1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
|
#include <assert.h>
#include <stdint.h>
#include <string.h>
#include "entropy.h"
#include "insecure_memzero.h"
#include "sha256.h"
#include "crypto_entropy.h"
/**
* This system implements the HMAC_DRBG pseudo-random number generator as
* specified in section 10.1.2 of the NIST SP 800-90 standard. In this
* implementation, the optional personalization_string and additional_input
* specified in the standard are not implemented.
*/
/* Internal HMAC_DRBG state. */
static struct {
uint8_t Key[32];
uint8_t V[32];
uint32_t reseed_counter;
} drbg;
/* Set to non-zero once the PRNG has been instantiated. */
static int instantiated = 0;
/* Could be as high as 2^48 if we wanted... */
#define RESEED_INTERVAL 256
/* Limited to 2^16 by specification. */
#define GENERATE_MAXLEN 65536
static int instantiate(void);
static void update(uint8_t *, size_t);
static int reseed(void);
static void generate(uint8_t *, size_t);
/**
* instantiate(void):
* Initialize the DRBG state. (Section 10.1.2.3)
*/
static int
instantiate(void)
{
uint8_t seed_material[48];
/* Obtain random seed_material = (entropy_input || nonce). */
if (entropy_read(seed_material, 48))
return (-1);
/* Initialize Key, V, and reseed_counter. */
memset(drbg.Key, 0x00, 32);
memset(drbg.V, 0x01, 32);
drbg.reseed_counter = 1;
/* Mix the random seed into the state. */
update(seed_material, 48);
/* Clean the stack. */
insecure_memzero(seed_material, 48);
/* Success! */
return (0);
}
/**
* update(data, datalen):
* Update the DRBG state using the provided data. (Section 10.1.2.2)
*/
static void
update(uint8_t * data, size_t datalen)
{
HMAC_SHA256_CTX ctx;
uint8_t K[32];
uint8_t Vx[33];
/* Load (Key, V) into (K, Vx). */
memcpy(K, drbg.Key, 32);
memcpy(Vx, drbg.V, 32);
/* K <- HMAC(K, V || 0x00 || data). */
Vx[32] = 0x00;
HMAC_SHA256_Init(&ctx, K, 32);
HMAC_SHA256_Update(&ctx, Vx, 33);
HMAC_SHA256_Update(&ctx, data, datalen);
HMAC_SHA256_Final(K, &ctx);
/* V <- HMAC(K, V). */
HMAC_SHA256_Buf(K, 32, Vx, 32, Vx);
/* If the provided data is non-Null, perform another mixing stage. */
if (datalen != 0) {
/* K <- HMAC(K, V || 0x01 || data). */
Vx[32] = 0x01;
HMAC_SHA256_Init(&ctx, K, 32);
HMAC_SHA256_Update(&ctx, Vx, 33);
HMAC_SHA256_Update(&ctx, data, datalen);
HMAC_SHA256_Final(K, &ctx);
/* V <- HMAC(K, V). */
HMAC_SHA256_Buf(K, 32, Vx, 32, Vx);
}
/* Copy (K, Vx) back to (Key, V). */
memcpy(drbg.Key, K, 32);
memcpy(drbg.V, Vx, 32);
/* Clean the stack. */
insecure_memzero(K, 32);
insecure_memzero(Vx, 33);
}
/**
* reseed(void):
* Reseed the DRBG state (mix in new entropy). (Section 10.1.2.4)
*/
static int
reseed(void)
{
uint8_t seed_material[32];
/* Obtain random seed_material = entropy_input. */
if (entropy_read(seed_material, 32))
return (-1);
/* Mix the random seed into the state. */
update(seed_material, 32);
/* Reset the reseed_counter. */
drbg.reseed_counter = 1;
/* Clean the stack. */
insecure_memzero(seed_material, 32);
/* Success! */
return (0);
}
/**
* generate(buf, buflen):
* Fill the provided buffer with random bits, assuming that reseed_counter
* is less than RESEED_INTERVAL (the caller is responsible for calling
* reseed() as needed) and ${buflen} is less than 2^16 (the caller is
* responsible for splitting up larger requests). (Section 10.1.2.5)
*/
static void
generate(uint8_t * buf, size_t buflen)
{
size_t bufpos;
assert(buflen <= GENERATE_MAXLEN);
assert(drbg.reseed_counter <= RESEED_INTERVAL);
/* Iterate until we've filled the buffer. */
for (bufpos = 0; bufpos < buflen; bufpos += 32) {
HMAC_SHA256_Buf(drbg.Key, 32, drbg.V, 32, drbg.V);
if (buflen - bufpos >= 32)
memcpy(&buf[bufpos], drbg.V, 32);
else
memcpy(&buf[bufpos], drbg.V, buflen - bufpos);
}
/* Mix up state. */
update(NULL, 0);
/* We're one data-generation step closer to needing a reseed. */
drbg.reseed_counter += 1;
}
/**
* crypto_entropy_read(buf, buflen):
* Fill the buffer with unpredictable bits.
*/
int
crypto_entropy_read(uint8_t * buf, size_t buflen)
{
size_t bytes_to_provide;
/* Instantiate if needed. */
if (instantiated == 0) {
/* Try to instantiate the PRNG. */
if (instantiate())
return (-1);
/* We have instantiated the PRNG. */
instantiated = 1;
}
/* Loop until we've filled the buffer. */
while (buflen > 0) {
/* Do we need to reseed? */
if (drbg.reseed_counter > RESEED_INTERVAL) {
if (reseed())
return (-1);
}
/* How much data are we generating in this step? */
if (buflen > GENERATE_MAXLEN)
bytes_to_provide = GENERATE_MAXLEN;
else
bytes_to_provide = buflen;
/* Generate bytes. */
generate(buf, bytes_to_provide);
/* We've done part of the buffer. */
buf += bytes_to_provide;
buflen -= bytes_to_provide;
}
/* Success! */
return (0);
}
|
