ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

Implemented NIST SP 800-90A DRBG_HMAC with SHA-256

This commit is contained in:
Andreas Steffen 2013-11-24 02:22:25 +01:00
parent 798a36dc14
commit 98c6421674
16 changed files with 697 additions and 1541 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/libstrongswan/plugins/ntru/Makefile.am
View File

@ -12,12 +12,12 @@ endif
libstrongswan_ntru_la_SOURCES = \
ntru_plugin.h ntru_plugin.c \
ntru_drbg.h ntru_drbg.c \
ntru_ke.h ntru_ke.c \
ntru_test_rng.h ntru_test_rng.c \
ntru_crypto/ntru_crypto.h ntru_crypto/ntru_crypto_error.h \
ntru_crypto/ntru_crypto_drbg.h ntru_crypto/ntru_crypto_drbg.c \
ntru_crypto/ntru_crypto_hash_basics.h \
ntru_crypto/ntru_crypto_hash.h ntru_crypto/ntru_crypto_hash.c \
ntru_crypto/ntru_crypto_hmac.h ntru_crypto/ntru_crypto_hmac.c \
ntru_crypto/ntru_crypto_msbyte_uint32.h \
ntru_crypto/ntru_crypto_msbyte_uint32.c \
ntru_crypto/ntru_crypto_ntru_convert.h \

7
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h
View File

@ -35,9 +35,10 @@
#define NTRU_CRYPTO_H
#include "ntru_crypto_platform.h"
#include "ntru_crypto_drbg.h"
#include "ntru_crypto_error.h"
#include "ntru_drbg.h"
#if !defined( NTRUCALL )
#if !defined(WIN32) || defined (NTRUCRYPTO_STATIC)
// Linux, or a Win32 static library
@ -135,7 +136,7 @@ typedef enum _NTRU_ENCRYPT_PARAM_SET_ID {
NTRUCALL
ntru_crypto_ntru_encrypt(
DRBG_HANDLE drbg_handle, /* in - handle for DRBG */
ntru_drbg_t *drbg , /* in - handle for DRBG */
uint16_t pubkey_blob_len, /* in - no. of octets in public key
blob */
uint8_t const *pubkey_blob, /* in - pointer to public key */
@ -234,7 +235,7 @@ ntru_crypto_ntru_decrypt(
NTRUCALL
ntru_crypto_ntru_encrypt_keygen(
DRBG_HANDLE drbg_handle, /* in - handle of DRBG */
ntru_drbg_t *drbg, /* in - handle of DRBG */
NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */
uint16_t *pubkey_blob_len, /* in/out - no. of octets in
pubkey_blob, addr

724
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_drbg.c
View File

@ -1,724 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_drbg.c is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_drbg.c
*
* Contents: Implementation of a SHA-256 HMAC-based deterministic random byte
* generator (HMAC_DRBG) as defined in ANSI X9.82, Part 3 - 2007.
*
* This implementation:
* - allows for MAX_INSTANTIATIONS simultaneous drbg instantiations
* (may be overridden on compiler command line)
* - has a maximum security strength of 256 bits
* - automatically uses SHA-256 for all security strengths
* - allows a personalization string of up to MAX_PERS_STR_BYTES bytes
* - implments reseeding
* - does not implement additional input for reseeding or generation
* - does not implement predictive resistance
* - limits the number of bytes requested in one invocation of generate to
* MAX_BYTES_PER_REQUEST
* - uses a callback function to allow the caller to supply the
* Get_entropy_input routine (entropy function)
* - limits the number of bytes returned from the entropy function to
* MAX_ENTROPY_NONCE_BYTES
* - gets the nonce bytes along with the entropy input from the entropy
* function
* - automatically reseeds an instantitation after MAX_REQUESTS calls to
* generate
*
*****************************************************************************/
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "ntru_crypto_drbg.h"
#include "ntru_crypto_hmac.h"
/************************
* HMAC_DRBG parameters *
************************/
/* Note: nonce size is sec_strength_bits/2 */
#define HMAC_DRBG_MAX_MIN_ENTROPY_NONCE_BYTES \
(DRBG_MAX_SEC_STRENGTH_BITS + DRBG_MAX_SEC_STRENGTH_BITS/2)/8
#define HMAC_DRBG_MAX_ENTROPY_NONCE_BYTES \
HMAC_DRBG_MAX_MIN_ENTROPY_NONCE_BYTES * DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY
#define HMAC_DRBG_MAX_REQUESTS 0xffffffff
/*******************
* DRBG structures *
*******************/
/* SHA256_HMAC_DRBG state structure */
typedef struct {
uint32_t sec_strength; /* security strength in bits */
uint32_t requests_left; /* generation requests remaining
before reseeding */
ENTROPY_FN entropy_fn; /* pointer to entropy function */
NTRU_CRYPTO_HMAC_CTX *hmac_ctx; /* pointer to HMAC context */
uint8_t V[33]; /* md_len size internal state + 1 */
} SHA256_HMAC_DRBG_STATE;
/* DRBG state structure
* Note: this could contain a DRBG_TYPE to direct allocation, instantiation,
* and generation to multiple types of DRBGs; at present only the
* SHA256_HMAC_DRBG is implemented
*/
typedef struct {
uint32_t handle;
void *state;
} DRBG_STATE;
/*************
* DRBG DATA *
*************/
/* array of drbg states */
static DRBG_STATE drbg_state[DRBG_MAX_INSTANTIATIONS];
/******************************
* SHA256 HMAC_DRBG functions *
******************************/
/* sha256_hmac_drbg_update
*
* This routine is the SHA-256 HMAC_DRBG derivation function for
* instantiation, and reseeding, and it is used in generation as well.
* It updates the internal state.
*
* For instantiation, provided_data1 holds the entropy input and nonce;
* provided_data2 holds the optional personalization string. Combined, this
* is the seed material.
*
* For reseeding, provided_data1 holds the entropy input;
* provided_data2 is NULL (because this implementation does not support
* additional input).
*
* For byte generation, both provided_data1 and provided_data2 are NULL.
*
* Returns DRBG_OK if successful.
* Returns HMAC errors if they occur.
*/
static uint32_t
sha256_hmac_drbg_update(
SHA256_HMAC_DRBG_STATE *s,
uint8_t *key, /* md_len size array */
uint32_t md_len,
uint8_t const *provided_data1,
uint32_t provided_data1_bytes,
uint8_t const *provided_data2,
uint32_t provided_data2_bytes)
{
uint32_t result;
/* new key = HMAC(K, V || 0x00 [|| provided data1 [|| provided data2]] */
if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) != NTRU_CRYPTO_HMAC_OK)
return result;
s->V[md_len] = 0x00;
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len + 1)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
if (provided_data1) {
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data1,
provided_data1_bytes)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
if (provided_data2) {
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data2,
provided_data2_bytes)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
}
}
if ((result = ntru_crypto_hmac_final(s->hmac_ctx, key)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
if ((result = ntru_crypto_hmac_set_key(s->hmac_ctx, key)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
/* new V = HMAC(K, V) */
if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) != NTRU_CRYPTO_HMAC_OK)
return result;
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
if ((result = ntru_crypto_hmac_final(s->hmac_ctx, s->V)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
/* if provided data exists, update K and V again */
if (provided_data1) {
/* new key = HMAC(K, V || 0x01 || provided data1 [|| provided data2] */
if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
s->V[md_len] = 0x01;
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len + 1)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data1,
provided_data1_bytes)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
if (provided_data2) {
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data2,
provided_data2_bytes)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
}
if ((result = ntru_crypto_hmac_final(s->hmac_ctx, key)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
if ((result = ntru_crypto_hmac_set_key(s->hmac_ctx, key)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
/* new V = HMAC(K, V) */
if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
if ((result = ntru_crypto_hmac_final(s->hmac_ctx, s->V)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
}
memset(key, 0, md_len);
DRBG_RET(DRBG_OK);
}
/* sha256_hmac_drbg_instantiate
*
* This routine allocates and initializes a SHA-256 HMAC_DRBG internal state.
*
* Returns DRBG_OK if successful.
* Returns DRBG_BAD_LENGTH if the personalization string is too long.
* Returns DRBG_OUT_OF_MEMORY if the internal state cannot be allocated.
* Returns errors from HASH or SHA256 if those errors occur.
*/
static uint32_t
sha256_hmac_drbg_instantiate(
uint32_t sec_strength_bits, /* strength to instantiate */
uint8_t const *pers_str,
uint32_t pers_str_bytes,
ENTROPY_FN entropy_fn,
SHA256_HMAC_DRBG_STATE **state)
{
uint8_t entropy_nonce[HMAC_DRBG_MAX_ENTROPY_NONCE_BYTES];
uint32_t entropy_nonce_bytes;
uint32_t min_bytes_of_entropy;
uint8_t num_bytes_per_byte_of_entropy;
uint8_t key[32]; /* array of md_len size */
SHA256_HMAC_DRBG_STATE *s;
uint32_t result;
uint32_t i;
/* check arguments */
if (pers_str_bytes > HMAC_DRBG_MAX_PERS_STR_BYTES)
DRBG_RET(DRBG_BAD_LENGTH);
/* calculate number of bytes needed for the entropy input and nonce
* for a SHA256_HMAC_DRBG, and get them from the entropy source
*/
if (entropy_fn(GET_NUM_BYTES_PER_BYTE_OF_ENTROPY,
&num_bytes_per_byte_of_entropy) == 0)
DRBG_RET(DRBG_ENTROPY_FAIL);
if ((num_bytes_per_byte_of_entropy == 0) ||
(num_bytes_per_byte_of_entropy >
DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY))
DRBG_RET(DRBG_ENTROPY_FAIL);
min_bytes_of_entropy = (sec_strength_bits + sec_strength_bits/2) / 8;
entropy_nonce_bytes = min_bytes_of_entropy * num_bytes_per_byte_of_entropy;
for (i = 0; i < entropy_nonce_bytes; i++)
if (entropy_fn(GET_BYTE_OF_ENTROPY, entropy_nonce+i) == 0)
DRBG_RET(DRBG_ENTROPY_FAIL);
/* allocate SHA256_HMAC_DRBG state */
s = (SHA256_HMAC_DRBG_STATE*) malloc(sizeof(SHA256_HMAC_DRBG_STATE));
if (s == NULL) {
DRBG_RET(DRBG_OUT_OF_MEMORY);
}
/* allocate HMAC context */
memset(key, 0, sizeof(key));
if ((result = ntru_crypto_hmac_create_ctx(NTRU_CRYPTO_HASH_ALGID_SHA256,
key, sizeof(key),
&s->hmac_ctx)) !=
NTRU_CRYPTO_HMAC_OK) {
free(s);
return result;
}
/* init and update internal state */
memset(s->V, 0x01, sizeof(s->V));
if ((result = sha256_hmac_drbg_update(s, key, sizeof(key),
entropy_nonce, entropy_nonce_bytes,
pers_str, pers_str_bytes)) != DRBG_OK) {
(void) ntru_crypto_hmac_destroy_ctx(s->hmac_ctx);
memset(s->V, 0, sizeof(s->V));
free(s);
}
memset(entropy_nonce, 0, sizeof(entropy_nonce));
/* init instantiation parameters */
s->sec_strength = sec_strength_bits;
s->requests_left = HMAC_DRBG_MAX_REQUESTS;
s->entropy_fn = entropy_fn;
*state = s;
return result;
}
/* sha256_hmac_drbg_free
*
* This routine frees a SHA-256 HMAC_DRBG internal state.
*
* Returns DRBG_OK if successful.
* Returns DRBG_BAD_PARAMETER if inappropriate NULL pointers are passed.
*/
static void
sha256_hmac_drbg_free(
SHA256_HMAC_DRBG_STATE *s)
{
if (s->hmac_ctx) {
(void) ntru_crypto_hmac_destroy_ctx(s->hmac_ctx);
}
memset(s->V, 0, sizeof(s->V));
s->sec_strength = 0;
s->requests_left = 0;
s->entropy_fn = NULL;
free(s);
}
/* sha256_hmac_drbg_reseed
*
* This function reseeds an instantiated SHA256_HMAC DRBG.
*
* Returns DRBG_OK if successful.
* Returns HMAC errors if they occur.
*/
static uint32_t
sha256_hmac_drbg_reseed(
SHA256_HMAC_DRBG_STATE *s)
{
uint8_t entropy[HMAC_DRBG_MAX_ENTROPY_NONCE_BYTES];
uint32_t entropy_bytes;
uint32_t min_bytes_of_entropy;
uint8_t num_bytes_per_byte_of_entropy;
uint8_t key[32]; // array of md_len size for sha256_hmac_drbg_update()
uint32_t result;
uint32_t i;
/* calculate number of bytes needed for the entropy input
* for a SHA256_HMAC_DRBG, and get them from the entropy source
*/
if (s->entropy_fn(GET_NUM_BYTES_PER_BYTE_OF_ENTROPY,
&num_bytes_per_byte_of_entropy) == 0)
DRBG_RET(DRBG_ENTROPY_FAIL);
if ((num_bytes_per_byte_of_entropy == 0) ||
(num_bytes_per_byte_of_entropy >
DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY))
DRBG_RET(DRBG_ENTROPY_FAIL);
min_bytes_of_entropy = s->sec_strength / 8;
entropy_bytes = min_bytes_of_entropy * num_bytes_per_byte_of_entropy;
for (i = 0; i < entropy_bytes; i++)
if (s->entropy_fn(GET_BYTE_OF_ENTROPY, entropy+i) == 0)
DRBG_RET(DRBG_ENTROPY_FAIL);
/* update internal state */
if ((result = sha256_hmac_drbg_update(s, key, sizeof(key),
entropy, entropy_bytes, NULL, 0)) !=
DRBG_OK)
return result;
/* reset request counter */
s->requests_left = HMAC_DRBG_MAX_REQUESTS;
DRBG_RET(DRBG_OK);
}
/* sha256_hmac_drbg_generate
*
* This routine generates pseudorandom bytes from a SHA256_HMAC DRBG.
*
* Returns DRBG_OK if successful.
* Returns DRBG_BAD_LENGTH if too many bytes are requested or the requested
* security strength is too large.
* Returns HMAC errors if they occur.
*/
static uint32_t
sha256_hmac_drbg_generate(
SHA256_HMAC_DRBG_STATE *s,
uint32_t sec_strength_bits,
uint32_t num_bytes,
uint8_t *out)
{
uint8_t key[32]; // array of md_len size for sha256_hmac_drbg_update()
uint32_t result;
/* check if number of bytes requested exceeds the maximum allowed */
if (num_bytes > HMAC_DRBG_MAX_BYTES_PER_REQUEST)
DRBG_RET(DRBG_BAD_LENGTH);
/* check if drbg has adequate security strength */
if (sec_strength_bits > s->sec_strength)
DRBG_RET(DRBG_BAD_LENGTH);
/* check if max requests have been exceeded */
if (s->requests_left == 0)
if ((result = sha256_hmac_drbg_reseed(s)) != DRBG_OK)
return result;
/* generate pseudorandom bytes */
while (num_bytes > 0) {
/* generate md_len bytes = V = HMAC(K, V) */
if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V,
sizeof(key))) !=
NTRU_CRYPTO_HMAC_OK)
return result;
if ((result = ntru_crypto_hmac_final(s->hmac_ctx, s->V)) !=
NTRU_CRYPTO_HMAC_OK)
return result;
/* copy generated bytes to output buffer */
if (num_bytes < sizeof(key)) {
memcpy(out, s->V, num_bytes);
num_bytes = 0;
} else {
memcpy(out, s->V, sizeof(key));
out += sizeof(key);
num_bytes -= sizeof(key);
}
}
/* update internal state */
if ((result = sha256_hmac_drbg_update(s, key, sizeof(key),
NULL, 0, NULL, 0)) != DRBG_OK)
return result;
s->requests_left--;
DRBG_RET(DRBG_OK);
}
/******************
* DRBG functions *
******************/
/* drbg_get_new_drbg
*
* This routine finds an uninstantiated drbg state and returns a pointer to it.
*
* Returns a pointer to an uninstantiated drbg state if found.
* Returns NULL if all drbg states are instantiated.
*/
static DRBG_STATE *
drbg_get_new_drbg()
{
int i;
for (i = 0; i < DRBG_MAX_INSTANTIATIONS; i++) {
if (drbg_state[i].state == NULL)
return drbg_state+i;
}
return NULL;
}
/* drbg_get_drbg
*
* This routine finds an instantiated drbg state given its handle, and returns
* a pointer to it.
*
* Returns a pointer to the drbg state if found.
* Returns NULL if the drbg state is not found.
*/
static DRBG_STATE *
drbg_get_drbg(
DRBG_HANDLE handle) /* in/out - drbg handle */
{
int i;
for (i = 0; i < DRBG_MAX_INSTANTIATIONS; i++) {
if ((drbg_state[i].handle == handle) && drbg_state[i].state)
return drbg_state+i;
}
return NULL;
}
/* drbg_get_new_handle
*
* This routine gets a new, unique 32-bit handle.
*
* Returns the new DRBG handle.
*/
static DRBG_HANDLE
drbg_get_new_handle(void)
{
DRBG_HANDLE h = 0;
/* ensure the new handle is unique:
* if it already exists, increment it
*/
while (drbg_get_drbg(h) != NULL)
++h;
return h;
}
/********************
* Public functions *
********************/
/* ntru_crypto_drbg_instantiate
*
* This routine instantiates a drbg with the requested security strength.
* See ANS X9.82: Part 3-2007.
*
* Returns DRBG_OK if successful.
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if an argument pointer is NULL.
* Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested
* or the personalization string is too large.
* Returns DRBG_ERROR_BASE + DRBG_OUT_OF_MEMORY if the internal state cannot be
* allocated from the heap.
*/
uint32_t
ntru_crypto_drbg_instantiate(
uint32_t sec_strength_bits, /* in - requested sec strength in bits */
uint8_t const *pers_str, /* in - ptr to personalization string */
uint32_t pers_str_bytes, /* in - no. personalization str bytes */
ENTROPY_FN entropy_fn, /* in - pointer to entropy function */
DRBG_HANDLE *handle) /* out - address for drbg handle */
{
DRBG_STATE *drbg = NULL;
SHA256_HMAC_DRBG_STATE *state = NULL;
uint32_t result;
/* check arguments */
if ((!pers_str && pers_str_bytes) || !entropy_fn || !handle)
DRBG_RET(DRBG_BAD_PARAMETER);
if (sec_strength_bits > DRBG_MAX_SEC_STRENGTH_BITS)
DRBG_RET(DRBG_BAD_LENGTH);
if (pers_str && (pers_str_bytes == 0))
pers_str = NULL;
/* set security strength */
if (sec_strength_bits <= 112) {
sec_strength_bits = 112;
} else if (sec_strength_bits <= 128) {
sec_strength_bits = 128;
} else if (sec_strength_bits <= 192) {
sec_strength_bits = 192;
} else {
sec_strength_bits = 256;
}
/* get an uninstantiated drbg */
if ((drbg = drbg_get_new_drbg()) == NULL)
DRBG_RET(DRBG_NOT_AVAILABLE);
/* init entropy function */
if (entropy_fn(INIT, NULL) == 0)
DRBG_RET(DRBG_ENTROPY_FAIL);
/* instantiate a SHA-256 HMAC_DRBG */
if ((result = sha256_hmac_drbg_instantiate(sec_strength_bits,
pers_str, pers_str_bytes,
entropy_fn,
&state)) != DRBG_OK)
return result;
/* init drbg state */
drbg->handle = drbg_get_new_handle();
drbg->state = state;
/* return drbg handle */
*handle = drbg->handle;
DRBG_RET(DRBG_OK);
}
/* ntru_crypto_drbg_uninstantiate
*
* This routine frees a drbg given its handle.
*
* Returns DRBG_OK if successful.
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid.
*/
uint32_t
ntru_crypto_drbg_uninstantiate(
DRBG_HANDLE handle) /* in - drbg handle */
{
DRBG_STATE *drbg = NULL;
/* find the instantiated drbg */
if ((drbg = drbg_get_drbg(handle)) == NULL)
DRBG_RET(DRBG_BAD_PARAMETER);
/* zero and free drbg state */
if (drbg->state) {
sha256_hmac_drbg_free((SHA256_HMAC_DRBG_STATE *)drbg->state);
drbg->state = NULL;
}
drbg->handle = 0;
DRBG_RET(DRBG_OK);
}
/* ntru_crypto_drbg_reseed
*
* This routine reseeds an instantiated drbg.
* See ANS X9.82: Part 3-2007.
*
* Returns DRBG_OK if successful.
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid.
* Returns HMAC errors if they occur.
*/
uint32_t
ntru_crypto_drbg_reseed(
DRBG_HANDLE handle) /* in - drbg handle */
{
DRBG_STATE *drbg = NULL;
/* find the instantiated drbg */
if ((drbg = drbg_get_drbg(handle)) == NULL)
DRBG_RET(DRBG_BAD_PARAMETER);
/* reseed the SHA-256 HMAC_DRBG */
return sha256_hmac_drbg_reseed((SHA256_HMAC_DRBG_STATE *)drbg->state);
}
/* ntru_crypto_drbg_generate
*
* This routine generates pseudorandom bytes using an instantiated drbg.
* If the maximum number of requests has been reached, reseeding will occur.
* See ANS X9.82: Part 3-2007.
*
* Returns DRBG_OK if successful.
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid or if
* an argument pointer is NULL.
* Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested
* is too large or the number of bytes requested is zero or too large.
* Returns HMAC errors if they occur.
*/
uint32_t
ntru_crypto_drbg_generate(
DRBG_HANDLE handle, /* in - drbg handle */
uint32_t sec_strength_bits, /* in - requested sec strength in bits */
uint32_t num_bytes, /* in - number of octets to generate */
uint8_t *out) /* out - address for generated octets */
{
DRBG_STATE *drbg = NULL;
/* find the instantiated drbg */
if ((drbg = drbg_get_drbg(handle)) == NULL)
DRBG_RET(DRBG_BAD_PARAMETER);
/* check arguments */
if (!out)
DRBG_RET(DRBG_BAD_PARAMETER);
if (num_bytes == 0)
DRBG_RET(DRBG_BAD_LENGTH);
/* generate pseudorandom output from the SHA256_HMAC_DRBG */
return sha256_hmac_drbg_generate((SHA256_HMAC_DRBG_STATE *)drbg->state,
sec_strength_bits, num_bytes, out);
}

193
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_drbg.h
View File

@ -1,193 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_drbg.h is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_drbg.h
*
* Contents: Public header file for ntru_crypto_drbg.c.
*
*****************************************************************************/
#ifndef NTRU_CRYPTO_DRBG_H
#define NTRU_CRYPTO_DRBG_H
#include "ntru_crypto_platform.h"
#include "ntru_crypto_error.h"
#if !defined( NTRUCALL )
#if !defined(WIN32) || defined (NTRUCRYPTO_STATIC)
// Linux, or a Win32 static library
#define NTRUCALL extern uint32_t
#elif defined (NTRUCRYPTO_EXPORTS)
// Win32 DLL build
#define NTRUCALL extern __declspec(dllexport) uint32_t
#else
// Win32 DLL import
#define NTRUCALL extern __declspec(dllimport) uint32_t
#endif
#endif /* NTRUCALL */
#if defined ( __cplusplus )
extern "C" {
#endif /* __cplusplus */
/*******************
* DRBG parameters *
*******************/
#if !defined(DRBG_MAX_INSTANTIATIONS)
#define DRBG_MAX_INSTANTIATIONS 4
#endif
#define DRBG_MAX_SEC_STRENGTH_BITS 256
#define DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY 8
/************************
* HMAC_DRBG parameters *
************************/
#define HMAC_DRBG_MAX_PERS_STR_BYTES 32
#define HMAC_DRBG_MAX_BYTES_PER_REQUEST 1024
/********************
* type definitions *
********************/
typedef uint32_t DRBG_HANDLE; /* drbg handle */
typedef enum { /* entropy-function commands */
GET_NUM_BYTES_PER_BYTE_OF_ENTROPY = 0,
INIT,
GET_BYTE_OF_ENTROPY,
} ENTROPY_CMD;
typedef uint8_t (*ENTROPY_FN)( /* get entropy function */
ENTROPY_CMD cmd, /* command */
uint8_t *out); /* address for output */
/***************
* error codes *
***************/
#define DRBG_OK 0x00000000 /* no errors */
#define DRBG_OUT_OF_MEMORY 0x00000001 /* can't allocate memory */
#define DRBG_BAD_PARAMETER 0x00000002 /* null pointer */
#define DRBG_BAD_LENGTH 0x00000003 /* invalid no. of bytes */
#define DRBG_NOT_AVAILABLE 0x00000004 /* no instantiation slot available */
#define DRBG_ENTROPY_FAIL 0x00000005 /* entropy function failure */
/***************
* error macro *
***************/
#define DRBG_RESULT(r) ((uint32_t)((r) ? DRBG_ERROR_BASE + (r) : (r)))
#define DRBG_RET(r) return DRBG_RESULT(r);
/*************************
* function declarations *
*************************/
/* ntru_crypto_drbg_instantiate
*
* This routine instantiates a drbg with the requested security strength.
* See ANS X9.82: Part 3-2007.
*
* Returns DRBG_OK if successful.
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if an argument pointer is NULL.
* Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested
* or the personalization string is too large.
* Returns DRBG_ERROR_BASE + DRBG_OUT_OF_MEMORY if the internal state cannot be
* allocated from the heap.
*/
NTRUCALL
ntru_crypto_drbg_instantiate(
uint32_t sec_strength_bits, /* in - requested sec strength in bits */
uint8_t const *pers_str, /* in - ptr to personalization string */
uint32_t pers_str_bytes, /* in - no. personalization str bytes */
ENTROPY_FN entropy_fn, /* in - pointer to entropy function */
DRBG_HANDLE *handle); /* out - address for drbg handle */
/* ntru_crypto_drbg_uninstantiate
*
* This routine frees a drbg given its handle.
*
* Returns DRBG_OK if successful.
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid.
*/
NTRUCALL
ntru_crypto_drbg_uninstantiate(
DRBG_HANDLE handle); /* in - drbg handle */
/* ntru_crypto_drbg_reseed
*
* This routine reseeds an instantiated drbg.
* See ANS X9.82: Part 3-2007.
*
* Returns DRBG_OK if successful.
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid.
* Returns NTRU_CRYPTO_HMAC errors if they occur.
*/
NTRUCALL
ntru_crypto_drbg_reseed(
DRBG_HANDLE handle); /* in - drbg handle */
/* ntru_crypto_drbg_generate
*
* This routine generates pseudorandom bytes using an instantiated drbg.
* If the maximum number of requests has been reached, reseeding will occur.
* See ANS X9.82: Part 3-2007.
*
* Returns DRBG_OK if successful.
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid or if
* an argument pointer is NULL.
* Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested
* is too large or the number of bytes requested is zero or too large.
* Returns NTRU_CRYPTO_HMAC errors if they occur.
*/
NTRUCALL
ntru_crypto_drbg_generate(
DRBG_HANDLE handle, /* in - drbg handle */
uint32_t sec_strength_bits, /* in - requested sec strength in bits */
uint32_t num_bytes, /* in - number of octets to generate */
uint8_t *out); /* out - address for generated octets */
#if defined ( __cplusplus )
}
#endif /* __cplusplus */
#endif /* NTRU_CRYPTO_DRBG_H */

320
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_hmac.c
View File

@ -1,320 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_hmac.c is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_hmac.c
*
* Contents: Routines implementing the HMAC hash calculation.
*
*****************************************************************************/
#include <stdlib.h>
#include <string.h>
#include "ntru_crypto_hmac.h"
/* HMAC context */
struct _NTRU_CRYPTO_HMAC_CTX {
NTRU_CRYPTO_HASH_CTX hash_ctx;
uint8_t *k0;
uint16_t blk_len;
uint16_t md_len;
};
/* ntru_crypto_hmac_create_ctx
*
* This routine creates an HMAC context, setting the hash algorithm and
* the key to be used.
*
* Returns NTRU_CRYPTO_HMAC_OK if successful.
* Returns NTRU_CRYPTO_HMAC_BAD_ALG if the specified algorithm is not supported.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HMAC_OUT_OF_MEMORY if memory cannot be allocated.
*/
uint32_t
ntru_crypto_hmac_create_ctx(
NTRU_CRYPTO_HASH_ALGID algid, /* in - the hash algorithm to be used */
uint8_t const *key, /* in - pointer to the HMAC key */
uint32_t key_len, /* in - number of bytes in HMAC key */
NTRU_CRYPTO_HMAC_CTX **c) /* out - address for pointer to HMAC
context */
{
NTRU_CRYPTO_HMAC_CTX *ctx = NULL;
uint32_t result;
/* check parameters */
if (!c || !key)
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
*c = NULL;
/* allocate memory for an HMAC context */
if ((ctx = (NTRU_CRYPTO_HMAC_CTX*) malloc(sizeof(NTRU_CRYPTO_HMAC_CTX))) ==
NULL)
HMAC_RET(NTRU_CRYPTO_HMAC_OUT_OF_MEMORY);
/* set the algorithm */
if (result = ntru_crypto_hash_set_alg(algid, &ctx->hash_ctx)) {
free(ctx);
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_ALG);
}
/* set block length and digest length */
if ((result = ntru_crypto_hash_block_length(&ctx->hash_ctx,
&ctx->blk_len)) ||
(result = ntru_crypto_hash_digest_length(&ctx->hash_ctx,
&ctx->md_len))) {
free(ctx);
return result;
}
/* allocate memory for K0 */
if ((ctx->k0 = (uint8_t*) malloc(ctx->blk_len)) == NULL) {
free(ctx);
HMAC_RET(NTRU_CRYPTO_HMAC_OUT_OF_MEMORY);
}
/* calculate K0 and store in HMAC context */
memset(ctx->k0, 0, ctx->blk_len);
/* check if key is too large */
if (key_len > ctx->blk_len) {
if (result = ntru_crypto_hash_digest(algid, key, key_len, ctx->k0)) {
memset(ctx->k0, 0, ctx->blk_len);
free(ctx->k0);
free(ctx);
return result;
}
} else
memcpy(ctx->k0, key, key_len);
/* return pointer to HMAC context */
*c = ctx;
HMAC_RET(NTRU_CRYPTO_HMAC_OK);
}
/* ntru_crypto_hmac_destroy_ctx
*
* Destroys an HMAC context.
*
* Returns NTRU_CRYPTO_HMAC_OK if successful.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
*/
uint32_t
ntru_crypto_hmac_destroy_ctx(
NTRU_CRYPTO_HMAC_CTX *c) /* in/out - pointer to HMAC context */
{
if (!c || !c->k0)
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
/* clear key and release memory */
memset(c->k0, 0, c->blk_len);
free(c->k0);
free(c);
HMAC_RET(NTRU_CRYPTO_HMAC_OK);
}
/* ntru_crypto_hmac_get_md_len
*
* This routine gets the digest length of the HMAC.
*
* Returns NTRU_CRYPTO_HMAC_OK on success.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
*/
uint32_t
ntru_crypto_hmac_get_md_len(
NTRU_CRYPTO_HMAC_CTX const *c, /* in - pointer to HMAC context */
uint16_t *md_len) /* out - address for digest length */
{
/* check parameters */
if (!c || !md_len)
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
/* get digest length */
*md_len = c->md_len;
HMAC_RET(NTRU_CRYPTO_HMAC_OK);
}
/* ntru_crypto_hmac_set_key
*
* This routine sets a digest-length key into the HMAC context.
*
* Returns NTRU_CRYPTO_HMAC_OK on success.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
*/
uint32_t
ntru_crypto_hmac_set_key(
NTRU_CRYPTO_HMAC_CTX *c, /* in - pointer to HMAC context */
uint8_t const *key) /* in - pointer to new HMAC key */
{
/* check parameters */
if (!c || !key)
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
/* copy key */
memcpy(c->k0, key, c->md_len);
HMAC_RET(NTRU_CRYPTO_HMAC_OK);
}
/* ntru_crypto_hmac_init
*
* This routine performs standard initialization of the HMAC state.
*
* Returns NTRU_CRYPTO_HMAC_OK on success.
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
*/
uint32_t
ntru_crypto_hmac_init(
NTRU_CRYPTO_HMAC_CTX *c) /* in/out - pointer to HMAC context */
{
uint32_t result;
int i;
/* check parameters */
if (!c)
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
/* init hash context and compute H(K0 ^ ipad) */
for (i = 0; i < c->blk_len; i++)
c->k0[i] ^= 0x36; /* K0 ^ ipad */
if ((result = ntru_crypto_hash_init(&c->hash_ctx)) ||
(result = ntru_crypto_hash_update(&c->hash_ctx, c->k0, c->blk_len)))
return result;
HMAC_RET(NTRU_CRYPTO_HMAC_OK);
}
/* ntru_crypto_hmac_update
*
* This routine processes input data and updates the HMAC hash calculation.
*
* Returns NTRU_CRYPTO_HMAC_OK on success.
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_OVERFLOW if more than bytes are hashed than the
* underlying hash algorithm can handle.
*/
uint32_t
ntru_crypto_hmac_update(
NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */
const uint8_t *data, /* in - pointer to input data */
uint32_t data_len) /* in - no. of bytes of input data */
{
uint32_t result;
/* check parameters */
if (!c || (data_len && !data))
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
if (result = ntru_crypto_hash_update(&c->hash_ctx, data, data_len))
return result;
HMAC_RET(NTRU_CRYPTO_HMAC_OK);
}
/* ntru_crypto_hmac_final
*
* This routine completes the HMAC hash calculation and returns the
* message digest.
*
* Returns NTRU_CRYPTO_HMAC_OK on success.
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
*/
uint32_t
ntru_crypto_hmac_final(
NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */
uint8_t *md) /* out - address for message digest */
{
uint32_t result = NTRU_CRYPTO_HMAC_OK;
int i;
/* check parameters */
if (!c || !md)
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
/* form K0 ^ opad
* complete md = H((K0 ^ ipad) || data)
* compute md = H((K0 ^ opad) || md)
* re-form K0
*/
for (i = 0; i < c->blk_len; i++)
c->k0[i] ^= (0x36^0x5c);
if ((result = ntru_crypto_hash_final(&c->hash_ctx, md)) ||
(result = ntru_crypto_hash_init(&c->hash_ctx)) ||
(result = ntru_crypto_hash_update(&c->hash_ctx, c->k0, c->blk_len)) ||
(result = ntru_crypto_hash_update(&c->hash_ctx, md, c->md_len)) ||
(result = ntru_crypto_hash_final(&c->hash_ctx, md))) {
}
for (i = 0; i < c->blk_len; i++)
c->k0[i] ^= 0x5c;
return result;
}

183
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_hmac.h
View File

@ -1,183 +0,0 @@
/*/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_hmac.h is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_hmac.h
*
* Contents: Definitions and declarations for the HMAC implementation.
*
*****************************************************************************/
#ifndef NTRU_CRYPTO_HMAC_H
#define NTRU_CRYPTO_HMAC_H
#include "ntru_crypto_platform.h"
#include "ntru_crypto_hash.h"
/***************
* error codes *
***************/
#define NTRU_CRYPTO_HMAC_OK ((uint32_t)NTRU_CRYPTO_HASH_OK)
#define NTRU_CRYPTO_HMAC_BAD_PARAMETER ((uint32_t)NTRU_CRYPTO_HASH_BAD_PARAMETER)
#define NTRU_CRYPTO_HMAC_BAD_ALG ((uint32_t)NTRU_CRYPTO_HASH_BAD_ALG)
#define NTRU_CRYPTO_HMAC_OUT_OF_MEMORY ((uint32_t)NTRU_CRYPTO_HASH_OUT_OF_MEMORY)
#define HMAC_RESULT(e) ((uint32_t)((e) ? HMAC_ERROR_BASE + (e) : (e)))
#define HMAC_RET(e) return HMAC_RESULT(e)
/*************************
* structure definitions *
*************************/
/* HMAC context structure */
struct _NTRU_CRYPTO_HMAC_CTX; /* opaque forward reference */
typedef struct _NTRU_CRYPTO_HMAC_CTX NTRU_CRYPTO_HMAC_CTX;
/*************************
* function declarations *
*************************/
/* ntru_crypto_hmac_create_ctx
*
* This routine creates an HMAC context, setting the hash algorithm and
* the key to be used.
*
* Returns NTRU_CRYPTO_HASH_OK if successful.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_OUT_OF_MEMORY if memory cannot be allocated.
*/
extern uint32_t
ntru_crypto_hmac_create_ctx(
NTRU_CRYPTO_HASH_ALGID algid, /* in - the hash algorithm to be used */
uint8_t const *key, /* in - pointer to the HMAC key */
uint32_t key_len, /* in - number of bytes in HMAC key */
NTRU_CRYPTO_HMAC_CTX **c); /* out - address for pointer to HMAC
context */
/* ntru_crypto_hmac_destroy_ctx
*
* Destroys an HMAC context.
*
* Returns NTRU_CRYPTO_HASH_OK if successful.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
*/
extern uint32_t
ntru_crypto_hmac_destroy_ctx(
NTRU_CRYPTO_HMAC_CTX *c); /* in/out - pointer to HMAC context */
/* ntru_crypto_hmac_get_md_len
*
* This routine gets the digest length of the HMAC.
*
* Returns NTRU_CRYPTO_HMAC_OK on success.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
*/
extern uint32_t
ntru_crypto_hmac_get_md_len(
NTRU_CRYPTO_HMAC_CTX const *c, /* in - pointer to HMAC context */
uint16_t *md_len); /* out - address for digest length */
/* ntru_crypto_hmac_set_key
*
* This routine sets a digest-length key into the HMAC context.
*
* Returns NTRU_CRYPTO_HMAC_OK on success.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
*/
extern uint32_t
ntru_crypto_hmac_set_key(
NTRU_CRYPTO_HMAC_CTX *c, /* in - pointer to HMAC context */
uint8_t const *key); /* in - pointer to new HMAC key */
/* ntru_crypto_hmac_init
*
* This routine performs standard initialization of the HMAC state.
*
* Returns NTRU_CRYPTO_HMAC_OK on success.
* Returns NTRU_CRYPTO_HMAC_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
*/
extern uint32_t
ntru_crypto_hmac_init(
NTRU_CRYPTO_HMAC_CTX *c); /* in/out - pointer to HMAC context */
/* ntru_crypto_hmac_update
*
* This routine processes input data and updates the HMAC hash calculation.
*
* Returns NTRU_CRYPTO_HMAC_OK on success.
* Returns NTRU_CRYPTO_HMAC_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HMAC_OVERFLOW if more than bytes are hashed than the underlying
* hash algorithm can handle.
*/
extern uint32_t
ntru_crypto_hmac_update(
NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */
uint8_t const *data, /* in - pointer to input data */
uint32_t data_len); /* in - no. of bytes of input data */
/* ntru_crypto_hmac_final
*
* This routine completes the HMAC hash calculation and returns the
* message digest.
*
* Returns NTRU_CRYPTO_HMAC_OK on success.
* Returns NTRU_CRYPTO_HMAC_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
*/
extern uint32_t
ntru_crypto_hmac_final(
NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */
uint8_t *md); /* out - address for message digest */
#endif /* NTRU_CRYPTO_HMAC_H */

37
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c
View File

@ -41,8 +41,6 @@
#include "ntru_crypto_ntru_convert.h"
#include "ntru_crypto_ntru_poly.h"
#include "ntru_crypto_ntru_mgf1.h"
#include "ntru_crypto_drbg.h"
/* ntru_crypto_ntru_encrypt
*
@ -81,7 +79,7 @@
uint32_t
ntru_crypto_ntru_encrypt(
DRBG_HANDLE drbg_handle, /* in - handle of DRBG */
ntru_drbg_t *drbg, /* in - handle of DRBG */
uint16_t pubkey_blob_len, /* in - no. of octets in public key
blob */
uint8_t const *pubkey_blob, /* in - pointer to public key */
@ -200,9 +198,15 @@ ntru_crypto_ntru_encrypt(
uint8_t *ptr = tmp_buf;
/* get b */
result = ntru_crypto_drbg_generate(drbg_handle,
params->sec_strength_len << 3,
params->sec_strength_len, b_buf);
if (drbg->generate(drbg, params->sec_strength_len << 3,
params->sec_strength_len, b_buf))
{
result = NTRU_OK;
}
else
{
result = NTRU_FAIL;
}
if (result == NTRU_OK) {
@ -767,7 +771,7 @@ ntru_crypto_ntru_decrypt(
uint32_t
ntru_crypto_ntru_encrypt_keygen(
DRBG_HANDLE drbg_handle, /* in - handle of DRBG */
ntru_drbg_t *drbg, /* in - handle of DRBG */
NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */
uint16_t *pubkey_blob_len, /* in/out - no. of octets in
pubkey_blob, addr
@ -881,9 +885,14 @@ ntru_crypto_ntru_encrypt_keygen(
* as a list of indices
*/
result = ntru_crypto_drbg_generate(drbg_handle,
params->sec_strength_len << 3,
seed_len, tmp_buf);
if (drbg->generate(drbg, params->sec_strength_len << 3, seed_len, tmp_buf))
{
result = NTRU_OK;
}
else
{
result = NTRU_FAIL;
}
if (result == NTRU_OK) {
@ -960,9 +969,11 @@ ntru_crypto_ntru_encrypt_keygen(
/* get random bytes for seed for generating trinary g
* as a list of indices
*/
result = ntru_crypto_drbg_generate(drbg_handle,
params->sec_strength_len << 3,
seed_len, tmp_buf);
if (!drbg->generate(drbg, params->sec_strength_len << 3, seed_len,
tmp_buf))
{
result = NTRU_FAIL;
}
}
if (result == NTRU_OK) {

277
src/libstrongswan/plugins/ntru/ntru_drbg.c Normal file
View File

@ -0,0 +1,277 @@
/*
* Copyright (C) 2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "ntru_drbg.h"
#include <utils/debug.h>
#define MAX_STRENGTH_BITS 256
#define MAX_DRBG_REQUESTS 0xffffffff
typedef struct private_ntru_drbg_t private_ntru_drbg_t;
/**
* Private data of an ntru_drbg_t object.
*/
struct private_ntru_drbg_t {
/**
* Public ntru_drbg_t interface.
*/
ntru_drbg_t public;
/**
* Security strength in bits of the DRBG
*/
u_int32_t strength;
/**
* Number of requests for pseudorandom bits
*/
u_int32_t reseed_counter;
/**
* Maximum number of requests for pseudorandom bits
*/
u_int32_t max_requests;
/**
* True entropy source
*/
rng_t *entropy;
/**
* HMAC-SHA256
*/
signer_t *hmac;
/**
* Internal state of HMAC-SHA256: key
*/
chunk_t key;
/**
* Internal state of HMAC-SHA256: value
*/
chunk_t value;
};
/**
* Update the internal state of the HMAC_DRBG
*/
static bool update(private_ntru_drbg_t *this, chunk_t data)
{
chunk_t ch_00 = chunk_from_chars(0x00);
chunk_t ch_01 = chunk_from_chars(0x01);
if (!this->hmac->set_key(this->hmac, this->key) ||
!this->hmac->get_signature(this->hmac, this->value, NULL) ||
!this->hmac->get_signature(this->hmac, ch_00, NULL) ||
!this->hmac->get_signature(this->hmac, data, this->key.ptr) ||
!this->hmac->set_key(this->hmac, this->key) ||
!this->hmac->get_signature(this->hmac, this->value,
this->value.ptr))
{
return FALSE;
}
if (data.len > 0)
{
if (!this->hmac->set_key(this->hmac, this->key) ||
!this->hmac->get_signature(this->hmac, this->value, NULL) ||
!this->hmac->get_signature(this->hmac, ch_01, NULL) ||
!this->hmac->get_signature(this->hmac, data, this->key.ptr) ||
!this->hmac->set_key(this->hmac, this->key) ||
!this->hmac->get_signature(this->hmac, this->value,
this->value.ptr))
{
return FALSE;
}
}
DBG4(DBG_LIB, "HMAC_DRBG V: %B", &this->value);
DBG4(DBG_LIB, "HMAC_DRBG K: %B", &this->key);
return TRUE;
}
METHOD(ntru_drbg_t, get_strength, u_int32_t,
private_ntru_drbg_t *this)
{
return this->strength;
}
METHOD(ntru_drbg_t, reseed, bool,
private_ntru_drbg_t *this)
{
chunk_t seed;
seed = chunk_alloc(this->strength / BITS_PER_BYTE);
DBG2(DBG_LIB, "DBRG requesting %u bytes of entropy", seed.len);
if (!this->entropy->get_bytes(this->entropy, seed.len, seed.ptr))
{
chunk_free(&seed);
return FALSE;
}
if (!update(this, seed))
{
chunk_free(&seed);
return FALSE;
}
chunk_clear(&seed);
this->reseed_counter = 1;
return TRUE;
}
METHOD(ntru_drbg_t, generate, bool,
private_ntru_drbg_t *this, u_int32_t strength, u_int32_t len, u_int8_t *out)
{
size_t delta;
chunk_t output;
DBG2(DBG_LIB, "DRBG generates %u pseudorandom bytes", len);
if (!out || len == 0)
{
return FALSE;
}
output = chunk_create(out, len);
if (this->reseed_counter >= this->max_requests)
{
if (!reseed(this))
{
return FALSE;
}
}
while (len)
{
if (!this->hmac->get_signature(this->hmac, this->value,
this->value.ptr))
{
return FALSE;
}
delta = min(len, this->value.len);
memcpy(out, this->value.ptr, delta);
len -= delta;
out += delta;
}
DBG4(DBG_LIB, "HMAC_DRBG Out: %B", &output);
if (!update(this, chunk_empty))
{
return FALSE;
}
this->reseed_counter++;
return TRUE;
}
METHOD(ntru_drbg_t, destroy, void,
private_ntru_drbg_t *this)
{
this->hmac->destroy(this->hmac);
chunk_clear(&this->key);
chunk_clear(&this->value);
free(this);
}
/*
* Described in header.
*/
ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
rng_t *entropy)
{
private_ntru_drbg_t *this;
chunk_t seed;
signer_t *hmac;
size_t entropy_len;
u_int32_t max_requests;
if (strength > MAX_STRENGTH_BITS)
{
return NULL;
}
if (strength <= 112)
{
strength = 112;
}
else if (strength <= 128)
{
strength = 128;
}
else if (strength <= 192)
{
strength = 192;
}
else
{
strength = 256;
}
hmac = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA2_256_256);
if (!hmac)
{
DBG1(DBG_LIB, "could not instantiate HMAC-SHA256");
return NULL;
}
max_requests = lib->settings->get_int(lib->settings,
"libstrongswan.plugins.ntru.max_drbg_requests",
MAX_DRBG_REQUESTS);
INIT(this,
.public = {
.get_strength = _get_strength,
.reseed = _reseed,
.generate = _generate,
.destroy = _destroy,
},
.strength = strength,
.entropy = entropy,
.hmac = hmac,
.key = chunk_alloc(hmac->get_key_size(hmac)),
.value = chunk_alloc(hmac->get_block_size(hmac)),
.max_requests = max_requests,
.reseed_counter = 1,
);
memset(this->key.ptr, 0x00, this->key.len);
memset(this->value.ptr, 0x01, this->value.len);
entropy_len = (strength + strength/2) / BITS_PER_BYTE;
seed = chunk_alloc(entropy_len + pers_str.len);
DBG2(DBG_LIB, "DBRG requesting %u bytes of entropy", entropy_len);
if (!this->entropy->get_bytes(this->entropy, entropy_len, seed.ptr))
{
chunk_free(&seed);
destroy(this);
return NULL;
}
memcpy(seed.ptr + entropy_len, pers_str.ptr, pers_str.len);
DBG4(DBG_LIB, "seed: %B", &seed);
if (!update(this, seed))
{
chunk_free(&seed);
destroy(this);
return NULL;
}
chunk_clear(&seed);
return &this->public;
}

77
src/libstrongswan/plugins/ntru/ntru_drbg.h Normal file
View File

@ -0,0 +1,77 @@
/*
* Copyright (C) 2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup ntru_drbg ntru_drbg
* @{ @ingroup ntru_p
*/
#ifndef NTRU_DRBG_H_
#define NTRU_DRBG_H_
typedef struct ntru_drbg_t ntru_drbg_t;
#include <library.h>
/**
* Implements a HMAC Deterministic Random Bit Generator (HMAC_DRBG)
* compliant with NIST SP 800-90A
*/
struct ntru_drbg_t {
/**
* Reseed the instantiated DRBG
*
* @return configured security strength in bits
*/
u_int32_t (*get_strength)(ntru_drbg_t *this);
/**
* Reseed the instantiated DRBG
*
* @return TRUE if successful
*/
bool (*reseed)(ntru_drbg_t *this);
/**
* Generate pseudorandom bytes.
* If the maximum number of requests has been reached, reseeding occurs
*
* @param strength requested security strength in bits
* @param len number of octets to generate
* @param out address of output buffer
* @return TRUE if successful
*/
bool (*generate)(ntru_drbg_t *this, u_int32_t strength, u_int32_t len,
u_int8_t *out);
/**
* Uninstantiate and destroy the DRBG object
*/
void (*destroy)(ntru_drbg_t *this);
};
/**
* Create and instantiate a new DRBG objet.
*
* @param strength security strength in bits
* @param pers_str personalization string
* @param entropy entropy source to use
*/
ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
rng_t *entropy);
#endif /** NTRU_DRBG_H_ @}*/

39
src/libstrongswan/plugins/ntru/ntru_ke.c
View File

@ -14,7 +14,7 @@
*/
#include "ntru_ke.h"
#include "ntru_plugin.h"
#include "ntru_drbg.h"
#include "ntru_crypto/ntru_crypto.h"
@ -119,10 +119,15 @@ struct private_ntru_ke_t {
*/
bool computed;
/**
* True Random Generator
*/
rng_t *entropy;
/**
* Deterministic Random Bit Generator
*/
DRBG_HANDLE drbg;
ntru_drbg_t *drbg;
};
METHOD(diffie_hellman_t, get_my_public_value, void,
@ -246,8 +251,8 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE);
/* generate the random shared secret */
if (ntru_crypto_drbg_generate(this->drbg, this->strength,
this->shared_secret.len, this->shared_secret.ptr) != DRBG_OK)
if (!this->drbg->generate(this->drbg, this->strength,
this->shared_secret.len, this->shared_secret.ptr))
{
DBG1(DBG_LIB, "generation of shared secret failed");
chunk_free(&this->shared_secret);
@ -289,10 +294,8 @@ METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
METHOD(diffie_hellman_t, destroy, void,
private_ntru_ke_t *this)
{
if (ntru_crypto_drbg_uninstantiate(this->drbg) != DRBG_OK)
{
DBG1(DBG_LIB, "error uninstantiating DRBG");
}
this->drbg->destroy(this->drbg);
this->entropy->destroy(this->entropy);
chunk_free(&this->pub_key);
chunk_free(&this->ciphertext);
chunk_clear(&this->priv_key);
@ -306,9 +309,9 @@ METHOD(diffie_hellman_t, destroy, void,
ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
{
private_ntru_ke_t *this;
char personalization_str[] = "strongSwan NTRU-KE";
param_set_t *param_sets, *param_set;
DRBG_HANDLE drbg;
rng_t *entropy;
ntru_drbg_t *drbg;
char *parameter_set;
u_int32_t strength;
@ -356,11 +359,18 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
DBG1(DBG_LIB, "%u bit %s NTRU parameter set %s selected", strength,
parameter_set, param_set->name);
if (ntru_crypto_drbg_instantiate(strength,
personalization_str, strlen(personalization_str),
(ENTROPY_FN) &ntru_plugin_get_entropy, &drbg) != DRBG_OK)
entropy = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
if (!entropy)
{
DBG1(DBG_LIB, "could not attach entropy source for DRBG");
return NULL;
}
drbg = ntru_drbg_create(strength, chunk_from_str("IKE NTRU-KE"), entropy);
if (!drbg)
{
DBG1(DBG_LIB, "error instantiating DRBG at %u bit security", strength);
DBG1(DBG_LIB, "could not instantiate DRBG at %u bit security", strength);
entropy->destroy(entropy);
return NULL;
}
@ -377,6 +387,7 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
.group = group,
.param_set = param_set,
.strength = strength,
.entropy = entropy,
.drbg = drbg,
);

75
src/libstrongswan/plugins/ntru/ntru_plugin.c
View File

@ -17,64 +17,9 @@
#include "ntru_ke.h"
#include <library.h>
#include <utils/debug.h>
typedef struct private_ntru_plugin_t private_ntru_plugin_t;
rng_t *rng;
bool ntru_plugin_get_entropy(ENTROPY_CMD cmd, uint8_t *out)
{
switch (cmd)
{
case INIT:
return TRUE;
case GET_NUM_BYTES_PER_BYTE_OF_ENTROPY:
/* Here we return the number of bytes needed from the entropy
* source to obtain 8 bits of entropy. Maximum is 8.
*/
if (!out)
{
return FALSE;
}
*out = 1; /* this is a perfectly random source */
return TRUE;
case GET_BYTE_OF_ENTROPY:
if (!out)
{
return FALSE;
}
if (!rng || !rng->get_bytes(rng, 1, out))
{
return FALSE;
}
return TRUE;
default:
return FALSE;
}
}
/**
* Create/Destroy True Random Generator
*/
static bool create_random(private_ntru_plugin_t *this,
plugin_feature_t *feature, bool reg, void *data)
{
if (reg)
{
rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
if (!rng)
{
return FALSE;
}
}
else
{
rng->destroy(rng);
}
return TRUE;
}
/**
* private data of ntru_plugin
*/
@ -95,27 +40,18 @@ METHOD(plugin_t, get_name, char*,
METHOD(plugin_t, get_features, int,
private_ntru_plugin_t *this, plugin_feature_t *features[])
{
int count = 0;
static plugin_feature_t f_ke[] = {
static plugin_feature_t f[] = {
PLUGIN_REGISTER(DH, ntru_ke_create),
PLUGIN_PROVIDE(DH, NTRU_112_BIT),
PLUGIN_PROVIDE(DH, NTRU_128_BIT),
PLUGIN_PROVIDE(DH, NTRU_192_BIT),
PLUGIN_PROVIDE(DH, NTRU_256_BIT),
PLUGIN_DEPENDS(RNG, RNG_TRUE),
PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_SHA2_256_256),
};
static plugin_feature_t f_rng[] = {
PLUGIN_CALLBACK((plugin_feature_callback_t)create_random, NULL),
PLUGIN_PROVIDE(CUSTOM, "ntru-rng"),
PLUGIN_DEPENDS(RNG, RNG_TRUE),
};
static plugin_feature_t f[countof(f_ke) + countof(f_rng)] = {};
plugin_features_add(f, f_ke, countof(f_ke), &count);
plugin_features_add(f, f_rng, countof(f_rng), &count);
*features = f;
return count;
return countof(f);
}
METHOD(plugin_t, destroy, void,
@ -141,6 +77,5 @@ plugin_t *ntru_plugin_create()
},
);
return &this->public.plugin;
}

11
src/libstrongswan/plugins/ntru/ntru_plugin.h
View File

@ -26,8 +26,6 @@
#include <plugins/plugin.h>
#include "ntru_crypto/ntru_crypto_drbg.h"
typedef struct ntru_plugin_t ntru_plugin_t;
/**
@ -41,13 +39,4 @@ struct ntru_plugin_t {
plugin_t plugin;
};
/**
* Return true random bytes
*
* @param cmd command to be executed
* @param out output variable
* @result return code
*/
bool ntru_plugin_get_entropy(ENTROPY_CMD cmd, uint8_t *out);
#endif /** NTRU_PLUGIN_H_ @}*/

89
src/libstrongswan/plugins/ntru/ntru_test_rng.c Normal file
View File

@ -0,0 +1,89 @@
/*
* Copyright (C) 2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "ntru_test_rng.h"
typedef struct private_ntru_test_rng_t private_ntru_test_rng_t;
/**
* Private data of an ntru_test_rng_t object.
*/
struct private_ntru_test_rng_t {
/**
* Public ntru_test_rng_t interface.
*/
ntru_test_rng_t public;
/**
* entropy string
*/
chunk_t entropy;
};
METHOD(rng_t, get_bytes, bool,
private_ntru_test_rng_t *this, size_t bytes, u_int8_t *buffer)
{
if (bytes > this->entropy.len)
{
return FALSE;
}
memcpy(buffer, this->entropy.ptr, bytes);
this->entropy = chunk_skip(this->entropy, bytes);
return TRUE;
}
METHOD(rng_t, allocate_bytes, bool,
private_ntru_test_rng_t *this, size_t bytes, chunk_t *chunk)
{
if (bytes > this->entropy.len)
{
*chunk = chunk_empty;
return FALSE;
}
*chunk = chunk_alloc(bytes);
memcpy(chunk->ptr, this->entropy.ptr, bytes);
this->entropy = chunk_skip(this->entropy, bytes);
return TRUE;
}
METHOD(rng_t, destroy, void,
private_ntru_test_rng_t *this)
{
free(this);
}
/*
* Described in header.
*/
rng_t *ntru_test_rng_create(chunk_t entropy)
{
private_ntru_test_rng_t *this;
INIT(this,
.public = {
.rng = {
.get_bytes = _get_bytes,
.allocate_bytes = _allocate_bytes,
.destroy = _destroy,
},
},
.entropy = entropy,
);
return &this->public.rng;
}

47
src/libstrongswan/plugins/ntru/ntru_test_rng.h Normal file
View File

@ -0,0 +1,47 @@
/*
* Copyright (C) 2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup ntru_test_rng ntru_test_rng
* @{ @ingroup ntru_p
*/
#ifndef NTRU_TEST_RNG_H_
#define NTRU_TEST_RNG_H_
typedef struct ntru_test_rng_t ntru_test_rng_t;
#include <library.h>
/**
* rng_t providing NIST SP 800-90A entropy test vectors
*/
struct ntru_test_rng_t {
/**
* Implements rng_t.
*/
rng_t rng;
};
/**
* Creates an ntru_test_rng_t instance.
*
* @param entropy entropy test vector
* @return created ntru_test_rng_t
*/
rng_t *ntru_test_rng_create(chunk_t entropy);
#endif /** NTRU_TEST_RNG_H_ @} */

153
src/libstrongswan/tests/suites/test_ntru.c
View File

@ -15,7 +15,8 @@
#include "test_suite.h"
#include <plugins/ntru/ntru_plugin.h>
#include <plugins/ntru/ntru_drbg.h>
#include <plugins/ntru/ntru_test_rng.h>
/**
* NTRU parameter sets to test
@ -37,11 +38,145 @@ char *parameter_sets[] = {
"x9_98_speed", "x9_98_bandwidth", "x9_98_balance", "optimum"
};
START_TEST(test_ntru_entropy)
typedef struct {
u_int32_t requested;
u_int32_t standard;
}strength_t;
strength_t strengths[] = {
{ 80, 112 },
{ 112, 112 },
{ 120, 128 },
{ 128, 128 },
{ 150, 192 },
{ 192, 192 },
{ 200, 256 },
{ 256, 256 },
{ 512, 0 }
};
START_TEST(test_ntru_drbg_strength)
{
ck_assert(!ntru_plugin_get_entropy(GET_NUM_BYTES_PER_BYTE_OF_ENTROPY, NULL));
ck_assert(!ntru_plugin_get_entropy(GET_BYTE_OF_ENTROPY, NULL));
ck_assert(!ntru_plugin_get_entropy(10, NULL));
ntru_drbg_t *drbg;
rng_t *entropy;
entropy = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
ck_assert(entropy != NULL);
drbg = ntru_drbg_create(strengths[_i].requested, chunk_empty, entropy);
if (strengths[_i].standard)
{
ck_assert(drbg != NULL);
ck_assert(drbg->get_strength(drbg) == strengths[_i].standard);
drbg->destroy(drbg);
}
else
{
ck_assert(drbg == NULL);
}
entropy->destroy(entropy);
}
END_TEST
START_TEST(test_ntru_dbrg)
{
typedef struct {
chunk_t pers_str;
chunk_t entropy;
chunk_t out;
} dbrg_test_t;
dbrg_test_t dbrg_tests[] = {
{ chunk_empty,
chunk_from_chars(0x06, 0x03, 0x2c, 0xd5, 0xee, 0xd3, 0x3f, 0x39,
0x26, 0x5f, 0x49, 0xec, 0xb1, 0x42, 0xc5, 0x11,
0xda, 0x9a, 0xff, 0x2a, 0xf7, 0x12, 0x03, 0xbf,
0xfa, 0xf3, 0x4a, 0x9c, 0xa5, 0xbd, 0x9c, 0x0d,
0x0e, 0x66, 0xf7, 0x1e, 0xdc, 0x43, 0xe4, 0x2a,
0x45, 0xad, 0x3c, 0x6f, 0xc6, 0xcd, 0xc4, 0xdf,
0x01, 0x92, 0x0a, 0x4e, 0x66, 0x9e, 0xd3, 0xa8,
0x5a, 0xe8, 0xa3, 0x3b, 0x35, 0xa7, 0x4a, 0xd7,
0xfb, 0x2a, 0x6b, 0xb4, 0xcf, 0x39, 0x5c, 0xe0,
0x03, 0x34, 0xa9, 0xc9, 0xa5, 0xa5, 0xd5, 0x52),
chunk_from_chars(0x76, 0xfc, 0x79, 0xfe, 0x9b, 0x50, 0xbe, 0xcc,
0xc9, 0x91, 0xa1, 0x1b, 0x56, 0x35, 0x78, 0x3a,
0x83, 0x53, 0x6a, 0xdd, 0x03, 0xc1, 0x57, 0xfb,
0x30, 0x64, 0x5e, 0x61, 0x1c, 0x28, 0x98, 0xbb,
0x2b, 0x1b, 0xc2, 0x15, 0x00, 0x02, 0x09, 0x20,
0x8c, 0xd5, 0x06, 0xcb, 0x28, 0xda, 0x2a, 0x51,
0xbd, 0xb0, 0x38, 0x26, 0xaa, 0xf2, 0xbd, 0x23,
0x35, 0xd5, 0x76, 0xd5, 0x19, 0x16, 0x08, 0x42,
0xe7, 0x15, 0x8a, 0xd0, 0x94, 0x9d, 0x1a, 0x9e,
0xc3, 0xe6, 0x6e, 0xa1, 0xb1, 0xa0, 0x64, 0xb0,
0x05, 0xde, 0x91, 0x4e, 0xac, 0x2e, 0x9d, 0x4f,
0x2d, 0x72, 0xa8, 0x61, 0x6a, 0x80, 0x22, 0x54,
0x22, 0x91, 0x82, 0x50, 0xff, 0x66, 0xa4, 0x1b,
0xd2, 0xf8, 0x64, 0xa6, 0xa3, 0x8c, 0xc5, 0xb6,
0x49, 0x9d, 0xc4, 0x3f, 0x7f, 0x2b, 0xd0, 0x9e,
0x1e, 0x0f, 0x8f, 0x58, 0x85, 0x93, 0x51, 0x24)
},
{ chunk_from_chars(0xf2, 0xe5, 0x8f, 0xe6, 0x0a, 0x3a, 0xfc, 0x59,
0xda, 0xd3, 0x75, 0x95, 0x41, 0x5f, 0xfd, 0x31,
0x8c, 0xcf, 0x69, 0xd6, 0x77, 0x80, 0xf6, 0xfa,
0x07, 0x97, 0xdc, 0x9a, 0xa4, 0x3e, 0x14, 0x4c),
chunk_from_chars(0xfa, 0x0e, 0xe1, 0xfe, 0x39, 0xc7, 0xc3, 0x90,
0xaa, 0x94, 0x15, 0x9d, 0x0d, 0xe9, 0x75, 0x64,
0x34, 0x2b, 0x59, 0x17, 0x77, 0xf3, 0xe5, 0xf6,
0xa4, 0xba, 0x2a, 0xea, 0x34, 0x2e, 0xc8, 0x40,
0xdd, 0x08, 0x20, 0x65, 0x5c, 0xb2, 0xff, 0xdb,
0x0d, 0xa9, 0xe9, 0x31, 0x0a, 0x67, 0xc9, 0xe5,
0xe0, 0x62, 0x9b, 0x6d, 0x79, 0x75, 0xdd, 0xfa,
0x96, 0xa3, 0x99, 0x64, 0x87, 0x40, 0xe6, 0x0f,
0x1f, 0x95, 0x57, 0xdc, 0x58, 0xb3, 0xd7, 0x41,
0x5f, 0x9b, 0xa9, 0xd4, 0xdb, 0xb5, 0x01, 0xf6),
chunk_from_chars(0xf9, 0x2d, 0x4c, 0xf9, 0x9a, 0x53, 0x5b, 0x20,
0x22, 0x2a, 0x52, 0xa6, 0x8d, 0xb0, 0x4c, 0x5a,
0xf6, 0xf5, 0xff, 0xc7, 0xb6, 0x6a, 0x47, 0x3a,
0x37, 0xa2, 0x56, 0xbd, 0x8d, 0x29, 0x8f, 0x9b,
0x4a, 0xa4, 0xaf, 0x7e, 0x8d, 0x18, 0x1e, 0x02,
0x36, 0x79, 0x03, 0xf9, 0x3b, 0xdb, 0x74, 0x4c,
0x6c, 0x2f, 0x3f, 0x34, 0x72, 0x62, 0x6b, 0x40,
0xce, 0x9b, 0xd6, 0xa7, 0x0e, 0x7b, 0x8f, 0x93,
0x99, 0x2a, 0x16, 0xa7, 0x6f, 0xab, 0x6b, 0x5f,
0x16, 0x25, 0x68, 0xe0, 0x8e, 0xe6, 0xc3, 0xe8,
0x04, 0xae, 0xfd, 0x95, 0x2d, 0xdd, 0x3a, 0xcb,
0x79, 0x1c, 0x50, 0xf2, 0xad, 0x69, 0xe9, 0xa0,
0x40, 0x28, 0xa0, 0x6a, 0x9c, 0x01, 0xd3, 0xa6,
0x2a, 0xca, 0x2a, 0xaf, 0x6e, 0xfe, 0x69, 0xed,
0x97, 0xa0, 0x16, 0x21, 0x3a, 0x2d, 0xd6, 0x42,
0xb4, 0x88, 0x67, 0x64, 0x07, 0x2d, 0x9c, 0xbe)
}
};
ntru_drbg_t *drbg;
rng_t *entropy;
chunk_t in, out;
int i;
/* test ntru_test_rng */
in = chunk_from_chars(0x01, 0x02, 0x04, 0x04);
entropy = ntru_test_rng_create(in);
ck_assert(entropy->allocate_bytes(entropy, 4, &out));
ck_assert(chunk_equals(in, out));
chunk_free(&out);
ck_assert(!entropy->allocate_bytes(entropy, 4, &out));
entropy->destroy(entropy);
/* test DRBG with ntru_test_rng providing NIST test vectors */
out = chunk_alloc(128);
for (i = 0; i < countof(dbrg_tests); i++)
{
entropy = ntru_test_rng_create(dbrg_tests[i].entropy);
drbg = ntru_drbg_create(256, dbrg_tests[i].pers_str, entropy);
ck_assert(drbg != NULL);
ck_assert(drbg->reseed(drbg));
ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
ck_assert(chunk_equals(out, dbrg_tests[i].out));
drbg->destroy(drbg);
entropy->destroy(entropy);
}
chunk_free(&out);
}
END_TEST
@ -239,8 +374,12 @@ Suite *ntru_suite_create()
s = suite_create("ntru");
tc = tcase_create("entropy");
tcase_add_test(tc, test_ntru_entropy);
tc = tcase_create("dbrg_strength");
tcase_add_loop_test(tc, test_ntru_drbg_strength, 0, countof(strengths));
suite_add_tcase(s, tc);
tc = tcase_create("dbrg");
tcase_add_test(tc, test_ntru_dbrg);
suite_add_tcase(s, tc);
tc = tcase_create("ke");

2
src/libstrongswan/tests/tests.h
View File

@ -34,5 +34,5 @@ TEST_SUITE(host_suite_create)
TEST_SUITE(printf_suite_create)
TEST_SUITE(pen_suite_create)
TEST_SUITE(asn1_suite_create)
TEST_SUITE_DEPEND(ntru_suite_create, CUSTOM, "ntru-rng")
TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)