipher_open (&hd, drbg->core->backend_cipher,
2600 : GCRY_CIPHER_MODE_ECB, 0);
2601 0 : if (err)
2602 : {
2603 0 : drbg_sym_fini (drbg);
2604 0 : return err;
2605 : }
2606 0 : drbg->priv_data = hd;
2607 :
2608 0 : err = _gcry_cipher_open (&drbg->ctr_handle, drbg->core->backend_cipher,
2609 : GCRY_CIPHER_MODE_CTR, 0);
2610 0 : if (err)
2611 : {
2612 0 : drbg_sym_fini (drbg);
2613 0 : return err;
2614 : }
2615 :
2616 :
2617 0 : if (drbg_blocklen (drbg) !=
2618 0 : _gcry_cipher_get_algo_blklen (drbg->core->backend_cipher))
2619 : {
2620 0 : drbg_sym_fini (drbg);
2621 0 : return -GPG_ERR_NO_ERROR;
2622 : }
2623 :
2624 0 : return 0;
2625 : }
2626 :
2627 : static gpg_err_code_t
2628 0 : drbg_sym_setkey (drbg_state_t drbg, const unsigned char *key)
2629 : {
2630 0 : gcry_cipher_hd_t hd = (gcry_cipher_hd_t)drbg->priv_data;
2631 :
2632 0 : return _gcry_cipher_setkey (hd, key, drbg_keylen (drbg));
2633 : }
2634 :
2635 : static gpg_err_code_t
2636 0 : drbg_sym (drbg_state_t drbg, unsigned char *outval, const drbg_string_t *buf)
2637 : {
2638 0 : gcry_cipher_hd_t hd = (gcry_cipher_hd_t)drbg->priv_data;
2639 :
2640 0 : _gcry_cipher_reset(hd);
2641 0 : if (drbg_blocklen (drbg) < buf->len)
2642 0 : return -GPG_ERR_NO_ERROR;
2643 : /* in is only component */
2644 0 : return _gcry_cipher_encrypt (hd, outval, drbg_blocklen (drbg), buf->buf,
2645 : buf->len);
2646 : }
2647 :
2648 : static gpg_err_code_t
2649 0 : drbg_sym_ctr (drbg_state_t drbg,
2650 : const unsigned char *inbuf, unsigned int inbuflen,
2651 : unsigned char *outbuf, unsigned int outbuflen)
2652 : {
2653 : gpg_error_t err;
2654 :
2655 0 : _gcry_cipher_reset(drbg->ctr_handle);
2656 0 : err = _gcry_cipher_setctr(drbg->ctr_handle, drbg->V, drbg_blocklen (drbg));
2657 0 : if (err)
2658 0 : return err;
2659 :
2660 0 : while (outbuflen)
2661 : {
2662 0 : unsigned int cryptlen = (inbuflen > outbuflen) ? outbuflen : inbuflen;
2663 :
2664 0 : err = _gcry_cipher_encrypt (drbg->ctr_handle, outbuf, cryptlen, inbuf,
2665 : cryptlen);
2666 0 : if (err)
2667 0 : return err;
2668 :
2669 0 : outbuflen -= cryptlen;
2670 0 : outbuf += cryptlen;
2671 : }
2672 0 : return _gcry_cipher_getctr(drbg->ctr_handle, drbg->V, drbg_blocklen (drbg));
2673 : }
|