[src/trunk]: src/sys Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG wit...
details: https://anonhg.NetBSD.org/src/rev/a9d308d1a17d
branches: trunk
changeset: 463668:a9d308d1a17d
user: riastradh <riastradh%NetBSD.org@localhost>
date: Mon Sep 02 20:09:29 2019 +0000
description:
Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256.
Benefits:
- larger seeds -- a 128-bit key alone is not enough for `128-bit security'
- better resistance to timing side channels than AES
- a better-understood security story (https://eprint.iacr.org/2018/349)
- no loss in compliance with US government standards that nobody ever
got fired for choosing, at least in the US-dominated western world
- no dirty endianness tricks
- self-tests
Drawbacks:
- performance hit: throughput is reduced to about 1/3 in naive measurements
=> possible to mitigate by using hardware SHA-256 instructions
=> all you really need is 32 bytes to seed a userland PRNG anyway
=> if we just used ChaCha this would go away...
XXX pullup-7
XXX pullup-8
XXX pullup-9
diffstat:
sys/conf/files | 6 +-
sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg | 3 -
sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h | 82 -
sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c | 664 ------------
sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h | 106 --
sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h | 80 -
sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h | 80 -
sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h | 72 -
sys/crypto/nist_hash_drbg/files.nist_hash_drbg | 3 +
sys/crypto/nist_hash_drbg/nist_hash_drbg.c | 1127 ++++++++++++++++++++++
sys/crypto/nist_hash_drbg/nist_hash_drbg.h | 85 +
sys/dev/rndpseudo.c | 9 +-
sys/kern/subr_cprng.c | 79 +-
sys/rump/kern/lib/libcrypto/Makefile | 5 +-
sys/rump/librump/rumpkern/Makefile.rumpkern | 10 +-
sys/sys/cprng.h | 6 +-
16 files changed, 1273 insertions(+), 1144 deletions(-)
diffs (truncated from 2688 to 300 lines):
diff -r 8c03538544a9 -r a9d308d1a17d sys/conf/files
--- a/sys/conf/files Mon Sep 02 12:48:52 2019 +0000
+++ b/sys/conf/files Mon Sep 02 20:09:29 2019 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: files,v 1.1237 2019/06/15 06:40:34 maxv Exp $
+# $NetBSD: files,v 1.1238 2019/09/02 20:09:29 riastradh Exp $
# @(#)files.newconf 7.5 (Berkeley) 5/10/93
version 20171118
@@ -196,8 +196,8 @@
# General-purpose crypto processing framework.
include "opencrypto/files.opencrypto"
-# NIST SP800.90 CTR DRBG
-include "crypto/nist_ctr_drbg/files.nist_ctr_drbg"
+# NIST SP800-90A Hash_DRBG
+include "crypto/nist_hash_drbg/files.nist_hash_drbg"
# ChaCha-based fast PRNG
include "crypto/cprng_fast/files.cprng_fast"
diff -r 8c03538544a9 -r a9d308d1a17d sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg
--- a/sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg Mon Sep 02 12:48:52 2019 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,3 +0,0 @@
-# $NetBSD: files.nist_ctr_drbg,v 1.1 2011/11/19 22:51:22 tls Exp $
-
-file crypto/nist_ctr_drbg/nist_ctr_drbg.c
diff -r 8c03538544a9 -r a9d308d1a17d sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h
--- a/sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h Mon Sep 02 12:48:52 2019 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,82 +0,0 @@
-/* $NetBSD: nist_ctr_aes_rijndael.h,v 1.2 2018/04/19 21:50:08 christos Exp $ */
-
-/*-
- * Copyright (c) 2011 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Thor Lancelot Simon.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2007 Henric Jungheim <software%henric.info@localhost>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Interface adapter for Rijndael implmentation (for use by NIST SP 800-90 CTR_DRBG)
- */
-
-#ifndef NIST_AES_RIJNDAEL_H
-#define NIST_AES_RIJNDAEL_H
-
-#include <crypto/rijndael/rijndael.h>
-
-#define NIST_AES_MAXKEYBITS 256
-#define NIST_AES_MAXKEYBYTES (NIST_AES_MAXKEYBITS / 8)
-#define NIST_AES_MAXKEYINTS (NIST_AES_MAXKEYBYTES / sizeof(int))
-
-#define NIST_AES_BLOCKSIZEBITS 128
-#define NIST_AES_BLOCKSIZEBYTES (NIST_AES_BLOCKSIZEBITS / 8)
-#define NIST_AES_BLOCKSIZEINTS (NIST_AES_BLOCKSIZEBYTES / sizeof(int))
-
-typedef rijndael_ctx NIST_AES_ENCRYPT_CTX;
-
-static __inline void
-NIST_AES_ECB_Encrypt(const NIST_AES_ENCRYPT_CTX *ctx,
- const void *src, void* dst)
-{
- rijndael_encrypt(ctx, src, dst);
-}
-
-static __inline int
-NIST_AES_Schedule_Encryption(NIST_AES_ENCRYPT_CTX *ctx,
- const void *key, int bits)
-{
- rijndael_set_key(ctx, key, bits);
- return 0;
-}
-
-#endif /* NIST_AES_RIJNDAEL_H */
diff -r 8c03538544a9 -r a9d308d1a17d sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c
--- a/sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c Mon Sep 02 12:48:52 2019 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,664 +0,0 @@
-/* $NetBSD: nist_ctr_drbg.c,v 1.1 2011/11/19 22:51:22 tls Exp $ */
-
-/*-
- * Copyright (c) 2011 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Thor Lancelot Simon.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2007 Henric Jungheim <software%henric.info@localhost>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * NIST SP 800-90 CTR_DRBG (Random Number Generator)
- */
-#include <sys/types.h>
-#include <sys/systm.h>
-
-#include <crypto/nist_ctr_drbg/nist_ctr_drbg.h>
-
-#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: nist_ctr_drbg.c,v 1.1 2011/11/19 22:51:22 tls Exp $");
-
-/*
- * NIST SP 800-90 March 2007
- * 10.4.2 Derivation Function Using a Block Cipher Algorithm
- * Global Constants
- */
-static NIST_Key nist_cipher_df_ctx;
-static unsigned char nist_cipher_df_encrypted_iv[NIST_BLOCK_SEEDLEN / NIST_BLOCK_OUTLEN][NIST_BLOCK_OUTLEN_BYTES];
-
-/*
- * NIST SP 800-90 March 2007
- * 10.2.1.3.2 The Process Steps for Instantiation When a Derivation
- * Function is Used
- * Global Constants
- */
-static NIST_Key nist_cipher_zero_ctx;
-
-/*
- * NIST SP 800-90 March 2007
- * 10.2.1.5.2 The Process Steps for Generating Pseudorandom Bits When a
- * Derivation Function is Used for the DRBG Implementation
- * Global Constants
- */
-static const unsigned int
- nist_ctr_drgb_generate_null_input[NIST_BLOCK_SEEDLEN_INTS] = { 0 };
-
-/*
- * Utility
- */
-/*
- * nist_increment_block
- * Increment the output block as a big-endian number.
- */
-static inline void
-nist_increment_block(unsigned long *V)
-{
- int i;
- unsigned long x;
-
- for (i = NIST_BLOCK_OUTLEN_LONGS - 1; i >= 0; --i) {
- x = NIST_NTOHL(V[i]) + 1;
- V[i] = NIST_HTONL(x);
- if (x) /* There was only a carry if we are zero */
- return;
- }
-}
-
-/*
- * NIST SP 800-90 March 2007
- * 10.4.3 BCC Function
- */
-static void
-nist_ctr_drbg_bcc_update(const NIST_Key *ctx, const unsigned int *data,
- int n, unsigned int *chaining_value)
-{
- int i, j;
- unsigned int input_block[NIST_BLOCK_OUTLEN_INTS];
-
- /* [4] for i = 1 to n */
- for (i = 0; i < n; ++i) {
-
- /* [4.1] input_block = chaining_value XOR block_i */
- for (j = 0; j < NIST_BLOCK_OUTLEN_INTS; ++j)
- input_block[j] = chaining_value[j] ^ *data++;
-
- /* [4.2] chaining_value = Block_Encrypt(Key, input_block) */
- Block_Encrypt(ctx, &input_block[0], &chaining_value[0]);
- }
-
- /* [5] output_block = chaining_value */
- /* chaining_value already is output_block, so no copy is required */
-}
-
-static void
-nist_ctr_drbg_bcc(NIST_Key *ctx, const unsigned int *data,
- int n, unsigned int *output_block)
-{
- unsigned int *chaining_value = output_block;
-
- /* [1] chaining_value = 0^outlen */
- memset(&chaining_value[0], 0, NIST_BLOCK_OUTLEN_BYTES);
-
- nist_ctr_drbg_bcc_update(ctx, data, n, output_block);
-}
-
-/*
- * NIST SP 800-90 March 2007
- * 10.4.2 Derivation Function Using a Block Cipher Algorithm
- */
-
-typedef struct {
- int index;
- unsigned char S[NIST_BLOCK_OUTLEN_BYTES];
-} NIST_CTR_DRBG_DF_BCC_CTX;
-
-static inline int
-check_int_alignment(const void *p)
-{
- intptr_t ip = (const char *)p - (const char *)0;
-
- if (ip & (sizeof(int) - 1))
- return 0;
-
- return 1;
-}
-
-static void
-nist_ctr_drbg_df_bcc_init(NIST_CTR_DRBG_DF_BCC_CTX *ctx, int L, int N)
-{
- unsigned int *S = (unsigned int *)ctx->S;
-
- /* [4] S = L || N || input_string || 0x80 */
- S[0] = NIST_HTONL(L);
- S[1] = NIST_HTONL(N);
- ctx->index = 2 * sizeof(S[0]);
-}
-
-static void
-nist_ctr_drbg_df_bcc_update(NIST_CTR_DRBG_DF_BCC_CTX *ctx,
- const char *input_string,
- int input_string_length, unsigned int *temp)
-{
- int i, len;
- int index = ctx->index;
- unsigned char *S = ctx->S;
-