Mercurial > dropbear
diff libtomcrypt/src/prngs/sober128.c @ 1471:6dba84798cd5
Update to libtomcrypt 1.18.1, merged with Dropbear changes
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Fri, 09 Feb 2018 21:44:05 +0800 |
| parents | f849a5ca2efc |
| children | e9dba7abd939 |
line wrap: on
line diff
--- a/libtomcrypt/src/prngs/sober128.c Thu Feb 08 23:11:40 2018 +0800 +++ b/libtomcrypt/src/prngs/sober128.c Fri Feb 09 21:44:05 2018 +0800 @@ -5,196 +5,45 @@ * * The library is free for all purposes without any express * guarantee it works. - * - * Tom St Denis, [email protected], http://libtom.org */ + #include "tomcrypt.h" /** - @file sober128.c + @file prngs/sober128.c Implementation of SOBER-128 by Tom St Denis. Based on s128fast.c reference code supplied by Greg Rose of QUALCOMM. */ #ifdef LTC_SOBER128 -#include "sober128tab.c" - -const struct ltc_prng_descriptor sober128_desc = -{ - "sober128", 64, - &sober128_start, - &sober128_add_entropy, - &sober128_ready, - &sober128_read, - &sober128_done, - &sober128_export, - &sober128_import, - &sober128_test -}; - -/* don't change these... */ -#define N 17 -#define FOLD N /* how many iterations of folding to do */ -#define INITKONST 0x6996c53a /* value of KONST to use during key loading */ -#define KEYP 15 /* where to insert key words */ -#define FOLDP 4 /* where to insert non-linear feedback */ - -#define B(x,i) ((unsigned char)(((x) >> (8*i)) & 0xFF)) - -static ulong32 BYTE2WORD(unsigned char *b) -{ - ulong32 t; - LOAD32L(t, b); - return t; -} - -#define WORD2BYTE(w, b) STORE32L(b, w) - -static void XORWORD(ulong32 w, unsigned char *b) +const struct ltc_prng_descriptor sober128_desc = { - ulong32 t; - LOAD32L(t, b); - t ^= w; - STORE32L(t, b); -} - -/* give correct offset for the current position of the register, - * where logically R[0] is at position "zero". - */ -#define OFF(zero, i) (((zero)+(i)) % N) - -/* step the LFSR */ -/* After stepping, "zero" moves right one place */ -#define STEP(R,z) \ - R[OFF(z,0)] = R[OFF(z,15)] ^ R[OFF(z,4)] ^ (R[OFF(z,0)] << 8) ^ Multab[(R[OFF(z,0)] >> 24) & 0xFF]; - -static void cycle(ulong32 *R) -{ - ulong32 t; - int i; - - STEP(R,0); - t = R[0]; - for (i = 1; i < N; ++i) { - R[i-1] = R[i]; - } - R[N-1] = t; -} - -/* Return a non-linear function of some parts of the register. - */ -#define NLFUNC(c,z) \ -{ \ - t = c->R[OFF(z,0)] + c->R[OFF(z,16)]; \ - t ^= Sbox[(t >> 24) & 0xFF]; \ - t = RORc(t, 8); \ - t = ((t + c->R[OFF(z,1)]) ^ c->konst) + c->R[OFF(z,6)]; \ - t ^= Sbox[(t >> 24) & 0xFF]; \ - t = t + c->R[OFF(z,13)]; \ -} - -static ulong32 nltap(struct sober128_prng *c) -{ - ulong32 t; - NLFUNC(c, 0); - return t; -} + "sober128", + 40, + &sober128_start, + &sober128_add_entropy, + &sober128_ready, + &sober128_read, + &sober128_done, + &sober128_export, + &sober128_import, + &sober128_test +}; /** Start the PRNG @param prng [out] The PRNG state to initialize @return CRYPT_OK if successful -*/ +*/ int sober128_start(prng_state *prng) { - int i; - struct sober128_prng *c; - - LTC_ARGCHK(prng != NULL); - - c = &(prng->sober128); - - /* Register initialised to Fibonacci numbers */ - c->R[0] = 1; - c->R[1] = 1; - for (i = 2; i < N; ++i) { - c->R[i] = c->R[i-1] + c->R[i-2]; - } - c->konst = INITKONST; - - /* next add_entropy will be the key */ - c->flag = 1; - c->set = 0; - - return CRYPT_OK; -} - -/* Save the current register state - */ -static void s128_savestate(struct sober128_prng *c) -{ - int i; - for (i = 0; i < N; ++i) { - c->initR[i] = c->R[i]; - } -} - -/* initialise to previously saved register state - */ -static void s128_reloadstate(struct sober128_prng *c) -{ - int i; - - for (i = 0; i < N; ++i) { - c->R[i] = c->initR[i]; - } -} - -/* Initialise "konst" - */ -static void s128_genkonst(struct sober128_prng *c) -{ - ulong32 newkonst; - - do { - cycle(c->R); - newkonst = nltap(c); - } while ((newkonst & 0xFF000000) == 0); - c->konst = newkonst; -} - -/* Load key material into the register - */ -#define ADDKEY(k) \ - c->R[KEYP] += (k); - -#define XORNL(nl) \ - c->R[FOLDP] ^= (nl); - -/* nonlinear diffusion of register for key */ -#define DROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); c->R[OFF((z+1),FOLDP)] ^= t; -static void s128_diffuse(struct sober128_prng *c) -{ - ulong32 t; - /* relies on FOLD == N == 17! */ - DROUND(0); - DROUND(1); - DROUND(2); - DROUND(3); - DROUND(4); - DROUND(5); - DROUND(6); - DROUND(7); - DROUND(8); - DROUND(9); - DROUND(10); - DROUND(11); - DROUND(12); - DROUND(13); - DROUND(14); - DROUND(15); - DROUND(16); + LTC_ARGCHK(prng != NULL); + prng->ready = 0; + XMEMSET(&prng->sober128.ent, 0, sizeof(prng->sober128.ent)); + prng->sober128.idx = 0; + LTC_MUTEX_INIT(&prng->lock) + return CRYPT_OK; } /** @@ -203,81 +52,63 @@ @param inlen Length of the data to add @param prng PRNG state to update @return CRYPT_OK if successful -*/ +*/ int sober128_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng) { - struct sober128_prng *c; - ulong32 i, k; - - LTC_ARGCHK(in != NULL); - LTC_ARGCHK(prng != NULL); - c = &(prng->sober128); + unsigned char buf[40]; + unsigned long i; + int err; - if (c->flag == 1) { - /* this is the first call to the add_entropy so this input is the key */ - /* inlen must be multiple of 4 bytes */ - if ((inlen & 3) != 0) { - return CRYPT_INVALID_KEYSIZE; - } - - for (i = 0; i < inlen; i += 4) { - k = BYTE2WORD((unsigned char *)&in[i]); - ADDKEY(k); - cycle(c->R); - XORNL(nltap(c)); - } - - /* also fold in the length of the key */ - ADDKEY(inlen); - - /* now diffuse */ - s128_diffuse(c); + LTC_ARGCHK(prng != NULL); + LTC_ARGCHK(in != NULL); + LTC_ARGCHK(inlen > 0); - s128_genkonst(c); - s128_savestate(c); - c->nbuf = 0; - c->flag = 0; - c->set = 1; - } else { - /* ok we are adding an IV then... */ - s128_reloadstate(c); - - /* inlen must be multiple of 4 bytes */ - if ((inlen & 3) != 0) { - return CRYPT_INVALID_KEYSIZE; - } - - for (i = 0; i < inlen; i += 4) { - k = BYTE2WORD((unsigned char *)&in[i]); - ADDKEY(k); - cycle(c->R); - XORNL(nltap(c)); - } - - /* also fold in the length of the key */ - ADDKEY(inlen); - - /* now diffuse */ - s128_diffuse(c); - c->nbuf = 0; - } - - return CRYPT_OK; + LTC_MUTEX_LOCK(&prng->lock); + if (prng->ready) { + /* sober128_ready() was already called, do "rekey" operation */ + if ((err = sober128_stream_keystream(&prng->sober128.s, buf, sizeof(buf))) != CRYPT_OK) goto LBL_UNLOCK; + for(i = 0; i < inlen; i++) buf[i % sizeof(buf)] ^= in[i]; + /* key 32 bytes, 20 rounds */ + if ((err = sober128_stream_setup(&prng->sober128.s, buf, 32)) != CRYPT_OK) goto LBL_UNLOCK; + /* iv 8 bytes */ + if ((err = sober128_stream_setiv(&prng->sober128.s, buf + 32, 8)) != CRYPT_OK) goto LBL_UNLOCK; + /* clear KEY + IV */ + zeromem(buf, sizeof(buf)); + } + else { + /* sober128_ready() was not called yet, add entropy to ent buffer */ + while (inlen--) prng->sober128.ent[prng->sober128.idx++ % sizeof(prng->sober128.ent)] ^= *in++; + } + err = CRYPT_OK; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** Make the PRNG ready to read from @param prng The PRNG to make active @return CRYPT_OK if successful -*/ +*/ int sober128_ready(prng_state *prng) { - return prng->sober128.set == 1 ? CRYPT_OK : CRYPT_ERROR; -} + int err; + + LTC_ARGCHK(prng != NULL); -/* XOR pseudo-random bytes into buffer - */ -#define SROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); XORWORD(t, out+(z*4)); + LTC_MUTEX_LOCK(&prng->lock); + if (prng->ready) { err = CRYPT_OK; goto LBL_UNLOCK; } + /* key 32 bytes, 20 rounds */ + if ((err = sober128_stream_setup(&prng->sober128.s, prng->sober128.ent, 32)) != CRYPT_OK) goto LBL_UNLOCK; + /* iv 8 bytes */ + if ((err = sober128_stream_setiv(&prng->sober128.s, prng->sober128.ent + 32, 8)) != CRYPT_OK) goto LBL_UNLOCK; + XMEMSET(&prng->sober128.ent, 0, sizeof(prng->sober128.ent)); + prng->sober128.idx = 0; + prng->ready = 1; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return err; +} /** Read from the PRNG @@ -285,90 +116,33 @@ @param outlen Length of output @param prng The active PRNG to read from @return Number of octets read -*/ +*/ unsigned long sober128_read(unsigned char *out, unsigned long outlen, prng_state *prng) { - struct sober128_prng *c; - ulong32 t, tlen; - - LTC_ARGCHK(out != NULL); - LTC_ARGCHK(prng != NULL); - -#ifdef LTC_VALGRIND - zeromem(out, outlen); -#endif - - c = &(prng->sober128); - t = 0; - tlen = outlen; - - /* handle any previously buffered bytes */ - while (c->nbuf != 0 && outlen != 0) { - *out++ ^= c->sbuf & 0xFF; - c->sbuf >>= 8; - c->nbuf -= 8; - --outlen; - } - -#ifndef LTC_SMALL_CODE - /* do lots at a time, if there's enough to do */ - while (outlen >= N*4) { - SROUND(0); - SROUND(1); - SROUND(2); - SROUND(3); - SROUND(4); - SROUND(5); - SROUND(6); - SROUND(7); - SROUND(8); - SROUND(9); - SROUND(10); - SROUND(11); - SROUND(12); - SROUND(13); - SROUND(14); - SROUND(15); - SROUND(16); - out += 4*N; - outlen -= 4*N; - } -#endif - - /* do small or odd size buffers the slow way */ - while (4 <= outlen) { - cycle(c->R); - t = nltap(c); - XORWORD(t, out); - out += 4; - outlen -= 4; - } - - /* handle any trailing bytes */ - if (outlen != 0) { - cycle(c->R); - c->sbuf = nltap(c); - c->nbuf = 32; - while (c->nbuf != 0 && outlen != 0) { - *out++ ^= c->sbuf & 0xFF; - c->sbuf >>= 8; - c->nbuf -= 8; - --outlen; - } - } - - return tlen; + if (outlen == 0 || prng == NULL || out == NULL) return 0; + LTC_MUTEX_LOCK(&prng->lock); + if (!prng->ready) { outlen = 0; goto LBL_UNLOCK; } + if (sober128_stream_keystream(&prng->sober128.s, out, outlen) != CRYPT_OK) outlen = 0; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return outlen; } /** Terminate the PRNG @param prng The PRNG to terminate @return CRYPT_OK if successful -*/ +*/ int sober128_done(prng_state *prng) { + int err; LTC_ARGCHK(prng != NULL); - return CRYPT_OK; + LTC_MUTEX_LOCK(&prng->lock); + prng->ready = 0; + err = sober128_stream_done(&prng->sober128.s); + LTC_MUTEX_UNLOCK(&prng->lock); + LTC_MUTEX_DESTROY(&prng->lock); + return err; } /** @@ -377,124 +151,99 @@ @param outlen [in/out] Max size and resulting size of the state @param prng The PRNG to export @return CRYPT_OK if successful -*/ +*/ int sober128_export(unsigned char *out, unsigned long *outlen, prng_state *prng) { - LTC_ARGCHK(outlen != NULL); - LTC_ARGCHK(out != NULL); + unsigned long len = sober128_desc.export_size; + LTC_ARGCHK(prng != NULL); + LTC_ARGCHK(out != NULL); + LTC_ARGCHK(outlen != NULL); - if (*outlen < 64) { - *outlen = 64; + if (*outlen < len) { + *outlen = len; return CRYPT_BUFFER_OVERFLOW; } - if (sober128_read(out, 64, prng) != 64) { + if (sober128_read(out, len, prng) != len) { return CRYPT_ERROR_READPRNG; } - *outlen = 64; + *outlen = len; return CRYPT_OK; } - + /** Import a PRNG state @param in The PRNG state @param inlen Size of the state @param prng The PRNG to import @return CRYPT_OK if successful -*/ +*/ int sober128_import(const unsigned char *in, unsigned long inlen, prng_state *prng) { int err; - LTC_ARGCHK(in != NULL); - LTC_ARGCHK(prng != NULL); - if (inlen != 64) { - return CRYPT_INVALID_ARG; - } - - if ((err = sober128_start(prng)) != CRYPT_OK) { - return err; - } - if ((err = sober128_add_entropy(in, 64, prng)) != CRYPT_OK) { - return err; - } - return sober128_ready(prng); + LTC_ARGCHK(prng != NULL); + LTC_ARGCHK(in != NULL); + if (inlen < (unsigned long)sober128_desc.export_size) return CRYPT_INVALID_ARG; + + if ((err = sober128_start(prng)) != CRYPT_OK) return err; + if ((err = sober128_add_entropy(in, sober128_desc.export_size, prng)) != CRYPT_OK) return err; + return CRYPT_OK; } /** PRNG self-test @return CRYPT_OK if successful, CRYPT_NOP if self-testing has been disabled -*/ +*/ int sober128_test(void) { #ifndef LTC_TEST return CRYPT_NOP; #else - static const struct { - int keylen, ivlen, len; - unsigned char key[16], iv[4], out[20]; - } tests[] = { - -{ - 16, 4, 20, - - /* key */ - { 0x74, 0x65, 0x73, 0x74, 0x20, 0x6b, 0x65, 0x79, - 0x20, 0x31, 0x32, 0x38, 0x62, 0x69, 0x74, 0x73 }, - - /* IV */ - { 0x00, 0x00, 0x00, 0x00 }, - - /* expected output */ - { 0x43, 0x50, 0x0c, 0xcf, 0x89, 0x91, 0x9f, 0x1d, - 0xaa, 0x37, 0x74, 0x95, 0xf4, 0xb4, 0x58, 0xc2, - 0x40, 0x37, 0x8b, 0xbb } -} - -}; - prng_state prng; - unsigned char dst[20]; - int err, x; + prng_state st; + unsigned char en[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, + 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, + 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, + 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, + 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32 }; + unsigned char dmp[300]; + unsigned long dmplen = sizeof(dmp); + unsigned char out[500]; + unsigned char t1[] = { 0x31, 0x82, 0xA7, 0xA5, 0x8B, 0xD7, 0xCB, 0x39, 0x86, 0x1A }; + unsigned char t2[] = { 0x6B, 0x43, 0x9E, 0xBC, 0xE7, 0x62, 0x9B, 0xE6, 0x9B, 0x83 }; + unsigned char t3[] = { 0x4A, 0x0E, 0x6C, 0xC1, 0xCF, 0xB4, 0x73, 0x49, 0x99, 0x05 }; + int err; - for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) { - if ((err = sober128_start(&prng)) != CRYPT_OK) { - return err; - } - if ((err = sober128_add_entropy(tests[x].key, tests[x].keylen, &prng)) != CRYPT_OK) { - return err; - } - /* add IV */ - if ((err = sober128_add_entropy(tests[x].iv, tests[x].ivlen, &prng)) != CRYPT_OK) { - return err; - } + if ((err = sober128_start(&st)) != CRYPT_OK) return err; + /* add entropy to uninitialized prng */ + if ((err = sober128_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err; + if ((err = sober128_ready(&st)) != CRYPT_OK) return err; + if (sober128_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */ + if (compare_testvector(out, 10, t1, sizeof(t1), "SOBER128-PRNG", 1)) return CRYPT_FAIL_TESTVECTOR; + if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + /* add entropy to already initialized prng */ + if ((err = sober128_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err; + if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + if ((err = sober128_export(dmp, &dmplen, &st)) != CRYPT_OK) return err; + if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + if (sober128_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */ + if (compare_testvector(out, 10, t2, sizeof(t2), "SOBER128-PRNG", 2)) return CRYPT_FAIL_TESTVECTOR; + if ((err = sober128_done(&st)) != CRYPT_OK) return err; + if ((err = sober128_import(dmp, dmplen, &st)) != CRYPT_OK) return err; + if ((err = sober128_ready(&st)) != CRYPT_OK) return err; + if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + if (sober128_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */ + if (compare_testvector(out, 10, t3, sizeof(t3), "SOBER128-PRNG", 3)) return CRYPT_FAIL_TESTVECTOR; + if ((err = sober128_done(&st)) != CRYPT_OK) return err; - /* ready up */ - if ((err = sober128_ready(&prng)) != CRYPT_OK) { - return err; - } - XMEMSET(dst, 0, tests[x].len); - if (sober128_read(dst, tests[x].len, &prng) != (unsigned long)tests[x].len) { - return CRYPT_ERROR_READPRNG; - } - sober128_done(&prng); - if (XMEMCMP(dst, tests[x].out, tests[x].len)) { -#if 0 - printf("\n\nLTC_SOBER128 failed, I got:\n"); - for (y = 0; y < tests[x].len; y++) printf("%02x ", dst[y]); - printf("\n"); -#endif - return CRYPT_FAIL_TESTVECTOR; - } - } return CRYPT_OK; #endif } #endif - -/* $Source$ */ -/* $Revision$ */ -/* $Date$ */ +/* ref: $Format:%D$ */ +/* git commit: $Format:%H$ */ +/* commit time: $Format:%ai$ */