From: Andreas Steffen Date: Sun, 24 Nov 2013 01:22:25 +0000 (+0100) Subject: Implemented NIST SP 800-90A DRBG_HMAC with SHA-256 X-Git-Tag: 5.1.2dr1~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98c64216742f9065fceddc4f90993c33bfe3fe67;p=thirdparty%2Fstrongswan.git Implemented NIST SP 800-90A DRBG_HMAC with SHA-256 --- diff --git a/src/libstrongswan/plugins/ntru/Makefile.am b/src/libstrongswan/plugins/ntru/Makefile.am index ebfe95d0b2..4f81ead4ac 100644 --- a/src/libstrongswan/plugins/ntru/Makefile.am +++ b/src/libstrongswan/plugins/ntru/Makefile.am @@ -12,12 +12,12 @@ endif libstrongswan_ntru_la_SOURCES = \ ntru_plugin.h ntru_plugin.c \ + ntru_drbg.h ntru_drbg.c \ ntru_ke.h ntru_ke.c \ + ntru_test_rng.h ntru_test_rng.c \ ntru_crypto/ntru_crypto.h ntru_crypto/ntru_crypto_error.h \ - ntru_crypto/ntru_crypto_drbg.h ntru_crypto/ntru_crypto_drbg.c \ ntru_crypto/ntru_crypto_hash_basics.h \ ntru_crypto/ntru_crypto_hash.h ntru_crypto/ntru_crypto_hash.c \ - ntru_crypto/ntru_crypto_hmac.h ntru_crypto/ntru_crypto_hmac.c \ ntru_crypto/ntru_crypto_msbyte_uint32.h \ ntru_crypto/ntru_crypto_msbyte_uint32.c \ ntru_crypto/ntru_crypto_ntru_convert.h \ diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h index bb0f4b3824..7749b3b950 100644 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h +++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h @@ -35,9 +35,10 @@ #define NTRU_CRYPTO_H #include "ntru_crypto_platform.h" -#include "ntru_crypto_drbg.h" #include "ntru_crypto_error.h" +#include "ntru_drbg.h" + #if !defined( NTRUCALL ) #if !defined(WIN32) || defined (NTRUCRYPTO_STATIC) // Linux, or a Win32 static library @@ -135,7 +136,7 @@ typedef enum _NTRU_ENCRYPT_PARAM_SET_ID { NTRUCALL ntru_crypto_ntru_encrypt( - DRBG_HANDLE drbg_handle, /* in - handle for DRBG */ + ntru_drbg_t *drbg , /* in - handle for DRBG */ uint16_t pubkey_blob_len, /* in - no. of octets in public key blob */ uint8_t const *pubkey_blob, /* in - pointer to public key */ @@ -234,7 +235,7 @@ ntru_crypto_ntru_decrypt( NTRUCALL ntru_crypto_ntru_encrypt_keygen( - DRBG_HANDLE drbg_handle, /* in - handle of DRBG */ + ntru_drbg_t *drbg, /* in - handle of DRBG */ NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */ uint16_t *pubkey_blob_len, /* in/out - no. of octets in pubkey_blob, addr diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_drbg.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_drbg.c deleted file mode 100644 index 7f5a7c872d..0000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_drbg.c +++ /dev/null @@ -1,724 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_drbg.c is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_drbg.c - * - * Contents: Implementation of a SHA-256 HMAC-based deterministic random byte - * generator (HMAC_DRBG) as defined in ANSI X9.82, Part 3 - 2007. - * - * This implementation: - * - allows for MAX_INSTANTIATIONS simultaneous drbg instantiations - * (may be overridden on compiler command line) - * - has a maximum security strength of 256 bits - * - automatically uses SHA-256 for all security strengths - * - allows a personalization string of up to MAX_PERS_STR_BYTES bytes - * - implments reseeding - * - does not implement additional input for reseeding or generation - * - does not implement predictive resistance - * - limits the number of bytes requested in one invocation of generate to - * MAX_BYTES_PER_REQUEST - * - uses a callback function to allow the caller to supply the - * Get_entropy_input routine (entropy function) - * - limits the number of bytes returned from the entropy function to - * MAX_ENTROPY_NONCE_BYTES - * - gets the nonce bytes along with the entropy input from the entropy - * function - * - automatically reseeds an instantitation after MAX_REQUESTS calls to - * generate - * - *****************************************************************************/ - - -#include -#include -#include -#include "ntru_crypto_drbg.h" -#include "ntru_crypto_hmac.h" - - -/************************ - * HMAC_DRBG parameters * - ************************/ - -/* Note: nonce size is sec_strength_bits/2 */ -#define HMAC_DRBG_MAX_MIN_ENTROPY_NONCE_BYTES \ - (DRBG_MAX_SEC_STRENGTH_BITS + DRBG_MAX_SEC_STRENGTH_BITS/2)/8 -#define HMAC_DRBG_MAX_ENTROPY_NONCE_BYTES \ - HMAC_DRBG_MAX_MIN_ENTROPY_NONCE_BYTES * DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY -#define HMAC_DRBG_MAX_REQUESTS 0xffffffff - - -/******************* - * DRBG structures * - *******************/ - -/* SHA256_HMAC_DRBG state structure */ - -typedef struct { - uint32_t sec_strength; /* security strength in bits */ - uint32_t requests_left; /* generation requests remaining - before reseeding */ - ENTROPY_FN entropy_fn; /* pointer to entropy function */ - NTRU_CRYPTO_HMAC_CTX *hmac_ctx; /* pointer to HMAC context */ - uint8_t V[33]; /* md_len size internal state + 1 */ -} SHA256_HMAC_DRBG_STATE; - - -/* DRBG state structure - * Note: this could contain a DRBG_TYPE to direct allocation, instantiation, - * and generation to multiple types of DRBGs; at present only the - * SHA256_HMAC_DRBG is implemented - */ - -typedef struct { - uint32_t handle; - void *state; -} DRBG_STATE; - - -/************* - * DRBG DATA * - *************/ - -/* array of drbg states */ - -static DRBG_STATE drbg_state[DRBG_MAX_INSTANTIATIONS]; - - -/****************************** - * SHA256 HMAC_DRBG functions * - ******************************/ - -/* sha256_hmac_drbg_update - * - * This routine is the SHA-256 HMAC_DRBG derivation function for - * instantiation, and reseeding, and it is used in generation as well. - * It updates the internal state. - * - * For instantiation, provided_data1 holds the entropy input and nonce; - * provided_data2 holds the optional personalization string. Combined, this - * is the seed material. - * - * For reseeding, provided_data1 holds the entropy input; - * provided_data2 is NULL (because this implementation does not support - * additional input). - * - * For byte generation, both provided_data1 and provided_data2 are NULL. - * - * Returns DRBG_OK if successful. - * Returns HMAC errors if they occur. - */ - -static uint32_t -sha256_hmac_drbg_update( - SHA256_HMAC_DRBG_STATE *s, - uint8_t *key, /* md_len size array */ - uint32_t md_len, - uint8_t const *provided_data1, - uint32_t provided_data1_bytes, - uint8_t const *provided_data2, - uint32_t provided_data2_bytes) -{ - uint32_t result; - - /* new key = HMAC(K, V || 0x00 [|| provided data1 [|| provided data2]] */ - - if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) != NTRU_CRYPTO_HMAC_OK) - return result; - s->V[md_len] = 0x00; - if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len + 1)) != - NTRU_CRYPTO_HMAC_OK) - return result; - if (provided_data1) { - if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data1, - provided_data1_bytes)) != - NTRU_CRYPTO_HMAC_OK) - return result; - if (provided_data2) { - if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data2, - provided_data2_bytes)) != - NTRU_CRYPTO_HMAC_OK) - return result; - } - } - if ((result = ntru_crypto_hmac_final(s->hmac_ctx, key)) != - NTRU_CRYPTO_HMAC_OK) - return result; - if ((result = ntru_crypto_hmac_set_key(s->hmac_ctx, key)) != - NTRU_CRYPTO_HMAC_OK) - return result; - - /* new V = HMAC(K, V) */ - - if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) != NTRU_CRYPTO_HMAC_OK) - return result; - if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len)) != - NTRU_CRYPTO_HMAC_OK) - return result; - if ((result = ntru_crypto_hmac_final(s->hmac_ctx, s->V)) != - NTRU_CRYPTO_HMAC_OK) - return result; - - /* if provided data exists, update K and V again */ - - if (provided_data1) { - - /* new key = HMAC(K, V || 0x01 || provided data1 [|| provided data2] */ - - if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) != - NTRU_CRYPTO_HMAC_OK) - return result; - s->V[md_len] = 0x01; - if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len + 1)) != - NTRU_CRYPTO_HMAC_OK) - return result; - if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data1, - provided_data1_bytes)) != - NTRU_CRYPTO_HMAC_OK) - return result; - if (provided_data2) { - if ((result = ntru_crypto_hmac_update(s->hmac_ctx, provided_data2, - provided_data2_bytes)) != - NTRU_CRYPTO_HMAC_OK) - return result; - } - if ((result = ntru_crypto_hmac_final(s->hmac_ctx, key)) != - NTRU_CRYPTO_HMAC_OK) - return result; - if ((result = ntru_crypto_hmac_set_key(s->hmac_ctx, key)) != - NTRU_CRYPTO_HMAC_OK) - return result; - - /* new V = HMAC(K, V) */ - - if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) != - NTRU_CRYPTO_HMAC_OK) - return result; - if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, md_len)) != - NTRU_CRYPTO_HMAC_OK) - return result; - if ((result = ntru_crypto_hmac_final(s->hmac_ctx, s->V)) != - NTRU_CRYPTO_HMAC_OK) - return result; - } - - memset(key, 0, md_len); - DRBG_RET(DRBG_OK); -} - - -/* sha256_hmac_drbg_instantiate - * - * This routine allocates and initializes a SHA-256 HMAC_DRBG internal state. - * - * Returns DRBG_OK if successful. - * Returns DRBG_BAD_LENGTH if the personalization string is too long. - * Returns DRBG_OUT_OF_MEMORY if the internal state cannot be allocated. - * Returns errors from HASH or SHA256 if those errors occur. - */ - -static uint32_t -sha256_hmac_drbg_instantiate( - uint32_t sec_strength_bits, /* strength to instantiate */ - uint8_t const *pers_str, - uint32_t pers_str_bytes, - ENTROPY_FN entropy_fn, - SHA256_HMAC_DRBG_STATE **state) -{ - uint8_t entropy_nonce[HMAC_DRBG_MAX_ENTROPY_NONCE_BYTES]; - uint32_t entropy_nonce_bytes; - uint32_t min_bytes_of_entropy; - uint8_t num_bytes_per_byte_of_entropy; - uint8_t key[32]; /* array of md_len size */ - SHA256_HMAC_DRBG_STATE *s; - uint32_t result; - uint32_t i; - - /* check arguments */ - - if (pers_str_bytes > HMAC_DRBG_MAX_PERS_STR_BYTES) - DRBG_RET(DRBG_BAD_LENGTH); - - /* calculate number of bytes needed for the entropy input and nonce - * for a SHA256_HMAC_DRBG, and get them from the entropy source - */ - - if (entropy_fn(GET_NUM_BYTES_PER_BYTE_OF_ENTROPY, - &num_bytes_per_byte_of_entropy) == 0) - DRBG_RET(DRBG_ENTROPY_FAIL); - if ((num_bytes_per_byte_of_entropy == 0) || - (num_bytes_per_byte_of_entropy > - DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY)) - DRBG_RET(DRBG_ENTROPY_FAIL); - - min_bytes_of_entropy = (sec_strength_bits + sec_strength_bits/2) / 8; - entropy_nonce_bytes = min_bytes_of_entropy * num_bytes_per_byte_of_entropy; - for (i = 0; i < entropy_nonce_bytes; i++) - if (entropy_fn(GET_BYTE_OF_ENTROPY, entropy_nonce+i) == 0) - DRBG_RET(DRBG_ENTROPY_FAIL); - - /* allocate SHA256_HMAC_DRBG state */ - - s = (SHA256_HMAC_DRBG_STATE*) malloc(sizeof(SHA256_HMAC_DRBG_STATE)); - if (s == NULL) { - DRBG_RET(DRBG_OUT_OF_MEMORY); - } - - /* allocate HMAC context */ - - memset(key, 0, sizeof(key)); - if ((result = ntru_crypto_hmac_create_ctx(NTRU_CRYPTO_HASH_ALGID_SHA256, - key, sizeof(key), - &s->hmac_ctx)) != - NTRU_CRYPTO_HMAC_OK) { - free(s); - return result; - } - - /* init and update internal state */ - - memset(s->V, 0x01, sizeof(s->V)); - if ((result = sha256_hmac_drbg_update(s, key, sizeof(key), - entropy_nonce, entropy_nonce_bytes, - pers_str, pers_str_bytes)) != DRBG_OK) { - (void) ntru_crypto_hmac_destroy_ctx(s->hmac_ctx); - memset(s->V, 0, sizeof(s->V)); - free(s); - } - memset(entropy_nonce, 0, sizeof(entropy_nonce)); - - /* init instantiation parameters */ - - s->sec_strength = sec_strength_bits; - s->requests_left = HMAC_DRBG_MAX_REQUESTS; - s->entropy_fn = entropy_fn; - *state = s; - - return result; -} - - -/* sha256_hmac_drbg_free - * - * This routine frees a SHA-256 HMAC_DRBG internal state. - * - * Returns DRBG_OK if successful. - * Returns DRBG_BAD_PARAMETER if inappropriate NULL pointers are passed. - */ - -static void -sha256_hmac_drbg_free( - SHA256_HMAC_DRBG_STATE *s) -{ - if (s->hmac_ctx) { - (void) ntru_crypto_hmac_destroy_ctx(s->hmac_ctx); - } - memset(s->V, 0, sizeof(s->V)); - s->sec_strength = 0; - s->requests_left = 0; - s->entropy_fn = NULL; - free(s); -} - - -/* sha256_hmac_drbg_reseed - * - * This function reseeds an instantiated SHA256_HMAC DRBG. - * - * Returns DRBG_OK if successful. - * Returns HMAC errors if they occur. - */ - -static uint32_t -sha256_hmac_drbg_reseed( - SHA256_HMAC_DRBG_STATE *s) -{ - uint8_t entropy[HMAC_DRBG_MAX_ENTROPY_NONCE_BYTES]; - uint32_t entropy_bytes; - uint32_t min_bytes_of_entropy; - uint8_t num_bytes_per_byte_of_entropy; - uint8_t key[32]; // array of md_len size for sha256_hmac_drbg_update() - uint32_t result; - uint32_t i; - - /* calculate number of bytes needed for the entropy input - * for a SHA256_HMAC_DRBG, and get them from the entropy source - */ - - if (s->entropy_fn(GET_NUM_BYTES_PER_BYTE_OF_ENTROPY, - &num_bytes_per_byte_of_entropy) == 0) - DRBG_RET(DRBG_ENTROPY_FAIL); - if ((num_bytes_per_byte_of_entropy == 0) || - (num_bytes_per_byte_of_entropy > - DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY)) - DRBG_RET(DRBG_ENTROPY_FAIL); - - min_bytes_of_entropy = s->sec_strength / 8; - entropy_bytes = min_bytes_of_entropy * num_bytes_per_byte_of_entropy; - for (i = 0; i < entropy_bytes; i++) - if (s->entropy_fn(GET_BYTE_OF_ENTROPY, entropy+i) == 0) - DRBG_RET(DRBG_ENTROPY_FAIL); - - /* update internal state */ - - if ((result = sha256_hmac_drbg_update(s, key, sizeof(key), - entropy, entropy_bytes, NULL, 0)) != - DRBG_OK) - return result; - - /* reset request counter */ - - s->requests_left = HMAC_DRBG_MAX_REQUESTS; - DRBG_RET(DRBG_OK); -} - - -/* sha256_hmac_drbg_generate - * - * This routine generates pseudorandom bytes from a SHA256_HMAC DRBG. - * - * Returns DRBG_OK if successful. - * Returns DRBG_BAD_LENGTH if too many bytes are requested or the requested - * security strength is too large. - * Returns HMAC errors if they occur. - */ - -static uint32_t -sha256_hmac_drbg_generate( - SHA256_HMAC_DRBG_STATE *s, - uint32_t sec_strength_bits, - uint32_t num_bytes, - uint8_t *out) -{ - uint8_t key[32]; // array of md_len size for sha256_hmac_drbg_update() - uint32_t result; - - /* check if number of bytes requested exceeds the maximum allowed */ - - if (num_bytes > HMAC_DRBG_MAX_BYTES_PER_REQUEST) - DRBG_RET(DRBG_BAD_LENGTH); - - /* check if drbg has adequate security strength */ - - if (sec_strength_bits > s->sec_strength) - DRBG_RET(DRBG_BAD_LENGTH); - - /* check if max requests have been exceeded */ - - if (s->requests_left == 0) - if ((result = sha256_hmac_drbg_reseed(s)) != DRBG_OK) - return result; - - /* generate pseudorandom bytes */ - - while (num_bytes > 0) { - - /* generate md_len bytes = V = HMAC(K, V) */ - - if ((result = ntru_crypto_hmac_init(s->hmac_ctx)) != - NTRU_CRYPTO_HMAC_OK) - return result; - if ((result = ntru_crypto_hmac_update(s->hmac_ctx, s->V, - sizeof(key))) != - NTRU_CRYPTO_HMAC_OK) - return result; - if ((result = ntru_crypto_hmac_final(s->hmac_ctx, s->V)) != - NTRU_CRYPTO_HMAC_OK) - return result; - - /* copy generated bytes to output buffer */ - - if (num_bytes < sizeof(key)) { - memcpy(out, s->V, num_bytes); - num_bytes = 0; - } else { - memcpy(out, s->V, sizeof(key)); - out += sizeof(key); - num_bytes -= sizeof(key); - } - } - - /* update internal state */ - - if ((result = sha256_hmac_drbg_update(s, key, sizeof(key), - NULL, 0, NULL, 0)) != DRBG_OK) - return result; - s->requests_left--; - - DRBG_RET(DRBG_OK); -} - - -/****************** - * DRBG functions * - ******************/ - -/* drbg_get_new_drbg - * - * This routine finds an uninstantiated drbg state and returns a pointer to it. - * - * Returns a pointer to an uninstantiated drbg state if found. - * Returns NULL if all drbg states are instantiated. - */ - -static DRBG_STATE * -drbg_get_new_drbg() -{ - int i; - - for (i = 0; i < DRBG_MAX_INSTANTIATIONS; i++) { - if (drbg_state[i].state == NULL) - return drbg_state+i; - } - return NULL; -} - - -/* drbg_get_drbg - * - * This routine finds an instantiated drbg state given its handle, and returns - * a pointer to it. - * - * Returns a pointer to the drbg state if found. - * Returns NULL if the drbg state is not found. - */ - -static DRBG_STATE * -drbg_get_drbg( - DRBG_HANDLE handle) /* in/out - drbg handle */ -{ - int i; - - for (i = 0; i < DRBG_MAX_INSTANTIATIONS; i++) { - if ((drbg_state[i].handle == handle) && drbg_state[i].state) - return drbg_state+i; - } - return NULL; -} - - -/* drbg_get_new_handle - * - * This routine gets a new, unique 32-bit handle. - * - * Returns the new DRBG handle. - */ - -static DRBG_HANDLE -drbg_get_new_handle(void) -{ - DRBG_HANDLE h = 0; - - /* ensure the new handle is unique: - * if it already exists, increment it - */ - - while (drbg_get_drbg(h) != NULL) - ++h; - - return h; -} - - -/******************** - * Public functions * - ********************/ - -/* ntru_crypto_drbg_instantiate - * - * This routine instantiates a drbg with the requested security strength. - * See ANS X9.82: Part 3-2007. - * - * Returns DRBG_OK if successful. - * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if an argument pointer is NULL. - * Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested - * or the personalization string is too large. - * Returns DRBG_ERROR_BASE + DRBG_OUT_OF_MEMORY if the internal state cannot be - * allocated from the heap. - */ - -uint32_t -ntru_crypto_drbg_instantiate( - uint32_t sec_strength_bits, /* in - requested sec strength in bits */ - uint8_t const *pers_str, /* in - ptr to personalization string */ - uint32_t pers_str_bytes, /* in - no. personalization str bytes */ - ENTROPY_FN entropy_fn, /* in - pointer to entropy function */ - DRBG_HANDLE *handle) /* out - address for drbg handle */ -{ - DRBG_STATE *drbg = NULL; - SHA256_HMAC_DRBG_STATE *state = NULL; - uint32_t result; - - /* check arguments */ - - if ((!pers_str && pers_str_bytes) || !entropy_fn || !handle) - DRBG_RET(DRBG_BAD_PARAMETER); - if (sec_strength_bits > DRBG_MAX_SEC_STRENGTH_BITS) - DRBG_RET(DRBG_BAD_LENGTH); - if (pers_str && (pers_str_bytes == 0)) - pers_str = NULL; - - /* set security strength */ - - if (sec_strength_bits <= 112) { - sec_strength_bits = 112; - } else if (sec_strength_bits <= 128) { - sec_strength_bits = 128; - } else if (sec_strength_bits <= 192) { - sec_strength_bits = 192; - } else { - sec_strength_bits = 256; - } - - /* get an uninstantiated drbg */ - - if ((drbg = drbg_get_new_drbg()) == NULL) - DRBG_RET(DRBG_NOT_AVAILABLE); - - /* init entropy function */ - - if (entropy_fn(INIT, NULL) == 0) - DRBG_RET(DRBG_ENTROPY_FAIL); - - /* instantiate a SHA-256 HMAC_DRBG */ - - if ((result = sha256_hmac_drbg_instantiate(sec_strength_bits, - pers_str, pers_str_bytes, - entropy_fn, - &state)) != DRBG_OK) - return result; - - /* init drbg state */ - - drbg->handle = drbg_get_new_handle(); - drbg->state = state; - - /* return drbg handle */ - - *handle = drbg->handle; - DRBG_RET(DRBG_OK); -} - - -/* ntru_crypto_drbg_uninstantiate - * - * This routine frees a drbg given its handle. - * - * Returns DRBG_OK if successful. - * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid. - */ - -uint32_t -ntru_crypto_drbg_uninstantiate( - DRBG_HANDLE handle) /* in - drbg handle */ -{ - DRBG_STATE *drbg = NULL; - - /* find the instantiated drbg */ - - if ((drbg = drbg_get_drbg(handle)) == NULL) - DRBG_RET(DRBG_BAD_PARAMETER); - - /* zero and free drbg state */ - - if (drbg->state) { - sha256_hmac_drbg_free((SHA256_HMAC_DRBG_STATE *)drbg->state); - drbg->state = NULL; - } - - drbg->handle = 0; - DRBG_RET(DRBG_OK); -} - - -/* ntru_crypto_drbg_reseed - * - * This routine reseeds an instantiated drbg. - * See ANS X9.82: Part 3-2007. - * - * Returns DRBG_OK if successful. - * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid. - * Returns HMAC errors if they occur. - */ - -uint32_t -ntru_crypto_drbg_reseed( - DRBG_HANDLE handle) /* in - drbg handle */ -{ - DRBG_STATE *drbg = NULL; - - /* find the instantiated drbg */ - - if ((drbg = drbg_get_drbg(handle)) == NULL) - DRBG_RET(DRBG_BAD_PARAMETER); - - /* reseed the SHA-256 HMAC_DRBG */ - - return sha256_hmac_drbg_reseed((SHA256_HMAC_DRBG_STATE *)drbg->state); -} - - -/* ntru_crypto_drbg_generate - * - * This routine generates pseudorandom bytes using an instantiated drbg. - * If the maximum number of requests has been reached, reseeding will occur. - * See ANS X9.82: Part 3-2007. - * - * Returns DRBG_OK if successful. - * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid or if - * an argument pointer is NULL. - * Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested - * is too large or the number of bytes requested is zero or too large. - * Returns HMAC errors if they occur. - */ - -uint32_t -ntru_crypto_drbg_generate( - DRBG_HANDLE handle, /* in - drbg handle */ - uint32_t sec_strength_bits, /* in - requested sec strength in bits */ - uint32_t num_bytes, /* in - number of octets to generate */ - uint8_t *out) /* out - address for generated octets */ -{ - DRBG_STATE *drbg = NULL; - - /* find the instantiated drbg */ - - if ((drbg = drbg_get_drbg(handle)) == NULL) - DRBG_RET(DRBG_BAD_PARAMETER); - - /* check arguments */ - - if (!out) - DRBG_RET(DRBG_BAD_PARAMETER); - if (num_bytes == 0) - DRBG_RET(DRBG_BAD_LENGTH); - - /* generate pseudorandom output from the SHA256_HMAC_DRBG */ - - return sha256_hmac_drbg_generate((SHA256_HMAC_DRBG_STATE *)drbg->state, - sec_strength_bits, num_bytes, out); -} - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_drbg.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_drbg.h deleted file mode 100644 index 3f0297910c..0000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_drbg.h +++ /dev/null @@ -1,193 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_drbg.h is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - - -/****************************************************************************** - * - * File: ntru_crypto_drbg.h - * - * Contents: Public header file for ntru_crypto_drbg.c. - * - *****************************************************************************/ - - -#ifndef NTRU_CRYPTO_DRBG_H -#define NTRU_CRYPTO_DRBG_H - -#include "ntru_crypto_platform.h" -#include "ntru_crypto_error.h" - -#if !defined( NTRUCALL ) - #if !defined(WIN32) || defined (NTRUCRYPTO_STATIC) - // Linux, or a Win32 static library - #define NTRUCALL extern uint32_t - #elif defined (NTRUCRYPTO_EXPORTS) - // Win32 DLL build - #define NTRUCALL extern __declspec(dllexport) uint32_t - #else - // Win32 DLL import - #define NTRUCALL extern __declspec(dllimport) uint32_t - #endif -#endif /* NTRUCALL */ - -#if defined ( __cplusplus ) -extern "C" { -#endif /* __cplusplus */ - - -/******************* - * DRBG parameters * - *******************/ - -#if !defined(DRBG_MAX_INSTANTIATIONS) -#define DRBG_MAX_INSTANTIATIONS 4 -#endif -#define DRBG_MAX_SEC_STRENGTH_BITS 256 -#define DRBG_MAX_BYTES_PER_BYTE_OF_ENTROPY 8 - - -/************************ - * HMAC_DRBG parameters * - ************************/ - -#define HMAC_DRBG_MAX_PERS_STR_BYTES 32 -#define HMAC_DRBG_MAX_BYTES_PER_REQUEST 1024 - - -/******************** - * type definitions * - ********************/ - -typedef uint32_t DRBG_HANDLE; /* drbg handle */ -typedef enum { /* entropy-function commands */ - GET_NUM_BYTES_PER_BYTE_OF_ENTROPY = 0, - INIT, - GET_BYTE_OF_ENTROPY, -} ENTROPY_CMD; -typedef uint8_t (*ENTROPY_FN)( /* get entropy function */ - ENTROPY_CMD cmd, /* command */ - uint8_t *out); /* address for output */ - - -/*************** - * error codes * - ***************/ - -#define DRBG_OK 0x00000000 /* no errors */ -#define DRBG_OUT_OF_MEMORY 0x00000001 /* can't allocate memory */ -#define DRBG_BAD_PARAMETER 0x00000002 /* null pointer */ -#define DRBG_BAD_LENGTH 0x00000003 /* invalid no. of bytes */ -#define DRBG_NOT_AVAILABLE 0x00000004 /* no instantiation slot available */ -#define DRBG_ENTROPY_FAIL 0x00000005 /* entropy function failure */ - -/*************** - * error macro * - ***************/ - -#define DRBG_RESULT(r) ((uint32_t)((r) ? DRBG_ERROR_BASE + (r) : (r))) -#define DRBG_RET(r) return DRBG_RESULT(r); - - -/************************* - * function declarations * - *************************/ - -/* ntru_crypto_drbg_instantiate - * - * This routine instantiates a drbg with the requested security strength. - * See ANS X9.82: Part 3-2007. - * - * Returns DRBG_OK if successful. - * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if an argument pointer is NULL. - * Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested - * or the personalization string is too large. - * Returns DRBG_ERROR_BASE + DRBG_OUT_OF_MEMORY if the internal state cannot be - * allocated from the heap. - */ - -NTRUCALL -ntru_crypto_drbg_instantiate( - uint32_t sec_strength_bits, /* in - requested sec strength in bits */ - uint8_t const *pers_str, /* in - ptr to personalization string */ - uint32_t pers_str_bytes, /* in - no. personalization str bytes */ - ENTROPY_FN entropy_fn, /* in - pointer to entropy function */ - DRBG_HANDLE *handle); /* out - address for drbg handle */ - - -/* ntru_crypto_drbg_uninstantiate - * - * This routine frees a drbg given its handle. - * - * Returns DRBG_OK if successful. - * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid. - */ - -NTRUCALL -ntru_crypto_drbg_uninstantiate( - DRBG_HANDLE handle); /* in - drbg handle */ - - -/* ntru_crypto_drbg_reseed - * - * This routine reseeds an instantiated drbg. - * See ANS X9.82: Part 3-2007. - * - * Returns DRBG_OK if successful. - * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid. - * Returns NTRU_CRYPTO_HMAC errors if they occur. - */ - -NTRUCALL -ntru_crypto_drbg_reseed( - DRBG_HANDLE handle); /* in - drbg handle */ - - -/* ntru_crypto_drbg_generate - * - * This routine generates pseudorandom bytes using an instantiated drbg. - * If the maximum number of requests has been reached, reseeding will occur. - * See ANS X9.82: Part 3-2007. - * - * Returns DRBG_OK if successful. - * Returns DRBG_ERROR_BASE + DRBG_BAD_PARAMETER if handle is not valid or if - * an argument pointer is NULL. - * Returns DRBG_ERROR_BASE + DRBG_BAD_LENGTH if the security strength requested - * is too large or the number of bytes requested is zero or too large. - * Returns NTRU_CRYPTO_HMAC errors if they occur. - */ - -NTRUCALL -ntru_crypto_drbg_generate( - DRBG_HANDLE handle, /* in - drbg handle */ - uint32_t sec_strength_bits, /* in - requested sec strength in bits */ - uint32_t num_bytes, /* in - number of octets to generate */ - uint8_t *out); /* out - address for generated octets */ - - -#if defined ( __cplusplus ) -} -#endif /* __cplusplus */ - - -#endif /* NTRU_CRYPTO_DRBG_H */ diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_hmac.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_hmac.c deleted file mode 100644 index 715331b82f..0000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_hmac.c +++ /dev/null @@ -1,320 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_hmac.c is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_hmac.c - * - * Contents: Routines implementing the HMAC hash calculation. - * - *****************************************************************************/ - - -#include -#include -#include "ntru_crypto_hmac.h" - - -/* HMAC context */ - -struct _NTRU_CRYPTO_HMAC_CTX { - NTRU_CRYPTO_HASH_CTX hash_ctx; - uint8_t *k0; - uint16_t blk_len; - uint16_t md_len; -}; - - -/* ntru_crypto_hmac_create_ctx - * - * This routine creates an HMAC context, setting the hash algorithm and - * the key to be used. - * - * Returns NTRU_CRYPTO_HMAC_OK if successful. - * Returns NTRU_CRYPTO_HMAC_BAD_ALG if the specified algorithm is not supported. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - * Returns NTRU_CRYPTO_HMAC_OUT_OF_MEMORY if memory cannot be allocated. - */ - -uint32_t -ntru_crypto_hmac_create_ctx( - NTRU_CRYPTO_HASH_ALGID algid, /* in - the hash algorithm to be used */ - uint8_t const *key, /* in - pointer to the HMAC key */ - uint32_t key_len, /* in - number of bytes in HMAC key */ - NTRU_CRYPTO_HMAC_CTX **c) /* out - address for pointer to HMAC - context */ -{ - NTRU_CRYPTO_HMAC_CTX *ctx = NULL; - uint32_t result; - - /* check parameters */ - - if (!c || !key) - HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER); - - *c = NULL; - - /* allocate memory for an HMAC context */ - - if ((ctx = (NTRU_CRYPTO_HMAC_CTX*) malloc(sizeof(NTRU_CRYPTO_HMAC_CTX))) == - NULL) - HMAC_RET(NTRU_CRYPTO_HMAC_OUT_OF_MEMORY); - - /* set the algorithm */ - - if (result = ntru_crypto_hash_set_alg(algid, &ctx->hash_ctx)) { - free(ctx); - HMAC_RET(NTRU_CRYPTO_HMAC_BAD_ALG); - } - - /* set block length and digest length */ - - if ((result = ntru_crypto_hash_block_length(&ctx->hash_ctx, - &ctx->blk_len)) || - (result = ntru_crypto_hash_digest_length(&ctx->hash_ctx, - &ctx->md_len))) { - free(ctx); - return result; - } - - /* allocate memory for K0 */ - - if ((ctx->k0 = (uint8_t*) malloc(ctx->blk_len)) == NULL) { - free(ctx); - HMAC_RET(NTRU_CRYPTO_HMAC_OUT_OF_MEMORY); - } - - /* calculate K0 and store in HMAC context */ - - memset(ctx->k0, 0, ctx->blk_len); - - /* check if key is too large */ - - if (key_len > ctx->blk_len) { - - if (result = ntru_crypto_hash_digest(algid, key, key_len, ctx->k0)) { - memset(ctx->k0, 0, ctx->blk_len); - free(ctx->k0); - free(ctx); - return result; - } - - } else - memcpy(ctx->k0, key, key_len); - - /* return pointer to HMAC context */ - - *c = ctx; - HMAC_RET(NTRU_CRYPTO_HMAC_OK); -} - - -/* ntru_crypto_hmac_destroy_ctx - * - * Destroys an HMAC context. - * - * Returns NTRU_CRYPTO_HMAC_OK if successful. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - */ - -uint32_t -ntru_crypto_hmac_destroy_ctx( - NTRU_CRYPTO_HMAC_CTX *c) /* in/out - pointer to HMAC context */ -{ - if (!c || !c->k0) - HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER); - - /* clear key and release memory */ - - memset(c->k0, 0, c->blk_len); - free(c->k0); - free(c); - - HMAC_RET(NTRU_CRYPTO_HMAC_OK); -} - - -/* ntru_crypto_hmac_get_md_len - * - * This routine gets the digest length of the HMAC. - * - * Returns NTRU_CRYPTO_HMAC_OK on success. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - */ - -uint32_t -ntru_crypto_hmac_get_md_len( - NTRU_CRYPTO_HMAC_CTX const *c, /* in - pointer to HMAC context */ - uint16_t *md_len) /* out - address for digest length */ -{ - /* check parameters */ - - if (!c || !md_len) - HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER); - - /* get digest length */ - - *md_len = c->md_len; - HMAC_RET(NTRU_CRYPTO_HMAC_OK); -} - - -/* ntru_crypto_hmac_set_key - * - * This routine sets a digest-length key into the HMAC context. - * - * Returns NTRU_CRYPTO_HMAC_OK on success. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - */ - -uint32_t -ntru_crypto_hmac_set_key( - NTRU_CRYPTO_HMAC_CTX *c, /* in - pointer to HMAC context */ - uint8_t const *key) /* in - pointer to new HMAC key */ -{ - /* check parameters */ - - if (!c || !key) - HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER); - - /* copy key */ - - memcpy(c->k0, key, c->md_len); - HMAC_RET(NTRU_CRYPTO_HMAC_OK); -} - - -/* ntru_crypto_hmac_init - * - * This routine performs standard initialization of the HMAC state. - * - * Returns NTRU_CRYPTO_HMAC_OK on success. - * Returns NTRU_CRYPTO_HASH_FAIL with corrupted context. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - */ - -uint32_t -ntru_crypto_hmac_init( - NTRU_CRYPTO_HMAC_CTX *c) /* in/out - pointer to HMAC context */ -{ - uint32_t result; - int i; - - /* check parameters */ - - if (!c) - HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER); - - /* init hash context and compute H(K0 ^ ipad) */ - - for (i = 0; i < c->blk_len; i++) - c->k0[i] ^= 0x36; /* K0 ^ ipad */ - if ((result = ntru_crypto_hash_init(&c->hash_ctx)) || - (result = ntru_crypto_hash_update(&c->hash_ctx, c->k0, c->blk_len))) - return result; - - HMAC_RET(NTRU_CRYPTO_HMAC_OK); -} - - -/* ntru_crypto_hmac_update - * - * This routine processes input data and updates the HMAC hash calculation. - * - * Returns NTRU_CRYPTO_HMAC_OK on success. - * Returns NTRU_CRYPTO_HASH_FAIL with corrupted context. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - * Returns NTRU_CRYPTO_HASH_OVERFLOW if more than bytes are hashed than the - * underlying hash algorithm can handle. - */ - -uint32_t -ntru_crypto_hmac_update( - NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */ - const uint8_t *data, /* in - pointer to input data */ - uint32_t data_len) /* in - no. of bytes of input data */ -{ - uint32_t result; - - /* check parameters */ - - if (!c || (data_len && !data)) - HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER); - - if (result = ntru_crypto_hash_update(&c->hash_ctx, data, data_len)) - return result; - - HMAC_RET(NTRU_CRYPTO_HMAC_OK); -} - - -/* ntru_crypto_hmac_final - * - * This routine completes the HMAC hash calculation and returns the - * message digest. - * - * Returns NTRU_CRYPTO_HMAC_OK on success. - * Returns NTRU_CRYPTO_HASH_FAIL with corrupted context. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - */ - -uint32_t -ntru_crypto_hmac_final( - NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */ - uint8_t *md) /* out - address for message digest */ -{ - uint32_t result = NTRU_CRYPTO_HMAC_OK; - int i; - - /* check parameters */ - - if (!c || !md) - HMAC_RET(NTRU_CRYPTO_HMAC_BAD_PARAMETER); - - /* form K0 ^ opad - * complete md = H((K0 ^ ipad) || data) - * compute md = H((K0 ^ opad) || md) - * re-form K0 - */ - - for (i = 0; i < c->blk_len; i++) - c->k0[i] ^= (0x36^0x5c); - if ((result = ntru_crypto_hash_final(&c->hash_ctx, md)) || - (result = ntru_crypto_hash_init(&c->hash_ctx)) || - (result = ntru_crypto_hash_update(&c->hash_ctx, c->k0, c->blk_len)) || - (result = ntru_crypto_hash_update(&c->hash_ctx, md, c->md_len)) || - (result = ntru_crypto_hash_final(&c->hash_ctx, md))) { - } - for (i = 0; i < c->blk_len; i++) - c->k0[i] ^= 0x5c; - return result; -} - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_hmac.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_hmac.h deleted file mode 100644 index 1ec426b4ac..0000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_hmac.h +++ /dev/null @@ -1,183 +0,0 @@ -/*/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_hmac.h is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_hmac.h - * - * Contents: Definitions and declarations for the HMAC implementation. - * - *****************************************************************************/ - -#ifndef NTRU_CRYPTO_HMAC_H -#define NTRU_CRYPTO_HMAC_H - - -#include "ntru_crypto_platform.h" -#include "ntru_crypto_hash.h" - - -/*************** - * error codes * - ***************/ - -#define NTRU_CRYPTO_HMAC_OK ((uint32_t)NTRU_CRYPTO_HASH_OK) -#define NTRU_CRYPTO_HMAC_BAD_PARAMETER ((uint32_t)NTRU_CRYPTO_HASH_BAD_PARAMETER) -#define NTRU_CRYPTO_HMAC_BAD_ALG ((uint32_t)NTRU_CRYPTO_HASH_BAD_ALG) -#define NTRU_CRYPTO_HMAC_OUT_OF_MEMORY ((uint32_t)NTRU_CRYPTO_HASH_OUT_OF_MEMORY) - -#define HMAC_RESULT(e) ((uint32_t)((e) ? HMAC_ERROR_BASE + (e) : (e))) -#define HMAC_RET(e) return HMAC_RESULT(e) - - -/************************* - * structure definitions * - *************************/ - -/* HMAC context structure */ - -struct _NTRU_CRYPTO_HMAC_CTX; /* opaque forward reference */ -typedef struct _NTRU_CRYPTO_HMAC_CTX NTRU_CRYPTO_HMAC_CTX; - - -/************************* - * function declarations * - *************************/ - -/* ntru_crypto_hmac_create_ctx - * - * This routine creates an HMAC context, setting the hash algorithm and - * the key to be used. - * - * Returns NTRU_CRYPTO_HASH_OK if successful. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - * Returns NTRU_CRYPTO_HASH_OUT_OF_MEMORY if memory cannot be allocated. - */ - -extern uint32_t -ntru_crypto_hmac_create_ctx( - NTRU_CRYPTO_HASH_ALGID algid, /* in - the hash algorithm to be used */ - uint8_t const *key, /* in - pointer to the HMAC key */ - uint32_t key_len, /* in - number of bytes in HMAC key */ - NTRU_CRYPTO_HMAC_CTX **c); /* out - address for pointer to HMAC - context */ - - -/* ntru_crypto_hmac_destroy_ctx - * - * Destroys an HMAC context. - * - * Returns NTRU_CRYPTO_HASH_OK if successful. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - */ - -extern uint32_t -ntru_crypto_hmac_destroy_ctx( - NTRU_CRYPTO_HMAC_CTX *c); /* in/out - pointer to HMAC context */ - - -/* ntru_crypto_hmac_get_md_len - * - * This routine gets the digest length of the HMAC. - * - * Returns NTRU_CRYPTO_HMAC_OK on success. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - */ - -extern uint32_t -ntru_crypto_hmac_get_md_len( - NTRU_CRYPTO_HMAC_CTX const *c, /* in - pointer to HMAC context */ - uint16_t *md_len); /* out - address for digest length */ - - -/* ntru_crypto_hmac_set_key - * - * This routine sets a digest-length key into the HMAC context. - * - * Returns NTRU_CRYPTO_HMAC_OK on success. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - */ - -extern uint32_t -ntru_crypto_hmac_set_key( - NTRU_CRYPTO_HMAC_CTX *c, /* in - pointer to HMAC context */ - uint8_t const *key); /* in - pointer to new HMAC key */ - - -/* ntru_crypto_hmac_init - * - * This routine performs standard initialization of the HMAC state. - * - * Returns NTRU_CRYPTO_HMAC_OK on success. - * Returns NTRU_CRYPTO_HMAC_FAIL with corrupted context. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - */ - -extern uint32_t -ntru_crypto_hmac_init( - NTRU_CRYPTO_HMAC_CTX *c); /* in/out - pointer to HMAC context */ - - -/* ntru_crypto_hmac_update - * - * This routine processes input data and updates the HMAC hash calculation. - * - * Returns NTRU_CRYPTO_HMAC_OK on success. - * Returns NTRU_CRYPTO_HMAC_FAIL with corrupted context. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - * Returns NTRU_CRYPTO_HMAC_OVERFLOW if more than bytes are hashed than the underlying - * hash algorithm can handle. - */ - -extern uint32_t -ntru_crypto_hmac_update( - NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */ - uint8_t const *data, /* in - pointer to input data */ - uint32_t data_len); /* in - no. of bytes of input data */ - - -/* ntru_crypto_hmac_final - * - * This routine completes the HMAC hash calculation and returns the - * message digest. - * - * Returns NTRU_CRYPTO_HMAC_OK on success. - * Returns NTRU_CRYPTO_HMAC_FAIL with corrupted context. - * Returns NTRU_CRYPTO_HMAC_BAD_PARAMETER if inappropriate NULL pointers are - * passed. - */ - -extern uint32_t -ntru_crypto_hmac_final( - NTRU_CRYPTO_HMAC_CTX *c, /* in/out - pointer to HMAC context */ - uint8_t *md); /* out - address for message digest */ - - -#endif /* NTRU_CRYPTO_HMAC_H */ diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c index 5f99446c60..6ece9900b2 100644 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c +++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c @@ -41,8 +41,6 @@ #include "ntru_crypto_ntru_convert.h" #include "ntru_crypto_ntru_poly.h" #include "ntru_crypto_ntru_mgf1.h" -#include "ntru_crypto_drbg.h" - /* ntru_crypto_ntru_encrypt * @@ -81,7 +79,7 @@ uint32_t ntru_crypto_ntru_encrypt( - DRBG_HANDLE drbg_handle, /* in - handle of DRBG */ + ntru_drbg_t *drbg, /* in - handle of DRBG */ uint16_t pubkey_blob_len, /* in - no. of octets in public key blob */ uint8_t const *pubkey_blob, /* in - pointer to public key */ @@ -200,9 +198,15 @@ ntru_crypto_ntru_encrypt( uint8_t *ptr = tmp_buf; /* get b */ - result = ntru_crypto_drbg_generate(drbg_handle, - params->sec_strength_len << 3, - params->sec_strength_len, b_buf); + if (drbg->generate(drbg, params->sec_strength_len << 3, + params->sec_strength_len, b_buf)) + { + result = NTRU_OK; + } + else + { + result = NTRU_FAIL; + } if (result == NTRU_OK) { @@ -767,7 +771,7 @@ ntru_crypto_ntru_decrypt( uint32_t ntru_crypto_ntru_encrypt_keygen( - DRBG_HANDLE drbg_handle, /* in - handle of DRBG */ + ntru_drbg_t *drbg, /* in - handle of DRBG */ NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */ uint16_t *pubkey_blob_len, /* in/out - no. of octets in pubkey_blob, addr @@ -881,9 +885,14 @@ ntru_crypto_ntru_encrypt_keygen( * as a list of indices */ - result = ntru_crypto_drbg_generate(drbg_handle, - params->sec_strength_len << 3, - seed_len, tmp_buf); + if (drbg->generate(drbg, params->sec_strength_len << 3, seed_len, tmp_buf)) + { + result = NTRU_OK; + } + else + { + result = NTRU_FAIL; + } if (result == NTRU_OK) { @@ -960,9 +969,11 @@ ntru_crypto_ntru_encrypt_keygen( /* get random bytes for seed for generating trinary g * as a list of indices */ - result = ntru_crypto_drbg_generate(drbg_handle, - params->sec_strength_len << 3, - seed_len, tmp_buf); + if (!drbg->generate(drbg, params->sec_strength_len << 3, seed_len, + tmp_buf)) + { + result = NTRU_FAIL; + } } if (result == NTRU_OK) { diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.c b/src/libstrongswan/plugins/ntru/ntru_drbg.c new file mode 100644 index 0000000000..f9feb98ff9 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_drbg.c @@ -0,0 +1,277 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ntru_drbg.h" + +#include + +#define MAX_STRENGTH_BITS 256 +#define MAX_DRBG_REQUESTS 0xffffffff + +typedef struct private_ntru_drbg_t private_ntru_drbg_t; + +/** + * Private data of an ntru_drbg_t object. + */ +struct private_ntru_drbg_t { + /** + * Public ntru_drbg_t interface. + */ + ntru_drbg_t public; + + /** + * Security strength in bits of the DRBG + */ + u_int32_t strength; + + /** + * Number of requests for pseudorandom bits + */ + u_int32_t reseed_counter; + + /** + * Maximum number of requests for pseudorandom bits + */ + u_int32_t max_requests; + + /** + * True entropy source + */ + rng_t *entropy; + + /** + * HMAC-SHA256 + */ + signer_t *hmac; + + /** + * Internal state of HMAC-SHA256: key + */ + chunk_t key; + + /** + * Internal state of HMAC-SHA256: value + */ + chunk_t value; + +}; + +/** + * Update the internal state of the HMAC_DRBG + */ +static bool update(private_ntru_drbg_t *this, chunk_t data) +{ + chunk_t ch_00 = chunk_from_chars(0x00); + chunk_t ch_01 = chunk_from_chars(0x01); + + if (!this->hmac->set_key(this->hmac, this->key) || + !this->hmac->get_signature(this->hmac, this->value, NULL) || + !this->hmac->get_signature(this->hmac, ch_00, NULL) || + !this->hmac->get_signature(this->hmac, data, this->key.ptr) || + !this->hmac->set_key(this->hmac, this->key) || + !this->hmac->get_signature(this->hmac, this->value, + this->value.ptr)) + { + return FALSE; + } + + if (data.len > 0) + { + if (!this->hmac->set_key(this->hmac, this->key) || + !this->hmac->get_signature(this->hmac, this->value, NULL) || + !this->hmac->get_signature(this->hmac, ch_01, NULL) || + !this->hmac->get_signature(this->hmac, data, this->key.ptr) || + !this->hmac->set_key(this->hmac, this->key) || + !this->hmac->get_signature(this->hmac, this->value, + this->value.ptr)) + { + return FALSE; + } + } + DBG4(DBG_LIB, "HMAC_DRBG V: %B", &this->value); + DBG4(DBG_LIB, "HMAC_DRBG K: %B", &this->key); + + return TRUE; +} + +METHOD(ntru_drbg_t, get_strength, u_int32_t, + private_ntru_drbg_t *this) +{ + return this->strength; +} + +METHOD(ntru_drbg_t, reseed, bool, + private_ntru_drbg_t *this) +{ + chunk_t seed; + + seed = chunk_alloc(this->strength / BITS_PER_BYTE); + DBG2(DBG_LIB, "DBRG requesting %u bytes of entropy", seed.len); + + if (!this->entropy->get_bytes(this->entropy, seed.len, seed.ptr)) + { + chunk_free(&seed); + return FALSE; + } + if (!update(this, seed)) + { + chunk_free(&seed); + return FALSE; + } + chunk_clear(&seed); + this->reseed_counter = 1; + + return TRUE; +} + +METHOD(ntru_drbg_t, generate, bool, + private_ntru_drbg_t *this, u_int32_t strength, u_int32_t len, u_int8_t *out) +{ + size_t delta; + chunk_t output; + + DBG2(DBG_LIB, "DRBG generates %u pseudorandom bytes", len); + if (!out || len == 0) + { + return FALSE; + } + output = chunk_create(out, len); + + if (this->reseed_counter >= this->max_requests) + { + if (!reseed(this)) + { + return FALSE; + } + } + while (len) + { + if (!this->hmac->get_signature(this->hmac, this->value, + this->value.ptr)) + { + return FALSE; + } + delta = min(len, this->value.len); + memcpy(out, this->value.ptr, delta); + len -= delta; + out += delta; + } + DBG4(DBG_LIB, "HMAC_DRBG Out: %B", &output); + + if (!update(this, chunk_empty)) + { + return FALSE; + } + this->reseed_counter++; + + return TRUE; +} + +METHOD(ntru_drbg_t, destroy, void, + private_ntru_drbg_t *this) +{ + this->hmac->destroy(this->hmac); + chunk_clear(&this->key); + chunk_clear(&this->value); + free(this); +} + +/* + * Described in header. + */ +ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str, + rng_t *entropy) +{ + private_ntru_drbg_t *this; + chunk_t seed; + signer_t *hmac; + size_t entropy_len; + u_int32_t max_requests; + + if (strength > MAX_STRENGTH_BITS) + { + return NULL; + } + if (strength <= 112) + { + strength = 112; + } + else if (strength <= 128) + { + strength = 128; + } + else if (strength <= 192) + { + strength = 192; + } + else + { + strength = 256; + } + + hmac = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA2_256_256); + if (!hmac) + { + DBG1(DBG_LIB, "could not instantiate HMAC-SHA256"); + return NULL; + } + + max_requests = lib->settings->get_int(lib->settings, + "libstrongswan.plugins.ntru.max_drbg_requests", + MAX_DRBG_REQUESTS); + + INIT(this, + .public = { + .get_strength = _get_strength, + .reseed = _reseed, + .generate = _generate, + .destroy = _destroy, + }, + .strength = strength, + .entropy = entropy, + .hmac = hmac, + .key = chunk_alloc(hmac->get_key_size(hmac)), + .value = chunk_alloc(hmac->get_block_size(hmac)), + .max_requests = max_requests, + .reseed_counter = 1, + ); + + memset(this->key.ptr, 0x00, this->key.len); + memset(this->value.ptr, 0x01, this->value.len); + + entropy_len = (strength + strength/2) / BITS_PER_BYTE; + seed = chunk_alloc(entropy_len + pers_str.len); + DBG2(DBG_LIB, "DBRG requesting %u bytes of entropy", entropy_len); + + if (!this->entropy->get_bytes(this->entropy, entropy_len, seed.ptr)) + { + chunk_free(&seed); + destroy(this); + return NULL; + } + memcpy(seed.ptr + entropy_len, pers_str.ptr, pers_str.len); + DBG4(DBG_LIB, "seed: %B", &seed); + + if (!update(this, seed)) + { + chunk_free(&seed); + destroy(this); + return NULL; + } + chunk_clear(&seed); + + return &this->public; +} + diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.h b/src/libstrongswan/plugins/ntru/ntru_drbg.h new file mode 100644 index 0000000000..38ac718aea --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_drbg.h @@ -0,0 +1,77 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ntru_drbg ntru_drbg + * @{ @ingroup ntru_p + */ + +#ifndef NTRU_DRBG_H_ +#define NTRU_DRBG_H_ + +typedef struct ntru_drbg_t ntru_drbg_t; + +#include + +/** + * Implements a HMAC Deterministic Random Bit Generator (HMAC_DRBG) + * compliant with NIST SP 800-90A + */ +struct ntru_drbg_t { + + /** + * Reseed the instantiated DRBG + * + * @return configured security strength in bits + */ + u_int32_t (*get_strength)(ntru_drbg_t *this); + + /** + * Reseed the instantiated DRBG + * + * @return TRUE if successful + */ + bool (*reseed)(ntru_drbg_t *this); + + /** + * Generate pseudorandom bytes. + * If the maximum number of requests has been reached, reseeding occurs + * + * @param strength requested security strength in bits + * @param len number of octets to generate + * @param out address of output buffer + * @return TRUE if successful + */ + bool (*generate)(ntru_drbg_t *this, u_int32_t strength, u_int32_t len, + u_int8_t *out); + + /** + * Uninstantiate and destroy the DRBG object + */ + void (*destroy)(ntru_drbg_t *this); +}; + +/** + * Create and instantiate a new DRBG objet. + * + * @param strength security strength in bits + * @param pers_str personalization string + * @param entropy entropy source to use + */ +ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str, + rng_t *entropy); + +#endif /** NTRU_DRBG_H_ @}*/ + diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c index 633245a587..a23991b276 100644 --- a/src/libstrongswan/plugins/ntru/ntru_ke.c +++ b/src/libstrongswan/plugins/ntru/ntru_ke.c @@ -14,7 +14,7 @@ */ #include "ntru_ke.h" -#include "ntru_plugin.h" +#include "ntru_drbg.h" #include "ntru_crypto/ntru_crypto.h" @@ -119,10 +119,15 @@ struct private_ntru_ke_t { */ bool computed; + /** + * True Random Generator + */ + rng_t *entropy; + /** * Deterministic Random Bit Generator */ - DRBG_HANDLE drbg; + ntru_drbg_t *drbg; }; METHOD(diffie_hellman_t, get_my_public_value, void, @@ -246,8 +251,8 @@ METHOD(diffie_hellman_t, set_other_public_value, void, this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE); /* generate the random shared secret */ - if (ntru_crypto_drbg_generate(this->drbg, this->strength, - this->shared_secret.len, this->shared_secret.ptr) != DRBG_OK) + if (!this->drbg->generate(this->drbg, this->strength, + this->shared_secret.len, this->shared_secret.ptr)) { DBG1(DBG_LIB, "generation of shared secret failed"); chunk_free(&this->shared_secret); @@ -289,10 +294,8 @@ METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, METHOD(diffie_hellman_t, destroy, void, private_ntru_ke_t *this) { - if (ntru_crypto_drbg_uninstantiate(this->drbg) != DRBG_OK) - { - DBG1(DBG_LIB, "error uninstantiating DRBG"); - } + this->drbg->destroy(this->drbg); + this->entropy->destroy(this->entropy); chunk_free(&this->pub_key); chunk_free(&this->ciphertext); chunk_clear(&this->priv_key); @@ -306,9 +309,9 @@ METHOD(diffie_hellman_t, destroy, void, ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) { private_ntru_ke_t *this; - char personalization_str[] = "strongSwan NTRU-KE"; param_set_t *param_sets, *param_set; - DRBG_HANDLE drbg; + rng_t *entropy; + ntru_drbg_t *drbg; char *parameter_set; u_int32_t strength; @@ -356,11 +359,18 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) DBG1(DBG_LIB, "%u bit %s NTRU parameter set %s selected", strength, parameter_set, param_set->name); - if (ntru_crypto_drbg_instantiate(strength, - personalization_str, strlen(personalization_str), - (ENTROPY_FN) &ntru_plugin_get_entropy, &drbg) != DRBG_OK) + entropy = lib->crypto->create_rng(lib->crypto, RNG_TRUE); + if (!entropy) + { + DBG1(DBG_LIB, "could not attach entropy source for DRBG"); + return NULL; + } + + drbg = ntru_drbg_create(strength, chunk_from_str("IKE NTRU-KE"), entropy); + if (!drbg) { - DBG1(DBG_LIB, "error instantiating DRBG at %u bit security", strength); + DBG1(DBG_LIB, "could not instantiate DRBG at %u bit security", strength); + entropy->destroy(entropy); return NULL; } @@ -377,6 +387,7 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) .group = group, .param_set = param_set, .strength = strength, + .entropy = entropy, .drbg = drbg, ); diff --git a/src/libstrongswan/plugins/ntru/ntru_plugin.c b/src/libstrongswan/plugins/ntru/ntru_plugin.c index 2f066ce762..5b720dd485 100644 --- a/src/libstrongswan/plugins/ntru/ntru_plugin.c +++ b/src/libstrongswan/plugins/ntru/ntru_plugin.c @@ -17,64 +17,9 @@ #include "ntru_ke.h" #include -#include typedef struct private_ntru_plugin_t private_ntru_plugin_t; -rng_t *rng; - -bool ntru_plugin_get_entropy(ENTROPY_CMD cmd, uint8_t *out) -{ - switch (cmd) - { - case INIT: - return TRUE; - case GET_NUM_BYTES_PER_BYTE_OF_ENTROPY: - /* Here we return the number of bytes needed from the entropy - * source to obtain 8 bits of entropy. Maximum is 8. - */ - if (!out) - { - return FALSE; - } - *out = 1; /* this is a perfectly random source */ - return TRUE; - case GET_BYTE_OF_ENTROPY: - if (!out) - { - return FALSE; - } - if (!rng || !rng->get_bytes(rng, 1, out)) - { - return FALSE; - } - return TRUE; - default: - return FALSE; - } -} - -/** - * Create/Destroy True Random Generator - */ -static bool create_random(private_ntru_plugin_t *this, - plugin_feature_t *feature, bool reg, void *data) -{ - if (reg) - { - rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE); - if (!rng) - { - return FALSE; - } - } - else - { - rng->destroy(rng); - } - return TRUE; -} - /** * private data of ntru_plugin */ @@ -95,27 +40,18 @@ METHOD(plugin_t, get_name, char*, METHOD(plugin_t, get_features, int, private_ntru_plugin_t *this, plugin_feature_t *features[]) { - int count = 0; - - static plugin_feature_t f_ke[] = { + static plugin_feature_t f[] = { PLUGIN_REGISTER(DH, ntru_ke_create), PLUGIN_PROVIDE(DH, NTRU_112_BIT), PLUGIN_PROVIDE(DH, NTRU_128_BIT), PLUGIN_PROVIDE(DH, NTRU_192_BIT), PLUGIN_PROVIDE(DH, NTRU_256_BIT), + PLUGIN_DEPENDS(RNG, RNG_TRUE), + PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_SHA2_256_256), }; - static plugin_feature_t f_rng[] = { - PLUGIN_CALLBACK((plugin_feature_callback_t)create_random, NULL), - PLUGIN_PROVIDE(CUSTOM, "ntru-rng"), - PLUGIN_DEPENDS(RNG, RNG_TRUE), - }; - static plugin_feature_t f[countof(f_ke) + countof(f_rng)] = {}; - - plugin_features_add(f, f_ke, countof(f_ke), &count); - plugin_features_add(f, f_rng, countof(f_rng), &count); - *features = f; - return count; + + return countof(f); } METHOD(plugin_t, destroy, void, @@ -141,6 +77,5 @@ plugin_t *ntru_plugin_create() }, ); - return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/ntru/ntru_plugin.h b/src/libstrongswan/plugins/ntru/ntru_plugin.h index 0fa7012131..187b834452 100644 --- a/src/libstrongswan/plugins/ntru/ntru_plugin.h +++ b/src/libstrongswan/plugins/ntru/ntru_plugin.h @@ -26,8 +26,6 @@ #include -#include "ntru_crypto/ntru_crypto_drbg.h" - typedef struct ntru_plugin_t ntru_plugin_t; /** @@ -41,13 +39,4 @@ struct ntru_plugin_t { plugin_t plugin; }; -/** - * Return true random bytes - * - * @param cmd command to be executed - * @param out output variable - * @result return code - */ -bool ntru_plugin_get_entropy(ENTROPY_CMD cmd, uint8_t *out); - #endif /** NTRU_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/ntru/ntru_test_rng.c b/src/libstrongswan/plugins/ntru/ntru_test_rng.c new file mode 100644 index 0000000000..82eae1558c --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_test_rng.c @@ -0,0 +1,89 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ntru_test_rng.h" + +typedef struct private_ntru_test_rng_t private_ntru_test_rng_t; + +/** + * Private data of an ntru_test_rng_t object. + */ +struct private_ntru_test_rng_t { + + /** + * Public ntru_test_rng_t interface. + */ + ntru_test_rng_t public; + + /** + * entropy string + */ + chunk_t entropy; +}; + +METHOD(rng_t, get_bytes, bool, + private_ntru_test_rng_t *this, size_t bytes, u_int8_t *buffer) +{ + if (bytes > this->entropy.len) + { + return FALSE; + } + memcpy(buffer, this->entropy.ptr, bytes); + this->entropy = chunk_skip(this->entropy, bytes); + return TRUE; +} + +METHOD(rng_t, allocate_bytes, bool, + private_ntru_test_rng_t *this, size_t bytes, chunk_t *chunk) +{ + if (bytes > this->entropy.len) + { + *chunk = chunk_empty; + return FALSE; + } + + *chunk = chunk_alloc(bytes); + memcpy(chunk->ptr, this->entropy.ptr, bytes); + this->entropy = chunk_skip(this->entropy, bytes); + return TRUE; +} + +METHOD(rng_t, destroy, void, + private_ntru_test_rng_t *this) +{ + free(this); +} + +/* + * Described in header. + */ +rng_t *ntru_test_rng_create(chunk_t entropy) +{ + private_ntru_test_rng_t *this; + + INIT(this, + .public = { + .rng = { + .get_bytes = _get_bytes, + .allocate_bytes = _allocate_bytes, + .destroy = _destroy, + }, + }, + .entropy = entropy, + ); + + return &this->public.rng; +} + diff --git a/src/libstrongswan/plugins/ntru/ntru_test_rng.h b/src/libstrongswan/plugins/ntru/ntru_test_rng.h new file mode 100644 index 0000000000..75962a7e69 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_test_rng.h @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ntru_test_rng ntru_test_rng + * @{ @ingroup ntru_p + */ + +#ifndef NTRU_TEST_RNG_H_ +#define NTRU_TEST_RNG_H_ + +typedef struct ntru_test_rng_t ntru_test_rng_t; + +#include + +/** + * rng_t providing NIST SP 800-90A entropy test vectors + */ +struct ntru_test_rng_t { + + /** + * Implements rng_t. + */ + rng_t rng; +}; + +/** + * Creates an ntru_test_rng_t instance. + * + * @param entropy entropy test vector + * @return created ntru_test_rng_t + */ +rng_t *ntru_test_rng_create(chunk_t entropy); + +#endif /** NTRU_TEST_RNG_H_ @} */ diff --git a/src/libstrongswan/tests/suites/test_ntru.c b/src/libstrongswan/tests/suites/test_ntru.c index 59851eee58..6d1869f9f0 100644 --- a/src/libstrongswan/tests/suites/test_ntru.c +++ b/src/libstrongswan/tests/suites/test_ntru.c @@ -15,7 +15,8 @@ #include "test_suite.h" -#include +#include +#include /** * NTRU parameter sets to test @@ -37,11 +38,145 @@ char *parameter_sets[] = { "x9_98_speed", "x9_98_bandwidth", "x9_98_balance", "optimum" }; -START_TEST(test_ntru_entropy) +typedef struct { + u_int32_t requested; + u_int32_t standard; +}strength_t; + +strength_t strengths[] = { + { 80, 112 }, + { 112, 112 }, + { 120, 128 }, + { 128, 128 }, + { 150, 192 }, + { 192, 192 }, + { 200, 256 }, + { 256, 256 }, + { 512, 0 } +}; + +START_TEST(test_ntru_drbg_strength) { - ck_assert(!ntru_plugin_get_entropy(GET_NUM_BYTES_PER_BYTE_OF_ENTROPY, NULL)); - ck_assert(!ntru_plugin_get_entropy(GET_BYTE_OF_ENTROPY, NULL)); - ck_assert(!ntru_plugin_get_entropy(10, NULL)); + ntru_drbg_t *drbg; + rng_t *entropy; + + entropy = lib->crypto->create_rng(lib->crypto, RNG_STRONG); + ck_assert(entropy != NULL); + + drbg = ntru_drbg_create(strengths[_i].requested, chunk_empty, entropy); + if (strengths[_i].standard) + { + ck_assert(drbg != NULL); + ck_assert(drbg->get_strength(drbg) == strengths[_i].standard); + drbg->destroy(drbg); + } + else + { + ck_assert(drbg == NULL); + } + entropy->destroy(entropy); +} +END_TEST + +START_TEST(test_ntru_dbrg) +{ + typedef struct { + chunk_t pers_str; + chunk_t entropy; + chunk_t out; + } dbrg_test_t; + + dbrg_test_t dbrg_tests[] = { + { chunk_empty, + chunk_from_chars(0x06, 0x03, 0x2c, 0xd5, 0xee, 0xd3, 0x3f, 0x39, + 0x26, 0x5f, 0x49, 0xec, 0xb1, 0x42, 0xc5, 0x11, + 0xda, 0x9a, 0xff, 0x2a, 0xf7, 0x12, 0x03, 0xbf, + 0xfa, 0xf3, 0x4a, 0x9c, 0xa5, 0xbd, 0x9c, 0x0d, + 0x0e, 0x66, 0xf7, 0x1e, 0xdc, 0x43, 0xe4, 0x2a, + 0x45, 0xad, 0x3c, 0x6f, 0xc6, 0xcd, 0xc4, 0xdf, + 0x01, 0x92, 0x0a, 0x4e, 0x66, 0x9e, 0xd3, 0xa8, + 0x5a, 0xe8, 0xa3, 0x3b, 0x35, 0xa7, 0x4a, 0xd7, + 0xfb, 0x2a, 0x6b, 0xb4, 0xcf, 0x39, 0x5c, 0xe0, + 0x03, 0x34, 0xa9, 0xc9, 0xa5, 0xa5, 0xd5, 0x52), + chunk_from_chars(0x76, 0xfc, 0x79, 0xfe, 0x9b, 0x50, 0xbe, 0xcc, + 0xc9, 0x91, 0xa1, 0x1b, 0x56, 0x35, 0x78, 0x3a, + 0x83, 0x53, 0x6a, 0xdd, 0x03, 0xc1, 0x57, 0xfb, + 0x30, 0x64, 0x5e, 0x61, 0x1c, 0x28, 0x98, 0xbb, + 0x2b, 0x1b, 0xc2, 0x15, 0x00, 0x02, 0x09, 0x20, + 0x8c, 0xd5, 0x06, 0xcb, 0x28, 0xda, 0x2a, 0x51, + 0xbd, 0xb0, 0x38, 0x26, 0xaa, 0xf2, 0xbd, 0x23, + 0x35, 0xd5, 0x76, 0xd5, 0x19, 0x16, 0x08, 0x42, + 0xe7, 0x15, 0x8a, 0xd0, 0x94, 0x9d, 0x1a, 0x9e, + 0xc3, 0xe6, 0x6e, 0xa1, 0xb1, 0xa0, 0x64, 0xb0, + 0x05, 0xde, 0x91, 0x4e, 0xac, 0x2e, 0x9d, 0x4f, + 0x2d, 0x72, 0xa8, 0x61, 0x6a, 0x80, 0x22, 0x54, + 0x22, 0x91, 0x82, 0x50, 0xff, 0x66, 0xa4, 0x1b, + 0xd2, 0xf8, 0x64, 0xa6, 0xa3, 0x8c, 0xc5, 0xb6, + 0x49, 0x9d, 0xc4, 0x3f, 0x7f, 0x2b, 0xd0, 0x9e, + 0x1e, 0x0f, 0x8f, 0x58, 0x85, 0x93, 0x51, 0x24) + }, + { chunk_from_chars(0xf2, 0xe5, 0x8f, 0xe6, 0x0a, 0x3a, 0xfc, 0x59, + 0xda, 0xd3, 0x75, 0x95, 0x41, 0x5f, 0xfd, 0x31, + 0x8c, 0xcf, 0x69, 0xd6, 0x77, 0x80, 0xf6, 0xfa, + 0x07, 0x97, 0xdc, 0x9a, 0xa4, 0x3e, 0x14, 0x4c), + chunk_from_chars(0xfa, 0x0e, 0xe1, 0xfe, 0x39, 0xc7, 0xc3, 0x90, + 0xaa, 0x94, 0x15, 0x9d, 0x0d, 0xe9, 0x75, 0x64, + 0x34, 0x2b, 0x59, 0x17, 0x77, 0xf3, 0xe5, 0xf6, + 0xa4, 0xba, 0x2a, 0xea, 0x34, 0x2e, 0xc8, 0x40, + 0xdd, 0x08, 0x20, 0x65, 0x5c, 0xb2, 0xff, 0xdb, + 0x0d, 0xa9, 0xe9, 0x31, 0x0a, 0x67, 0xc9, 0xe5, + 0xe0, 0x62, 0x9b, 0x6d, 0x79, 0x75, 0xdd, 0xfa, + 0x96, 0xa3, 0x99, 0x64, 0x87, 0x40, 0xe6, 0x0f, + 0x1f, 0x95, 0x57, 0xdc, 0x58, 0xb3, 0xd7, 0x41, + 0x5f, 0x9b, 0xa9, 0xd4, 0xdb, 0xb5, 0x01, 0xf6), + chunk_from_chars(0xf9, 0x2d, 0x4c, 0xf9, 0x9a, 0x53, 0x5b, 0x20, + 0x22, 0x2a, 0x52, 0xa6, 0x8d, 0xb0, 0x4c, 0x5a, + 0xf6, 0xf5, 0xff, 0xc7, 0xb6, 0x6a, 0x47, 0x3a, + 0x37, 0xa2, 0x56, 0xbd, 0x8d, 0x29, 0x8f, 0x9b, + 0x4a, 0xa4, 0xaf, 0x7e, 0x8d, 0x18, 0x1e, 0x02, + 0x36, 0x79, 0x03, 0xf9, 0x3b, 0xdb, 0x74, 0x4c, + 0x6c, 0x2f, 0x3f, 0x34, 0x72, 0x62, 0x6b, 0x40, + 0xce, 0x9b, 0xd6, 0xa7, 0x0e, 0x7b, 0x8f, 0x93, + 0x99, 0x2a, 0x16, 0xa7, 0x6f, 0xab, 0x6b, 0x5f, + 0x16, 0x25, 0x68, 0xe0, 0x8e, 0xe6, 0xc3, 0xe8, + 0x04, 0xae, 0xfd, 0x95, 0x2d, 0xdd, 0x3a, 0xcb, + 0x79, 0x1c, 0x50, 0xf2, 0xad, 0x69, 0xe9, 0xa0, + 0x40, 0x28, 0xa0, 0x6a, 0x9c, 0x01, 0xd3, 0xa6, + 0x2a, 0xca, 0x2a, 0xaf, 0x6e, 0xfe, 0x69, 0xed, + 0x97, 0xa0, 0x16, 0x21, 0x3a, 0x2d, 0xd6, 0x42, + 0xb4, 0x88, 0x67, 0x64, 0x07, 0x2d, 0x9c, 0xbe) + } + }; + + ntru_drbg_t *drbg; + rng_t *entropy; + chunk_t in, out; + int i; + + /* test ntru_test_rng */ + in = chunk_from_chars(0x01, 0x02, 0x04, 0x04); + entropy = ntru_test_rng_create(in); + ck_assert(entropy->allocate_bytes(entropy, 4, &out)); + ck_assert(chunk_equals(in, out)); + chunk_free(&out); + ck_assert(!entropy->allocate_bytes(entropy, 4, &out)); + entropy->destroy(entropy); + + /* test DRBG with ntru_test_rng providing NIST test vectors */ + out = chunk_alloc(128); + for (i = 0; i < countof(dbrg_tests); i++) + { + entropy = ntru_test_rng_create(dbrg_tests[i].entropy); + drbg = ntru_drbg_create(256, dbrg_tests[i].pers_str, entropy); + ck_assert(drbg != NULL); + ck_assert(drbg->reseed(drbg)); + ck_assert(drbg->generate(drbg, 256, 128, out.ptr)); + ck_assert(drbg->generate(drbg, 256, 128, out.ptr)); + ck_assert(chunk_equals(out, dbrg_tests[i].out)); + drbg->destroy(drbg); + entropy->destroy(entropy); + } + chunk_free(&out); } END_TEST @@ -239,8 +374,12 @@ Suite *ntru_suite_create() s = suite_create("ntru"); - tc = tcase_create("entropy"); - tcase_add_test(tc, test_ntru_entropy); + tc = tcase_create("dbrg_strength"); + tcase_add_loop_test(tc, test_ntru_drbg_strength, 0, countof(strengths)); + suite_add_tcase(s, tc); + + tc = tcase_create("dbrg"); + tcase_add_test(tc, test_ntru_dbrg); suite_add_tcase(s, tc); tc = tcase_create("ke"); diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h index c007445541..99057be065 100644 --- a/src/libstrongswan/tests/tests.h +++ b/src/libstrongswan/tests/tests.h @@ -34,5 +34,5 @@ TEST_SUITE(host_suite_create) TEST_SUITE(printf_suite_create) TEST_SUITE(pen_suite_create) TEST_SUITE(asn1_suite_create) -TEST_SUITE_DEPEND(ntru_suite_create, CUSTOM, "ntru-rng") +TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)