OLD | NEW |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 | 4 |
5 #ifdef FREEBL_NO_DEPEND | 5 #ifdef FREEBL_NO_DEPEND |
6 #include "stubs.h" | 6 #include "stubs.h" |
7 #endif | 7 #endif |
8 | 8 |
9 #include "prerror.h" | 9 #include "prerror.h" |
10 #include "secerr.h" | 10 #include "secerr.h" |
11 | 11 |
12 #include "prtypes.h" | 12 #include "prtypes.h" |
13 #include "prinit.h" | 13 #include "prinit.h" |
14 #include "blapi.h" | 14 #include "blapi.h" |
15 #include "blapii.h" | 15 #include "blapii.h" |
16 #include "nssilock.h" | 16 #include "nssilock.h" |
17 #include "secitem.h" | 17 #include "secitem.h" |
18 #include "sha_fast.h" | 18 #include "sha_fast.h" |
19 #include "sha256.h" | 19 #include "sha256.h" |
20 #include "secrng.h" /* for RNG_SystemRNG() */ | 20 #include "secrng.h" /* for RNG_SystemRNG() */ |
21 #include "secmpi.h" | 21 #include "secmpi.h" |
22 | 22 |
23 /* PRNG_SEEDLEN defined in NIST SP 800-90 section 10.1 | 23 /* PRNG_SEEDLEN defined in NIST SP 800-90 section 10.1 |
24 * for SHA-1, SHA-224, and SHA-256 it's 440 bits. | 24 * for SHA-1, SHA-224, and SHA-256 it's 440 bits. |
25 * for SHA-384 and SHA-512 it's 888 bits */ | 25 * for SHA-384 and SHA-512 it's 888 bits */ |
26 #define PRNG_SEEDLEN (440/PR_BITS_PER_BYTE) | 26 #define PRNG_SEEDLEN (440/PR_BITS_PER_BYTE) |
27 static const PRInt64 PRNG_MAX_ADDITIONAL_BYTES = LL_INIT(0x1, 0x0); | 27 #define PRNG_MAX_ADDITIONAL_BYTES PR_INT64(0x100000000) |
28 /* 2^35 bits or 2^32 bytes */ | 28 /* 2^35 bits or 2^32 bytes */ |
29 #define PRNG_MAX_REQUEST_SIZE 0x10000 /* 2^19 bits or 2^16 bytes */ | 29 #define PRNG_MAX_REQUEST_SIZE 0x10000 /* 2^19 bits or 2^16 bytes */ |
30 #define PRNG_ADDITONAL_DATA_CACHE_SIZE (8*1024) /* must be less than | 30 #define PRNG_ADDITONAL_DATA_CACHE_SIZE (8*1024) /* must be less than |
31 * PRNG_MAX_ADDITIONAL_BYTES | 31 * PRNG_MAX_ADDITIONAL_BYTES |
32 */ | 32 */ |
33 | 33 |
34 /* RESEED_COUNT is how many calls to the prng before we need to reseed | 34 /* RESEED_COUNT is how many calls to the prng before we need to reseed |
35 * under normal NIST rules, you must return an error. In the NSS case, we | 35 * under normal NIST rules, you must return an error. In the NSS case, we |
36 * self-reseed with RNG_SystemRNG(). Count can be a large number. For code | 36 * self-reseed with RNG_SystemRNG(). Count can be a large number. For code |
37 * simplicity, we specify count with 2 components: RESEED_BYTE (which is | 37 * simplicity, we specify count with 2 components: RESEED_BYTE (which is |
(...skipping 202 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
240 rng->isValid = PR_FALSE; | 240 rng->isValid = PR_FALSE; |
241 return SECFailure; | 241 return SECFailure; |
242 } | 242 } |
243 return prng_reseed(rng, entropy, entropy_len, | 243 return prng_reseed(rng, entropy, entropy_len, |
244 additional_input, additional_input_len); | 244 additional_input, additional_input_len); |
245 } | 245 } |
246 | 246 |
247 /* | 247 /* |
248 * build some fast inline functions for adding. | 248 * build some fast inline functions for adding. |
249 */ | 249 */ |
250 #define PRNG_ADD_CARRY_ONLY(dest, start, cy) \ | 250 #define PRNG_ADD_CARRY_ONLY(dest, start, carry) \ |
251 carry = cy; \ | 251 { \ |
252 for (k1=start; carry && k1 >=0 ; k1--) { \ | 252 int k1; \ |
253 » carry = !(++dest[k1]); \ | 253 for (k1 = start; carry && k1 >= 0; k1--) { \ |
254 } | 254 carry = !(++dest[k1]); \ |
| 255 } \ |
| 256 } |
255 | 257 |
256 /* | 258 /* |
257 * NOTE: dest must be an array for the following to work. | 259 * NOTE: dest must be an array for the following to work. |
258 */ | 260 */ |
259 #define PRNG_ADD_BITS(dest, dest_len, add, len) \ | 261 #define PRNG_ADD_BITS(dest, dest_len, add, len, carry) \ |
260 carry = 0; \ | 262 carry = 0; \ |
261 for (k1=dest_len -1, k2=len-1; k2 >= 0; --k1, --k2) { \ | 263 PORT_Assert((dest_len) >= (len)); \ |
262 » carry += dest[k1]+ add[k2]; \ | 264 { \ |
263 » dest[k1] = (PRUint8) carry; \ | 265 int k1, k2; \ |
264 » carry >>= 8; \ | 266 for (k1 = dest_len - 1, k2 = len - 1; k2 >= 0; --k1, --k2) { \ |
| 267 carry += dest[k1] + add[k2]; \ |
| 268 dest[k1] = (PRUint8) carry; \ |
| 269 carry >>= 8; \ |
| 270 } \ |
265 } | 271 } |
266 | 272 |
267 #define PRNG_ADD_BITS_AND_CARRY(dest, dest_len, add, len) \ | 273 #define PRNG_ADD_BITS_AND_CARRY(dest, dest_len, add, len, carry) \ |
268 PRNG_ADD_BITS(dest, dest_len, add, len) \ | 274 PRNG_ADD_BITS(dest, dest_len, add, len, carry) \ |
269 PRNG_ADD_CARRY_ONLY(dest, k1, carry) | 275 PRNG_ADD_CARRY_ONLY(dest, dest_len - len, carry) |
270 | 276 |
271 /* | 277 /* |
272 * This function expands the internal state of the prng to fulfill any number | 278 * This function expands the internal state of the prng to fulfill any number |
273 * of bytes we need for this request. We only use this call if we need more | 279 * of bytes we need for this request. We only use this call if we need more |
274 * than can be supplied by a single call to SHA256_HashBuf. | 280 * than can be supplied by a single call to SHA256_HashBuf. |
275 * | 281 * |
276 * This function is specified in NIST SP 800-90 section 10.1.1.4, Hashgen | 282 * This function is specified in NIST SP 800-90 section 10.1.1.4, Hashgen |
277 */ | 283 */ |
278 static void | 284 static void |
279 prng_Hashgen(RNGContext *rng, PRUint8 *returned_bytes, | 285 prng_Hashgen(RNGContext *rng, PRUint8 *returned_bytes, |
280 unsigned int no_of_returned_bytes) | 286 unsigned int no_of_returned_bytes) |
281 { | 287 { |
282 PRUint8 data[VSize(rng)]; | 288 PRUint8 data[VSize(rng)]; |
283 | 289 |
284 PORT_Memcpy(data, V(rng), VSize(rng)); | 290 PORT_Memcpy(data, V(rng), VSize(rng)); |
285 while (no_of_returned_bytes) { | 291 while (no_of_returned_bytes) { |
286 SHA256Context ctx; | 292 SHA256Context ctx; |
287 unsigned int len; | 293 unsigned int len; |
288 unsigned int carry; | 294 unsigned int carry; |
289 int k1; | |
290 | 295 |
291 SHA256_Begin(&ctx); | 296 SHA256_Begin(&ctx); |
292 SHA256_Update(&ctx, data, sizeof data); | 297 SHA256_Update(&ctx, data, sizeof data); |
293 SHA256_End(&ctx, returned_bytes, &len, no_of_returned_bytes); | 298 SHA256_End(&ctx, returned_bytes, &len, no_of_returned_bytes); |
294 returned_bytes += len; | 299 returned_bytes += len; |
295 no_of_returned_bytes -= len; | 300 no_of_returned_bytes -= len; |
296 /* The carry parameter is a bool (increment or not). | 301 /* The carry parameter is a bool (increment or not). |
297 * This increments data if no_of_returned_bytes is not zero */ | 302 * This increments data if no_of_returned_bytes is not zero */ |
298 » PRNG_ADD_CARRY_ONLY(data, (sizeof data)- 1, no_of_returned_bytes); | 303 carry = no_of_returned_bytes; |
| 304 » PRNG_ADD_CARRY_ONLY(data, (sizeof data)- 1, carry); |
299 } | 305 } |
300 PORT_Memset(data, 0, sizeof data); | 306 PORT_Memset(data, 0, sizeof data); |
301 } | 307 } |
302 | 308 |
303 /* | 309 /* |
304 * Generates new random bytes and advances the internal prng state. | 310 * Generates new random bytes and advances the internal prng state. |
305 * additional bytes are only used in algorithm testing. | 311 * additional bytes are only used in algorithm testing. |
306 * | 312 * |
307 * This function is specified in NIST SP 800-90 section 10.1.1.4 | 313 * This function is specified in NIST SP 800-90 section 10.1.1.4 |
308 */ | 314 */ |
309 static SECStatus | 315 static SECStatus |
310 prng_generateNewBytes(RNGContext *rng, | 316 prng_generateNewBytes(RNGContext *rng, |
311 PRUint8 *returned_bytes, unsigned int no_of_returned_bytes, | 317 PRUint8 *returned_bytes, unsigned int no_of_returned_bytes, |
312 const PRUint8 *additional_input, | 318 const PRUint8 *additional_input, |
313 unsigned int additional_input_len) | 319 unsigned int additional_input_len) |
314 { | 320 { |
315 PRUint8 H[SHA256_LENGTH]; /* both H and w since they | 321 PRUint8 H[SHA256_LENGTH]; /* both H and w since they |
316 * aren't used concurrently */ | 322 * aren't used concurrently */ |
317 unsigned int carry; | 323 unsigned int carry; |
318 int k1, k2; | |
319 | 324 |
320 if (!rng->isValid) { | 325 if (!rng->isValid) { |
321 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 326 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
322 return SECFailure; | 327 return SECFailure; |
323 } | 328 } |
324 /* This code only triggers during tests, normal | 329 /* This code only triggers during tests, normal |
325 * prng operation does not use additional_input */ | 330 * prng operation does not use additional_input */ |
326 if (additional_input){ | 331 if (additional_input){ |
327 SHA256Context ctx; | 332 SHA256Context ctx; |
328 /* NIST SP 800-90 defines two temporaries in their calculations, | 333 /* NIST SP 800-90 defines two temporaries in their calculations, |
329 * w and H. These temporaries are the same lengths, and used | 334 * w and H. These temporaries are the same lengths, and used |
330 * at different times, so we use the following macro to collapse | 335 * at different times, so we use the following macro to collapse |
331 * them to the same variable, but keeping their unique names for | 336 * them to the same variable, but keeping their unique names for |
332 * easy comparison to the spec */ | 337 * easy comparison to the spec */ |
333 #define w H | 338 #define w H |
334 rng->V_type = prngAdditionalDataType; | 339 rng->V_type = prngAdditionalDataType; |
335 SHA256_Begin(&ctx); | 340 SHA256_Begin(&ctx); |
336 SHA256_Update(&ctx, rng->V_Data, sizeof rng->V_Data); | 341 SHA256_Update(&ctx, rng->V_Data, sizeof rng->V_Data); |
337 SHA256_Update(&ctx, additional_input, additional_input_len); | 342 SHA256_Update(&ctx, additional_input, additional_input_len); |
338 SHA256_End(&ctx, w, NULL, sizeof w); | 343 SHA256_End(&ctx, w, NULL, sizeof w); |
339 » PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), w, sizeof w) | 344 » PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), w, sizeof w, carry) |
340 PORT_Memset(w, 0, sizeof w); | 345 PORT_Memset(w, 0, sizeof w); |
341 #undef w | 346 #undef w |
342 } | 347 } |
343 | 348 |
344 if (no_of_returned_bytes == SHA256_LENGTH) { | 349 if (no_of_returned_bytes == SHA256_LENGTH) { |
345 /* short_cut to hashbuf and save a copy and a clear */ | 350 /* short_cut to hashbuf and save a copy and a clear */ |
346 SHA256_HashBuf(returned_bytes, V(rng), VSize(rng) ); | 351 SHA256_HashBuf(returned_bytes, V(rng), VSize(rng) ); |
347 } else { | 352 } else { |
348 prng_Hashgen(rng, returned_bytes, no_of_returned_bytes); | 353 prng_Hashgen(rng, returned_bytes, no_of_returned_bytes); |
349 } | 354 } |
350 /* advance our internal state... */ | 355 /* advance our internal state... */ |
351 rng->V_type = prngGenerateByteType; | 356 rng->V_type = prngGenerateByteType; |
352 SHA256_HashBuf(H, rng->V_Data, sizeof rng->V_Data); | 357 SHA256_HashBuf(H, rng->V_Data, sizeof rng->V_Data); |
353 PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), H, sizeof H) | 358 PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), H, sizeof H, carry) |
354 PRNG_ADD_BITS(V(rng), VSize(rng), rng->C, sizeof rng->C); | 359 PRNG_ADD_BITS(V(rng), VSize(rng), rng->C, sizeof rng->C, carry); |
355 PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), rng->reseed_counter, | 360 PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), rng->reseed_counter, |
356 » » » » » sizeof rng->reseed_counter) | 361 » » » » » sizeof rng->reseed_counter, carry) |
357 PRNG_ADD_CARRY_ONLY(rng->reseed_counter,(sizeof rng->reseed_counter)-1, 1); | 362 carry = 1; |
| 363 PRNG_ADD_CARRY_ONLY(rng->reseed_counter,(sizeof rng->reseed_counter)-1, carr
y); |
358 | 364 |
359 /* continuous rng check */ | 365 /* continuous rng check */ |
360 if (memcmp(V(rng), rng->oldV, sizeof rng->oldV) == 0) { | 366 if (memcmp(V(rng), rng->oldV, sizeof rng->oldV) == 0) { |
361 rng->isValid = PR_FALSE; | 367 rng->isValid = PR_FALSE; |
362 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 368 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
363 return SECFailure; | 369 return SECFailure; |
364 } | 370 } |
365 PORT_Memcpy(rng->oldV, V(rng), sizeof rng->oldV); | 371 PORT_Memcpy(rng->oldV, V(rng), sizeof rng->oldV); |
366 return SECSuccess; | 372 return SECSuccess; |
367 } | 373 } |
(...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
503 * sizeof(size_t) to be greater than 4, but it wasn't. Setting | 509 * sizeof(size_t) to be greater than 4, but it wasn't. Setting |
504 * NS_PTR_LE_32 will correct that mistake. | 510 * NS_PTR_LE_32 will correct that mistake. |
505 * | 511 * |
506 * if 'sizeof(size_t) <= 4' is triggered, it means that we were expecting | 512 * if 'sizeof(size_t) <= 4' is triggered, it means that we were expecting |
507 * sizeof(size_t) to be less than or equal to 4, but it wasn't. Setting | 513 * sizeof(size_t) to be less than or equal to 4, but it wasn't. Setting |
508 * NS_PTR_GT_32 will correct that mistake. | 514 * NS_PTR_GT_32 will correct that mistake. |
509 */ | 515 */ |
510 | 516 |
511 PR_STATIC_ASSERT(sizeof(size_t) > 4); | 517 PR_STATIC_ASSERT(sizeof(size_t) > 4); |
512 | 518 |
513 if (bytes > PRNG_MAX_ADDITIONAL_BYTES) { | 519 if (bytes > (size_t)PRNG_MAX_ADDITIONAL_BYTES) { |
514 bytes = PRNG_MAX_ADDITIONAL_BYTES; | 520 bytes = PRNG_MAX_ADDITIONAL_BYTES; |
515 } | 521 } |
516 #else | 522 #else |
517 PR_STATIC_ASSERT(sizeof(size_t) <= 4); | 523 PR_STATIC_ASSERT(sizeof(size_t) <= 4); |
518 #endif | 524 #endif |
519 | 525 |
520 PZ_Lock(globalrng->lock); | 526 PZ_Lock(globalrng->lock); |
521 /* if we're passed more than our additionalDataCache, simply | 527 /* if we're passed more than our additionalDataCache, simply |
522 * call reseed with that data */ | 528 * call reseed with that data */ |
523 if (bytes > sizeof (globalrng->additionalDataCache)) { | 529 if (bytes > sizeof (globalrng->additionalDataCache)) { |
(...skipping 381 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
905 if (rng_status == SECSuccess) { | 911 if (rng_status == SECSuccess) { |
906 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 912 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
907 return SECFailure; | 913 return SECFailure; |
908 } | 914 } |
909 if (PORT_GetError() != SEC_ERROR_LIBRARY_FAILURE) { | 915 if (PORT_GetError() != SEC_ERROR_LIBRARY_FAILURE) { |
910 return rng_status; | 916 return rng_status; |
911 } | 917 } |
912 | 918 |
913 return SECSuccess; | 919 return SECSuccess; |
914 } | 920 } |
OLD | NEW |