TeaSpeak/tomcrypt
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Move RC4 + SOBER128 to src/stream/

Browse Source
This commit is contained in:
Karel Miko 2017-04-24 21:36:25 +02:00
parent 93317a1d6a
commit fe14c8bfaf
26 changed files with 1066 additions and 736 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
src/headers/tomcrypt_cipher.h
View File

@ -939,7 +939,7 @@ LTC_MUTEX_PROTO(ltc_cipher_mutex)
/* ---- stream ciphers ---- */
#ifdef LTC_CHACHA
#ifdef LTC_CHACHA_STREAM
typedef struct {
ulong32 input[16];
@ -957,7 +957,41 @@ int chacha_keystream(chacha_state *st, unsigned char *out, unsigned long outlen)
int chacha_done(chacha_state *st);
int chacha_test(void);
#endif /* LTC_CHACHA */
#endif /* LTC_CHACHA_STREAM */
#ifdef LTC_RC4_STREAM
typedef struct {
int x, y;
unsigned char buf[256];
} rc4_state;
int rc4_setup(rc4_state *st, const unsigned char *key, unsigned long keylen);
int rc4_crypt(rc4_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out);
int rc4_keystream(rc4_state *st, unsigned char *out, unsigned long outlen);
int rc4_stream_done(rc4_state *st);
int rc4_test(void);
#endif /* LTC_RC4_STREAM */
#ifdef LTC_SOBER128_STREAM
typedef struct {
ulong32 R[17], /* Working storage for the shift register */
initR[17], /* saved register contents */
konst, /* key dependent constant */
sbuf; /* partial word encryption buffer */
int nbuf; /* number of part-word stream bits buffered */
} sober128_state;
int sober128_setup(sober128_state *st, const unsigned char *key, unsigned long keylen);
int sober128_setiv(sober128_state *st, const unsigned char *iv, unsigned long ivlen);
int sober128_crypt(sober128_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out);
int sober128_keystream(sober128_state *st, unsigned char *out, unsigned long outlen);
int sober128_stream_done(sober128_state *st);
int sober128_test(void);
#endif /* LTC_SOBER128_STREAM */
/* $Source$ */
/* $Revision$ */

29
src/headers/tomcrypt_custom.h
View File

@ -189,8 +189,11 @@
#define LTC_KASUMI
#define LTC_MULTI2
#define LTC_CAMELLIA
/* ChaCha is special (a stream cipher) */
#define LTC_CHACHA
/* stream ciphers */
#define LTC_CHACHA_STREAM
#define LTC_RC4_STREAM
#define LTC_SOBER128_STREAM
#endif /* LTC_NO_CIPHERS */
@ -295,7 +298,7 @@
/* a PRNG that simply reads from an available system source */
#define LTC_SPRNG
/* The LTC_RC4 stream cipher */
/* The RC4 stream cipher based PRNG */
#define LTC_RC4
/* The ChaCha20 stream cipher based PRNG */
@ -304,7 +307,7 @@
/* Fortuna PRNG */
#define LTC_FORTUNA
/* Greg's LTC_SOBER128 PRNG ;-0 */
/* Greg's SOBER128 stream cipher based PRNG */
#define LTC_SOBER128
/* the *nix style /dev/random device */
@ -515,12 +518,20 @@
#error PK requires ASN.1 DER functionality, make sure LTC_DER is enabled
#endif
#if defined(LTC_CHACHA20POLY1305_MODE) && (!defined(LTC_CHACHA) || !defined(LTC_POLY1305))
#error LTC_CHACHA20POLY1305_MODE requires LTC_CHACHA + LTC_POLY1305
#if defined(LTC_CHACHA20POLY1305_MODE) && (!defined(LTC_CHACHA_STREAM) || !defined(LTC_POLY1305))
#error LTC_CHACHA20POLY1305_MODE requires LTC_CHACHA_STREAM + LTC_POLY1305
#endif
#if defined(LTC_CHACHA20_PRNG) && !defined(LTC_CHACHA)
#error LTC_CHACHA20_PRNG requires LTC_CHACHA
#if defined(LTC_CHACHA20_PRNG) && !defined(LTC_CHACHA_STREAM)
#error LTC_CHACHA20_PRNG requires LTC_CHACHA_STREAM
#endif
#if defined(LTC_RC4) && !defined(LTC_RC4_STREAM)
#error LTC_RC4 requires LTC_RC4_STREAM
#endif
#if defined(LTC_SOBER128) && !defined(LTC_SOBER128_STREAM)
#error LTC_SOBER128 requires LTC_SOBER128_STREAM
#endif
#if defined(LTC_BLAKE2SMAC) && !defined(LTC_BLAKE2S)
@ -557,7 +568,7 @@
/* Debuggers */
/* define this if you use Valgrind, note: it CHANGES the way SOBER-128 and LTC_RC4 work (see the code) */
/* define this if you use Valgrind, note: it CHANGES the way SOBER-128 and RC4 work (see the code) */
/* #define LTC_VALGRIND */
#endif

36
src/headers/tomcrypt_prng.h
View File

@ -4,14 +4,12 @@ struct yarrow_prng {
int cipher, hash;
unsigned char pool[MAXBLOCKSIZE];
symmetric_CTR ctr;
LTC_MUTEX_TYPE(prng_lock)
};
#endif
#ifdef LTC_RC4
struct rc4_prng {
int x, y;
unsigned char buf[256];
rc4_state s;
};
#endif
@ -20,7 +18,6 @@ struct chacha20_prng {
chacha_state s; /* chacha state */
unsigned char ent[40]; /* entropy buffer */
unsigned long idx; /* entropy counter */
short ready; /* ready flag 0-1 */
};
#endif
@ -38,41 +35,38 @@ struct fortuna_prng {
wd;
ulong64 reset_cnt; /* number of times we have reset */
LTC_MUTEX_TYPE(prng_lock)
};
#endif
#ifdef LTC_SOBER128
struct sober128_prng {
ulong32 R[17], /* Working storage for the shift register */
initR[17], /* saved register contents */
konst, /* key dependent constant */
sbuf; /* partial word encryption buffer */
int nbuf, /* number of part-word stream bits buffered */
flag, /* first add_entropy call or not? */
set; /* did we call add_entropy to set key? */
sober128_state s; /* sober128 state */
unsigned char ent[40]; /* entropy buffer */
unsigned long idx; /* entropy counter */
};
#endif
typedef union Prng_state {
char dummy[1];
typedef struct {
union {
char dummy[1];
#ifdef LTC_YARROW
struct yarrow_prng yarrow;
struct yarrow_prng yarrow;
#endif
#ifdef LTC_RC4
struct rc4_prng rc4;
struct rc4_prng rc4;
#endif
#ifdef LTC_CHACHA20_PRNG
struct chacha20_prng chacha;
struct chacha20_prng chacha;
#endif
#ifdef LTC_FORTUNA
struct fortuna_prng fortuna;
struct fortuna_prng fortuna;
#endif
#ifdef LTC_SOBER128
struct sober128_prng sober128;
struct sober128_prng sober128;
#endif
};
short ready; /* ready flag 0-1 */
LTC_MUTEX_TYPE(lock); /* lock */
} prng_state;
/** PRNG descriptor */

9
src/misc/crypt/crypt.c
View File

@ -124,9 +124,16 @@ const char *crypt_build_settings =
#if defined(LTC_CAMELLIA)
" Camellia\n"
#endif
#if defined(LTC_CHACHA)
"Stream ciphers built-in:\n"
#if defined(LTC_CHACHA_STREAM)
" ChaCha\n"
#endif
#if defined(LTC_RC4_STREAM)
" RC4\n"
#endif
#if defined(LTC_SOBER128_STREAM)
" SOBER128\n"
#endif
"\nHashes built-in:\n"
#if defined(LTC_SHA3)

137
src/prngs/chacha20.c
View File

@ -17,8 +17,8 @@
const struct ltc_prng_descriptor chacha20_prng_desc =
{
"chacha",
sizeof(chacha_state),
"chacha20",
40,
&chacha20_prng_start,
&chacha20_prng_add_entropy,
&chacha20_prng_ready,
@ -37,9 +37,10 @@ const struct ltc_prng_descriptor chacha20_prng_desc =
int chacha20_prng_start(prng_state *prng)
{
LTC_ARGCHK(prng != NULL);
prng->chacha.ready = 0;
XMEMSET(&prng->chacha.ent, 0, 40);
prng->ready = 0;
XMEMSET(&prng->chacha.ent, 0, sizeof(prng->chacha.ent));
prng->chacha.idx = 0;
LTC_MUTEX_INIT(&prng->lock)
return CRYPT_OK;
}
@ -60,23 +61,26 @@ int chacha20_prng_add_entropy(const unsigned char *in, unsigned long inlen, prng
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(inlen > 0);
if (prng->chacha.ready) {
LTC_MUTEX_LOCK(&prng->lock);
if (prng->ready) {
/* chacha20_prng_ready() was already called, do "rekey" operation */
if ((err = chacha_keystream(&prng->chacha.s, buf, 40)) != CRYPT_OK) return err;
for(i = 0; i < inlen; i++) buf[i % 40] ^= in[i];
if ((err = chacha_keystream(&prng->chacha.s, buf, sizeof(buf))) != CRYPT_OK) goto LBL_UNLOCK;
for(i = 0; i < inlen; i++) buf[i % sizeof(buf)] ^= in[i];
/* key 32 bytes, 20 rounds */
if ((err = chacha_setup(&prng->chacha.s, buf, 32, 20)) != CRYPT_OK) return err;
if ((err = chacha_setup(&prng->chacha.s, buf, 32, 20)) != CRYPT_OK) goto LBL_UNLOCK;
/* iv 8 bytes */
if ((err = chacha_ivctr64(&prng->chacha.s, buf + 32, 8, 0)) != CRYPT_OK) return err;
if ((err = chacha_ivctr64(&prng->chacha.s, buf + 32, 8, 0)) != CRYPT_OK) goto LBL_UNLOCK;
/* clear KEY + IV */
XMEMSET(buf, 0, 40);
XMEMSET(buf, 0, sizeof(buf));
}
else {
/* chacha20_prng_ready() was not called yet, add entropy to ent buffer */
while (inlen--) prng->chacha.ent[prng->chacha.idx++ % 40] ^= *in++;
while (inlen--) prng->chacha.ent[prng->chacha.idx++ % sizeof(prng->chacha.ent)] ^= *in++;
}
return CRYPT_OK;
err = CRYPT_OK;
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
@ -90,14 +94,18 @@ int chacha20_prng_ready(prng_state *prng)
LTC_ARGCHK(prng != NULL);
LTC_MUTEX_LOCK(&prng->lock);
if (prng->ready) { err = CRYPT_OK; goto LBL_UNLOCK; }
/* key 32 bytes, 20 rounds */
if ((err = chacha_setup(&prng->chacha.s, prng->chacha.ent, 32, 20)) != CRYPT_OK) return err;
if ((err = chacha_setup(&prng->chacha.s, prng->chacha.ent, 32, 20)) != CRYPT_OK) goto LBL_UNLOCK;
/* iv 8 bytes */
if ((err = chacha_ivctr64(&prng->chacha.s, prng->chacha.ent + 32, 8, 0)) != CRYPT_OK) return err;
XMEMSET(&prng->chacha.ent, 0, 40);
prng->chacha.ready = 1;
if ((err = chacha_ivctr64(&prng->chacha.s, prng->chacha.ent + 32, 8, 0)) != CRYPT_OK) goto LBL_UNLOCK;
XMEMSET(&prng->chacha.ent, 0, sizeof(prng->chacha.ent));
prng->chacha.idx = 0;
return CRYPT_OK;
prng->ready = 1;
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
@ -109,8 +117,12 @@ int chacha20_prng_ready(prng_state *prng)
*/
unsigned long chacha20_prng_read(unsigned char *out, unsigned long outlen, prng_state *prng)
{
LTC_ARGCHK(prng != NULL);
if (chacha_keystream(&prng->chacha.s, out, outlen) != CRYPT_OK) return 0;
if (outlen == 0 || prng == NULL || out == NULL) return 0;
LTC_MUTEX_LOCK(&prng->lock);
if (!prng->ready) { outlen = 0; goto LBL_UNLOCK; }
if (chacha_keystream(&prng->chacha.s, out, outlen) != CRYPT_OK) outlen = 0;
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return outlen;
}
@ -121,8 +133,13 @@ unsigned long chacha20_prng_read(unsigned char *out, unsigned long outlen, prng_
*/
int chacha20_prng_done(prng_state *prng)
{
int err;
LTC_ARGCHK(prng != NULL);
return chacha_done(&prng->chacha.s);
LTC_MUTEX_LOCK(&prng->lock);
prng->ready = 0;
err = chacha_done(&prng->chacha.s);
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
@ -134,19 +151,21 @@ int chacha20_prng_done(prng_state *prng)
*/
int chacha20_prng_export(unsigned char *out, unsigned long *outlen, prng_state *prng)
{
unsigned long len = sizeof(chacha_state);
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(prng != NULL);
unsigned long len = chacha20_prng_desc.export_size;
LTC_ARGCHK(prng != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
if (!prng->chacha.ready) {
return CRYPT_ERROR;
}
if (*outlen < len) {
*outlen = len;
return CRYPT_BUFFER_OVERFLOW;
}
XMEMCPY(out, &prng->chacha.s, len);
if (chacha20_prng_read(out, len, prng) != len) {
return CRYPT_ERROR_READPRNG;
}
*outlen = len;
return CRYPT_OK;
}
@ -160,13 +179,14 @@ int chacha20_prng_export(unsigned char *out, unsigned long *outlen, prng_state *
*/
int chacha20_prng_import(const unsigned char *in, unsigned long inlen, prng_state *prng)
{
unsigned long len = sizeof(chacha_state);
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(prng != NULL);
int err;
if (inlen != len) return CRYPT_INVALID_ARG;
XMEMCPY(&prng->chacha.s, in, inlen);
prng->chacha.ready = 1;
LTC_ARGCHK(prng != NULL);
LTC_ARGCHK(in != NULL);
if (inlen < (unsigned long)chacha20_prng_desc.export_size) return CRYPT_INVALID_ARG;
if ((err = chacha20_prng_start(prng)) != CRYPT_OK) return err;
if ((err = chacha20_prng_add_entropy(in, inlen, prng)) != CRYPT_OK) return err;
return CRYPT_OK;
}
@ -188,29 +208,32 @@ int chacha20_prng_test(void)
unsigned char dmp[300];
unsigned long dmplen = sizeof(dmp);
unsigned char out[500];
unsigned char t1[] = { 0x59, 0xb2, 0x26, 0x95, 0x2b, 0x01, 0x8f, 0x05, 0xbe, 0xd8 };
unsigned char t2[] = { 0x30, 0x34, 0x5c, 0x6e, 0x56, 0x18, 0x8c, 0x46, 0xbe, 0x8a };
unsigned char t1[] = { 0x59, 0xB2, 0x26, 0x95, 0x2B, 0x01, 0x8F, 0x05, 0xBE, 0xD8 };
unsigned char t2[] = { 0x47, 0xC9, 0x0D, 0x03, 0xE4, 0x75, 0x34, 0x27, 0xBD, 0xDE };
unsigned char t3[] = { 0xBC, 0xFA, 0xEF, 0x59, 0x37, 0x7F, 0x1A, 0x91, 0x1A, 0xA6 };
int err;
chacha20_prng_start(&st);
chacha20_prng_add_entropy(en, sizeof(en), &st); /* add entropy to uninitialized prng */
chacha20_prng_ready(&st);
chacha20_prng_read(out, 10, &st); /* 10 bytes for testing */
if (compare_testvector(out, 10, t1, sizeof(t1), "CHACHA-PRNG", 1)) return CRYPT_FAIL_TESTVECTOR;
chacha20_prng_read(out, 500, &st);
chacha20_prng_add_entropy(en, sizeof(en), &st); /* add entropy to already initialized prng */
chacha20_prng_read(out, 500, &st);
chacha20_prng_export(dmp, &dmplen, &st);
chacha20_prng_read(out, 500, &st); /* skip 500 bytes */
chacha20_prng_read(out, 10, &st); /* 10 bytes for testing */
if (compare_testvector(out, 10, t2, sizeof(t2), "CHACHA-PRNG", 2)) return CRYPT_FAIL_TESTVECTOR;
chacha20_prng_done(&st);
XMEMSET(&st, 0xFF, sizeof(st)); /* just to be sure */
chacha20_prng_import(dmp, dmplen, &st);
chacha20_prng_read(out, 500, &st); /* skip 500 bytes */
chacha20_prng_read(out, 10, &st); /* 10 bytes for testing */
if (compare_testvector(out, 10, t2, sizeof(t2), "CHACHA-PRNG", 3)) return CRYPT_FAIL_TESTVECTOR;
chacha20_prng_done(&st);
if ((err = chacha20_prng_start(&st)) != CRYPT_OK) return err;
/* add entropy to uninitialized prng */
if ((err = chacha20_prng_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err;
if ((err = chacha20_prng_ready(&st)) != CRYPT_OK) return err;
if (chacha20_prng_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
if (compare_testvector(out, 10, t1, sizeof(t1), "CHACHA-PRNG", 1)) return CRYPT_FAIL_TESTVECTOR;
if (chacha20_prng_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
/* add entropy to already initialized prng */
if ((err = chacha20_prng_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err;
if (chacha20_prng_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
if ((err = chacha20_prng_export(dmp, &dmplen, &st)) != CRYPT_OK) return err;
if (chacha20_prng_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
if (chacha20_prng_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
if (compare_testvector(out, 10, t2, sizeof(t2), "CHACHA-PRNG", 2)) return CRYPT_FAIL_TESTVECTOR;
if ((err = chacha20_prng_done(&st)) != CRYPT_OK) return err;
if ((err = chacha20_prng_import(dmp, dmplen, &st)) != CRYPT_OK) return err;
if ((err = chacha20_prng_ready(&st)) != CRYPT_OK) return err;
if (chacha20_prng_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
if (chacha20_prng_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
if (compare_testvector(out, 10, t3, sizeof(t3), "CHACHA-PRNG", 3)) return CRYPT_FAIL_TESTVECTOR;
if ((err = chacha20_prng_done(&st)) != CRYPT_OK) return err;
return CRYPT_OK;
#endif

91
src/prngs/fortuna.c
View File

@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
*
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
#include "tomcrypt.h"
@ -133,6 +131,7 @@ int fortuna_start(prng_state *prng)
unsigned char tmp[MAXBLOCKSIZE];
LTC_ARGCHK(prng != NULL);
prng->ready = 0;
/* initialize the pools */
for (x = 0; x < LTC_FORTUNA_POOLS; x++) {
@ -156,7 +155,7 @@ int fortuna_start(prng_state *prng)
}
zeromem(prng->fortuna.IV, 16);
LTC_MUTEX_INIT(&prng->fortuna.prng_lock)
LTC_MUTEX_INIT(&prng->lock)
return CRYPT_OK;
}
@ -173,27 +172,25 @@ int fortuna_add_entropy(const unsigned char *in, unsigned long inlen, prng_state
unsigned char tmp[2];
int err;
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(prng != NULL);
LTC_MUTEX_LOCK(&prng->fortuna.prng_lock);
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(inlen > 0);
/* ensure inlen <= 32 */
if (inlen > 32) {
LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock);
return CRYPT_INVALID_ARG;
inlen = 32;
}
/* add s || length(in) || in to pool[pool_idx] */
tmp[0] = 0;
tmp[1] = (unsigned char)inlen;
LTC_MUTEX_LOCK(&prng->lock);
if ((err = sha256_process(&prng->fortuna.pool[prng->fortuna.pool_idx], tmp, 2)) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock);
return err;
goto LBL_UNLOCK;
}
if ((err = sha256_process(&prng->fortuna.pool[prng->fortuna.pool_idx], in, inlen)) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock);
return err;
goto LBL_UNLOCK;
}
if (prng->fortuna.pool_idx == 0) {
prng->fortuna.pool0_len += inlen;
@ -201,9 +198,11 @@ int fortuna_add_entropy(const unsigned char *in, unsigned long inlen, prng_state
if (++(prng->fortuna.pool_idx) == LTC_FORTUNA_POOLS) {
prng->fortuna.pool_idx = 0;
}
err = CRYPT_OK; /* success */
LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock);
return CRYPT_OK;
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
@ -213,7 +212,15 @@ int fortuna_add_entropy(const unsigned char *in, unsigned long inlen, prng_state
*/
int fortuna_ready(prng_state *prng)
{
return fortuna_reseed(prng);
int err;
LTC_ARGCHK(prng != NULL);
LTC_MUTEX_LOCK(&prng->lock);
err = fortuna_reseed(prng);
prng->ready = (err == CRYPT_OK) ? 1 : 0;
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
@ -226,18 +233,20 @@ int fortuna_ready(prng_state *prng)
unsigned long fortuna_read(unsigned char *out, unsigned long outlen, prng_state *prng)
{
unsigned char tmp[16];
unsigned long tlen;
unsigned long tlen = 0;
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(prng != NULL);
if (outlen == 0 || prng == NULL || out == NULL) return 0;
LTC_MUTEX_LOCK(&prng->fortuna.prng_lock);
LTC_MUTEX_LOCK(&prng->lock);
if (!prng->ready) {
goto LBL_UNLOCK;
}
/* do we have to reseed? */
if (++prng->fortuna.wd == LTC_FORTUNA_WD || prng->fortuna.pool0_len >= 64) {
if (fortuna_reseed(prng) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock);
return 0;
goto LBL_UNLOCK;
}
}
@ -268,14 +277,14 @@ unsigned long fortuna_read(unsigned char *out, unsigned long outlen, prng_state
fortuna_update_iv(prng);
if (rijndael_setup(prng->fortuna.K, 32, 0, &prng->fortuna.skey) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock);
return 0;
tlen = 0;
}
#ifdef LTC_CLEAN_STACK
zeromem(tmp, sizeof(tmp));
#endif
LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock);
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return tlen;
}
@ -290,23 +299,25 @@ int fortuna_done(prng_state *prng)
unsigned char tmp[32];
LTC_ARGCHK(prng != NULL);
LTC_MUTEX_LOCK(&prng->fortuna.prng_lock);
LTC_MUTEX_LOCK(&prng->lock);
prng->ready = 0;
/* terminate all the hashes */
for (x = 0; x < LTC_FORTUNA_POOLS; x++) {
if ((err = sha256_done(&(prng->fortuna.pool[x]), tmp)) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock);
return err;
goto LBL_UNLOCK;
}
}
/* call cipher done when we invent one ;-) */
err = CRYPT_OK; /* success */
#ifdef LTC_CLEAN_STACK
zeromem(tmp, sizeof(tmp));
#endif
LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock);
return CRYPT_OK;
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
@ -325,19 +336,24 @@ int fortuna_export(unsigned char *out, unsigned long *outlen, prng_state *prng)
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(prng != NULL);
LTC_MUTEX_LOCK(&prng->fortuna.prng_lock);
LTC_MUTEX_LOCK(&prng->lock);
if (!prng->ready) {
err = CRYPT_ERROR;
goto LBL_UNLOCK;
}
/* we'll write bytes for s&g's */
if (*outlen < 32*LTC_FORTUNA_POOLS) {
LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock);
*outlen = 32*LTC_FORTUNA_POOLS;
return CRYPT_BUFFER_OVERFLOW;
err = CRYPT_BUFFER_OVERFLOW;
goto LBL_UNLOCK;
}
md = XMALLOC(sizeof(hash_state));
if (md == NULL) {
LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock);
return CRYPT_MEM;
err = CRYPT_MEM;
goto LBL_UNLOCK;
}
/* to emit the state we copy each pool, terminate it then hash it again so
@ -371,7 +387,8 @@ LBL_ERR:
zeromem(md, sizeof(*md));
#endif
XFREE(md);
LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock);
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
@ -401,7 +418,7 @@ int fortuna_import(const unsigned char *in, unsigned long inlen, prng_state *prn
return err;
}
}
return err;
return CRYPT_OK;
}
/**

267
src/prngs/rc4.c
View File

@ -5,29 +5,28 @@
*
* The library is free for all purposes without any express
* guarantee it works.
*
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
#include "tomcrypt.h"
/**
@file rc4.c
LTC_RC4 PRNG, Tom St Denis
RC4 PRNG, Tom St Denis
*/
#ifdef LTC_RC4
const struct ltc_prng_descriptor rc4_desc =
{
"rc4", 32,
&rc4_start,
&rc4_add_entropy,
&rc4_ready,
&rc4_read,
&rc4_done,
&rc4_export,
&rc4_import,
&rc4_test
"rc4",
32,
&rc4_start,
&rc4_add_entropy,
&rc4_ready,
&rc4_read,
&rc4_done,
&rc4_export,
&rc4_import,
&rc4_test
};
/**
@ -37,12 +36,14 @@ const struct ltc_prng_descriptor rc4_desc =
*/
int rc4_start(prng_state *prng)
{
LTC_ARGCHK(prng != NULL);
/* set keysize to zero */
prng->rc4.x = 0;
return CRYPT_OK;
LTC_ARGCHK(prng != NULL);
prng->ready = 0;
/* set entropy (key) size to zero */
prng->rc4.s.x = 0;
/* clear entropy (key) buffer */
XMEMSET(&prng->rc4.s.buf, 0, sizeof(prng->rc4.s.buf));
LTC_MUTEX_INIT(&prng->lock)
return CRYPT_OK;
}
/**
@ -54,26 +55,32 @@ int rc4_start(prng_state *prng)
*/
int rc4_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng)
{
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(prng != NULL);
unsigned char buf[256];
unsigned long i;
int err;
/* trim as required */
if (prng->rc4.x + inlen > 256) {
if (prng->rc4.x == 256) {
/* I can't possibly accept another byte, ok maybe a mint wafer... */
return CRYPT_OK;
} else {
/* only accept part of it */
inlen = 256 - prng->rc4.x;
}
}
while (inlen--) {
prng->rc4.buf[prng->rc4.x++] = *in++;
}
return CRYPT_OK;
LTC_ARGCHK(prng != NULL);
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(inlen > 0);
LTC_MUTEX_LOCK(&prng->lock);
if (prng->ready) {
/* rc4_ready() was already called, do "rekey" operation */
if ((err = rc4_keystream(&prng->rc4.s, buf, sizeof(buf))) != CRYPT_OK) goto LBL_UNLOCK;
for(i = 0; i < inlen; i++) buf[i % sizeof(buf)] ^= in[i];
/* initialize RC4 */
if ((err = rc4_setup(&prng->rc4.s, buf, sizeof(buf))) != CRYPT_OK) goto LBL_UNLOCK;
/* drop first 3072 bytes - https://en.wikipedia.org/wiki/RC4#Fluhrer.2C_Mantin_and_Shamir_attack */
for (i = 0; i < 12; i++) rc4_keystream(&prng->rc4.s, buf, sizeof(buf));
}
else {
/* rc4_ready() was not called yet, add entropy to the buffer */
while (inlen--) prng->rc4.s.buf[prng->rc4.s.x++ % sizeof(prng->rc4.s.buf)] ^= *in++;
}
err = CRYPT_OK;
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
@ -83,36 +90,24 @@ int rc4_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *pr
*/
int rc4_ready(prng_state *prng)
{
unsigned char key[256], tmp, *s;
int keylen, x, y, j;
unsigned char buf[256] = { 0 };
unsigned long len;
int err, i;
LTC_ARGCHK(prng != NULL);
LTC_ARGCHK(prng != NULL);
/* extract the key */
s = prng->rc4.buf;
XMEMCPY(key, s, 256);
keylen = prng->rc4.x;
/* make LTC_RC4 perm and shuffle */
for (x = 0; x < 256; x++) {
s[x] = x;
}
for (j = x = y = 0; x < 256; x++) {
y = (y + prng->rc4.buf[x] + key[j++]) & 255;
if (j == keylen) {
j = 0;
}
tmp = s[x]; s[x] = s[y]; s[y] = tmp;
}
prng->rc4.x = 0;
prng->rc4.y = 0;
#ifdef LTC_CLEAN_STACK
zeromem(key, sizeof(key));
#endif
return CRYPT_OK;
LTC_MUTEX_LOCK(&prng->lock);
if (prng->ready) { err = CRYPT_OK; goto LBL_UNLOCK; }
XMEMCPY(buf, prng->rc4.s.buf, sizeof(buf));
/* initialize RC4 */
len = MIN(prng->rc4.s.x, 256); /* TODO: we can perhaps always use all 256 bytes */
if ((err = rc4_setup(&prng->rc4.s, buf, len)) != CRYPT_OK) goto LBL_UNLOCK;
/* drop first 3072 bytes - https://en.wikipedia.org/wiki/RC4#Fluhrer.2C_Mantin_and_Shamir_attack */
for (i = 0; i < 12; i++) rc4_keystream(&prng->rc4.s, buf, sizeof(buf));
prng->ready = 1;
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
@ -124,30 +119,13 @@ int rc4_ready(prng_state *prng)
*/
unsigned long rc4_read(unsigned char *out, unsigned long outlen, prng_state *prng)
{
unsigned char x, y, *s, tmp;
unsigned long n;
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(prng != NULL);
#ifdef LTC_VALGRIND
zeromem(out, outlen);
#endif
n = outlen;
x = prng->rc4.x;
y = prng->rc4.y;
s = prng->rc4.buf;
while (outlen--) {
x = (x + 1) & 255;
y = (y + s[x]) & 255;
tmp = s[x]; s[x] = s[y]; s[y] = tmp;
tmp = (s[x] + s[y]) & 255;
*out++ ^= s[tmp];
}
prng->rc4.x = x;
prng->rc4.y = y;
return n;
if (outlen == 0 || prng == NULL || out == NULL) return 0;
LTC_MUTEX_LOCK(&prng->lock);
if (!prng->ready) { outlen = 0; goto LBL_UNLOCK; }
if (rc4_keystream(&prng->rc4.s, out, outlen) != CRYPT_OK) outlen = 0;
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return outlen;
}
/**
@ -157,8 +135,13 @@ unsigned long rc4_read(unsigned char *out, unsigned long outlen, prng_state *prn
*/
int rc4_done(prng_state *prng)
{
int err;
LTC_ARGCHK(prng != NULL);
return CRYPT_OK;
LTC_MUTEX_LOCK(&prng->lock);
prng->ready = 0;
err = rc4_stream_done(&prng->rc4.s);
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
@ -170,20 +153,22 @@ int rc4_done(prng_state *prng)
*/
int rc4_export(unsigned char *out, unsigned long *outlen, prng_state *prng)
{
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(prng != NULL);
unsigned long len = rc4_desc.export_size;
if (*outlen < 32) {
*outlen = 32;
LTC_ARGCHK(prng != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
if (*outlen < len) {
*outlen = len;
return CRYPT_BUFFER_OVERFLOW;
}
if (rc4_read(out, 32, prng) != 32) {
if (rc4_read(out, len, prng) != len) {
return CRYPT_ERROR_READPRNG;
}
*outlen = 32;
*outlen = len;
return CRYPT_OK;
}
@ -197,17 +182,14 @@ int rc4_export(unsigned char *out, unsigned long *outlen, prng_state *prng)
int rc4_import(const unsigned char *in, unsigned long inlen, prng_state *prng)
{
int err;
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(prng != NULL);
LTC_ARGCHK(in != NULL);
if (inlen < (unsigned long)rc4_desc.export_size) return CRYPT_INVALID_ARG;
if (inlen != 32) {
return CRYPT_INVALID_ARG;
}
if ((err = rc4_start(prng)) != CRYPT_OK) {
return err;
}
return rc4_add_entropy(in, 32, prng);
if ((err = rc4_start(prng)) != CRYPT_OK) return err;
if ((err = rc4_add_entropy(in, inlen, prng)) != CRYPT_OK) return err;
return CRYPT_OK;
}
/**
@ -216,54 +198,43 @@ int rc4_import(const unsigned char *in, unsigned long inlen, prng_state *prng)
*/
int rc4_test(void)
{
#if !defined(LTC_TEST) || defined(LTC_VALGRIND)
#ifndef LTC_TEST
return CRYPT_NOP;
#else
static const struct {
unsigned char key[8], pt[8], ct[8];
} tests[] = {
{
{ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef },
{ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef },
{ 0x75, 0xb7, 0x87, 0x80, 0x99, 0xe0, 0xc5, 0x96 }
}
};
prng_state prng;
unsigned char dst[8];
int err, x;
prng_state st;
unsigned char en[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14,
0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e,
0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,
0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32 };
unsigned char dmp[500];
unsigned long dmplen = sizeof(dmp);
unsigned char out[1000];
unsigned char t1[] = { 0xE0, 0x4D, 0x9A, 0xF6, 0xA8, 0x9D, 0x77, 0x53, 0xAE, 0x09 };
unsigned char t2[] = { 0x9D, 0x3C, 0xC6, 0x64, 0x36, 0xB6, 0x76, 0xD5, 0xEB, 0x93 };
unsigned char t3[] = { 0x6B, 0x6D, 0xF5, 0xCB, 0x84, 0x37, 0x8F, 0x02, 0xA2, 0x90 };
int err;
if ((err = rc4_start(&st)) != CRYPT_OK) return err;
if ((err = rc4_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err;
if ((err = rc4_ready(&st)) != CRYPT_OK) return err;
if (rc4_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
if (compare_testvector(out, 10, t1, sizeof(t1), "RC4-PRNG", 1)) return CRYPT_FAIL_TESTVECTOR;
if (rc4_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG;
if ((err = rc4_export(dmp, &dmplen, &st)) != CRYPT_OK) return err;
if (rc4_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
if (rc4_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
if (compare_testvector(out, 10, t2, sizeof(t2), "RC4-PRNG", 2)) return CRYPT_FAIL_TESTVECTOR;
if ((err = rc4_done(&st)) != CRYPT_OK) return err;
if ((err = rc4_import(dmp, dmplen, &st)) != CRYPT_OK) return err;
if ((err = rc4_ready(&st)) != CRYPT_OK) return err;
if (rc4_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
if (rc4_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
if (compare_testvector(out, 10, t3, sizeof(t3), "RC4-PRNG", 3)) return CRYPT_FAIL_TESTVECTOR;
if ((err = rc4_done(&st)) != CRYPT_OK) return err;
for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) {
if ((err = rc4_start(&prng)) != CRYPT_OK) {
return err;
}
if ((err = rc4_add_entropy(tests[x].key, 8, &prng)) != CRYPT_OK) {
return err;
}
if ((err = rc4_ready(&prng)) != CRYPT_OK) {
return err;
}
XMEMCPY(dst, tests[x].pt, 8);
if (rc4_read(dst, 8, &prng) != 8) {
return CRYPT_ERROR_READPRNG;
}
rc4_done(&prng);
if (XMEMCMP(dst, tests[x].ct, 8)) {
#if 0
int y;
printf("\n\nLTC_RC4 failed, I got:\n");
for (y = 0; y < 8; y++) printf("%02x ", dst[y]);
printf("\n");
#endif
return CRYPT_FAIL_TESTVECTOR;
}
}
return CRYPT_OK;
#endif
}
#endif
/* $Source$ */
/* $Revision$ */
/* $Date$ */

2
src/prngs/rng_get_bytes.c
View File

@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
*
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
#include "tomcrypt.h"

2
src/prngs/rng_make_prng.c
View File

@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
*
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
#include "tomcrypt.h"

498
src/prngs/sober128.c
View File

@ -5,9 +5,8 @@
*
* The library is free for all purposes without any express
* guarantee it works.
*
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
#include "tomcrypt.h"
/**
@ -18,90 +17,20 @@
#ifdef LTC_SOBER128
#define __LTC_SOBER128TAB_C__
#include "sober128tab.c"
const struct ltc_prng_descriptor sober128_desc =
{
"sober128", 64,
&sober128_start,
&sober128_add_entropy,
&sober128_ready,
&sober128_read,
&sober128_done,
&sober128_export,
&sober128_import,
&sober128_test
"sober128",
40,
&sober128_start,
&sober128_add_entropy,
&sober128_ready,
&sober128_read,
&sober128_done,
&sober128_export,
&sober128_import,
&sober128_test
};
/* don't change these... */
#define N 17
#define FOLD N /* how many iterations of folding to do */
#define INITKONST 0x6996c53a /* value of KONST to use during key loading */
#define KEYP 15 /* where to insert key words */
#define FOLDP 4 /* where to insert non-linear feedback */
#define B(x,i) ((unsigned char)(((x) >> (8*i)) & 0xFF))
static ulong32 BYTE2WORD(unsigned char *b)
{
ulong32 t;
LOAD32L(t, b);
return t;
}
#define WORD2BYTE(w, b) STORE32L(b, w)
static void XORWORD(ulong32 w, unsigned char *b)
{
ulong32 t;
LOAD32L(t, b);
t ^= w;
STORE32L(t, b);
}
/* give correct offset for the current position of the register,
* where logically R[0] is at position "zero".
*/
#define OFF(zero, i) (((zero)+(i)) % N)
/* step the LFSR */
/* After stepping, "zero" moves right one place */
#define STEP(R,z) \
R[OFF(z,0)] = R[OFF(z,15)] ^ R[OFF(z,4)] ^ (R[OFF(z,0)] << 8) ^ Multab[(R[OFF(z,0)] >> 24) & 0xFF];
static void cycle(ulong32 *R)
{
ulong32 t;
int i;
STEP(R,0);
t = R[0];
for (i = 1; i < N; ++i) {
R[i-1] = R[i];
}
R[N-1] = t;
}
/* Return a non-linear function of some parts of the register.
*/
#define NLFUNC(c,z) \
{ \
t = c->R[OFF(z,0)] + c->R[OFF(z,16)]; \
t ^= Sbox[(t >> 24) & 0xFF]; \
t = RORc(t, 8); \
t = ((t + c->R[OFF(z,1)]) ^ c->konst) + c->R[OFF(z,6)]; \
t ^= Sbox[(t >> 24) & 0xFF]; \
t = t + c->R[OFF(z,13)]; \
}
static ulong32 nltap(struct sober128_prng *c)
{
ulong32 t;
NLFUNC(c, 0);
return t;
}
/**
Start the PRNG
@param prng [out] The PRNG state to initialize
@ -109,93 +38,12 @@ static ulong32 nltap(struct sober128_prng *c)
*/
int sober128_start(prng_state *prng)
{
int i;
struct sober128_prng *c;
LTC_ARGCHK(prng != NULL);
c = &(prng->sober128);
/* Register initialised to Fibonacci numbers */
c->R[0] = 1;
c->R[1] = 1;
for (i = 2; i < N; ++i) {
c->R[i] = c->R[i-1] + c->R[i-2];
}
c->konst = INITKONST;
/* next add_entropy will be the key */
c->flag = 1;
c->set = 0;
return CRYPT_OK;
}
/* Save the current register state
*/
static void s128_savestate(struct sober128_prng *c)
{
int i;
for (i = 0; i < N; ++i) {
c->initR[i] = c->R[i];
}
}
/* initialise to previously saved register state
*/
static void s128_reloadstate(struct sober128_prng *c)
{
int i;
for (i = 0; i < N; ++i) {
c->R[i] = c->initR[i];
}
}
/* Initialise "konst"
*/
static void s128_genkonst(struct sober128_prng *c)
{
ulong32 newkonst;
do {
cycle(c->R);
newkonst = nltap(c);
} while ((newkonst & 0xFF000000) == 0);
c->konst = newkonst;
}
/* Load key material into the register
*/
#define ADDKEY(k) \
c->R[KEYP] += (k);
#define XORNL(nl) \
c->R[FOLDP] ^= (nl);
/* nonlinear diffusion of register for key */
#define DROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); c->R[OFF((z+1),FOLDP)] ^= t;
static void s128_diffuse(struct sober128_prng *c)
{
ulong32 t;
/* relies on FOLD == N == 17! */
DROUND(0);
DROUND(1);
DROUND(2);
DROUND(3);
DROUND(4);
DROUND(5);
DROUND(6);
DROUND(7);
DROUND(8);
DROUND(9);
DROUND(10);
DROUND(11);
DROUND(12);
DROUND(13);
DROUND(14);
DROUND(15);
DROUND(16);
LTC_ARGCHK(prng != NULL);
prng->ready = 0;
XMEMSET(&prng->sober128.ent, 0, sizeof(prng->sober128.ent));
prng->sober128.idx = 0;
LTC_MUTEX_INIT(&prng->lock)
return CRYPT_OK;
}
/**
@ -207,63 +55,34 @@ static void s128_diffuse(struct sober128_prng *c)
*/
int sober128_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng)
{
struct sober128_prng *c;
ulong32 i, k;
unsigned char buf[40];
unsigned long i;
int err;
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(prng != NULL);
c = &(prng->sober128);
LTC_ARGCHK(prng != NULL);
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(inlen > 0);
if (c->flag == 1) {
/* this is the first call to the add_entropy so this input is the key */
/* inlen must be multiple of 4 bytes */
if ((inlen & 3) != 0) {
return CRYPT_INVALID_KEYSIZE;
}
for (i = 0; i < inlen; i += 4) {
k = BYTE2WORD((unsigned char *)&in[i]);
ADDKEY(k);
cycle(c->R);
XORNL(nltap(c));
}
/* also fold in the length of the key */
ADDKEY(inlen);
/* now diffuse */
s128_diffuse(c);
s128_genkonst(c);
s128_savestate(c);
c->nbuf = 0;
c->flag = 0;
c->set = 1;
} else {
/* ok we are adding an IV then... */
s128_reloadstate(c);
/* inlen must be multiple of 4 bytes */
if ((inlen & 3) != 0) {
return CRYPT_INVALID_KEYSIZE;
}
for (i = 0; i < inlen; i += 4) {
k = BYTE2WORD((unsigned char *)&in[i]);
ADDKEY(k);
cycle(c->R);
XORNL(nltap(c));
}
/* also fold in the length of the key */
ADDKEY(inlen);
/* now diffuse */
s128_diffuse(c);
c->nbuf = 0;
}
return CRYPT_OK;
LTC_MUTEX_LOCK(&prng->lock);
if (prng->ready) {
/* sober128_ready() was already called, do "rekey" operation */
if ((err = sober128_keystream(&prng->sober128.s, buf, sizeof(buf))) != CRYPT_OK) goto LBL_UNLOCK;
for(i = 0; i < inlen; i++) buf[i % sizeof(buf)] ^= in[i];
/* key 32 bytes, 20 rounds */
if ((err = sober128_setup(&prng->sober128.s, buf, 32)) != CRYPT_OK) goto LBL_UNLOCK;
/* iv 8 bytes */
if ((err = sober128_setiv(&prng->sober128.s, buf + 32, 8)) != CRYPT_OK) goto LBL_UNLOCK;
/* clear KEY + IV */
XMEMSET(buf, 0, sizeof(buf));
}
else {
/* sober128_ready() was not called yet, add entropy to ent buffer */
while (inlen--) prng->sober128.ent[prng->sober128.idx++ % sizeof(prng->sober128.ent)] ^= *in++;
}
err = CRYPT_OK;
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
@ -273,12 +92,23 @@ int sober128_add_entropy(const unsigned char *in, unsigned long inlen, prng_stat
*/
int sober128_ready(prng_state *prng)
{
return prng->sober128.set == 1 ? CRYPT_OK : CRYPT_ERROR;
}
int err;
/* XOR pseudo-random bytes into buffer
*/
#define SROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); XORWORD(t, out+(z*4));
LTC_ARGCHK(prng != NULL);
LTC_MUTEX_LOCK(&prng->lock);
if (prng->ready) { err = CRYPT_OK; goto LBL_UNLOCK; }
/* key 32 bytes, 20 rounds */
if ((err = sober128_setup(&prng->sober128.s, prng->sober128.ent, 32)) != CRYPT_OK) goto LBL_UNLOCK;
/* iv 8 bytes */
if ((err = sober128_setiv(&prng->sober128.s, prng->sober128.ent + 32, 8)) != CRYPT_OK) goto LBL_UNLOCK;
XMEMSET(&prng->sober128.ent, 0, sizeof(prng->sober128.ent));
prng->sober128.idx = 0;
prng->ready = 1;
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
Read from the PRNG
@ -289,75 +119,13 @@ int sober128_ready(prng_state *prng)
*/
unsigned long sober128_read(unsigned char *out, unsigned long outlen, prng_state *prng)
{
struct sober128_prng *c;
ulong32 t, tlen;
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(prng != NULL);
#ifdef LTC_VALGRIND
zeromem(out, outlen);
#endif
c = &(prng->sober128);
tlen = outlen;
/* handle any previously buffered bytes */
while (c->nbuf != 0 && outlen != 0) {
*out++ ^= c->sbuf & 0xFF;
c->sbuf >>= 8;
c->nbuf -= 8;
--outlen;
}
#ifndef LTC_SMALL_CODE
/* do lots at a time, if there's enough to do */
while (outlen >= N*4) {
SROUND(0);
SROUND(1);
SROUND(2);
SROUND(3);
SROUND(4);
SROUND(5);
SROUND(6);
SROUND(7);
SROUND(8);
SROUND(9);
SROUND(10);
SROUND(11);
SROUND(12);
SROUND(13);
SROUND(14);
SROUND(15);
SROUND(16);
out += 4*N;
outlen -= 4*N;
}
#endif
/* do small or odd size buffers the slow way */
while (4 <= outlen) {
cycle(c->R);
t = nltap(c);
XORWORD(t, out);
out += 4;
outlen -= 4;
}
/* handle any trailing bytes */
if (outlen != 0) {
cycle(c->R);
c->sbuf = nltap(c);
c->nbuf = 32;
while (c->nbuf != 0 && outlen != 0) {
*out++ ^= c->sbuf & 0xFF;
c->sbuf >>= 8;
c->nbuf -= 8;
--outlen;
}
}
return tlen;
if (outlen == 0 || prng == NULL || out == NULL) return 0;
LTC_MUTEX_LOCK(&prng->lock);
if (!prng->ready) { outlen = 0; goto LBL_UNLOCK; }
if (sober128_keystream(&prng->sober128.s, out, outlen) != CRYPT_OK) outlen = 0;
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return outlen;
}
/**
@ -367,8 +135,13 @@ unsigned long sober128_read(unsigned char *out, unsigned long outlen, prng_state
*/
int sober128_done(prng_state *prng)
{
int err;
LTC_ARGCHK(prng != NULL);
return CRYPT_OK;
LTC_MUTEX_LOCK(&prng->lock);
prng->ready = 0;
err = sober128_stream_done(&prng->sober128.s);
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
@ -380,20 +153,22 @@ int sober128_done(prng_state *prng)
*/
int sober128_export(unsigned char *out, unsigned long *outlen, prng_state *prng)
{
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(prng != NULL);
unsigned long len = sober128_desc.export_size;
if (*outlen < 64) {
*outlen = 64;
LTC_ARGCHK(prng != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
if (*outlen < len) {
*outlen = len;
return CRYPT_BUFFER_OVERFLOW;
}
if (sober128_read(out, 64, prng) != 64) {
if (sober128_read(out, len, prng) != len) {
return CRYPT_ERROR_READPRNG;
}
*outlen = 64;
*outlen = len;
return CRYPT_OK;
}
@ -407,20 +182,14 @@ int sober128_export(unsigned char *out, unsigned long *outlen, prng_state *prng)
int sober128_import(const unsigned char *in, unsigned long inlen, prng_state *prng)
{
int err;
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(prng != NULL);
LTC_ARGCHK(in != NULL);
if (inlen < (unsigned long)sober128_desc.export_size) return CRYPT_INVALID_ARG;
if (inlen != 64) {
return CRYPT_INVALID_ARG;
}
if ((err = sober128_start(prng)) != CRYPT_OK) {
return err;
}
if ((err = sober128_add_entropy(in, 64, prng)) != CRYPT_OK) {
return err;
}
return sober128_ready(prng);
if ((err = sober128_start(prng)) != CRYPT_OK) return err;
if ((err = sober128_add_entropy(in, inlen, prng)) != CRYPT_OK) return err;
return CRYPT_OK;
}
/**
@ -432,69 +201,44 @@ int sober128_test(void)
#ifndef LTC_TEST
return CRYPT_NOP;
#else
static const struct {
int keylen, ivlen, len;
unsigned char key[16], iv[4], out[20];
} tests[] = {
prng_state st;
unsigned char en[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14,
0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e,
0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,
0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32 };
unsigned char dmp[300];
unsigned long dmplen = sizeof(dmp);
unsigned char out[500];
unsigned char t1[] = { 0x31, 0x82, 0xA7, 0xA5, 0x8B, 0xD7, 0xCB, 0x39, 0x86, 0x1A };
unsigned char t2[] = { 0x6B, 0x43, 0x9E, 0xBC, 0xE7, 0x62, 0x9B, 0xE6, 0x9B, 0x83 };
unsigned char t3[] = { 0x4A, 0x0E, 0x6C, 0xC1, 0xCF, 0xB4, 0x73, 0x49, 0x99, 0x05 };
int err;
{
16, 4, 20,
if ((err = sober128_start(&st)) != CRYPT_OK) return err;
/* add entropy to uninitialized prng */
if ((err = sober128_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err;
if ((err = sober128_ready(&st)) != CRYPT_OK) return err;
if (sober128_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
if (compare_testvector(out, 10, t1, sizeof(t1), "SOBER128-PRNG", 1)) return CRYPT_FAIL_TESTVECTOR;
if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
/* add entropy to already initialized prng */
if ((err = sober128_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err;
if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
if ((err = sober128_export(dmp, &dmplen, &st)) != CRYPT_OK) return err;
if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
if (sober128_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
if (compare_testvector(out, 10, t2, sizeof(t2), "SOBER128-PRNG", 2)) return CRYPT_FAIL_TESTVECTOR;
if ((err = sober128_done(&st)) != CRYPT_OK) return err;
if ((err = sober128_import(dmp, dmplen, &st)) != CRYPT_OK) return err;
if ((err = sober128_ready(&st)) != CRYPT_OK) return err;
if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
if (sober128_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
if (compare_testvector(out, 10, t3, sizeof(t3), "SOBER128-PRNG", 3)) return CRYPT_FAIL_TESTVECTOR;
if ((err = sober128_done(&st)) != CRYPT_OK) return err;
/* key */
{ 0x74, 0x65, 0x73, 0x74, 0x20, 0x6b, 0x65, 0x79,
0x20, 0x31, 0x32, 0x38, 0x62, 0x69, 0x74, 0x73 },
/* IV */
{ 0x00, 0x00, 0x00, 0x00 },
/* expected output */
{ 0x43, 0x50, 0x0c, 0xcf, 0x89, 0x91, 0x9f, 0x1d,
0xaa, 0x37, 0x74, 0x95, 0xf4, 0xb4, 0x58, 0xc2,
0x40, 0x37, 0x8b, 0xbb }
}
};
prng_state prng;
unsigned char dst[20];
int err, x;
for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) {
if ((err = sober128_start(&prng)) != CRYPT_OK) {
return err;
}
if ((err = sober128_add_entropy(tests[x].key, tests[x].keylen, &prng)) != CRYPT_OK) {
return err;
}
/* add IV */
if ((err = sober128_add_entropy(tests[x].iv, tests[x].ivlen, &prng)) != CRYPT_OK) {
return err;
}
/* ready up */
if ((err = sober128_ready(&prng)) != CRYPT_OK) {
return err;
}
XMEMSET(dst, 0, tests[x].len);
if (sober128_read(dst, tests[x].len, &prng) != (unsigned long)tests[x].len) {
return CRYPT_ERROR_READPRNG;
}
sober128_done(&prng);
if (XMEMCMP(dst, tests[x].out, tests[x].len)) {
#if 0
printf("\n\nLTC_SOBER128 failed, I got:\n");
for (y = 0; y < tests[x].len; y++) printf("%02x ", dst[y]);
printf("\n");
#endif
return CRYPT_FAIL_TESTVECTOR;
}
}
return CRYPT_OK;
#endif
}
#endif
/* $Source$ */
/* $Revision$ */
/* $Date$ */

2
src/prngs/sprng.c
View File

@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
*
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
#include "tomcrypt.h"

95
src/prngs/yarrow.c
View File

@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
*
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
#include "tomcrypt.h"
@ -40,6 +38,7 @@ int yarrow_start(prng_state *prng)
int err;
LTC_ARGCHK(prng != NULL);
prng->ready = 0;
/* these are the default hash/cipher combo used */
#ifdef LTC_RIJNDAEL
@ -120,7 +119,7 @@ int yarrow_start(prng_state *prng)
/* zero the memory used */
zeromem(prng->yarrow.pool, sizeof(prng->yarrow.pool));
LTC_MUTEX_INIT(&prng->yarrow.prng_lock)
LTC_MUTEX_INIT(&prng->lock)
return CRYPT_OK;
}
@ -137,43 +136,38 @@ int yarrow_add_entropy(const unsigned char *in, unsigned long inlen, prng_state
hash_state md;
int err;
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(prng != NULL);
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(inlen > 0);
LTC_MUTEX_LOCK(&prng->yarrow.prng_lock);
LTC_MUTEX_LOCK(&prng->lock);
if ((err = hash_is_valid(prng->yarrow.hash)) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return err;
goto LBL_UNLOCK;
}
/* start the hash */
if ((err = hash_descriptor[prng->yarrow.hash].init(&md)) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return err;
goto LBL_UNLOCK;
}
/* hash the current pool */
if ((err = hash_descriptor[prng->yarrow.hash].process(&md, prng->yarrow.pool,
hash_descriptor[prng->yarrow.hash].hashsize)) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return err;
goto LBL_UNLOCK;
}
/* add the new entropy */
if ((err = hash_descriptor[prng->yarrow.hash].process(&md, in, inlen)) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return err;
goto LBL_UNLOCK;
}
/* store result */
if ((err = hash_descriptor[prng->yarrow.hash].done(&md, prng->yarrow.pool)) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return err;
}
err = hash_descriptor[prng->yarrow.hash].done(&md, prng->yarrow.pool);
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return CRYPT_OK;
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
@ -186,23 +180,21 @@ int yarrow_ready(prng_state *prng)
int ks, err;
LTC_ARGCHK(prng != NULL);
LTC_MUTEX_LOCK(&prng->yarrow.prng_lock);
LTC_MUTEX_LOCK(&prng->lock);
if ((err = hash_is_valid(prng->yarrow.hash)) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return err;
goto LBL_UNLOCK;
}
if ((err = cipher_is_valid(prng->yarrow.cipher)) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return err;
goto LBL_UNLOCK;
}
/* setup CTR mode using the "pool" as the key */
ks = (int)hash_descriptor[prng->yarrow.hash].hashsize;
if ((err = cipher_descriptor[prng->yarrow.cipher].keysize(&ks)) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return err;
goto LBL_UNLOCK;
}
if ((err = ctr_start(prng->yarrow.cipher, /* what cipher to use */
@ -211,11 +203,13 @@ int yarrow_ready(prng_state *prng)
0, /* number of rounds */
CTR_COUNTER_LITTLE_ENDIAN, /* little endian counter */
&prng->yarrow.ctr)) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return err;
goto LBL_UNLOCK;
}
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return CRYPT_OK;
prng->ready = 1;
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
/**
@ -227,20 +221,25 @@ int yarrow_ready(prng_state *prng)
*/
unsigned long yarrow_read(unsigned char *out, unsigned long outlen, prng_state *prng)
{
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(prng != NULL);
if (outlen == 0 || prng == NULL || out == NULL) return 0;
LTC_MUTEX_LOCK(&prng->yarrow.prng_lock);
LTC_MUTEX_LOCK(&prng->lock);
if (!prng->ready) {
outlen = 0;
goto LBL_UNLOCK;
}
/* put out in predictable state first */
zeromem(out, outlen);
/* now randomize it */
if (ctr_encrypt(out, out, outlen, &prng->yarrow.ctr) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return 0;
outlen = 0;
}
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
LBL_UNLOCK:
LTC_MUTEX_UNLOCK(&prng->lock);
return outlen;
}
@ -254,14 +253,15 @@ int yarrow_done(prng_state *prng)
int err;
LTC_ARGCHK(prng != NULL);
LTC_MUTEX_LOCK(&prng->yarrow.prng_lock);
LTC_MUTEX_LOCK(&prng->lock);
prng->ready = 0;
/* call cipher done when we invent one ;-) */
/* we invented one */
err = ctr_done(&prng->yarrow.ctr);
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
LTC_MUTEX_UNLOCK(&prng->lock);
return err;
}
@ -277,22 +277,19 @@ int yarrow_export(unsigned char *out, unsigned long *outlen, prng_state *prng)
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(prng != NULL);
LTC_MUTEX_LOCK(&prng->yarrow.prng_lock);
if (!prng->ready) return CRYPT_ERROR;
/* we'll write 64 bytes for s&g's */
if (*outlen < 64) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
*outlen = 64;
return CRYPT_BUFFER_OVERFLOW;
}
if (yarrow_read(out, 64, prng) != 64) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return CRYPT_ERROR_READPRNG;
}
*outlen = 64;
*outlen = 64;
return CRYPT_OK;
}
@ -310,20 +307,16 @@ int yarrow_import(const unsigned char *in, unsigned long inlen, prng_state *prng
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(prng != NULL);
LTC_MUTEX_LOCK(&prng->yarrow.prng_lock);
if (inlen != 64) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return CRYPT_INVALID_ARG;
}
if ((err = yarrow_start(prng)) != CRYPT_OK) {
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return err;
}
err = yarrow_add_entropy(in, 64, prng);
LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock);
return err;
if ((err = yarrow_add_entropy(in, 64, prng)) != CRYPT_OK) {
return err;
}
return CRYPT_OK;
}
/**

2
src/stream/chacha/chacha_crypt.c
View File

@ -14,7 +14,7 @@
#include "tomcrypt.h"
#ifdef LTC_CHACHA
#ifdef LTC_CHACHA_STREAM
#define QUARTERROUND(a,b,c,d) \
x[a] += x[b]; x[d] = ROL(x[d] ^ x[a], 16); \

2
src/stream/chacha/chacha_done.c
View File

@ -9,7 +9,7 @@
#include "tomcrypt.h"
#ifdef LTC_CHACHA
#ifdef LTC_CHACHA_STREAM
/**
Terminate and clear ChaCha state

2
src/stream/chacha/chacha_ivctr32.c
View File

@ -14,7 +14,7 @@
#include "tomcrypt.h"
#ifdef LTC_CHACHA
#ifdef LTC_CHACHA_STREAM
/**
Set IV + counter data to the ChaCha state

2
src/stream/chacha/chacha_ivctr64.c
View File

@ -14,7 +14,7 @@
#include "tomcrypt.h"
#ifdef LTC_CHACHA
#ifdef LTC_CHACHA_STREAM
/**
Set IV + counter data to the ChaCha state

2
src/stream/chacha/chacha_keystream.c
View File

@ -14,7 +14,7 @@
#include "tomcrypt.h"
#ifdef LTC_CHACHA
#ifdef LTC_CHACHA_STREAM
/**
Generate a stream of random bytes via ChaCha

2
src/stream/chacha/chacha_setup.c
View File

@ -14,7 +14,7 @@
#include "tomcrypt.h"
#ifdef LTC_CHACHA
#ifdef LTC_CHACHA_STREAM
static const char * const sigma = "expand 32-byte k";
static const char * const tau = "expand 16-byte k";

35
src/stream/chacha/chacha_test.c
View File

@ -14,7 +14,7 @@
#include "tomcrypt.h"
#ifdef LTC_CHACHA
#ifdef LTC_CHACHA_STREAM
int chacha_test(void)
{
@ -37,27 +37,28 @@ int chacha_test(void)
0x87, 0x4D };
char pt[] = "Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it.";
chacha_state st;
int err;
len = strlen(pt);
/* crypt piece by piece */
chacha_setup(&st, k, sizeof(k), 20);
chacha_ivctr32(&st, n, sizeof(n), 1);
chacha_crypt(&st, (unsigned char*)pt, 35, out);
chacha_crypt(&st, (unsigned char*)pt + 35, 35, out + 35);
chacha_crypt(&st, (unsigned char*)pt + 70, 5, out + 70);
chacha_crypt(&st, (unsigned char*)pt + 75, 5, out + 75);
chacha_crypt(&st, (unsigned char*)pt + 80, len - 80, out + 80);
if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV1", 1)) return CRYPT_FAIL_TESTVECTOR;
if ((err = chacha_setup(&st, k, sizeof(k), 20)) != CRYPT_OK) return err;
if ((err = chacha_ivctr32(&st, n, sizeof(n), 1)) != CRYPT_OK) return err;
if ((err = chacha_crypt(&st, (unsigned char*)pt, 35, out)) != CRYPT_OK) return err;
if ((err = chacha_crypt(&st, (unsigned char*)pt + 35, 35, out + 35)) != CRYPT_OK) return err;
if ((err = chacha_crypt(&st, (unsigned char*)pt + 70, 5, out + 70)) != CRYPT_OK) return err;
if ((err = chacha_crypt(&st, (unsigned char*)pt + 75, 5, out + 75)) != CRYPT_OK) return err;
if ((err = chacha_crypt(&st, (unsigned char*)pt + 80, len - 80, out + 80)) != CRYPT_OK) return err;
if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV1", 1)) return CRYPT_FAIL_TESTVECTOR;
/* crypt in one go */
chacha_setup(&st, k, sizeof(k), 20);
chacha_ivctr32(&st, n, sizeof(n), 1);
chacha_crypt(&st, (unsigned char*)pt, len, out);
if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV2", 1)) return CRYPT_FAIL_TESTVECTOR;
if ((err = chacha_setup(&st, k, sizeof(k), 20)) != CRYPT_OK) return err;
if ((err = chacha_ivctr32(&st, n, sizeof(n), 1)) != CRYPT_OK) return err;
if ((err = chacha_crypt(&st, (unsigned char*)pt, len, out)) != CRYPT_OK) return err;
if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV2", 1)) return CRYPT_FAIL_TESTVECTOR;
/* crypt in one go - using chacha_ivctr64() */
chacha_setup(&st, k, sizeof(k), 20);
chacha_ivctr64(&st, n + 4, sizeof(n) - 4, 1);
chacha_crypt(&st, (unsigned char*)pt, len, out);
if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV3", 1)) return CRYPT_FAIL_TESTVECTOR;
if ((err = chacha_setup(&st, k, sizeof(k), 20)) != CRYPT_OK) return err;
if ((err = chacha_ivctr64(&st, n + 4, sizeof(n) - 4, 1)) != CRYPT_OK) return err;
if ((err = chacha_crypt(&st, (unsigned char*)pt, len, out)) != CRYPT_OK) return err;
if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV3", 1)) return CRYPT_FAIL_TESTVECTOR;
return CRYPT_OK;
#endif

107
src/stream/rc4/rc4.c Normal file
View File

@ -0,0 +1,107 @@
/* LibTomCrypt, modular cryptographic library -- Tom St Denis
*
* LibTomCrypt is a library that provides various cryptographic
* algorithms in a highly modular and flexible manner.
*
* The library is free for all purposes without any express
* guarantee it works.
*/
#include "tomcrypt.h"
#ifdef LTC_RC4_STREAM
/**
Initialize an RC4 context (only the key)
@param st [out] The destination of the RC4 state
@param key The secret key
@param keylen The length of the secret key (8 - 256 bytes)
@return CRYPT_OK if successful
*/
int rc4_setup(rc4_state *st, const unsigned char *key, unsigned long keylen)
{
unsigned char tmp, *s;
int x, y;
unsigned long j;
LTC_ARGCHK(st != NULL);
LTC_ARGCHK(key != NULL);
LTC_ARGCHK(keylen >= 5); /* 40-2048 bits */
s = st->buf;
for (x = 0; x < 256; x++) {
s[x] = x;
}
for (j = x = y = 0; x < 256; x++) {
y = (y + s[x] + key[j++]) & 255;
if (j == keylen) {
j = 0;
}
tmp = s[x]; s[x] = s[y]; s[y] = tmp;
}
st->x = 0;
st->y = 0;
return CRYPT_OK;
}
/**
Encrypt (or decrypt) bytes of ciphertext (or plaintext) with RC4
@param st The RC4 state
@param in The plaintext (or ciphertext)
@param inlen The length of the input (octets)
@param out [out] The ciphertext (or plaintext), length inlen
@return CRYPT_OK if successful
*/
int rc4_crypt(rc4_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out)
{
unsigned char x, y, *s, tmp;
LTC_ARGCHK(st != NULL);
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(out != NULL);
x = st->x;
y = st->y;
s = st->buf;
while (inlen--) {
x = (x + 1) & 255;
y = (y + s[x]) & 255;
tmp = s[x]; s[x] = s[y]; s[y] = tmp;
tmp = (s[x] + s[y]) & 255;
*out++ = *in++ ^ s[tmp];
}
st->x = x;
st->y = y;
return CRYPT_OK;
}
/**
Generate a stream of random bytes via RC4
@param st The RC420 state
@param out [out] The output buffer
@param outlen The output length
@return CRYPT_OK on success
*/
int rc4_keystream(rc4_state *st, unsigned char *out, unsigned long outlen)
{
if (outlen == 0) return CRYPT_OK; /* nothing to do */
LTC_ARGCHK(out != NULL);
XMEMSET(out, 0, outlen);
return rc4_crypt(st, out, outlen, out);
}
/**
Terminate and clear RC4 state
@param st The RC4 state
@return CRYPT_OK on success
*/
int rc4_stream_done(rc4_state *st)
{
LTC_ARGCHK(st != NULL);
XMEMSET(st, 0, sizeof(rc4_state));
return CRYPT_OK;
}
#endif

35
src/stream/rc4/rc4_test.c Normal file
View File

@ -0,0 +1,35 @@
/* LibTomCrypt, modular cryptographic library -- Tom St Denis
*
* LibTomCrypt is a library that provides various cryptographic
* algorithms in a highly modular and flexible manner.
*
* The library is free for all purposes without any express
* guarantee it works.
*/
#include "tomcrypt.h"
#ifdef LTC_RC4_STREAM
int rc4_test(void)
{
#ifndef LTC_TEST
return CRYPT_NOP;
#else
rc4_state st;
int err;
const unsigned char key[] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
const unsigned char pt[] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
const unsigned char ct[] = { 0x75, 0xb7, 0x87, 0x80, 0x99, 0xe0, 0xc5, 0x96 };
unsigned char buf[10];
if ((err = rc4_setup(&st, key, sizeof(key))) != CRYPT_OK) return err;
if ((err = rc4_crypt(&st, pt, sizeof(pt), buf)) != CRYPT_OK) return err;
if (XMEMCMP(buf, ct, sizeof(ct))) return CRYPT_FAIL_TESTVECTOR;
if ((err = rc4_stream_done(&st)) != CRYPT_OK) return err;
return CRYPT_OK;
#endif
}
#endif

344
src/stream/sober128/sober128.c Normal file
View File

@ -0,0 +1,344 @@
/* LibTomCrypt, modular cryptographic library -- Tom St Denis
*
* LibTomCrypt is a library that provides various cryptographic
* algorithms in a highly modular and flexible manner.
*
* The library is free for all purposes without any express
* guarantee it works.
*
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
#include "tomcrypt.h"
/**
@file sober128.c
Implementation of SOBER-128 by Tom St Denis.
Based on s128fast.c reference code supplied by Greg Rose of QUALCOMM.
*/
#ifdef LTC_SOBER128
#define __LTC_SOBER128TAB_C__
#include "sober128tab.c"
/* don't change these... */
#define N 17
#define FOLD N /* how many iterations of folding to do */
#define INITKONST 0x6996c53a /* value of KONST to use during key loading */
#define KEYP 15 /* where to insert key words */
#define FOLDP 4 /* where to insert non-linear feedback */
#define B(x,i) ((unsigned char)(((x) >> (8*i)) & 0xFF))
static ulong32 BYTE2WORD(unsigned char *b)
{
ulong32 t;
LOAD32L(t, b);
return t;
}
static void XORWORD(ulong32 w, const unsigned char *in, unsigned char *out)
{
ulong32 t;
LOAD32L(t, in);
t ^= w;
STORE32L(t, out);
}
/* give correct offset for the current position of the register,
* where logically R[0] is at position "zero".
*/
#define OFF(zero, i) (((zero)+(i)) % N)
/* step the LFSR */
/* After stepping, "zero" moves right one place */
#define STEP(R,z) \
R[OFF(z,0)] = R[OFF(z,15)] ^ R[OFF(z,4)] ^ (R[OFF(z,0)] << 8) ^ Multab[(R[OFF(z,0)] >> 24) & 0xFF];
static void cycle(ulong32 *R)
{
ulong32 t;
int i;
STEP(R,0);
t = R[0];
for (i = 1; i < N; ++i) {
R[i-1] = R[i];
}
R[N-1] = t;
}
/* Return a non-linear function of some parts of the register.
*/
#define NLFUNC(c,z) \
{ \
t = c->R[OFF(z,0)] + c->R[OFF(z,16)]; \
t ^= Sbox[(t >> 24) & 0xFF]; \
t = RORc(t, 8); \
t = ((t + c->R[OFF(z,1)]) ^ c->konst) + c->R[OFF(z,6)]; \
t ^= Sbox[(t >> 24) & 0xFF]; \
t = t + c->R[OFF(z,13)]; \
}
static ulong32 nltap(sober128_state *c)
{
ulong32 t;
NLFUNC(c, 0);
return t;
}
/* Save the current register state
*/
static void s128_savestate(sober128_state *c)
{
int i;
for (i = 0; i < N; ++i) {
c->initR[i] = c->R[i];
}
}
/* initialise to previously saved register state
*/
static void s128_reloadstate(sober128_state *c)
{
int i;
for (i = 0; i < N; ++i) {
c->R[i] = c->initR[i];
}
}
/* Initialise "konst"
*/
static void s128_genkonst(sober128_state *c)
{
ulong32 newkonst;
do {
cycle(c->R);
newkonst = nltap(c);
} while ((newkonst & 0xFF000000) == 0);
c->konst = newkonst;
}
/* Load key material into the register
*/
#define ADDKEY(k) \
c->R[KEYP] += (k);
#define XORNL(nl) \
c->R[FOLDP] ^= (nl);
/* nonlinear diffusion of register for key */
#define DROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); c->R[OFF((z+1),FOLDP)] ^= t;
static void s128_diffuse(sober128_state *c)
{
ulong32 t;
/* relies on FOLD == N == 17! */
DROUND(0);
DROUND(1);
DROUND(2);
DROUND(3);
DROUND(4);
DROUND(5);
DROUND(6);
DROUND(7);
DROUND(8);
DROUND(9);
DROUND(10);
DROUND(11);
DROUND(12);
DROUND(13);
DROUND(14);
DROUND(15);
DROUND(16);
}
/**
Initialize an Sober128 context (only the key)
@param c [out] The destination of the Sober128 state
@param key The secret key
@param keylen The length of the secret key (octets)
@return CRYPT_OK if successful
*/
int sober128_setup(sober128_state *c, const unsigned char *key, unsigned long keylen)
{
ulong32 i, k;
LTC_ARGCHK(c != NULL);
LTC_ARGCHK(key != NULL);
LTC_ARGCHK(keylen > 0);
/* keylen must be multiple of 4 bytes */
if ((keylen & 3) != 0) {
return CRYPT_INVALID_KEYSIZE;
}
/* Register initialised to Fibonacci numbers */
c->R[0] = 1;
c->R[1] = 1;
for (i = 2; i < N; ++i) {
c->R[i] = c->R[i-1] + c->R[i-2];
}
c->konst = INITKONST;
for (i = 0; i < keylen; i += 4) {
k = BYTE2WORD((unsigned char *)&key[i]);
ADDKEY(k);
cycle(c->R);
XORNL(nltap(c));
}
/* also fold in the length of the key */
ADDKEY(keylen);
/* now diffuse */
s128_diffuse(c);
s128_genkonst(c);
s128_savestate(c);
c->nbuf = 0;
return CRYPT_OK;
}
/**
Set IV to the Sober128 state
@param c The Sober12820 state
@param iv The IV data to add
@param inlen The length of the IV (must be 12)
@return CRYPT_OK on success
*/
int sober128_setiv(sober128_state *c, const unsigned char *iv, unsigned long ivlen)
{
ulong32 i, k;
LTC_ARGCHK(c != NULL);
LTC_ARGCHK(iv != NULL);
LTC_ARGCHK(ivlen > 0);
/* ok we are adding an IV then... */
s128_reloadstate(c);
/* ivlen must be multiple of 4 bytes */
if ((ivlen & 3) != 0) {
return CRYPT_INVALID_KEYSIZE;
}
for (i = 0; i < ivlen; i += 4) {
k = BYTE2WORD((unsigned char *)&iv[i]);
ADDKEY(k);
cycle(c->R);
XORNL(nltap(c));
}
/* also fold in the length of the key */
ADDKEY(ivlen);
/* now diffuse */
s128_diffuse(c);
c->nbuf = 0;
return CRYPT_OK;
}
/* XOR pseudo-random bytes into buffer
*/
#define SROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); XORWORD(t, in+(z*4), out+(z*4));
/**
Encrypt (or decrypt) bytes of ciphertext (or plaintext) with Sober128
@param c The Sober128 state
@param in The plaintext (or ciphertext)
@param inlen The length of the input (octets)
@param out [out] The ciphertext (or plaintext), length inlen
@return CRYPT_OK if successful
*/
int sober128_crypt(sober128_state *c, const unsigned char *in, unsigned long inlen, unsigned char *out)
{
ulong32 t;
if (inlen == 0) return CRYPT_OK; /* nothing to do */
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(c != NULL);
/* handle any previously buffered bytes */
while (c->nbuf != 0 && inlen != 0) {
*out++ = *in++ ^ (c->sbuf & 0xFF);
c->sbuf >>= 8;
c->nbuf -= 8;
--inlen;
}
#ifndef LTC_SMALL_CODE
/* do lots at a time, if there's enough to do */
while (inlen >= N*4) {
SROUND(0);
SROUND(1);
SROUND(2);
SROUND(3);
SROUND(4);
SROUND(5);
SROUND(6);
SROUND(7);
SROUND(8);
SROUND(9);
SROUND(10);
SROUND(11);
SROUND(12);
SROUND(13);
SROUND(14);
SROUND(15);
SROUND(16);
out += 4*N;
in += 4*N;
inlen -= 4*N;
}
#endif
/* do small or odd size buffers the slow way */
while (4 <= inlen) {
cycle(c->R);
t = nltap(c);
XORWORD(t, in, out);
out += 4;
in += 4;
inlen -= 4;
}
/* handle any trailing bytes */
if (inlen != 0) {
cycle(c->R);
c->sbuf = nltap(c);
c->nbuf = 32;
while (c->nbuf != 0 && inlen != 0) {
*out++ = *in++ ^ (c->sbuf & 0xFF);
c->sbuf >>= 8;
c->nbuf -= 8;
--inlen;
}
}
return CRYPT_OK;
}
int sober128_keystream(sober128_state *c, unsigned char *out, unsigned long outlen)
{
if (outlen == 0) return CRYPT_OK; /* nothing to do */
LTC_ARGCHK(out != NULL);
XMEMSET(out, 0, outlen);
return sober128_crypt(c, out, outlen, out);
}
/**
Terminate and clear Sober128 state
@param c The Sober128 state
@return CRYPT_OK on success
*/
int sober128_stream_done(sober128_state *c)
{
LTC_ARGCHK(c != NULL);
XMEMSET(c, 0, sizeof(sober128_state));
return CRYPT_OK;
}
#endif

49
src/stream/sober128/sober128_test.c Normal file
View File

@ -0,0 +1,49 @@
/* LibTomCrypt, modular cryptographic library -- Tom St Denis
*
* LibTomCrypt is a library that provides various cryptographic
* algorithms in a highly modular and flexible manner.
*
* The library is free for all purposes without any express
* guarantee it works.
*/
#include "tomcrypt.h"
#ifdef LTC_SOBER128
int sober128_test(void)
{
#ifndef LTC_TEST
return CRYPT_NOP;
#else
unsigned char key[16] = { 0x74, 0x65, 0x73, 0x74, 0x20, 0x6b, 0x65, 0x79,
0x20, 0x31, 0x32, 0x38, 0x62, 0x69, 0x74, 0x73 };
unsigned char iv[4] = { 0x00, 0x00, 0x00, 0x00 };
unsigned char out[20] = { 0x43, 0x50, 0x0c, 0xcf, 0x89, 0x91, 0x9f, 0x1d,
0xaa, 0x37, 0x74, 0x95, 0xf4, 0xb4, 0x58, 0xc2,
0x40, 0x37, 0x8b, 0xbb };
int err, len = 20;
unsigned char src[20], dst[20];
sober128_state st;
XMEMSET(src, 0, len); /* input */
if ((err = sober128_setup(&st, key, sizeof(key))) != CRYPT_OK) return err;
if ((err = sober128_setiv(&st, iv, sizeof(iv))) != CRYPT_OK) return err;
if ((err = sober128_crypt(&st, src, len, dst)) != CRYPT_OK) return err;
if ((err = sober128_stream_done(&st)) != CRYPT_OK) return err;
if (XMEMCMP(dst, out, len)) {
#if 0
int y;
printf("\nLTC_SOBER128 failed, I got:\n");
for (y = 0; y < len; y++) printf("%02x ", dst[y]);
printf("\nLTC_SOBER128 failed, expected:\n");
for (y = 0; y < len; y++) printf("%02x ", out[y]);
printf("\n");
#endif
return CRYPT_FAIL_TESTVECTOR;
}
return CRYPT_OK;
#endif
}
#endif

0
src/prngs/sober128tab.c → src/stream/sober128/sober128tab.c
View File

10
testprof/cipher_hash_test.c
View File

@ -14,10 +14,16 @@ int cipher_hash_test(void)
DOX(cipher_descriptor[x].test(), cipher_descriptor[x].name);
}
#ifdef LTC_CHACHA
/* ChaCha is a special case (stream cipher) */
/* stream ciphers */
#ifdef LTC_CHACHA_STREAM
DO(chacha_test());
#endif
#ifdef LTC_RC4_STREAM
DO(rc4_test());
#endif
#ifdef LTC_SOBER128_STREAM
DO(sober128_test());
#endif
/* test hashes */
for (x = 0; hash_descriptor[x].name != NULL; x++) {

4
testprof/x86_prof.c
View File

@ -342,7 +342,7 @@ static void _unregister_all(void)
#ifdef LTC_RC4
unregister_prng(&rc4_desc);
#endif
#ifdef LTC_CHACHA
#ifdef LTC_CHACHA_PRNG
unregister_prng(&chacha20_prng_desc);
#endif
#ifdef LTC_SOBER128
@ -524,7 +524,7 @@ register_prng(&fortuna_desc);
#ifdef LTC_RC4
register_prng(&rc4_desc);
#endif
#ifdef LTC_CHACHA
#ifdef LTC_CHACHA_PRNG
register_prng(&chacha20_prng_desc);
#endif
#ifdef LTC_SOBER128