strongswan/src/libstrongswan/plugins/drbg/drbg_ctr.c

/*
 * Copyright (C) 2016-2019 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "drbg_ctr.h"

#define MAX_DRBG_REQUESTS	0xfffffffe	/* 2^32 - 2 */
#define MAX_DRBG_BYTES		0x00010000	/* 2^19 bits = 2^16 bytes */

typedef struct private_drbg_ctr_t private_drbg_ctr_t;

/**
 * Private data of an drbg_ctr_t object.
 */
struct private_drbg_ctr_t {

	/**
	 * Public drbg_ctr_t interface.
	 */
	drbg_ctr_t public;

	/**
	 * DRBG type.
	 */
	drbg_type_t type;

	/**
	 * Security strength in bits.
	 */
	uint32_t strength;

	/**
	 * Number of requests for pseudorandom bits
	 */
	uint32_t reseed_counter;

	/**
	 * Maximum number of requests for pseudorandom bits
	 */
	uint32_t max_requests;

	/**
	 * True entropy source
	 */
	rng_t *entropy;

	/**
	 * Block cipher in counter mode used by the DRBG
	 */
	crypter_t *crypter;

	/**
	 * Internal state of HMAC: key
	 */
	chunk_t key;

	/**
	 * Internal state of HMAC: value
	 */
	chunk_t value;

	/**
	 * reference count
	 */
	refcount_t ref;

};

METHOD(drbg_t, get_type, drbg_type_t,
	private_drbg_ctr_t *this)
{
	return this->type;
}

METHOD(drbg_t, get_strength, uint32_t,
	private_drbg_ctr_t *this)
{
	return this->strength;
}

static bool encrypt_ctr(private_drbg_ctr_t *this, chunk_t out)
{
	chunk_t bl = chunk_alloca(this->value.len);
	chunk_t block;
	size_t delta, pos = 0;

	if (!this->crypter->set_key(this->crypter, this->key))
	{
		return FALSE;
	}

	while (pos < out.len)
	{
		/* Increment counter by one */
		chunk_increment(this->value);

		/* Copy current counter to input block */
		delta = out.len - pos;
		block = (delta < this->value.len) ?
					 bl : chunk_create(out.ptr + pos, this->value.len);
		memcpy(block.ptr, this->value.ptr, this->value.len);

		/* ECB encryption */
		if (!this->crypter->encrypt(this->crypter, block, chunk_empty, NULL))
		{
			return FALSE;
		}

		/* Partial output block at the end? */
		if (delta < this->value.len)
		{
			memcpy(out.ptr + pos, block.ptr, delta);
		}
		pos += this->value.len;
	}

	return TRUE;
}

/**
 * Update the internal state of the CTR_DRBG
 */
static bool update(private_drbg_ctr_t *this, chunk_t data)
{
	chunk_t temp;

	if (data.len && data.len != (this->key.len + this->value.len))
	{
		return FALSE;
	}
	temp = chunk_alloca(this->key.len + this->value.len);

	if (!encrypt_ctr(this, temp))
	{
		return FALSE;
	}
	/* Apply data */
	memxor(temp.ptr, data.ptr, data.len);

	/* Copy new key and value */
	memcpy(this->key.ptr, temp.ptr, this->key.len);
	memcpy(this->value.ptr, temp.ptr + this->key.len, this->value.len);
	memwipe(temp.ptr, temp.len);
	DBG4(DBG_LIB, "CTR_DRBG K: %B", &this->key);
	DBG4(DBG_LIB, "CTR_DRBG V: %B", &this->value);

	return TRUE;
}

METHOD(drbg_t, reseed, bool,
	private_drbg_ctr_t *this)
{
	chunk_t seed;
	bool success;

	seed = chunk_alloc(this->key.len + this->value.len);
	DBG2(DBG_LIB, "DRBG requests %u bytes of entropy", seed.len);

	if (!this->entropy->get_bytes(this->entropy, seed.len, seed.ptr))
	{
		chunk_free(&seed);
		return FALSE;
	}
	DBG4(DBG_LIB, "reseed: %B", &seed);

	success = update(this, seed);
	chunk_clear(&seed);

	if (!success)
	{
		return FALSE;
	}
	this->reseed_counter = 1;

	return TRUE;
}

METHOD(drbg_t, generate, bool,
	private_drbg_ctr_t *this, uint32_t len, uint8_t *out)
{
	chunk_t output;

	if (len > MAX_DRBG_BYTES)
	{
		DBG1(DBG_LIB, "DRBG cannot generate more than %d bytes", MAX_DRBG_BYTES);
		return FALSE;
	}

	if (this->reseed_counter > this->max_requests)
	{
		if (!reseed(this))
		{
			return FALSE;
		}
	}

	DBG2(DBG_LIB, "DRBG generates %u pseudorandom bytes", len);
	if (!out || len == 0)
	{
		return FALSE;
	}
	output = chunk_create(out, len);

	if (!encrypt_ctr(this, output))
	{
		return FALSE;
	}
	DBG4(DBG_LIB, "CTR_DRBG Out: %B", &output);

	if (!update(this, chunk_empty))
	{
		return FALSE;
	}
	this->reseed_counter++;

	return TRUE;
}

METHOD(drbg_t, get_ref, drbg_t*,
	private_drbg_ctr_t *this)
{
	ref_get(&this->ref);
	return &this->public.interface;
}

METHOD(drbg_t, destroy, void,
	private_drbg_ctr_t *this)
{
	if (ref_put(&this->ref))
	{
		DESTROY_IF(this->entropy);
		this->crypter->destroy(this->crypter);
		chunk_clear(&this->key);
		chunk_clear(&this->value);
		free(this);
	}
}

/**
 * See header
 */
drbg_ctr_t *drbg_ctr_create(drbg_type_t type, uint32_t strength,
							rng_t *entropy, chunk_t personalization_str)
{
	private_drbg_ctr_t *this;
	encryption_algorithm_t crypter_type;
	crypter_t *crypter;
	chunk_t seed;
	size_t key_len, out_len, seed_len;
	uint32_t max_requests;
	bool success;

	switch (type)
	{
		case DRBG_CTR_AES128:
			crypter_type = ENCR_AES_ECB;
			key_len = 16;
			break;
		case DRBG_CTR_AES192:
			crypter_type = ENCR_AES_ECB;
			key_len = 24;
			break;
		case DRBG_CTR_AES256:
			crypter_type = ENCR_AES_ECB;
			key_len = 32;
			break;
		default:
			DBG1(DBG_LIB, "%N not supported", drbg_type_names, type);
			return NULL;
	}

	if (strength >  key_len * BITS_PER_BYTE)
	{
		DBG1(DBG_LIB, "%d bit block encryption key not sufficient for security "
			 "strength of % bits", key_len * BITS_PER_BYTE, strength);
		return NULL;
	}

	crypter = lib->crypto->create_crypter(lib->crypto, crypter_type, key_len);
	if (!crypter)
	{
		DBG1(DBG_LIB, "creation of %N for DRBG failed",
			 encryption_algorithm_names, crypter_type);
		return NULL;
	}
	out_len = crypter->get_block_size(crypter);
	seed_len = key_len + out_len;

	if (personalization_str.len > seed_len)
	{
		DBG1(DBG_LIB, "personalization string length of %d bytes is larger "
			 "than seed length of % bytes", personalization_str.len, seed_len);
		crypter->destroy(crypter);
		return NULL;
	}

	max_requests = lib->settings->get_int(lib->settings,
										  "%s.plugins.drbg.max_drbg_requests",
										  MAX_DRBG_REQUESTS, lib->ns);

	INIT(this,
		.public = {
			.interface = {
				.get_type = _get_type,
				.get_strength = _get_strength,
				.reseed = _reseed,
				.generate = _generate,
				.get_ref = _get_ref,
				.destroy = _destroy,
			},
		},
		.type = type,
		.strength = strength,
		.crypter = crypter,
		.key = chunk_alloc(key_len),
		.value = chunk_alloc(out_len),
		.max_requests = max_requests,
		.reseed_counter = 1,
		.ref = 1,
	);

	memset(this->key.ptr,   0x00, key_len);
	memset(this->value.ptr, 0x00, out_len);

	seed = chunk_alloc(seed_len);
	DBG2(DBG_LIB, "DRBG requests %u bytes of entropy", seed_len);

	if (!entropy->get_bytes(entropy, seed.len, seed.ptr))
	{
		chunk_free(&seed);
		destroy(this);
		return NULL;
	}
	memxor(seed.ptr, personalization_str.ptr, personalization_str.len);
	DBG4(DBG_LIB, "seed: %B", &seed);

	success = update(this, seed);
	chunk_clear(&seed);

	if (!success)
	{
		destroy(this);
		return NULL;
	}

	/* ownership of entropy source is transferred to DRBG */
	this->entropy = entropy;

	return &this->public;
}