summaryrefslogtreecommitdiffhomepage
path: root/libtomcrypt/src/prngs/sober128.c
diff options
context:
space:
mode:
authorMatt Johnston <matt@ucc.asn.au>2018-02-09 21:44:05 +0800
committerMatt Johnston <matt@ucc.asn.au>2018-02-09 21:44:05 +0800
commit4f2eb1914bdac3ed3ee504ad86061281dbe0d074 (patch)
tree078293375c3f3ee2d485cf9559a08d65d460786a /libtomcrypt/src/prngs/sober128.c
parentd72f50ff3284e15124a0f233c26339229fe305ac (diff)
Update to libtomcrypt 1.18.1, merged with Dropbear changes
Diffstat (limited to 'libtomcrypt/src/prngs/sober128.c')
-rw-r--r--libtomcrypt/src/prngs/sober128.c525
1 files changed, 137 insertions, 388 deletions
diff --git a/libtomcrypt/src/prngs/sober128.c b/libtomcrypt/src/prngs/sober128.c
index 9bc7727..8d95491 100644
--- a/libtomcrypt/src/prngs/sober128.c
+++ b/libtomcrypt/src/prngs/sober128.c
@@ -5,196 +5,45 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
+
#include "tomcrypt.h"
/**
- @file sober128.c
+ @file prngs/sober128.c
Implementation of SOBER-128 by Tom St Denis.
Based on s128fast.c reference code supplied by Greg Rose of QUALCOMM.
*/
#ifdef LTC_SOBER128
-#include "sober128tab.c"
-
-const struct ltc_prng_descriptor sober128_desc =
-{
- "sober128", 64,
- &sober128_start,
- &sober128_add_entropy,
- &sober128_ready,
- &sober128_read,
- &sober128_done,
- &sober128_export,
- &sober128_import,
- &sober128_test
+const struct ltc_prng_descriptor sober128_desc =
+{
+ "sober128",
+ 40,
+ &sober128_start,
+ &sober128_add_entropy,
+ &sober128_ready,
+ &sober128_read,
+ &sober128_done,
+ &sober128_export,
+ &sober128_import,
+ &sober128_test
};
-/* don't change these... */
-#define N 17
-#define FOLD N /* how many iterations of folding to do */
-#define INITKONST 0x6996c53a /* value of KONST to use during key loading */
-#define KEYP 15 /* where to insert key words */
-#define FOLDP 4 /* where to insert non-linear feedback */
-
-#define B(x,i) ((unsigned char)(((x) >> (8*i)) & 0xFF))
-
-static ulong32 BYTE2WORD(unsigned char *b)
-{
- ulong32 t;
- LOAD32L(t, b);
- return t;
-}
-
-#define WORD2BYTE(w, b) STORE32L(b, w)
-
-static void XORWORD(ulong32 w, unsigned char *b)
-{
- ulong32 t;
- LOAD32L(t, b);
- t ^= w;
- STORE32L(t, b);
-}
-
-/* give correct offset for the current position of the register,
- * where logically R[0] is at position "zero".
- */
-#define OFF(zero, i) (((zero)+(i)) % N)
-
-/* step the LFSR */
-/* After stepping, "zero" moves right one place */
-#define STEP(R,z) \
- R[OFF(z,0)] = R[OFF(z,15)] ^ R[OFF(z,4)] ^ (R[OFF(z,0)] << 8) ^ Multab[(R[OFF(z,0)] >> 24) & 0xFF];
-
-static void cycle(ulong32 *R)
-{
- ulong32 t;
- int i;
-
- STEP(R,0);
- t = R[0];
- for (i = 1; i < N; ++i) {
- R[i-1] = R[i];
- }
- R[N-1] = t;
-}
-
-/* Return a non-linear function of some parts of the register.
- */
-#define NLFUNC(c,z) \
-{ \
- t = c->R[OFF(z,0)] + c->R[OFF(z,16)]; \
- t ^= Sbox[(t >> 24) & 0xFF]; \
- t = RORc(t, 8); \
- t = ((t + c->R[OFF(z,1)]) ^ c->konst) + c->R[OFF(z,6)]; \
- t ^= Sbox[(t >> 24) & 0xFF]; \
- t = t + c->R[OFF(z,13)]; \
-}
-
-static ulong32 nltap(struct sober128_prng *c)
-{
- ulong32 t;
- NLFUNC(c, 0);
- return t;
-}
-
/**
Start the PRNG
@param prng [out] The PRNG state to initialize
@return CRYPT_OK if successful
-*/
+*/
int sober128_start(prng_state *prng)
{
- int i;
- struct sober128_prng *c;
-
- LTC_ARGCHK(prng != NULL);
-
- c = &(prng->sober128);
-
- /* Register initialised to Fibonacci numbers */
- c->R[0] = 1;
- c->R[1] = 1;
- for (i = 2; i < N; ++i) {
- c->R[i] = c->R[i-1] + c->R[i-2];
- }
- c->konst = INITKONST;
-
- /* next add_entropy will be the key */
- c->flag = 1;
- c->set = 0;
-
- return CRYPT_OK;
-}
-
-/* Save the current register state
- */
-static void s128_savestate(struct sober128_prng *c)
-{
- int i;
- for (i = 0; i < N; ++i) {
- c->initR[i] = c->R[i];
- }
-}
-
-/* initialise to previously saved register state
- */
-static void s128_reloadstate(struct sober128_prng *c)
-{
- int i;
-
- for (i = 0; i < N; ++i) {
- c->R[i] = c->initR[i];
- }
-}
-
-/* Initialise "konst"
- */
-static void s128_genkonst(struct sober128_prng *c)
-{
- ulong32 newkonst;
-
- do {
- cycle(c->R);
- newkonst = nltap(c);
- } while ((newkonst & 0xFF000000) == 0);
- c->konst = newkonst;
-}
-
-/* Load key material into the register
- */
-#define ADDKEY(k) \
- c->R[KEYP] += (k);
-
-#define XORNL(nl) \
- c->R[FOLDP] ^= (nl);
-
-/* nonlinear diffusion of register for key */
-#define DROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); c->R[OFF((z+1),FOLDP)] ^= t;
-static void s128_diffuse(struct sober128_prng *c)
-{
- ulong32 t;
- /* relies on FOLD == N == 17! */
- DROUND(0);
- DROUND(1);
- DROUND(2);
- DROUND(3);
- DROUND(4);
- DROUND(5);
- DROUND(6);
- DROUND(7);
- DROUND(8);
- DROUND(9);
- DROUND(10);
- DROUND(11);
- DROUND(12);
- DROUND(13);
- DROUND(14);
- DROUND(15);
- DROUND(16);
+ LTC_ARGCHK(prng != NULL);
+ prng->ready = 0;
+ XMEMSET(&prng->sober128.ent, 0, sizeof(prng->sober128.ent));
+ prng->sober128.idx = 0;
+ LTC_MUTEX_INIT(&prng->lock)
+ return CRYPT_OK;
}
/**
@@ -203,81 +52,63 @@ static void s128_diffuse(struct sober128_prng *c)
@param inlen Length of the data to add
@param prng PRNG state to update
@return CRYPT_OK if successful
-*/
+*/
int sober128_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng)
{
- struct sober128_prng *c;
- ulong32 i, k;
-
- LTC_ARGCHK(in != NULL);
- LTC_ARGCHK(prng != NULL);
- c = &(prng->sober128);
-
- if (c->flag == 1) {
- /* this is the first call to the add_entropy so this input is the key */
- /* inlen must be multiple of 4 bytes */
- if ((inlen & 3) != 0) {
- return CRYPT_INVALID_KEYSIZE;
- }
-
- for (i = 0; i < inlen; i += 4) {
- k = BYTE2WORD((unsigned char *)&in[i]);
- ADDKEY(k);
- cycle(c->R);
- XORNL(nltap(c));
- }
-
- /* also fold in the length of the key */
- ADDKEY(inlen);
-
- /* now diffuse */
- s128_diffuse(c);
-
- s128_genkonst(c);
- s128_savestate(c);
- c->nbuf = 0;
- c->flag = 0;
- c->set = 1;
- } else {
- /* ok we are adding an IV then... */
- s128_reloadstate(c);
-
- /* inlen must be multiple of 4 bytes */
- if ((inlen & 3) != 0) {
- return CRYPT_INVALID_KEYSIZE;
- }
-
- for (i = 0; i < inlen; i += 4) {
- k = BYTE2WORD((unsigned char *)&in[i]);
- ADDKEY(k);
- cycle(c->R);
- XORNL(nltap(c));
- }
-
- /* also fold in the length of the key */
- ADDKEY(inlen);
-
- /* now diffuse */
- s128_diffuse(c);
- c->nbuf = 0;
- }
+ unsigned char buf[40];
+ unsigned long i;
+ int err;
- return CRYPT_OK;
+ LTC_ARGCHK(prng != NULL);
+ LTC_ARGCHK(in != NULL);
+ LTC_ARGCHK(inlen > 0);
+
+ LTC_MUTEX_LOCK(&prng->lock);
+ if (prng->ready) {
+ /* sober128_ready() was already called, do "rekey" operation */
+ if ((err = sober128_stream_keystream(&prng->sober128.s, buf, sizeof(buf))) != CRYPT_OK) goto LBL_UNLOCK;
+ for(i = 0; i < inlen; i++) buf[i % sizeof(buf)] ^= in[i];
+ /* key 32 bytes, 20 rounds */
+ if ((err = sober128_stream_setup(&prng->sober128.s, buf, 32)) != CRYPT_OK) goto LBL_UNLOCK;
+ /* iv 8 bytes */
+ if ((err = sober128_stream_setiv(&prng->sober128.s, buf + 32, 8)) != CRYPT_OK) goto LBL_UNLOCK;
+ /* clear KEY + IV */
+ zeromem(buf, sizeof(buf));
+ }
+ else {
+ /* sober128_ready() was not called yet, add entropy to ent buffer */
+ while (inlen--) prng->sober128.ent[prng->sober128.idx++ % sizeof(prng->sober128.ent)] ^= *in++;
+ }
+ err = CRYPT_OK;
+LBL_UNLOCK:
+ LTC_MUTEX_UNLOCK(&prng->lock);
+ return err;
}
/**
Make the PRNG ready to read from
@param prng The PRNG to make active
@return CRYPT_OK if successful
-*/
+*/
int sober128_ready(prng_state *prng)
{
- return prng->sober128.set == 1 ? CRYPT_OK : CRYPT_ERROR;
-}
+ int err;
-/* XOR pseudo-random bytes into buffer
- */
-#define SROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); XORWORD(t, out+(z*4));
+ LTC_ARGCHK(prng != NULL);
+
+ LTC_MUTEX_LOCK(&prng->lock);
+ if (prng->ready) { err = CRYPT_OK; goto LBL_UNLOCK; }
+ /* key 32 bytes, 20 rounds */
+ if ((err = sober128_stream_setup(&prng->sober128.s, prng->sober128.ent, 32)) != CRYPT_OK) goto LBL_UNLOCK;
+ /* iv 8 bytes */
+ if ((err = sober128_stream_setiv(&prng->sober128.s, prng->sober128.ent + 32, 8)) != CRYPT_OK) goto LBL_UNLOCK;
+ XMEMSET(&prng->sober128.ent, 0, sizeof(prng->sober128.ent));
+ prng->sober128.idx = 0;
+ prng->ready = 1;
+LBL_UNLOCK:
+ LTC_MUTEX_UNLOCK(&prng->lock);
+ return err;
+}
/**
Read from the PRNG
@@ -285,90 +116,33 @@ int sober128_ready(prng_state *prng)
@param outlen Length of output
@param prng The active PRNG to read from
@return Number of octets read
-*/
+*/
unsigned long sober128_read(unsigned char *out, unsigned long outlen, prng_state *prng)
{
- struct sober128_prng *c;
- ulong32 t, tlen;
-
- LTC_ARGCHK(out != NULL);
- LTC_ARGCHK(prng != NULL);
-
-#ifdef LTC_VALGRIND
- zeromem(out, outlen);
-#endif
-
- c = &(prng->sober128);
- t = 0;
- tlen = outlen;
-
- /* handle any previously buffered bytes */
- while (c->nbuf != 0 && outlen != 0) {
- *out++ ^= c->sbuf & 0xFF;
- c->sbuf >>= 8;
- c->nbuf -= 8;
- --outlen;
- }
-
-#ifndef LTC_SMALL_CODE
- /* do lots at a time, if there's enough to do */
- while (outlen >= N*4) {
- SROUND(0);
- SROUND(1);
- SROUND(2);
- SROUND(3);
- SROUND(4);
- SROUND(5);
- SROUND(6);
- SROUND(7);
- SROUND(8);
- SROUND(9);
- SROUND(10);
- SROUND(11);
- SROUND(12);
- SROUND(13);
- SROUND(14);
- SROUND(15);
- SROUND(16);
- out += 4*N;
- outlen -= 4*N;
- }
-#endif
-
- /* do small or odd size buffers the slow way */
- while (4 <= outlen) {
- cycle(c->R);
- t = nltap(c);
- XORWORD(t, out);
- out += 4;
- outlen -= 4;
- }
-
- /* handle any trailing bytes */
- if (outlen != 0) {
- cycle(c->R);
- c->sbuf = nltap(c);
- c->nbuf = 32;
- while (c->nbuf != 0 && outlen != 0) {
- *out++ ^= c->sbuf & 0xFF;
- c->sbuf >>= 8;
- c->nbuf -= 8;
- --outlen;
- }
- }
-
- return tlen;
+ if (outlen == 0 || prng == NULL || out == NULL) return 0;
+ LTC_MUTEX_LOCK(&prng->lock);
+ if (!prng->ready) { outlen = 0; goto LBL_UNLOCK; }
+ if (sober128_stream_keystream(&prng->sober128.s, out, outlen) != CRYPT_OK) outlen = 0;
+LBL_UNLOCK:
+ LTC_MUTEX_UNLOCK(&prng->lock);
+ return outlen;
}
/**
Terminate the PRNG
@param prng The PRNG to terminate
@return CRYPT_OK if successful
-*/
+*/
int sober128_done(prng_state *prng)
{
+ int err;
LTC_ARGCHK(prng != NULL);
- return CRYPT_OK;
+ LTC_MUTEX_LOCK(&prng->lock);
+ prng->ready = 0;
+ err = sober128_stream_done(&prng->sober128.s);
+ LTC_MUTEX_UNLOCK(&prng->lock);
+ LTC_MUTEX_DESTROY(&prng->lock);
+ return err;
}
/**
@@ -377,124 +151,99 @@ int sober128_done(prng_state *prng)
@param outlen [in/out] Max size and resulting size of the state
@param prng The PRNG to export
@return CRYPT_OK if successful
-*/
+*/
int sober128_export(unsigned char *out, unsigned long *outlen, prng_state *prng)
{
- LTC_ARGCHK(outlen != NULL);
- LTC_ARGCHK(out != NULL);
+ unsigned long len = sober128_desc.export_size;
+
LTC_ARGCHK(prng != NULL);
+ LTC_ARGCHK(out != NULL);
+ LTC_ARGCHK(outlen != NULL);
- if (*outlen < 64) {
- *outlen = 64;
+ if (*outlen < len) {
+ *outlen = len;
return CRYPT_BUFFER_OVERFLOW;
}
- if (sober128_read(out, 64, prng) != 64) {
+ if (sober128_read(out, len, prng) != len) {
return CRYPT_ERROR_READPRNG;
}
- *outlen = 64;
+ *outlen = len;
return CRYPT_OK;
}
-
+
/**
Import a PRNG state
@param in The PRNG state
@param inlen Size of the state
@param prng The PRNG to import
@return CRYPT_OK if successful
-*/
+*/
int sober128_import(const unsigned char *in, unsigned long inlen, prng_state *prng)
{
int err;
- LTC_ARGCHK(in != NULL);
+
LTC_ARGCHK(prng != NULL);
+ LTC_ARGCHK(in != NULL);
+ if (inlen < (unsigned long)sober128_desc.export_size) return CRYPT_INVALID_ARG;
- if (inlen != 64) {
- return CRYPT_INVALID_ARG;
- }
-
- if ((err = sober128_start(prng)) != CRYPT_OK) {
- return err;
- }
- if ((err = sober128_add_entropy(in, 64, prng)) != CRYPT_OK) {
- return err;
- }
- return sober128_ready(prng);
+ if ((err = sober128_start(prng)) != CRYPT_OK) return err;
+ if ((err = sober128_add_entropy(in, sober128_desc.export_size, prng)) != CRYPT_OK) return err;
+ return CRYPT_OK;
}
/**
PRNG self-test
@return CRYPT_OK if successful, CRYPT_NOP if self-testing has been disabled
-*/
+*/
int sober128_test(void)
{
#ifndef LTC_TEST
return CRYPT_NOP;
#else
- static const struct {
- int keylen, ivlen, len;
- unsigned char key[16], iv[4], out[20];
- } tests[] = {
-
-{
- 16, 4, 20,
-
- /* key */
- { 0x74, 0x65, 0x73, 0x74, 0x20, 0x6b, 0x65, 0x79,
- 0x20, 0x31, 0x32, 0x38, 0x62, 0x69, 0x74, 0x73 },
-
- /* IV */
- { 0x00, 0x00, 0x00, 0x00 },
-
- /* expected output */
- { 0x43, 0x50, 0x0c, 0xcf, 0x89, 0x91, 0x9f, 0x1d,
- 0xaa, 0x37, 0x74, 0x95, 0xf4, 0xb4, 0x58, 0xc2,
- 0x40, 0x37, 0x8b, 0xbb }
-}
-
-};
- prng_state prng;
- unsigned char dst[20];
- int err, x;
+ prng_state st;
+ unsigned char en[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+ 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14,
+ 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e,
+ 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,
+ 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32 };
+ unsigned char dmp[300];
+ unsigned long dmplen = sizeof(dmp);
+ unsigned char out[500];
+ unsigned char t1[] = { 0x31, 0x82, 0xA7, 0xA5, 0x8B, 0xD7, 0xCB, 0x39, 0x86, 0x1A };
+ unsigned char t2[] = { 0x6B, 0x43, 0x9E, 0xBC, 0xE7, 0x62, 0x9B, 0xE6, 0x9B, 0x83 };
+ unsigned char t3[] = { 0x4A, 0x0E, 0x6C, 0xC1, 0xCF, 0xB4, 0x73, 0x49, 0x99, 0x05 };
+ int err;
- for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) {
- if ((err = sober128_start(&prng)) != CRYPT_OK) {
- return err;
- }
- if ((err = sober128_add_entropy(tests[x].key, tests[x].keylen, &prng)) != CRYPT_OK) {
- return err;
- }
- /* add IV */
- if ((err = sober128_add_entropy(tests[x].iv, tests[x].ivlen, &prng)) != CRYPT_OK) {
- return err;
- }
+ if ((err = sober128_start(&st)) != CRYPT_OK) return err;
+ /* add entropy to uninitialized prng */
+ if ((err = sober128_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err;
+ if ((err = sober128_ready(&st)) != CRYPT_OK) return err;
+ if (sober128_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
+ if (compare_testvector(out, 10, t1, sizeof(t1), "SOBER128-PRNG", 1)) return CRYPT_FAIL_TESTVECTOR;
+ if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
+ /* add entropy to already initialized prng */
+ if ((err = sober128_add_entropy(en, sizeof(en), &st)) != CRYPT_OK) return err;
+ if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
+ if ((err = sober128_export(dmp, &dmplen, &st)) != CRYPT_OK) return err;
+ if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
+ if (sober128_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
+ if (compare_testvector(out, 10, t2, sizeof(t2), "SOBER128-PRNG", 2)) return CRYPT_FAIL_TESTVECTOR;
+ if ((err = sober128_done(&st)) != CRYPT_OK) return err;
+ if ((err = sober128_import(dmp, dmplen, &st)) != CRYPT_OK) return err;
+ if ((err = sober128_ready(&st)) != CRYPT_OK) return err;
+ if (sober128_read(out, 500, &st) != 500) return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
+ if (sober128_read(out, 10, &st) != 10) return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
+ if (compare_testvector(out, 10, t3, sizeof(t3), "SOBER128-PRNG", 3)) return CRYPT_FAIL_TESTVECTOR;
+ if ((err = sober128_done(&st)) != CRYPT_OK) return err;
- /* ready up */
- if ((err = sober128_ready(&prng)) != CRYPT_OK) {
- return err;
- }
- XMEMSET(dst, 0, tests[x].len);
- if (sober128_read(dst, tests[x].len, &prng) != (unsigned long)tests[x].len) {
- return CRYPT_ERROR_READPRNG;
- }
- sober128_done(&prng);
- if (XMEMCMP(dst, tests[x].out, tests[x].len)) {
-#if 0
- printf("\n\nLTC_SOBER128 failed, I got:\n");
- for (y = 0; y < tests[x].len; y++) printf("%02x ", dst[y]);
- printf("\n");
-#endif
- return CRYPT_FAIL_TESTVECTOR;
- }
- }
return CRYPT_OK;
#endif
}
#endif
-
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-17 12:09:36 +0000