From 2bc7cf16fe284fb118963c968898b0741c638d02 Mon Sep 17 00:00:00 2001 From: Paul Bakker Date: Tue, 29 Nov 2011 10:50:51 +0000 Subject: [PATCH] - Cleaned up and further documented CTR_DRBG code --- include/polarssl/ctr_drbg.h | 13 ++++-- library/ctr_drbg.c | 88 +++++++++++++++++++------------------ 2 files changed, 54 insertions(+), 47 deletions(-) diff --git a/include/polarssl/ctr_drbg.h b/include/polarssl/ctr_drbg.h index da7061140..371e47077 100644 --- a/include/polarssl/ctr_drbg.h +++ b/include/polarssl/ctr_drbg.h @@ -35,11 +35,15 @@ #define POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG -0x0036 /**< Too many random requested in single call. */ #define POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG -0x0038 /**< Input too large (Entropy + additional). */ -#define CTR_DRBG_SEEDLEN 48 /**< The seed length (counter + AES key) */ +#define CTR_DRBG_BLOCKSIZE 16 /**< Block size used by the cipher */ +#define CTR_DRBG_KEYSIZE 32 /**< Key size used by the cipher */ +#define CTR_DRBG_KEYBITS ( CTR_DRBG_KEYSIZE * 8 ) +#define CTR_DRBG_SEEDLEN ( CTR_DRBG_KEYSIZE + CTR_DRBG_BLOCKSIZE ) + /**< The seed length (counter + AES key) */ #define CTR_DRBG_ENTROPY_LEN 32 /**< Amount of entropy used per seed by default */ #define CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ #define CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ -#define CTR_DRBG_MAX_REQUEST 500 /**< Maximum number of requested bytes per call */ +#define CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ #define CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ #define CTR_DRBG_PR_OFF 0 /**< No prediction resistance */ @@ -83,6 +87,7 @@ ctr_drbg_context; * length) * \param p_entropy Entropy context * \param custom Personalization data (Device specific identifiers) + * (Can be NULL) * \param len Length of personalization data * * \return 0 if successful, or @@ -130,7 +135,7 @@ void ctr_drbg_set_reseed_interval( ctr_drbg_context *ctx, * \brief CTR_DRBG reseeding (extracts data from entropy source) * * \param ctx CTR_DRBG context - * \param additional Additional data to add to state + * \param additional Additional data to add to state (Can be NULL) * \param len Length of additional data * * \return 0 if successful, or @@ -158,7 +163,7 @@ int ctr_drbg_update( ctr_drbg_context *ctx, * \param p_rng CTR_DRBG context * \param output Buffer to fill * \param output_len Length of the buffer - * \param additional Additional data to update with + * \param additional Additional data to update with (Can be NULL) * \param add_len Length of additional data * * \return 0 if successful, or diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c index 3eab542a0..cc295c73f 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c @@ -41,10 +41,10 @@ int ctr_drbg_init( ctr_drbg_context *ctx, size_t len ) { int ret; - unsigned char key[32]; + unsigned char key[CTR_DRBG_KEYSIZE]; memset( ctx, 0, sizeof(ctr_drbg_context) ); - memset( key, 0, 32 ); + memset( key, 0, CTR_DRBG_KEYSIZE ); ctx->f_entropy = f_entropy; ctx->p_entropy = p_entropy; @@ -55,7 +55,7 @@ int ctr_drbg_init( ctr_drbg_context *ctx, /* * Initialize with an empty key */ - aes_setkey_enc( &ctx->aes_ctx, key, 256 ); + aes_setkey_enc( &ctx->aes_ctx, key, CTR_DRBG_KEYBITS ); if( ( ret = ctr_drbg_reseed( ctx, custom, len ) ) != 0 ) return( ret ); @@ -80,16 +80,16 @@ void ctr_drbg_set_reseed_interval( ctr_drbg_context *ctx, int interval ) int block_cipher_df( unsigned char *output, unsigned char *data, size_t data_len ) { - unsigned char buf[CTR_DRBG_MAX_INPUT + 32]; + unsigned char buf[CTR_DRBG_MAX_SEED_INPUT + CTR_DRBG_BLOCKSIZE + 16]; unsigned char tmp[CTR_DRBG_SEEDLEN]; - unsigned char key[32]; - unsigned char chain[16]; - unsigned char *p, *iv; + unsigned char key[CTR_DRBG_KEYSIZE]; + unsigned char chain[CTR_DRBG_BLOCKSIZE]; + unsigned char *p = buf, *iv; aes_context aes_ctx; int i, j, buf_len, use_len; - memset( buf, 0, CTR_DRBG_MAX_INPUT + 32 ); + memset( buf, 0, CTR_DRBG_MAX_SEED_INPUT + CTR_DRBG_BLOCKSIZE + 16 ); /* * Construct IV (16 bytes) and S in buffer @@ -98,41 +98,43 @@ int block_cipher_df( unsigned char *output, unsigned char *data, size_t data_len * data || 0x80 * (Total is padded to a multiple of 16-bytes with zeroes) */ - buf[16] = ( data_len >> 24 ) & 0xff; - buf[17] = ( data_len >> 16 ) & 0xff; - buf[18] = ( data_len >> 8 ) & 0xff; - buf[19] = ( data_len ) & 0xff; - buf[23] = CTR_DRBG_SEEDLEN; - memcpy( buf + 24, data, data_len ); - buf[24 + data_len] = 0x80; + p = buf + CTR_DRBG_BLOCKSIZE; + *p++ = ( data_len >> 24 ) & 0xff; + *p++ = ( data_len >> 16 ) & 0xff; + *p++ = ( data_len >> 8 ) & 0xff; + *p++ = ( data_len ) & 0xff; + p += 3; + *p++ = CTR_DRBG_SEEDLEN; + memcpy( p, data, data_len ); + p[data_len] = 0x80; - buf_len = 24 + data_len + 1; + buf_len = CTR_DRBG_BLOCKSIZE + 8 + data_len + 1; - for( i = 0; i < 32; i++ ) + for( i = 0; i < CTR_DRBG_KEYSIZE; i++ ) key[i] = i; - aes_setkey_enc( &aes_ctx, key, 256 ); + aes_setkey_enc( &aes_ctx, key, CTR_DRBG_KEYBITS ); /* * Reduce data to POLARSSL_CTR_DRBG_SEEDLEN bytes of data */ - for( j = 0; j < CTR_DRBG_SEEDLEN; j += 16 ) + for( j = 0; j < CTR_DRBG_SEEDLEN; j += CTR_DRBG_BLOCKSIZE ) { p = buf; - memset( chain, 0, 16 ); + memset( chain, 0, CTR_DRBG_BLOCKSIZE ); use_len = buf_len; while( use_len > 0 ) { - for( i = 0; i < 16; i++ ) + for( i = 0; i < CTR_DRBG_BLOCKSIZE; i++ ) chain[i] ^= p[i]; - p += 16; - use_len -= 16; + p += CTR_DRBG_BLOCKSIZE; + use_len -= CTR_DRBG_BLOCKSIZE; aes_crypt_ecb( &aes_ctx, AES_ENCRYPT, chain, chain ); } - memcpy( tmp + j, chain, 16 ); + memcpy( tmp + j, chain, CTR_DRBG_BLOCKSIZE ); /* * Update IV @@ -143,15 +145,15 @@ int block_cipher_df( unsigned char *output, unsigned char *data, size_t data_len /* * Do final encryption with reduced data */ - aes_setkey_enc( &aes_ctx, tmp, 256 ); - iv = tmp + 32; + aes_setkey_enc( &aes_ctx, tmp, CTR_DRBG_KEYBITS ); + iv = tmp + CTR_DRBG_KEYSIZE; p = output; - for( j = 0; j < CTR_DRBG_SEEDLEN; j += 16 ) + for( j = 0; j < CTR_DRBG_SEEDLEN; j += CTR_DRBG_BLOCKSIZE ) { aes_crypt_ecb( &aes_ctx, AES_ENCRYPT, iv, iv ); - memcpy( p, iv, 16 ); - p += 16; + memcpy( p, iv, CTR_DRBG_BLOCKSIZE ); + p += CTR_DRBG_BLOCKSIZE; } return( 0 ); @@ -162,7 +164,7 @@ int ctr_drbg_reseed( ctr_drbg_context *ctx, unsigned char *additional, size_t le unsigned char seed[CTR_DRBG_MAX_SEED_INPUT]; size_t seedlen = 0; - if( ctx->entropy_len + len > CTR_DRBG_MAX_INPUT ) + if( ctx->entropy_len + len > CTR_DRBG_MAX_SEED_INPUT ) return( POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG ); memset( seed, 0, CTR_DRBG_MAX_SEED_INPUT ); @@ -210,12 +212,12 @@ int ctr_drbg_update( ctr_drbg_context *ctx, memset( tmp, 0, CTR_DRBG_SEEDLEN ); - for( j = 0; j < CTR_DRBG_SEEDLEN; j += 16 ) + for( j = 0; j < CTR_DRBG_SEEDLEN; j += CTR_DRBG_BLOCKSIZE ) { /* * Increase counter */ - i = 15; + i = CTR_DRBG_BLOCKSIZE - 1; do { ctx->counter[i]++; cb = ctx->counter[i] == 0; @@ -226,7 +228,7 @@ int ctr_drbg_update( ctr_drbg_context *ctx, */ aes_crypt_ecb( &ctx->aes_ctx, AES_ENCRYPT, ctx->counter, p ); - p += 16; + p += CTR_DRBG_BLOCKSIZE; } for( i = 0; i < CTR_DRBG_SEEDLEN; i++ ) @@ -235,8 +237,8 @@ int ctr_drbg_update( ctr_drbg_context *ctx, /* * Update key and counter */ - aes_setkey_enc( &ctx->aes_ctx, tmp, 256 ); - memcpy( ctx->counter, tmp + 32, 16 ); + aes_setkey_enc( &ctx->aes_ctx, tmp, CTR_DRBG_KEYBITS ); + memcpy( ctx->counter, tmp + CTR_DRBG_KEYSIZE, CTR_DRBG_BLOCKSIZE ); return( 0 ); } @@ -249,7 +251,7 @@ int ctr_drbg_random_with_add( void *p_rng, ctr_drbg_context *ctx = (ctr_drbg_context *) p_rng; unsigned char add_input[CTR_DRBG_SEEDLEN]; unsigned char *p = output; - unsigned char tmp[16]; + unsigned char tmp[CTR_DRBG_BLOCKSIZE]; int cb, i; if( output_len > CTR_DRBG_MAX_REQUEST ) @@ -280,7 +282,7 @@ int ctr_drbg_random_with_add( void *p_rng, /* * Increase counter */ - i = 15; + i = CTR_DRBG_BLOCKSIZE - 1; do { ctx->counter[i]++; cb = ctx->counter[i] == 0; @@ -294,9 +296,9 @@ int ctr_drbg_random_with_add( void *p_rng, /* * Copy random block to destination */ - memcpy( p, tmp, (output_len > 16 ) ? 16 : output_len ); - p += 16; - output_len -= 16; + memcpy( p, tmp, (output_len > CTR_DRBG_BLOCKSIZE ) ? CTR_DRBG_BLOCKSIZE : output_len ); + p += CTR_DRBG_BLOCKSIZE; + output_len -= CTR_DRBG_BLOCKSIZE; } ctr_drbg_update( ctx, add_input ); @@ -387,7 +389,7 @@ int ctr_drbg_self_test( int verbose ) } ctr_drbg_set_prediction_resistance( &ctx, CTR_DRBG_PR_ON ); - if( ctr_drbg_random( &ctx, buf, 16 ) != 0 ) + if( ctr_drbg_random( &ctx, buf, CTR_DRBG_BLOCKSIZE ) != 0 ) { if( verbose != 0 ) printf( "failed\n" ); @@ -395,7 +397,7 @@ int ctr_drbg_self_test( int verbose ) return( 1 ); } - if( ctr_drbg_random( &ctx, buf, 16 ) != 0 ) + if( ctr_drbg_random( &ctx, buf, CTR_DRBG_BLOCKSIZE ) != 0 ) { if( verbose != 0 ) printf( "failed\n" ); @@ -403,7 +405,7 @@ int ctr_drbg_self_test( int verbose ) return( 1 ); } - if( memcmp( buf, result_pr, 16 ) != 0 ) + if( memcmp( buf, result_pr, CTR_DRBG_BLOCKSIZE ) != 0 ) { if( verbose != 0 ) printf( "failed\n" );