Mercurial > dropbear
comparison libtomcrypt/src/prngs/fortuna.c @ 1437:871b18fd7065 fuzz
merge from main (libtommath/libtomcrypt/curve25510-donna updates)
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sat, 24 Jun 2017 22:51:45 +0800 |
parents | f849a5ca2efc |
children | 6dba84798cd5 |
comparison
equal
deleted
inserted
replaced
1432:41dca1e5ea34 | 1437:871b18fd7065 |
---|---|
4 * algorithms in a highly modular and flexible manner. | 4 * algorithms in a highly modular and flexible manner. |
5 * | 5 * |
6 * The library is free for all purposes without any express | 6 * The library is free for all purposes without any express |
7 * guarantee it works. | 7 * guarantee it works. |
8 * | 8 * |
9 * Tom St Denis, [email protected], http://libtomcrypt.com | 9 * Tom St Denis, [email protected], http://libtom.org |
10 */ | 10 */ |
11 #include "tomcrypt.h" | 11 #include "tomcrypt.h" |
12 | 12 |
13 /** | 13 /** |
14 @file fortuna.c | 14 @file fortuna.c |
17 | 17 |
18 /* Implementation of Fortuna by Tom St Denis | 18 /* Implementation of Fortuna by Tom St Denis |
19 | 19 |
20 We deviate slightly here for reasons of simplicity [and to fit in the API]. First all "sources" | 20 We deviate slightly here for reasons of simplicity [and to fit in the API]. First all "sources" |
21 in the AddEntropy function are fixed to 0. Second since no reliable timer is provided | 21 in the AddEntropy function are fixed to 0. Second since no reliable timer is provided |
22 we reseed automatically when len(pool0) >= 64 or every FORTUNA_WD calls to the read function */ | 22 we reseed automatically when len(pool0) >= 64 or every LTC_FORTUNA_WD calls to the read function */ |
23 | 23 |
24 #ifdef FORTUNA | 24 #ifdef LTC_FORTUNA |
25 | 25 |
26 /* requries SHA256 and AES */ | 26 /* requries LTC_SHA256 and AES */ |
27 #if !(defined(RIJNDAEL) && defined(SHA256)) | 27 #if !(defined(LTC_RIJNDAEL) && defined(LTC_SHA256)) |
28 #error FORTUNA requires SHA256 and RIJNDAEL (AES) | 28 #error LTC_FORTUNA requires LTC_SHA256 and LTC_RIJNDAEL (AES) |
29 #endif | 29 #endif |
30 | 30 |
31 #ifndef FORTUNA_POOLS | 31 #ifndef LTC_FORTUNA_POOLS |
32 #warning FORTUNA_POOLS was not previously defined (old headers?) | 32 #warning LTC_FORTUNA_POOLS was not previously defined (old headers?) |
33 #define FORTUNA_POOLS 32 | 33 #define LTC_FORTUNA_POOLS 32 |
34 #endif | 34 #endif |
35 | 35 |
36 #if FORTUNA_POOLS < 4 || FORTUNA_POOLS > 32 | 36 #if LTC_FORTUNA_POOLS < 4 || LTC_FORTUNA_POOLS > 32 |
37 #error FORTUNA_POOLS must be in [4..32] | 37 #error LTC_FORTUNA_POOLS must be in [4..32] |
38 #endif | 38 #endif |
39 | 39 |
40 const struct ltc_prng_descriptor fortuna_desc = { | 40 const struct ltc_prng_descriptor fortuna_desc = { |
41 "fortuna", 1024, | 41 "fortuna", 1024, |
42 &fortuna_start, | 42 &fortuna_start, |
69 hash_state md; | 69 hash_state md; |
70 int err, x; | 70 int err, x; |
71 | 71 |
72 ++prng->fortuna.reset_cnt; | 72 ++prng->fortuna.reset_cnt; |
73 | 73 |
74 /* new K == SHA256(K || s) where s == SHA256(P0) || SHA256(P1) ... */ | 74 /* new K == LTC_SHA256(K || s) where s == LTC_SHA256(P0) || LTC_SHA256(P1) ... */ |
75 sha256_init(&md); | 75 sha256_init(&md); |
76 if ((err = sha256_process(&md, prng->fortuna.K, 32)) != CRYPT_OK) { | 76 if ((err = sha256_process(&md, prng->fortuna.K, 32)) != CRYPT_OK) { |
77 sha256_done(&md, tmp); | 77 sha256_done(&md, tmp); |
78 return err; | 78 return err; |
79 } | 79 } |
80 | 80 |
81 for (x = 0; x < FORTUNA_POOLS; x++) { | 81 for (x = 0; x < LTC_FORTUNA_POOLS; x++) { |
82 if (x == 0 || ((prng->fortuna.reset_cnt >> (x-1)) & 1) == 0) { | 82 if (x == 0 || ((prng->fortuna.reset_cnt >> (x-1)) & 1) == 0) { |
83 /* terminate this hash */ | 83 /* terminate this hash */ |
84 if ((err = sha256_done(&prng->fortuna.pool[x], tmp)) != CRYPT_OK) { | 84 if ((err = sha256_done(&prng->fortuna.pool[x], tmp)) != CRYPT_OK) { |
85 sha256_done(&md, tmp); | 85 sha256_done(&md, tmp); |
86 return err; | 86 return err; |
133 unsigned char tmp[MAXBLOCKSIZE]; | 133 unsigned char tmp[MAXBLOCKSIZE]; |
134 | 134 |
135 LTC_ARGCHK(prng != NULL); | 135 LTC_ARGCHK(prng != NULL); |
136 | 136 |
137 /* initialize the pools */ | 137 /* initialize the pools */ |
138 for (x = 0; x < FORTUNA_POOLS; x++) { | 138 for (x = 0; x < LTC_FORTUNA_POOLS; x++) { |
139 if ((err = sha256_init(&prng->fortuna.pool[x])) != CRYPT_OK) { | 139 if ((err = sha256_init(&prng->fortuna.pool[x])) != CRYPT_OK) { |
140 for (y = 0; y < x; y++) { | 140 for (y = 0; y < x; y++) { |
141 sha256_done(&prng->fortuna.pool[y], tmp); | 141 sha256_done(&prng->fortuna.pool[y], tmp); |
142 } | 142 } |
143 return err; | 143 return err; |
147 prng->fortuna.reset_cnt = 0; | 147 prng->fortuna.reset_cnt = 0; |
148 | 148 |
149 /* reset bufs */ | 149 /* reset bufs */ |
150 zeromem(prng->fortuna.K, 32); | 150 zeromem(prng->fortuna.K, 32); |
151 if ((err = rijndael_setup(prng->fortuna.K, 32, 0, &prng->fortuna.skey)) != CRYPT_OK) { | 151 if ((err = rijndael_setup(prng->fortuna.K, 32, 0, &prng->fortuna.skey)) != CRYPT_OK) { |
152 for (x = 0; x < FORTUNA_POOLS; x++) { | 152 for (x = 0; x < LTC_FORTUNA_POOLS; x++) { |
153 sha256_done(&prng->fortuna.pool[x], tmp); | 153 sha256_done(&prng->fortuna.pool[x], tmp); |
154 } | 154 } |
155 return err; | 155 return err; |
156 } | 156 } |
157 zeromem(prng->fortuna.IV, 16); | 157 zeromem(prng->fortuna.IV, 16); |
196 return err; | 196 return err; |
197 } | 197 } |
198 if (prng->fortuna.pool_idx == 0) { | 198 if (prng->fortuna.pool_idx == 0) { |
199 prng->fortuna.pool0_len += inlen; | 199 prng->fortuna.pool0_len += inlen; |
200 } | 200 } |
201 if (++(prng->fortuna.pool_idx) == FORTUNA_POOLS) { | 201 if (++(prng->fortuna.pool_idx) == LTC_FORTUNA_POOLS) { |
202 prng->fortuna.pool_idx = 0; | 202 prng->fortuna.pool_idx = 0; |
203 } | 203 } |
204 | 204 |
205 LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); | 205 LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); |
206 return CRYPT_OK; | 206 return CRYPT_OK; |
233 LTC_ARGCHK(prng != NULL); | 233 LTC_ARGCHK(prng != NULL); |
234 | 234 |
235 LTC_MUTEX_LOCK(&prng->fortuna.prng_lock); | 235 LTC_MUTEX_LOCK(&prng->fortuna.prng_lock); |
236 | 236 |
237 /* do we have to reseed? */ | 237 /* do we have to reseed? */ |
238 if (++prng->fortuna.wd == FORTUNA_WD || prng->fortuna.pool0_len >= 64) { | 238 if (++prng->fortuna.wd == LTC_FORTUNA_WD || prng->fortuna.pool0_len >= 64) { |
239 if ((err = fortuna_reseed(prng)) != CRYPT_OK) { | 239 if ((err = fortuna_reseed(prng)) != CRYPT_OK) { |
240 LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); | 240 LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); |
241 return 0; | 241 return 0; |
242 } | 242 } |
243 } | 243 } |
288 | 288 |
289 LTC_ARGCHK(prng != NULL); | 289 LTC_ARGCHK(prng != NULL); |
290 LTC_MUTEX_LOCK(&prng->fortuna.prng_lock); | 290 LTC_MUTEX_LOCK(&prng->fortuna.prng_lock); |
291 | 291 |
292 /* terminate all the hashes */ | 292 /* terminate all the hashes */ |
293 for (x = 0; x < FORTUNA_POOLS; x++) { | 293 for (x = 0; x < LTC_FORTUNA_POOLS; x++) { |
294 if ((err = sha256_done(&(prng->fortuna.pool[x]), tmp)) != CRYPT_OK) { | 294 if ((err = sha256_done(&(prng->fortuna.pool[x]), tmp)) != CRYPT_OK) { |
295 LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); | 295 LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); |
296 return err; | 296 return err; |
297 } | 297 } |
298 } | 298 } |
323 LTC_ARGCHK(prng != NULL); | 323 LTC_ARGCHK(prng != NULL); |
324 | 324 |
325 LTC_MUTEX_LOCK(&prng->fortuna.prng_lock); | 325 LTC_MUTEX_LOCK(&prng->fortuna.prng_lock); |
326 | 326 |
327 /* we'll write bytes for s&g's */ | 327 /* we'll write bytes for s&g's */ |
328 if (*outlen < 32*FORTUNA_POOLS) { | 328 if (*outlen < 32*LTC_FORTUNA_POOLS) { |
329 LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); | 329 LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); |
330 *outlen = 32*FORTUNA_POOLS; | 330 *outlen = 32*LTC_FORTUNA_POOLS; |
331 return CRYPT_BUFFER_OVERFLOW; | 331 return CRYPT_BUFFER_OVERFLOW; |
332 } | 332 } |
333 | 333 |
334 md = XMALLOC(sizeof(hash_state)); | 334 md = XMALLOC(sizeof(hash_state)); |
335 if (md == NULL) { | 335 if (md == NULL) { |
338 } | 338 } |
339 | 339 |
340 /* to emit the state we copy each pool, terminate it then hash it again so | 340 /* to emit the state we copy each pool, terminate it then hash it again so |
341 * an attacker who sees the state can't determine the current state of the PRNG | 341 * an attacker who sees the state can't determine the current state of the PRNG |
342 */ | 342 */ |
343 for (x = 0; x < FORTUNA_POOLS; x++) { | 343 for (x = 0; x < LTC_FORTUNA_POOLS; x++) { |
344 /* copy the PRNG */ | 344 /* copy the PRNG */ |
345 XMEMCPY(md, &(prng->fortuna.pool[x]), sizeof(*md)); | 345 XMEMCPY(md, &(prng->fortuna.pool[x]), sizeof(*md)); |
346 | 346 |
347 /* terminate it */ | 347 /* terminate it */ |
348 if ((err = sha256_done(md, out+x*32)) != CRYPT_OK) { | 348 if ((err = sha256_done(md, out+x*32)) != CRYPT_OK) { |
358 } | 358 } |
359 if ((err = sha256_done(md, out+x*32)) != CRYPT_OK) { | 359 if ((err = sha256_done(md, out+x*32)) != CRYPT_OK) { |
360 goto LBL_ERR; | 360 goto LBL_ERR; |
361 } | 361 } |
362 } | 362 } |
363 *outlen = 32*FORTUNA_POOLS; | 363 *outlen = 32*LTC_FORTUNA_POOLS; |
364 err = CRYPT_OK; | 364 err = CRYPT_OK; |
365 | 365 |
366 LBL_ERR: | 366 LBL_ERR: |
367 #ifdef LTC_CLEAN_STACK | 367 #ifdef LTC_CLEAN_STACK |
368 zeromem(md, sizeof(*md)); | 368 zeromem(md, sizeof(*md)); |
384 int err, x; | 384 int err, x; |
385 | 385 |
386 LTC_ARGCHK(in != NULL); | 386 LTC_ARGCHK(in != NULL); |
387 LTC_ARGCHK(prng != NULL); | 387 LTC_ARGCHK(prng != NULL); |
388 | 388 |
389 if (inlen != 32*FORTUNA_POOLS) { | 389 if (inlen != 32*LTC_FORTUNA_POOLS) { |
390 return CRYPT_INVALID_ARG; | 390 return CRYPT_INVALID_ARG; |
391 } | 391 } |
392 | 392 |
393 if ((err = fortuna_start(prng)) != CRYPT_OK) { | 393 if ((err = fortuna_start(prng)) != CRYPT_OK) { |
394 return err; | 394 return err; |
395 } | 395 } |
396 for (x = 0; x < FORTUNA_POOLS; x++) { | 396 for (x = 0; x < LTC_FORTUNA_POOLS; x++) { |
397 if ((err = fortuna_add_entropy(in+x*32, 32, prng)) != CRYPT_OK) { | 397 if ((err = fortuna_add_entropy(in+x*32, 32, prng)) != CRYPT_OK) { |
398 return err; | 398 return err; |
399 } | 399 } |
400 } | 400 } |
401 return err; | 401 return err; |
420 } | 420 } |
421 | 421 |
422 #endif | 422 #endif |
423 | 423 |
424 | 424 |
425 /* $Source: /cvs/libtom/libtomcrypt/src/prngs/fortuna.c,v $ */ | 425 /* $Source$ */ |
426 /* $Revision: 1.12 $ */ | 426 /* $Revision$ */ |
427 /* $Date: 2006/12/04 21:34:03 $ */ | 427 /* $Date$ */ |