diff --git a/src/headers/tomcrypt_cipher.h b/src/headers/tomcrypt_cipher.h index 03cf80d..acb6200 100644 --- a/src/headers/tomcrypt_cipher.h +++ b/src/headers/tomcrypt_cipher.h @@ -939,7 +939,7 @@ LTC_MUTEX_PROTO(ltc_cipher_mutex) /* ---- stream ciphers ---- */ -#ifdef LTC_CHACHA +#ifdef LTC_CHACHA_STREAM typedef struct { ulong32 input[16]; @@ -957,7 +957,41 @@ int chacha_keystream(chacha_state *st, unsigned char *out, unsigned long outlen) int chacha_done(chacha_state *st); int chacha_test(void); -#endif /* LTC_CHACHA */ +#endif /* LTC_CHACHA_STREAM */ + +#ifdef LTC_RC4_STREAM + +typedef struct { + int x, y; + unsigned char buf[256]; +} rc4_state; + +int rc4_setup(rc4_state *st, const unsigned char *key, unsigned long keylen); +int rc4_crypt(rc4_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out); +int rc4_keystream(rc4_state *st, unsigned char *out, unsigned long outlen); +int rc4_stream_done(rc4_state *st); +int rc4_test(void); + +#endif /* LTC_RC4_STREAM */ + +#ifdef LTC_SOBER128_STREAM + +typedef struct { + ulong32 R[17], /* Working storage for the shift register */ + initR[17], /* saved register contents */ + konst, /* key dependent constant */ + sbuf; /* partial word encryption buffer */ + int nbuf; /* number of part-word stream bits buffered */ +} sober128_state; + +int sober128_setup(sober128_state *st, const unsigned char *key, unsigned long keylen); +int sober128_setiv(sober128_state *st, const unsigned char *iv, unsigned long ivlen); +int sober128_crypt(sober128_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out); +int sober128_keystream(sober128_state *st, unsigned char *out, unsigned long outlen); +int sober128_stream_done(sober128_state *st); +int sober128_test(void); + +#endif /* LTC_SOBER128_STREAM */ /* $Source$ */ /* $Revision$ */ diff --git a/src/headers/tomcrypt_custom.h b/src/headers/tomcrypt_custom.h index 944b02b..831c541 100644 --- a/src/headers/tomcrypt_custom.h +++ b/src/headers/tomcrypt_custom.h @@ -189,8 +189,11 @@ #define LTC_KASUMI #define LTC_MULTI2 #define LTC_CAMELLIA -/* ChaCha is special (a stream cipher) */ -#define LTC_CHACHA + +/* stream ciphers */ +#define LTC_CHACHA_STREAM +#define LTC_RC4_STREAM +#define LTC_SOBER128_STREAM #endif /* LTC_NO_CIPHERS */ @@ -295,7 +298,7 @@ /* a PRNG that simply reads from an available system source */ #define LTC_SPRNG -/* The LTC_RC4 stream cipher */ +/* The RC4 stream cipher based PRNG */ #define LTC_RC4 /* The ChaCha20 stream cipher based PRNG */ @@ -304,7 +307,7 @@ /* Fortuna PRNG */ #define LTC_FORTUNA -/* Greg's LTC_SOBER128 PRNG ;-0 */ +/* Greg's SOBER128 stream cipher based PRNG */ #define LTC_SOBER128 /* the *nix style /dev/random device */ @@ -515,12 +518,20 @@ #error PK requires ASN.1 DER functionality, make sure LTC_DER is enabled #endif -#if defined(LTC_CHACHA20POLY1305_MODE) && (!defined(LTC_CHACHA) || !defined(LTC_POLY1305)) - #error LTC_CHACHA20POLY1305_MODE requires LTC_CHACHA + LTC_POLY1305 +#if defined(LTC_CHACHA20POLY1305_MODE) && (!defined(LTC_CHACHA_STREAM) || !defined(LTC_POLY1305)) + #error LTC_CHACHA20POLY1305_MODE requires LTC_CHACHA_STREAM + LTC_POLY1305 #endif -#if defined(LTC_CHACHA20_PRNG) && !defined(LTC_CHACHA) - #error LTC_CHACHA20_PRNG requires LTC_CHACHA +#if defined(LTC_CHACHA20_PRNG) && !defined(LTC_CHACHA_STREAM) + #error LTC_CHACHA20_PRNG requires LTC_CHACHA_STREAM +#endif + +#if defined(LTC_RC4) && !defined(LTC_RC4_STREAM) + #error LTC_RC4 requires LTC_RC4_STREAM +#endif + +#if defined(LTC_SOBER128) && !defined(LTC_SOBER128_STREAM) + #error LTC_SOBER128 requires LTC_SOBER128_STREAM #endif #if defined(LTC_BLAKE2SMAC) && !defined(LTC_BLAKE2S) @@ -557,7 +568,7 @@ /* Debuggers */ -/* define this if you use Valgrind, note: it CHANGES the way SOBER-128 and LTC_RC4 work (see the code) */ +/* define this if you use Valgrind, note: it CHANGES the way SOBER-128 and RC4 work (see the code) */ /* #define LTC_VALGRIND */ #endif diff --git a/src/headers/tomcrypt_prng.h b/src/headers/tomcrypt_prng.h index 1b91ec6..b90d36b 100644 --- a/src/headers/tomcrypt_prng.h +++ b/src/headers/tomcrypt_prng.h @@ -4,14 +4,12 @@ struct yarrow_prng { int cipher, hash; unsigned char pool[MAXBLOCKSIZE]; symmetric_CTR ctr; - LTC_MUTEX_TYPE(prng_lock) }; #endif #ifdef LTC_RC4 struct rc4_prng { - int x, y; - unsigned char buf[256]; + rc4_state s; }; #endif @@ -20,7 +18,6 @@ struct chacha20_prng { chacha_state s; /* chacha state */ unsigned char ent[40]; /* entropy buffer */ unsigned long idx; /* entropy counter */ - short ready; /* ready flag 0-1 */ }; #endif @@ -38,41 +35,38 @@ struct fortuna_prng { wd; ulong64 reset_cnt; /* number of times we have reset */ - LTC_MUTEX_TYPE(prng_lock) }; #endif #ifdef LTC_SOBER128 struct sober128_prng { - ulong32 R[17], /* Working storage for the shift register */ - initR[17], /* saved register contents */ - konst, /* key dependent constant */ - sbuf; /* partial word encryption buffer */ - - int nbuf, /* number of part-word stream bits buffered */ - flag, /* first add_entropy call or not? */ - set; /* did we call add_entropy to set key? */ - + sober128_state s; /* sober128 state */ + unsigned char ent[40]; /* entropy buffer */ + unsigned long idx; /* entropy counter */ }; #endif -typedef union Prng_state { - char dummy[1]; +typedef struct { + union { + char dummy[1]; #ifdef LTC_YARROW - struct yarrow_prng yarrow; + struct yarrow_prng yarrow; #endif #ifdef LTC_RC4 - struct rc4_prng rc4; + struct rc4_prng rc4; #endif #ifdef LTC_CHACHA20_PRNG - struct chacha20_prng chacha; + struct chacha20_prng chacha; #endif #ifdef LTC_FORTUNA - struct fortuna_prng fortuna; + struct fortuna_prng fortuna; #endif #ifdef LTC_SOBER128 - struct sober128_prng sober128; + struct sober128_prng sober128; #endif + }; + short ready; /* ready flag 0-1 */ + LTC_MUTEX_TYPE(lock); /* lock */ } prng_state; /** PRNG descriptor */ diff --git a/src/misc/crypt/crypt.c b/src/misc/crypt/crypt.c index d1311f9..9787c13 100644 --- a/src/misc/crypt/crypt.c +++ b/src/misc/crypt/crypt.c @@ -124,9 +124,16 @@ const char *crypt_build_settings = #if defined(LTC_CAMELLIA) " Camellia\n" #endif -#if defined(LTC_CHACHA) + "Stream ciphers built-in:\n" +#if defined(LTC_CHACHA_STREAM) " ChaCha\n" #endif +#if defined(LTC_RC4_STREAM) + " RC4\n" +#endif +#if defined(LTC_SOBER128_STREAM) + " SOBER128\n" +#endif "\nHashes built-in:\n" #if defined(LTC_SHA3) diff --git a/src/prngs/chacha20.c b/src/prngs/chacha20.c index 45d554b..faaf629 100644 --- a/src/prngs/chacha20.c +++ b/src/prngs/chacha20.c @@ -17,8 +17,8 @@ const struct ltc_prng_descriptor chacha20_prng_desc = { - "chacha", - sizeof(chacha_state), + "chacha20", + 40, &chacha20_prng_start, &chacha20_prng_add_entropy, &chacha20_prng_ready, @@ -37,9 +37,10 @@ const struct ltc_prng_descriptor chacha20_prng_desc = int chacha20_prng_start(prng_state *prng) { LTC_ARGCHK(prng != NULL); - prng->chacha.ready = 0; - XMEMSET(&prng->chacha.ent, 0, 40); + prng->ready = 0; + XMEMSET(&prng->chacha.ent, 0, sizeof(prng->chacha.ent)); prng->chacha.idx = 0; + LTC_MUTEX_INIT(&prng->lock) return CRYPT_OK; } @@ -60,23 +61,26 @@ int chacha20_prng_add_entropy(const unsigned char *in, unsigned long inlen, prng LTC_ARGCHK(in != NULL); LTC_ARGCHK(inlen > 0); - if (prng->chacha.ready) { + LTC_MUTEX_LOCK(&prng->lock); + if (prng->ready) { /* chacha20_prng_ready() was already called, do "rekey" operation */ - if ((err = chacha_keystream(&prng->chacha.s, buf, 40)) != CRYPT_OK) return err; - for(i = 0; i < inlen; i++) buf[i % 40] ^= in[i]; + if ((err = chacha_keystream(&prng->chacha.s, buf, sizeof(buf))) != CRYPT_OK) goto LBL_UNLOCK; + for(i = 0; i < inlen; i++) buf[i % sizeof(buf)] ^= in[i]; /* key 32 bytes, 20 rounds */ - if ((err = chacha_setup(&prng->chacha.s, buf, 32, 20)) != CRYPT_OK) return err; + if ((err = chacha_setup(&prng->chacha.s, buf, 32, 20)) != CRYPT_OK) goto LBL_UNLOCK; /* iv 8 bytes */ - if ((err = chacha_ivctr64(&prng->chacha.s, buf + 32, 8, 0)) != CRYPT_OK) return err; + if ((err = chacha_ivctr64(&prng->chacha.s, buf + 32, 8, 0)) != CRYPT_OK) goto LBL_UNLOCK; /* clear KEY + IV */ - XMEMSET(buf, 0, 40); + XMEMSET(buf, 0, sizeof(buf)); } else { /* chacha20_prng_ready() was not called yet, add entropy to ent buffer */ - while (inlen--) prng->chacha.ent[prng->chacha.idx++ % 40] ^= *in++; + while (inlen--) prng->chacha.ent[prng->chacha.idx++ % sizeof(prng->chacha.ent)] ^= *in++; } - - return CRYPT_OK; + err = CRYPT_OK; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** @@ -90,14 +94,18 @@ int chacha20_prng_ready(prng_state *prng) LTC_ARGCHK(prng != NULL); + LTC_MUTEX_LOCK(&prng->lock); + if (prng->ready) { err = CRYPT_OK; goto LBL_UNLOCK; } /* key 32 bytes, 20 rounds */ - if ((err = chacha_setup(&prng->chacha.s, prng->chacha.ent, 32, 20)) != CRYPT_OK) return err; + if ((err = chacha_setup(&prng->chacha.s, prng->chacha.ent, 32, 20)) != CRYPT_OK) goto LBL_UNLOCK; /* iv 8 bytes */ - if ((err = chacha_ivctr64(&prng->chacha.s, prng->chacha.ent + 32, 8, 0)) != CRYPT_OK) return err; - XMEMSET(&prng->chacha.ent, 0, 40); - prng->chacha.ready = 1; + if ((err = chacha_ivctr64(&prng->chacha.s, prng->chacha.ent + 32, 8, 0)) != CRYPT_OK) goto LBL_UNLOCK; + XMEMSET(&prng->chacha.ent, 0, sizeof(prng->chacha.ent)); prng->chacha.idx = 0; - return CRYPT_OK; + prng->ready = 1; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** @@ -109,8 +117,12 @@ int chacha20_prng_ready(prng_state *prng) */ unsigned long chacha20_prng_read(unsigned char *out, unsigned long outlen, prng_state *prng) { - LTC_ARGCHK(prng != NULL); - if (chacha_keystream(&prng->chacha.s, out, outlen) != CRYPT_OK) return 0; + if (outlen == 0 || prng == NULL || out == NULL) return 0; + LTC_MUTEX_LOCK(&prng->lock); + if (!prng->ready) { outlen = 0; goto LBL_UNLOCK; } + if (chacha_keystream(&prng->chacha.s, out, outlen) != CRYPT_OK) outlen = 0; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); return outlen; } @@ -121,8 +133,13 @@ unsigned long chacha20_prng_read(unsigned char *out, unsigned long outlen, prng_ */ int chacha20_prng_done(prng_state *prng) { + int err; LTC_ARGCHK(prng != NULL); - return chacha_done(&prng->chacha.s); + LTC_MUTEX_LOCK(&prng->lock); + prng->ready = 0; + err = chacha_done(&prng->chacha.s); + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** @@ -134,19 +151,21 @@ int chacha20_prng_done(prng_state *prng) */ int chacha20_prng_export(unsigned char *out, unsigned long *outlen, prng_state *prng) { - unsigned long len = sizeof(chacha_state); - LTC_ARGCHK(outlen != NULL); - LTC_ARGCHK(out != NULL); - LTC_ARGCHK(prng != NULL); + unsigned long len = chacha20_prng_desc.export_size; + + LTC_ARGCHK(prng != NULL); + LTC_ARGCHK(out != NULL); + LTC_ARGCHK(outlen != NULL); - if (!prng->chacha.ready) { - return CRYPT_ERROR; - } if (*outlen < len) { *outlen = len; return CRYPT_BUFFER_OVERFLOW; } - XMEMCPY(out, &prng->chacha.s, len); + + if (chacha20_prng_read(out, len, prng) != len) { + return CRYPT_ERROR_READPRNG; + } + *outlen = len; return CRYPT_OK; } @@ -160,13 +179,14 @@ int chacha20_prng_export(unsigned char *out, unsigned long *outlen, prng_state * */ int chacha20_prng_import(const unsigned char *in, unsigned long inlen, prng_state *prng) { - unsigned long len = sizeof(chacha_state); - LTC_ARGCHK(in != NULL); - LTC_ARGCHK(prng != NULL); + int err; - if (inlen != len) return CRYPT_INVALID_ARG; - XMEMCPY(&prng->chacha.s, in, inlen); - prng->chacha.ready = 1; + LTC_ARGCHK(prng != NULL); + LTC_ARGCHK(in != NULL); + if (inlen < (unsigned long)chacha20_prng_desc.export_size) return CRYPT_INVALID_ARG; + + if ((err = chacha20_prng_start(prng)) != CRYPT_OK) return err; + if ((err = chacha20_prng_add_entropy(in, inlen, prng)) != CRYPT_OK) return err; return CRYPT_OK; } @@ -188,29 +208,32 @@ int chacha20_prng_test(void) unsigned char dmp[300]; unsigned long dmplen = sizeof(dmp); unsigned char out[500]; - unsigned char t1[] = { 0x59, 0xb2, 0x26, 0x95, 0x2b, 0x01, 0x8f, 0x05, 0xbe, 0xd8 }; - unsigned char t2[] = { 0x30, 0x34, 0x5c, 0x6e, 0x56, 0x18, 0x8c, 0x46, 0xbe, 0x8a }; + unsigned char t1[] = { 0x59, 0xB2, 0x26, 0x95, 0x2B, 0x01, 0x8F, 0x05, 0xBE, 0xD8 }; + unsigned char t2[] = { 0x47, 0xC9, 0x0D, 0x03, 0xE4, 0x75, 0x34, 0x27, 0xBD, 0xDE }; + unsigned char t3[] = { 0xBC, 0xFA, 0xEF, 0x59, 0x37, 0x7F, 0x1A, 0x91, 0x1A, 0xA6 }; + int err; - chacha20_prng_start(&st); - chacha20_prng_add_entropy(en, sizeof(en), &st); /* add entropy to uninitialized prng */ - chacha20_prng_ready(&st); - chacha20_prng_read(out, 10, &st); /* 10 bytes for testing */ - if (compare_testvector(out, 10, t1, sizeof(t1), "CHACHA-PRNG", 1)) return CRYPT_FAIL_TESTVECTOR; - chacha20_prng_read(out, 500, &st); - chacha20_prng_add_entropy(en, sizeof(en), &st); /* add entropy to already initialized prng */ - chacha20_prng_read(out, 500, &st); - chacha20_prng_export(dmp, &dmplen, &st); - chacha20_prng_read(out, 500, &st); /* skip 500 bytes */ - chacha20_prng_read(out, 10, &st); /* 10 bytes for testing */ - if (compare_testvector(out, 10, t2, sizeof(t2), "CHACHA-PRNG", 2)) return CRYPT_FAIL_TESTVECTOR; - chacha20_prng_done(&st); - - XMEMSET(&st, 0xFF, sizeof(st)); /* just to be sure */ - chacha20_prng_import(dmp, dmplen, &st); - chacha20_prng_read(out, 500, &st); /* skip 500 bytes */ - chacha20_prng_read(out, 10, &st); /* 10 bytes for testing */ - if (compare_testvector(out, 10, t2, sizeof(t2), "CHACHA-PRNG", 3)) return CRYPT_FAIL_TESTVECTOR; - chacha20_prng_done(&st); + if ((err = chacha20_prng_start(&st)) != CRYPT_OK) return err; + /* add entropy to uninitialized prng */ + if ((err = chacha20_prng_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err; + if ((err = chacha20_prng_ready(&st)) != CRYPT_OK) return err; + if (chacha20_prng_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */ + if (compare_testvector(out, 10, t1, sizeof(t1), "CHACHA-PRNG", 1)) return CRYPT_FAIL_TESTVECTOR; + if (chacha20_prng_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + /* add entropy to already initialized prng */ + if ((err = chacha20_prng_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err; + if (chacha20_prng_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + if ((err = chacha20_prng_export(dmp, &dmplen, &st)) != CRYPT_OK) return err; + if (chacha20_prng_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + if (chacha20_prng_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */ + if (compare_testvector(out, 10, t2, sizeof(t2), "CHACHA-PRNG", 2)) return CRYPT_FAIL_TESTVECTOR; + if ((err = chacha20_prng_done(&st)) != CRYPT_OK) return err; + if ((err = chacha20_prng_import(dmp, dmplen, &st)) != CRYPT_OK) return err; + if ((err = chacha20_prng_ready(&st)) != CRYPT_OK) return err; + if (chacha20_prng_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + if (chacha20_prng_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */ + if (compare_testvector(out, 10, t3, sizeof(t3), "CHACHA-PRNG", 3)) return CRYPT_FAIL_TESTVECTOR; + if ((err = chacha20_prng_done(&st)) != CRYPT_OK) return err; return CRYPT_OK; #endif diff --git a/src/prngs/fortuna.c b/src/prngs/fortuna.c index 173deea..88ba28e 100644 --- a/src/prngs/fortuna.c +++ b/src/prngs/fortuna.c @@ -5,8 +5,6 @@ * * The library is free for all purposes without any express * guarantee it works. - * - * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ #include "tomcrypt.h" @@ -133,6 +131,7 @@ int fortuna_start(prng_state *prng) unsigned char tmp[MAXBLOCKSIZE]; LTC_ARGCHK(prng != NULL); + prng->ready = 0; /* initialize the pools */ for (x = 0; x < LTC_FORTUNA_POOLS; x++) { @@ -156,7 +155,7 @@ int fortuna_start(prng_state *prng) } zeromem(prng->fortuna.IV, 16); - LTC_MUTEX_INIT(&prng->fortuna.prng_lock) + LTC_MUTEX_INIT(&prng->lock) return CRYPT_OK; } @@ -173,27 +172,25 @@ int fortuna_add_entropy(const unsigned char *in, unsigned long inlen, prng_state unsigned char tmp[2]; int err; - LTC_ARGCHK(in != NULL); LTC_ARGCHK(prng != NULL); - - LTC_MUTEX_LOCK(&prng->fortuna.prng_lock); + LTC_ARGCHK(in != NULL); + LTC_ARGCHK(inlen > 0); /* ensure inlen <= 32 */ if (inlen > 32) { - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); - return CRYPT_INVALID_ARG; + inlen = 32; } /* add s || length(in) || in to pool[pool_idx] */ tmp[0] = 0; tmp[1] = (unsigned char)inlen; + + LTC_MUTEX_LOCK(&prng->lock); if ((err = sha256_process(&prng->fortuna.pool[prng->fortuna.pool_idx], tmp, 2)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); - return err; + goto LBL_UNLOCK; } if ((err = sha256_process(&prng->fortuna.pool[prng->fortuna.pool_idx], in, inlen)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); - return err; + goto LBL_UNLOCK; } if (prng->fortuna.pool_idx == 0) { prng->fortuna.pool0_len += inlen; @@ -201,9 +198,11 @@ int fortuna_add_entropy(const unsigned char *in, unsigned long inlen, prng_state if (++(prng->fortuna.pool_idx) == LTC_FORTUNA_POOLS) { prng->fortuna.pool_idx = 0; } + err = CRYPT_OK; /* success */ - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); - return CRYPT_OK; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** @@ -213,7 +212,15 @@ int fortuna_add_entropy(const unsigned char *in, unsigned long inlen, prng_state */ int fortuna_ready(prng_state *prng) { - return fortuna_reseed(prng); + int err; + LTC_ARGCHK(prng != NULL); + + LTC_MUTEX_LOCK(&prng->lock); + err = fortuna_reseed(prng); + prng->ready = (err == CRYPT_OK) ? 1 : 0; + + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** @@ -226,18 +233,20 @@ int fortuna_ready(prng_state *prng) unsigned long fortuna_read(unsigned char *out, unsigned long outlen, prng_state *prng) { unsigned char tmp[16]; - unsigned long tlen; + unsigned long tlen = 0; - LTC_ARGCHK(out != NULL); - LTC_ARGCHK(prng != NULL); + if (outlen == 0 || prng == NULL || out == NULL) return 0; - LTC_MUTEX_LOCK(&prng->fortuna.prng_lock); + LTC_MUTEX_LOCK(&prng->lock); + + if (!prng->ready) { + goto LBL_UNLOCK; + } /* do we have to reseed? */ if (++prng->fortuna.wd == LTC_FORTUNA_WD || prng->fortuna.pool0_len >= 64) { if (fortuna_reseed(prng) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); - return 0; + goto LBL_UNLOCK; } } @@ -268,14 +277,14 @@ unsigned long fortuna_read(unsigned char *out, unsigned long outlen, prng_state fortuna_update_iv(prng); if (rijndael_setup(prng->fortuna.K, 32, 0, &prng->fortuna.skey) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); - return 0; + tlen = 0; } #ifdef LTC_CLEAN_STACK zeromem(tmp, sizeof(tmp)); #endif - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); return tlen; } @@ -290,23 +299,25 @@ int fortuna_done(prng_state *prng) unsigned char tmp[32]; LTC_ARGCHK(prng != NULL); - LTC_MUTEX_LOCK(&prng->fortuna.prng_lock); + + LTC_MUTEX_LOCK(&prng->lock); + prng->ready = 0; /* terminate all the hashes */ for (x = 0; x < LTC_FORTUNA_POOLS; x++) { if ((err = sha256_done(&(prng->fortuna.pool[x]), tmp)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); - return err; + goto LBL_UNLOCK; } } /* call cipher done when we invent one ;-) */ + err = CRYPT_OK; /* success */ #ifdef LTC_CLEAN_STACK zeromem(tmp, sizeof(tmp)); #endif - - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); - return CRYPT_OK; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** @@ -325,19 +336,24 @@ int fortuna_export(unsigned char *out, unsigned long *outlen, prng_state *prng) LTC_ARGCHK(outlen != NULL); LTC_ARGCHK(prng != NULL); - LTC_MUTEX_LOCK(&prng->fortuna.prng_lock); + LTC_MUTEX_LOCK(&prng->lock); + + if (!prng->ready) { + err = CRYPT_ERROR; + goto LBL_UNLOCK; + } /* we'll write bytes for s&g's */ if (*outlen < 32*LTC_FORTUNA_POOLS) { - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); *outlen = 32*LTC_FORTUNA_POOLS; - return CRYPT_BUFFER_OVERFLOW; + err = CRYPT_BUFFER_OVERFLOW; + goto LBL_UNLOCK; } md = XMALLOC(sizeof(hash_state)); if (md == NULL) { - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); - return CRYPT_MEM; + err = CRYPT_MEM; + goto LBL_UNLOCK; } /* to emit the state we copy each pool, terminate it then hash it again so @@ -371,7 +387,8 @@ LBL_ERR: zeromem(md, sizeof(*md)); #endif XFREE(md); - LTC_MUTEX_UNLOCK(&prng->fortuna.prng_lock); +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); return err; } @@ -401,7 +418,7 @@ int fortuna_import(const unsigned char *in, unsigned long inlen, prng_state *prn return err; } } - return err; + return CRYPT_OK; } /** diff --git a/src/prngs/rc4.c b/src/prngs/rc4.c index 2583451..3212791 100644 --- a/src/prngs/rc4.c +++ b/src/prngs/rc4.c @@ -5,29 +5,28 @@ * * The library is free for all purposes without any express * guarantee it works. - * - * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ #include "tomcrypt.h" /** @file rc4.c - LTC_RC4 PRNG, Tom St Denis + RC4 PRNG, Tom St Denis */ #ifdef LTC_RC4 const struct ltc_prng_descriptor rc4_desc = { - "rc4", 32, - &rc4_start, - &rc4_add_entropy, - &rc4_ready, - &rc4_read, - &rc4_done, - &rc4_export, - &rc4_import, - &rc4_test + "rc4", + 32, + &rc4_start, + &rc4_add_entropy, + &rc4_ready, + &rc4_read, + &rc4_done, + &rc4_export, + &rc4_import, + &rc4_test }; /** @@ -37,12 +36,14 @@ const struct ltc_prng_descriptor rc4_desc = */ int rc4_start(prng_state *prng) { - LTC_ARGCHK(prng != NULL); - - /* set keysize to zero */ - prng->rc4.x = 0; - - return CRYPT_OK; + LTC_ARGCHK(prng != NULL); + prng->ready = 0; + /* set entropy (key) size to zero */ + prng->rc4.s.x = 0; + /* clear entropy (key) buffer */ + XMEMSET(&prng->rc4.s.buf, 0, sizeof(prng->rc4.s.buf)); + LTC_MUTEX_INIT(&prng->lock) + return CRYPT_OK; } /** @@ -54,26 +55,32 @@ int rc4_start(prng_state *prng) */ int rc4_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng) { - LTC_ARGCHK(in != NULL); - LTC_ARGCHK(prng != NULL); + unsigned char buf[256]; + unsigned long i; + int err; - /* trim as required */ - if (prng->rc4.x + inlen > 256) { - if (prng->rc4.x == 256) { - /* I can't possibly accept another byte, ok maybe a mint wafer... */ - return CRYPT_OK; - } else { - /* only accept part of it */ - inlen = 256 - prng->rc4.x; - } - } - - while (inlen--) { - prng->rc4.buf[prng->rc4.x++] = *in++; - } - - return CRYPT_OK; + LTC_ARGCHK(prng != NULL); + LTC_ARGCHK(in != NULL); + LTC_ARGCHK(inlen > 0); + LTC_MUTEX_LOCK(&prng->lock); + if (prng->ready) { + /* rc4_ready() was already called, do "rekey" operation */ + if ((err = rc4_keystream(&prng->rc4.s, buf, sizeof(buf))) != CRYPT_OK) goto LBL_UNLOCK; + for(i = 0; i < inlen; i++) buf[i % sizeof(buf)] ^= in[i]; + /* initialize RC4 */ + if ((err = rc4_setup(&prng->rc4.s, buf, sizeof(buf))) != CRYPT_OK) goto LBL_UNLOCK; + /* drop first 3072 bytes - https://en.wikipedia.org/wiki/RC4#Fluhrer.2C_Mantin_and_Shamir_attack */ + for (i = 0; i < 12; i++) rc4_keystream(&prng->rc4.s, buf, sizeof(buf)); + } + else { + /* rc4_ready() was not called yet, add entropy to the buffer */ + while (inlen--) prng->rc4.s.buf[prng->rc4.s.x++ % sizeof(prng->rc4.s.buf)] ^= *in++; + } + err = CRYPT_OK; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** @@ -83,36 +90,24 @@ int rc4_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *pr */ int rc4_ready(prng_state *prng) { - unsigned char key[256], tmp, *s; - int keylen, x, y, j; + unsigned char buf[256] = { 0 }; + unsigned long len; + int err, i; - LTC_ARGCHK(prng != NULL); + LTC_ARGCHK(prng != NULL); - /* extract the key */ - s = prng->rc4.buf; - XMEMCPY(key, s, 256); - keylen = prng->rc4.x; - - /* make LTC_RC4 perm and shuffle */ - for (x = 0; x < 256; x++) { - s[x] = x; - } - - for (j = x = y = 0; x < 256; x++) { - y = (y + prng->rc4.buf[x] + key[j++]) & 255; - if (j == keylen) { - j = 0; - } - tmp = s[x]; s[x] = s[y]; s[y] = tmp; - } - prng->rc4.x = 0; - prng->rc4.y = 0; - -#ifdef LTC_CLEAN_STACK - zeromem(key, sizeof(key)); -#endif - - return CRYPT_OK; + LTC_MUTEX_LOCK(&prng->lock); + if (prng->ready) { err = CRYPT_OK; goto LBL_UNLOCK; } + XMEMCPY(buf, prng->rc4.s.buf, sizeof(buf)); + /* initialize RC4 */ + len = MIN(prng->rc4.s.x, 256); /* TODO: we can perhaps always use all 256 bytes */ + if ((err = rc4_setup(&prng->rc4.s, buf, len)) != CRYPT_OK) goto LBL_UNLOCK; + /* drop first 3072 bytes - https://en.wikipedia.org/wiki/RC4#Fluhrer.2C_Mantin_and_Shamir_attack */ + for (i = 0; i < 12; i++) rc4_keystream(&prng->rc4.s, buf, sizeof(buf)); + prng->ready = 1; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** @@ -124,30 +119,13 @@ int rc4_ready(prng_state *prng) */ unsigned long rc4_read(unsigned char *out, unsigned long outlen, prng_state *prng) { - unsigned char x, y, *s, tmp; - unsigned long n; - - LTC_ARGCHK(out != NULL); - LTC_ARGCHK(prng != NULL); - -#ifdef LTC_VALGRIND - zeromem(out, outlen); -#endif - - n = outlen; - x = prng->rc4.x; - y = prng->rc4.y; - s = prng->rc4.buf; - while (outlen--) { - x = (x + 1) & 255; - y = (y + s[x]) & 255; - tmp = s[x]; s[x] = s[y]; s[y] = tmp; - tmp = (s[x] + s[y]) & 255; - *out++ ^= s[tmp]; - } - prng->rc4.x = x; - prng->rc4.y = y; - return n; + if (outlen == 0 || prng == NULL || out == NULL) return 0; + LTC_MUTEX_LOCK(&prng->lock); + if (!prng->ready) { outlen = 0; goto LBL_UNLOCK; } + if (rc4_keystream(&prng->rc4.s, out, outlen) != CRYPT_OK) outlen = 0; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return outlen; } /** @@ -157,8 +135,13 @@ unsigned long rc4_read(unsigned char *out, unsigned long outlen, prng_state *prn */ int rc4_done(prng_state *prng) { + int err; LTC_ARGCHK(prng != NULL); - return CRYPT_OK; + LTC_MUTEX_LOCK(&prng->lock); + prng->ready = 0; + err = rc4_stream_done(&prng->rc4.s); + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** @@ -170,20 +153,22 @@ int rc4_done(prng_state *prng) */ int rc4_export(unsigned char *out, unsigned long *outlen, prng_state *prng) { - LTC_ARGCHK(outlen != NULL); - LTC_ARGCHK(out != NULL); - LTC_ARGCHK(prng != NULL); + unsigned long len = rc4_desc.export_size; - if (*outlen < 32) { - *outlen = 32; + LTC_ARGCHK(prng != NULL); + LTC_ARGCHK(out != NULL); + LTC_ARGCHK(outlen != NULL); + + if (*outlen < len) { + *outlen = len; return CRYPT_BUFFER_OVERFLOW; } - if (rc4_read(out, 32, prng) != 32) { + if (rc4_read(out, len, prng) != len) { return CRYPT_ERROR_READPRNG; } - *outlen = 32; + *outlen = len; return CRYPT_OK; } @@ -197,17 +182,14 @@ int rc4_export(unsigned char *out, unsigned long *outlen, prng_state *prng) int rc4_import(const unsigned char *in, unsigned long inlen, prng_state *prng) { int err; - LTC_ARGCHK(in != NULL); + LTC_ARGCHK(prng != NULL); + LTC_ARGCHK(in != NULL); + if (inlen < (unsigned long)rc4_desc.export_size) return CRYPT_INVALID_ARG; - if (inlen != 32) { - return CRYPT_INVALID_ARG; - } - - if ((err = rc4_start(prng)) != CRYPT_OK) { - return err; - } - return rc4_add_entropy(in, 32, prng); + if ((err = rc4_start(prng)) != CRYPT_OK) return err; + if ((err = rc4_add_entropy(in, inlen, prng)) != CRYPT_OK) return err; + return CRYPT_OK; } /** @@ -216,54 +198,43 @@ int rc4_import(const unsigned char *in, unsigned long inlen, prng_state *prng) */ int rc4_test(void) { -#if !defined(LTC_TEST) || defined(LTC_VALGRIND) +#ifndef LTC_TEST return CRYPT_NOP; #else - static const struct { - unsigned char key[8], pt[8], ct[8]; - } tests[] = { -{ - { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef }, - { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef }, - { 0x75, 0xb7, 0x87, 0x80, 0x99, 0xe0, 0xc5, 0x96 } -} -}; - prng_state prng; - unsigned char dst[8]; - int err, x; + prng_state st; + unsigned char en[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, + 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, + 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, + 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, + 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32 }; + unsigned char dmp[500]; + unsigned long dmplen = sizeof(dmp); + unsigned char out[1000]; + unsigned char t1[] = { 0xE0, 0x4D, 0x9A, 0xF6, 0xA8, 0x9D, 0x77, 0x53, 0xAE, 0x09 }; + unsigned char t2[] = { 0x9D, 0x3C, 0xC6, 0x64, 0x36, 0xB6, 0x76, 0xD5, 0xEB, 0x93 }; + unsigned char t3[] = { 0x6B, 0x6D, 0xF5, 0xCB, 0x84, 0x37, 0x8F, 0x02, 0xA2, 0x90 }; + int err; + + if ((err = rc4_start(&st)) != CRYPT_OK) return err; + if ((err = rc4_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err; + if ((err = rc4_ready(&st)) != CRYPT_OK) return err; + if (rc4_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */ + if (compare_testvector(out, 10, t1, sizeof(t1), "RC4-PRNG", 1)) return CRYPT_FAIL_TESTVECTOR; + if (rc4_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; + if ((err = rc4_export(dmp, &dmplen, &st)) != CRYPT_OK) return err; + if (rc4_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + if (rc4_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */ + if (compare_testvector(out, 10, t2, sizeof(t2), "RC4-PRNG", 2)) return CRYPT_FAIL_TESTVECTOR; + if ((err = rc4_done(&st)) != CRYPT_OK) return err; + if ((err = rc4_import(dmp, dmplen, &st)) != CRYPT_OK) return err; + if ((err = rc4_ready(&st)) != CRYPT_OK) return err; + if (rc4_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + if (rc4_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */ + if (compare_testvector(out, 10, t3, sizeof(t3), "RC4-PRNG", 3)) return CRYPT_FAIL_TESTVECTOR; + if ((err = rc4_done(&st)) != CRYPT_OK) return err; - for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) { - if ((err = rc4_start(&prng)) != CRYPT_OK) { - return err; - } - if ((err = rc4_add_entropy(tests[x].key, 8, &prng)) != CRYPT_OK) { - return err; - } - if ((err = rc4_ready(&prng)) != CRYPT_OK) { - return err; - } - XMEMCPY(dst, tests[x].pt, 8); - if (rc4_read(dst, 8, &prng) != 8) { - return CRYPT_ERROR_READPRNG; - } - rc4_done(&prng); - if (XMEMCMP(dst, tests[x].ct, 8)) { -#if 0 - int y; - printf("\n\nLTC_RC4 failed, I got:\n"); - for (y = 0; y < 8; y++) printf("%02x ", dst[y]); - printf("\n"); -#endif - return CRYPT_FAIL_TESTVECTOR; - } - } return CRYPT_OK; #endif } #endif - - -/* $Source$ */ -/* $Revision$ */ -/* $Date$ */ diff --git a/src/prngs/rng_get_bytes.c b/src/prngs/rng_get_bytes.c index 28e8585..2c05d0d 100644 --- a/src/prngs/rng_get_bytes.c +++ b/src/prngs/rng_get_bytes.c @@ -5,8 +5,6 @@ * * The library is free for all purposes without any express * guarantee it works. - * - * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ #include "tomcrypt.h" diff --git a/src/prngs/rng_make_prng.c b/src/prngs/rng_make_prng.c index 05af405..fff92c7 100644 --- a/src/prngs/rng_make_prng.c +++ b/src/prngs/rng_make_prng.c @@ -5,8 +5,6 @@ * * The library is free for all purposes without any express * guarantee it works. - * - * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ #include "tomcrypt.h" diff --git a/src/prngs/sober128.c b/src/prngs/sober128.c index 33d7f00..c1069d1 100644 --- a/src/prngs/sober128.c +++ b/src/prngs/sober128.c @@ -5,9 +5,8 @@ * * The library is free for all purposes without any express * guarantee it works. - * - * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ + #include "tomcrypt.h" /** @@ -18,90 +17,20 @@ #ifdef LTC_SOBER128 -#define __LTC_SOBER128TAB_C__ -#include "sober128tab.c" - const struct ltc_prng_descriptor sober128_desc = { - "sober128", 64, - &sober128_start, - &sober128_add_entropy, - &sober128_ready, - &sober128_read, - &sober128_done, - &sober128_export, - &sober128_import, - &sober128_test + "sober128", + 40, + &sober128_start, + &sober128_add_entropy, + &sober128_ready, + &sober128_read, + &sober128_done, + &sober128_export, + &sober128_import, + &sober128_test }; -/* don't change these... */ -#define N 17 -#define FOLD N /* how many iterations of folding to do */ -#define INITKONST 0x6996c53a /* value of KONST to use during key loading */ -#define KEYP 15 /* where to insert key words */ -#define FOLDP 4 /* where to insert non-linear feedback */ - -#define B(x,i) ((unsigned char)(((x) >> (8*i)) & 0xFF)) - -static ulong32 BYTE2WORD(unsigned char *b) -{ - ulong32 t; - LOAD32L(t, b); - return t; -} - -#define WORD2BYTE(w, b) STORE32L(b, w) - -static void XORWORD(ulong32 w, unsigned char *b) -{ - ulong32 t; - LOAD32L(t, b); - t ^= w; - STORE32L(t, b); -} - -/* give correct offset for the current position of the register, - * where logically R[0] is at position "zero". - */ -#define OFF(zero, i) (((zero)+(i)) % N) - -/* step the LFSR */ -/* After stepping, "zero" moves right one place */ -#define STEP(R,z) \ - R[OFF(z,0)] = R[OFF(z,15)] ^ R[OFF(z,4)] ^ (R[OFF(z,0)] << 8) ^ Multab[(R[OFF(z,0)] >> 24) & 0xFF]; - -static void cycle(ulong32 *R) -{ - ulong32 t; - int i; - - STEP(R,0); - t = R[0]; - for (i = 1; i < N; ++i) { - R[i-1] = R[i]; - } - R[N-1] = t; -} - -/* Return a non-linear function of some parts of the register. - */ -#define NLFUNC(c,z) \ -{ \ - t = c->R[OFF(z,0)] + c->R[OFF(z,16)]; \ - t ^= Sbox[(t >> 24) & 0xFF]; \ - t = RORc(t, 8); \ - t = ((t + c->R[OFF(z,1)]) ^ c->konst) + c->R[OFF(z,6)]; \ - t ^= Sbox[(t >> 24) & 0xFF]; \ - t = t + c->R[OFF(z,13)]; \ -} - -static ulong32 nltap(struct sober128_prng *c) -{ - ulong32 t; - NLFUNC(c, 0); - return t; -} - /** Start the PRNG @param prng [out] The PRNG state to initialize @@ -109,93 +38,12 @@ static ulong32 nltap(struct sober128_prng *c) */ int sober128_start(prng_state *prng) { - int i; - struct sober128_prng *c; - - LTC_ARGCHK(prng != NULL); - - c = &(prng->sober128); - - /* Register initialised to Fibonacci numbers */ - c->R[0] = 1; - c->R[1] = 1; - for (i = 2; i < N; ++i) { - c->R[i] = c->R[i-1] + c->R[i-2]; - } - c->konst = INITKONST; - - /* next add_entropy will be the key */ - c->flag = 1; - c->set = 0; - - return CRYPT_OK; -} - -/* Save the current register state - */ -static void s128_savestate(struct sober128_prng *c) -{ - int i; - for (i = 0; i < N; ++i) { - c->initR[i] = c->R[i]; - } -} - -/* initialise to previously saved register state - */ -static void s128_reloadstate(struct sober128_prng *c) -{ - int i; - - for (i = 0; i < N; ++i) { - c->R[i] = c->initR[i]; - } -} - -/* Initialise "konst" - */ -static void s128_genkonst(struct sober128_prng *c) -{ - ulong32 newkonst; - - do { - cycle(c->R); - newkonst = nltap(c); - } while ((newkonst & 0xFF000000) == 0); - c->konst = newkonst; -} - -/* Load key material into the register - */ -#define ADDKEY(k) \ - c->R[KEYP] += (k); - -#define XORNL(nl) \ - c->R[FOLDP] ^= (nl); - -/* nonlinear diffusion of register for key */ -#define DROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); c->R[OFF((z+1),FOLDP)] ^= t; -static void s128_diffuse(struct sober128_prng *c) -{ - ulong32 t; - /* relies on FOLD == N == 17! */ - DROUND(0); - DROUND(1); - DROUND(2); - DROUND(3); - DROUND(4); - DROUND(5); - DROUND(6); - DROUND(7); - DROUND(8); - DROUND(9); - DROUND(10); - DROUND(11); - DROUND(12); - DROUND(13); - DROUND(14); - DROUND(15); - DROUND(16); + LTC_ARGCHK(prng != NULL); + prng->ready = 0; + XMEMSET(&prng->sober128.ent, 0, sizeof(prng->sober128.ent)); + prng->sober128.idx = 0; + LTC_MUTEX_INIT(&prng->lock) + return CRYPT_OK; } /** @@ -207,63 +55,34 @@ static void s128_diffuse(struct sober128_prng *c) */ int sober128_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng) { - struct sober128_prng *c; - ulong32 i, k; + unsigned char buf[40]; + unsigned long i; + int err; - LTC_ARGCHK(in != NULL); - LTC_ARGCHK(prng != NULL); - c = &(prng->sober128); + LTC_ARGCHK(prng != NULL); + LTC_ARGCHK(in != NULL); + LTC_ARGCHK(inlen > 0); - if (c->flag == 1) { - /* this is the first call to the add_entropy so this input is the key */ - /* inlen must be multiple of 4 bytes */ - if ((inlen & 3) != 0) { - return CRYPT_INVALID_KEYSIZE; - } - - for (i = 0; i < inlen; i += 4) { - k = BYTE2WORD((unsigned char *)&in[i]); - ADDKEY(k); - cycle(c->R); - XORNL(nltap(c)); - } - - /* also fold in the length of the key */ - ADDKEY(inlen); - - /* now diffuse */ - s128_diffuse(c); - - s128_genkonst(c); - s128_savestate(c); - c->nbuf = 0; - c->flag = 0; - c->set = 1; - } else { - /* ok we are adding an IV then... */ - s128_reloadstate(c); - - /* inlen must be multiple of 4 bytes */ - if ((inlen & 3) != 0) { - return CRYPT_INVALID_KEYSIZE; - } - - for (i = 0; i < inlen; i += 4) { - k = BYTE2WORD((unsigned char *)&in[i]); - ADDKEY(k); - cycle(c->R); - XORNL(nltap(c)); - } - - /* also fold in the length of the key */ - ADDKEY(inlen); - - /* now diffuse */ - s128_diffuse(c); - c->nbuf = 0; - } - - return CRYPT_OK; + LTC_MUTEX_LOCK(&prng->lock); + if (prng->ready) { + /* sober128_ready() was already called, do "rekey" operation */ + if ((err = sober128_keystream(&prng->sober128.s, buf, sizeof(buf))) != CRYPT_OK) goto LBL_UNLOCK; + for(i = 0; i < inlen; i++) buf[i % sizeof(buf)] ^= in[i]; + /* key 32 bytes, 20 rounds */ + if ((err = sober128_setup(&prng->sober128.s, buf, 32)) != CRYPT_OK) goto LBL_UNLOCK; + /* iv 8 bytes */ + if ((err = sober128_setiv(&prng->sober128.s, buf + 32, 8)) != CRYPT_OK) goto LBL_UNLOCK; + /* clear KEY + IV */ + XMEMSET(buf, 0, sizeof(buf)); + } + else { + /* sober128_ready() was not called yet, add entropy to ent buffer */ + while (inlen--) prng->sober128.ent[prng->sober128.idx++ % sizeof(prng->sober128.ent)] ^= *in++; + } + err = CRYPT_OK; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** @@ -273,12 +92,23 @@ int sober128_add_entropy(const unsigned char *in, unsigned long inlen, prng_stat */ int sober128_ready(prng_state *prng) { - return prng->sober128.set == 1 ? CRYPT_OK : CRYPT_ERROR; -} + int err; -/* XOR pseudo-random bytes into buffer - */ -#define SROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); XORWORD(t, out+(z*4)); + LTC_ARGCHK(prng != NULL); + + LTC_MUTEX_LOCK(&prng->lock); + if (prng->ready) { err = CRYPT_OK; goto LBL_UNLOCK; } + /* key 32 bytes, 20 rounds */ + if ((err = sober128_setup(&prng->sober128.s, prng->sober128.ent, 32)) != CRYPT_OK) goto LBL_UNLOCK; + /* iv 8 bytes */ + if ((err = sober128_setiv(&prng->sober128.s, prng->sober128.ent + 32, 8)) != CRYPT_OK) goto LBL_UNLOCK; + XMEMSET(&prng->sober128.ent, 0, sizeof(prng->sober128.ent)); + prng->sober128.idx = 0; + prng->ready = 1; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return err; +} /** Read from the PRNG @@ -289,75 +119,13 @@ int sober128_ready(prng_state *prng) */ unsigned long sober128_read(unsigned char *out, unsigned long outlen, prng_state *prng) { - struct sober128_prng *c; - ulong32 t, tlen; - - LTC_ARGCHK(out != NULL); - LTC_ARGCHK(prng != NULL); - -#ifdef LTC_VALGRIND - zeromem(out, outlen); -#endif - - c = &(prng->sober128); - tlen = outlen; - - /* handle any previously buffered bytes */ - while (c->nbuf != 0 && outlen != 0) { - *out++ ^= c->sbuf & 0xFF; - c->sbuf >>= 8; - c->nbuf -= 8; - --outlen; - } - -#ifndef LTC_SMALL_CODE - /* do lots at a time, if there's enough to do */ - while (outlen >= N*4) { - SROUND(0); - SROUND(1); - SROUND(2); - SROUND(3); - SROUND(4); - SROUND(5); - SROUND(6); - SROUND(7); - SROUND(8); - SROUND(9); - SROUND(10); - SROUND(11); - SROUND(12); - SROUND(13); - SROUND(14); - SROUND(15); - SROUND(16); - out += 4*N; - outlen -= 4*N; - } -#endif - - /* do small or odd size buffers the slow way */ - while (4 <= outlen) { - cycle(c->R); - t = nltap(c); - XORWORD(t, out); - out += 4; - outlen -= 4; - } - - /* handle any trailing bytes */ - if (outlen != 0) { - cycle(c->R); - c->sbuf = nltap(c); - c->nbuf = 32; - while (c->nbuf != 0 && outlen != 0) { - *out++ ^= c->sbuf & 0xFF; - c->sbuf >>= 8; - c->nbuf -= 8; - --outlen; - } - } - - return tlen; + if (outlen == 0 || prng == NULL || out == NULL) return 0; + LTC_MUTEX_LOCK(&prng->lock); + if (!prng->ready) { outlen = 0; goto LBL_UNLOCK; } + if (sober128_keystream(&prng->sober128.s, out, outlen) != CRYPT_OK) outlen = 0; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return outlen; } /** @@ -367,8 +135,13 @@ unsigned long sober128_read(unsigned char *out, unsigned long outlen, prng_state */ int sober128_done(prng_state *prng) { + int err; LTC_ARGCHK(prng != NULL); - return CRYPT_OK; + LTC_MUTEX_LOCK(&prng->lock); + prng->ready = 0; + err = sober128_stream_done(&prng->sober128.s); + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** @@ -380,20 +153,22 @@ int sober128_done(prng_state *prng) */ int sober128_export(unsigned char *out, unsigned long *outlen, prng_state *prng) { - LTC_ARGCHK(outlen != NULL); - LTC_ARGCHK(out != NULL); - LTC_ARGCHK(prng != NULL); + unsigned long len = sober128_desc.export_size; - if (*outlen < 64) { - *outlen = 64; + LTC_ARGCHK(prng != NULL); + LTC_ARGCHK(out != NULL); + LTC_ARGCHK(outlen != NULL); + + if (*outlen < len) { + *outlen = len; return CRYPT_BUFFER_OVERFLOW; } - if (sober128_read(out, 64, prng) != 64) { + if (sober128_read(out, len, prng) != len) { return CRYPT_ERROR_READPRNG; } - *outlen = 64; + *outlen = len; return CRYPT_OK; } @@ -407,20 +182,14 @@ int sober128_export(unsigned char *out, unsigned long *outlen, prng_state *prng) int sober128_import(const unsigned char *in, unsigned long inlen, prng_state *prng) { int err; - LTC_ARGCHK(in != NULL); + LTC_ARGCHK(prng != NULL); + LTC_ARGCHK(in != NULL); + if (inlen < (unsigned long)sober128_desc.export_size) return CRYPT_INVALID_ARG; - if (inlen != 64) { - return CRYPT_INVALID_ARG; - } - - if ((err = sober128_start(prng)) != CRYPT_OK) { - return err; - } - if ((err = sober128_add_entropy(in, 64, prng)) != CRYPT_OK) { - return err; - } - return sober128_ready(prng); + if ((err = sober128_start(prng)) != CRYPT_OK) return err; + if ((err = sober128_add_entropy(in, inlen, prng)) != CRYPT_OK) return err; + return CRYPT_OK; } /** @@ -432,69 +201,44 @@ int sober128_test(void) #ifndef LTC_TEST return CRYPT_NOP; #else - static const struct { - int keylen, ivlen, len; - unsigned char key[16], iv[4], out[20]; - } tests[] = { + prng_state st; + unsigned char en[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, + 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, + 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, + 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, + 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32 }; + unsigned char dmp[300]; + unsigned long dmplen = sizeof(dmp); + unsigned char out[500]; + unsigned char t1[] = { 0x31, 0x82, 0xA7, 0xA5, 0x8B, 0xD7, 0xCB, 0x39, 0x86, 0x1A }; + unsigned char t2[] = { 0x6B, 0x43, 0x9E, 0xBC, 0xE7, 0x62, 0x9B, 0xE6, 0x9B, 0x83 }; + unsigned char t3[] = { 0x4A, 0x0E, 0x6C, 0xC1, 0xCF, 0xB4, 0x73, 0x49, 0x99, 0x05 }; + int err; -{ - 16, 4, 20, + if ((err = sober128_start(&st)) != CRYPT_OK) return err; + /* add entropy to uninitialized prng */ + if ((err = sober128_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err; + if ((err = sober128_ready(&st)) != CRYPT_OK) return err; + if (sober128_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */ + if (compare_testvector(out, 10, t1, sizeof(t1), "SOBER128-PRNG", 1)) return CRYPT_FAIL_TESTVECTOR; + if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + /* add entropy to already initialized prng */ + if ((err = sober128_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err; + if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + if ((err = sober128_export(dmp, &dmplen, &st)) != CRYPT_OK) return err; + if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + if (sober128_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */ + if (compare_testvector(out, 10, t2, sizeof(t2), "SOBER128-PRNG", 2)) return CRYPT_FAIL_TESTVECTOR; + if ((err = sober128_done(&st)) != CRYPT_OK) return err; + if ((err = sober128_import(dmp, dmplen, &st)) != CRYPT_OK) return err; + if ((err = sober128_ready(&st)) != CRYPT_OK) return err; + if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */ + if (sober128_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */ + if (compare_testvector(out, 10, t3, sizeof(t3), "SOBER128-PRNG", 3)) return CRYPT_FAIL_TESTVECTOR; + if ((err = sober128_done(&st)) != CRYPT_OK) return err; - /* key */ - { 0x74, 0x65, 0x73, 0x74, 0x20, 0x6b, 0x65, 0x79, - 0x20, 0x31, 0x32, 0x38, 0x62, 0x69, 0x74, 0x73 }, - - /* IV */ - { 0x00, 0x00, 0x00, 0x00 }, - - /* expected output */ - { 0x43, 0x50, 0x0c, 0xcf, 0x89, 0x91, 0x9f, 0x1d, - 0xaa, 0x37, 0x74, 0x95, 0xf4, 0xb4, 0x58, 0xc2, - 0x40, 0x37, 0x8b, 0xbb } -} - -}; - prng_state prng; - unsigned char dst[20]; - int err, x; - - for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) { - if ((err = sober128_start(&prng)) != CRYPT_OK) { - return err; - } - if ((err = sober128_add_entropy(tests[x].key, tests[x].keylen, &prng)) != CRYPT_OK) { - return err; - } - /* add IV */ - if ((err = sober128_add_entropy(tests[x].iv, tests[x].ivlen, &prng)) != CRYPT_OK) { - return err; - } - - /* ready up */ - if ((err = sober128_ready(&prng)) != CRYPT_OK) { - return err; - } - XMEMSET(dst, 0, tests[x].len); - if (sober128_read(dst, tests[x].len, &prng) != (unsigned long)tests[x].len) { - return CRYPT_ERROR_READPRNG; - } - sober128_done(&prng); - if (XMEMCMP(dst, tests[x].out, tests[x].len)) { -#if 0 - printf("\n\nLTC_SOBER128 failed, I got:\n"); - for (y = 0; y < tests[x].len; y++) printf("%02x ", dst[y]); - printf("\n"); -#endif - return CRYPT_FAIL_TESTVECTOR; - } - } return CRYPT_OK; #endif } #endif - - -/* $Source$ */ -/* $Revision$ */ -/* $Date$ */ diff --git a/src/prngs/sprng.c b/src/prngs/sprng.c index 7b538dd..0d44571 100644 --- a/src/prngs/sprng.c +++ b/src/prngs/sprng.c @@ -5,8 +5,6 @@ * * The library is free for all purposes without any express * guarantee it works. - * - * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ #include "tomcrypt.h" diff --git a/src/prngs/yarrow.c b/src/prngs/yarrow.c index d6566e6..c0d211e 100644 --- a/src/prngs/yarrow.c +++ b/src/prngs/yarrow.c @@ -5,8 +5,6 @@ * * The library is free for all purposes without any express * guarantee it works. - * - * Tom St Denis, tomstdenis@gmail.com, http://libtom.org */ #include "tomcrypt.h" @@ -40,6 +38,7 @@ int yarrow_start(prng_state *prng) int err; LTC_ARGCHK(prng != NULL); + prng->ready = 0; /* these are the default hash/cipher combo used */ #ifdef LTC_RIJNDAEL @@ -120,7 +119,7 @@ int yarrow_start(prng_state *prng) /* zero the memory used */ zeromem(prng->yarrow.pool, sizeof(prng->yarrow.pool)); - LTC_MUTEX_INIT(&prng->yarrow.prng_lock) + LTC_MUTEX_INIT(&prng->lock) return CRYPT_OK; } @@ -137,43 +136,38 @@ int yarrow_add_entropy(const unsigned char *in, unsigned long inlen, prng_state hash_state md; int err; - LTC_ARGCHK(in != NULL); LTC_ARGCHK(prng != NULL); + LTC_ARGCHK(in != NULL); + LTC_ARGCHK(inlen > 0); - LTC_MUTEX_LOCK(&prng->yarrow.prng_lock); + LTC_MUTEX_LOCK(&prng->lock); if ((err = hash_is_valid(prng->yarrow.hash)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); - return err; + goto LBL_UNLOCK; } /* start the hash */ if ((err = hash_descriptor[prng->yarrow.hash].init(&md)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); - return err; + goto LBL_UNLOCK; } /* hash the current pool */ if ((err = hash_descriptor[prng->yarrow.hash].process(&md, prng->yarrow.pool, hash_descriptor[prng->yarrow.hash].hashsize)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); - return err; + goto LBL_UNLOCK; } /* add the new entropy */ if ((err = hash_descriptor[prng->yarrow.hash].process(&md, in, inlen)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); - return err; + goto LBL_UNLOCK; } /* store result */ - if ((err = hash_descriptor[prng->yarrow.hash].done(&md, prng->yarrow.pool)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); - return err; - } + err = hash_descriptor[prng->yarrow.hash].done(&md, prng->yarrow.pool); - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); - return CRYPT_OK; +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** @@ -186,23 +180,21 @@ int yarrow_ready(prng_state *prng) int ks, err; LTC_ARGCHK(prng != NULL); - LTC_MUTEX_LOCK(&prng->yarrow.prng_lock); + + LTC_MUTEX_LOCK(&prng->lock); if ((err = hash_is_valid(prng->yarrow.hash)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); - return err; + goto LBL_UNLOCK; } if ((err = cipher_is_valid(prng->yarrow.cipher)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); - return err; + goto LBL_UNLOCK; } /* setup CTR mode using the "pool" as the key */ ks = (int)hash_descriptor[prng->yarrow.hash].hashsize; if ((err = cipher_descriptor[prng->yarrow.cipher].keysize(&ks)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); - return err; + goto LBL_UNLOCK; } if ((err = ctr_start(prng->yarrow.cipher, /* what cipher to use */ @@ -211,11 +203,13 @@ int yarrow_ready(prng_state *prng) 0, /* number of rounds */ CTR_COUNTER_LITTLE_ENDIAN, /* little endian counter */ &prng->yarrow.ctr)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); - return err; + goto LBL_UNLOCK; } - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); - return CRYPT_OK; + prng->ready = 1; + +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); + return err; } /** @@ -227,20 +221,25 @@ int yarrow_ready(prng_state *prng) */ unsigned long yarrow_read(unsigned char *out, unsigned long outlen, prng_state *prng) { - LTC_ARGCHK(out != NULL); - LTC_ARGCHK(prng != NULL); + if (outlen == 0 || prng == NULL || out == NULL) return 0; - LTC_MUTEX_LOCK(&prng->yarrow.prng_lock); + LTC_MUTEX_LOCK(&prng->lock); + + if (!prng->ready) { + outlen = 0; + goto LBL_UNLOCK; + } /* put out in predictable state first */ zeromem(out, outlen); /* now randomize it */ if (ctr_encrypt(out, out, outlen, &prng->yarrow.ctr) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); - return 0; + outlen = 0; } - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); + +LBL_UNLOCK: + LTC_MUTEX_UNLOCK(&prng->lock); return outlen; } @@ -254,14 +253,15 @@ int yarrow_done(prng_state *prng) int err; LTC_ARGCHK(prng != NULL); - LTC_MUTEX_LOCK(&prng->yarrow.prng_lock); + LTC_MUTEX_LOCK(&prng->lock); + prng->ready = 0; /* call cipher done when we invent one ;-) */ /* we invented one */ err = ctr_done(&prng->yarrow.ctr); - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); + LTC_MUTEX_UNLOCK(&prng->lock); return err; } @@ -277,22 +277,19 @@ int yarrow_export(unsigned char *out, unsigned long *outlen, prng_state *prng) LTC_ARGCHK(out != NULL); LTC_ARGCHK(outlen != NULL); LTC_ARGCHK(prng != NULL); - - LTC_MUTEX_LOCK(&prng->yarrow.prng_lock); + if (!prng->ready) return CRYPT_ERROR; /* we'll write 64 bytes for s&g's */ if (*outlen < 64) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); *outlen = 64; return CRYPT_BUFFER_OVERFLOW; } if (yarrow_read(out, 64, prng) != 64) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); return CRYPT_ERROR_READPRNG; } - *outlen = 64; + *outlen = 64; return CRYPT_OK; } @@ -310,20 +307,16 @@ int yarrow_import(const unsigned char *in, unsigned long inlen, prng_state *prng LTC_ARGCHK(in != NULL); LTC_ARGCHK(prng != NULL); - LTC_MUTEX_LOCK(&prng->yarrow.prng_lock); - if (inlen != 64) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); return CRYPT_INVALID_ARG; } - if ((err = yarrow_start(prng)) != CRYPT_OK) { - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); return err; } - err = yarrow_add_entropy(in, 64, prng); - LTC_MUTEX_UNLOCK(&prng->yarrow.prng_lock); - return err; + if ((err = yarrow_add_entropy(in, 64, prng)) != CRYPT_OK) { + return err; + } + return CRYPT_OK; } /** diff --git a/src/stream/chacha/chacha_crypt.c b/src/stream/chacha/chacha_crypt.c index de42a10..d1c691c 100644 --- a/src/stream/chacha/chacha_crypt.c +++ b/src/stream/chacha/chacha_crypt.c @@ -14,7 +14,7 @@ #include "tomcrypt.h" -#ifdef LTC_CHACHA +#ifdef LTC_CHACHA_STREAM #define QUARTERROUND(a,b,c,d) \ x[a] += x[b]; x[d] = ROL(x[d] ^ x[a], 16); \ diff --git a/src/stream/chacha/chacha_done.c b/src/stream/chacha/chacha_done.c index 4d6e278..06afbd2 100644 --- a/src/stream/chacha/chacha_done.c +++ b/src/stream/chacha/chacha_done.c @@ -9,7 +9,7 @@ #include "tomcrypt.h" -#ifdef LTC_CHACHA +#ifdef LTC_CHACHA_STREAM /** Terminate and clear ChaCha state diff --git a/src/stream/chacha/chacha_ivctr32.c b/src/stream/chacha/chacha_ivctr32.c index 9884a1e..5602f6d 100644 --- a/src/stream/chacha/chacha_ivctr32.c +++ b/src/stream/chacha/chacha_ivctr32.c @@ -14,7 +14,7 @@ #include "tomcrypt.h" -#ifdef LTC_CHACHA +#ifdef LTC_CHACHA_STREAM /** Set IV + counter data to the ChaCha state diff --git a/src/stream/chacha/chacha_ivctr64.c b/src/stream/chacha/chacha_ivctr64.c index 82d39fb..9780e09 100644 --- a/src/stream/chacha/chacha_ivctr64.c +++ b/src/stream/chacha/chacha_ivctr64.c @@ -14,7 +14,7 @@ #include "tomcrypt.h" -#ifdef LTC_CHACHA +#ifdef LTC_CHACHA_STREAM /** Set IV + counter data to the ChaCha state diff --git a/src/stream/chacha/chacha_keystream.c b/src/stream/chacha/chacha_keystream.c index b45323f..5ea3b57 100644 --- a/src/stream/chacha/chacha_keystream.c +++ b/src/stream/chacha/chacha_keystream.c @@ -14,7 +14,7 @@ #include "tomcrypt.h" -#ifdef LTC_CHACHA +#ifdef LTC_CHACHA_STREAM /** Generate a stream of random bytes via ChaCha diff --git a/src/stream/chacha/chacha_setup.c b/src/stream/chacha/chacha_setup.c index 69a1483..5dc5d72 100644 --- a/src/stream/chacha/chacha_setup.c +++ b/src/stream/chacha/chacha_setup.c @@ -14,7 +14,7 @@ #include "tomcrypt.h" -#ifdef LTC_CHACHA +#ifdef LTC_CHACHA_STREAM static const char * const sigma = "expand 32-byte k"; static const char * const tau = "expand 16-byte k"; diff --git a/src/stream/chacha/chacha_test.c b/src/stream/chacha/chacha_test.c index d48cd47..c22e09b 100644 --- a/src/stream/chacha/chacha_test.c +++ b/src/stream/chacha/chacha_test.c @@ -14,7 +14,7 @@ #include "tomcrypt.h" -#ifdef LTC_CHACHA +#ifdef LTC_CHACHA_STREAM int chacha_test(void) { @@ -37,27 +37,28 @@ int chacha_test(void) 0x87, 0x4D }; char pt[] = "Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it."; chacha_state st; + int err; len = strlen(pt); /* crypt piece by piece */ - chacha_setup(&st, k, sizeof(k), 20); - chacha_ivctr32(&st, n, sizeof(n), 1); - chacha_crypt(&st, (unsigned char*)pt, 35, out); - chacha_crypt(&st, (unsigned char*)pt + 35, 35, out + 35); - chacha_crypt(&st, (unsigned char*)pt + 70, 5, out + 70); - chacha_crypt(&st, (unsigned char*)pt + 75, 5, out + 75); - chacha_crypt(&st, (unsigned char*)pt + 80, len - 80, out + 80); - if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV1", 1)) return CRYPT_FAIL_TESTVECTOR; + if ((err = chacha_setup(&st, k, sizeof(k), 20)) != CRYPT_OK) return err; + if ((err = chacha_ivctr32(&st, n, sizeof(n), 1)) != CRYPT_OK) return err; + if ((err = chacha_crypt(&st, (unsigned char*)pt, 35, out)) != CRYPT_OK) return err; + if ((err = chacha_crypt(&st, (unsigned char*)pt + 35, 35, out + 35)) != CRYPT_OK) return err; + if ((err = chacha_crypt(&st, (unsigned char*)pt + 70, 5, out + 70)) != CRYPT_OK) return err; + if ((err = chacha_crypt(&st, (unsigned char*)pt + 75, 5, out + 75)) != CRYPT_OK) return err; + if ((err = chacha_crypt(&st, (unsigned char*)pt + 80, len - 80, out + 80)) != CRYPT_OK) return err; + if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV1", 1)) return CRYPT_FAIL_TESTVECTOR; /* crypt in one go */ - chacha_setup(&st, k, sizeof(k), 20); - chacha_ivctr32(&st, n, sizeof(n), 1); - chacha_crypt(&st, (unsigned char*)pt, len, out); - if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV2", 1)) return CRYPT_FAIL_TESTVECTOR; + if ((err = chacha_setup(&st, k, sizeof(k), 20)) != CRYPT_OK) return err; + if ((err = chacha_ivctr32(&st, n, sizeof(n), 1)) != CRYPT_OK) return err; + if ((err = chacha_crypt(&st, (unsigned char*)pt, len, out)) != CRYPT_OK) return err; + if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV2", 1)) return CRYPT_FAIL_TESTVECTOR; /* crypt in one go - using chacha_ivctr64() */ - chacha_setup(&st, k, sizeof(k), 20); - chacha_ivctr64(&st, n + 4, sizeof(n) - 4, 1); - chacha_crypt(&st, (unsigned char*)pt, len, out); - if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV3", 1)) return CRYPT_FAIL_TESTVECTOR; + if ((err = chacha_setup(&st, k, sizeof(k), 20)) != CRYPT_OK) return err; + if ((err = chacha_ivctr64(&st, n + 4, sizeof(n) - 4, 1)) != CRYPT_OK) return err; + if ((err = chacha_crypt(&st, (unsigned char*)pt, len, out)) != CRYPT_OK) return err; + if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV3", 1)) return CRYPT_FAIL_TESTVECTOR; return CRYPT_OK; #endif diff --git a/src/stream/rc4/rc4.c b/src/stream/rc4/rc4.c new file mode 100644 index 0000000..90227f2 --- /dev/null +++ b/src/stream/rc4/rc4.c @@ -0,0 +1,107 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + */ + +#include "tomcrypt.h" + +#ifdef LTC_RC4_STREAM + +/** + Initialize an RC4 context (only the key) + @param st [out] The destination of the RC4 state + @param key The secret key + @param keylen The length of the secret key (8 - 256 bytes) + @return CRYPT_OK if successful +*/ +int rc4_setup(rc4_state *st, const unsigned char *key, unsigned long keylen) +{ + unsigned char tmp, *s; + int x, y; + unsigned long j; + + LTC_ARGCHK(st != NULL); + LTC_ARGCHK(key != NULL); + LTC_ARGCHK(keylen >= 5); /* 40-2048 bits */ + + s = st->buf; + for (x = 0; x < 256; x++) { + s[x] = x; + } + + for (j = x = y = 0; x < 256; x++) { + y = (y + s[x] + key[j++]) & 255; + if (j == keylen) { + j = 0; + } + tmp = s[x]; s[x] = s[y]; s[y] = tmp; + } + st->x = 0; + st->y = 0; + + return CRYPT_OK; +} + +/** + Encrypt (or decrypt) bytes of ciphertext (or plaintext) with RC4 + @param st The RC4 state + @param in The plaintext (or ciphertext) + @param inlen The length of the input (octets) + @param out [out] The ciphertext (or plaintext), length inlen + @return CRYPT_OK if successful +*/ +int rc4_crypt(rc4_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out) +{ + unsigned char x, y, *s, tmp; + + LTC_ARGCHK(st != NULL); + LTC_ARGCHK(in != NULL); + LTC_ARGCHK(out != NULL); + + x = st->x; + y = st->y; + s = st->buf; + while (inlen--) { + x = (x + 1) & 255; + y = (y + s[x]) & 255; + tmp = s[x]; s[x] = s[y]; s[y] = tmp; + tmp = (s[x] + s[y]) & 255; + *out++ = *in++ ^ s[tmp]; + } + st->x = x; + st->y = y; + return CRYPT_OK; +} + +/** + Generate a stream of random bytes via RC4 + @param st The RC420 state + @param out [out] The output buffer + @param outlen The output length + @return CRYPT_OK on success + */ +int rc4_keystream(rc4_state *st, unsigned char *out, unsigned long outlen) +{ + if (outlen == 0) return CRYPT_OK; /* nothing to do */ + LTC_ARGCHK(out != NULL); + XMEMSET(out, 0, outlen); + return rc4_crypt(st, out, outlen, out); +} + +/** + Terminate and clear RC4 state + @param st The RC4 state + @return CRYPT_OK on success +*/ +int rc4_stream_done(rc4_state *st) +{ + LTC_ARGCHK(st != NULL); + XMEMSET(st, 0, sizeof(rc4_state)); + return CRYPT_OK; +} + +#endif diff --git a/src/stream/rc4/rc4_test.c b/src/stream/rc4/rc4_test.c new file mode 100644 index 0000000..36ace3d --- /dev/null +++ b/src/stream/rc4/rc4_test.c @@ -0,0 +1,35 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + */ + +#include "tomcrypt.h" + +#ifdef LTC_RC4_STREAM + +int rc4_test(void) +{ +#ifndef LTC_TEST + return CRYPT_NOP; +#else + rc4_state st; + int err; + const unsigned char key[] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef }; + const unsigned char pt[] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef }; + const unsigned char ct[] = { 0x75, 0xb7, 0x87, 0x80, 0x99, 0xe0, 0xc5, 0x96 }; + unsigned char buf[10]; + + if ((err = rc4_setup(&st, key, sizeof(key))) != CRYPT_OK) return err; + if ((err = rc4_crypt(&st, pt, sizeof(pt), buf)) != CRYPT_OK) return err; + if (XMEMCMP(buf, ct, sizeof(ct))) return CRYPT_FAIL_TESTVECTOR; + if ((err = rc4_stream_done(&st)) != CRYPT_OK) return err; + + return CRYPT_OK; +#endif +} + +#endif diff --git a/src/stream/sober128/sober128.c b/src/stream/sober128/sober128.c new file mode 100644 index 0000000..c9da8db --- /dev/null +++ b/src/stream/sober128/sober128.c @@ -0,0 +1,344 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtom.org + */ +#include "tomcrypt.h" + +/** + @file sober128.c + Implementation of SOBER-128 by Tom St Denis. + Based on s128fast.c reference code supplied by Greg Rose of QUALCOMM. +*/ + +#ifdef LTC_SOBER128 + +#define __LTC_SOBER128TAB_C__ +#include "sober128tab.c" + +/* don't change these... */ +#define N 17 +#define FOLD N /* how many iterations of folding to do */ +#define INITKONST 0x6996c53a /* value of KONST to use during key loading */ +#define KEYP 15 /* where to insert key words */ +#define FOLDP 4 /* where to insert non-linear feedback */ + +#define B(x,i) ((unsigned char)(((x) >> (8*i)) & 0xFF)) + +static ulong32 BYTE2WORD(unsigned char *b) +{ + ulong32 t; + LOAD32L(t, b); + return t; +} + +static void XORWORD(ulong32 w, const unsigned char *in, unsigned char *out) +{ + ulong32 t; + LOAD32L(t, in); + t ^= w; + STORE32L(t, out); +} + +/* give correct offset for the current position of the register, + * where logically R[0] is at position "zero". + */ +#define OFF(zero, i) (((zero)+(i)) % N) + +/* step the LFSR */ +/* After stepping, "zero" moves right one place */ +#define STEP(R,z) \ + R[OFF(z,0)] = R[OFF(z,15)] ^ R[OFF(z,4)] ^ (R[OFF(z,0)] << 8) ^ Multab[(R[OFF(z,0)] >> 24) & 0xFF]; + +static void cycle(ulong32 *R) +{ + ulong32 t; + int i; + + STEP(R,0); + t = R[0]; + for (i = 1; i < N; ++i) { + R[i-1] = R[i]; + } + R[N-1] = t; +} + +/* Return a non-linear function of some parts of the register. + */ +#define NLFUNC(c,z) \ +{ \ + t = c->R[OFF(z,0)] + c->R[OFF(z,16)]; \ + t ^= Sbox[(t >> 24) & 0xFF]; \ + t = RORc(t, 8); \ + t = ((t + c->R[OFF(z,1)]) ^ c->konst) + c->R[OFF(z,6)]; \ + t ^= Sbox[(t >> 24) & 0xFF]; \ + t = t + c->R[OFF(z,13)]; \ +} + +static ulong32 nltap(sober128_state *c) +{ + ulong32 t; + NLFUNC(c, 0); + return t; +} + +/* Save the current register state + */ +static void s128_savestate(sober128_state *c) +{ + int i; + for (i = 0; i < N; ++i) { + c->initR[i] = c->R[i]; + } +} + +/* initialise to previously saved register state + */ +static void s128_reloadstate(sober128_state *c) +{ + int i; + + for (i = 0; i < N; ++i) { + c->R[i] = c->initR[i]; + } +} + +/* Initialise "konst" + */ +static void s128_genkonst(sober128_state *c) +{ + ulong32 newkonst; + + do { + cycle(c->R); + newkonst = nltap(c); + } while ((newkonst & 0xFF000000) == 0); + c->konst = newkonst; +} + +/* Load key material into the register + */ +#define ADDKEY(k) \ + c->R[KEYP] += (k); + +#define XORNL(nl) \ + c->R[FOLDP] ^= (nl); + +/* nonlinear diffusion of register for key */ +#define DROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); c->R[OFF((z+1),FOLDP)] ^= t; +static void s128_diffuse(sober128_state *c) +{ + ulong32 t; + /* relies on FOLD == N == 17! */ + DROUND(0); + DROUND(1); + DROUND(2); + DROUND(3); + DROUND(4); + DROUND(5); + DROUND(6); + DROUND(7); + DROUND(8); + DROUND(9); + DROUND(10); + DROUND(11); + DROUND(12); + DROUND(13); + DROUND(14); + DROUND(15); + DROUND(16); +} + +/** + Initialize an Sober128 context (only the key) + @param c [out] The destination of the Sober128 state + @param key The secret key + @param keylen The length of the secret key (octets) + @return CRYPT_OK if successful +*/ +int sober128_setup(sober128_state *c, const unsigned char *key, unsigned long keylen) +{ + ulong32 i, k; + + LTC_ARGCHK(c != NULL); + LTC_ARGCHK(key != NULL); + LTC_ARGCHK(keylen > 0); + + /* keylen must be multiple of 4 bytes */ + if ((keylen & 3) != 0) { + return CRYPT_INVALID_KEYSIZE; + } + + /* Register initialised to Fibonacci numbers */ + c->R[0] = 1; + c->R[1] = 1; + for (i = 2; i < N; ++i) { + c->R[i] = c->R[i-1] + c->R[i-2]; + } + c->konst = INITKONST; + + for (i = 0; i < keylen; i += 4) { + k = BYTE2WORD((unsigned char *)&key[i]); + ADDKEY(k); + cycle(c->R); + XORNL(nltap(c)); + } + + /* also fold in the length of the key */ + ADDKEY(keylen); + + /* now diffuse */ + s128_diffuse(c); + s128_genkonst(c); + s128_savestate(c); + c->nbuf = 0; + + return CRYPT_OK; +} + +/** + Set IV to the Sober128 state + @param c The Sober12820 state + @param iv The IV data to add + @param inlen The length of the IV (must be 12) + @return CRYPT_OK on success + */ +int sober128_setiv(sober128_state *c, const unsigned char *iv, unsigned long ivlen) +{ + ulong32 i, k; + + LTC_ARGCHK(c != NULL); + LTC_ARGCHK(iv != NULL); + LTC_ARGCHK(ivlen > 0); + + /* ok we are adding an IV then... */ + s128_reloadstate(c); + + /* ivlen must be multiple of 4 bytes */ + if ((ivlen & 3) != 0) { + return CRYPT_INVALID_KEYSIZE; + } + + for (i = 0; i < ivlen; i += 4) { + k = BYTE2WORD((unsigned char *)&iv[i]); + ADDKEY(k); + cycle(c->R); + XORNL(nltap(c)); + } + + /* also fold in the length of the key */ + ADDKEY(ivlen); + + /* now diffuse */ + s128_diffuse(c); + c->nbuf = 0; + + return CRYPT_OK; +} + +/* XOR pseudo-random bytes into buffer + */ +#define SROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); XORWORD(t, in+(z*4), out+(z*4)); + +/** + Encrypt (or decrypt) bytes of ciphertext (or plaintext) with Sober128 + @param c The Sober128 state + @param in The plaintext (or ciphertext) + @param inlen The length of the input (octets) + @param out [out] The ciphertext (or plaintext), length inlen + @return CRYPT_OK if successful +*/ +int sober128_crypt(sober128_state *c, const unsigned char *in, unsigned long inlen, unsigned char *out) +{ + ulong32 t; + + if (inlen == 0) return CRYPT_OK; /* nothing to do */ + LTC_ARGCHK(out != NULL); + LTC_ARGCHK(c != NULL); + + /* handle any previously buffered bytes */ + while (c->nbuf != 0 && inlen != 0) { + *out++ = *in++ ^ (c->sbuf & 0xFF); + c->sbuf >>= 8; + c->nbuf -= 8; + --inlen; + } + +#ifndef LTC_SMALL_CODE + /* do lots at a time, if there's enough to do */ + while (inlen >= N*4) { + SROUND(0); + SROUND(1); + SROUND(2); + SROUND(3); + SROUND(4); + SROUND(5); + SROUND(6); + SROUND(7); + SROUND(8); + SROUND(9); + SROUND(10); + SROUND(11); + SROUND(12); + SROUND(13); + SROUND(14); + SROUND(15); + SROUND(16); + out += 4*N; + in += 4*N; + inlen -= 4*N; + } +#endif + + /* do small or odd size buffers the slow way */ + while (4 <= inlen) { + cycle(c->R); + t = nltap(c); + XORWORD(t, in, out); + out += 4; + in += 4; + inlen -= 4; + } + + /* handle any trailing bytes */ + if (inlen != 0) { + cycle(c->R); + c->sbuf = nltap(c); + c->nbuf = 32; + while (c->nbuf != 0 && inlen != 0) { + *out++ = *in++ ^ (c->sbuf & 0xFF); + c->sbuf >>= 8; + c->nbuf -= 8; + --inlen; + } + } + + return CRYPT_OK; +} + +int sober128_keystream(sober128_state *c, unsigned char *out, unsigned long outlen) +{ + if (outlen == 0) return CRYPT_OK; /* nothing to do */ + LTC_ARGCHK(out != NULL); + XMEMSET(out, 0, outlen); + return sober128_crypt(c, out, outlen, out); +} + +/** + Terminate and clear Sober128 state + @param c The Sober128 state + @return CRYPT_OK on success +*/ +int sober128_stream_done(sober128_state *c) +{ + LTC_ARGCHK(c != NULL); + XMEMSET(c, 0, sizeof(sober128_state)); + return CRYPT_OK; +} + +#endif diff --git a/src/stream/sober128/sober128_test.c b/src/stream/sober128/sober128_test.c new file mode 100644 index 0000000..99d1abd --- /dev/null +++ b/src/stream/sober128/sober128_test.c @@ -0,0 +1,49 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + */ + +#include "tomcrypt.h" + +#ifdef LTC_SOBER128 + +int sober128_test(void) +{ +#ifndef LTC_TEST + return CRYPT_NOP; +#else + unsigned char key[16] = { 0x74, 0x65, 0x73, 0x74, 0x20, 0x6b, 0x65, 0x79, + 0x20, 0x31, 0x32, 0x38, 0x62, 0x69, 0x74, 0x73 }; + unsigned char iv[4] = { 0x00, 0x00, 0x00, 0x00 }; + unsigned char out[20] = { 0x43, 0x50, 0x0c, 0xcf, 0x89, 0x91, 0x9f, 0x1d, + 0xaa, 0x37, 0x74, 0x95, 0xf4, 0xb4, 0x58, 0xc2, + 0x40, 0x37, 0x8b, 0xbb }; + int err, len = 20; + unsigned char src[20], dst[20]; + sober128_state st; + + XMEMSET(src, 0, len); /* input */ + if ((err = sober128_setup(&st, key, sizeof(key))) != CRYPT_OK) return err; + if ((err = sober128_setiv(&st, iv, sizeof(iv))) != CRYPT_OK) return err; + if ((err = sober128_crypt(&st, src, len, dst)) != CRYPT_OK) return err; + if ((err = sober128_stream_done(&st)) != CRYPT_OK) return err; + if (XMEMCMP(dst, out, len)) { +#if 0 + int y; + printf("\nLTC_SOBER128 failed, I got:\n"); + for (y = 0; y < len; y++) printf("%02x ", dst[y]); + printf("\nLTC_SOBER128 failed, expected:\n"); + for (y = 0; y < len; y++) printf("%02x ", out[y]); + printf("\n"); +#endif + return CRYPT_FAIL_TESTVECTOR; + } + return CRYPT_OK; +#endif +} + +#endif diff --git a/src/prngs/sober128tab.c b/src/stream/sober128/sober128tab.c similarity index 100% rename from src/prngs/sober128tab.c rename to src/stream/sober128/sober128tab.c diff --git a/testprof/cipher_hash_test.c b/testprof/cipher_hash_test.c index d7f582a..b9e55df 100644 --- a/testprof/cipher_hash_test.c +++ b/testprof/cipher_hash_test.c @@ -14,10 +14,16 @@ int cipher_hash_test(void) DOX(cipher_descriptor[x].test(), cipher_descriptor[x].name); } -#ifdef LTC_CHACHA - /* ChaCha is a special case (stream cipher) */ + /* stream ciphers */ +#ifdef LTC_CHACHA_STREAM DO(chacha_test()); #endif +#ifdef LTC_RC4_STREAM + DO(rc4_test()); +#endif +#ifdef LTC_SOBER128_STREAM + DO(sober128_test()); +#endif /* test hashes */ for (x = 0; hash_descriptor[x].name != NULL; x++) { diff --git a/testprof/x86_prof.c b/testprof/x86_prof.c index b3ec43a..b640681 100644 --- a/testprof/x86_prof.c +++ b/testprof/x86_prof.c @@ -342,7 +342,7 @@ static void _unregister_all(void) #ifdef LTC_RC4 unregister_prng(&rc4_desc); #endif -#ifdef LTC_CHACHA +#ifdef LTC_CHACHA_PRNG unregister_prng(&chacha20_prng_desc); #endif #ifdef LTC_SOBER128 @@ -524,7 +524,7 @@ register_prng(&fortuna_desc); #ifdef LTC_RC4 register_prng(&rc4_desc); #endif -#ifdef LTC_CHACHA +#ifdef LTC_CHACHA_PRNG register_prng(&chacha20_prng_desc); #endif #ifdef LTC_SOBER128