From 861d1c5510094c1098b5a9f2dd4f4180d091d3d8 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Sun, 23 Jun 2019 06:32:32 +0000 Subject: [PATCH] Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256. Benefits: - larger seeds -- a 128-bit key alone is not enough for `128-bit security' - better resistance to timing side channels than AES - a better-understood security story (https://eprint.iacr.org/2018/349) - no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world - no skanky endianness tricks - self-tests Drawbacks: - performance hit: throughput is reduced to about 1/3 in naive measurements => possible to mitigate by using hardware SHA-256 instructions => all you really need is 32 bytes to seed a userland PRNG anyway => if we just used ChaCha this would go away... --- sys/conf/files | 4 +- sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg | 3 - .../nist_ctr_drbg/nist_ctr_aes_rijndael.h | 82 -- sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c | 664 ---------- sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h | 106 -- .../nist_ctr_drbg/nist_ctr_drbg_aes128.h | 80 -- .../nist_ctr_drbg/nist_ctr_drbg_aes256.h | 80 -- .../nist_ctr_drbg/nist_ctr_drbg_config.h | 72 -- .../nist_hash_drbg/files.nist_hash_drbg | 3 + sys/crypto/nist_hash_drbg/nist_hash_drbg.c | 1118 +++++++++++++++++ sys/crypto/nist_hash_drbg/nist_hash_drbg.h | 82 ++ sys/dev/rndpseudo.c | 5 +- sys/kern/subr_cprng.c | 75 +- sys/rump/kern/lib/libcrypto/Makefile | 3 +- sys/rump/librump/rumpkern/Makefile.rumpkern | 8 +- sys/sys/cprng.h | 4 +- 16 files changed, 1253 insertions(+), 1136 deletions(-) delete mode 100644 sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg delete mode 100644 sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h delete mode 100644 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c delete mode 100644 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h delete mode 100644 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h delete mode 100644 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h delete mode 100644 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h create mode 100644 sys/crypto/nist_hash_drbg/files.nist_hash_drbg create mode 100644 sys/crypto/nist_hash_drbg/nist_hash_drbg.c create mode 100644 sys/crypto/nist_hash_drbg/nist_hash_drbg.h diff --git a/sys/conf/files b/sys/conf/files index 10b6e9a1e741..20fedb814fb6 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -196,8 +196,8 @@ include "crypto/camellia/files.camellia" # General-purpose crypto processing framework. include "opencrypto/files.opencrypto" -# NIST SP800.90 CTR DRBG -include "crypto/nist_ctr_drbg/files.nist_ctr_drbg" +# NIST SP800-90A Hash_DRBG +include "crypto/nist_hash_drbg/files.nist_hash_drbg" # ChaCha-based fast PRNG include "crypto/cprng_fast/files.cprng_fast" diff --git a/sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg b/sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg deleted file mode 100644 index 54bc9c995f55..000000000000 --- a/sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg +++ /dev/null @@ -1,3 +0,0 @@ -# $NetBSD: files.nist_ctr_drbg,v 1.1 2011/11/19 22:51:22 tls Exp $ - -file crypto/nist_ctr_drbg/nist_ctr_drbg.c diff --git a/sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h b/sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h deleted file mode 100644 index 5ae922ae1286..000000000000 --- a/sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h +++ /dev/null @@ -1,82 +0,0 @@ -/* $NetBSD: nist_ctr_aes_rijndael.h,v 1.2 2018/04/19 21:50:08 christos Exp $ */ - -/*- - * Copyright (c) 2011 The NetBSD Foundation, Inc. - * All rights reserved. - * - * This code is derived from software contributed to The NetBSD Foundation - * by Thor Lancelot Simon. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS - * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Copyright (c) 2007 Henric Jungheim - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * Interface adapter for Rijndael implmentation (for use by NIST SP 800-90 CTR_DRBG) - */ - -#ifndef NIST_AES_RIJNDAEL_H -#define NIST_AES_RIJNDAEL_H - -#include - -#define NIST_AES_MAXKEYBITS 256 -#define NIST_AES_MAXKEYBYTES (NIST_AES_MAXKEYBITS / 8) -#define NIST_AES_MAXKEYINTS (NIST_AES_MAXKEYBYTES / sizeof(int)) - -#define NIST_AES_BLOCKSIZEBITS 128 -#define NIST_AES_BLOCKSIZEBYTES (NIST_AES_BLOCKSIZEBITS / 8) -#define NIST_AES_BLOCKSIZEINTS (NIST_AES_BLOCKSIZEBYTES / sizeof(int)) - -typedef rijndael_ctx NIST_AES_ENCRYPT_CTX; - -static __inline void -NIST_AES_ECB_Encrypt(const NIST_AES_ENCRYPT_CTX *ctx, - const void *src, void* dst) -{ - rijndael_encrypt(ctx, src, dst); -} - -static __inline int -NIST_AES_Schedule_Encryption(NIST_AES_ENCRYPT_CTX *ctx, - const void *key, int bits) -{ - rijndael_set_key(ctx, key, bits); - return 0; -} - -#endif /* NIST_AES_RIJNDAEL_H */ diff --git a/sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c b/sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c deleted file mode 100644 index 9a6369756587..000000000000 --- a/sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c +++ /dev/null @@ -1,664 +0,0 @@ -/* $NetBSD: nist_ctr_drbg.c,v 1.1 2011/11/19 22:51:22 tls Exp $ */ - -/*- - * Copyright (c) 2011 The NetBSD Foundation, Inc. - * All rights reserved. - * - * This code is derived from software contributed to The NetBSD Foundation - * by Thor Lancelot Simon. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS - * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Copyright (c) 2007 Henric Jungheim - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * NIST SP 800-90 CTR_DRBG (Random Number Generator) - */ -#include -#include - -#include - -#include -__KERNEL_RCSID(0, "$NetBSD: nist_ctr_drbg.c,v 1.1 2011/11/19 22:51:22 tls Exp $"); - -/* - * NIST SP 800-90 March 2007 - * 10.4.2 Derivation Function Using a Block Cipher Algorithm - * Global Constants - */ -static NIST_Key nist_cipher_df_ctx; -static unsigned char nist_cipher_df_encrypted_iv[NIST_BLOCK_SEEDLEN / NIST_BLOCK_OUTLEN][NIST_BLOCK_OUTLEN_BYTES]; - -/* - * NIST SP 800-90 March 2007 - * 10.2.1.3.2 The Process Steps for Instantiation When a Derivation - * Function is Used - * Global Constants - */ -static NIST_Key nist_cipher_zero_ctx; - -/* - * NIST SP 800-90 March 2007 - * 10.2.1.5.2 The Process Steps for Generating Pseudorandom Bits When a - * Derivation Function is Used for the DRBG Implementation - * Global Constants - */ -static const unsigned int - nist_ctr_drgb_generate_null_input[NIST_BLOCK_SEEDLEN_INTS] = { 0 }; - -/* - * Utility - */ -/* - * nist_increment_block - * Increment the output block as a big-endian number. - */ -static inline void -nist_increment_block(unsigned long *V) -{ - int i; - unsigned long x; - - for (i = NIST_BLOCK_OUTLEN_LONGS - 1; i >= 0; --i) { - x = NIST_NTOHL(V[i]) + 1; - V[i] = NIST_HTONL(x); - if (x) /* There was only a carry if we are zero */ - return; - } -} - -/* - * NIST SP 800-90 March 2007 - * 10.4.3 BCC Function - */ -static void -nist_ctr_drbg_bcc_update(const NIST_Key *ctx, const unsigned int *data, - int n, unsigned int *chaining_value) -{ - int i, j; - unsigned int input_block[NIST_BLOCK_OUTLEN_INTS]; - - /* [4] for i = 1 to n */ - for (i = 0; i < n; ++i) { - - /* [4.1] input_block = chaining_value XOR block_i */ - for (j = 0; j < NIST_BLOCK_OUTLEN_INTS; ++j) - input_block[j] = chaining_value[j] ^ *data++; - - /* [4.2] chaining_value = Block_Encrypt(Key, input_block) */ - Block_Encrypt(ctx, &input_block[0], &chaining_value[0]); - } - - /* [5] output_block = chaining_value */ - /* chaining_value already is output_block, so no copy is required */ -} - -static void -nist_ctr_drbg_bcc(NIST_Key *ctx, const unsigned int *data, - int n, unsigned int *output_block) -{ - unsigned int *chaining_value = output_block; - - /* [1] chaining_value = 0^outlen */ - memset(&chaining_value[0], 0, NIST_BLOCK_OUTLEN_BYTES); - - nist_ctr_drbg_bcc_update(ctx, data, n, output_block); -} - -/* - * NIST SP 800-90 March 2007 - * 10.4.2 Derivation Function Using a Block Cipher Algorithm - */ - -typedef struct { - int index; - unsigned char S[NIST_BLOCK_OUTLEN_BYTES]; -} NIST_CTR_DRBG_DF_BCC_CTX; - -static inline int -check_int_alignment(const void *p) -{ - intptr_t ip = (const char *)p - (const char *)0; - - if (ip & (sizeof(int) - 1)) - return 0; - - return 1; -} - -static void -nist_ctr_drbg_df_bcc_init(NIST_CTR_DRBG_DF_BCC_CTX *ctx, int L, int N) -{ - unsigned int *S = (unsigned int *)ctx->S; - - /* [4] S = L || N || input_string || 0x80 */ - S[0] = NIST_HTONL(L); - S[1] = NIST_HTONL(N); - ctx->index = 2 * sizeof(S[0]); -} - -static void -nist_ctr_drbg_df_bcc_update(NIST_CTR_DRBG_DF_BCC_CTX *ctx, - const char *input_string, - int input_string_length, unsigned int *temp) -{ - int i, len; - int index = ctx->index; - unsigned char *S = ctx->S; - - if (index) { - KASSERT(index < NIST_BLOCK_OUTLEN_BYTES); - len = NIST_BLOCK_OUTLEN_BYTES - index; - if (input_string_length < len) - len = input_string_length; - - memcpy(&S[index], input_string, len); - - index += len; - input_string += len; - input_string_length -= len; - - if (index < NIST_BLOCK_OUTLEN_BYTES) { - ctx->index = index; - - return; - } - - /* We have a full block in S, so let's process it */ - /* [9.2] BCC */ - nist_ctr_drbg_bcc_update(&nist_cipher_df_ctx, - (unsigned int *)&S[0], 1, temp); - index = 0; - } - - /* ctx->S is empty, so let's handle as many input blocks as we can */ - len = input_string_length / NIST_BLOCK_OUTLEN_BYTES; - if (len > 0) { - if (check_int_alignment(input_string)) { - /* [9.2] BCC */ - nist_ctr_drbg_bcc_update(&nist_cipher_df_ctx, - (const unsigned int *) - input_string, len, temp); - - input_string += len * NIST_BLOCK_OUTLEN_BYTES; - input_string_length -= len * NIST_BLOCK_OUTLEN_BYTES; - } else { - for (i = 0; i < len; ++i) { - memcpy(&S[0], input_string, - NIST_BLOCK_OUTLEN_BYTES); - - /* [9.2] BCC */ - nist_ctr_drbg_bcc_update(&nist_cipher_df_ctx, - (unsigned int *) - &S[0], 1, temp); - - input_string += NIST_BLOCK_OUTLEN_BYTES; - input_string_length -= NIST_BLOCK_OUTLEN_BYTES; - } - } - } - - KASSERT(input_string_length < NIST_BLOCK_OUTLEN_BYTES); - - if (input_string_length) { - memcpy(&S[0], input_string, input_string_length); - index = input_string_length; - } - - ctx->index = index; -} - -static void -nist_ctr_drbg_df_bcc_final(NIST_CTR_DRBG_DF_BCC_CTX *ctx, unsigned int *temp) -{ - int index; - unsigned char* S = ctx->S; - static const char endmark[] = { 0x80 }; - - nist_ctr_drbg_df_bcc_update(ctx, endmark, sizeof(endmark), temp); - - index = ctx->index; - if (index) { - memset(&S[index], 0, NIST_BLOCK_OUTLEN_BYTES - index); - - /* [9.2] BCC */ - nist_ctr_drbg_bcc_update(&nist_cipher_df_ctx, - (unsigned int *)&S[0], 1, temp); - } -} - -static int -nist_ctr_drbg_block_cipher_df(const char *input_string[], unsigned int L[], - int input_string_count, - unsigned char *output_string, unsigned int N) -{ - int j, k, blocks, sum_L; - unsigned int *temp; - unsigned int *X; - NIST_Key ctx; - NIST_CTR_DRBG_DF_BCC_CTX df_bcc_ctx; - unsigned int buffer[NIST_BLOCK_SEEDLEN_INTS]; - /* - * NIST SP 800-90 March 2007 10.4.2 states that 512 bits is - * the maximum length for the approved block cipher algorithms. - */ - unsigned int output_buffer[512 / 8 / sizeof(unsigned int)]; - - if (N > sizeof(output_buffer) || N < 1) - return 0; - - sum_L = 0; - for (j = 0; j < input_string_count; ++j) - sum_L += L[j]; - - /* [6] temp = Null string */ - temp = buffer; - - /* [9] while len(temp) < keylen + outlen, do */ - for (j = 0; j < NIST_BLOCK_SEEDLEN / NIST_BLOCK_OUTLEN; ++j) { - /* [9.2] temp = temp || BCC(K, (IV || S)) */ - - /* Since we have precomputed BCC(K, IV), we start with that... */ - memcpy(&temp[0], &nist_cipher_df_encrypted_iv[j][0], - NIST_BLOCK_OUTLEN_BYTES); - - nist_ctr_drbg_df_bcc_init(&df_bcc_ctx, sum_L, N); - - /* Compute the rest of BCC(K, (IV || S)) */ - for (k = 0; k < input_string_count; ++k) - nist_ctr_drbg_df_bcc_update(&df_bcc_ctx, - input_string[k], - L[k], temp); - - nist_ctr_drbg_df_bcc_final(&df_bcc_ctx, temp); - - temp += NIST_BLOCK_OUTLEN_INTS; - } - - nist_zeroize(&df_bcc_ctx, sizeof(df_bcc_ctx)); - - /* [6] temp = Null string */ - temp = buffer; - - /* [10] K = Leftmost keylen bits of temp */ - Block_Schedule_Encryption(&ctx, &temp[0]); - - /* [11] X = next outlen bits of temp */ - X = &temp[NIST_BLOCK_KEYLEN_INTS]; - - /* [12] temp = Null string */ - temp = output_buffer; - - /* [13] While len(temp) < number_of_bits_to_return, do */ - blocks = (int)(N / NIST_BLOCK_OUTLEN_BYTES); - if (N & (NIST_BLOCK_OUTLEN_BYTES - 1)) - ++blocks; - for (j = 0; j < blocks; ++j) { - /* [13.1] X = Block_Encrypt(K, X) */ - Block_Encrypt(&ctx, X, temp); - X = temp; - temp += NIST_BLOCK_OUTLEN_INTS; - } - - /* [14] requested_bits = Leftmost number_of_bits_to_return of temp */ - memcpy(output_string, output_buffer, N); - - nist_zeroize(&ctx, sizeof(ctx)); - - return 0; -} - - -static int -nist_ctr_drbg_block_cipher_df_initialize(void) -{ - int i, err; - unsigned char K[NIST_BLOCK_KEYLEN_BYTES]; - unsigned int IV[NIST_BLOCK_OUTLEN_INTS]; - - /* [8] K = Leftmost keylen bits of 0x00010203 ... 1D1E1F */ - for (i = 0; i < sizeof(K); ++i) - K[i] = (unsigned char)i; - - err = Block_Schedule_Encryption(&nist_cipher_df_ctx, K); - if (err) - return err; - - /* - * Precompute the partial BCC result from encrypting the IVs: - * nist_cipher_df_encrypted_iv[i] = BCC(K, IV(i)) - */ - - /* [7] i = 0 */ - /* [9.1] IV = i || 0^(outlen - len(i)) */ - memset(&IV[0], 0, sizeof(IV)); - - /* [9.3] i = i + 1 */ - for (i = 0; i < NIST_BLOCK_SEEDLEN / NIST_BLOCK_OUTLEN; ++i) { - - /* [9.1] IV = i || 0^(outlen - len(i)) */ - IV[0] = NIST_HTONL(i); - - /* - * [9.2] temp = temp || BCC(K, (IV || S)) - * (the IV part, at least) - */ - nist_ctr_drbg_bcc(&nist_cipher_df_ctx, &IV[0], 1, - (unsigned int *) - &nist_cipher_df_encrypted_iv[i][0]); - } - - return 0; -} - -/* - * NIST SP 800-90 March 2007 - * 10.2.1.2 The Update Function - */ -static void -nist_ctr_drbg_update(NIST_CTR_DRBG *drbg, const unsigned int *provided_data) -{ - int i; - unsigned int temp[NIST_BLOCK_SEEDLEN_INTS]; - unsigned int* output_block; - - /* 2. while (len(temp) < seedlen) do */ - for (output_block = temp; - output_block < &temp[NIST_BLOCK_SEEDLEN_INTS]; - output_block += NIST_BLOCK_OUTLEN_INTS) { - - /* 2.1 V = (V + 1) mod 2^outlen */ - nist_increment_block((unsigned long *)&drbg->V[0]); - - /* 2.2 output_block = Block_Encrypt(K, V) */ - Block_Encrypt(&drbg->ctx, drbg->V, output_block); - } - - /* 3 temp is already of size seedlen (NIST_BLOCK_SEEDLEN_INTS) */ - - /* 4 (part 1) temp = temp XOR provided_data */ - for (i = 0; i < NIST_BLOCK_KEYLEN_INTS; ++i) - temp[i] ^= *provided_data++; - - /* 5 Key = leftmost keylen bits of temp */ - Block_Schedule_Encryption(&drbg->ctx, &temp[0]); - - /* 4 (part 2) combined with 6 V = rightmost outlen bits of temp */ - for (i = 0; i < NIST_BLOCK_OUTLEN_INTS; ++i) - drbg->V[i] = - temp[NIST_BLOCK_KEYLEN_INTS + i] ^ *provided_data++; -} - -/* - * NIST SP 800-90 March 2007 - * 10.2.1.3.2 The Process Steps for Instantiation When a Derivation - * Function is Used - */ -int -nist_ctr_drbg_instantiate(NIST_CTR_DRBG* drbg, - const void *entropy_input, int entropy_input_length, - const void *nonce, int nonce_length, - const void *personalization_string, int personalization_string_length) -{ - int err, count; - unsigned int seed_material[NIST_BLOCK_SEEDLEN_INTS]; - unsigned int length[3]; - const char *input_string[3]; - - /* [1] seed_material = entropy_input || - * nonce || personalization_string - */ - - input_string[0] = entropy_input; - length[0] = entropy_input_length; - - input_string[1] = nonce; - length[1] = nonce_length; - - count = 2; - if (personalization_string) { - input_string[count] = personalization_string; - length[count] = personalization_string_length; - ++count; - } - /* [2] seed_material = Block_Cipher_df(seed_material, seedlen) */ - err = nist_ctr_drbg_block_cipher_df(input_string, length, count, - (unsigned char *)seed_material, - sizeof(seed_material)); - if (err) - return err; - - /* [3] Key = 0^keylen */ - memcpy(&drbg->ctx, &nist_cipher_zero_ctx, sizeof(drbg->ctx)); - - /* [4] V = 0^outlen */ - memset(&drbg->V, 0, sizeof(drbg->V)); - - /* [5] (Key, V) = Update(seed_material, Key, V) */ - nist_ctr_drbg_update(drbg, seed_material); - - /* [6] reseed_counter = 1 */ - drbg->reseed_counter = 1; - - return 0; -} - -static int -nist_ctr_drbg_instantiate_initialize(void) -{ - int err; - unsigned char K[NIST_BLOCK_KEYLEN_BYTES]; - - memset(&K[0], 0, sizeof(K)); - - err = Block_Schedule_Encryption(&nist_cipher_zero_ctx, &K[0]); - - return err; -} - -/* - * NIST SP 800-90 March 2007 - * 10.2.1.4.2 The Process Steps for Reseeding When a Derivation - * Function is Used - */ -int -nist_ctr_drbg_reseed(NIST_CTR_DRBG *drbg, - const void *entropy_input, int entropy_input_length, - const void *additional_input, - int additional_input_length) -{ - int err, count; - const char *input_string[2]; - unsigned int length[2]; - unsigned int seed_material[NIST_BLOCK_SEEDLEN_INTS]; - - /* [1] seed_material = entropy_input || additional_input */ - input_string[0] = entropy_input; - length[0] = entropy_input_length; - count = 1; - - if (additional_input) { - input_string[count] = additional_input; - length[count] = additional_input_length; - - ++count; - } - /* [2] seed_material = Block_Cipher_df(seed_material, seedlen) */ - err = nist_ctr_drbg_block_cipher_df(input_string, length, count, - (unsigned char *)seed_material, - sizeof(seed_material)); - if (err) - return err; - - /* [3] (Key, V) = Update(seed_material, Key, V) */ - nist_ctr_drbg_update(drbg, seed_material); - - /* [4] reseed_counter = 1 */ - drbg->reseed_counter = 1; - - return 0; -} - -/* - * NIST SP 800-90 March 2007 - * 10.2.1.5.2 The Process Steps for Generating Pseudorandom Bits When a - * Derivation Function is Used for the DRBG Implementation - */ -static void -nist_ctr_drbg_generate_block(NIST_CTR_DRBG *drbg, unsigned int *output_block) -{ - - /* [4.1] V = (V + 1) mod 2^outlen */ - nist_increment_block((unsigned long *)&drbg->V[0]); - - /* [4.2] output_block = Block_Encrypt(Key, V) */ - Block_Encrypt(&drbg->ctx, &drbg->V[0], output_block); - -} - -int -nist_ctr_drbg_generate(NIST_CTR_DRBG * drbg, - void *output_string, int output_string_length, - const void *additional_input, - int additional_input_length) -{ - int i, len, err; - int blocks = output_string_length / NIST_BLOCK_OUTLEN_BYTES; - unsigned char* p; - unsigned int* temp; - const char *input_string[1]; - unsigned int length[1]; - unsigned int buffer[NIST_BLOCK_OUTLEN_BYTES]; - unsigned int additional_input_buffer[NIST_BLOCK_SEEDLEN_INTS]; - int ret = 0; - - if (output_string_length < 1) - return 1; - - /* [1] If reseed_counter > reseed_interval ... */ - if (drbg->reseed_counter >= NIST_CTR_DRBG_RESEED_INTERVAL) { - ret = 1; - goto out; - } - - /* [2] If (addional_input != Null), then */ - if (additional_input) { - input_string[0] = additional_input; - length[0] = additional_input_length; - /* - * [2.1] additional_input = - * Block_Cipher_df(additional_input, seedlen) - */ - err = nist_ctr_drbg_block_cipher_df(input_string, length, 1, - (unsigned char *)additional_input_buffer, - sizeof(additional_input_buffer)); - if (err) { - ret = err; - goto out; - } - - /* [2.2] (Key, V) = Update(additional_input, Key, V) */ - nist_ctr_drbg_update(drbg, additional_input_buffer); - } - - if (blocks && check_int_alignment(output_string)) { - /* [3] temp = Null */ - temp = (unsigned int *)output_string; - for (i = 0; i < blocks; ++i) { - nist_ctr_drbg_generate_block(drbg, temp); - - temp += NIST_BLOCK_OUTLEN_INTS; - output_string_length -= NIST_BLOCK_OUTLEN_BYTES; - } - - output_string = (unsigned char *)temp; - } - - /* [3] temp = Null */ - temp = buffer; - - len = NIST_BLOCK_OUTLEN_BYTES; - - /* [4] While (len(temp) < requested_number_of_bits) do: */ - p = output_string; - while (output_string_length > 0) { - nist_ctr_drbg_generate_block(drbg, temp); - - if (output_string_length < NIST_BLOCK_OUTLEN_BYTES) - len = output_string_length; - - memcpy(p, temp, len); - - p += len; - output_string_length -= len; - } - - /* [6] (Key, V) = Update(additional_input, Key, V) */ - nist_ctr_drbg_update(drbg, additional_input ? - &additional_input_buffer[0] : - &nist_ctr_drgb_generate_null_input[0]); - - /* [7] reseed_counter = reseed_counter + 1 */ - ++drbg->reseed_counter; - -out: - return ret; -} - -int -nist_ctr_initialize(void) -{ - int err; - - err = nist_ctr_drbg_instantiate_initialize(); - if (err) - return err; - err = nist_ctr_drbg_block_cipher_df_initialize(); - if (err) - return err; - - return 0; -} - -int -nist_ctr_drbg_destroy(NIST_CTR_DRBG* drbg) -{ - nist_zeroize(drbg, sizeof(*drbg)); - drbg->reseed_counter = ~0U; - return 1; -} diff --git a/sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h b/sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h deleted file mode 100644 index 4e3da2b7d08a..000000000000 --- a/sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h +++ /dev/null @@ -1,106 +0,0 @@ -/* $NetBSD: nist_ctr_drbg.h,v 1.3 2018/04/19 21:50:08 christos Exp $ */ - -/*- - * Copyright (c) 2011 The NetBSD Foundation, Inc. - * All rights reserved. - * - * This code is derived from software contributed to The NetBSD Foundation - * by Thor Lancelot Simon. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS - * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Copyright (c) 2007 Henric Jungheim - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * NIST SP 800-90 CTR_DRBG (Random Number Generator) - */ - -#ifndef NIST_CTR_DRBG_H -#define NIST_CTR_DRBG_H - -#include - -#define NIST_BLOCK_SEEDLEN (NIST_BLOCK_KEYLEN + NIST_BLOCK_OUTLEN) -#define NIST_BLOCK_SEEDLEN_BYTES (NIST_BLOCK_SEEDLEN / 8) -#define NIST_BLOCK_SEEDLEN_INTS (NIST_BLOCK_SEEDLEN_BYTES / sizeof(int)) - -typedef struct { - unsigned int reseed_counter; - NIST_Key ctx; - unsigned int V[NIST_BLOCK_OUTLEN_INTS] __attribute__ ((aligned(8))); -} NIST_CTR_DRBG; - -int nist_ctr_initialize(void); -int nist_ctr_drbg_generate(NIST_CTR_DRBG *, void *, int, const void *, int); -int nist_ctr_drbg_reseed(NIST_CTR_DRBG *, const void *, int, - const void *, int); -int nist_ctr_drbg_instantiate(NIST_CTR_DRBG *, const void *, int, - const void *, int, const void *, int); -int nist_ctr_drbg_destroy(NIST_CTR_DRBG *); - -#ifdef NIST_ZEROIZE -#define nist_zeroize(p, s) memset(p, 0, s) -#else -#define nist_zeroize(p, s) do { } while(0) -#endif - -#ifdef NIST_IS_LITTLE_ENDIAN /* Faster, as secure, won't pass KAT */ -#define NIST_HTONL(x) (x) -#define NIST_NTOHL(x) (x) -#else -static __inline unsigned long -NIST_HTONL(unsigned long x) -{ - switch(sizeof(long)) { - case 4: - return be32toh(x); - default: - return be64toh(x); - { -} -static __inline unsigned long -NIST_NTOHL(unsigned long x) -{ - switch(sizeof(long)) { - case 4: - return htobe32(x); - default: - return htobe64(x); -} -#endif - -#endif /* NIST_CTR_DRBG_H */ diff --git a/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h b/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h deleted file mode 100644 index 83d4e14179de..000000000000 --- a/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h +++ /dev/null @@ -1,80 +0,0 @@ -/* $NetBSD: nist_ctr_drbg_aes128.h,v 1.2 2011/12/17 20:05:38 tls Exp $ */ - -/*- - * Copyright (c) 2011 The NetBSD Foundation, Inc. - * All rights reserved. - * - * This code is derived from software contributed to The NetBSD Foundation - * by Thor Lancelot Simon. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS - * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Copyright (c) 2007 Henric Jungheim - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * NIST SP 800-90 CTR_DRBG (Random Number Generator) - */ - -#ifndef NIST_CTR_DRBG_AES128_H -#define NIST_CTR_DRBG_AES128_H - -/* Choose AES-128 as the underlying block cipher */ -#define NIST_BLOCK_KEYLEN (128) -#define NIST_BLOCK_KEYLEN_BYTES (NIST_BLOCK_KEYLEN / 8) -#define NIST_BLOCK_KEYLEN_INTS (NIST_BLOCK_KEYLEN_BYTES / sizeof(int)) - -#define NIST_BLOCK_OUTLEN (NIST_AES_BLOCKSIZEBITS) -#define NIST_BLOCK_OUTLEN_BYTES (NIST_BLOCK_OUTLEN / 8) -#define NIST_BLOCK_OUTLEN_INTS (NIST_BLOCK_OUTLEN_BYTES / sizeof(int)) -#define NIST_BLOCK_OUTLEN_LONGS (NIST_BLOCK_OUTLEN_BYTES / sizeof(long)) - -typedef NIST_AES_ENCRYPT_CTX NIST_Key; - -#define Block_Encrypt(ctx, src, dst) NIST_AES_ECB_Encrypt(ctx, src, dst) -#define Block_Schedule_Encryption(ctx, key) \ - NIST_AES_Schedule_Encryption(ctx, key, NIST_BLOCK_KEYLEN) - -/* - * NIST SP 800-90 March 2007 - * 10.2 DRBG Mechanism Based on Block Ciphers - * - * Table 3 specifies the reseed interval as - * <= 2^48. We use 2^31 so we can always be sure it'll fit in an int. - */ -#define NIST_CTR_DRBG_RESEED_INTERVAL (0x7fffffffU) - -#endif /* NIST_CTR_DRBG_AES128_H */ diff --git a/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h b/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h deleted file mode 100644 index 26365edec102..000000000000 --- a/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h +++ /dev/null @@ -1,80 +0,0 @@ -/* $NetBSD: nist_ctr_drbg_aes256.h,v 1.2 2011/12/17 20:05:38 tls Exp $ */ - -/*- - * Copyright (c) 2011 The NetBSD Foundation, Inc. - * All rights reserved. - * - * This code is derived from software contributed to The NetBSD Foundation - * by Thor Lancelot Simon. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS - * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Copyright (c) 2007 Henric Jungheim - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * NIST SP 800-90 CTR_DRBG (Random Number Generator) - */ - -#ifndef NIST_CTR_DRBG_AES256_H -#define NIST_CTR_DRBG_AES256_H - -/* Choose AES-256 as the underlying block cipher */ -#define NIST_BLOCK_KEYLEN (256) -#define NIST_BLOCK_KEYLEN_BYTES (NIST_BLOCK_KEYLEN / 8) -#define NIST_BLOCK_KEYLEN_INTS (NIST_BLOCK_KEYLEN_BYTES / sizeof(int)) - -#define NIST_BLOCK_OUTLEN (NIST_AES_BLOCKSIZEBITS) -#define NIST_BLOCK_OUTLEN_BYTES (NIST_BLOCK_OUTLEN / 8) -#define NIST_BLOCK_OUTLEN_INTS (NIST_BLOCK_OUTLEN_BYTES / sizeof(int)) -#define NIST_BLOCK_OUTLEN_LONGS (NIST_BLOCK_OUTLEN_BYTES / sizeof(long)) - -typedef NIST_AES_ENCRYPT_CTX NIST_Key; - -#define Block_Encrypt(ctx, src, dst) NIST_AES_ECB_Encrypt(ctx, src, dst) -#define Block_Schedule_Encryption(ctx, key) \ - NIST_AES_Schedule_Encryption(ctx, key, NIST_BLOCK_KEYLEN) - -/* - * NIST SP 800-90 March 2007 - * 10.2 DRBG Mechanism Based on Block Ciphers - * - * Table 3 specifies the reseed interval as - * <= 2^48. We use 2^31 so we can always be sure it'll fit in an int. - */ -#define NIST_CTR_DRBG_RESEED_INTERVAL (0x7fffffffU) - -#endif /* NIST_CTR_DRBG_AES256_H */ diff --git a/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h b/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h deleted file mode 100644 index 9695001d11c3..000000000000 --- a/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h +++ /dev/null @@ -1,72 +0,0 @@ -/* $NetBSD: nist_ctr_drbg_config.h,v 1.1 2011/11/19 22:51:22 tls Exp $ */ - -/*- - * Copyright (c) 2011 The NetBSD Foundation, Inc. - * All rights reserved. - * - * This code is derived from software contributed to The NetBSD Foundation - * by Thor Lancelot Simon. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS - * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Copyright (c) 2007 Henric Jungheim - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * NIST SP 800-90 Configuration (Random Number Generator) - */ - -#ifndef NIST_CTR_DRBG_CONFIG_H -#define NIST_CTR_DRBG_CONFIG_H - -/* - * The test vectors will indicate failure if the - * byte ordering is set incorrectly. - * Pretending to be little endian will improve performance - * slightly but should not have an impact on - * security (a byte-swapped nonce is still a nonce). - */ -#define NIST_IS_LITTLE_ENDIAN 1 - -/* Without NIST_ZEROIZE, we leave some intermediaries on the stack. */ -#define NIST_ZEROIZE 1 - -#include - -/* Use AES-128 as the block cipher */ -#include - -#endif /* NIST_CTR_DRBG_CONFIG_H */ diff --git a/sys/crypto/nist_hash_drbg/files.nist_hash_drbg b/sys/crypto/nist_hash_drbg/files.nist_hash_drbg new file mode 100644 index 000000000000..1a8ddbe68cfa --- /dev/null +++ b/sys/crypto/nist_hash_drbg/files.nist_hash_drbg @@ -0,0 +1,3 @@ +# $NetBSD$ + +file crypto/nist_hash_drbg/nist_hash_drbg.c diff --git a/sys/crypto/nist_hash_drbg/nist_hash_drbg.c b/sys/crypto/nist_hash_drbg/nist_hash_drbg.c new file mode 100644 index 000000000000..4625044747b5 --- /dev/null +++ b/sys/crypto/nist_hash_drbg/nist_hash_drbg.c @@ -0,0 +1,1118 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2019 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This file implements Hash_DRBG, a `deterministic random bit + * generator' (more commonly known in lay terms and in the cryptography + * literature as a pseudorandom bit generator or pseudorandom number + * generator), described in + * + * Elaine Barker and John Kelsey, `Recommendation for Random + * Number Generation Using Deterministic Random Bit Generators', + * NIST SP800-90A, June 2015. + * + * This code is meant to work in userland or in kernel. For a test + * program, compile with -DNIST_HASH_DRBG_MAIN to define a `main' + * function; for verbose debugging output, compile with + * -DNIST_HASH_DRBG_DEBUG, mainly useful if you need to change + * something and have to diagnose what's wrong with the known-answer + * tests. + */ + +#include + +#include +#include +#include + +#ifdef _KERNEL +#include /* memcpy */ +#include /* KASSERT */ +#define ASSERT KASSERT +#else +#include +#include +#include +#include +#define ASSERT assert +#define CTASSERT __CTASSERT +#endif + +#include "nist_hash_drbg.h" + +#define secret /* must not use in variable-time operations; should zero */ +#define arraycount(A) (sizeof(A)/sizeof(A[0])) + +CTASSERT(0 < NIST_HASH_DRBG_RESEED_INTERVAL); +CTASSERT(NIST_HASH_DRBG_RESEED_INTERVAL <= INT_MAX); +CTASSERT(NIST_HASH_DRBG_RESEED_INTERVAL <= ~(~0ull << 48)); + +/* Instantiation: SHA-256 */ +#define HASH_LENGTH SHA256_DIGEST_LENGTH +#define HASH_CTX SHA256_CTX +#define hash_init SHA256_Init +#define hash_update SHA256_Update +#define hash_final SHA256_Final + +#define SEEDLEN_BYTES NIST_HASH_DRBG_SEEDLEN_BYTES + +struct hvec { + const void *hv_base; + size_t hv_len; +}; + +static void hashgen(secret uint8_t *, size_t, + const secret uint8_t[SEEDLEN_BYTES]); +static void add8(secret uint8_t *, size_t, const secret uint8_t *, size_t); +static void hash_df(secret void *, size_t, const struct hvec *, size_t); +static void hash_df_block(secret void *, uint8_t, uint8_t[4], + const struct hvec *, size_t); + +/* 10.1.1 Hash_DRBG */ + +int +nist_hash_drbg_destroy(struct nist_hash_drbg *D) +{ + + explicit_memset(D, 0, sizeof(*D)); + D->reseed_counter = UINT_MAX; /* paranoia: make generate fail */ + return 0; +} + +/* 10.1.1.2 Instantiation of Hash_DRBG */ + +int +nist_hash_drbg_instantiate(secret struct nist_hash_drbg *D, + const secret void *entropy, size_t entropylen, + const void *nonce, size_t noncelen, + const void *personalization, size_t personalizationlen) +{ + /* + * 1. seed_material = entropy_input || nonce || personalization_string + */ + const struct hvec seed_material[] = { + { .hv_base = entropy, .hv_len = entropylen }, + { .hv_base = nonce, .hv_len = noncelen }, + { .hv_base = personalization, .hv_len = personalizationlen }, + }; + + /* + * 2. seed = Hash_df(seed_material, seedlen) + * 3. V = seed + */ + CTASSERT(sizeof D->V == SEEDLEN_BYTES); + hash_df(D->V, sizeof D->V, seed_material, arraycount(seed_material)); + + /* 4. C = Hash_df((0x00 || V), seedlen) */ + const struct hvec hv[] = { + { .hv_base = (const uint8_t[]) {0x00}, .hv_len = 1 }, + { .hv_base = D->V, .hv_len = sizeof D->V }, + }; + CTASSERT(sizeof D->C == SEEDLEN_BYTES); + hash_df(D->C, sizeof D->C, hv, arraycount(hv)); + + /* 5. reseed_counter = 1 */ + D->reseed_counter = 1; + + return 0; +} + +/* 10.1.1.3 Reseeding a Hash_DRBG Instantiation */ + +int +nist_hash_drbg_reseed(secret struct nist_hash_drbg *D, + const secret void *entropy, size_t entropylen, + const void *additional, size_t additionallen) +{ + /* 1. seed_material = 0x01 || V || entropy_input || additional_input */ + const struct hvec seed_material[] = { + { .hv_base = (const uint8_t[]) {0x01}, .hv_len = 1 }, + { .hv_base = D->V, .hv_len = sizeof D->V }, + { .hv_base = entropy, .hv_len = entropylen }, + { .hv_base = additional, .hv_len = additionallen }, + }; + uint8_t seed[SEEDLEN_BYTES]; + + /* + * 2. seed = Hash_df(seed_material, seedlen) + * 3. V = seed + */ + CTASSERT(sizeof D->V == SEEDLEN_BYTES); + hash_df(seed, sizeof seed, seed_material, arraycount(seed_material)); + memcpy(D->V, seed, sizeof D->V); + + /* 3. C = Hash_df((0x00 || V), seedlen) */ + const struct hvec hv[] = { + { .hv_base = (const uint8_t[]) {0x00}, .hv_len = 1 }, + { .hv_base = D->V, .hv_len = sizeof D->V }, + }; + CTASSERT(sizeof D->C == SEEDLEN_BYTES); + hash_df(D->C, sizeof D->C, hv, arraycount(hv)); + + /* 5. reseed_counter = 1 */ + D->reseed_counter = 1; + + return 0; +} + +/* 10.1.1.4 Generating Pseudorandom Bits Using Hash_DRBG */ + +int +nist_hash_drbg_generate(secret struct nist_hash_drbg *D, + secret void *output, size_t outputlen, + const void *additional, size_t additionallen) +{ + secret HASH_CTX ctx; + secret uint8_t H[HASH_LENGTH]; + uint8_t reseed_counter[4]; + + /* + * 1. If reseed_counter > reseed_interval, then return an + * indication that a reseed is required. + */ + if (D->reseed_counter > NIST_HASH_DRBG_RESEED_INTERVAL) + return 1; + + /* 2. If (additional_input != Null), then do: */ + if (additionallen) { + /* 2.1 w = Hash(0x02 || V || additional_input) */ + secret uint8_t w[HASH_LENGTH]; + + hash_init(&ctx); + hash_update(&ctx, (const uint8_t[]) {0x02}, 1); + hash_update(&ctx, D->V, sizeof D->V); + hash_update(&ctx, additional, additionallen); + hash_final(w, &ctx); + + /* 2.2 V = (V + w) mod 2^seedlen */ + add8(D->V, sizeof D->V, w, sizeof w); + + explicit_memset(w, 0, sizeof w); + } + + /* 3. (returned_bits) = Hashgen(requested_number_of_bits, V) */ + hashgen(output, outputlen, D->V); + + /* 4. H = Hash(0x03 || V) */ + hash_init(&ctx); + hash_update(&ctx, (const uint8_t[]) {0x03}, 1); + hash_update(&ctx, D->V, sizeof D->V); + hash_final(H, &ctx); + + /* 5. V = (V + H + C + reseed_counter) mod 2^seedlen */ + be32enc(reseed_counter, D->reseed_counter); + add8(D->V, sizeof D->V, H, sizeof H); + add8(D->V, sizeof D->V, D->C, sizeof D->C); + add8(D->V, sizeof D->V, reseed_counter, sizeof reseed_counter); + + /* 6. reseed_counter = reseed_counter + 1 */ + D->reseed_counter++; + + explicit_memset(&ctx, 0, sizeof ctx); + explicit_memset(H, 0, sizeof H); + + /* 7. Return SUCCESS, ... */ + return 0; +} + +/* + * p := H(V) || H(V + 1) || H(V + 2) || ... + */ +static void +hashgen(secret uint8_t *p, size_t n, const secret uint8_t V[SEEDLEN_BYTES]) +{ + secret uint8_t data[SEEDLEN_BYTES]; + secret HASH_CTX ctx; + + /* Save a copy so that we can increment it. */ + memcpy(data, V, SEEDLEN_BYTES); + + /* Generate block by block into p directly. */ + while (HASH_LENGTH <= n) { + hash_init(&ctx); + hash_update(&ctx, data, SEEDLEN_BYTES); + hash_final(p, &ctx); + + p += HASH_LENGTH; + n -= HASH_LENGTH; + add8(data, sizeof data, (const uint8_t[]) {1}, 1); + } + + /* + * If any partial block requested, generate a full block and + * copy the part we need. + */ + if (n) { + secret uint8_t t[HASH_LENGTH]; + + hash_init(&ctx); + hash_update(&ctx, data, SEEDLEN_BYTES); + hash_final(t, &ctx); + + memcpy(p, t, n); + explicit_memset(t, 0, sizeof t); + } + + explicit_memset(data, 0, sizeof data); + explicit_memset(&ctx, 0, sizeof ctx); +} + +/* + * s := s + a (big-endian, radix-2^8) + */ +static void +add8(secret uint8_t *s, size_t slen, const secret uint8_t *a, size_t alen) +{ + const size_t smax = slen - 1, amax = alen - 1; + size_t i; + secret unsigned c = 0; + + /* 2^8 c + s_i := s_i + a_i + c */ + for (i = 0; i < MIN(slen, alen); i++) { + c += s[smax - i] + a[amax - i]; + s[smax - i] = c & 0xff; + c >>= 8; + } + + /* 2^8 c + s_i := s_i + c */ + for (; i < slen; i++) { + c += s[smax - i]; + s[smax - i] = c & 0xff; + c >>= 8; + } + + explicit_memset(&c, 0, sizeof c); +} + +/* 10.4.1 Derivation Function Using a Hash Function (Hash_df) */ + +static void +hash_df(void *h, size_t hlen, const struct hvec *input, size_t inputlen) +{ + uint8_t *p = h; + size_t n = hlen; + uint8_t counter = 1; + uint8_t hbits[4]; + + ASSERT(hlen <= 255*HASH_LENGTH); + ASSERT(hlen <= UINT32_MAX/8); + be32enc(hbits, 8*hlen); + + while (HASH_LENGTH <= n) { + hash_df_block(p, counter++, hbits, input, inputlen); + p += HASH_LENGTH; + n -= HASH_LENGTH; + } + + if (n) { + secret uint8_t t[HASH_LENGTH]; + + hash_df_block(t, counter, hbits, input, inputlen); + memcpy(p, t, n); + + explicit_memset(t, 0, sizeof t); + } +} + +static void +hash_df_block(secret void *h, uint8_t counter, uint8_t hbits[4], + const struct hvec *input, size_t inputlen) +{ + secret HASH_CTX ctx; + size_t i; + + /* + * Hash_df Process, step 4.1: + * Hash(counter || no_of_bits_to_return || input_string) + */ + hash_init(&ctx); + hash_update(&ctx, &counter, 1); + hash_update(&ctx, hbits, 4); + for (i = 0; i < inputlen; i++) { + if (input[i].hv_len) + hash_update(&ctx, input[i].hv_base, input[i].hv_len); + } + hash_final(h, &ctx); + + explicit_memset(&ctx, 0, sizeof ctx); +} + +/* + * Known-answer test vectors for Hash_DRBG with SHA-256 + */ + +/* Hash_DRBG.PDF, p. 190 */ +static const uint8_t kat_entropy[3][SEEDLEN_BYTES] = { + [0] = { + 0x00,0x01,0x02,0x03, 0x04,0x05,0x06,0x07, + 0x08,0x09,0x0a,0x0b, 0x0c,0x0d,0x0e,0x0f, + 0x10,0x11,0x12,0x13, 0x14,0x15,0x16,0x17, + 0x18,0x19,0x1a,0x1b, 0x1c,0x1d,0x1e,0x1f, + 0x20,0x21,0x22,0x23, 0x24,0x25,0x26,0x27, + 0x28,0x29,0x2a,0x2b, 0x2c,0x2d,0x2e,0x2f, + 0x30,0x31,0x32,0x33, 0x34,0x35,0x36, + }, + [1] = { /* for reseed1 */ + 0x80,0x81,0x82,0x83, 0x84,0x85,0x86,0x87, + 0x88,0x89,0x8a,0x8b, 0x8c,0x8d,0x8e,0x8f, + 0x90,0x91,0x92,0x93, 0x94,0x95,0x96,0x97, + 0x98,0x99,0x9a,0x9b, 0x9c,0x9d,0x9e,0x9f, + 0xa0,0xa1,0xa2,0xa3, 0xa4,0xa5,0xa6,0xa7, + 0xa8,0xa9,0xaa,0xab, 0xac,0xad,0xae,0xaf, + 0xb0,0xb1,0xb2,0xb3, 0xb4,0xb5,0xb6, + }, + [2] = { /* for reseed2 */ + 0xc0,0xc1,0xc2,0xc3, 0xc4,0xc5,0xc6,0xc7, + 0xc8,0xc9,0xca,0xcb, 0xcc,0xcd,0xce,0xcf, + 0xd0,0xd1,0xd2,0xd3, 0xd4,0xd5,0xd6,0xd7, + 0xd8,0xd9,0xda,0xdb, 0xdc,0xdd,0xde,0xdf, + 0xe0,0xe1,0xe2,0xe3, 0xe4,0xe5,0xe6,0xe7, + 0xe8,0xe9,0xea,0xeb, 0xec,0xed,0xee,0xef, + 0xf0,0xf1,0xf2,0xf3, 0xf4,0xf5,0xf6, + }, +}; + +static const uint8_t kat_nonce[] = { + 0x20,0x21,0x22,0x23, 0x24,0x25,0x26,0x27, +}; + +static const struct hvec kat_zero = { .hv_base = 0, .hv_len = 0 }; + +static const struct hvec kat_personalization = { + .hv_len = 55, + .hv_base = (const void *)(const uint8_t[]) { /* p. 208 */ + 0x40,0x41,0x42,0x43, 0x44,0x45,0x46,0x47, + 0x48,0x49,0x4a,0x4b, 0x4c,0x4d,0x4e,0x4f, + 0x50,0x51,0x52,0x53, 0x54,0x55,0x56,0x57, + 0x58,0x59,0x5a,0x5b, 0x5c,0x5d,0x5e,0x5f, + 0x60,0x61,0x62,0x63, 0x64,0x65,0x66,0x67, + 0x68,0x69,0x6a,0x6b, 0x6c,0x6d,0x6e,0x6f, + 0x70,0x71,0x72,0x73, 0x74,0x75,0x76, + }, +}; + +static const struct hvec *const kat_no_additional[] = { + [0] = &kat_zero, + [1] = &kat_zero, +}; + +static const struct hvec *const kat_additional[] = { + [0] = &(const struct hvec) { + .hv_len = 55, + .hv_base = (const void *)(const uint8_t[]) { + 0x60,0x61,0x62,0x63, 0x64,0x65,0x66,0x67, + 0x68,0x69,0x6a,0x6b, 0x6c,0x6d,0x6e,0x6f, + 0x70,0x71,0x72,0x73, 0x74,0x75,0x76,0x77, + 0x78,0x79,0x7a,0x7b, 0x7c,0x7d,0x7e,0x7f, + 0x80,0x81,0x82,0x83, 0x84,0x85,0x86,0x87, + 0x88,0x89,0x8a,0x8b, 0x8c,0x8d,0x8e,0x8f, + 0x90,0x91,0x92,0x93, 0x94,0x95,0x96, + }, + }, + [1] = &(const struct hvec) { + .hv_len = 55, + .hv_base = (const void *)(const uint8_t[]) { + 0xa0,0xa1,0xa2,0xa3, 0xa4,0xa5,0xa6,0xa7, + 0xa8,0xa9,0xaa,0xab, 0xac,0xad,0xae,0xaf, + 0xb0,0xb1,0xb2,0xb3, 0xb4,0xb5,0xb6,0xb7, + 0xb8,0xb9,0xba,0xbb, 0xbc,0xbd,0xbe,0xbf, + 0xc0,0xc1,0xc2,0xc3, 0xc4,0xc5,0xc6,0xc7, + 0xc8,0xc9,0xca,0xcb, 0xcc,0xcd,0xce,0xcf, + 0xd0,0xd1,0xd2,0xd3, 0xd4,0xd5,0xd6, + }, + }, +}; + +static const struct { + const struct hvec *personalization; + const struct hvec *const *additional; + bool reseed; + uint8_t C[SEEDLEN_BYTES]; + uint8_t V[3][SEEDLEN_BYTES]; + uint8_t rnd_val[2][64]; +} kat[] = { + [0] = { /* Hash_DRBG.pdf, p. 190 */ + .personalization = &kat_zero, + .additional = kat_no_additional, + .reseed = false, + .C = { /* p. 193 */ + 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b, + 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee, + 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a, + 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0, + 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02, + 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea, + 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1, + }, + .V = { + [0] = { /* p. 192 */ + 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09, + 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11, + 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd, + 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95, + 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d, + 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe, + 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1, + }, + [1] = { /* p. 195 */ + 0x8c,0x9f,0xb2,0x8d, 0x1b,0x5c,0xcc,0xa4, + 0x7e,0x7c,0xfa,0x66, 0xba,0xce,0x21,0xff, + 0x26,0x0a,0x16,0xa5, 0xba,0xba,0x7f,0x14, + 0x4e,0x75,0x79,0x36, 0x8e,0x99,0x55,0xbe, + 0xfb,0xe7,0x00,0xee, 0xf8,0x72,0x77,0x6b, + 0x17,0xae,0xff,0xd5, 0x3d,0x76,0xf4,0xe3, + 0xbe,0x65,0xe8,0xc9, 0x4b,0x70,0x8f, + }, + [2] = { /* p. 197 */ + 0x6d,0xfd,0x97,0x35, 0xff,0x0e,0x0e,0x3f, + 0xe0,0x52,0x2f,0x58, 0x18,0x8b,0x53,0xed, + 0x3f,0xf6,0x70,0x05, 0x46,0x52,0x90,0x44, + 0xb6,0x2b,0xe1,0x7d, 0x1b,0x1c,0x21,0xd0, + 0x91,0xb0,0x89,0xb1, 0x77,0x47,0x95,0xdb, + 0x14,0x22,0xa8,0x6c, 0x95,0x46,0x34,0x80, + 0x76,0xb4,0xb6,0x21, 0xc7,0x2f,0x91, + }, + }, + .rnd_val = { + [0] = { + 0x77,0xe0,0x5a,0x0e, 0x7d,0xc7,0x8a,0xb5, + 0xd8,0x93,0x4d,0x5e, 0x93,0xe8,0x2c,0x06, + 0xa0,0x7c,0x04,0xce, 0xe6,0xc9,0xc5,0x30, + 0x45,0xee,0xb4,0x85, 0x87,0x27,0x77,0xcf, + 0x3b,0x3e,0x35,0xc4, 0x74,0xf9,0x76,0xb8, + 0x94,0xbf,0x30,0x1a, 0x86,0xfa,0x65,0x1f, + 0x46,0x39,0x70,0xe8, 0x9d,0x4a,0x05,0x34, + 0xb2,0xec,0xad,0x29, 0xec,0x04,0x4e,0x7e, + }, + { + 0x5f,0xf4,0xba,0x49, 0x3c,0x40,0xcf,0xff, + 0x3b,0x01,0xe4,0x72, 0xc5,0x75,0x66,0x8c, + 0xce,0x38,0x80,0xb9, 0x29,0x0b,0x05,0xbf, + 0xed,0xe5,0xec,0x96, 0xed,0x5e,0x9b,0x28, + 0x98,0x50,0x8b,0x09, 0xbc,0x80,0x0e,0xee, + 0x09,0x9a,0x3c,0x90, 0x60,0x2a,0xbd,0x4b, + 0x1d,0x4f,0x34,0x3d, 0x49,0x7c,0x60,0x55, + 0xc8,0x7b,0xb9,0x56, 0xd5,0x3b,0xf3,0x51, + }, + }, + }, + + [1] = { /* Hash_DRBG.pdf, p. 198 */ + .personalization = &kat_zero, + .additional = kat_additional, + .reseed = false, + .C = { /* p. 201 */ + 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b, + 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee, + 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a, + 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0, + 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02, + 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea, + 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1, + }, + .V = { + [0] = { /* p. 200 */ + 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09, + 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11, + 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd, + 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95, + 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d, + 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe, + 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1, + }, + [1] = { /* p. 204 */ + 0x8c,0x9f,0xb2,0x8d, 0x1b,0x5c,0xcc,0xa4, + 0x7e,0x7c,0xfa,0x66, 0xba,0xce,0x21,0xff, + 0x26,0x0a,0x16,0xa5, 0xba,0xba,0x7f,0x1f, + 0xd3,0x3b,0x30,0x79, 0x8f,0xb2,0x9a,0x0f, + 0xba,0x66,0x65,0x02, 0x7d,0x7f,0x10,0x58, + 0x71,0xbf,0xb4,0x40, 0xdf,0xbe,0xde,0x81, + 0xd0,0x4d,0x22,0xdf, 0xf7,0x89,0xe1, + }, + [2] = { /* p. 207 */ + 0x6d,0xfd,0x97,0x35, 0xff,0x0e,0x0e,0x3f, + 0xe0,0x52,0x2f,0x58, 0x18,0x8b,0x53,0xed, + 0x3f,0xf6,0x70,0x05, 0x46,0x52,0x90,0xe1, + 0x7c,0x5a,0xd8,0x2d, 0xa9,0x2a,0x05,0x01, + 0xaa,0x66,0x3a,0xa6, 0x9f,0xa5,0xa0,0xb0, + 0x81,0x2b,0x4b,0x4f, 0xaf,0xf3,0xfe,0xce, + 0x79,0xcc,0xf6,0xaa, 0xde,0xc1,0xd0, + }, + }, + .rnd_val = { + [0] = { /* p. 203 */ + 0x51,0x07,0x24,0xb9, 0x3a,0xe9,0xa1,0x82, + 0x70,0xe4,0x84,0x73, 0x71,0x1d,0x88,0x24, + 0x63,0x1b,0xaa,0x7f, 0x1d,0x9a,0xc9,0x28, + 0x4e,0x7e,0xc8,0xf3, 0x63,0x7f,0x7a,0x74, + 0x3b,0x36,0x44,0xeb, 0x96,0xc9,0x86,0x27, + 0xc8,0xfd,0x40,0x5a, 0x7a,0x46,0x03,0xf3, + 0x8c,0xff,0x7c,0x89, 0xe9,0xc1,0x33,0xf5, + 0x85,0x1f,0x40,0xe9, 0x20,0x30,0xfe,0xa2, + }, + [1] = { /* p. 206 */ + 0x62,0x53,0xda,0x3a, 0xae,0x8b,0x88,0xa3, + 0xb7,0x46,0xe4,0xc8, 0xb2,0x63,0x5c,0x54, + 0x0f,0x6e,0x9e,0xa7, 0x15,0x7e,0xe6,0x9d, + 0xd7,0x1e,0xfb,0x2e, 0x8f,0xf7,0xbb,0xe1, + 0xe3,0x33,0x68,0x88, 0x38,0xdd,0x7d,0xe4, + 0x9c,0xc8,0x89,0x90, 0x30,0x9c,0x96,0xcd, + 0xb2,0xab,0x92,0x95, 0x74,0x36,0xbf,0x83, + 0xd1,0xbd,0x83,0x08, 0x19,0xc7,0x48,0xca, + }, + }, + }, + + [2] = { /* Hash_DRBG.pdf, p. 208 */ + .personalization = &kat_personalization, + .additional = kat_no_additional, + .reseed = false, + .C = { /* p. 211 */ + 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55, + 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c, + 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69, + 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87, + 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c, + 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03, + 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0, + }, + .V = { + [0] = { /* p. 210 */ + 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69, + 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0, + 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63, + 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4, + 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8, + 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35, + 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca, + }, + [1] = { /* p. 213 */ + 0xe8,0x5d,0xd8,0xb1, 0xd8,0x6c,0x16,0xbf, + 0x62,0x8b,0xf3,0xb5, 0xf9,0x97,0x04,0x4d, + 0x2a,0x69,0x13,0x8c, 0xd6,0xa6,0x6e,0xe7, + 0x36,0xdb,0xaa,0x3b, 0xf1,0xd0,0x28,0x3b, + 0x71,0x7b,0x33,0x6e, 0xb3,0xae,0x5b,0xdd, + 0x04,0x17,0x2e,0xa2, 0x6e,0x5a,0x48,0xf3, + 0xb3,0xfb,0xab,0xf8, 0x2f,0x76,0x79, + }, + [2] = { /* p. 215 */ + 0x2c,0xd2,0x63,0x2a, 0x89,0xda,0x8c,0x15, + 0x02,0x14,0x11,0x07, 0xba,0xf5,0x02,0xb9, + 0x7d,0x38,0xc4,0x48, 0x48,0x08,0x71,0x0a, + 0x66,0xf8,0x40,0x11, 0xd7,0x02,0x8d,0x14, + 0xd3,0x15,0x5a,0x73, 0x79,0xad,0xd5,0x3c, + 0xc8,0xea,0x84,0xd0, 0xfc,0x64,0x1d,0xfc, + 0x62,0x9e,0x06,0x19, 0x1f,0x5f,0x6d, + }, + }, + .rnd_val = { + [0] = { /* p. 213 */ + 0x4a,0x62,0x66,0x4f, 0x26,0x6e,0xe5,0x37, + 0xb9,0x0d,0x64,0xb0, 0x5e,0x1d,0x81,0x3d, + 0x28,0xb1,0x59,0xa9, 0x79,0xf1,0x50,0x9d, + 0xde,0x31,0xb7,0x1d, 0xa4,0x3d,0x54,0x6e, + 0xe8,0xe7,0x86,0x78, 0x20,0x2d,0xc2,0x37, + 0xad,0x4a,0xfe,0x7d, 0xf3,0x10,0xc9,0xa4, + 0x13,0xe3,0x8a,0xaf, 0x41,0x7d,0x2d,0x22, + 0x5a,0xa3,0x65,0xec, 0x4a,0x7d,0x29,0x96, + }, + [1] = { /* p. 215 */ + 0x59,0x58,0x3d,0x3c, 0x0a,0xc3,0x71,0x30, + 0xc4,0x78,0x9a,0x83, 0x11,0xb8,0xca,0x8f, + 0x98,0x5e,0xf1,0xe8, 0xf9,0x4d,0x95,0x4e, + 0x32,0xe3,0x44,0xa6, 0x21,0xc2,0x4b,0x2f, + 0x37,0x1d,0xa9,0xba, 0x3c,0x33,0x15,0x3f, + 0x09,0xe5,0x51,0x45, 0xe7,0x62,0x92,0x6b, + 0x73,0xac,0x14,0x7a, 0x1e,0x86,0x31,0xd1, + 0xcc,0xd0,0x85,0x67, 0xcf,0x67,0x7c,0x72, + }, + }, + }, + + [3] = { /* Hash_DRBG.pdf, p. 215 */ + .personalization = &kat_personalization, + .additional = kat_additional, + .reseed = false, + .C = { /* p. 220 */ + 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55, + 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c, + 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69, + 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87, + 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c, + 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03, + 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0, + }, + .V = { + [0] = { /* p. 218 */ + 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69, + 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0, + 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63, + 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4, + 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8, + 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35, + 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca, + }, + [1] = { /* p. 222 */ + 0xe8,0x5d,0xd8,0xb1, 0xd8,0x6c,0x16,0xbf, + 0x62,0x8b,0xf3,0xb5, 0xf9,0x97,0x04,0x4d, + 0x2a,0x69,0x13,0x8c, 0xd6,0xa6,0x6f,0x8c, + 0xa8,0x7b,0x87,0x43, 0x50,0x20,0x2e,0x1d, + 0x8a,0xb0,0xb5,0xad, 0x47,0xac,0xc2,0x75, + 0x40,0x28,0x9f,0xe3, 0xa8,0xe3,0x1f,0x7b, + 0x56,0x58,0xdd,0xd1, 0x96,0x94,0x89, + }, + [2] = { /* p. 225 */ + 0x2c,0xd2,0x63,0x2a, 0x89,0xda,0x8c,0x15, + 0x02,0x14,0x11,0x07, 0xba,0xf5,0x02,0xb9, + 0x7d,0x38,0xc4,0x48, 0x48,0x08,0x71,0xb2, + 0x77,0xae,0xc7,0xff, 0x8d,0xa2,0x3c,0x71, + 0xef,0xf5,0x9d,0xc2, 0x4e,0x5e,0x4c,0x7f, + 0x58,0x47,0xb0,0xc1, 0x2f,0x6a,0x59,0x9e, + 0x6b,0x2e,0xda,0xc0, 0x30,0x6b,0xcd, + }, + }, + .rnd_val = { /* p. 222 */ + [0] = { + 0xe0,0xb9,0x7c,0x82, 0x12,0x68,0xfd,0x3b, + 0xb2,0xca,0xbf,0xd1, 0xf9,0x54,0x84,0x78, + 0xae,0x8a,0x60,0x41, 0x7f,0x7b,0x09,0x4a, + 0x26,0x13,0x95,0x46, 0x06,0x2b,0x52,0x1c, + 0xfd,0x33,0xe4,0xe3, 0x9b,0x9d,0xcd,0x0a, + 0x3d,0xa1,0x52,0x09, 0xc7,0x2a,0xdb,0xe5, + 0x8c,0x20,0xab,0x34, 0x07,0x02,0x69,0x51, + 0x29,0x7a,0xd2,0x54, 0x30,0x75,0x53,0xa5, + }, + [1] = { /* p. 225 */ + 0xc1,0xac,0xd3,0xad, 0xa4,0xc8,0xc4,0x95, + 0xbf,0x17,0x9d,0xb5, 0x98,0x22,0xc3,0x51, + 0xbc,0x47,0x9a,0xbe, 0x4e,0xb2,0x8f,0x84, + 0x39,0x57,0xb1,0x1e, 0x3c,0x2b,0xc0,0x48, + 0x83,0x96,0x42,0x97, 0x97,0x5b,0xd7,0x2d, + 0x10,0x24,0xab,0xcf, 0x6f,0x66,0x15,0xd7, + 0xf5,0xb4,0xfd,0x1e, 0x40,0xa6,0x4e,0xeb, + 0x45,0xba,0x21,0x81, 0xb8,0x39,0x37,0xed, + }, + }, + }, + + [4] = { /* Hash_DRBG.pdf, p. 225 */ + .personalization = &kat_zero, + .additional = kat_no_additional, + .reseed = true, + .C = { /* p. 229 */ + 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b, + 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee, + 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a, + 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0, + 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02, + 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea, + 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1, + }, + .V = { + [0] = { /* p. 227 */ + 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09, + 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11, + 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd, + 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95, + 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d, + 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe, + 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1, + }, + [1] = { /* p. 234 */ + 0x23,0x97,0x6c,0x61, 0x63,0xd7,0xe2,0x4a, + 0x1a,0x03,0x8f,0x2b, 0x2b,0x64,0x67,0x97, + 0x50,0xca,0x9e,0xd8, 0xd1,0x40,0x69,0x8d, + 0x64,0x22,0x39,0x7b, 0x02,0x96,0x9e,0x6e, + 0xcd,0xd2,0x9d,0xac, 0xc5,0x76,0x7e,0x2c, + 0xc2,0xd0,0xa1,0x56, 0xc8,0x7a,0xd0,0xb3, + 0x57,0x89,0x05,0x07, 0xe0,0x37,0x77, + }, + [2] = { /* p. 239 */ + 0x92,0xfb,0x0e,0x48, 0x0e,0x86,0x99,0x13, + 0xc7,0xad,0x45,0xc7, 0xe3,0xfd,0x46,0x10, + 0x17,0xe5,0xa6,0xb7, 0x70,0xf3,0x3b,0x31, + 0x3c,0x38,0x83,0xf1, 0xcc,0x56,0x71,0x89, + 0x45,0x21,0xf5,0xed, 0xe6,0x2e,0xaa,0xb0, + 0x83,0xb1,0x41,0xa7, 0x5b,0x5c,0xc0,0x22, + 0x60,0x5a,0x8a,0x3d, 0xc7,0x1b,0xa7, + }, + }, + .rnd_val = { + [0] = { /* p. 234 */ + 0x92,0x27,0x55,0x23, 0xc7,0x0e,0x56,0x7b, + 0xcf,0x9b,0x35,0xec, 0x50,0xb9,0x33,0xf8, + 0x12,0x61,0x6d,0xf5, 0x86,0xb7,0xf7,0x2e, + 0xe1,0xbc,0x77,0x35, 0xa5,0xc2,0x65,0x43, + 0x73,0xcb,0xbc,0x72, 0x31,0x6d,0xff,0x84, + 0x20,0xa3,0x3b,0xf0, 0x2b,0x97,0xac,0x8d, + 0x19,0x52,0x58,0x3f, 0x27,0x0a,0xcd,0x70, + 0x05,0xcc,0x02,0x7f, 0x4c,0xf1,0x18,0x7e, + }, + [1] = { /* p. 239 */ + 0x68,0x1a,0x46,0xb2, 0xaa,0x86,0x94,0xa0, + 0xfe,0x4d,0xee,0xa7, 0x20,0x92,0x7a,0x84, + 0xea,0xaa,0x98,0x5e, 0x59,0xc1,0x9f,0x8b, + 0xe0,0x98,0x4d,0x8c, 0xbe,0xf8,0xc6,0x9b, + 0x75,0x41,0x67,0x64, 0x19,0x46,0xe0,0x40, + 0xee,0x20,0x43,0xe1, 0xcc,0xb2,0x9d,0xcf, + 0x06,0x3c,0x0a,0x50, 0x83,0x0e,0x42,0x8e, + 0x6d,0xca,0x26,0x2e, 0xcd,0x77,0xc5,0x42, + }, + }, + }, + + [5] = { /* Hash_DRBG.pdf, p. 239 */ + .personalization = &kat_zero, + .additional = kat_additional, + .reseed = true, + .C = { /* p. 243 */ + 0xe1,0x5d,0xe4,0xa8, 0xe3,0xb1,0x41,0x9b, + 0x61,0xd5,0x34,0xf1, 0x5d,0xbd,0x31,0xee, + 0x19,0xec,0x59,0x5f, 0x8b,0x98,0x11,0x1a, + 0x94,0xf5,0x22,0x37, 0xad,0x5d,0x66,0xf0, + 0xcf,0xaa,0xfd,0xdc, 0x90,0x19,0x59,0x02, + 0xe9,0x79,0xf7,0x9b, 0x65,0x35,0x7f,0xea, + 0x85,0x99,0x8e,0x4e, 0x37,0xd2,0xc1, + }, + .V = { + [0] = { /* p. 242 */ + 0xab,0x41,0xcd,0xe4, 0x37,0xab,0x8b,0x09, + 0x1c,0xa7,0xc5,0x75, 0x5d,0x10,0xf0,0x11, + 0x0c,0x1d,0xbd,0x46, 0x2f,0x22,0x6c,0xfd, + 0xab,0xfb,0xb0,0x4a, 0x8b,0xcd,0xef,0x95, + 0x16,0x7d,0x84,0xaf, 0x64,0x12,0x8c,0x0d, + 0x71,0xf4,0xd5,0xb8, 0xc0,0xed,0xfb,0xbe, + 0x3d,0xf4,0x04,0x48, 0xd2,0xd8,0xe1, + }, + [1] = { /* p. 249 */ + 0xb3,0x74,0x95,0x46, 0x81,0xcf,0xc9,0x5b, + 0x8d,0xb8,0x39,0x52, 0x8c,0x71,0x08,0x83, + 0x5e,0xb4,0xf3,0x0a, 0xd9,0x1c,0xbe,0x9e, + 0xa0,0xd5,0x45,0xcc, 0xfd,0x18,0x13,0x2a, + 0xf1,0xd3,0x76,0x8f, 0x47,0x02,0x77,0x2b, + 0x69,0x15,0x9f,0x2c, 0xc0,0x7f,0x48,0x74, + 0x1e,0xb5,0xb2,0xb1, 0x22,0x11,0x25, + }, + [2] = { /* p. 254 */ + 0xbf,0xe3,0xd6,0x81, 0xa2,0x0f,0xbe,0x39, + 0x03,0x8f,0x4d,0x66, 0x77,0x7c,0x1b,0xe5, + 0x79,0xee,0xb4,0x85, 0x7b,0x42,0xf2,0x1c, + 0x3f,0x59,0x8b,0x59, 0x62,0xb7,0xaa,0x48, + 0x0e,0xa5,0x65,0xfe, 0xea,0xbd,0xfb,0xd6, + 0xa7,0xec,0xcb,0x96, 0x02,0xc1,0x4b,0xfa, + 0x30,0xf0,0xf9,0x81, 0x90,0x0c,0xd0, + }, + }, + .rnd_val = { + [0] = { /* p. 249 */ + 0x11,0x60,0x1b,0x72, 0xca,0x60,0x89,0x73, + 0x6b,0x20,0x47,0x44, 0xb2,0x9d,0xa1,0xaa, + 0xaf,0xba,0xca,0xa5, 0x28,0x8f,0x06,0xbe, + 0x48,0x45,0x69,0xcc, 0xed,0xbe,0xce,0x03, + 0xe8,0x22,0xea,0xa5, 0xb1,0x4f,0x0e,0x04, + 0x94,0x8c,0x05,0xcd, 0x3c,0xc2,0xe2,0x88, + 0x9a,0x89,0xfa,0x03, 0xd6,0x5d,0x4d,0x74, + 0xac,0x50,0xff,0x6b, 0xd8,0x56,0xe5,0x79, + }, + [1] = { /* p. 255 */ + 0x05,0x5b,0xc1,0x28, 0xcc,0x2d,0x0e,0x25, + 0x0f,0x47,0xe4,0xe4, 0xf5,0x82,0x37,0x5d, + 0xe3,0xee,0x5e,0x9f, 0xe8,0x31,0x68,0x74, + 0x97,0xe5,0xaf,0x1e, 0x7c,0xb6,0x9e,0xfd, + 0xeb,0xd2,0xfd,0x31, 0xc7,0xce,0x2b,0xba, + 0x0d,0xbc,0x6c,0x74, 0xc8,0xa2,0x0a,0x7d, + 0x72,0xf6,0x0e,0x6d, 0x9f,0x63,0xed,0x50, + 0x9e,0x96,0x3e,0x54, 0xa6,0x9e,0x90,0x48, + }, + }, + }, + + [6] = { /* Hash_DRBG.pdf, p. 255 */ + .personalization = &kat_personalization, + .additional = kat_no_additional, + .reseed = true, + .C = { /* p. 259 */ + 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55, + 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c, + 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69, + 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87, + 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c, + 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03, + 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0, + }, + .V = { + [0] = { /* p. 257 */ + 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69, + 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0, + 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63, + 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4, + 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8, + 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35, + 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca, + }, + [1] = { /* p. 264 */ + 0xaa,0x11,0x1b,0x0e, 0xd5,0x6c,0xf4,0xa6, + 0xcc,0xe4,0xad,0xe7, 0xf1,0x1b,0x06,0x10, + 0x45,0xbf,0x10,0x92, 0xcb,0xb3,0x8f,0xf3, + 0x23,0x95,0xea,0x62, 0xd2,0x6b,0x27,0xc8, + 0x86,0x89,0x45,0xc5, 0x93,0xba,0x70,0xc3, + 0x84,0xad,0xad,0x45, 0x77,0x1c,0x93,0xb0, + 0x9c,0x27,0x69,0x07, 0x52,0xd1,0xd8, + }, + [2] = { /* p. 269 */ + 0x5f,0x0f,0xd4,0x0c, 0x8c,0x82,0xef,0x41, + 0x03,0x14,0xb8,0x30, 0xc2,0x0f,0xcc,0xea, + 0x71,0x59,0x18,0x9a, 0xea,0x13,0xe8,0x48, + 0x75,0x68,0x68,0x18, 0xcd,0x4f,0x12,0xb9, + 0xde,0xa8,0x82,0x58, 0x16,0xa4,0x13,0xa2, + 0x95,0x72,0x5e,0xb3, 0x3e,0x33,0xb9,0xad, + 0xfe,0xe0,0xb1,0xc2, 0x34,0x0a,0xe0, + }, + }, + .rnd_val = { + [0] = { /* p. 264 */ + 0x7a,0x33,0xd3,0x90, 0x33,0xf8,0x60,0x58, + 0x9f,0x37,0x5e,0x73, 0x35,0x30,0x75,0x52, + 0x96,0x58,0xbb,0xed, 0x99,0xc8,0xa0,0xef, + 0x5e,0x28,0xb3,0x51, 0xb2,0xdf,0x33,0x58, + 0xb3,0xd8,0x9b,0xac, 0x72,0x25,0xdf,0x9e, + 0x3b,0xcd,0x08,0x36, 0xb9,0x9b,0x5d,0xbf, + 0x36,0x3a,0x17,0x0c, 0x7b,0xb9,0xbe,0x41, + 0xa4,0xaa,0x97,0x44, 0x5e,0xce,0xe4,0x1e, + }, + [1] = { /* p. 269 */ + 0x04,0x1a,0xbd,0x94, 0x07,0x9a,0x05,0x71, + 0x88,0x5f,0x16,0x65, 0x94,0x4e,0x0e,0x7f, + 0x1b,0xfa,0xcd,0xea, 0xea,0xe9,0xd4,0x4e, + 0xed,0xc1,0x1f,0xad, 0xd8,0x4c,0x34,0xc7, + 0xca,0xa7,0x3d,0x09, 0xa0,0x19,0x31,0x93, + 0xfa,0x40,0xa1,0x9f, 0x64,0x4f,0x04,0x8d, + 0x2a,0x54,0x17,0x04, 0x25,0x53,0xdf,0x52, + 0x51,0x74,0x1b,0x40, 0xea,0xcf,0xeb,0x98, + }, + }, + }, + + [7] = { /* Hash_DRBG.pdf, p. 269 */ + .personalization = &kat_personalization, + .additional = kat_additional, + .reseed = true, + .C = { /* p. 274 */ + 0x44,0x74,0x8a,0x78, 0xb1,0x6e,0x75,0x55, + 0x9f,0x88,0x1d,0x51, 0xc1,0x5d,0xfe,0x6c, + 0x52,0xcf,0xb0,0xbb, 0x71,0x62,0x01,0x69, + 0xc7,0x93,0x34,0x27, 0x67,0xe7,0xf8,0x87, + 0x5f,0x42,0xcb,0x6a, 0x20,0xc8,0x9d,0x7c, + 0x6e,0xf3,0xdc,0x61, 0x0d,0x8f,0xf2,0x03, + 0xd6,0x76,0x6c,0xed, 0x19,0x19,0xd0, + }, + .V = { + [0] = { /* p. 272 */ + 0xa3,0xe9,0x4e,0x39, 0x26,0xfd,0xa1,0x69, + 0xc3,0x03,0xd6,0x64, 0x38,0x39,0x05,0xe0, + 0xd7,0x99,0x62,0xd1, 0x65,0x44,0x6d,0x63, + 0xbd,0xa6,0x54,0xd1, 0x32,0xf7,0x2d,0xb4, + 0x71,0x56,0x4b,0x45, 0x6f,0xf2,0xee,0xc8, + 0x36,0x42,0x2a,0xcc, 0x5a,0x02,0x99,0x35, + 0xa7,0x99,0x29,0x90, 0x94,0xa1,0xca, + }, + [1] = { /* p. 279 */ + 0xaa,0xf6,0xb9,0x9b, 0x7f,0x84,0xb0,0x36, + 0xe1,0xcc,0xbc,0x9d, 0x57,0x3a,0x36,0xb8, + 0xbd,0xd4,0x7c,0x35, 0x8b,0xb5,0xf3,0xc1, + 0xd6,0xe7,0x90,0x3a, 0xaa,0x29,0xf1,0xc8, + 0x7a,0xe6,0x66,0xb8, 0x86,0x93,0xbe,0xf4, + 0x6c,0x51,0xc2,0x4c, 0x47,0xbe,0xfe,0x4b, + 0x35,0x75,0x4d,0xcb, 0xfa,0x1e,0x7d, + }, + [2] = { /* p. 285 */ + 0x0c,0x75,0x77,0x4d, 0x61,0x02,0x69,0xad, + 0x5b,0xb4,0xab,0xbb, 0x14,0x83,0x23,0xc9, + 0x78,0x9f,0x8f,0x76, 0x25,0xcc,0x34,0x33, + 0x7c,0x03,0x47,0x2d, 0x9a,0x0c,0x4f,0xac, + 0x30,0xbe,0xd2,0xdd, 0xde,0x64,0xb8,0x7a, + 0x2c,0x70,0x67,0x52, 0xc2,0x1a,0xc0,0x11, + 0x27,0x43,0x59,0x2c, 0x4f,0xdf,0x67, + }, + }, + .rnd_val = { /* p. 279 */ + [0] = { + 0x88,0x97,0x32,0x97, 0x5b,0x36,0xe8,0xe2, + 0xe7,0xb7,0x40,0x50, 0xae,0xa1,0x71,0x39, + 0xda,0x2b,0x86,0x34, 0xdc,0xe2,0x13,0x3b, + 0x06,0x34,0x74,0x3f, 0x47,0x75,0x57,0xab, + 0x7b,0x84,0x4e,0xd3, 0xf2,0xa4,0x6c,0xc6, + 0x3e,0xb2,0x32,0x86, 0x46,0x4c,0x51,0xd5, + 0xd7,0x69,0x71,0xc4, 0x7b,0xc5,0xb5,0x5f, + 0xed,0x72,0xa8,0x04, 0x3c,0xbf,0x66,0x4f, + }, + [1] = { + 0xbf,0x49,0xb8,0x89, 0xba,0x98,0x4d,0x34, + 0x63,0x87,0xe8,0x64, 0x7e,0x98,0xbb,0x99, + 0xcd,0x41,0xa3,0x2f, 0xbe,0xc1,0xfc,0xb3, + 0xb6,0xa1,0xb7,0xd9, 0x93,0x2b,0xa7,0xe1, + 0x1e,0xe6,0xbb,0xd9, 0x24,0x40,0x5a,0x2c, + 0x7f,0xca,0x89,0x0a, 0x5e,0x9a,0x8d,0xea, + 0x66,0xac,0x0c,0xac, 0xa0,0xca,0x7b,0xc1, + 0x8d,0x74,0xfb,0xc0, 0x2a,0x11,0xe4,0x53, + }, + }, + }, +}; + +#ifdef NIST_HASH_DRBG_DEBUG +#define DPRINTF(fmt, ...) \ + printf("%s:%d: " fmt, __func__, __LINE__, ##__VA_ARGS__) +#define DUSE(v) +#else +#define DPRINTF(fmt, ...) +#define DUSE(v) (void)(v) +#endif + +#define CHECK(i, name, actual, expected, n) do \ +{ \ + CTASSERT(sizeof(actual) == (n)); \ + ok &= check(i, name, actual, expected, (n)); \ +} while (0) + +static bool +check(unsigned katno, const char *name, const uint8_t *actual, + const uint8_t *expected, size_t n) +{ + bool ok = true; + size_t i; + + DUSE(katno); + DUSE(name); + + for (i = 0; i < n; i++) { + if (actual[i] != expected[i]) { + DPRINTF("KAT %u %s[%zu] = %02x, expected %02x\n", + katno, name, i, actual[i], expected[i]); + ok = false; + } + } + + return ok; +} + +#ifdef NIST_HASH_DRBG_MAIN +int +main(void) +{ + int ret; + + ret = nist_hash_drbg_initialize(); + + fflush(stdout); + return ret || ferror(stdout); +} +#endif + +int +nist_hash_drbg_initialize(void) +{ + const unsigned truncation[] = { 0, 1, 32, 63 }; + bool ok = true; + size_t i, j; + + for (i = 0; i < arraycount(kat); i++) { + for (j = 0; j < arraycount(truncation); j++) { + const unsigned trunc = truncation[j]; + struct nist_hash_drbg drbg, *D = &drbg; + uint8_t rnd_val[64]; + unsigned reseed_counter; + + nist_hash_drbg_instantiate(D, + kat_entropy[0], sizeof kat_entropy[0], + kat_nonce, sizeof kat_nonce, + kat[i].personalization->hv_base, + kat[i].personalization->hv_len); + reseed_counter = 1; + CHECK(i, "C", D->C, kat[i].C, SEEDLEN_BYTES); + CHECK(i, "V[0]", D->V, kat[i].V[0], SEEDLEN_BYTES); + if (D->reseed_counter != reseed_counter) { + DPRINTF("bad reseed counter: %u, expected %u", + D->reseed_counter, reseed_counter); + ok = false; + } + + if (kat[i].reseed) { + nist_hash_drbg_reseed(D, + kat_entropy[1], sizeof kat_entropy[1], + kat[i].additional[0]->hv_base, + kat[i].additional[0]->hv_len); + } + + nist_hash_drbg_generate(D, rnd_val, + sizeof(rnd_val) - trunc, + kat[i].reseed ? 0 : kat[i].additional[0]->hv_base, + kat[i].reseed ? 0 : kat[i].additional[0]->hv_len); + reseed_counter++; + CHECK(i, "V[1]", D->V, kat[i].V[1], SEEDLEN_BYTES); + CHECK(i, "rnd_val[0]", rnd_val, kat[i].rnd_val[0], + sizeof(kat[i].rnd_val[0]) - trunc); + if (D->reseed_counter != reseed_counter) { + DPRINTF("bad reseed counter: %u, expected %u", + D->reseed_counter, reseed_counter); + ok = false; + } + + if (kat[i].reseed) { + nist_hash_drbg_reseed(D, + kat_entropy[2], sizeof kat_entropy[2], + kat[i].additional[1]->hv_base, + kat[i].additional[1]->hv_len); + reseed_counter = 1; + } + + nist_hash_drbg_generate(D, rnd_val, + sizeof(rnd_val) - trunc, + kat[i].reseed ? 0 : kat[i].additional[1]->hv_base, + kat[i].reseed ? 0 : kat[i].additional[1]->hv_len); + reseed_counter++; + CHECK(i, "V[2]", D->V, kat[i].V[2], SEEDLEN_BYTES); + CHECK(i, "rnd_val[1]", rnd_val, kat[i].rnd_val[1], + sizeof(kat[i].rnd_val[1]) - trunc); + if (D->reseed_counter != reseed_counter) { + DPRINTF("bad reseed counter: %u, expected %u", + D->reseed_counter, reseed_counter); + ok = false; + } + + nist_hash_drbg_destroy(D); + } + } + + if (!ok) + return 1; + return 0; +} diff --git a/sys/crypto/nist_hash_drbg/nist_hash_drbg.h b/sys/crypto/nist_hash_drbg/nist_hash_drbg.h new file mode 100644 index 000000000000..1e4ad81b0dec --- /dev/null +++ b/sys/crypto/nist_hash_drbg/nist_hash_drbg.h @@ -0,0 +1,82 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2019 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef NIST_HASH_DRBG_H +#define NIST_HASH_DRBG_H + +#include + +/* Instantiation: SHA-256 */ + +/* 10.1 DRBG Mechanisms Based on Hash Functions, Table 2, SHA-256 column */ +#define NIST_SHA256_HASH_DRBG_SEEDLEN 440u + +#define NIST_HASH_DRBG_SEEDLEN NIST_SHA256_HASH_DRBG_SEEDLEN +#define nist_hash_drbg nist_sha256_hash_drbg +#define nist_hash_drbg_destroy nist_sha256_hash_drbg_destroy +#define nist_hash_drbg_generate nist_sha256_hash_drbg_generate +#define nist_hash_drbg_initialize nist_sha256_hash_drbg_initialize +#define nist_hash_drbg_instantiate nist_sha256_hash_drbg_instantiate +#define nist_hash_drbg_reseed nist_sha256_hash_drbg_reseed +#define nist_hash_drbg_selftest nist_sha256_hash_drbg_selftest + +/* + * By 10.1 DRBG Mechanisms Based on Hash Functions, Table 2, the limit + * is <2^48 requests between reseeds. We truncate this to fit in + * 32-bit signed integer instead for hysterical raisins. + */ +#define NIST_HASH_DRBG_RESEED_INTERVAL 0x7fffffff + +#define NIST_HASH_DRBG_SEEDLEN_BYTES (NIST_HASH_DRBG_SEEDLEN/8) + +#define NIST_HASH_DRBG_MIN_SEEDLEN_BYTES \ + MIN(32, NIST_HASH_DRBG_SEEDLEN_BYTES) + +/* 10.1.1.1 Hash_DRBG Internal State */ + +struct nist_hash_drbg { + uint8_t V[NIST_HASH_DRBG_SEEDLEN_BYTES]; + uint8_t C[NIST_HASH_DRBG_SEEDLEN_BYTES]; + unsigned reseed_counter; +}; + +typedef struct nist_hash_drbg NIST_HASH_DRBG; + +int nist_hash_drbg_initialize(void); +int nist_hash_drbg_instantiate(struct nist_hash_drbg *, + const void *, size_t, const void *, size_t, const void *, size_t); +int nist_hash_drbg_reseed(struct nist_hash_drbg *, + const void *, size_t, const void *, size_t); +int nist_hash_drbg_generate(struct nist_hash_drbg *, void *, size_t, + const void *, size_t); +int nist_hash_drbg_destroy(struct nist_hash_drbg *); + +#endif /* NIST_HASH_DRBG_H */ diff --git a/sys/dev/rndpseudo.c b/sys/dev/rndpseudo.c index 30f0d499a5a7..547deb25084d 100644 --- a/sys/dev/rndpseudo.c +++ b/sys/dev/rndpseudo.c @@ -360,11 +360,12 @@ rnd_read(struct file *fp, off_t *offp, struct uio *uio, kauth_cred_t cred, * Choose a CPRNG to use -- either the per-open CPRNG, if this * is /dev/random or a long read, or the per-CPU one otherwise. * - * XXX NIST_BLOCK_KEYLEN_BYTES is a detail of the cprng(9) + * XXX NIST_HASH_DRBG_MIN_SEEDLEN_BYTES is a detail of the cprng(9) * implementation and as such should not be mentioned here. */ struct cprng_strong *const cprng = - ((ctx->rc_hard || (uio->uio_resid > NIST_BLOCK_KEYLEN_BYTES))? + ((ctx->rc_hard || + (uio->uio_resid > NIST_HASH_DRBG_MIN_SEEDLEN_BYTES))? rnd_ctx_cprng(ctx) : rnd_percpu_cprng()); /* diff --git a/sys/kern/subr_cprng.c b/sys/kern/subr_cprng.c index ecc5c325bd56..24609cf1499a 100644 --- a/sys/kern/subr_cprng.c +++ b/sys/kern/subr_cprng.c @@ -53,7 +53,7 @@ __KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.29 2017/12/01 19:05:49 christos Exp #include #endif -#include +#include #if defined(__HAVE_CPU_COUNTER) #include @@ -77,7 +77,8 @@ cprng_init(void) { static struct sysctllog *random_sysctllog; - nist_ctr_initialize(); + if (nist_hash_drbg_initialize() != 0) + panic("NIST Hash_DRBG failed self-test"); sysctl_createv(&random_sysctllog, 0, NULL, NULL, CTLFLAG_PERMANENT, @@ -120,7 +121,7 @@ struct cprng_strong { struct selinfo cs_selq; struct rndsink *cs_rndsink; bool cs_ready; - NIST_CTR_DRBG cs_drbg; + NIST_HASH_DRBG cs_drbg; /* XXX Kludge for /dev/random `information-theoretic' properties. */ unsigned int cs_remaining; @@ -145,23 +146,23 @@ cprng_strong_create(const char *name, int ipl, int flags) mutex_init(&cprng->cs_lock, MUTEX_DEFAULT, ipl); cv_init(&cprng->cs_cv, cprng->cs_name); selinit(&cprng->cs_selq); - cprng->cs_rndsink = rndsink_create(NIST_BLOCK_KEYLEN_BYTES, + cprng->cs_rndsink = rndsink_create(NIST_HASH_DRBG_MIN_SEEDLEN_BYTES, &cprng_strong_rndsink_callback, cprng); /* Get some initial entropy. Record whether it is full entropy. */ - uint8_t seed[NIST_BLOCK_KEYLEN_BYTES]; + uint8_t seed[NIST_HASH_DRBG_MIN_SEEDLEN_BYTES]; mutex_enter(&cprng->cs_lock); cprng->cs_ready = rndsink_request(cprng->cs_rndsink, seed, sizeof(seed)); - if (nist_ctr_drbg_instantiate(&cprng->cs_drbg, seed, sizeof(seed), + if (nist_hash_drbg_instantiate(&cprng->cs_drbg, seed, sizeof(seed), &cc, sizeof(cc), cprng->cs_name, sizeof(cprng->cs_name))) - /* XXX Fix nist_ctr_drbg API so this can't happen. */ - panic("cprng %s: NIST CTR_DRBG instantiation failed", + /* XXX Fix nist_hash_drbg API so this can't happen. */ + panic("cprng %s: NIST Hash_DRBG instantiation failed", cprng->cs_name); explicit_memset(seed, 0, sizeof(seed)); if (ISSET(flags, CPRNG_HARD)) - cprng->cs_remaining = NIST_BLOCK_KEYLEN_BYTES; + cprng->cs_remaining = NIST_HASH_DRBG_MIN_SEEDLEN_BYTES; else cprng->cs_remaining = 0; @@ -187,7 +188,7 @@ cprng_strong_destroy(struct cprng_strong *cprng) KASSERT(!select_has_waiters(&cprng->cs_selq)) /* XXX ? */ #endif - nist_ctr_drbg_destroy(&cprng->cs_drbg); + nist_hash_drbg_destroy(&cprng->cs_drbg); seldestroy(&cprng->cs_selq); cv_destroy(&cprng->cs_cv); mutex_destroy(&cprng->cs_lock); @@ -232,18 +233,20 @@ cprng_strong(struct cprng_strong *cprng, void *buffer, size_t bytes, int flags) */ if (__predict_false(ISSET(cprng->cs_flags, CPRNG_HARD))) { KASSERT(0 < cprng->cs_remaining); - KASSERT(cprng->cs_remaining <= NIST_BLOCK_KEYLEN_BYTES); + KASSERT(cprng->cs_remaining <= + NIST_HASH_DRBG_MIN_SEEDLEN_BYTES); if (bytes < cprng->cs_remaining) { cprng->cs_remaining -= bytes; } else { bytes = cprng->cs_remaining; - cprng->cs_remaining = NIST_BLOCK_KEYLEN_BYTES; + cprng->cs_remaining = NIST_HASH_DRBG_MIN_SEEDLEN_BYTES; cprng->cs_ready = false; rndsink_schedule(cprng->cs_rndsink); } - KASSERT(bytes <= NIST_BLOCK_KEYLEN_BYTES); + KASSERT(bytes <= NIST_HASH_DRBG_MIN_SEEDLEN_BYTES); KASSERT(0 < cprng->cs_remaining); - KASSERT(cprng->cs_remaining <= NIST_BLOCK_KEYLEN_BYTES); + KASSERT(cprng->cs_remaining <= + NIST_HASH_DRBG_MIN_SEEDLEN_BYTES); } cprng_strong_generate(cprng, buffer, bytes); @@ -364,22 +367,22 @@ cprng_strong_poll(struct cprng_strong *cprng, int events) } /* - * XXX Move nist_ctr_drbg_reseed_advised_p and - * nist_ctr_drbg_reseed_needed_p into the nist_ctr_drbg API and make - * the NIST_CTR_DRBG structure opaque. + * XXX Move nist_hash_drbg_reseed_advised_p and + * nist_hash_drbg_reseed_needed_p into the nist_hash_drbg API and make + * the NIST_HASH_DRBG structure opaque. */ static bool -nist_ctr_drbg_reseed_advised_p(NIST_CTR_DRBG *drbg) +nist_hash_drbg_reseed_advised_p(NIST_HASH_DRBG *drbg) { - return (drbg->reseed_counter > (NIST_CTR_DRBG_RESEED_INTERVAL / 2)); + return (drbg->reseed_counter > (NIST_HASH_DRBG_RESEED_INTERVAL / 2)); } static bool -nist_ctr_drbg_reseed_needed_p(NIST_CTR_DRBG *drbg) +nist_hash_drbg_reseed_needed_p(NIST_HASH_DRBG *drbg) { - return (drbg->reseed_counter >= NIST_CTR_DRBG_RESEED_INTERVAL); + return (drbg->reseed_counter >= NIST_HASH_DRBG_RESEED_INTERVAL); } /* @@ -394,27 +397,27 @@ cprng_strong_generate(struct cprng_strong *cprng, void *buffer, size_t bytes) KASSERT(mutex_owned(&cprng->cs_lock)); /* - * Generate some data from the NIST CTR_DRBG. Caller + * Generate some data from the NIST Hash_DRBG. Caller * guarantees reseed if we're not ready, and if we exhaust the * generator, we mark ourselves not ready. Consequently, this - * call to the CTR_DRBG should not fail. + * call to the Hash_DRBG should not fail. */ - if (__predict_false(nist_ctr_drbg_generate(&cprng->cs_drbg, buffer, + if (__predict_false(nist_hash_drbg_generate(&cprng->cs_drbg, buffer, bytes, &cc, sizeof(cc)))) - panic("cprng %s: NIST CTR_DRBG failed", cprng->cs_name); + panic("cprng %s: NIST Hash_DRBG failed", cprng->cs_name); /* * If we've been seeing a lot of use, ask for some fresh * entropy soon. */ - if (__predict_false(nist_ctr_drbg_reseed_advised_p(&cprng->cs_drbg))) + if (__predict_false(nist_hash_drbg_reseed_advised_p(&cprng->cs_drbg))) rndsink_schedule(cprng->cs_rndsink); /* * If we just exhausted the generator, inform the next user * that we need a reseed. */ - if (__predict_false(nist_ctr_drbg_reseed_needed_p(&cprng->cs_drbg))) { + if (__predict_false(nist_hash_drbg_reseed_needed_p(&cprng->cs_drbg))) { cprng->cs_ready = false; rndsink_schedule(cprng->cs_rndsink); /* paranoia */ } @@ -426,7 +429,7 @@ cprng_strong_generate(struct cprng_strong *cprng, void *buffer, size_t bytes) static void cprng_strong_reseed(struct cprng_strong *cprng) { - uint8_t seed[NIST_BLOCK_KEYLEN_BYTES]; + uint8_t seed[NIST_HASH_DRBG_MIN_SEEDLEN_BYTES]; KASSERT(mutex_owned(&cprng->cs_lock)); @@ -445,7 +448,7 @@ cprng_strong_reseed_from(struct cprng_strong *cprng, { const uint32_t cc = cprng_counter(); - KASSERT(bytes == NIST_BLOCK_KEYLEN_BYTES); + KASSERT(bytes == NIST_HASH_DRBG_MIN_SEEDLEN_BYTES); KASSERT(mutex_owned(&cprng->cs_lock)); /* @@ -473,9 +476,11 @@ cprng_strong_reseed_from(struct cprng_strong *cprng, cprng->cs_name); } - if (nist_ctr_drbg_reseed(&cprng->cs_drbg, seed, bytes, &cc, sizeof(cc))) - /* XXX Fix nist_ctr_drbg API so this can't happen. */ - panic("cprng %s: NIST CTR_DRBG reseed failed", cprng->cs_name); + if (nist_hash_drbg_reseed(&cprng->cs_drbg, seed, bytes, &cc, + sizeof(cc))) + /* XXX Fix nist_hash_drbg API so this can't happen. */ + panic("cprng %s: NIST Hash_DRBG reseed failed", + cprng->cs_name); #if DIAGNOSTIC cprng_strong_rngtest(cprng); @@ -500,9 +505,9 @@ cprng_strong_rngtest(struct cprng_strong *cprng) (void)strlcpy(rt->rt_name, cprng->cs_name, sizeof(rt->rt_name)); - if (nist_ctr_drbg_generate(&cprng->cs_drbg, rt->rt_b, sizeof(rt->rt_b), - NULL, 0)) - panic("cprng %s: NIST CTR_DRBG failed after reseed", + if (nist_hash_drbg_generate(&cprng->cs_drbg, rt->rt_b, + sizeof(rt->rt_b), NULL, 0)) + panic("cprng %s: NIST Hash_DRBG failed after reseed", cprng->cs_name); if (rngtest(rt)) { diff --git a/sys/rump/kern/lib/libcrypto/Makefile b/sys/rump/kern/lib/libcrypto/Makefile index c78a6f79b25b..1539e2accba9 100644 --- a/sys/rump/kern/lib/libcrypto/Makefile +++ b/sys/rump/kern/lib/libcrypto/Makefile @@ -28,8 +28,7 @@ SRCS+= cast128.c SRCS+= des_ecb.c des_setkey.c des_enc.c des_cbc.c des_module.c # rijndael -# rijndael is in rumpkern due to it being used by cprng -#SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c +SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c # skipjack SRCS+= skipjack.c diff --git a/sys/rump/librump/rumpkern/Makefile.rumpkern b/sys/rump/librump/rumpkern/Makefile.rumpkern index 583193d0294b..e7ba9bbbab0d 100644 --- a/sys/rump/librump/rumpkern/Makefile.rumpkern +++ b/sys/rump/librump/rumpkern/Makefile.rumpkern @@ -15,8 +15,7 @@ MAN= rump.3 rump_lwproc.3 ${RUMPTOP}/../uvm \ ${RUMPTOP}/../conf \ ${RUMPTOP}/../dev \ - ${RUMPTOP}/../crypto/nist_ctr_drbg \ - ${RUMPTOP}/../crypto/rijndael \ + ${RUMPTOP}/../crypto/nist_hash_drbg \ ${RUMPTOP}/../crypto/cprng_fast \ ${RUMPTOP}/../secmodel \ ${RUMPTOP}/../secmodel/suser \ @@ -154,10 +153,7 @@ SRCS+= clock_subr.c # sys/dev/crypto # Note: these are here only for cprng. More crypto algos for drivers # are available from the rumpkern_crypto component -SRCS+= nist_ctr_drbg.c -SRCS+= rijndael-alg-fst.c -SRCS+= rijndael-api-fst.c -SRCS+= rijndael.c +SRCS+= nist_hash_drbg.c SRCS+= cprng_fast.c .include "${RUMPTOP}/Makefile.rump" diff --git a/sys/sys/cprng.h b/sys/sys/cprng.h index fe23102ee56b..d99bb4692a7e 100644 --- a/sys/sys/cprng.h +++ b/sys/sys/cprng.h @@ -38,11 +38,11 @@ #include -#include +#include #include /* - * NIST SP800-90 says 2^19 bytes per request for the CTR_DRBG. + * NIST SP800-90 says 2^19 bytes per request for the Hash_DRBG. */ #define CPRNG_MAX_LEN 524288 -- 2.19.1