dropbear: libtomcrypt/src/prngs/sober128.c comparison

comparison libtomcrypt/src/prngs/sober128.c @ 1478:3a933956437e coverity

update coverity

author	Matt Johnston <matt@ucc.asn.au>
date	Fri, 09 Feb 2018 23:49:22 +0800
parents	6dba84798cd5
children	e9dba7abd939

comparison

equal deleted inserted replaced

-:8d24733026c5
+:3a933956437e
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
-*
-* Tom St Denis, [email protected], http://libtom.org
 */
 #include "tomcrypt.h"
 /**
-@file sober128.c
+@file prngs/sober128.c
 Implementation of SOBER-128 by Tom St Denis.
 Based on s128fast.c reference code supplied by Greg Rose of QUALCOMM.
 */
 #ifdef LTC_SOBER128
-#include "sober128tab.c"
+const struct ltc_prng_descriptor sober128_desc =
+{
-const struct ltc_prng_descriptor sober128_desc =
+"sober128",
-{
+40,
-"sober128", 64,
+&sober128_start,
-&sober128_start,
+&sober128_add_entropy,
-&sober128_add_entropy,
+&sober128_ready,
-&sober128_ready,
+&sober128_read,
-&sober128_read,
+&sober128_done,
-&sober128_done,
+&sober128_export,
-&sober128_export,
+&sober128_import,
-&sober128_import,
+&sober128_test
-&sober128_test
 };
-/* don't change these... */
-#define N                        17
-#define FOLD                      N /* how many iterations of folding to do */
-#define INITKONST        0x6996c53a /* value of KONST to use during key loading */
-#define KEYP                     15 /* where to insert key words */
-#define FOLDP                     4 /* where to insert non-linear feedback */
-#define B(x,i) ((unsigned char)(((x) >> (8*i)) & 0xFF))
-static ulong32 BYTE2WORD(unsigned char *b)
-{
-ulong32 t;
-LOAD32L(t, b);
-return t;
-}
-#define WORD2BYTE(w, b) STORE32L(b, w)
-static void XORWORD(ulong32 w, unsigned char *b)
-{
-ulong32 t;
-LOAD32L(t, b);
-t ^= w;
-STORE32L(t, b);
-}
-/* give correct offset for the current position of the register,
-* where logically R[0] is at position "zero".
-*/
-#define OFF(zero, i) (((zero)+(i)) % N)
-/* step the LFSR */
-/* After stepping, "zero" moves right one place */
-#define STEP(R,z) \
-R[OFF(z,0)] = R[OFF(z,15)] ^ R[OFF(z,4)] ^ (R[OFF(z,0)] << 8) ^ Multab[(R[OFF(z,0)] >> 24) & 0xFF];
-static void cycle(ulong32 *R)
-{
-ulong32 t;
-int     i;
-STEP(R,0);
-t = R[0];
-for (i = 1; i < N; ++i) {
-R[i-1] = R[i];
-}
-R[N-1] = t;
-}
-/* Return a non-linear function of some parts of the register.
-*/
-#define NLFUNC(c,z) \
-{ \
-t = c->R[OFF(z,0)] + c->R[OFF(z,16)]; \
-t ^= Sbox[(t >> 24) & 0xFF]; \
-t = RORc(t, 8); \
-t = ((t + c->R[OFF(z,1)]) ^ c->konst) + c->R[OFF(z,6)]; \
-t ^= Sbox[(t >> 24) & 0xFF]; \
-t = t + c->R[OFF(z,13)]; \
-}
-static ulong32 nltap(struct sober128_prng *c)
-{
-ulong32 t;
-NLFUNC(c, 0);
-return t;
-}
 /**
 Start the PRNG
 @param prng     [out] The PRNG state to initialize
 @return CRYPT_OK if successful
 */
 int sober128_start(prng_state *prng)
 {
-int                   i;
+LTC_ARGCHK(prng != NULL);
-struct sober128_prng *c;
+prng->ready = 0;
+XMEMSET(&prng->sober128.ent, 0, sizeof(prng->sober128.ent));
-LTC_ARGCHK(prng != NULL);
+prng->sober128.idx = 0;
+LTC_MUTEX_INIT(&prng->lock)
-c = &(prng->sober128);
+return CRYPT_OK;
-/* Register initialised to Fibonacci numbers */
-c->R[0] = 1;
-c->R[1] = 1;
-for (i = 2; i < N; ++i) {
-c->R[i] = c->R[i-1] + c->R[i-2];
-}
-c->konst = INITKONST;
-/* next add_entropy will be the key */
-c->flag  = 1;
-c->set   = 0;
-return CRYPT_OK;
-}
-/* Save the current register state
-*/
-static void s128_savestate(struct sober128_prng *c)
-{
-int i;
-for (i = 0; i < N; ++i) {
-c->initR[i] = c->R[i];
-}
-}
-/* initialise to previously saved register state
-*/
-static void s128_reloadstate(struct sober128_prng *c)
-{
-int i;
-for (i = 0; i < N; ++i) {
-c->R[i] = c->initR[i];
-}
-}
-/* Initialise "konst"
-*/
-static void s128_genkonst(struct sober128_prng *c)
-{
-ulong32 newkonst;
-do {
-cycle(c->R);
-newkonst = nltap(c);
-} while ((newkonst & 0xFF000000) == 0);
-c->konst = newkonst;
-}
-/* Load key material into the register
-*/
-#define ADDKEY(k) \
-c->R[KEYP] += (k);
-#define XORNL(nl) \
-c->R[FOLDP] ^= (nl);
-/* nonlinear diffusion of register for key */
-#define DROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); c->R[OFF((z+1),FOLDP)] ^= t;
-static void s128_diffuse(struct sober128_prng *c)
-{
-ulong32 t;
-/* relies on FOLD == N == 17! */
-DROUND(0);
-DROUND(1);
-DROUND(2);
-DROUND(3);
-DROUND(4);
-DROUND(5);
-DROUND(6);
-DROUND(7);
-DROUND(8);
-DROUND(9);
-DROUND(10);
-DROUND(11);
-DROUND(12);
-DROUND(13);
-DROUND(14);
-DROUND(15);
-DROUND(16);
 }
 /**
 Add entropy to the PRNG state
 @param in       The data to add
 @param inlen    Length of the data to add
 @param prng     PRNG state to update
 @return CRYPT_OK if successful
 */
 int sober128_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng)
 {
-struct sober128_prng *c;
+unsigned char buf[40];
-ulong32               i, k;
+unsigned long i;
+int err;
-LTC_ARGCHK(in != NULL);
 LTC_ARGCHK(prng != NULL);
-c = &(prng->sober128);
+LTC_ARGCHK(in != NULL);
+LTC_ARGCHK(inlen > 0);
-if (c->flag == 1) {
-/* this is the first call to the add_entropy so this input is the key */
+LTC_MUTEX_LOCK(&prng->lock);
-/* inlen must be multiple of 4 bytes */
+if (prng->ready) {
-if ((inlen & 3) != 0) {
+/* sober128_ready() was already called, do "rekey" operation */
-return CRYPT_INVALID_KEYSIZE;
+if ((err = sober128_stream_keystream(&prng->sober128.s, buf, sizeof(buf))) != CRYPT_OK) goto LBL_UNLOCK;
-}
+for(i = 0; i < inlen; i++) buf[i % sizeof(buf)] ^= in[i];
+/* key 32 bytes, 20 rounds */
-for (i = 0; i < inlen; i += 4) {
+if ((err = sober128_stream_setup(&prng->sober128.s, buf, 32)) != CRYPT_OK)     goto LBL_UNLOCK;
-k = BYTE2WORD((unsigned char *)&in[i]);
+/* iv 8 bytes */
-ADDKEY(k);
+if ((err = sober128_stream_setiv(&prng->sober128.s, buf + 32, 8)) != CRYPT_OK) goto LBL_UNLOCK;
-cycle(c->R);
+/* clear KEY + IV */
-XORNL(nltap(c));
+zeromem(buf, sizeof(buf));
 }
+else {
-/* also fold in the length of the key */
+/* sober128_ready() was not called yet, add entropy to ent buffer */
-ADDKEY(inlen);
+while (inlen--) prng->sober128.ent[prng->sober128.idx++ % sizeof(prng->sober128.ent)] ^= *in++;
+}
-/* now diffuse */
+err = CRYPT_OK;
-s128_diffuse(c);
+LBL_UNLOCK:
+LTC_MUTEX_UNLOCK(&prng->lock);
-s128_genkonst(c);
+return err;
-s128_savestate(c);
-c->nbuf = 0;
-c->flag = 0;
-c->set  = 1;
-} else {
-/* ok we are adding an IV then... */
-s128_reloadstate(c);
-/* inlen must be multiple of 4 bytes */
-if ((inlen & 3) != 0) {
-return CRYPT_INVALID_KEYSIZE;
-}
-for (i = 0; i < inlen; i += 4) {
-k = BYTE2WORD((unsigned char *)&in[i]);
-ADDKEY(k);
-cycle(c->R);
-XORNL(nltap(c));
-}
-/* also fold in the length of the key */
-ADDKEY(inlen);
-/* now diffuse */
-s128_diffuse(c);
-c->nbuf = 0;
-}
-return CRYPT_OK;
 }
 /**
 Make the PRNG ready to read from
 @param prng   The PRNG to make active
 @return CRYPT_OK if successful
 */
 int sober128_ready(prng_state *prng)
 {
-return prng->sober128.set == 1 ? CRYPT_OK : CRYPT_ERROR;
+int err;
-}
+LTC_ARGCHK(prng != NULL);
-/* XOR pseudo-random bytes into buffer
-*/
+LTC_MUTEX_LOCK(&prng->lock);
-#define SROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); XORWORD(t, out+(z*4));
+if (prng->ready)                                                            { err = CRYPT_OK; goto LBL_UNLOCK; }
+/* key 32 bytes, 20 rounds */
+if ((err = sober128_stream_setup(&prng->sober128.s, prng->sober128.ent, 32)) != CRYPT_OK)     goto LBL_UNLOCK;
+/* iv 8 bytes */
+if ((err = sober128_stream_setiv(&prng->sober128.s, prng->sober128.ent + 32, 8)) != CRYPT_OK) goto LBL_UNLOCK;
+XMEMSET(&prng->sober128.ent, 0, sizeof(prng->sober128.ent));
+prng->sober128.idx = 0;
+prng->ready = 1;
+LBL_UNLOCK:
+LTC_MUTEX_UNLOCK(&prng->lock);
+return err;
+}
 /**
 Read from the PRNG
 @param out      Destination
 @param outlen   Length of output
 @param prng     The active PRNG to read from
 @return Number of octets read
 */
 unsigned long sober128_read(unsigned char *out, unsigned long outlen, prng_state *prng)
 {
-struct sober128_prng *c;
+if (outlen == 0 || prng == NULL || out == NULL) return 0;
-ulong32               t, tlen;
+LTC_MUTEX_LOCK(&prng->lock);
+if (!prng->ready) { outlen = 0; goto LBL_UNLOCK; }
-LTC_ARGCHK(out  != NULL);
+if (sober128_stream_keystream(&prng->sober128.s, out, outlen) != CRYPT_OK) outlen = 0;
-LTC_ARGCHK(prng != NULL);
+LBL_UNLOCK:
+LTC_MUTEX_UNLOCK(&prng->lock);
-#ifdef LTC_VALGRIND
+return outlen;
-zeromem(out, outlen);
-#endif
-c = &(prng->sober128);
-t = 0;
-tlen = outlen;
-/* handle any previously buffered bytes */
-while (c->nbuf != 0 && outlen != 0) {
-*out++ ^= c->sbuf & 0xFF;
-c->sbuf >>= 8;
-c->nbuf -= 8;
---outlen;
-}
-#ifndef LTC_SMALL_CODE
-/* do lots at a time, if there's enough to do */
-while (outlen >= N*4) {
-SROUND(0);
-SROUND(1);
-SROUND(2);
-SROUND(3);
-SROUND(4);
-SROUND(5);
-SROUND(6);
-SROUND(7);
-SROUND(8);
-SROUND(9);
-SROUND(10);
-SROUND(11);
-SROUND(12);
-SROUND(13);
-SROUND(14);
-SROUND(15);
-SROUND(16);
-out    += 4*N;
-outlen -= 4*N;
-}
-#endif
-/* do small or odd size buffers the slow way */
-while (4 <= outlen) {
-cycle(c->R);
-t = nltap(c);
-XORWORD(t, out);
-out    += 4;
-outlen -= 4;
-}
-/* handle any trailing bytes */
-if (outlen != 0) {
-cycle(c->R);
-c->sbuf = nltap(c);
-c->nbuf = 32;
-while (c->nbuf != 0 && outlen != 0) {
-*out++ ^= c->sbuf & 0xFF;
-c->sbuf >>= 8;
-c->nbuf -= 8;
---outlen;
-}
-}
-return tlen;
 }
 /**
 Terminate the PRNG
 @param prng   The PRNG to terminate
 @return CRYPT_OK if successful
 */
 int sober128_done(prng_state *prng)
 {
-LTC_ARGCHK(prng != NULL);
+int err;
-return CRYPT_OK;
+LTC_ARGCHK(prng != NULL);
+LTC_MUTEX_LOCK(&prng->lock);
+prng->ready = 0;
+err = sober128_stream_done(&prng->sober128.s);
+LTC_MUTEX_UNLOCK(&prng->lock);
+LTC_MUTEX_DESTROY(&prng->lock);
+return err;
 }
 /**
 Export the PRNG state
 @param out       [out] Destination
 @param outlen    [in/out] Max size and resulting size of the state
 @param prng      The PRNG to export
 @return CRYPT_OK if successful
 */
 int sober128_export(unsigned char *out, unsigned long *outlen, prng_state *prng)
 {
+unsigned long len = sober128_desc.export_size;
+LTC_ARGCHK(prng   != NULL);
+LTC_ARGCHK(out    != NULL);
 LTC_ARGCHK(outlen != NULL);
-LTC_ARGCHK(out    != NULL);
-LTC_ARGCHK(prng   != NULL);
+if (*outlen < len) {
+*outlen = len;
-if (*outlen < 64) {
-*outlen = 64;
 return CRYPT_BUFFER_OVERFLOW;
 }
-if (sober128_read(out, 64, prng) != 64) {
+if (sober128_read(out, len, prng) != len) {
 return CRYPT_ERROR_READPRNG;
 }
-*outlen = 64;
+*outlen = len;
 return CRYPT_OK;
 }
 /**
 Import a PRNG state
 @param in       The PRNG state
 @param inlen    Size of the state
 @param prng     The PRNG to import
 @return CRYPT_OK if successful
 */
 int sober128_import(const unsigned char *in, unsigned long inlen, prng_state *prng)
 {
 int err;
+LTC_ARGCHK(prng != NULL);
 LTC_ARGCHK(in   != NULL);
-LTC_ARGCHK(prng != NULL);
+if (inlen < (unsigned long)sober128_desc.export_size) return CRYPT_INVALID_ARG;
-if (inlen != 64) {
+if ((err = sober128_start(prng)) != CRYPT_OK) return err;
-return CRYPT_INVALID_ARG;
+if ((err = sober128_add_entropy(in, sober128_desc.export_size, prng)) != CRYPT_OK) return err;
-}
+return CRYPT_OK;
-if ((err = sober128_start(prng)) != CRYPT_OK) {
-return err;
-}
-if ((err = sober128_add_entropy(in, 64, prng)) != CRYPT_OK) {
-return err;
-}
-return sober128_ready(prng);
 }
 /**
 PRNG self-test
 @return CRYPT_OK if successful, CRYPT_NOP if self-testing has been disabled
 */
 int sober128_test(void)
 {
 #ifndef LTC_TEST
 return CRYPT_NOP;
 #else
-static const struct {
+prng_state st;
-int keylen, ivlen, len;
+unsigned char en[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
-unsigned char key[16], iv[4], out[20];
+0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14,
-} tests[] = {
+0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e,
+0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,
-{
+0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32 };
-16, 4, 20,
+unsigned char dmp[300];
+unsigned long dmplen = sizeof(dmp);
-/* key */
+unsigned char out[500];
-{ 0x74, 0x65, 0x73, 0x74, 0x20, 0x6b, 0x65, 0x79,
+unsigned char t1[] = { 0x31, 0x82, 0xA7, 0xA5, 0x8B, 0xD7, 0xCB, 0x39, 0x86, 0x1A };
-0x20, 0x31, 0x32, 0x38, 0x62, 0x69, 0x74, 0x73 },
+unsigned char t2[] = { 0x6B, 0x43, 0x9E, 0xBC, 0xE7, 0x62, 0x9B, 0xE6, 0x9B, 0x83 };
+unsigned char t3[] = { 0x4A, 0x0E, 0x6C, 0xC1, 0xCF, 0xB4, 0x73, 0x49, 0x99, 0x05 };
-/* IV */
+int err;
-{ 0x00, 0x00, 0x00, 0x00 },
+if ((err = sober128_start(&st)) != CRYPT_OK)                         return err;
-/* expected output */
+/* add entropy to uninitialized prng */
-{ 0x43, 0x50, 0x0c, 0xcf, 0x89, 0x91, 0x9f, 0x1d,
+if ((err = sober128_add_entropy(en, sizeof(en), &st)) != CRYPT_OK)   return err;
-0xaa, 0x37, 0x74, 0x95, 0xf4, 0xb4, 0x58, 0xc2,
+if ((err = sober128_ready(&st)) != CRYPT_OK)                         return err;
-0x40, 0x37, 0x8b, 0xbb }
+if (sober128_read(out, 10, &st) != 10)                               return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
-}
+if (compare_testvector(out, 10, t1, sizeof(t1), "SOBER128-PRNG", 1)) return CRYPT_FAIL_TESTVECTOR;
+if (sober128_read(out, 500, &st) != 500)                             return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
-};
+/* add entropy to already initialized prng */
-prng_state    prng;
+if ((err = sober128_add_entropy(en, sizeof(en), &st)) != CRYPT_OK)   return err;
-unsigned char dst[20];
+if (sober128_read(out, 500, &st) != 500)                             return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
-int           err, x;
+if ((err = sober128_export(dmp, &dmplen, &st)) != CRYPT_OK)          return err;
+if (sober128_read(out, 500, &st) != 500)                             return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
-for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) {
+if (sober128_read(out, 10, &st) != 10)                               return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
-if ((err = sober128_start(&prng)) != CRYPT_OK) {
+if (compare_testvector(out, 10, t2, sizeof(t2), "SOBER128-PRNG", 2)) return CRYPT_FAIL_TESTVECTOR;
-return err;
+if ((err = sober128_done(&st)) != CRYPT_OK)                          return err;
-}
+if ((err = sober128_import(dmp, dmplen, &st)) != CRYPT_OK)           return err;
-if ((err = sober128_add_entropy(tests[x].key, tests[x].keylen, &prng)) != CRYPT_OK) {
+if ((err = sober128_ready(&st)) != CRYPT_OK)                         return err;
-return err;
+if (sober128_read(out, 500, &st) != 500)                             return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
-}
+if (sober128_read(out, 10, &st) != 10)                               return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
-/* add IV */
+if (compare_testvector(out, 10, t3, sizeof(t3), "SOBER128-PRNG", 3)) return CRYPT_FAIL_TESTVECTOR;
-if ((err = sober128_add_entropy(tests[x].iv, tests[x].ivlen, &prng)) != CRYPT_OK) {
+if ((err = sober128_done(&st)) != CRYPT_OK)                          return err;
-return err;
-}
+return CRYPT_OK;
-/* ready up */
-if ((err = sober128_ready(&prng)) != CRYPT_OK) {
-return err;
-}
-XMEMSET(dst, 0, tests[x].len);
-if (sober128_read(dst, tests[x].len, &prng) != (unsigned long)tests[x].len) {
-return CRYPT_ERROR_READPRNG;
-}
-sober128_done(&prng);
-if (XMEMCMP(dst, tests[x].out, tests[x].len)) {
-#if 0
-printf("\n\nLTC_SOBER128 failed, I got:\n");
-for (y = 0; y < tests[x].len; y++) printf("%02x ", dst[y]);
-printf("\n");
 #endif
-return CRYPT_FAIL_TESTVECTOR;
+}
-}
-}
-return CRYPT_OK;
 #endif
-}
+/* ref:         $Format:%D$ */
-#endif
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */

Mercurial > dropbear

comparison libtomcrypt/src/prngs/sober128.c @ 1478:3a933956437e coverity