Implemented NIST SP 800-90A DRBG_HMAC with SHA-256
This commit is contained in:
parent
798a36dc14
commit
98c6421674
|
@ -12,12 +12,12 @@ endif
|
|||
|
||||
libstrongswan_ntru_la_SOURCES = \
|
||||
ntru_plugin.h ntru_plugin.c \
|
||||
ntru_drbg.h ntru_drbg.c \
|
||||
ntru_ke.h ntru_ke.c \
|
||||
ntru_test_rng.h ntru_test_rng.c \
|
||||
ntru_crypto/ntru_crypto.h ntru_crypto/ntru_crypto_error.h \
|
||||
ntru_crypto/ntru_crypto_drbg.h ntru_crypto/ntru_crypto_drbg.c \
|
||||
ntru_crypto/ntru_crypto_hash_basics.h \
|
||||
ntru_crypto/ntru_crypto_hash.h ntru_crypto/ntru_crypto_hash.c \
|
||||
ntru_crypto/ntru_crypto_hmac.h ntru_crypto/ntru_crypto_hmac.c \
|
||||
ntru_crypto/ntru_crypto_msbyte_uint32.h \
|
||||
ntru_crypto/ntru_crypto_msbyte_uint32.c \
|
||||
ntru_crypto/ntru_crypto_ntru_convert.h \
|
||||
|
|
|
@ -35,9 +35,10 @@
|
|||
#define NTRU_CRYPTO_H
|
||||
|
||||
#include "ntru_crypto_platform.h"
|
||||
#include "ntru_crypto_drbg.h"
|
||||
#include "ntru_crypto_error.h"
|
||||
|
||||
#include "ntru_drbg.h"
|
||||
|
||||
#if !defined( NTRUCALL )
|
||||
#if !defined(WIN32) || defined (NTRUCRYPTO_STATIC)
|
||||
// Linux, or a Win32 static library
|
||||
|
@ -135,7 +136,7 @@ typedef enum _NTRU_ENCRYPT_PARAM_SET_ID {
|
|||
|
||||
NTRUCALL
|
||||
ntru_crypto_ntru_encrypt(
|
||||
DRBG_HANDLE drbg_handle, /* in - handle for DRBG */
|
||||
ntru_drbg_t *drbg , /* in - handle for DRBG */
|
||||
uint16_t pubkey_blob_len, /* in - no. of octets in public key
|
||||
blob */
|
||||
uint8_t const *pubkey_blob, /* in - pointer to public key */
|
||||
|
@ -234,7 +235,7 @@ ntru_crypto_ntru_decrypt(
|
|||
|
||||
NTRUCALL
|
||||
ntru_crypto_ntru_encrypt_keygen(
|
||||
DRBG_HANDLE drbg_handle, /* in - handle of DRBG */
|
||||
ntru_drbg_t *drbg, /* in - handle of DRBG */
|
||||
NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */
|
||||
uint16_t *pubkey_blob_len, /* in/out - no. of octets in
|
||||
pubkey_blob, addr
|
||||
|
|
|
@ -1,724 +0,0 @@
|
|||
/******************************************************************************
|
||||
* NTRU Cryptography Reference Source Code
|
||||
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
|
||||
*
|
||||
* ntru_crypto_drbg.c is a component of ntru-crypto.
|
||||
*
|
||||
* Copyright (C) 2009-2013 Security Innovation
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
*
|
||||
*****************************************************************************/
|
||||
|
||||
/******************************************************************************
|
||||
*
|
||||
* File: ntru_crypto_drbg.c
|
||||
*
|
||||
* Contents: Implementation of a SHA-256 HMAC-based deterministic random byte
|
||||
* generator (HMAC_DRBG) as defined in ANSI X9.82, Part 3 - 2007.
|
||||
*
|
||||
* This implementation:
|
||||
* - allows for MAX_INSTANTIATIONS simultaneous drbg instantiations
|
||||
* (may be overridden on compiler command line)
|
||||
* - has a maximum security strength of 256 bits
|
||||
* - automatically uses SHA-256 for all security strengths
|
||||
* - allows a personalization string of up to MAX_PERS_STR_BYTES bytes
|
||||
* - implments reseeding
|
||||
* - does not implement additional input for reseeding or generation
|
||||
* - does not implement predictive resistance
|
||||
* - limits the number of bytes requested in one invocation of generate to
|
||||
* MAX_BYTES_PER_REQUEST
|
||||
* - uses a callback function to allow the caller to supply the
|
||||
* Get_entropy_input routine (entropy function)
|
||||
* - limits the number of bytes returned from the entropy function to
|
||||
* MAX_ENTROPY_NONCE_BYTES
|
||||
* - gets the nonce bytes along with the entropy input from the entropy
|
||||
* function
|
||||
* - automatically reseeds an instantitation after MAX_REQUESTS calls to
|
||||
* generate
|
||||
*
|
||||
*****************************************************************************/
|
||||
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
#include "ntru_crypto_drbg.h"
|
||||
#include "ntru_crypto_hmac.h"
|
||||
|
||||
|
||||
/************************
|
||||
* HMAC_DRBG parameters *
|
||||
************************/
|
||||
|
||||
/* Note: nonce size is sec_strength_bits/2 */
|
||||
#define HMAC_DRBG_MAX_MIN_ENTROPY_NONCE_BYTES \
|
||||
(DRBG_MAX_SEC_STRENGTH_BITS + DRBG_MAX_SEC_STRENGTH_BITS/2)/8
|
||||
#define HMAC_DRBG_MAX_ENTROPY_NONCE_BYTES \
|
||||
HMAC_DRBG_MAX_MIN_ENTROPY_NONCE_BYTES * DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY
|
||||
#define HMAC_DRBG_MAX_REQUESTS 0xffffffff
|
||||
|
||||
|
||||
/*******************
|
||||
* DRBG structures *
|
||||
*******************/
|
||||
|
||||
/* SHA256_HMAC_DRBG state structure */
|
||||
|
||||
typedef struct {
|
||||
uint32_t sec_strength; /* security strength in bits */
|
||||
uint32_t requests_left; /* generation requests remaining
|
||||
before reseeding */
|
||||
ENTROPY_FN entropy_fn; /* pointer to entropy function */
|
||||
NTRU_CRYPTO_HMAC_CTX *hmac_ctx; /* pointer to HMAC context */
|
||||
uint8_t V[33]; /* md_len size internal state + 1 */
|
||||
} SHA256_HMAC_DRBG_STATE;
|
||||
|
||||
|
||||
/* DRBG state structure
|
||||
* Note: this could contain a DRBG_TYPE to direct allocation, instantiation,
|
||||
* and generation to multiple types of DRBGs; at present only the
|
||||
* SHA256_HMAC_DRBG is implemented
|
||||
*/
|
||||
|
||||
typedef struct {
|
||||
uint32_t handle;
|
||||
void *state;
|
||||
} DRBG_STATE;
|
||||
|
||||
|
||||
/*************
|
||||
* DRBG DATA *
|
||||
*************/
|
||||
|
||||
/* array of drbg states */
|
||||
|
||||
static DRBG_STATE drbg_state[DRBG_MAX_INSTANTIATIONS];
|
||||
|
||||
|
||||
/******************************
|
||||
* SHA256 HMAC_DRBG functions *
|
||||
******************************/
|
||||
|
||||
/* sha256_hmac_drbg_update
|
||||
*
|
||||
* This routine is the SHA-256 HMAC_DRBG derivation function for
|
||||
* instantiation, and reseeding, and it is used in generation as well.
|
||||
* It updates the internal state.
|
||||
*
|
||||
* For instantiation, provided_data1 holds the entropy input and nonce;
|
||||
* provided_data2 holds the optional personalization string. Combined, this
|
||||
* is the seed material.
|
||||
*
|
||||
* For reseeding, provided_data1 holds the entropy input;
|
||||
* provided_data2 is NULL (because this implementation does not support
|
||||
* additional input).
|
||||
*
|
||||
* For byte generation, both provided_data1 and provided_data2 are NULL.
|
||||
*
|
||||
* Returns DRBG_OK if successful.
|
||||
* Returns HMAC errors if they occur.
|
||||
*/
|
||||
|
||||
static uint32_t
|
||||
sha256_hmac_drbg_update(
|
||||
SHA256_HMAC_DRBG_STATE *s,
|
||||
uint8_t *key, /* md_len size array */
|
||||
uint32_t md_len,
|
||||
uint8_t const *provided_data1,
|
||||
uint32_t provided_data1_bytes,
|
||||
uint8_t const *provided_data2,
|
||||
uint32_t provided_data2_bytes)
|
||||
{
|
||||
uint32_t result;
|
||||
|
||||
/* new key = HMAC(K, V || 0x00 [|| provided data1 [|| provided data2]] */
|
||||
|
||||
if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) != NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
s->V[md_len] = 0x00;
|
||||
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len + 1)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
if (provided_data1) {
|
||||
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data1,
|
||||
provided_data1_bytes)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
if (provided_data2) {
|
||||
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data2,
|
||||
provided_data2_bytes)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
}
|
||||
}
|
||||
if ((result = ntru_crypto_hmac_final(s->hmac_ctx, key)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
if ((result = ntru_crypto_hmac_set_key(s->hmac_ctx, key)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
|
||||
/* new V = HMAC(K, V) */
|
||||
|
||||
if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) != NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
if ((result = ntru_crypto_hmac_final(s->hmac_ctx, s->V)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
|
||||
/* if provided data exists, update K and V again */
|
||||
|
||||
if (provided_data1) {
|
||||
|
||||
/* new key = HMAC(K, V || 0x01 || provided data1 [|| provided data2] */
|
||||
|
||||
if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
s->V[md_len] = 0x01;
|
||||
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len + 1)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data1,
|
||||
provided_data1_bytes)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
if (provided_data2) {
|
||||
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data2,
|
||||
provided_data2_bytes)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
}
|
||||
if ((result = ntru_crypto_hmac_final(s->hmac_ctx, key)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
if ((result = ntru_crypto_hmac_set_key(s->hmac_ctx, key)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
|
||||
/* new V = HMAC(K, V) */
|
||||
|
||||
if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
if ((result = ntru_crypto_hmac_final(s->hmac_ctx, s->V)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
}
|
||||
|
||||
memset(key, 0, md_len);
|
||||
DRBG_RET(DRBG_OK);
|
||||
}
|
||||
|
||||
|
||||
/* sha256_hmac_drbg_instantiate
|
||||
*
|
||||
* This routine allocates and initializes a SHA-256 HMAC_DRBG internal state.
|
||||
*
|
||||
* Returns DRBG_OK if successful.
|
||||
* Returns DRBG_BAD_LENGTH if the personalization string is too long.
|
||||
* Returns DRBG_OUT_OF_MEMORY if the internal state cannot be allocated.
|
||||
* Returns errors from HASH or SHA256 if those errors occur.
|
||||
*/
|
||||
|
||||
static uint32_t
|
||||
sha256_hmac_drbg_instantiate(
|
||||
uint32_t sec_strength_bits, /* strength to instantiate */
|
||||
uint8_t const *pers_str,
|
||||
uint32_t pers_str_bytes,
|
||||
ENTROPY_FN entropy_fn,
|
||||
SHA256_HMAC_DRBG_STATE **state)
|
||||
{
|
||||
uint8_t entropy_nonce[HMAC_DRBG_MAX_ENTROPY_NONCE_BYTES];
|
||||
uint32_t entropy_nonce_bytes;
|
||||
uint32_t min_bytes_of_entropy;
|
||||
uint8_t num_bytes_per_byte_of_entropy;
|
||||
uint8_t key[32]; /* array of md_len size */
|
||||
SHA256_HMAC_DRBG_STATE *s;
|
||||
uint32_t result;
|
||||
uint32_t i;
|
||||
|
||||
/* check arguments */
|
||||
|
||||
if (pers_str_bytes > HMAC_DRBG_MAX_PERS_STR_BYTES)
|
||||
DRBG_RET(DRBG_BAD_LENGTH);
|
||||
|
||||
/* calculate number of bytes needed for the entropy input and nonce
|
||||
* for a SHA256_HMAC_DRBG, and get them from the entropy source
|
||||
*/
|
||||
|
||||
if (entropy_fn(GET_NUM_BYTES_PER_BYTE_OF_ENTROPY,
|
||||
&num_bytes_per_byte_of_entropy) == 0)
|
||||
DRBG_RET(DRBG_ENTROPY_FAIL);
|
||||
if ((num_bytes_per_byte_of_entropy == 0) ||
|
||||
(num_bytes_per_byte_of_entropy >
|
||||
DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY))
|
||||
DRBG_RET(DRBG_ENTROPY_FAIL);
|
||||
|
||||
min_bytes_of_entropy = (sec_strength_bits + sec_strength_bits/2) / 8;
|
||||
entropy_nonce_bytes = min_bytes_of_entropy * num_bytes_per_byte_of_entropy;
|
||||
for (i = 0; i < entropy_nonce_bytes; i++)
|
||||
if (entropy_fn(GET_BYTE_OF_ENTROPY, entropy_nonce+i) == 0)
|
||||
DRBG_RET(DRBG_ENTROPY_FAIL);
|
||||
|
||||
/* allocate SHA256_HMAC_DRBG state */
|
||||
|
||||
s = (SHA256_HMAC_DRBG_STATE*) malloc(sizeof(SHA256_HMAC_DRBG_STATE));
|
||||
if (s == NULL) {
|
||||
DRBG_RET(DRBG_OUT_OF_MEMORY);
|
||||
}
|
||||
|
||||
/* allocate HMAC context */
|
||||
|
||||
memset(key, 0, sizeof(key));
|
||||
if ((result = ntru_crypto_hmac_create_ctx(NTRU_CRYPTO_HASH_ALGID_SHA256,
|
||||
key, sizeof(key),
|
||||
&s->hmac_ctx)) !=
|
||||
NTRU_CRYPTO_HMAC_OK) {
|
||||
free(s);
|
||||
return result;
|
||||
}
|
||||
|
||||
/* init and update internal state */
|
||||
|
||||
memset(s->V, 0x01, sizeof(s->V));
|
||||
if ((result = sha256_hmac_drbg_update(s, key, sizeof(key),
|
||||
entropy_nonce, entropy_nonce_bytes,
|
||||
pers_str, pers_str_bytes)) != DRBG_OK) {
|
||||
(void) ntru_crypto_hmac_destroy_ctx(s->hmac_ctx);
|
||||
memset(s->V, 0, sizeof(s->V));
|
||||
free(s);
|
||||
}
|
||||
memset(entropy_nonce, 0, sizeof(entropy_nonce));
|
||||
|
||||
/* init instantiation parameters */
|
||||
|
||||
s->sec_strength = sec_strength_bits;
|
||||
s->requests_left = HMAC_DRBG_MAX_REQUESTS;
|
||||
s->entropy_fn = entropy_fn;
|
||||
*state = s;
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
|
||||
/* sha256_hmac_drbg_free
|
||||
*
|
||||
* This routine frees a SHA-256 HMAC_DRBG internal state.
|
||||
*
|
||||
* Returns DRBG_OK if successful.
|
||||
* Returns DRBG_BAD_PARAMETER if inappropriate NULL pointers are passed.
|
||||
*/
|
||||
|
||||
static void
|
||||
sha256_hmac_drbg_free(
|
||||
SHA256_HMAC_DRBG_STATE *s)
|
||||
{
|
||||
if (s->hmac_ctx) {
|
||||
(void) ntru_crypto_hmac_destroy_ctx(s->hmac_ctx);
|
||||
}
|
||||
memset(s->V, 0, sizeof(s->V));
|
||||
s->sec_strength = 0;
|
||||
s->requests_left = 0;
|
||||
s->entropy_fn = NULL;
|
||||
free(s);
|
||||
}
|
||||
|
||||
|
||||
/* sha256_hmac_drbg_reseed
|
||||
*
|
||||
* This function reseeds an instantiated SHA256_HMAC DRBG.
|
||||
*
|
||||
* Returns DRBG_OK if successful.
|
||||
* Returns HMAC errors if they occur.
|
||||
*/
|
||||
|
||||
static uint32_t
|
||||
sha256_hmac_drbg_reseed(
|
||||
SHA256_HMAC_DRBG_STATE *s)
|
||||
{
|
||||
uint8_t entropy[HMAC_DRBG_MAX_ENTROPY_NONCE_BYTES];
|
||||
uint32_t entropy_bytes;
|
||||
uint32_t min_bytes_of_entropy;
|
||||
uint8_t num_bytes_per_byte_of_entropy;
|
||||
uint8_t key[32]; // array of md_len size for sha256_hmac_drbg_update()
|
||||
uint32_t result;
|
||||
uint32_t i;
|
||||
|
||||
/* calculate number of bytes needed for the entropy input
|
||||
* for a SHA256_HMAC_DRBG, and get them from the entropy source
|
||||
*/
|
||||
|
||||
if (s->entropy_fn(GET_NUM_BYTES_PER_BYTE_OF_ENTROPY,
|
||||
&num_bytes_per_byte_of_entropy) == 0)
|
||||
DRBG_RET(DRBG_ENTROPY_FAIL);
|
||||
if ((num_bytes_per_byte_of_entropy == 0) ||
|
||||
(num_bytes_per_byte_of_entropy >
|
||||
DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY))
|
||||
DRBG_RET(DRBG_ENTROPY_FAIL);
|
||||
|
||||
min_bytes_of_entropy = s->sec_strength / 8;
|
||||
entropy_bytes = min_bytes_of_entropy * num_bytes_per_byte_of_entropy;
|
||||
for (i = 0; i < entropy_bytes; i++)
|
||||
if (s->entropy_fn(GET_BYTE_OF_ENTROPY, entropy+i) == 0)
|
||||
DRBG_RET(DRBG_ENTROPY_FAIL);
|
||||
|
||||
/* update internal state */
|
||||
|
||||
if ((result = sha256_hmac_drbg_update(s, key, sizeof(key),
|
||||
entropy, entropy_bytes, NULL, 0)) !=
|
||||
DRBG_OK)
|
||||
return result;
|
||||
|
||||
/* reset request counter */
|
||||
|
||||
s->requests_left = HMAC_DRBG_MAX_REQUESTS;
|
||||
DRBG_RET(DRBG_OK);
|
||||
}
|
||||
|
||||
|
||||
/* sha256_hmac_drbg_generate
|
||||
*
|
||||
* This routine generates pseudorandom bytes from a SHA256_HMAC DRBG.
|
||||
*
|
||||
* Returns DRBG_OK if successful.
|
||||
* Returns DRBG_BAD_LENGTH if too many bytes are requested or the requested
|
||||
* security strength is too large.
|
||||
* Returns HMAC errors if they occur.
|
||||
*/
|
||||
|
||||
static uint32_t
|
||||
sha256_hmac_drbg_generate(
|
||||
SHA256_HMAC_DRBG_STATE *s,
|
||||
uint32_t sec_strength_bits,
|
||||
uint32_t num_bytes,
|
||||
uint8_t *out)
|
||||
{
|
||||
uint8_t key[32]; // array of md_len size for sha256_hmac_drbg_update()
|
||||
uint32_t result;
|
||||
|
||||
/* check if number of bytes requested exceeds the maximum allowed */
|
||||
|
||||
if (num_bytes > HMAC_DRBG_MAX_BYTES_PER_REQUEST)
|
||||
DRBG_RET(DRBG_BAD_LENGTH);
|
||||
|
||||
/* check if drbg has adequate security strength */
|
||||
|
||||
if (sec_strength_bits > s->sec_strength)
|
||||
DRBG_RET(DRBG_BAD_LENGTH);
|
||||
|
||||
/* check if max requests have been exceeded */
|
||||
|
||||
if (s->requests_left == 0)
|
||||
if ((result = sha256_hmac_drbg_reseed(s)) != DRBG_OK)
|
||||
return result;
|
||||
|
||||
/* generate pseudorandom bytes */
|
||||
|
||||
while (num_bytes > 0) {
|
||||
|
||||
/* generate md_len bytes = V = HMAC(K, V) */
|
||||
|
||||
if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V,
|
||||
sizeof(key))) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
if ((result = ntru_crypto_hmac_final(s->hmac_ctx, s->V)) !=
|
||||
NTRU_CRYPTO_HMAC_OK)
|
||||
return result;
|
||||
|
||||
/* copy generated bytes to output buffer */
|
||||
|
||||
if (num_bytes < sizeof(key)) {
|
||||
memcpy(out, s->V, num_bytes);
|
||||
num_bytes = 0;
|
||||
} else {
|
||||
memcpy(out, s->V, sizeof(key));
|
||||
out += sizeof(key);
|
||||
num_bytes -= sizeof(key);
|
||||
}
|
||||
}
|
||||
|
||||
/* update internal state */
|
||||
|
||||
if ((result = sha256_hmac_drbg_update(s, key, sizeof(key),
|
||||
NULL, 0, NULL, 0)) != DRBG_OK)
|
||||
return result;
|
||||
s->requests_left--;
|
||||
|
||||
DRBG_RET(DRBG_OK);
|
||||
}
|
||||
|
||||
|
||||
/******************
|
||||
* DRBG functions *
|
||||
******************/
|
||||
|
||||
/* drbg_get_new_drbg
|
||||
*
|
||||
* This routine finds an uninstantiated drbg state and returns a pointer to it.
|
||||
*
|
||||
* Returns a pointer to an uninstantiated drbg state if found.
|
||||
* Returns NULL if all drbg states are instantiated.
|
||||
*/
|
||||
|
||||
static DRBG_STATE *
|
||||
drbg_get_new_drbg()
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < DRBG_MAX_INSTANTIATIONS; i++) {
|
||||
if (drbg_state[i].state == NULL)
|
||||
return drbg_state+i;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
/* drbg_get_drbg
|
||||
*
|
||||
* This routine finds an instantiated drbg state given its handle, and returns
|
||||
* a pointer to it.
|
||||
*
|
||||
* Returns a pointer to the drbg state if found.
|
||||
* Returns NULL if the drbg state is not found.
|
||||
*/
|
||||
|
||||
static DRBG_STATE *
|
||||
drbg_get_drbg(
|
||||
DRBG_HANDLE handle) /* in/out - drbg handle */
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < DRBG_MAX_INSTANTIATIONS; i++) {
|
||||
if ((drbg_state[i].handle == handle) && drbg_state[i].state)
|
||||
return drbg_state+i;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
/* drbg_get_new_handle
|
||||
*
|
||||
* This routine gets a new, unique 32-bit handle.
|
||||
*
|
||||
* Returns the new DRBG handle.
|
||||
*/
|
||||
|
||||
static DRBG_HANDLE
|
||||
drbg_get_new_handle(void)
|
||||
{
|
||||
DRBG_HANDLE h = 0;
|
||||
|
||||
/* ensure the new handle is unique:
|
||||
* if it already exists, increment it
|
||||
*/
|
||||
|
||||
while (drbg_get_drbg(h) != NULL)
|
||||
++h;
|
||||
|
||||
return h;
|
||||
}
|
||||
|
||||
|
||||
/********************
|
||||
* Public functions *
|
||||
********************/
|
||||
|
||||
/* ntru_crypto_drbg_instantiate
|
||||
*
|
||||
* This routine instantiates a drbg with the requested security strength.
|
||||
* See ANS X9.82: Part 3-2007.
|
||||
*
|
||||
* Returns DRBG_OK if successful.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if an argument pointer is NULL.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested
|
||||
* or the personalization string is too large.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_OUT_OF_MEMORY if the internal state cannot be
|
||||
* allocated from the heap.
|
||||
*/
|
||||
|
||||
uint32_t
|
||||
ntru_crypto_drbg_instantiate(
|
||||
uint32_t sec_strength_bits, /* in - requested sec strength in bits */
|
||||
uint8_t const *pers_str, /* in - ptr to personalization string */
|
||||
uint32_t pers_str_bytes, /* in - no. personalization str bytes */
|
||||
ENTROPY_FN entropy_fn, /* in - pointer to entropy function */
|
||||
DRBG_HANDLE *handle) /* out - address for drbg handle */
|
||||
{
|
||||
DRBG_STATE *drbg = NULL;
|
||||
SHA256_HMAC_DRBG_STATE *state = NULL;
|
||||
uint32_t result;
|
||||
|
||||
/* check arguments */
|
||||
|
||||
if ((!pers_str && pers_str_bytes) || !entropy_fn || !handle)
|
||||
DRBG_RET(DRBG_BAD_PARAMETER);
|
||||
if (sec_strength_bits > DRBG_MAX_SEC_STRENGTH_BITS)
|
||||
DRBG_RET(DRBG_BAD_LENGTH);
|
||||
if (pers_str && (pers_str_bytes == 0))
|
||||
pers_str = NULL;
|
||||
|
||||
/* set security strength */
|
||||
|
||||
if (sec_strength_bits <= 112) {
|
||||
sec_strength_bits = 112;
|
||||
} else if (sec_strength_bits <= 128) {
|
||||
sec_strength_bits = 128;
|
||||
} else if (sec_strength_bits <= 192) {
|
||||
sec_strength_bits = 192;
|
||||
} else {
|
||||
sec_strength_bits = 256;
|
||||
}
|
||||
|
||||
/* get an uninstantiated drbg */
|
||||
|
||||
if ((drbg = drbg_get_new_drbg()) == NULL)
|
||||
DRBG_RET(DRBG_NOT_AVAILABLE);
|
||||
|
||||
/* init entropy function */
|
||||
|
||||
if (entropy_fn(INIT, NULL) == 0)
|
||||
DRBG_RET(DRBG_ENTROPY_FAIL);
|
||||
|
||||
/* instantiate a SHA-256 HMAC_DRBG */
|
||||
|
||||
if ((result = sha256_hmac_drbg_instantiate(sec_strength_bits,
|
||||
pers_str, pers_str_bytes,
|
||||
entropy_fn,
|
||||
&state)) != DRBG_OK)
|
||||
return result;
|
||||
|
||||
/* init drbg state */
|
||||
|
||||
drbg->handle = drbg_get_new_handle();
|
||||
drbg->state = state;
|
||||
|
||||
/* return drbg handle */
|
||||
|
||||
*handle = drbg->handle;
|
||||
DRBG_RET(DRBG_OK);
|
||||
}
|
||||
|
||||
|
||||
/* ntru_crypto_drbg_uninstantiate
|
||||
*
|
||||
* This routine frees a drbg given its handle.
|
||||
*
|
||||
* Returns DRBG_OK if successful.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid.
|
||||
*/
|
||||
|
||||
uint32_t
|
||||
ntru_crypto_drbg_uninstantiate(
|
||||
DRBG_HANDLE handle) /* in - drbg handle */
|
||||
{
|
||||
DRBG_STATE *drbg = NULL;
|
||||
|
||||
/* find the instantiated drbg */
|
||||
|
||||
if ((drbg = drbg_get_drbg(handle)) == NULL)
|
||||
DRBG_RET(DRBG_BAD_PARAMETER);
|
||||
|
||||
/* zero and free drbg state */
|
||||
|
||||
if (drbg->state) {
|
||||
sha256_hmac_drbg_free((SHA256_HMAC_DRBG_STATE *)drbg->state);
|
||||
drbg->state = NULL;
|
||||
}
|
||||
|
||||
drbg->handle = 0;
|
||||
DRBG_RET(DRBG_OK);
|
||||
}
|
||||
|
||||
|
||||
/* ntru_crypto_drbg_reseed
|
||||
*
|
||||
* This routine reseeds an instantiated drbg.
|
||||
* See ANS X9.82: Part 3-2007.
|
||||
*
|
||||
* Returns DRBG_OK if successful.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid.
|
||||
* Returns HMAC errors if they occur.
|
||||
*/
|
||||
|
||||
uint32_t
|
||||
ntru_crypto_drbg_reseed(
|
||||
DRBG_HANDLE handle) /* in - drbg handle */
|
||||
{
|
||||
DRBG_STATE *drbg = NULL;
|
||||
|
||||
/* find the instantiated drbg */
|
||||
|
||||
if ((drbg = drbg_get_drbg(handle)) == NULL)
|
||||
DRBG_RET(DRBG_BAD_PARAMETER);
|
||||
|
||||
/* reseed the SHA-256 HMAC_DRBG */
|
||||
|
||||
return sha256_hmac_drbg_reseed((SHA256_HMAC_DRBG_STATE *)drbg->state);
|
||||
}
|
||||
|
||||
|
||||
/* ntru_crypto_drbg_generate
|
||||
*
|
||||
* This routine generates pseudorandom bytes using an instantiated drbg.
|
||||
* If the maximum number of requests has been reached, reseeding will occur.
|
||||
* See ANS X9.82: Part 3-2007.
|
||||
*
|
||||
* Returns DRBG_OK if successful.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid or if
|
||||
* an argument pointer is NULL.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested
|
||||
* is too large or the number of bytes requested is zero or too large.
|
||||
* Returns HMAC errors if they occur.
|
||||
*/
|
||||
|
||||
uint32_t
|
||||
ntru_crypto_drbg_generate(
|
||||
DRBG_HANDLE handle, /* in - drbg handle */
|
||||
uint32_t sec_strength_bits, /* in - requested sec strength in bits */
|
||||
uint32_t num_bytes, /* in - number of octets to generate */
|
||||
uint8_t *out) /* out - address for generated octets */
|
||||
{
|
||||
DRBG_STATE *drbg = NULL;
|
||||
|
||||
/* find the instantiated drbg */
|
||||
|
||||
if ((drbg = drbg_get_drbg(handle)) == NULL)
|
||||
DRBG_RET(DRBG_BAD_PARAMETER);
|
||||
|
||||
/* check arguments */
|
||||
|
||||
if (!out)
|
||||
DRBG_RET(DRBG_BAD_PARAMETER);
|
||||
if (num_bytes == 0)
|
||||
DRBG_RET(DRBG_BAD_LENGTH);
|
||||
|
||||
/* generate pseudorandom output from the SHA256_HMAC_DRBG */
|
||||
|
||||
return sha256_hmac_drbg_generate((SHA256_HMAC_DRBG_STATE *)drbg->state,
|
||||
sec_strength_bits, num_bytes, out);
|
||||
}
|
||||
|
|
@ -1,193 +0,0 @@
|
|||
/******************************************************************************
|
||||
* NTRU Cryptography Reference Source Code
|
||||
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
|
||||
*
|
||||
* ntru_crypto_drbg.h is a component of ntru-crypto.
|
||||
*
|
||||
* Copyright (C) 2009-2013 Security Innovation
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
*
|
||||
*****************************************************************************/
|
||||
|
||||
|
||||
/******************************************************************************
|
||||
*
|
||||
* File: ntru_crypto_drbg.h
|
||||
*
|
||||
* Contents: Public header file for ntru_crypto_drbg.c.
|
||||
*
|
||||
*****************************************************************************/
|
||||
|
||||
|
||||
#ifndef NTRU_CRYPTO_DRBG_H
|
||||
#define NTRU_CRYPTO_DRBG_H
|
||||
|
||||
#include "ntru_crypto_platform.h"
|
||||
#include "ntru_crypto_error.h"
|
||||
|
||||
#if !defined( NTRUCALL )
|
||||
#if !defined(WIN32) || defined (NTRUCRYPTO_STATIC)
|
||||
// Linux, or a Win32 static library
|
||||
#define NTRUCALL extern uint32_t
|
||||
#elif defined (NTRUCRYPTO_EXPORTS)
|
||||
// Win32 DLL build
|
||||
#define NTRUCALL extern __declspec(dllexport) uint32_t
|
||||
#else
|
||||
// Win32 DLL import
|
||||
#define NTRUCALL extern __declspec(dllimport) uint32_t
|
||||
#endif
|
||||
#endif /* NTRUCALL */
|
||||
|
||||
#if defined ( __cplusplus )
|
||||
extern "C" {
|
||||
#endif /* __cplusplus */
|
||||
|
||||
|
||||
/*******************
|
||||
* DRBG parameters *
|
||||
*******************/
|
||||
|
||||
#if !defined(DRBG_MAX_INSTANTIATIONS)
|
||||
#define DRBG_MAX_INSTANTIATIONS 4
|
||||
#endif
|
||||
#define DRBG_MAX_SEC_STRENGTH_BITS 256
|
||||
#define DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY 8
|
||||
|
||||
|
||||
/************************
|
||||
* HMAC_DRBG parameters *
|
||||
************************/
|
||||
|
||||
#define HMAC_DRBG_MAX_PERS_STR_BYTES 32
|
||||
#define HMAC_DRBG_MAX_BYTES_PER_REQUEST 1024
|
||||
|
||||
|
||||
/********************
|
||||
* type definitions *
|
||||
********************/
|
||||
|
||||
typedef uint32_t DRBG_HANDLE; /* drbg handle */
|
||||
typedef enum { /* entropy-function commands */
|
||||
GET_NUM_BYTES_PER_BYTE_OF_ENTROPY = 0,
|
||||
INIT,
|
||||
GET_BYTE_OF_ENTROPY,
|
||||
} ENTROPY_CMD;
|
||||
typedef uint8_t (*ENTROPY_FN)( /* get entropy function */
|
||||
ENTROPY_CMD cmd, /* command */
|
||||
uint8_t *out); /* address for output */
|
||||
|
||||
|
||||
/***************
|
||||
* error codes *
|
||||
***************/
|
||||
|
||||
#define DRBG_OK 0x00000000 /* no errors */
|
||||
#define DRBG_OUT_OF_MEMORY 0x00000001 /* can't allocate memory */
|
||||
#define DRBG_BAD_PARAMETER 0x00000002 /* null pointer */
|
||||
#define DRBG_BAD_LENGTH 0x00000003 /* invalid no. of bytes */
|
||||
#define DRBG_NOT_AVAILABLE 0x00000004 /* no instantiation slot available */
|
||||
#define DRBG_ENTROPY_FAIL 0x00000005 /* entropy function failure */
|
||||
|
||||
/***************
|
||||
* error macro *
|
||||
***************/
|
||||
|
||||
#define DRBG_RESULT(r) ((uint32_t)((r) ? DRBG_ERROR_BASE + (r) : (r)))
|
||||
#define DRBG_RET(r) return DRBG_RESULT(r);
|
||||
|
||||
|
||||
/*************************
|
||||
* function declarations *
|
||||
*************************/
|
||||
|
||||
/* ntru_crypto_drbg_instantiate
|
||||
*
|
||||
* This routine instantiates a drbg with the requested security strength.
|
||||
* See ANS X9.82: Part 3-2007.
|
||||
*
|
||||
* Returns DRBG_OK if successful.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if an argument pointer is NULL.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested
|
||||
* or the personalization string is too large.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_OUT_OF_MEMORY if the internal state cannot be
|
||||
* allocated from the heap.
|
||||
*/
|
||||
|
||||
NTRUCALL
|
||||
ntru_crypto_drbg_instantiate(
|
||||
uint32_t sec_strength_bits, /* in - requested sec strength in bits */
|
||||
uint8_t const *pers_str, /* in - ptr to personalization string */
|
||||
uint32_t pers_str_bytes, /* in - no. personalization str bytes */
|
||||
ENTROPY_FN entropy_fn, /* in - pointer to entropy function */
|
||||
DRBG_HANDLE *handle); /* out - address for drbg handle */
|
||||
|
||||
|
||||
/* ntru_crypto_drbg_uninstantiate
|
||||
*
|
||||
* This routine frees a drbg given its handle.
|
||||
*
|
||||
* Returns DRBG_OK if successful.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid.
|
||||
*/
|
||||
|
||||
NTRUCALL
|
||||
ntru_crypto_drbg_uninstantiate(
|
||||
DRBG_HANDLE handle); /* in - drbg handle */
|
||||
|
||||
|
||||
/* ntru_crypto_drbg_reseed
|
||||
*
|
||||
* This routine reseeds an instantiated drbg.
|
||||
* See ANS X9.82: Part 3-2007.
|
||||
*
|
||||
* Returns DRBG_OK if successful.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid.
|
||||
* Returns NTRU_CRYPTO_HMAC errors if they occur.
|
||||
*/
|
||||
|
||||
NTRUCALL
|
||||
ntru_crypto_drbg_reseed(
|
||||
DRBG_HANDLE handle); /* in - drbg handle */
|
||||
|
||||
|
||||
/* ntru_crypto_drbg_generate
|
||||
*
|
||||
* This routine generates pseudorandom bytes using an instantiated drbg.
|
||||
* If the maximum number of requests has been reached, reseeding will occur.
|
||||
* See ANS X9.82: Part 3-2007.
|
||||
*
|
||||
* Returns DRBG_OK if successful.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid or if
|
||||
* an argument pointer is NULL.
|
||||
* Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested
|
||||
* is too large or the number of bytes requested is zero or too large.
|
||||
* Returns NTRU_CRYPTO_HMAC errors if they occur.
|
||||
*/
|
||||
|
||||
NTRUCALL
|
||||
ntru_crypto_drbg_generate(
|
||||
DRBG_HANDLE handle, /* in - drbg handle */
|
||||
uint32_t sec_strength_bits, /* in - requested sec strength in bits */
|
||||
uint32_t num_bytes, /* in - number of octets to generate */
|
||||
uint8_t *out); /* out - address for generated octets */
|
||||
|
||||
|
||||
#if defined ( __cplusplus )
|
||||
}
|
||||
#endif /* __cplusplus */
|
||||
|
||||
|
||||
#endif /* NTRU_CRYPTO_DRBG_H */
|
|
@ -1,320 +0,0 @@
|
|||
/******************************************************************************
|
||||
* NTRU Cryptography Reference Source Code
|
||||
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
|
||||
*
|
||||
* ntru_crypto_hmac.c is a component of ntru-crypto.
|
||||
*
|
||||
* Copyright (C) 2009-2013 Security Innovation
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
*
|
||||
*****************************************************************************/
|
||||
|
||||
/******************************************************************************
|
||||
*
|
||||
* File: ntru_crypto_hmac.c
|
||||
*
|
||||
* Contents: Routines implementing the HMAC hash calculation.
|
||||
*
|
||||
*****************************************************************************/
|
||||
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include "ntru_crypto_hmac.h"
|
||||
|
||||
|
||||
/* HMAC context */
|
||||
|
||||
struct _NTRU_CRYPTO_HMAC_CTX {
|
||||
NTRU_CRYPTO_HASH_CTX hash_ctx;
|
||||
uint8_t *k0;
|
||||
uint16_t blk_len;
|
||||
uint16_t md_len;
|
||||
};
|
||||
|
||||
|
||||
/* ntru_crypto_hmac_create_ctx
|
||||
*
|
||||
* This routine creates an HMAC context, setting the hash algorithm and
|
||||
* the key to be used.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HMAC_OK if successful.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_ALG if the specified algorithm is not supported.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
* Returns NTRU_CRYPTO_HMAC_OUT_OF_MEMORY if memory cannot be allocated.
|
||||
*/
|
||||
|
||||
uint32_t
|
||||
ntru_crypto_hmac_create_ctx(
|
||||
NTRU_CRYPTO_HASH_ALGID algid, /* in - the hash algorithm to be used */
|
||||
uint8_t const *key, /* in - pointer to the HMAC key */
|
||||
uint32_t key_len, /* in - number of bytes in HMAC key */
|
||||
NTRU_CRYPTO_HMAC_CTX **c) /* out - address for pointer to HMAC
|
||||
context */
|
||||
{
|
||||
NTRU_CRYPTO_HMAC_CTX *ctx = NULL;
|
||||
uint32_t result;
|
||||
|
||||
/* check parameters */
|
||||
|
||||
if (!c || !key)
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
|
||||
|
||||
*c = NULL;
|
||||
|
||||
/* allocate memory for an HMAC context */
|
||||
|
||||
if ((ctx = (NTRU_CRYPTO_HMAC_CTX*) malloc(sizeof(NTRU_CRYPTO_HMAC_CTX))) ==
|
||||
NULL)
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_OUT_OF_MEMORY);
|
||||
|
||||
/* set the algorithm */
|
||||
|
||||
if (result = ntru_crypto_hash_set_alg(algid, &ctx->hash_ctx)) {
|
||||
free(ctx);
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_ALG);
|
||||
}
|
||||
|
||||
/* set block length and digest length */
|
||||
|
||||
if ((result = ntru_crypto_hash_block_length(&ctx->hash_ctx,
|
||||
&ctx->blk_len)) ||
|
||||
(result = ntru_crypto_hash_digest_length(&ctx->hash_ctx,
|
||||
&ctx->md_len))) {
|
||||
free(ctx);
|
||||
return result;
|
||||
}
|
||||
|
||||
/* allocate memory for K0 */
|
||||
|
||||
if ((ctx->k0 = (uint8_t*) malloc(ctx->blk_len)) == NULL) {
|
||||
free(ctx);
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_OUT_OF_MEMORY);
|
||||
}
|
||||
|
||||
/* calculate K0 and store in HMAC context */
|
||||
|
||||
memset(ctx->k0, 0, ctx->blk_len);
|
||||
|
||||
/* check if key is too large */
|
||||
|
||||
if (key_len > ctx->blk_len) {
|
||||
|
||||
if (result = ntru_crypto_hash_digest(algid, key, key_len, ctx->k0)) {
|
||||
memset(ctx->k0, 0, ctx->blk_len);
|
||||
free(ctx->k0);
|
||||
free(ctx);
|
||||
return result;
|
||||
}
|
||||
|
||||
} else
|
||||
memcpy(ctx->k0, key, key_len);
|
||||
|
||||
/* return pointer to HMAC context */
|
||||
|
||||
*c = ctx;
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_OK);
|
||||
}
|
||||
|
||||
|
||||
/* ntru_crypto_hmac_destroy_ctx
|
||||
*
|
||||
* Destroys an HMAC context.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HMAC_OK if successful.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
*/
|
||||
|
||||
uint32_t
|
||||
ntru_crypto_hmac_destroy_ctx(
|
||||
NTRU_CRYPTO_HMAC_CTX *c) /* in/out - pointer to HMAC context */
|
||||
{
|
||||
if (!c || !c->k0)
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
|
||||
|
||||
/* clear key and release memory */
|
||||
|
||||
memset(c->k0, 0, c->blk_len);
|
||||
free(c->k0);
|
||||
free(c);
|
||||
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_OK);
|
||||
}
|
||||
|
||||
|
||||
/* ntru_crypto_hmac_get_md_len
|
||||
*
|
||||
* This routine gets the digest length of the HMAC.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HMAC_OK on success.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
*/
|
||||
|
||||
uint32_t
|
||||
ntru_crypto_hmac_get_md_len(
|
||||
NTRU_CRYPTO_HMAC_CTX const *c, /* in - pointer to HMAC context */
|
||||
uint16_t *md_len) /* out - address for digest length */
|
||||
{
|
||||
/* check parameters */
|
||||
|
||||
if (!c || !md_len)
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
|
||||
|
||||
/* get digest length */
|
||||
|
||||
*md_len = c->md_len;
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_OK);
|
||||
}
|
||||
|
||||
|
||||
/* ntru_crypto_hmac_set_key
|
||||
*
|
||||
* This routine sets a digest-length key into the HMAC context.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HMAC_OK on success.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
*/
|
||||
|
||||
uint32_t
|
||||
ntru_crypto_hmac_set_key(
|
||||
NTRU_CRYPTO_HMAC_CTX *c, /* in - pointer to HMAC context */
|
||||
uint8_t const *key) /* in - pointer to new HMAC key */
|
||||
{
|
||||
/* check parameters */
|
||||
|
||||
if (!c || !key)
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
|
||||
|
||||
/* copy key */
|
||||
|
||||
memcpy(c->k0, key, c->md_len);
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_OK);
|
||||
}
|
||||
|
||||
|
||||
/* ntru_crypto_hmac_init
|
||||
*
|
||||
* This routine performs standard initialization of the HMAC state.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HMAC_OK on success.
|
||||
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
*/
|
||||
|
||||
uint32_t
|
||||
ntru_crypto_hmac_init(
|
||||
NTRU_CRYPTO_HMAC_CTX *c) /* in/out - pointer to HMAC context */
|
||||
{
|
||||
uint32_t result;
|
||||
int i;
|
||||
|
||||
/* check parameters */
|
||||
|
||||
if (!c)
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
|
||||
|
||||
/* init hash context and compute H(K0 ^ ipad) */
|
||||
|
||||
for (i = 0; i < c->blk_len; i++)
|
||||
c->k0[i] ^= 0x36; /* K0 ^ ipad */
|
||||
if ((result = ntru_crypto_hash_init(&c->hash_ctx)) ||
|
||||
(result = ntru_crypto_hash_update(&c->hash_ctx, c->k0, c->blk_len)))
|
||||
return result;
|
||||
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_OK);
|
||||
}
|
||||
|
||||
|
||||
/* ntru_crypto_hmac_update
|
||||
*
|
||||
* This routine processes input data and updates the HMAC hash calculation.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HMAC_OK on success.
|
||||
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
* Returns NTRU_CRYPTO_HASH_OVERFLOW if more than bytes are hashed than the
|
||||
* underlying hash algorithm can handle.
|
||||
*/
|
||||
|
||||
uint32_t
|
||||
ntru_crypto_hmac_update(
|
||||
NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */
|
||||
const uint8_t *data, /* in - pointer to input data */
|
||||
uint32_t data_len) /* in - no. of bytes of input data */
|
||||
{
|
||||
uint32_t result;
|
||||
|
||||
/* check parameters */
|
||||
|
||||
if (!c || (data_len && !data))
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
|
||||
|
||||
if (result = ntru_crypto_hash_update(&c->hash_ctx, data, data_len))
|
||||
return result;
|
||||
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_OK);
|
||||
}
|
||||
|
||||
|
||||
/* ntru_crypto_hmac_final
|
||||
*
|
||||
* This routine completes the HMAC hash calculation and returns the
|
||||
* message digest.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HMAC_OK on success.
|
||||
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
*/
|
||||
|
||||
uint32_t
|
||||
ntru_crypto_hmac_final(
|
||||
NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */
|
||||
uint8_t *md) /* out - address for message digest */
|
||||
{
|
||||
uint32_t result = NTRU_CRYPTO_HMAC_OK;
|
||||
int i;
|
||||
|
||||
/* check parameters */
|
||||
|
||||
if (!c || !md)
|
||||
HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
|
||||
|
||||
/* form K0 ^ opad
|
||||
* complete md = H((K0 ^ ipad) || data)
|
||||
* compute md = H((K0 ^ opad) || md)
|
||||
* re-form K0
|
||||
*/
|
||||
|
||||
for (i = 0; i < c->blk_len; i++)
|
||||
c->k0[i] ^= (0x36^0x5c);
|
||||
if ((result = ntru_crypto_hash_final(&c->hash_ctx, md)) ||
|
||||
(result = ntru_crypto_hash_init(&c->hash_ctx)) ||
|
||||
(result = ntru_crypto_hash_update(&c->hash_ctx, c->k0, c->blk_len)) ||
|
||||
(result = ntru_crypto_hash_update(&c->hash_ctx, md, c->md_len)) ||
|
||||
(result = ntru_crypto_hash_final(&c->hash_ctx, md))) {
|
||||
}
|
||||
for (i = 0; i < c->blk_len; i++)
|
||||
c->k0[i] ^= 0x5c;
|
||||
return result;
|
||||
}
|
||||
|
|
@ -1,183 +0,0 @@
|
|||
/*/******************************************************************************
|
||||
* NTRU Cryptography Reference Source Code
|
||||
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
|
||||
*
|
||||
* ntru_crypto_hmac.h is a component of ntru-crypto.
|
||||
*
|
||||
* Copyright (C) 2009-2013 Security Innovation
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
*
|
||||
*****************************************************************************/
|
||||
|
||||
/******************************************************************************
|
||||
*
|
||||
* File: ntru_crypto_hmac.h
|
||||
*
|
||||
* Contents: Definitions and declarations for the HMAC implementation.
|
||||
*
|
||||
*****************************************************************************/
|
||||
|
||||
#ifndef NTRU_CRYPTO_HMAC_H
|
||||
#define NTRU_CRYPTO_HMAC_H
|
||||
|
||||
|
||||
#include "ntru_crypto_platform.h"
|
||||
#include "ntru_crypto_hash.h"
|
||||
|
||||
|
||||
/***************
|
||||
* error codes *
|
||||
***************/
|
||||
|
||||
#define NTRU_CRYPTO_HMAC_OK ((uint32_t)NTRU_CRYPTO_HASH_OK)
|
||||
#define NTRU_CRYPTO_HMAC_BAD_PARAMETER ((uint32_t)NTRU_CRYPTO_HASH_BAD_PARAMETER)
|
||||
#define NTRU_CRYPTO_HMAC_BAD_ALG ((uint32_t)NTRU_CRYPTO_HASH_BAD_ALG)
|
||||
#define NTRU_CRYPTO_HMAC_OUT_OF_MEMORY ((uint32_t)NTRU_CRYPTO_HASH_OUT_OF_MEMORY)
|
||||
|
||||
#define HMAC_RESULT(e) ((uint32_t)((e) ? HMAC_ERROR_BASE + (e) : (e)))
|
||||
#define HMAC_RET(e) return HMAC_RESULT(e)
|
||||
|
||||
|
||||
/*************************
|
||||
* structure definitions *
|
||||
*************************/
|
||||
|
||||
/* HMAC context structure */
|
||||
|
||||
struct _NTRU_CRYPTO_HMAC_CTX; /* opaque forward reference */
|
||||
typedef struct _NTRU_CRYPTO_HMAC_CTX NTRU_CRYPTO_HMAC_CTX;
|
||||
|
||||
|
||||
/*************************
|
||||
* function declarations *
|
||||
*************************/
|
||||
|
||||
/* ntru_crypto_hmac_create_ctx
|
||||
*
|
||||
* This routine creates an HMAC context, setting the hash algorithm and
|
||||
* the key to be used.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HASH_OK if successful.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
* Returns NTRU_CRYPTO_HASH_OUT_OF_MEMORY if memory cannot be allocated.
|
||||
*/
|
||||
|
||||
extern uint32_t
|
||||
ntru_crypto_hmac_create_ctx(
|
||||
NTRU_CRYPTO_HASH_ALGID algid, /* in - the hash algorithm to be used */
|
||||
uint8_t const *key, /* in - pointer to the HMAC key */
|
||||
uint32_t key_len, /* in - number of bytes in HMAC key */
|
||||
NTRU_CRYPTO_HMAC_CTX **c); /* out - address for pointer to HMAC
|
||||
context */
|
||||
|
||||
|
||||
/* ntru_crypto_hmac_destroy_ctx
|
||||
*
|
||||
* Destroys an HMAC context.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HASH_OK if successful.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
*/
|
||||
|
||||
extern uint32_t
|
||||
ntru_crypto_hmac_destroy_ctx(
|
||||
NTRU_CRYPTO_HMAC_CTX *c); /* in/out - pointer to HMAC context */
|
||||
|
||||
|
||||
/* ntru_crypto_hmac_get_md_len
|
||||
*
|
||||
* This routine gets the digest length of the HMAC.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HMAC_OK on success.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
*/
|
||||
|
||||
extern uint32_t
|
||||
ntru_crypto_hmac_get_md_len(
|
||||
NTRU_CRYPTO_HMAC_CTX const *c, /* in - pointer to HMAC context */
|
||||
uint16_t *md_len); /* out - address for digest length */
|
||||
|
||||
|
||||
/* ntru_crypto_hmac_set_key
|
||||
*
|
||||
* This routine sets a digest-length key into the HMAC context.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HMAC_OK on success.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
*/
|
||||
|
||||
extern uint32_t
|
||||
ntru_crypto_hmac_set_key(
|
||||
NTRU_CRYPTO_HMAC_CTX *c, /* in - pointer to HMAC context */
|
||||
uint8_t const *key); /* in - pointer to new HMAC key */
|
||||
|
||||
|
||||
/* ntru_crypto_hmac_init
|
||||
*
|
||||
* This routine performs standard initialization of the HMAC state.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HMAC_OK on success.
|
||||
* Returns NTRU_CRYPTO_HMAC_FAIL with corrupted context.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
*/
|
||||
|
||||
extern uint32_t
|
||||
ntru_crypto_hmac_init(
|
||||
NTRU_CRYPTO_HMAC_CTX *c); /* in/out - pointer to HMAC context */
|
||||
|
||||
|
||||
/* ntru_crypto_hmac_update
|
||||
*
|
||||
* This routine processes input data and updates the HMAC hash calculation.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HMAC_OK on success.
|
||||
* Returns NTRU_CRYPTO_HMAC_FAIL with corrupted context.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
* Returns NTRU_CRYPTO_HMAC_OVERFLOW if more than bytes are hashed than the underlying
|
||||
* hash algorithm can handle.
|
||||
*/
|
||||
|
||||
extern uint32_t
|
||||
ntru_crypto_hmac_update(
|
||||
NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */
|
||||
uint8_t const *data, /* in - pointer to input data */
|
||||
uint32_t data_len); /* in - no. of bytes of input data */
|
||||
|
||||
|
||||
/* ntru_crypto_hmac_final
|
||||
*
|
||||
* This routine completes the HMAC hash calculation and returns the
|
||||
* message digest.
|
||||
*
|
||||
* Returns NTRU_CRYPTO_HMAC_OK on success.
|
||||
* Returns NTRU_CRYPTO_HMAC_FAIL with corrupted context.
|
||||
* Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
|
||||
* passed.
|
||||
*/
|
||||
|
||||
extern uint32_t
|
||||
ntru_crypto_hmac_final(
|
||||
NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */
|
||||
uint8_t *md); /* out - address for message digest */
|
||||
|
||||
|
||||
#endif /* NTRU_CRYPTO_HMAC_H */
|
|
@ -41,8 +41,6 @@
|
|||
#include "ntru_crypto_ntru_convert.h"
|
||||
#include "ntru_crypto_ntru_poly.h"
|
||||
#include "ntru_crypto_ntru_mgf1.h"
|
||||
#include "ntru_crypto_drbg.h"
|
||||
|
||||
|
||||
/* ntru_crypto_ntru_encrypt
|
||||
*
|
||||
|
@ -81,7 +79,7 @@
|
|||
|
||||
uint32_t
|
||||
ntru_crypto_ntru_encrypt(
|
||||
DRBG_HANDLE drbg_handle, /* in - handle of DRBG */
|
||||
ntru_drbg_t *drbg, /* in - handle of DRBG */
|
||||
uint16_t pubkey_blob_len, /* in - no. of octets in public key
|
||||
blob */
|
||||
uint8_t const *pubkey_blob, /* in - pointer to public key */
|
||||
|
@ -200,9 +198,15 @@ ntru_crypto_ntru_encrypt(
|
|||
uint8_t *ptr = tmp_buf;
|
||||
|
||||
/* get b */
|
||||
result = ntru_crypto_drbg_generate(drbg_handle,
|
||||
params->sec_strength_len << 3,
|
||||
params->sec_strength_len, b_buf);
|
||||
if (drbg->generate(drbg, params->sec_strength_len << 3,
|
||||
params->sec_strength_len, b_buf))
|
||||
{
|
||||
result = NTRU_OK;
|
||||
}
|
||||
else
|
||||
{
|
||||
result = NTRU_FAIL;
|
||||
}
|
||||
|
||||
if (result == NTRU_OK) {
|
||||
|
||||
|
@ -767,7 +771,7 @@ ntru_crypto_ntru_decrypt(
|
|||
|
||||
uint32_t
|
||||
ntru_crypto_ntru_encrypt_keygen(
|
||||
DRBG_HANDLE drbg_handle, /* in - handle of DRBG */
|
||||
ntru_drbg_t *drbg, /* in - handle of DRBG */
|
||||
NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */
|
||||
uint16_t *pubkey_blob_len, /* in/out - no. of octets in
|
||||
pubkey_blob, addr
|
||||
|
@ -881,9 +885,14 @@ ntru_crypto_ntru_encrypt_keygen(
|
|||
* as a list of indices
|
||||
*/
|
||||
|
||||
result = ntru_crypto_drbg_generate(drbg_handle,
|
||||
params->sec_strength_len << 3,
|
||||
seed_len, tmp_buf);
|
||||
if (drbg->generate(drbg, params->sec_strength_len << 3, seed_len, tmp_buf))
|
||||
{
|
||||
result = NTRU_OK;
|
||||
}
|
||||
else
|
||||
{
|
||||
result = NTRU_FAIL;
|
||||
}
|
||||
|
||||
if (result == NTRU_OK) {
|
||||
|
||||
|
@ -960,9 +969,11 @@ ntru_crypto_ntru_encrypt_keygen(
|
|||
/* get random bytes for seed for generating trinary g
|
||||
* as a list of indices
|
||||
*/
|
||||
result = ntru_crypto_drbg_generate(drbg_handle,
|
||||
params->sec_strength_len << 3,
|
||||
seed_len, tmp_buf);
|
||||
if (!drbg->generate(drbg, params->sec_strength_len << 3, seed_len,
|
||||
tmp_buf))
|
||||
{
|
||||
result = NTRU_FAIL;
|
||||
}
|
||||
}
|
||||
|
||||
if (result == NTRU_OK) {
|
||||
|
|
|
@ -0,0 +1,277 @@
|
|||
/*
|
||||
* Copyright (C) 2013 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "ntru_drbg.h"
|
||||
|
||||
#include <utils/debug.h>
|
||||
|
||||
#define MAX_STRENGTH_BITS 256
|
||||
#define MAX_DRBG_REQUESTS 0xffffffff
|
||||
|
||||
typedef struct private_ntru_drbg_t private_ntru_drbg_t;
|
||||
|
||||
/**
|
||||
* Private data of an ntru_drbg_t object.
|
||||
*/
|
||||
struct private_ntru_drbg_t {
|
||||
/**
|
||||
* Public ntru_drbg_t interface.
|
||||
*/
|
||||
ntru_drbg_t public;
|
||||
|
||||
/**
|
||||
* Security strength in bits of the DRBG
|
||||
*/
|
||||
u_int32_t strength;
|
||||
|
||||
/**
|
||||
* Number of requests for pseudorandom bits
|
||||
*/
|
||||
u_int32_t reseed_counter;
|
||||
|
||||
/**
|
||||
* Maximum number of requests for pseudorandom bits
|
||||
*/
|
||||
u_int32_t max_requests;
|
||||
|
||||
/**
|
||||
* True entropy source
|
||||
*/
|
||||
rng_t *entropy;
|
||||
|
||||
/**
|
||||
* HMAC-SHA256
|
||||
*/
|
||||
signer_t *hmac;
|
||||
|
||||
/**
|
||||
* Internal state of HMAC-SHA256: key
|
||||
*/
|
||||
chunk_t key;
|
||||
|
||||
/**
|
||||
* Internal state of HMAC-SHA256: value
|
||||
*/
|
||||
chunk_t value;
|
||||
|
||||
};
|
||||
|
||||
/**
|
||||
* Update the internal state of the HMAC_DRBG
|
||||
*/
|
||||
static bool update(private_ntru_drbg_t *this, chunk_t data)
|
||||
{
|
||||
chunk_t ch_00 = chunk_from_chars(0x00);
|
||||
chunk_t ch_01 = chunk_from_chars(0x01);
|
||||
|
||||
if (!this->hmac->set_key(this->hmac, this->key) ||
|
||||
!this->hmac->get_signature(this->hmac, this->value, NULL) ||
|
||||
!this->hmac->get_signature(this->hmac, ch_00, NULL) ||
|
||||
!this->hmac->get_signature(this->hmac, data, this->key.ptr) ||
|
||||
!this->hmac->set_key(this->hmac, this->key) ||
|
||||
!this->hmac->get_signature(this->hmac, this->value,
|
||||
this->value.ptr))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (data.len > 0)
|
||||
{
|
||||
if (!this->hmac->set_key(this->hmac, this->key) ||
|
||||
!this->hmac->get_signature(this->hmac, this->value, NULL) ||
|
||||
!this->hmac->get_signature(this->hmac, ch_01, NULL) ||
|
||||
!this->hmac->get_signature(this->hmac, data, this->key.ptr) ||
|
||||
!this->hmac->set_key(this->hmac, this->key) ||
|
||||
!this->hmac->get_signature(this->hmac, this->value,
|
||||
this->value.ptr))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
DBG4(DBG_LIB, "HMAC_DRBG V: %B", &this->value);
|
||||
DBG4(DBG_LIB, "HMAC_DRBG K: %B", &this->key);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
METHOD(ntru_drbg_t, get_strength, u_int32_t,
|
||||
private_ntru_drbg_t *this)
|
||||
{
|
||||
return this->strength;
|
||||
}
|
||||
|
||||
METHOD(ntru_drbg_t, reseed, bool,
|
||||
private_ntru_drbg_t *this)
|
||||
{
|
||||
chunk_t seed;
|
||||
|
||||
seed = chunk_alloc(this->strength / BITS_PER_BYTE);
|
||||
DBG2(DBG_LIB, "DBRG requesting %u bytes of entropy", seed.len);
|
||||
|
||||
if (!this->entropy->get_bytes(this->entropy, seed.len, seed.ptr))
|
||||
{
|
||||
chunk_free(&seed);
|
||||
return FALSE;
|
||||
}
|
||||
if (!update(this, seed))
|
||||
{
|
||||
chunk_free(&seed);
|
||||
return FALSE;
|
||||
}
|
||||
chunk_clear(&seed);
|
||||
this->reseed_counter = 1;
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
METHOD(ntru_drbg_t, generate, bool,
|
||||
private_ntru_drbg_t *this, u_int32_t strength, u_int32_t len, u_int8_t *out)
|
||||
{
|
||||
size_t delta;
|
||||
chunk_t output;
|
||||
|
||||
DBG2(DBG_LIB, "DRBG generates %u pseudorandom bytes", len);
|
||||
if (!out || len == 0)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
output = chunk_create(out, len);
|
||||
|
||||
if (this->reseed_counter >= this->max_requests)
|
||||
{
|
||||
if (!reseed(this))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
while (len)
|
||||
{
|
||||
if (!this->hmac->get_signature(this->hmac, this->value,
|
||||
this->value.ptr))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
delta = min(len, this->value.len);
|
||||
memcpy(out, this->value.ptr, delta);
|
||||
len -= delta;
|
||||
out += delta;
|
||||
}
|
||||
DBG4(DBG_LIB, "HMAC_DRBG Out: %B", &output);
|
||||
|
||||
if (!update(this, chunk_empty))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
this->reseed_counter++;
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
METHOD(ntru_drbg_t, destroy, void,
|
||||
private_ntru_drbg_t *this)
|
||||
{
|
||||
this->hmac->destroy(this->hmac);
|
||||
chunk_clear(&this->key);
|
||||
chunk_clear(&this->value);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
|
||||
rng_t *entropy)
|
||||
{
|
||||
private_ntru_drbg_t *this;
|
||||
chunk_t seed;
|
||||
signer_t *hmac;
|
||||
size_t entropy_len;
|
||||
u_int32_t max_requests;
|
||||
|
||||
if (strength > MAX_STRENGTH_BITS)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
if (strength <= 112)
|
||||
{
|
||||
strength = 112;
|
||||
}
|
||||
else if (strength <= 128)
|
||||
{
|
||||
strength = 128;
|
||||
}
|
||||
else if (strength <= 192)
|
||||
{
|
||||
strength = 192;
|
||||
}
|
||||
else
|
||||
{
|
||||
strength = 256;
|
||||
}
|
||||
|
||||
hmac = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA2_256_256);
|
||||
if (!hmac)
|
||||
{
|
||||
DBG1(DBG_LIB, "could not instantiate HMAC-SHA256");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
max_requests = lib->settings->get_int(lib->settings,
|
||||
"libstrongswan.plugins.ntru.max_drbg_requests",
|
||||
MAX_DRBG_REQUESTS);
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.get_strength = _get_strength,
|
||||
.reseed = _reseed,
|
||||
.generate = _generate,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
.strength = strength,
|
||||
.entropy = entropy,
|
||||
.hmac = hmac,
|
||||
.key = chunk_alloc(hmac->get_key_size(hmac)),
|
||||
.value = chunk_alloc(hmac->get_block_size(hmac)),
|
||||
.max_requests = max_requests,
|
||||
.reseed_counter = 1,
|
||||
);
|
||||
|
||||
memset(this->key.ptr, 0x00, this->key.len);
|
||||
memset(this->value.ptr, 0x01, this->value.len);
|
||||
|
||||
entropy_len = (strength + strength/2) / BITS_PER_BYTE;
|
||||
seed = chunk_alloc(entropy_len + pers_str.len);
|
||||
DBG2(DBG_LIB, "DBRG requesting %u bytes of entropy", entropy_len);
|
||||
|
||||
if (!this->entropy->get_bytes(this->entropy, entropy_len, seed.ptr))
|
||||
{
|
||||
chunk_free(&seed);
|
||||
destroy(this);
|
||||
return NULL;
|
||||
}
|
||||
memcpy(seed.ptr + entropy_len, pers_str.ptr, pers_str.len);
|
||||
DBG4(DBG_LIB, "seed: %B", &seed);
|
||||
|
||||
if (!update(this, seed))
|
||||
{
|
||||
chunk_free(&seed);
|
||||
destroy(this);
|
||||
return NULL;
|
||||
}
|
||||
chunk_clear(&seed);
|
||||
|
||||
return &this->public;
|
||||
}
|
||||
|
|
@ -0,0 +1,77 @@
|
|||
/*
|
||||
* Copyright (C) 2013 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup ntru_drbg ntru_drbg
|
||||
* @{ @ingroup ntru_p
|
||||
*/
|
||||
|
||||
#ifndef NTRU_DRBG_H_
|
||||
#define NTRU_DRBG_H_
|
||||
|
||||
typedef struct ntru_drbg_t ntru_drbg_t;
|
||||
|
||||
#include <library.h>
|
||||
|
||||
/**
|
||||
* Implements a HMAC Deterministic Random Bit Generator (HMAC_DRBG)
|
||||
* compliant with NIST SP 800-90A
|
||||
*/
|
||||
struct ntru_drbg_t {
|
||||
|
||||
/**
|
||||
* Reseed the instantiated DRBG
|
||||
*
|
||||
* @return configured security strength in bits
|
||||
*/
|
||||
u_int32_t (*get_strength)(ntru_drbg_t *this);
|
||||
|
||||
/**
|
||||
* Reseed the instantiated DRBG
|
||||
*
|
||||
* @return TRUE if successful
|
||||
*/
|
||||
bool (*reseed)(ntru_drbg_t *this);
|
||||
|
||||
/**
|
||||
* Generate pseudorandom bytes.
|
||||
* If the maximum number of requests has been reached, reseeding occurs
|
||||
*
|
||||
* @param strength requested security strength in bits
|
||||
* @param len number of octets to generate
|
||||
* @param out address of output buffer
|
||||
* @return TRUE if successful
|
||||
*/
|
||||
bool (*generate)(ntru_drbg_t *this, u_int32_t strength, u_int32_t len,
|
||||
u_int8_t *out);
|
||||
|
||||
/**
|
||||
* Uninstantiate and destroy the DRBG object
|
||||
*/
|
||||
void (*destroy)(ntru_drbg_t *this);
|
||||
};
|
||||
|
||||
/**
|
||||
* Create and instantiate a new DRBG objet.
|
||||
*
|
||||
* @param strength security strength in bits
|
||||
* @param pers_str personalization string
|
||||
* @param entropy entropy source to use
|
||||
*/
|
||||
ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
|
||||
rng_t *entropy);
|
||||
|
||||
#endif /** NTRU_DRBG_H_ @}*/
|
||||
|
|
@ -14,7 +14,7 @@
|
|||
*/
|
||||
|
||||
#include "ntru_ke.h"
|
||||
#include "ntru_plugin.h"
|
||||
#include "ntru_drbg.h"
|
||||
|
||||
#include "ntru_crypto/ntru_crypto.h"
|
||||
|
||||
|
@ -119,10 +119,15 @@ struct private_ntru_ke_t {
|
|||
*/
|
||||
bool computed;
|
||||
|
||||
/**
|
||||
* True Random Generator
|
||||
*/
|
||||
rng_t *entropy;
|
||||
|
||||
/**
|
||||
* Deterministic Random Bit Generator
|
||||
*/
|
||||
DRBG_HANDLE drbg;
|
||||
ntru_drbg_t *drbg;
|
||||
};
|
||||
|
||||
METHOD(diffie_hellman_t, get_my_public_value, void,
|
||||
|
@ -246,8 +251,8 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
|
|||
this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE);
|
||||
|
||||
/* generate the random shared secret */
|
||||
if (ntru_crypto_drbg_generate(this->drbg, this->strength,
|
||||
this->shared_secret.len, this->shared_secret.ptr) != DRBG_OK)
|
||||
if (!this->drbg->generate(this->drbg, this->strength,
|
||||
this->shared_secret.len, this->shared_secret.ptr))
|
||||
{
|
||||
DBG1(DBG_LIB, "generation of shared secret failed");
|
||||
chunk_free(&this->shared_secret);
|
||||
|
@ -289,10 +294,8 @@ METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
|
|||
METHOD(diffie_hellman_t, destroy, void,
|
||||
private_ntru_ke_t *this)
|
||||
{
|
||||
if (ntru_crypto_drbg_uninstantiate(this->drbg) != DRBG_OK)
|
||||
{
|
||||
DBG1(DBG_LIB, "error uninstantiating DRBG");
|
||||
}
|
||||
this->drbg->destroy(this->drbg);
|
||||
this->entropy->destroy(this->entropy);
|
||||
chunk_free(&this->pub_key);
|
||||
chunk_free(&this->ciphertext);
|
||||
chunk_clear(&this->priv_key);
|
||||
|
@ -306,9 +309,9 @@ METHOD(diffie_hellman_t, destroy, void,
|
|||
ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
|
||||
{
|
||||
private_ntru_ke_t *this;
|
||||
char personalization_str[] = "strongSwan NTRU-KE";
|
||||
param_set_t *param_sets, *param_set;
|
||||
DRBG_HANDLE drbg;
|
||||
rng_t *entropy;
|
||||
ntru_drbg_t *drbg;
|
||||
char *parameter_set;
|
||||
u_int32_t strength;
|
||||
|
||||
|
@ -356,11 +359,18 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
|
|||
DBG1(DBG_LIB, "%u bit %s NTRU parameter set %s selected", strength,
|
||||
parameter_set, param_set->name);
|
||||
|
||||
if (ntru_crypto_drbg_instantiate(strength,
|
||||
personalization_str, strlen(personalization_str),
|
||||
(ENTROPY_FN) &ntru_plugin_get_entropy, &drbg) != DRBG_OK)
|
||||
entropy = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
|
||||
if (!entropy)
|
||||
{
|
||||
DBG1(DBG_LIB, "could not attach entropy source for DRBG");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
drbg = ntru_drbg_create(strength, chunk_from_str("IKE NTRU-KE"), entropy);
|
||||
if (!drbg)
|
||||
{
|
||||
DBG1(DBG_LIB, "error instantiating DRBG at %u bit security", strength);
|
||||
DBG1(DBG_LIB, "could not instantiate DRBG at %u bit security", strength);
|
||||
entropy->destroy(entropy);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
@ -377,6 +387,7 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
|
|||
.group = group,
|
||||
.param_set = param_set,
|
||||
.strength = strength,
|
||||
.entropy = entropy,
|
||||
.drbg = drbg,
|
||||
);
|
||||
|
||||
|
|
|
@ -17,64 +17,9 @@
|
|||
#include "ntru_ke.h"
|
||||
|
||||
#include <library.h>
|
||||
#include <utils/debug.h>
|
||||
|
||||
typedef struct private_ntru_plugin_t private_ntru_plugin_t;
|
||||
|
||||
rng_t *rng;
|
||||
|
||||
bool ntru_plugin_get_entropy(ENTROPY_CMD cmd, uint8_t *out)
|
||||
{
|
||||
switch (cmd)
|
||||
{
|
||||
case INIT:
|
||||
return TRUE;
|
||||
case GET_NUM_BYTES_PER_BYTE_OF_ENTROPY:
|
||||
/* Here we return the number of bytes needed from the entropy
|
||||
* source to obtain 8 bits of entropy. Maximum is 8.
|
||||
*/
|
||||
if (!out)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
*out = 1; /* this is a perfectly random source */
|
||||
return TRUE;
|
||||
case GET_BYTE_OF_ENTROPY:
|
||||
if (!out)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
if (!rng || !rng->get_bytes(rng, 1, out))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
return TRUE;
|
||||
default:
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Create/Destroy True Random Generator
|
||||
*/
|
||||
static bool create_random(private_ntru_plugin_t *this,
|
||||
plugin_feature_t *feature, bool reg, void *data)
|
||||
{
|
||||
if (reg)
|
||||
{
|
||||
rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
|
||||
if (!rng)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
rng->destroy(rng);
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/**
|
||||
* private data of ntru_plugin
|
||||
*/
|
||||
|
@ -95,27 +40,18 @@ METHOD(plugin_t, get_name, char*,
|
|||
METHOD(plugin_t, get_features, int,
|
||||
private_ntru_plugin_t *this, plugin_feature_t *features[])
|
||||
{
|
||||
int count = 0;
|
||||
|
||||
static plugin_feature_t f_ke[] = {
|
||||
static plugin_feature_t f[] = {
|
||||
PLUGIN_REGISTER(DH, ntru_ke_create),
|
||||
PLUGIN_PROVIDE(DH, NTRU_112_BIT),
|
||||
PLUGIN_PROVIDE(DH, NTRU_128_BIT),
|
||||
PLUGIN_PROVIDE(DH, NTRU_192_BIT),
|
||||
PLUGIN_PROVIDE(DH, NTRU_256_BIT),
|
||||
PLUGIN_DEPENDS(RNG, RNG_TRUE),
|
||||
PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_SHA2_256_256),
|
||||
};
|
||||
static plugin_feature_t f_rng[] = {
|
||||
PLUGIN_CALLBACK((plugin_feature_callback_t)create_random, NULL),
|
||||
PLUGIN_PROVIDE(CUSTOM, "ntru-rng"),
|
||||
PLUGIN_DEPENDS(RNG, RNG_TRUE),
|
||||
};
|
||||
static plugin_feature_t f[countof(f_ke) + countof(f_rng)] = {};
|
||||
|
||||
plugin_features_add(f, f_ke, countof(f_ke), &count);
|
||||
plugin_features_add(f, f_rng, countof(f_rng), &count);
|
||||
|
||||
*features = f;
|
||||
return count;
|
||||
|
||||
return countof(f);
|
||||
}
|
||||
|
||||
METHOD(plugin_t, destroy, void,
|
||||
|
@ -141,6 +77,5 @@ plugin_t *ntru_plugin_create()
|
|||
},
|
||||
);
|
||||
|
||||
|
||||
return &this->public.plugin;
|
||||
}
|
||||
|
|
|
@ -26,8 +26,6 @@
|
|||
|
||||
#include <plugins/plugin.h>
|
||||
|
||||
#include "ntru_crypto/ntru_crypto_drbg.h"
|
||||
|
||||
typedef struct ntru_plugin_t ntru_plugin_t;
|
||||
|
||||
/**
|
||||
|
@ -41,13 +39,4 @@ struct ntru_plugin_t {
|
|||
plugin_t plugin;
|
||||
};
|
||||
|
||||
/**
|
||||
* Return true random bytes
|
||||
*
|
||||
* @param cmd command to be executed
|
||||
* @param out output variable
|
||||
* @result return code
|
||||
*/
|
||||
bool ntru_plugin_get_entropy(ENTROPY_CMD cmd, uint8_t *out);
|
||||
|
||||
#endif /** NTRU_PLUGIN_H_ @}*/
|
||||
|
|
|
@ -0,0 +1,89 @@
|
|||
/*
|
||||
* Copyright (C) 2013 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "ntru_test_rng.h"
|
||||
|
||||
typedef struct private_ntru_test_rng_t private_ntru_test_rng_t;
|
||||
|
||||
/**
|
||||
* Private data of an ntru_test_rng_t object.
|
||||
*/
|
||||
struct private_ntru_test_rng_t {
|
||||
|
||||
/**
|
||||
* Public ntru_test_rng_t interface.
|
||||
*/
|
||||
ntru_test_rng_t public;
|
||||
|
||||
/**
|
||||
* entropy string
|
||||
*/
|
||||
chunk_t entropy;
|
||||
};
|
||||
|
||||
METHOD(rng_t, get_bytes, bool,
|
||||
private_ntru_test_rng_t *this, size_t bytes, u_int8_t *buffer)
|
||||
{
|
||||
if (bytes > this->entropy.len)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
memcpy(buffer, this->entropy.ptr, bytes);
|
||||
this->entropy = chunk_skip(this->entropy, bytes);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
METHOD(rng_t, allocate_bytes, bool,
|
||||
private_ntru_test_rng_t *this, size_t bytes, chunk_t *chunk)
|
||||
{
|
||||
if (bytes > this->entropy.len)
|
||||
{
|
||||
*chunk = chunk_empty;
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
*chunk = chunk_alloc(bytes);
|
||||
memcpy(chunk->ptr, this->entropy.ptr, bytes);
|
||||
this->entropy = chunk_skip(this->entropy, bytes);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
METHOD(rng_t, destroy, void,
|
||||
private_ntru_test_rng_t *this)
|
||||
{
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
rng_t *ntru_test_rng_create(chunk_t entropy)
|
||||
{
|
||||
private_ntru_test_rng_t *this;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.rng = {
|
||||
.get_bytes = _get_bytes,
|
||||
.allocate_bytes = _allocate_bytes,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
},
|
||||
.entropy = entropy,
|
||||
);
|
||||
|
||||
return &this->public.rng;
|
||||
}
|
||||
|
|
@ -0,0 +1,47 @@
|
|||
/*
|
||||
* Copyright (C) 2013 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup ntru_test_rng ntru_test_rng
|
||||
* @{ @ingroup ntru_p
|
||||
*/
|
||||
|
||||
#ifndef NTRU_TEST_RNG_H_
|
||||
#define NTRU_TEST_RNG_H_
|
||||
|
||||
typedef struct ntru_test_rng_t ntru_test_rng_t;
|
||||
|
||||
#include <library.h>
|
||||
|
||||
/**
|
||||
* rng_t providing NIST SP 800-90A entropy test vectors
|
||||
*/
|
||||
struct ntru_test_rng_t {
|
||||
|
||||
/**
|
||||
* Implements rng_t.
|
||||
*/
|
||||
rng_t rng;
|
||||
};
|
||||
|
||||
/**
|
||||
* Creates an ntru_test_rng_t instance.
|
||||
*
|
||||
* @param entropy entropy test vector
|
||||
* @return created ntru_test_rng_t
|
||||
*/
|
||||
rng_t *ntru_test_rng_create(chunk_t entropy);
|
||||
|
||||
#endif /** NTRU_TEST_RNG_H_ @} */
|
|
@ -15,7 +15,8 @@
|
|||
|
||||
#include "test_suite.h"
|
||||
|
||||
#include <plugins/ntru/ntru_plugin.h>
|
||||
#include <plugins/ntru/ntru_drbg.h>
|
||||
#include <plugins/ntru/ntru_test_rng.h>
|
||||
|
||||
/**
|
||||
* NTRU parameter sets to test
|
||||
|
@ -37,11 +38,145 @@ char *parameter_sets[] = {
|
|||
"x9_98_speed", "x9_98_bandwidth", "x9_98_balance", "optimum"
|
||||
};
|
||||
|
||||
START_TEST(test_ntru_entropy)
|
||||
typedef struct {
|
||||
u_int32_t requested;
|
||||
u_int32_t standard;
|
||||
}strength_t;
|
||||
|
||||
strength_t strengths[] = {
|
||||
{ 80, 112 },
|
||||
{ 112, 112 },
|
||||
{ 120, 128 },
|
||||
{ 128, 128 },
|
||||
{ 150, 192 },
|
||||
{ 192, 192 },
|
||||
{ 200, 256 },
|
||||
{ 256, 256 },
|
||||
{ 512, 0 }
|
||||
};
|
||||
|
||||
START_TEST(test_ntru_drbg_strength)
|
||||
{
|
||||
ck_assert(!ntru_plugin_get_entropy(GET_NUM_BYTES_PER_BYTE_OF_ENTROPY, NULL));
|
||||
ck_assert(!ntru_plugin_get_entropy(GET_BYTE_OF_ENTROPY, NULL));
|
||||
ck_assert(!ntru_plugin_get_entropy(10, NULL));
|
||||
ntru_drbg_t *drbg;
|
||||
rng_t *entropy;
|
||||
|
||||
entropy = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
|
||||
ck_assert(entropy != NULL);
|
||||
|
||||
drbg = ntru_drbg_create(strengths[_i].requested, chunk_empty, entropy);
|
||||
if (strengths[_i].standard)
|
||||
{
|
||||
ck_assert(drbg != NULL);
|
||||
ck_assert(drbg->get_strength(drbg) == strengths[_i].standard);
|
||||
drbg->destroy(drbg);
|
||||
}
|
||||
else
|
||||
{
|
||||
ck_assert(drbg == NULL);
|
||||
}
|
||||
entropy->destroy(entropy);
|
||||
}
|
||||
END_TEST
|
||||
|
||||
START_TEST(test_ntru_dbrg)
|
||||
{
|
||||
typedef struct {
|
||||
chunk_t pers_str;
|
||||
chunk_t entropy;
|
||||
chunk_t out;
|
||||
} dbrg_test_t;
|
||||
|
||||
dbrg_test_t dbrg_tests[] = {
|
||||
{ chunk_empty,
|
||||
chunk_from_chars(0x06, 0x03, 0x2c, 0xd5, 0xee, 0xd3, 0x3f, 0x39,
|
||||
0x26, 0x5f, 0x49, 0xec, 0xb1, 0x42, 0xc5, 0x11,
|
||||
0xda, 0x9a, 0xff, 0x2a, 0xf7, 0x12, 0x03, 0xbf,
|
||||
0xfa, 0xf3, 0x4a, 0x9c, 0xa5, 0xbd, 0x9c, 0x0d,
|
||||
0x0e, 0x66, 0xf7, 0x1e, 0xdc, 0x43, 0xe4, 0x2a,
|
||||
0x45, 0xad, 0x3c, 0x6f, 0xc6, 0xcd, 0xc4, 0xdf,
|
||||
0x01, 0x92, 0x0a, 0x4e, 0x66, 0x9e, 0xd3, 0xa8,
|
||||
0x5a, 0xe8, 0xa3, 0x3b, 0x35, 0xa7, 0x4a, 0xd7,
|
||||
0xfb, 0x2a, 0x6b, 0xb4, 0xcf, 0x39, 0x5c, 0xe0,
|
||||
0x03, 0x34, 0xa9, 0xc9, 0xa5, 0xa5, 0xd5, 0x52),
|
||||
chunk_from_chars(0x76, 0xfc, 0x79, 0xfe, 0x9b, 0x50, 0xbe, 0xcc,
|
||||
0xc9, 0x91, 0xa1, 0x1b, 0x56, 0x35, 0x78, 0x3a,
|
||||
0x83, 0x53, 0x6a, 0xdd, 0x03, 0xc1, 0x57, 0xfb,
|
||||
0x30, 0x64, 0x5e, 0x61, 0x1c, 0x28, 0x98, 0xbb,
|
||||
0x2b, 0x1b, 0xc2, 0x15, 0x00, 0x02, 0x09, 0x20,
|
||||
0x8c, 0xd5, 0x06, 0xcb, 0x28, 0xda, 0x2a, 0x51,
|
||||
0xbd, 0xb0, 0x38, 0x26, 0xaa, 0xf2, 0xbd, 0x23,
|
||||
0x35, 0xd5, 0x76, 0xd5, 0x19, 0x16, 0x08, 0x42,
|
||||
0xe7, 0x15, 0x8a, 0xd0, 0x94, 0x9d, 0x1a, 0x9e,
|
||||
0xc3, 0xe6, 0x6e, 0xa1, 0xb1, 0xa0, 0x64, 0xb0,
|
||||
0x05, 0xde, 0x91, 0x4e, 0xac, 0x2e, 0x9d, 0x4f,
|
||||
0x2d, 0x72, 0xa8, 0x61, 0x6a, 0x80, 0x22, 0x54,
|
||||
0x22, 0x91, 0x82, 0x50, 0xff, 0x66, 0xa4, 0x1b,
|
||||
0xd2, 0xf8, 0x64, 0xa6, 0xa3, 0x8c, 0xc5, 0xb6,
|
||||
0x49, 0x9d, 0xc4, 0x3f, 0x7f, 0x2b, 0xd0, 0x9e,
|
||||
0x1e, 0x0f, 0x8f, 0x58, 0x85, 0x93, 0x51, 0x24)
|
||||
},
|
||||
{ chunk_from_chars(0xf2, 0xe5, 0x8f, 0xe6, 0x0a, 0x3a, 0xfc, 0x59,
|
||||
0xda, 0xd3, 0x75, 0x95, 0x41, 0x5f, 0xfd, 0x31,
|
||||
0x8c, 0xcf, 0x69, 0xd6, 0x77, 0x80, 0xf6, 0xfa,
|
||||
0x07, 0x97, 0xdc, 0x9a, 0xa4, 0x3e, 0x14, 0x4c),
|
||||
chunk_from_chars(0xfa, 0x0e, 0xe1, 0xfe, 0x39, 0xc7, 0xc3, 0x90,
|
||||
0xaa, 0x94, 0x15, 0x9d, 0x0d, 0xe9, 0x75, 0x64,
|
||||
0x34, 0x2b, 0x59, 0x17, 0x77, 0xf3, 0xe5, 0xf6,
|
||||
0xa4, 0xba, 0x2a, 0xea, 0x34, 0x2e, 0xc8, 0x40,
|
||||
0xdd, 0x08, 0x20, 0x65, 0x5c, 0xb2, 0xff, 0xdb,
|
||||
0x0d, 0xa9, 0xe9, 0x31, 0x0a, 0x67, 0xc9, 0xe5,
|
||||
0xe0, 0x62, 0x9b, 0x6d, 0x79, 0x75, 0xdd, 0xfa,
|
||||
0x96, 0xa3, 0x99, 0x64, 0x87, 0x40, 0xe6, 0x0f,
|
||||
0x1f, 0x95, 0x57, 0xdc, 0x58, 0xb3, 0xd7, 0x41,
|
||||
0x5f, 0x9b, 0xa9, 0xd4, 0xdb, 0xb5, 0x01, 0xf6),
|
||||
chunk_from_chars(0xf9, 0x2d, 0x4c, 0xf9, 0x9a, 0x53, 0x5b, 0x20,
|
||||
0x22, 0x2a, 0x52, 0xa6, 0x8d, 0xb0, 0x4c, 0x5a,
|
||||
0xf6, 0xf5, 0xff, 0xc7, 0xb6, 0x6a, 0x47, 0x3a,
|
||||
0x37, 0xa2, 0x56, 0xbd, 0x8d, 0x29, 0x8f, 0x9b,
|
||||
0x4a, 0xa4, 0xaf, 0x7e, 0x8d, 0x18, 0x1e, 0x02,
|
||||
0x36, 0x79, 0x03, 0xf9, 0x3b, 0xdb, 0x74, 0x4c,
|
||||
0x6c, 0x2f, 0x3f, 0x34, 0x72, 0x62, 0x6b, 0x40,
|
||||
0xce, 0x9b, 0xd6, 0xa7, 0x0e, 0x7b, 0x8f, 0x93,
|
||||
0x99, 0x2a, 0x16, 0xa7, 0x6f, 0xab, 0x6b, 0x5f,
|
||||
0x16, 0x25, 0x68, 0xe0, 0x8e, 0xe6, 0xc3, 0xe8,
|
||||
0x04, 0xae, 0xfd, 0x95, 0x2d, 0xdd, 0x3a, 0xcb,
|
||||
0x79, 0x1c, 0x50, 0xf2, 0xad, 0x69, 0xe9, 0xa0,
|
||||
0x40, 0x28, 0xa0, 0x6a, 0x9c, 0x01, 0xd3, 0xa6,
|
||||
0x2a, 0xca, 0x2a, 0xaf, 0x6e, 0xfe, 0x69, 0xed,
|
||||
0x97, 0xa0, 0x16, 0x21, 0x3a, 0x2d, 0xd6, 0x42,
|
||||
0xb4, 0x88, 0x67, 0x64, 0x07, 0x2d, 0x9c, 0xbe)
|
||||
}
|
||||
};
|
||||
|
||||
ntru_drbg_t *drbg;
|
||||
rng_t *entropy;
|
||||
chunk_t in, out;
|
||||
int i;
|
||||
|
||||
/* test ntru_test_rng */
|
||||
in = chunk_from_chars(0x01, 0x02, 0x04, 0x04);
|
||||
entropy = ntru_test_rng_create(in);
|
||||
ck_assert(entropy->allocate_bytes(entropy, 4, &out));
|
||||
ck_assert(chunk_equals(in, out));
|
||||
chunk_free(&out);
|
||||
ck_assert(!entropy->allocate_bytes(entropy, 4, &out));
|
||||
entropy->destroy(entropy);
|
||||
|
||||
/* test DRBG with ntru_test_rng providing NIST test vectors */
|
||||
out = chunk_alloc(128);
|
||||
for (i = 0; i < countof(dbrg_tests); i++)
|
||||
{
|
||||
entropy = ntru_test_rng_create(dbrg_tests[i].entropy);
|
||||
drbg = ntru_drbg_create(256, dbrg_tests[i].pers_str, entropy);
|
||||
ck_assert(drbg != NULL);
|
||||
ck_assert(drbg->reseed(drbg));
|
||||
ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
|
||||
ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
|
||||
ck_assert(chunk_equals(out, dbrg_tests[i].out));
|
||||
drbg->destroy(drbg);
|
||||
entropy->destroy(entropy);
|
||||
}
|
||||
chunk_free(&out);
|
||||
}
|
||||
END_TEST
|
||||
|
||||
|
@ -239,8 +374,12 @@ Suite *ntru_suite_create()
|
|||
|
||||
s = suite_create("ntru");
|
||||
|
||||
tc = tcase_create("entropy");
|
||||
tcase_add_test(tc, test_ntru_entropy);
|
||||
tc = tcase_create("dbrg_strength");
|
||||
tcase_add_loop_test(tc, test_ntru_drbg_strength, 0, countof(strengths));
|
||||
suite_add_tcase(s, tc);
|
||||
|
||||
tc = tcase_create("dbrg");
|
||||
tcase_add_test(tc, test_ntru_dbrg);
|
||||
suite_add_tcase(s, tc);
|
||||
|
||||
tc = tcase_create("ke");
|
||||
|
|
|
@ -34,5 +34,5 @@ TEST_SUITE(host_suite_create)
|
|||
TEST_SUITE(printf_suite_create)
|
||||
TEST_SUITE(pen_suite_create)
|
||||
TEST_SUITE(asn1_suite_create)
|
||||
TEST_SUITE_DEPEND(ntru_suite_create, CUSTOM, "ntru-rng")
|
||||
TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)
|
||||
|
||||
|
|
Loading…
Reference in New Issue