libstrongswan_ntru_la_SOURCES = \
ntru_plugin.h ntru_plugin.c \
+ ntru_drbg.h ntru_drbg.c \
ntru_ke.h ntru_ke.c \
+ ntru_test_rng.h ntru_test_rng.c \
ntru_crypto/ntru_crypto.h ntru_crypto/ntru_crypto_error.h \
- ntru_crypto/ntru_crypto_drbg.h ntru_crypto/ntru_crypto_drbg.c \
ntru_crypto/ntru_crypto_hash_basics.h \
ntru_crypto/ntru_crypto_hash.h ntru_crypto/ntru_crypto_hash.c \
- ntru_crypto/ntru_crypto_hmac.h ntru_crypto/ntru_crypto_hmac.c \
ntru_crypto/ntru_crypto_msbyte_uint32.h \
ntru_crypto/ntru_crypto_msbyte_uint32.c \
ntru_crypto/ntru_crypto_ntru_convert.h \
#define NTRU_CRYPTO_H
#include "ntru_crypto_platform.h"
-#include "ntru_crypto_drbg.h"
#include "ntru_crypto_error.h"
+#include "ntru_drbg.h"
+
#if !defined( NTRUCALL )
#if !defined(WIN32) || defined (NTRUCRYPTO_STATIC)
// Linux, or a Win32 static library
NTRUCALL
ntru_crypto_ntru_encrypt(
- DRBG_HANDLE drbg_handle, /* in - handle for DRBG */
+ ntru_drbg_t *drbg , /* in - handle for DRBG */
uint16_t pubkey_blob_len, /* in - no. of octets in public key
blob */
uint8_t const *pubkey_blob, /* in - pointer to public key */
NTRUCALL
ntru_crypto_ntru_encrypt_keygen(
- DRBG_HANDLE drbg_handle, /* in - handle of DRBG */
+ ntru_drbg_t *drbg, /* in - handle of DRBG */
NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */
uint16_t *pubkey_blob_len, /* in/out - no. of octets in
pubkey_blob, addr
+++ /dev/null
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
- *
- * ntru_crypto_drbg.c is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013 Security Innovation
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- *
- *****************************************************************************/
-
-/******************************************************************************
- *
- * File: ntru_crypto_drbg.c
- *
- * Contents: Implementation of a SHA-256 HMAC-based deterministic random byte
- * generator (HMAC_DRBG) as defined in ANSI X9.82, Part 3 - 2007.
- *
- * This implementation:
- * - allows for MAX_INSTANTIATIONS simultaneous drbg instantiations
- * (may be overridden on compiler command line)
- * - has a maximum security strength of 256 bits
- * - automatically uses SHA-256 for all security strengths
- * - allows a personalization string of up to MAX_PERS_STR_BYTES bytes
- * - implments reseeding
- * - does not implement additional input for reseeding or generation
- * - does not implement predictive resistance
- * - limits the number of bytes requested in one invocation of generate to
- * MAX_BYTES_PER_REQUEST
- * - uses a callback function to allow the caller to supply the
- * Get_entropy_input routine (entropy function)
- * - limits the number of bytes returned from the entropy function to
- * MAX_ENTROPY_NONCE_BYTES
- * - gets the nonce bytes along with the entropy input from the entropy
- * function
- * - automatically reseeds an instantitation after MAX_REQUESTS calls to
- * generate
- *
- *****************************************************************************/
-
-
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include "ntru_crypto_drbg.h"
-#include "ntru_crypto_hmac.h"
-
-
-/************************
- * HMAC_DRBG parameters *
- ************************/
-
-/* Note: nonce size is sec_strength_bits/2 */
-#define HMAC_DRBG_MAX_MIN_ENTROPY_NONCE_BYTES \
- (DRBG_MAX_SEC_STRENGTH_BITS + DRBG_MAX_SEC_STRENGTH_BITS/2)/8
-#define HMAC_DRBG_MAX_ENTROPY_NONCE_BYTES \
- HMAC_DRBG_MAX_MIN_ENTROPY_NONCE_BYTES * DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY
-#define HMAC_DRBG_MAX_REQUESTS 0xffffffff
-
-
-/*******************
- * DRBG structures *
- *******************/
-
-/* SHA256_HMAC_DRBG state structure */
-
-typedef struct {
- uint32_t sec_strength; /* security strength in bits */
- uint32_t requests_left; /* generation requests remaining
- before reseeding */
- ENTROPY_FN entropy_fn; /* pointer to entropy function */
- NTRU_CRYPTO_HMAC_CTX *hmac_ctx; /* pointer to HMAC context */
- uint8_t V[33]; /* md_len size internal state + 1 */
-} SHA256_HMAC_DRBG_STATE;
-
-
-/* DRBG state structure
- * Note: this could contain a DRBG_TYPE to direct allocation, instantiation,
- * and generation to multiple types of DRBGs; at present only the
- * SHA256_HMAC_DRBG is implemented
- */
-
-typedef struct {
- uint32_t handle;
- void *state;
-} DRBG_STATE;
-
-
-/*************
- * DRBG DATA *
- *************/
-
-/* array of drbg states */
-
-static DRBG_STATE drbg_state[DRBG_MAX_INSTANTIATIONS];
-
-
-/******************************
- * SHA256 HMAC_DRBG functions *
- ******************************/
-
-/* sha256_hmac_drbg_update
- *
- * This routine is the SHA-256 HMAC_DRBG derivation function for
- * instantiation, and reseeding, and it is used in generation as well.
- * It updates the internal state.
- *
- * For instantiation, provided_data1 holds the entropy input and nonce;
- * provided_data2 holds the optional personalization string. Combined, this
- * is the seed material.
- *
- * For reseeding, provided_data1 holds the entropy input;
- * provided_data2 is NULL (because this implementation does not support
- * additional input).
- *
- * For byte generation, both provided_data1 and provided_data2 are NULL.
- *
- * Returns DRBG_OK if successful.
- * Returns HMAC errors if they occur.
- */
-
-static uint32_t
-sha256_hmac_drbg_update(
- SHA256_HMAC_DRBG_STATE *s,
- uint8_t *key, /* md_len size array */
- uint32_t md_len,
- uint8_t const *provided_data1,
- uint32_t provided_data1_bytes,
- uint8_t const *provided_data2,
- uint32_t provided_data2_bytes)
-{
- uint32_t result;
-
- /* new key = HMAC(K, V || 0x00 [|| provided data1 [|| provided data2]] */
-
- if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) != NTRU_CRYPTO_HMAC_OK)
- return result;
- s->V[md_len] = 0x00;
- if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len + 1)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- if (provided_data1) {
- if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data1,
- provided_data1_bytes)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- if (provided_data2) {
- if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data2,
- provided_data2_bytes)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- }
- }
- if ((result = ntru_crypto_hmac_final(s->hmac_ctx, key)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- if ((result = ntru_crypto_hmac_set_key(s->hmac_ctx, key)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
-
- /* new V = HMAC(K, V) */
-
- if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) != NTRU_CRYPTO_HMAC_OK)
- return result;
- if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- if ((result = ntru_crypto_hmac_final(s->hmac_ctx, s->V)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
-
- /* if provided data exists, update K and V again */
-
- if (provided_data1) {
-
- /* new key = HMAC(K, V || 0x01 || provided data1 [|| provided data2] */
-
- if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- s->V[md_len] = 0x01;
- if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len + 1)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data1,
- provided_data1_bytes)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- if (provided_data2) {
- if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data2,
- provided_data2_bytes)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- }
- if ((result = ntru_crypto_hmac_final(s->hmac_ctx, key)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- if ((result = ntru_crypto_hmac_set_key(s->hmac_ctx, key)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
-
- /* new V = HMAC(K, V) */
-
- if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- if ((result = ntru_crypto_hmac_final(s->hmac_ctx, s->V)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- }
-
- memset(key, 0, md_len);
- DRBG_RET(DRBG_OK);
-}
-
-
-/* sha256_hmac_drbg_instantiate
- *
- * This routine allocates and initializes a SHA-256 HMAC_DRBG internal state.
- *
- * Returns DRBG_OK if successful.
- * Returns DRBG_BAD_LENGTH if the personalization string is too long.
- * Returns DRBG_OUT_OF_MEMORY if the internal state cannot be allocated.
- * Returns errors from HASH or SHA256 if those errors occur.
- */
-
-static uint32_t
-sha256_hmac_drbg_instantiate(
- uint32_t sec_strength_bits, /* strength to instantiate */
- uint8_t const *pers_str,
- uint32_t pers_str_bytes,
- ENTROPY_FN entropy_fn,
- SHA256_HMAC_DRBG_STATE **state)
-{
- uint8_t entropy_nonce[HMAC_DRBG_MAX_ENTROPY_NONCE_BYTES];
- uint32_t entropy_nonce_bytes;
- uint32_t min_bytes_of_entropy;
- uint8_t num_bytes_per_byte_of_entropy;
- uint8_t key[32]; /* array of md_len size */
- SHA256_HMAC_DRBG_STATE *s;
- uint32_t result;
- uint32_t i;
-
- /* check arguments */
-
- if (pers_str_bytes > HMAC_DRBG_MAX_PERS_STR_BYTES)
- DRBG_RET(DRBG_BAD_LENGTH);
-
- /* calculate number of bytes needed for the entropy input and nonce
- * for a SHA256_HMAC_DRBG, and get them from the entropy source
- */
-
- if (entropy_fn(GET_NUM_BYTES_PER_BYTE_OF_ENTROPY,
- &num_bytes_per_byte_of_entropy) == 0)
- DRBG_RET(DRBG_ENTROPY_FAIL);
- if ((num_bytes_per_byte_of_entropy == 0) ||
- (num_bytes_per_byte_of_entropy >
- DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY))
- DRBG_RET(DRBG_ENTROPY_FAIL);
-
- min_bytes_of_entropy = (sec_strength_bits + sec_strength_bits/2) / 8;
- entropy_nonce_bytes = min_bytes_of_entropy * num_bytes_per_byte_of_entropy;
- for (i = 0; i < entropy_nonce_bytes; i++)
- if (entropy_fn(GET_BYTE_OF_ENTROPY, entropy_nonce+i) == 0)
- DRBG_RET(DRBG_ENTROPY_FAIL);
-
- /* allocate SHA256_HMAC_DRBG state */
-
- s = (SHA256_HMAC_DRBG_STATE*) malloc(sizeof(SHA256_HMAC_DRBG_STATE));
- if (s == NULL) {
- DRBG_RET(DRBG_OUT_OF_MEMORY);
- }
-
- /* allocate HMAC context */
-
- memset(key, 0, sizeof(key));
- if ((result = ntru_crypto_hmac_create_ctx(NTRU_CRYPTO_HASH_ALGID_SHA256,
- key, sizeof(key),
- &s->hmac_ctx)) !=
- NTRU_CRYPTO_HMAC_OK) {
- free(s);
- return result;
- }
-
- /* init and update internal state */
-
- memset(s->V, 0x01, sizeof(s->V));
- if ((result = sha256_hmac_drbg_update(s, key, sizeof(key),
- entropy_nonce, entropy_nonce_bytes,
- pers_str, pers_str_bytes)) != DRBG_OK) {
- (void) ntru_crypto_hmac_destroy_ctx(s->hmac_ctx);
- memset(s->V, 0, sizeof(s->V));
- free(s);
- }
- memset(entropy_nonce, 0, sizeof(entropy_nonce));
-
- /* init instantiation parameters */
-
- s->sec_strength = sec_strength_bits;
- s->requests_left = HMAC_DRBG_MAX_REQUESTS;
- s->entropy_fn = entropy_fn;
- *state = s;
-
- return result;
-}
-
-
-/* sha256_hmac_drbg_free
- *
- * This routine frees a SHA-256 HMAC_DRBG internal state.
- *
- * Returns DRBG_OK if successful.
- * Returns DRBG_BAD_PARAMETER if inappropriate NULL pointers are passed.
- */
-
-static void
-sha256_hmac_drbg_free(
- SHA256_HMAC_DRBG_STATE *s)
-{
- if (s->hmac_ctx) {
- (void) ntru_crypto_hmac_destroy_ctx(s->hmac_ctx);
- }
- memset(s->V, 0, sizeof(s->V));
- s->sec_strength = 0;
- s->requests_left = 0;
- s->entropy_fn = NULL;
- free(s);
-}
-
-
-/* sha256_hmac_drbg_reseed
- *
- * This function reseeds an instantiated SHA256_HMAC DRBG.
- *
- * Returns DRBG_OK if successful.
- * Returns HMAC errors if they occur.
- */
-
-static uint32_t
-sha256_hmac_drbg_reseed(
- SHA256_HMAC_DRBG_STATE *s)
-{
- uint8_t entropy[HMAC_DRBG_MAX_ENTROPY_NONCE_BYTES];
- uint32_t entropy_bytes;
- uint32_t min_bytes_of_entropy;
- uint8_t num_bytes_per_byte_of_entropy;
- uint8_t key[32]; // array of md_len size for sha256_hmac_drbg_update()
- uint32_t result;
- uint32_t i;
-
- /* calculate number of bytes needed for the entropy input
- * for a SHA256_HMAC_DRBG, and get them from the entropy source
- */
-
- if (s->entropy_fn(GET_NUM_BYTES_PER_BYTE_OF_ENTROPY,
- &num_bytes_per_byte_of_entropy) == 0)
- DRBG_RET(DRBG_ENTROPY_FAIL);
- if ((num_bytes_per_byte_of_entropy == 0) ||
- (num_bytes_per_byte_of_entropy >
- DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY))
- DRBG_RET(DRBG_ENTROPY_FAIL);
-
- min_bytes_of_entropy = s->sec_strength / 8;
- entropy_bytes = min_bytes_of_entropy * num_bytes_per_byte_of_entropy;
- for (i = 0; i < entropy_bytes; i++)
- if (s->entropy_fn(GET_BYTE_OF_ENTROPY, entropy+i) == 0)
- DRBG_RET(DRBG_ENTROPY_FAIL);
-
- /* update internal state */
-
- if ((result = sha256_hmac_drbg_update(s, key, sizeof(key),
- entropy, entropy_bytes, NULL, 0)) !=
- DRBG_OK)
- return result;
-
- /* reset request counter */
-
- s->requests_left = HMAC_DRBG_MAX_REQUESTS;
- DRBG_RET(DRBG_OK);
-}
-
-
-/* sha256_hmac_drbg_generate
- *
- * This routine generates pseudorandom bytes from a SHA256_HMAC DRBG.
- *
- * Returns DRBG_OK if successful.
- * Returns DRBG_BAD_LENGTH if too many bytes are requested or the requested
- * security strength is too large.
- * Returns HMAC errors if they occur.
- */
-
-static uint32_t
-sha256_hmac_drbg_generate(
- SHA256_HMAC_DRBG_STATE *s,
- uint32_t sec_strength_bits,
- uint32_t num_bytes,
- uint8_t *out)
-{
- uint8_t key[32]; // array of md_len size for sha256_hmac_drbg_update()
- uint32_t result;
-
- /* check if number of bytes requested exceeds the maximum allowed */
-
- if (num_bytes > HMAC_DRBG_MAX_BYTES_PER_REQUEST)
- DRBG_RET(DRBG_BAD_LENGTH);
-
- /* check if drbg has adequate security strength */
-
- if (sec_strength_bits > s->sec_strength)
- DRBG_RET(DRBG_BAD_LENGTH);
-
- /* check if max requests have been exceeded */
-
- if (s->requests_left == 0)
- if ((result = sha256_hmac_drbg_reseed(s)) != DRBG_OK)
- return result;
-
- /* generate pseudorandom bytes */
-
- while (num_bytes > 0) {
-
- /* generate md_len bytes = V = HMAC(K, V) */
-
- if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V,
- sizeof(key))) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
- if ((result = ntru_crypto_hmac_final(s->hmac_ctx, s->V)) !=
- NTRU_CRYPTO_HMAC_OK)
- return result;
-
- /* copy generated bytes to output buffer */
-
- if (num_bytes < sizeof(key)) {
- memcpy(out, s->V, num_bytes);
- num_bytes = 0;
- } else {
- memcpy(out, s->V, sizeof(key));
- out += sizeof(key);
- num_bytes -= sizeof(key);
- }
- }
-
- /* update internal state */
-
- if ((result = sha256_hmac_drbg_update(s, key, sizeof(key),
- NULL, 0, NULL, 0)) != DRBG_OK)
- return result;
- s->requests_left--;
-
- DRBG_RET(DRBG_OK);
-}
-
-
-/******************
- * DRBG functions *
- ******************/
-
-/* drbg_get_new_drbg
- *
- * This routine finds an uninstantiated drbg state and returns a pointer to it.
- *
- * Returns a pointer to an uninstantiated drbg state if found.
- * Returns NULL if all drbg states are instantiated.
- */
-
-static DRBG_STATE *
-drbg_get_new_drbg()
-{
- int i;
-
- for (i = 0; i < DRBG_MAX_INSTANTIATIONS; i++) {
- if (drbg_state[i].state == NULL)
- return drbg_state+i;
- }
- return NULL;
-}
-
-
-/* drbg_get_drbg
- *
- * This routine finds an instantiated drbg state given its handle, and returns
- * a pointer to it.
- *
- * Returns a pointer to the drbg state if found.
- * Returns NULL if the drbg state is not found.
- */
-
-static DRBG_STATE *
-drbg_get_drbg(
- DRBG_HANDLE handle) /* in/out - drbg handle */
-{
- int i;
-
- for (i = 0; i < DRBG_MAX_INSTANTIATIONS; i++) {
- if ((drbg_state[i].handle == handle) && drbg_state[i].state)
- return drbg_state+i;
- }
- return NULL;
-}
-
-
-/* drbg_get_new_handle
- *
- * This routine gets a new, unique 32-bit handle.
- *
- * Returns the new DRBG handle.
- */
-
-static DRBG_HANDLE
-drbg_get_new_handle(void)
-{
- DRBG_HANDLE h = 0;
-
- /* ensure the new handle is unique:
- * if it already exists, increment it
- */
-
- while (drbg_get_drbg(h) != NULL)
- ++h;
-
- return h;
-}
-
-
-/********************
- * Public functions *
- ********************/
-
-/* ntru_crypto_drbg_instantiate
- *
- * This routine instantiates a drbg with the requested security strength.
- * See ANS X9.82: Part 3-2007.
- *
- * Returns DRBG_OK if successful.
- * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if an argument pointer is NULL.
- * Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested
- * or the personalization string is too large.
- * Returns DRBG_ERROR_BASE + DRBG_OUT_OF_MEMORY if the internal state cannot be
- * allocated from the heap.
- */
-
-uint32_t
-ntru_crypto_drbg_instantiate(
- uint32_t sec_strength_bits, /* in - requested sec strength in bits */
- uint8_t const *pers_str, /* in - ptr to personalization string */
- uint32_t pers_str_bytes, /* in - no. personalization str bytes */
- ENTROPY_FN entropy_fn, /* in - pointer to entropy function */
- DRBG_HANDLE *handle) /* out - address for drbg handle */
-{
- DRBG_STATE *drbg = NULL;
- SHA256_HMAC_DRBG_STATE *state = NULL;
- uint32_t result;
-
- /* check arguments */
-
- if ((!pers_str && pers_str_bytes) || !entropy_fn || !handle)
- DRBG_RET(DRBG_BAD_PARAMETER);
- if (sec_strength_bits > DRBG_MAX_SEC_STRENGTH_BITS)
- DRBG_RET(DRBG_BAD_LENGTH);
- if (pers_str && (pers_str_bytes == 0))
- pers_str = NULL;
-
- /* set security strength */
-
- if (sec_strength_bits <= 112) {
- sec_strength_bits = 112;
- } else if (sec_strength_bits <= 128) {
- sec_strength_bits = 128;
- } else if (sec_strength_bits <= 192) {
- sec_strength_bits = 192;
- } else {
- sec_strength_bits = 256;
- }
-
- /* get an uninstantiated drbg */
-
- if ((drbg = drbg_get_new_drbg()) == NULL)
- DRBG_RET(DRBG_NOT_AVAILABLE);
-
- /* init entropy function */
-
- if (entropy_fn(INIT, NULL) == 0)
- DRBG_RET(DRBG_ENTROPY_FAIL);
-
- /* instantiate a SHA-256 HMAC_DRBG */
-
- if ((result = sha256_hmac_drbg_instantiate(sec_strength_bits,
- pers_str, pers_str_bytes,
- entropy_fn,
- &state)) != DRBG_OK)
- return result;
-
- /* init drbg state */
-
- drbg->handle = drbg_get_new_handle();
- drbg->state = state;
-
- /* return drbg handle */
-
- *handle = drbg->handle;
- DRBG_RET(DRBG_OK);
-}
-
-
-/* ntru_crypto_drbg_uninstantiate
- *
- * This routine frees a drbg given its handle.
- *
- * Returns DRBG_OK if successful.
- * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid.
- */
-
-uint32_t
-ntru_crypto_drbg_uninstantiate(
- DRBG_HANDLE handle) /* in - drbg handle */
-{
- DRBG_STATE *drbg = NULL;
-
- /* find the instantiated drbg */
-
- if ((drbg = drbg_get_drbg(handle)) == NULL)
- DRBG_RET(DRBG_BAD_PARAMETER);
-
- /* zero and free drbg state */
-
- if (drbg->state) {
- sha256_hmac_drbg_free((SHA256_HMAC_DRBG_STATE *)drbg->state);
- drbg->state = NULL;
- }
-
- drbg->handle = 0;
- DRBG_RET(DRBG_OK);
-}
-
-
-/* ntru_crypto_drbg_reseed
- *
- * This routine reseeds an instantiated drbg.
- * See ANS X9.82: Part 3-2007.
- *
- * Returns DRBG_OK if successful.
- * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid.
- * Returns HMAC errors if they occur.
- */
-
-uint32_t
-ntru_crypto_drbg_reseed(
- DRBG_HANDLE handle) /* in - drbg handle */
-{
- DRBG_STATE *drbg = NULL;
-
- /* find the instantiated drbg */
-
- if ((drbg = drbg_get_drbg(handle)) == NULL)
- DRBG_RET(DRBG_BAD_PARAMETER);
-
- /* reseed the SHA-256 HMAC_DRBG */
-
- return sha256_hmac_drbg_reseed((SHA256_HMAC_DRBG_STATE *)drbg->state);
-}
-
-
-/* ntru_crypto_drbg_generate
- *
- * This routine generates pseudorandom bytes using an instantiated drbg.
- * If the maximum number of requests has been reached, reseeding will occur.
- * See ANS X9.82: Part 3-2007.
- *
- * Returns DRBG_OK if successful.
- * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid or if
- * an argument pointer is NULL.
- * Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested
- * is too large or the number of bytes requested is zero or too large.
- * Returns HMAC errors if they occur.
- */
-
-uint32_t
-ntru_crypto_drbg_generate(
- DRBG_HANDLE handle, /* in - drbg handle */
- uint32_t sec_strength_bits, /* in - requested sec strength in bits */
- uint32_t num_bytes, /* in - number of octets to generate */
- uint8_t *out) /* out - address for generated octets */
-{
- DRBG_STATE *drbg = NULL;
-
- /* find the instantiated drbg */
-
- if ((drbg = drbg_get_drbg(handle)) == NULL)
- DRBG_RET(DRBG_BAD_PARAMETER);
-
- /* check arguments */
-
- if (!out)
- DRBG_RET(DRBG_BAD_PARAMETER);
- if (num_bytes == 0)
- DRBG_RET(DRBG_BAD_LENGTH);
-
- /* generate pseudorandom output from the SHA256_HMAC_DRBG */
-
- return sha256_hmac_drbg_generate((SHA256_HMAC_DRBG_STATE *)drbg->state,
- sec_strength_bits, num_bytes, out);
-}
-
+++ /dev/null
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
- *
- * ntru_crypto_drbg.h is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013 Security Innovation
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- *
- *****************************************************************************/
-
-
-/******************************************************************************
- *
- * File: ntru_crypto_drbg.h
- *
- * Contents: Public header file for ntru_crypto_drbg.c.
- *
- *****************************************************************************/
-
-
-#ifndef NTRU_CRYPTO_DRBG_H
-#define NTRU_CRYPTO_DRBG_H
-
-#include "ntru_crypto_platform.h"
-#include "ntru_crypto_error.h"
-
-#if !defined( NTRUCALL )
- #if !defined(WIN32) || defined (NTRUCRYPTO_STATIC)
- // Linux, or a Win32 static library
- #define NTRUCALL extern uint32_t
- #elif defined (NTRUCRYPTO_EXPORTS)
- // Win32 DLL build
- #define NTRUCALL extern __declspec(dllexport) uint32_t
- #else
- // Win32 DLL import
- #define NTRUCALL extern __declspec(dllimport) uint32_t
- #endif
-#endif /* NTRUCALL */
-
-#if defined ( __cplusplus )
-extern "C" {
-#endif /* __cplusplus */
-
-
-/*******************
- * DRBG parameters *
- *******************/
-
-#if !defined(DRBG_MAX_INSTANTIATIONS)
-#define DRBG_MAX_INSTANTIATIONS 4
-#endif
-#define DRBG_MAX_SEC_STRENGTH_BITS 256
-#define DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY 8
-
-
-/************************
- * HMAC_DRBG parameters *
- ************************/
-
-#define HMAC_DRBG_MAX_PERS_STR_BYTES 32
-#define HMAC_DRBG_MAX_BYTES_PER_REQUEST 1024
-
-
-/********************
- * type definitions *
- ********************/
-
-typedef uint32_t DRBG_HANDLE; /* drbg handle */
-typedef enum { /* entropy-function commands */
- GET_NUM_BYTES_PER_BYTE_OF_ENTROPY = 0,
- INIT,
- GET_BYTE_OF_ENTROPY,
-} ENTROPY_CMD;
-typedef uint8_t (*ENTROPY_FN)( /* get entropy function */
- ENTROPY_CMD cmd, /* command */
- uint8_t *out); /* address for output */
-
-
-/***************
- * error codes *
- ***************/
-
-#define DRBG_OK 0x00000000 /* no errors */
-#define DRBG_OUT_OF_MEMORY 0x00000001 /* can't allocate memory */
-#define DRBG_BAD_PARAMETER 0x00000002 /* null pointer */
-#define DRBG_BAD_LENGTH 0x00000003 /* invalid no. of bytes */
-#define DRBG_NOT_AVAILABLE 0x00000004 /* no instantiation slot available */
-#define DRBG_ENTROPY_FAIL 0x00000005 /* entropy function failure */
-
-/***************
- * error macro *
- ***************/
-
-#define DRBG_RESULT(r) ((uint32_t)((r) ? DRBG_ERROR_BASE + (r) : (r)))
-#define DRBG_RET(r) return DRBG_RESULT(r);
-
-
-/*************************
- * function declarations *
- *************************/
-
-/* ntru_crypto_drbg_instantiate
- *
- * This routine instantiates a drbg with the requested security strength.
- * See ANS X9.82: Part 3-2007.
- *
- * Returns DRBG_OK if successful.
- * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if an argument pointer is NULL.
- * Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested
- * or the personalization string is too large.
- * Returns DRBG_ERROR_BASE + DRBG_OUT_OF_MEMORY if the internal state cannot be
- * allocated from the heap.
- */
-
-NTRUCALL
-ntru_crypto_drbg_instantiate(
- uint32_t sec_strength_bits, /* in - requested sec strength in bits */
- uint8_t const *pers_str, /* in - ptr to personalization string */
- uint32_t pers_str_bytes, /* in - no. personalization str bytes */
- ENTROPY_FN entropy_fn, /* in - pointer to entropy function */
- DRBG_HANDLE *handle); /* out - address for drbg handle */
-
-
-/* ntru_crypto_drbg_uninstantiate
- *
- * This routine frees a drbg given its handle.
- *
- * Returns DRBG_OK if successful.
- * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid.
- */
-
-NTRUCALL
-ntru_crypto_drbg_uninstantiate(
- DRBG_HANDLE handle); /* in - drbg handle */
-
-
-/* ntru_crypto_drbg_reseed
- *
- * This routine reseeds an instantiated drbg.
- * See ANS X9.82: Part 3-2007.
- *
- * Returns DRBG_OK if successful.
- * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid.
- * Returns NTRU_CRYPTO_HMAC errors if they occur.
- */
-
-NTRUCALL
-ntru_crypto_drbg_reseed(
- DRBG_HANDLE handle); /* in - drbg handle */
-
-
-/* ntru_crypto_drbg_generate
- *
- * This routine generates pseudorandom bytes using an instantiated drbg.
- * If the maximum number of requests has been reached, reseeding will occur.
- * See ANS X9.82: Part 3-2007.
- *
- * Returns DRBG_OK if successful.
- * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid or if
- * an argument pointer is NULL.
- * Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested
- * is too large or the number of bytes requested is zero or too large.
- * Returns NTRU_CRYPTO_HMAC errors if they occur.
- */
-
-NTRUCALL
-ntru_crypto_drbg_generate(
- DRBG_HANDLE handle, /* in - drbg handle */
- uint32_t sec_strength_bits, /* in - requested sec strength in bits */
- uint32_t num_bytes, /* in - number of octets to generate */
- uint8_t *out); /* out - address for generated octets */
-
-
-#if defined ( __cplusplus )
-}
-#endif /* __cplusplus */
-
-
-#endif /* NTRU_CRYPTO_DRBG_H */
+++ /dev/null
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
- *
- * ntru_crypto_hmac.c is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013 Security Innovation
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- *
- *****************************************************************************/
-
-/******************************************************************************
- *
- * File: ntru_crypto_hmac.c
- *
- * Contents: Routines implementing the HMAC hash calculation.
- *
- *****************************************************************************/
-
-
-#include <stdlib.h>
-#include <string.h>
-#include "ntru_crypto_hmac.h"
-
-
-/* HMAC context */
-
-struct _NTRU_CRYPTO_HMAC_CTX {
- NTRU_CRYPTO_HASH_CTX hash_ctx;
- uint8_t *k0;
- uint16_t blk_len;
- uint16_t md_len;
-};
-
-
-/* ntru_crypto_hmac_create_ctx
- *
- * This routine creates an HMAC context, setting the hash algorithm and
- * the key to be used.
- *
- * Returns NTRU_CRYPTO_HMAC_OK if successful.
- * Returns NTRU_CRYPTO_HMAC_BAD_ALG if the specified algorithm is not supported.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- * Returns NTRU_CRYPTO_HMAC_OUT_OF_MEMORY if memory cannot be allocated.
- */
-
-uint32_t
-ntru_crypto_hmac_create_ctx(
- NTRU_CRYPTO_HASH_ALGID algid, /* in - the hash algorithm to be used */
- uint8_t const *key, /* in - pointer to the HMAC key */
- uint32_t key_len, /* in - number of bytes in HMAC key */
- NTRU_CRYPTO_HMAC_CTX **c) /* out - address for pointer to HMAC
- context */
-{
- NTRU_CRYPTO_HMAC_CTX *ctx = NULL;
- uint32_t result;
-
- /* check parameters */
-
- if (!c || !key)
- HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
-
- *c = NULL;
-
- /* allocate memory for an HMAC context */
-
- if ((ctx = (NTRU_CRYPTO_HMAC_CTX*) malloc(sizeof(NTRU_CRYPTO_HMAC_CTX))) ==
- NULL)
- HMAC_RET(NTRU_CRYPTO_HMAC_OUT_OF_MEMORY);
-
- /* set the algorithm */
-
- if (result = ntru_crypto_hash_set_alg(algid, &ctx->hash_ctx)) {
- free(ctx);
- HMAC_RET(NTRU_CRYPTO_HMAC_BAD_ALG);
- }
-
- /* set block length and digest length */
-
- if ((result = ntru_crypto_hash_block_length(&ctx->hash_ctx,
- &ctx->blk_len)) ||
- (result = ntru_crypto_hash_digest_length(&ctx->hash_ctx,
- &ctx->md_len))) {
- free(ctx);
- return result;
- }
-
- /* allocate memory for K0 */
-
- if ((ctx->k0 = (uint8_t*) malloc(ctx->blk_len)) == NULL) {
- free(ctx);
- HMAC_RET(NTRU_CRYPTO_HMAC_OUT_OF_MEMORY);
- }
-
- /* calculate K0 and store in HMAC context */
-
- memset(ctx->k0, 0, ctx->blk_len);
-
- /* check if key is too large */
-
- if (key_len > ctx->blk_len) {
-
- if (result = ntru_crypto_hash_digest(algid, key, key_len, ctx->k0)) {
- memset(ctx->k0, 0, ctx->blk_len);
- free(ctx->k0);
- free(ctx);
- return result;
- }
-
- } else
- memcpy(ctx->k0, key, key_len);
-
- /* return pointer to HMAC context */
-
- *c = ctx;
- HMAC_RET(NTRU_CRYPTO_HMAC_OK);
-}
-
-
-/* ntru_crypto_hmac_destroy_ctx
- *
- * Destroys an HMAC context.
- *
- * Returns NTRU_CRYPTO_HMAC_OK if successful.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- */
-
-uint32_t
-ntru_crypto_hmac_destroy_ctx(
- NTRU_CRYPTO_HMAC_CTX *c) /* in/out - pointer to HMAC context */
-{
- if (!c || !c->k0)
- HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
-
- /* clear key and release memory */
-
- memset(c->k0, 0, c->blk_len);
- free(c->k0);
- free(c);
-
- HMAC_RET(NTRU_CRYPTO_HMAC_OK);
-}
-
-
-/* ntru_crypto_hmac_get_md_len
- *
- * This routine gets the digest length of the HMAC.
- *
- * Returns NTRU_CRYPTO_HMAC_OK on success.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- */
-
-uint32_t
-ntru_crypto_hmac_get_md_len(
- NTRU_CRYPTO_HMAC_CTX const *c, /* in - pointer to HMAC context */
- uint16_t *md_len) /* out - address for digest length */
-{
- /* check parameters */
-
- if (!c || !md_len)
- HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
-
- /* get digest length */
-
- *md_len = c->md_len;
- HMAC_RET(NTRU_CRYPTO_HMAC_OK);
-}
-
-
-/* ntru_crypto_hmac_set_key
- *
- * This routine sets a digest-length key into the HMAC context.
- *
- * Returns NTRU_CRYPTO_HMAC_OK on success.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- */
-
-uint32_t
-ntru_crypto_hmac_set_key(
- NTRU_CRYPTO_HMAC_CTX *c, /* in - pointer to HMAC context */
- uint8_t const *key) /* in - pointer to new HMAC key */
-{
- /* check parameters */
-
- if (!c || !key)
- HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
-
- /* copy key */
-
- memcpy(c->k0, key, c->md_len);
- HMAC_RET(NTRU_CRYPTO_HMAC_OK);
-}
-
-
-/* ntru_crypto_hmac_init
- *
- * This routine performs standard initialization of the HMAC state.
- *
- * Returns NTRU_CRYPTO_HMAC_OK on success.
- * Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- */
-
-uint32_t
-ntru_crypto_hmac_init(
- NTRU_CRYPTO_HMAC_CTX *c) /* in/out - pointer to HMAC context */
-{
- uint32_t result;
- int i;
-
- /* check parameters */
-
- if (!c)
- HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
-
- /* init hash context and compute H(K0 ^ ipad) */
-
- for (i = 0; i < c->blk_len; i++)
- c->k0[i] ^= 0x36; /* K0 ^ ipad */
- if ((result = ntru_crypto_hash_init(&c->hash_ctx)) ||
- (result = ntru_crypto_hash_update(&c->hash_ctx, c->k0, c->blk_len)))
- return result;
-
- HMAC_RET(NTRU_CRYPTO_HMAC_OK);
-}
-
-
-/* ntru_crypto_hmac_update
- *
- * This routine processes input data and updates the HMAC hash calculation.
- *
- * Returns NTRU_CRYPTO_HMAC_OK on success.
- * Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- * Returns NTRU_CRYPTO_HASH_OVERFLOW if more than bytes are hashed than the
- * underlying hash algorithm can handle.
- */
-
-uint32_t
-ntru_crypto_hmac_update(
- NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */
- const uint8_t *data, /* in - pointer to input data */
- uint32_t data_len) /* in - no. of bytes of input data */
-{
- uint32_t result;
-
- /* check parameters */
-
- if (!c || (data_len && !data))
- HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
-
- if (result = ntru_crypto_hash_update(&c->hash_ctx, data, data_len))
- return result;
-
- HMAC_RET(NTRU_CRYPTO_HMAC_OK);
-}
-
-
-/* ntru_crypto_hmac_final
- *
- * This routine completes the HMAC hash calculation and returns the
- * message digest.
- *
- * Returns NTRU_CRYPTO_HMAC_OK on success.
- * Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- */
-
-uint32_t
-ntru_crypto_hmac_final(
- NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */
- uint8_t *md) /* out - address for message digest */
-{
- uint32_t result = NTRU_CRYPTO_HMAC_OK;
- int i;
-
- /* check parameters */
-
- if (!c || !md)
- HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER);
-
- /* form K0 ^ opad
- * complete md = H((K0 ^ ipad) || data)
- * compute md = H((K0 ^ opad) || md)
- * re-form K0
- */
-
- for (i = 0; i < c->blk_len; i++)
- c->k0[i] ^= (0x36^0x5c);
- if ((result = ntru_crypto_hash_final(&c->hash_ctx, md)) ||
- (result = ntru_crypto_hash_init(&c->hash_ctx)) ||
- (result = ntru_crypto_hash_update(&c->hash_ctx, c->k0, c->blk_len)) ||
- (result = ntru_crypto_hash_update(&c->hash_ctx, md, c->md_len)) ||
- (result = ntru_crypto_hash_final(&c->hash_ctx, md))) {
- }
- for (i = 0; i < c->blk_len; i++)
- c->k0[i] ^= 0x5c;
- return result;
-}
-
+++ /dev/null
-/*/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
- *
- * ntru_crypto_hmac.h is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013 Security Innovation
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- *
- *****************************************************************************/
-
-/******************************************************************************
- *
- * File: ntru_crypto_hmac.h
- *
- * Contents: Definitions and declarations for the HMAC implementation.
- *
- *****************************************************************************/
-
-#ifndef NTRU_CRYPTO_HMAC_H
-#define NTRU_CRYPTO_HMAC_H
-
-
-#include "ntru_crypto_platform.h"
-#include "ntru_crypto_hash.h"
-
-
-/***************
- * error codes *
- ***************/
-
-#define NTRU_CRYPTO_HMAC_OK ((uint32_t)NTRU_CRYPTO_HASH_OK)
-#define NTRU_CRYPTO_HMAC_BAD_PARAMETER ((uint32_t)NTRU_CRYPTO_HASH_BAD_PARAMETER)
-#define NTRU_CRYPTO_HMAC_BAD_ALG ((uint32_t)NTRU_CRYPTO_HASH_BAD_ALG)
-#define NTRU_CRYPTO_HMAC_OUT_OF_MEMORY ((uint32_t)NTRU_CRYPTO_HASH_OUT_OF_MEMORY)
-
-#define HMAC_RESULT(e) ((uint32_t)((e) ? HMAC_ERROR_BASE + (e) : (e)))
-#define HMAC_RET(e) return HMAC_RESULT(e)
-
-
-/*************************
- * structure definitions *
- *************************/
-
-/* HMAC context structure */
-
-struct _NTRU_CRYPTO_HMAC_CTX; /* opaque forward reference */
-typedef struct _NTRU_CRYPTO_HMAC_CTX NTRU_CRYPTO_HMAC_CTX;
-
-
-/*************************
- * function declarations *
- *************************/
-
-/* ntru_crypto_hmac_create_ctx
- *
- * This routine creates an HMAC context, setting the hash algorithm and
- * the key to be used.
- *
- * Returns NTRU_CRYPTO_HASH_OK if successful.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- * Returns NTRU_CRYPTO_HASH_OUT_OF_MEMORY if memory cannot be allocated.
- */
-
-extern uint32_t
-ntru_crypto_hmac_create_ctx(
- NTRU_CRYPTO_HASH_ALGID algid, /* in - the hash algorithm to be used */
- uint8_t const *key, /* in - pointer to the HMAC key */
- uint32_t key_len, /* in - number of bytes in HMAC key */
- NTRU_CRYPTO_HMAC_CTX **c); /* out - address for pointer to HMAC
- context */
-
-
-/* ntru_crypto_hmac_destroy_ctx
- *
- * Destroys an HMAC context.
- *
- * Returns NTRU_CRYPTO_HASH_OK if successful.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- */
-
-extern uint32_t
-ntru_crypto_hmac_destroy_ctx(
- NTRU_CRYPTO_HMAC_CTX *c); /* in/out - pointer to HMAC context */
-
-
-/* ntru_crypto_hmac_get_md_len
- *
- * This routine gets the digest length of the HMAC.
- *
- * Returns NTRU_CRYPTO_HMAC_OK on success.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- */
-
-extern uint32_t
-ntru_crypto_hmac_get_md_len(
- NTRU_CRYPTO_HMAC_CTX const *c, /* in - pointer to HMAC context */
- uint16_t *md_len); /* out - address for digest length */
-
-
-/* ntru_crypto_hmac_set_key
- *
- * This routine sets a digest-length key into the HMAC context.
- *
- * Returns NTRU_CRYPTO_HMAC_OK on success.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- */
-
-extern uint32_t
-ntru_crypto_hmac_set_key(
- NTRU_CRYPTO_HMAC_CTX *c, /* in - pointer to HMAC context */
- uint8_t const *key); /* in - pointer to new HMAC key */
-
-
-/* ntru_crypto_hmac_init
- *
- * This routine performs standard initialization of the HMAC state.
- *
- * Returns NTRU_CRYPTO_HMAC_OK on success.
- * Returns NTRU_CRYPTO_HMAC_FAIL with corrupted context.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- */
-
-extern uint32_t
-ntru_crypto_hmac_init(
- NTRU_CRYPTO_HMAC_CTX *c); /* in/out - pointer to HMAC context */
-
-
-/* ntru_crypto_hmac_update
- *
- * This routine processes input data and updates the HMAC hash calculation.
- *
- * Returns NTRU_CRYPTO_HMAC_OK on success.
- * Returns NTRU_CRYPTO_HMAC_FAIL with corrupted context.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- * Returns NTRU_CRYPTO_HMAC_OVERFLOW if more than bytes are hashed than the underlying
- * hash algorithm can handle.
- */
-
-extern uint32_t
-ntru_crypto_hmac_update(
- NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */
- uint8_t const *data, /* in - pointer to input data */
- uint32_t data_len); /* in - no. of bytes of input data */
-
-
-/* ntru_crypto_hmac_final
- *
- * This routine completes the HMAC hash calculation and returns the
- * message digest.
- *
- * Returns NTRU_CRYPTO_HMAC_OK on success.
- * Returns NTRU_CRYPTO_HMAC_FAIL with corrupted context.
- * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are
- * passed.
- */
-
-extern uint32_t
-ntru_crypto_hmac_final(
- NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */
- uint8_t *md); /* out - address for message digest */
-
-
-#endif /* NTRU_CRYPTO_HMAC_H */
#include "ntru_crypto_ntru_convert.h"
#include "ntru_crypto_ntru_poly.h"
#include "ntru_crypto_ntru_mgf1.h"
-#include "ntru_crypto_drbg.h"
-
/* ntru_crypto_ntru_encrypt
*
uint32_t
ntru_crypto_ntru_encrypt(
- DRBG_HANDLE drbg_handle, /* in - handle of DRBG */
+ ntru_drbg_t *drbg, /* in - handle of DRBG */
uint16_t pubkey_blob_len, /* in - no. of octets in public key
blob */
uint8_t const *pubkey_blob, /* in - pointer to public key */
uint8_t *ptr = tmp_buf;
/* get b */
- result = ntru_crypto_drbg_generate(drbg_handle,
- params->sec_strength_len << 3,
- params->sec_strength_len, b_buf);
+ if (drbg->generate(drbg, params->sec_strength_len << 3,
+ params->sec_strength_len, b_buf))
+ {
+ result = NTRU_OK;
+ }
+ else
+ {
+ result = NTRU_FAIL;
+ }
if (result == NTRU_OK) {
uint32_t
ntru_crypto_ntru_encrypt_keygen(
- DRBG_HANDLE drbg_handle, /* in - handle of DRBG */
+ ntru_drbg_t *drbg, /* in - handle of DRBG */
NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */
uint16_t *pubkey_blob_len, /* in/out - no. of octets in
pubkey_blob, addr
* as a list of indices
*/
- result = ntru_crypto_drbg_generate(drbg_handle,
- params->sec_strength_len << 3,
- seed_len, tmp_buf);
+ if (drbg->generate(drbg, params->sec_strength_len << 3, seed_len, tmp_buf))
+ {
+ result = NTRU_OK;
+ }
+ else
+ {
+ result = NTRU_FAIL;
+ }
if (result == NTRU_OK) {
/* get random bytes for seed for generating trinary g
* as a list of indices
*/
- result = ntru_crypto_drbg_generate(drbg_handle,
- params->sec_strength_len << 3,
- seed_len, tmp_buf);
+ if (!drbg->generate(drbg, params->sec_strength_len << 3, seed_len,
+ tmp_buf))
+ {
+ result = NTRU_FAIL;
+ }
}
if (result == NTRU_OK) {
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_drbg.h"
+
+#include <utils/debug.h>
+
+#define MAX_STRENGTH_BITS 256
+#define MAX_DRBG_REQUESTS 0xffffffff
+
+typedef struct private_ntru_drbg_t private_ntru_drbg_t;
+
+/**
+ * Private data of an ntru_drbg_t object.
+ */
+struct private_ntru_drbg_t {
+ /**
+ * Public ntru_drbg_t interface.
+ */
+ ntru_drbg_t public;
+
+ /**
+ * Security strength in bits of the DRBG
+ */
+ u_int32_t strength;
+
+ /**
+ * Number of requests for pseudorandom bits
+ */
+ u_int32_t reseed_counter;
+
+ /**
+ * Maximum number of requests for pseudorandom bits
+ */
+ u_int32_t max_requests;
+
+ /**
+ * True entropy source
+ */
+ rng_t *entropy;
+
+ /**
+ * HMAC-SHA256
+ */
+ signer_t *hmac;
+
+ /**
+ * Internal state of HMAC-SHA256: key
+ */
+ chunk_t key;
+
+ /**
+ * Internal state of HMAC-SHA256: value
+ */
+ chunk_t value;
+
+};
+
+/**
+ * Update the internal state of the HMAC_DRBG
+ */
+static bool update(private_ntru_drbg_t *this, chunk_t data)
+{
+ chunk_t ch_00 = chunk_from_chars(0x00);
+ chunk_t ch_01 = chunk_from_chars(0x01);
+
+ if (!this->hmac->set_key(this->hmac, this->key) ||
+ !this->hmac->get_signature(this->hmac, this->value, NULL) ||
+ !this->hmac->get_signature(this->hmac, ch_00, NULL) ||
+ !this->hmac->get_signature(this->hmac, data, this->key.ptr) ||
+ !this->hmac->set_key(this->hmac, this->key) ||
+ !this->hmac->get_signature(this->hmac, this->value,
+ this->value.ptr))
+ {
+ return FALSE;
+ }
+
+ if (data.len > 0)
+ {
+ if (!this->hmac->set_key(this->hmac, this->key) ||
+ !this->hmac->get_signature(this->hmac, this->value, NULL) ||
+ !this->hmac->get_signature(this->hmac, ch_01, NULL) ||
+ !this->hmac->get_signature(this->hmac, data, this->key.ptr) ||
+ !this->hmac->set_key(this->hmac, this->key) ||
+ !this->hmac->get_signature(this->hmac, this->value,
+ this->value.ptr))
+ {
+ return FALSE;
+ }
+ }
+ DBG4(DBG_LIB, "HMAC_DRBG V: %B", &this->value);
+ DBG4(DBG_LIB, "HMAC_DRBG K: %B", &this->key);
+
+ return TRUE;
+}
+
+METHOD(ntru_drbg_t, get_strength, u_int32_t,
+ private_ntru_drbg_t *this)
+{
+ return this->strength;
+}
+
+METHOD(ntru_drbg_t, reseed, bool,
+ private_ntru_drbg_t *this)
+{
+ chunk_t seed;
+
+ seed = chunk_alloc(this->strength / BITS_PER_BYTE);
+ DBG2(DBG_LIB, "DBRG requesting %u bytes of entropy", seed.len);
+
+ if (!this->entropy->get_bytes(this->entropy, seed.len, seed.ptr))
+ {
+ chunk_free(&seed);
+ return FALSE;
+ }
+ if (!update(this, seed))
+ {
+ chunk_free(&seed);
+ return FALSE;
+ }
+ chunk_clear(&seed);
+ this->reseed_counter = 1;
+
+ return TRUE;
+}
+
+METHOD(ntru_drbg_t, generate, bool,
+ private_ntru_drbg_t *this, u_int32_t strength, u_int32_t len, u_int8_t *out)
+{
+ size_t delta;
+ chunk_t output;
+
+ DBG2(DBG_LIB, "DRBG generates %u pseudorandom bytes", len);
+ if (!out || len == 0)
+ {
+ return FALSE;
+ }
+ output = chunk_create(out, len);
+
+ if (this->reseed_counter >= this->max_requests)
+ {
+ if (!reseed(this))
+ {
+ return FALSE;
+ }
+ }
+ while (len)
+ {
+ if (!this->hmac->get_signature(this->hmac, this->value,
+ this->value.ptr))
+ {
+ return FALSE;
+ }
+ delta = min(len, this->value.len);
+ memcpy(out, this->value.ptr, delta);
+ len -= delta;
+ out += delta;
+ }
+ DBG4(DBG_LIB, "HMAC_DRBG Out: %B", &output);
+
+ if (!update(this, chunk_empty))
+ {
+ return FALSE;
+ }
+ this->reseed_counter++;
+
+ return TRUE;
+}
+
+METHOD(ntru_drbg_t, destroy, void,
+ private_ntru_drbg_t *this)
+{
+ this->hmac->destroy(this->hmac);
+ chunk_clear(&this->key);
+ chunk_clear(&this->value);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
+ rng_t *entropy)
+{
+ private_ntru_drbg_t *this;
+ chunk_t seed;
+ signer_t *hmac;
+ size_t entropy_len;
+ u_int32_t max_requests;
+
+ if (strength > MAX_STRENGTH_BITS)
+ {
+ return NULL;
+ }
+ if (strength <= 112)
+ {
+ strength = 112;
+ }
+ else if (strength <= 128)
+ {
+ strength = 128;
+ }
+ else if (strength <= 192)
+ {
+ strength = 192;
+ }
+ else
+ {
+ strength = 256;
+ }
+
+ hmac = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA2_256_256);
+ if (!hmac)
+ {
+ DBG1(DBG_LIB, "could not instantiate HMAC-SHA256");
+ return NULL;
+ }
+
+ max_requests = lib->settings->get_int(lib->settings,
+ "libstrongswan.plugins.ntru.max_drbg_requests",
+ MAX_DRBG_REQUESTS);
+
+ INIT(this,
+ .public = {
+ .get_strength = _get_strength,
+ .reseed = _reseed,
+ .generate = _generate,
+ .destroy = _destroy,
+ },
+ .strength = strength,
+ .entropy = entropy,
+ .hmac = hmac,
+ .key = chunk_alloc(hmac->get_key_size(hmac)),
+ .value = chunk_alloc(hmac->get_block_size(hmac)),
+ .max_requests = max_requests,
+ .reseed_counter = 1,
+ );
+
+ memset(this->key.ptr, 0x00, this->key.len);
+ memset(this->value.ptr, 0x01, this->value.len);
+
+ entropy_len = (strength + strength/2) / BITS_PER_BYTE;
+ seed = chunk_alloc(entropy_len + pers_str.len);
+ DBG2(DBG_LIB, "DBRG requesting %u bytes of entropy", entropy_len);
+
+ if (!this->entropy->get_bytes(this->entropy, entropy_len, seed.ptr))
+ {
+ chunk_free(&seed);
+ destroy(this);
+ return NULL;
+ }
+ memcpy(seed.ptr + entropy_len, pers_str.ptr, pers_str.len);
+ DBG4(DBG_LIB, "seed: %B", &seed);
+
+ if (!update(this, seed))
+ {
+ chunk_free(&seed);
+ destroy(this);
+ return NULL;
+ }
+ chunk_clear(&seed);
+
+ return &this->public;
+}
+
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_drbg ntru_drbg
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_DRBG_H_
+#define NTRU_DRBG_H_
+
+typedef struct ntru_drbg_t ntru_drbg_t;
+
+#include <library.h>
+
+/**
+ * Implements a HMAC Deterministic Random Bit Generator (HMAC_DRBG)
+ * compliant with NIST SP 800-90A
+ */
+struct ntru_drbg_t {
+
+ /**
+ * Reseed the instantiated DRBG
+ *
+ * @return configured security strength in bits
+ */
+ u_int32_t (*get_strength)(ntru_drbg_t *this);
+
+ /**
+ * Reseed the instantiated DRBG
+ *
+ * @return TRUE if successful
+ */
+ bool (*reseed)(ntru_drbg_t *this);
+
+ /**
+ * Generate pseudorandom bytes.
+ * If the maximum number of requests has been reached, reseeding occurs
+ *
+ * @param strength requested security strength in bits
+ * @param len number of octets to generate
+ * @param out address of output buffer
+ * @return TRUE if successful
+ */
+ bool (*generate)(ntru_drbg_t *this, u_int32_t strength, u_int32_t len,
+ u_int8_t *out);
+
+ /**
+ * Uninstantiate and destroy the DRBG object
+ */
+ void (*destroy)(ntru_drbg_t *this);
+};
+
+/**
+ * Create and instantiate a new DRBG objet.
+ *
+ * @param strength security strength in bits
+ * @param pers_str personalization string
+ * @param entropy entropy source to use
+ */
+ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
+ rng_t *entropy);
+
+#endif /** NTRU_DRBG_H_ @}*/
+
*/
#include "ntru_ke.h"
-#include "ntru_plugin.h"
+#include "ntru_drbg.h"
#include "ntru_crypto/ntru_crypto.h"
*/
bool computed;
+ /**
+ * True Random Generator
+ */
+ rng_t *entropy;
+
/**
* Deterministic Random Bit Generator
*/
- DRBG_HANDLE drbg;
+ ntru_drbg_t *drbg;
};
METHOD(diffie_hellman_t, get_my_public_value, void,
this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE);
/* generate the random shared secret */
- if (ntru_crypto_drbg_generate(this->drbg, this->strength,
- this->shared_secret.len, this->shared_secret.ptr) != DRBG_OK)
+ if (!this->drbg->generate(this->drbg, this->strength,
+ this->shared_secret.len, this->shared_secret.ptr))
{
DBG1(DBG_LIB, "generation of shared secret failed");
chunk_free(&this->shared_secret);
METHOD(diffie_hellman_t, destroy, void,
private_ntru_ke_t *this)
{
- if (ntru_crypto_drbg_uninstantiate(this->drbg) != DRBG_OK)
- {
- DBG1(DBG_LIB, "error uninstantiating DRBG");
- }
+ this->drbg->destroy(this->drbg);
+ this->entropy->destroy(this->entropy);
chunk_free(&this->pub_key);
chunk_free(&this->ciphertext);
chunk_clear(&this->priv_key);
ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
{
private_ntru_ke_t *this;
- char personalization_str[] = "strongSwan NTRU-KE";
param_set_t *param_sets, *param_set;
- DRBG_HANDLE drbg;
+ rng_t *entropy;
+ ntru_drbg_t *drbg;
char *parameter_set;
u_int32_t strength;
DBG1(DBG_LIB, "%u bit %s NTRU parameter set %s selected", strength,
parameter_set, param_set->name);
- if (ntru_crypto_drbg_instantiate(strength,
- personalization_str, strlen(personalization_str),
- (ENTROPY_FN) &ntru_plugin_get_entropy, &drbg) != DRBG_OK)
+ entropy = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
+ if (!entropy)
+ {
+ DBG1(DBG_LIB, "could not attach entropy source for DRBG");
+ return NULL;
+ }
+
+ drbg = ntru_drbg_create(strength, chunk_from_str("IKE NTRU-KE"), entropy);
+ if (!drbg)
{
- DBG1(DBG_LIB, "error instantiating DRBG at %u bit security", strength);
+ DBG1(DBG_LIB, "could not instantiate DRBG at %u bit security", strength);
+ entropy->destroy(entropy);
return NULL;
}
.group = group,
.param_set = param_set,
.strength = strength,
+ .entropy = entropy,
.drbg = drbg,
);
#include "ntru_ke.h"
#include <library.h>
-#include <utils/debug.h>
typedef struct private_ntru_plugin_t private_ntru_plugin_t;
-rng_t *rng;
-
-bool ntru_plugin_get_entropy(ENTROPY_CMD cmd, uint8_t *out)
-{
- switch (cmd)
- {
- case INIT:
- return TRUE;
- case GET_NUM_BYTES_PER_BYTE_OF_ENTROPY:
- /* Here we return the number of bytes needed from the entropy
- * source to obtain 8 bits of entropy. Maximum is 8.
- */
- if (!out)
- {
- return FALSE;
- }
- *out = 1; /* this is a perfectly random source */
- return TRUE;
- case GET_BYTE_OF_ENTROPY:
- if (!out)
- {
- return FALSE;
- }
- if (!rng || !rng->get_bytes(rng, 1, out))
- {
- return FALSE;
- }
- return TRUE;
- default:
- return FALSE;
- }
-}
-
-/**
- * Create/Destroy True Random Generator
- */
-static bool create_random(private_ntru_plugin_t *this,
- plugin_feature_t *feature, bool reg, void *data)
-{
- if (reg)
- {
- rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
- if (!rng)
- {
- return FALSE;
- }
- }
- else
- {
- rng->destroy(rng);
- }
- return TRUE;
-}
-
/**
* private data of ntru_plugin
*/
METHOD(plugin_t, get_features, int,
private_ntru_plugin_t *this, plugin_feature_t *features[])
{
- int count = 0;
-
- static plugin_feature_t f_ke[] = {
+ static plugin_feature_t f[] = {
PLUGIN_REGISTER(DH, ntru_ke_create),
PLUGIN_PROVIDE(DH, NTRU_112_BIT),
PLUGIN_PROVIDE(DH, NTRU_128_BIT),
PLUGIN_PROVIDE(DH, NTRU_192_BIT),
PLUGIN_PROVIDE(DH, NTRU_256_BIT),
+ PLUGIN_DEPENDS(RNG, RNG_TRUE),
+ PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_SHA2_256_256),
};
- static plugin_feature_t f_rng[] = {
- PLUGIN_CALLBACK((plugin_feature_callback_t)create_random, NULL),
- PLUGIN_PROVIDE(CUSTOM, "ntru-rng"),
- PLUGIN_DEPENDS(RNG, RNG_TRUE),
- };
- static plugin_feature_t f[countof(f_ke) + countof(f_rng)] = {};
-
- plugin_features_add(f, f_ke, countof(f_ke), &count);
- plugin_features_add(f, f_rng, countof(f_rng), &count);
-
*features = f;
- return count;
+
+ return countof(f);
}
METHOD(plugin_t, destroy, void,
},
);
-
return &this->public.plugin;
}
#include <plugins/plugin.h>
-#include "ntru_crypto/ntru_crypto_drbg.h"
-
typedef struct ntru_plugin_t ntru_plugin_t;
/**
plugin_t plugin;
};
-/**
- * Return true random bytes
- *
- * @param cmd command to be executed
- * @param out output variable
- * @result return code
- */
-bool ntru_plugin_get_entropy(ENTROPY_CMD cmd, uint8_t *out);
-
#endif /** NTRU_PLUGIN_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_test_rng.h"
+
+typedef struct private_ntru_test_rng_t private_ntru_test_rng_t;
+
+/**
+ * Private data of an ntru_test_rng_t object.
+ */
+struct private_ntru_test_rng_t {
+
+ /**
+ * Public ntru_test_rng_t interface.
+ */
+ ntru_test_rng_t public;
+
+ /**
+ * entropy string
+ */
+ chunk_t entropy;
+};
+
+METHOD(rng_t, get_bytes, bool,
+ private_ntru_test_rng_t *this, size_t bytes, u_int8_t *buffer)
+{
+ if (bytes > this->entropy.len)
+ {
+ return FALSE;
+ }
+ memcpy(buffer, this->entropy.ptr, bytes);
+ this->entropy = chunk_skip(this->entropy, bytes);
+ return TRUE;
+}
+
+METHOD(rng_t, allocate_bytes, bool,
+ private_ntru_test_rng_t *this, size_t bytes, chunk_t *chunk)
+{
+ if (bytes > this->entropy.len)
+ {
+ *chunk = chunk_empty;
+ return FALSE;
+ }
+
+ *chunk = chunk_alloc(bytes);
+ memcpy(chunk->ptr, this->entropy.ptr, bytes);
+ this->entropy = chunk_skip(this->entropy, bytes);
+ return TRUE;
+}
+
+METHOD(rng_t, destroy, void,
+ private_ntru_test_rng_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+rng_t *ntru_test_rng_create(chunk_t entropy)
+{
+ private_ntru_test_rng_t *this;
+
+ INIT(this,
+ .public = {
+ .rng = {
+ .get_bytes = _get_bytes,
+ .allocate_bytes = _allocate_bytes,
+ .destroy = _destroy,
+ },
+ },
+ .entropy = entropy,
+ );
+
+ return &this->public.rng;
+}
+
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_test_rng ntru_test_rng
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_TEST_RNG_H_
+#define NTRU_TEST_RNG_H_
+
+typedef struct ntru_test_rng_t ntru_test_rng_t;
+
+#include <library.h>
+
+/**
+ * rng_t providing NIST SP 800-90A entropy test vectors
+ */
+struct ntru_test_rng_t {
+
+ /**
+ * Implements rng_t.
+ */
+ rng_t rng;
+};
+
+/**
+ * Creates an ntru_test_rng_t instance.
+ *
+ * @param entropy entropy test vector
+ * @return created ntru_test_rng_t
+ */
+rng_t *ntru_test_rng_create(chunk_t entropy);
+
+#endif /** NTRU_TEST_RNG_H_ @} */
#include "test_suite.h"
-#include <plugins/ntru/ntru_plugin.h>
+#include <plugins/ntru/ntru_drbg.h>
+#include <plugins/ntru/ntru_test_rng.h>
/**
* NTRU parameter sets to test
"x9_98_speed", "x9_98_bandwidth", "x9_98_balance", "optimum"
};
-START_TEST(test_ntru_entropy)
+typedef struct {
+ u_int32_t requested;
+ u_int32_t standard;
+}strength_t;
+
+strength_t strengths[] = {
+ { 80, 112 },
+ { 112, 112 },
+ { 120, 128 },
+ { 128, 128 },
+ { 150, 192 },
+ { 192, 192 },
+ { 200, 256 },
+ { 256, 256 },
+ { 512, 0 }
+};
+
+START_TEST(test_ntru_drbg_strength)
{
- ck_assert(!ntru_plugin_get_entropy(GET_NUM_BYTES_PER_BYTE_OF_ENTROPY, NULL));
- ck_assert(!ntru_plugin_get_entropy(GET_BYTE_OF_ENTROPY, NULL));
- ck_assert(!ntru_plugin_get_entropy(10, NULL));
+ ntru_drbg_t *drbg;
+ rng_t *entropy;
+
+ entropy = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+ ck_assert(entropy != NULL);
+
+ drbg = ntru_drbg_create(strengths[_i].requested, chunk_empty, entropy);
+ if (strengths[_i].standard)
+ {
+ ck_assert(drbg != NULL);
+ ck_assert(drbg->get_strength(drbg) == strengths[_i].standard);
+ drbg->destroy(drbg);
+ }
+ else
+ {
+ ck_assert(drbg == NULL);
+ }
+ entropy->destroy(entropy);
+}
+END_TEST
+
+START_TEST(test_ntru_dbrg)
+{
+ typedef struct {
+ chunk_t pers_str;
+ chunk_t entropy;
+ chunk_t out;
+ } dbrg_test_t;
+
+ dbrg_test_t dbrg_tests[] = {
+ { chunk_empty,
+ chunk_from_chars(0x06, 0x03, 0x2c, 0xd5, 0xee, 0xd3, 0x3f, 0x39,
+ 0x26, 0x5f, 0x49, 0xec, 0xb1, 0x42, 0xc5, 0x11,
+ 0xda, 0x9a, 0xff, 0x2a, 0xf7, 0x12, 0x03, 0xbf,
+ 0xfa, 0xf3, 0x4a, 0x9c, 0xa5, 0xbd, 0x9c, 0x0d,
+ 0x0e, 0x66, 0xf7, 0x1e, 0xdc, 0x43, 0xe4, 0x2a,
+ 0x45, 0xad, 0x3c, 0x6f, 0xc6, 0xcd, 0xc4, 0xdf,
+ 0x01, 0x92, 0x0a, 0x4e, 0x66, 0x9e, 0xd3, 0xa8,
+ 0x5a, 0xe8, 0xa3, 0x3b, 0x35, 0xa7, 0x4a, 0xd7,
+ 0xfb, 0x2a, 0x6b, 0xb4, 0xcf, 0x39, 0x5c, 0xe0,
+ 0x03, 0x34, 0xa9, 0xc9, 0xa5, 0xa5, 0xd5, 0x52),
+ chunk_from_chars(0x76, 0xfc, 0x79, 0xfe, 0x9b, 0x50, 0xbe, 0xcc,
+ 0xc9, 0x91, 0xa1, 0x1b, 0x56, 0x35, 0x78, 0x3a,
+ 0x83, 0x53, 0x6a, 0xdd, 0x03, 0xc1, 0x57, 0xfb,
+ 0x30, 0x64, 0x5e, 0x61, 0x1c, 0x28, 0x98, 0xbb,
+ 0x2b, 0x1b, 0xc2, 0x15, 0x00, 0x02, 0x09, 0x20,
+ 0x8c, 0xd5, 0x06, 0xcb, 0x28, 0xda, 0x2a, 0x51,
+ 0xbd, 0xb0, 0x38, 0x26, 0xaa, 0xf2, 0xbd, 0x23,
+ 0x35, 0xd5, 0x76, 0xd5, 0x19, 0x16, 0x08, 0x42,
+ 0xe7, 0x15, 0x8a, 0xd0, 0x94, 0x9d, 0x1a, 0x9e,
+ 0xc3, 0xe6, 0x6e, 0xa1, 0xb1, 0xa0, 0x64, 0xb0,
+ 0x05, 0xde, 0x91, 0x4e, 0xac, 0x2e, 0x9d, 0x4f,
+ 0x2d, 0x72, 0xa8, 0x61, 0x6a, 0x80, 0x22, 0x54,
+ 0x22, 0x91, 0x82, 0x50, 0xff, 0x66, 0xa4, 0x1b,
+ 0xd2, 0xf8, 0x64, 0xa6, 0xa3, 0x8c, 0xc5, 0xb6,
+ 0x49, 0x9d, 0xc4, 0x3f, 0x7f, 0x2b, 0xd0, 0x9e,
+ 0x1e, 0x0f, 0x8f, 0x58, 0x85, 0x93, 0x51, 0x24)
+ },
+ { chunk_from_chars(0xf2, 0xe5, 0x8f, 0xe6, 0x0a, 0x3a, 0xfc, 0x59,
+ 0xda, 0xd3, 0x75, 0x95, 0x41, 0x5f, 0xfd, 0x31,
+ 0x8c, 0xcf, 0x69, 0xd6, 0x77, 0x80, 0xf6, 0xfa,
+ 0x07, 0x97, 0xdc, 0x9a, 0xa4, 0x3e, 0x14, 0x4c),
+ chunk_from_chars(0xfa, 0x0e, 0xe1, 0xfe, 0x39, 0xc7, 0xc3, 0x90,
+ 0xaa, 0x94, 0x15, 0x9d, 0x0d, 0xe9, 0x75, 0x64,
+ 0x34, 0x2b, 0x59, 0x17, 0x77, 0xf3, 0xe5, 0xf6,
+ 0xa4, 0xba, 0x2a, 0xea, 0x34, 0x2e, 0xc8, 0x40,
+ 0xdd, 0x08, 0x20, 0x65, 0x5c, 0xb2, 0xff, 0xdb,
+ 0x0d, 0xa9, 0xe9, 0x31, 0x0a, 0x67, 0xc9, 0xe5,
+ 0xe0, 0x62, 0x9b, 0x6d, 0x79, 0x75, 0xdd, 0xfa,
+ 0x96, 0xa3, 0x99, 0x64, 0x87, 0x40, 0xe6, 0x0f,
+ 0x1f, 0x95, 0x57, 0xdc, 0x58, 0xb3, 0xd7, 0x41,
+ 0x5f, 0x9b, 0xa9, 0xd4, 0xdb, 0xb5, 0x01, 0xf6),
+ chunk_from_chars(0xf9, 0x2d, 0x4c, 0xf9, 0x9a, 0x53, 0x5b, 0x20,
+ 0x22, 0x2a, 0x52, 0xa6, 0x8d, 0xb0, 0x4c, 0x5a,
+ 0xf6, 0xf5, 0xff, 0xc7, 0xb6, 0x6a, 0x47, 0x3a,
+ 0x37, 0xa2, 0x56, 0xbd, 0x8d, 0x29, 0x8f, 0x9b,
+ 0x4a, 0xa4, 0xaf, 0x7e, 0x8d, 0x18, 0x1e, 0x02,
+ 0x36, 0x79, 0x03, 0xf9, 0x3b, 0xdb, 0x74, 0x4c,
+ 0x6c, 0x2f, 0x3f, 0x34, 0x72, 0x62, 0x6b, 0x40,
+ 0xce, 0x9b, 0xd6, 0xa7, 0x0e, 0x7b, 0x8f, 0x93,
+ 0x99, 0x2a, 0x16, 0xa7, 0x6f, 0xab, 0x6b, 0x5f,
+ 0x16, 0x25, 0x68, 0xe0, 0x8e, 0xe6, 0xc3, 0xe8,
+ 0x04, 0xae, 0xfd, 0x95, 0x2d, 0xdd, 0x3a, 0xcb,
+ 0x79, 0x1c, 0x50, 0xf2, 0xad, 0x69, 0xe9, 0xa0,
+ 0x40, 0x28, 0xa0, 0x6a, 0x9c, 0x01, 0xd3, 0xa6,
+ 0x2a, 0xca, 0x2a, 0xaf, 0x6e, 0xfe, 0x69, 0xed,
+ 0x97, 0xa0, 0x16, 0x21, 0x3a, 0x2d, 0xd6, 0x42,
+ 0xb4, 0x88, 0x67, 0x64, 0x07, 0x2d, 0x9c, 0xbe)
+ }
+ };
+
+ ntru_drbg_t *drbg;
+ rng_t *entropy;
+ chunk_t in, out;
+ int i;
+
+ /* test ntru_test_rng */
+ in = chunk_from_chars(0x01, 0x02, 0x04, 0x04);
+ entropy = ntru_test_rng_create(in);
+ ck_assert(entropy->allocate_bytes(entropy, 4, &out));
+ ck_assert(chunk_equals(in, out));
+ chunk_free(&out);
+ ck_assert(!entropy->allocate_bytes(entropy, 4, &out));
+ entropy->destroy(entropy);
+
+ /* test DRBG with ntru_test_rng providing NIST test vectors */
+ out = chunk_alloc(128);
+ for (i = 0; i < countof(dbrg_tests); i++)
+ {
+ entropy = ntru_test_rng_create(dbrg_tests[i].entropy);
+ drbg = ntru_drbg_create(256, dbrg_tests[i].pers_str, entropy);
+ ck_assert(drbg != NULL);
+ ck_assert(drbg->reseed(drbg));
+ ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+ ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
+ ck_assert(chunk_equals(out, dbrg_tests[i].out));
+ drbg->destroy(drbg);
+ entropy->destroy(entropy);
+ }
+ chunk_free(&out);
}
END_TEST
s = suite_create("ntru");
- tc = tcase_create("entropy");
- tcase_add_test(tc, test_ntru_entropy);
+ tc = tcase_create("dbrg_strength");
+ tcase_add_loop_test(tc, test_ntru_drbg_strength, 0, countof(strengths));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("dbrg");
+ tcase_add_test(tc, test_ntru_dbrg);
suite_add_tcase(s, tc);
tc = tcase_create("ke");
TEST_SUITE(printf_suite_create)
TEST_SUITE(pen_suite_create)
TEST_SUITE(asn1_suite_create)
-TEST_SUITE_DEPEND(ntru_suite_create, CUSTOM, "ntru-rng")
+TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)
projects / thirdparty / strongswan.git / commitdiff
