Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG wit...
details:   https://anonhg.NetBSD.org/src/rev/2ef70c69814b
branches:  trunk
changeset: 844791:2ef70c69814b
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Mon Sep 02 20:09:29 2019 +0000
description:
Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256.
Benefits:
- larger seeds -- a 128-bit key alone is not enough for `128-bit security'
- better resistance to timing side channels than AES
- a better-understood security story (https://eprint.iacr.org/2018/349)
- no loss in compliance with US government standards that nobody ever
  got fired for choosing, at least in the US-dominated western world
- no dirty endianness tricks
- self-tests
Drawbacks:
- performance hit: throughput is reduced to about 1/3 in naive measurements
  => possible to mitigate by using hardware SHA-256 instructions
  => all you really need is 32 bytes to seed a userland PRNG anyway
  => if we just used ChaCha this would go away...
XXX pullup-7
XXX pullup-8
XXX pullup-9
diffstat:
 sys/conf/files                                   |     6 +-
 sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg     |     3 -
 sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h |    82 -
 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c         |   664 ------------
 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h         |   106 --
 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h  |    80 -
 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h  |    80 -
 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h  |    72 -
 sys/crypto/nist_hash_drbg/files.nist_hash_drbg   |     3 +
 sys/crypto/nist_hash_drbg/nist_hash_drbg.c       |  1127 ++++++++++++++++++++++
 sys/crypto/nist_hash_drbg/nist_hash_drbg.h       |    85 +
 sys/dev/rndpseudo.c                              |     9 +-
 sys/kern/subr_cprng.c                            |    79 +-
 sys/rump/kern/lib/libcrypto/Makefile             |     5 +-
 sys/rump/librump/rumpkern/Makefile.rumpkern      |    10 +-
 sys/sys/cprng.h                                  |     6 +-
 16 files changed, 1273 insertions(+), 1144 deletions(-)
diffs (truncated from 2688 to 300 lines):
diff -r 1f1885f7c8e4 -r 2ef70c69814b sys/conf/files
--- a/sys/conf/files    Mon Sep 02 12:48:52 2019 +0000
+++ b/sys/conf/files    Mon Sep 02 20:09:29 2019 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: files,v 1.1237 2019/06/15 06:40:34 maxv Exp $
+#      $NetBSD: files,v 1.1238 2019/09/02 20:09:29 riastradh Exp $
 #      @(#)files.newconf       7.5 (Berkeley) 5/10/93
 
 version        20171118
@@ -196,8 +196,8 @@
 # General-purpose crypto processing framework.
 include "opencrypto/files.opencrypto"
 
-# NIST SP800.90 CTR DRBG
-include "crypto/nist_ctr_drbg/files.nist_ctr_drbg"
+# NIST SP800-90A Hash_DRBG
+include "crypto/nist_hash_drbg/files.nist_hash_drbg"
 
 # ChaCha-based fast PRNG
 include "crypto/cprng_fast/files.cprng_fast"
diff -r 1f1885f7c8e4 -r 2ef70c69814b sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg
--- a/sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg      Mon Sep 02 12:48:52 2019 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,3 +0,0 @@
-#      $NetBSD: files.nist_ctr_drbg,v 1.1 2011/11/19 22:51:22 tls Exp $
-
-file   crypto/nist_ctr_drbg/nist_ctr_drbg.c
diff -r 1f1885f7c8e4 -r 2ef70c69814b sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h
--- a/sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h  Mon Sep 02 12:48:52 2019 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,82 +0,0 @@
-/*     $NetBSD: nist_ctr_aes_rijndael.h,v 1.2 2018/04/19 21:50:08 christos Exp $ */
-
-/*-
- * Copyright (c) 2011 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Thor Lancelot Simon.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2007 Henric Jungheim <software%henric.info@localhost>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Interface adapter for Rijndael implmentation (for use by NIST SP 800-90 CTR_DRBG)
- */
-
-#ifndef NIST_AES_RIJNDAEL_H
-#define NIST_AES_RIJNDAEL_H
-
-#include <crypto/rijndael/rijndael.h>
-
-#define NIST_AES_MAXKEYBITS            256
-#define NIST_AES_MAXKEYBYTES   (NIST_AES_MAXKEYBITS / 8)
-#define NIST_AES_MAXKEYINTS    (NIST_AES_MAXKEYBYTES / sizeof(int))
-
-#define NIST_AES_BLOCKSIZEBITS 128
-#define NIST_AES_BLOCKSIZEBYTES        (NIST_AES_BLOCKSIZEBITS / 8)
-#define NIST_AES_BLOCKSIZEINTS (NIST_AES_BLOCKSIZEBYTES / sizeof(int))
-
-typedef rijndael_ctx NIST_AES_ENCRYPT_CTX;
-
-static __inline void
-NIST_AES_ECB_Encrypt(const NIST_AES_ENCRYPT_CTX *ctx,
-                    const void *src, void* dst)
-{
-       rijndael_encrypt(ctx, src, dst);
-}
-
-static __inline int
-NIST_AES_Schedule_Encryption(NIST_AES_ENCRYPT_CTX *ctx,
-                            const void *key, int bits)
-{
-       rijndael_set_key(ctx, key, bits);
-       return 0;
-}
-
-#endif /* NIST_AES_RIJNDAEL_H */
diff -r 1f1885f7c8e4 -r 2ef70c69814b sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c
--- a/sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c  Mon Sep 02 12:48:52 2019 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,664 +0,0 @@
-/*     $NetBSD: nist_ctr_drbg.c,v 1.1 2011/11/19 22:51:22 tls Exp $ */
-
-/*-
- * Copyright (c) 2011 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Thor Lancelot Simon.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2007 Henric Jungheim <software%henric.info@localhost>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * NIST SP 800-90 CTR_DRBG (Random Number Generator)
- */
-#include <sys/types.h>
-#include <sys/systm.h>
-
-#include <crypto/nist_ctr_drbg/nist_ctr_drbg.h>
-
-#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: nist_ctr_drbg.c,v 1.1 2011/11/19 22:51:22 tls Exp $");
-
-/*
- * NIST SP 800-90 March 2007
- * 10.4.2 Derivation Function Using a Block Cipher Algorithm
- * Global Constants
- */
-static NIST_Key nist_cipher_df_ctx;
-static unsigned char nist_cipher_df_encrypted_iv[NIST_BLOCK_SEEDLEN / NIST_BLOCK_OUTLEN][NIST_BLOCK_OUTLEN_BYTES];
-
-/*
- * NIST SP 800-90 March 2007
- * 10.2.1.3.2 The Process Steps for Instantiation When a Derivation
- *            Function is Used
- * Global Constants
- */
-static NIST_Key nist_cipher_zero_ctx;
-
-/*
- * NIST SP 800-90 March 2007
- * 10.2.1.5.2 The Process Steps for Generating Pseudorandom Bits When a
- *            Derivation Function is Used for the DRBG Implementation
- * Global Constants
- */
-static const unsigned int
-    nist_ctr_drgb_generate_null_input[NIST_BLOCK_SEEDLEN_INTS] = { 0 };
-
-/*
- * Utility
- */
-/*
- * nist_increment_block
- *    Increment the output block as a big-endian number.
- */
-static inline void
-nist_increment_block(unsigned long *V)
-{
-       int i;
-       unsigned long x;
-
-       for (i = NIST_BLOCK_OUTLEN_LONGS - 1; i >= 0; --i) {
-               x = NIST_NTOHL(V[i]) + 1;
-               V[i] = NIST_HTONL(x);
-               if (x)  /* There was only a carry if we are zero */
-                       return;
-       }
-}
-
-/*
- * NIST SP 800-90 March 2007
- * 10.4.3 BCC Function
- */
-static void
-nist_ctr_drbg_bcc_update(const NIST_Key *ctx, const unsigned int *data,
-                        int n, unsigned int *chaining_value)
-{
-       int i, j;
-       unsigned int input_block[NIST_BLOCK_OUTLEN_INTS];
-
-       /* [4] for i = 1 to n */
-       for (i = 0; i < n; ++i) {
-
-               /* [4.1] input_block = chaining_value XOR block_i */
-               for (j = 0; j < NIST_BLOCK_OUTLEN_INTS; ++j)
-                       input_block[j] = chaining_value[j] ^ *data++;
-
-               /* [4.2] chaining_value = Block_Encrypt(Key, input_block) */
-               Block_Encrypt(ctx, &input_block[0], &chaining_value[0]);
-       }
-
-       /* [5] output_block = chaining_value */
-       /* chaining_value already is output_block, so no copy is required */
-}
-
-static void
-nist_ctr_drbg_bcc(NIST_Key *ctx, const unsigned int *data,
-                 int n, unsigned int *output_block)
-{
-       unsigned int *chaining_value = output_block;
-
-       /* [1] chaining_value = 0^outlen */
-       memset(&chaining_value[0], 0, NIST_BLOCK_OUTLEN_BYTES);
-
-       nist_ctr_drbg_bcc_update(ctx, data, n, output_block);
-}
-
-/*
- * NIST SP 800-90 March 2007
- * 10.4.2 Derivation Function Using a Block Cipher Algorithm
- */
-
-typedef struct {
-       int index;
-       unsigned char S[NIST_BLOCK_OUTLEN_BYTES];
-} NIST_CTR_DRBG_DF_BCC_CTX;
-
-static inline int
-check_int_alignment(const void *p)
-{
-       intptr_t ip = (const char *)p - (const char *)0;
-
-       if (ip & (sizeof(int) - 1))
-               return 0;
-       
-       return 1;
-}
-
-static void
-nist_ctr_drbg_df_bcc_init(NIST_CTR_DRBG_DF_BCC_CTX *ctx, int L, int N)
-{
-       unsigned int *S = (unsigned int *)ctx->S;
-
-       /* [4] S = L || N || input_string || 0x80 */
-       S[0] = NIST_HTONL(L);
-       S[1] = NIST_HTONL(N);
-       ctx->index = 2 * sizeof(S[0]);
-}
-
-static void
-nist_ctr_drbg_df_bcc_update(NIST_CTR_DRBG_DF_BCC_CTX *ctx,
-                           const char *input_string,
-                           int input_string_length, unsigned int *temp)
-{
-       int i, len;
-       int index = ctx->index;
-       unsigned char *S = ctx->S;
-
Home |
Main Index |
Thread Index |
Old Index