From: Nikos Mavrogiannopoulos Date: Wed, 4 Dec 2013 14:08:33 +0000 (+0100) Subject: force reseed and rekey on fork and if we exceed a number of iterations. X-Git-Tag: gnutls_3_3_0pre0~504 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b994a35debf3b5287a6ef7da23a62dbafa0c1dd;p=thirdparty%2Fgnutls.git force reseed and rekey on fork and if we exceed a number of iterations. --- diff --git a/lib/nettle/int/drbg-aes.c b/lib/nettle/int/drbg-aes.c index f73cfdb23f..e70a655de9 100644 --- a/lib/nettle/int/drbg-aes.c +++ b/lib/nettle/int/drbg-aes.c @@ -35,6 +35,7 @@ drbg_aes_set_key(struct drbg_aes_ctx *ctx, unsigned length, aes_set_encrypt_key(&ctx->key, length, key); ctx->seeded = 0; + ctx->reseed_counter = 0; ctx->prev_block_present = 0; return 1; @@ -49,19 +50,9 @@ drbg_aes_seed(struct drbg_aes_ctx *ctx, const uint8_t seed[AES_BLOCK_SIZE], dt_func(dt_priv, ctx->dt); + ctx->reseed_counter = 0; ctx->seeded = 1; } - -/* This is nettle's increment macro */ -/* Requires that size > 0 */ -#define INCREMENT(size, ctr) \ - do { \ - unsigned increment_i = (size) - 1; \ - if (++(ctr)[increment_i] == 0) \ - while (increment_i > 0 \ - && ++(ctr)[--increment_i] == 0 ) \ - ; \ - } while (0) int drbg_aes_random(struct drbg_aes_ctx *ctx, unsigned length, uint8_t * dst) @@ -144,6 +135,10 @@ drbg_aes_random(struct drbg_aes_ctx *ctx, unsigned length, uint8_t * dst) INCREMENT(sizeof(ctx->dt), ctx->dt); } + + if (ctx->reseed_counter > DRBG_AES_RESEED_TIME) + return 0; + ctx->reseed_counter++; return 1; } diff --git a/lib/nettle/int/drbg-aes.h b/lib/nettle/int/drbg-aes.h index f680740293..9454fd01e8 100644 --- a/lib/nettle/int/drbg-aes.h +++ b/lib/nettle/int/drbg-aes.h @@ -27,6 +27,17 @@ #include #include +/* This is nettle's increment macro */ +/* Requires that size > 0 */ +#define INCREMENT(size, ctr) \ + do { \ + unsigned increment_i = (size) - 1; \ + if (++(ctr)[increment_i] == 0) \ + while (increment_i > 0 \ + && ++(ctr)[--increment_i] == 0 ) \ + ; \ + } while (0) + /* This is the AES-based random-number generator from ANSI X9.31 * Appendix A.2.4. Note that the DT value from the document is obtained * during seeding. Then it is used as an 128-bit counter which is @@ -43,8 +54,14 @@ struct drbg_aes_ctx { unsigned prev_block_present; uint8_t prev_block[AES_BLOCK_SIZE]; + unsigned reseed_counter; }; +/* This DRBG should be reseeded if reseed_counter exceeds + * that number. + */ +#define DRBG_AES_RESEED_TIME 65536 + typedef int (*aes_dt) (void *priv, uint8_t dt[AES_BLOCK_SIZE]); /* should return zero on error */ diff --git a/lib/nettle/rnd-fips.c b/lib/nettle/rnd-fips.c index 088c985018..a0613dadb0 100644 --- a/lib/nettle/rnd-fips.c +++ b/lib/nettle/rnd-fips.c @@ -130,8 +130,9 @@ static int get_random(struct drbg_aes_ctx *ctx, struct fips_ctx* fctx, { int ret; - if (fctx->pid != getpid()) { - /* We are in a child of us. */ + if (fctx->pid != getpid() || + ctx->reseed_counter > DRBG_AES_RESEED_TIME) { + ret = _rngfips_reinit(fctx); if (ret < 0) return gnutls_assert_val(ret);