|
 |
66e42d |
diff -up libgcrypt-1.8.3/random/random-drbg.c.fips-enttest libgcrypt-1.8.3/random/random-drbg.c
|
|
|
66e42d |
--- libgcrypt-1.8.3/random/random-drbg.c.fips-enttest 2017-11-23 19:16:58.000000000 +0100
|
|
|
9fe250 |
+++ libgcrypt-1.8.3/random/random-drbg.c 2019-06-24 10:04:23.219547141 +0200
|
|
|
9fe250 |
@@ -317,6 +317,7 @@ struct drbg_state_s
|
|
|
9fe250 |
unsigned char *ctr_null; /* CTR mode zero buffer */
|
|
|
9fe250 |
int seeded:1; /* DRBG fully seeded? */
|
|
|
9fe250 |
int pr:1; /* Prediction resistance enabled? */
|
|
|
9fe250 |
+ int ent_primed:1; /* Previous entropy data primed? */
|
|
|
9fe250 |
/* Taken from libgcrypt ANSI X9.31 DRNG: We need to keep track of the
|
|
|
9fe250 |
* process which did the initialization so that we can detect a fork.
|
|
|
9fe250 |
* The volatile modifier is required so that the compiler does not
|
|
|
9fe250 |
@@ -324,6 +325,7 @@ struct drbg_state_s
|
|
|
9fe250 |
pid_t seed_init_pid;
|
|
|
9fe250 |
const struct drbg_state_ops_s *d_ops;
|
|
|
9fe250 |
const struct drbg_core_s *core;
|
|
|
9fe250 |
+ unsigned char ent_hash[64]; /* Hash of previous entropy data */
|
|
|
9fe250 |
struct drbg_test_data_s *test_data;
|
|
|
9fe250 |
};
|
|
|
9fe250 |
|
|
|
9fe250 |
@@ -610,11 +612,13 @@ drbg_get_entropy (drbg_state_t drbg, uns
|
|
|
66e42d |
size_t len)
|
|
|
66e42d |
{
|
|
|
66e42d |
int rc = 0;
|
|
|
66e42d |
+ unsigned char newhash[64];
|
|
|
66e42d |
|
|
|
66e42d |
/* Perform testing as defined in 11.3.2 */
|
|
|
66e42d |
if (drbg->test_data && drbg->test_data->fail_seed_source)
|
|
|
9fe250 |
return -1;
|
|
|
9fe250 |
|
|
|
9fe250 |
+redo:
|
|
|
9fe250 |
read_cb_buffer = buffer;
|
|
|
9fe250 |
read_cb_size = len;
|
|
|
9fe250 |
read_cb_len = 0;
|
|
|
9fe250 |
@@ -634,6 +638,27 @@ drbg_get_entropy (drbg_state_t drbg, uns
|
|
|
66e42d |
#else
|
|
|
66e42d |
rc = -1;
|
|
|
66e42d |
#endif
|
|
|
66e42d |
+
|
|
|
66e42d |
+ /* to avoid storing the actual entropy obtained for indefinite
|
|
|
66e42d |
+ time, we just store the SHA-512 hash of the entropy gathered
|
|
|
66e42d |
+ */
|
|
|
66e42d |
+ _gcry_md_hash_buffer (GCRY_MD_SHA512, newhash, buffer, len);
|
|
|
66e42d |
+
|
|
|
9fe250 |
+ if (!drbg->ent_primed)
|
|
|
9fe250 |
+ {
|
|
|
9fe250 |
+ memcpy (drbg->ent_hash, newhash, sizeof (drbg->ent_hash));
|
|
|
9fe250 |
+ drbg->ent_primed = 1;
|
|
|
9fe250 |
+ goto redo;
|
|
|
9fe250 |
+ }
|
|
|
66e42d |
+
|
|
|
9fe250 |
+ if (memcmp (newhash, drbg->ent_hash, sizeof (drbg->ent_hash)) == 0)
|
|
|
9fe250 |
+ {
|
|
|
9fe250 |
+ fips_signal_error ("Entropy source failed the continuous test");
|
|
|
9fe250 |
+ return -1; /* continuous entropy test failed */
|
|
|
9fe250 |
+ }
|
|
|
9fe250 |
+
|
|
|
9fe250 |
+ memcpy (drbg->ent_hash, newhash, sizeof (drbg->ent_hash));
|
|
|
66e42d |
+
|
|
|
66e42d |
return rc;
|
|
|
66e42d |
}
|
|
|
66e42d |
|
|
|
9fe250 |
@@ -1341,26 +1366,38 @@ drbg_seed (drbg_state_t drbg, drbg_strin
|
|
|
9fe250 |
}
|
|
|
9fe250 |
else
|
|
|
9fe250 |
{
|
|
|
9fe250 |
+ int nonce = 0;
|
|
|
9fe250 |
/* Gather entropy equal to the security strength of the DRBG.
|
|
|
9fe250 |
* With a derivation function, a nonce is required in addition
|
|
|
9fe250 |
* to the entropy. A nonce must be at least 1/2 of the security
|
|
|
9fe250 |
* strength of the DRBG in size. Thus, entropy * nonce is 3/2
|
|
|
9fe250 |
* of the strength. The consideration of a nonce is only
|
|
|
9fe250 |
- * applicable during initial seeding. */
|
|
|
9fe250 |
+ * applicable during initial seeding.
|
|
|
9fe250 |
+ * To avoid pulling different length of data from entropy
|
|
|
9fe250 |
+ * source, we use 2 * strength for initial seeding. */
|
|
|
9fe250 |
entropylen = drbg_sec_strength (drbg->core->flags);
|
|
|
9fe250 |
if (!entropylen)
|
|
|
9fe250 |
return GPG_ERR_GENERAL;
|
|
|
9fe250 |
if (0 == reseed)
|
|
|
9fe250 |
- /* make sure we round up strength/2 in
|
|
|
9fe250 |
- * case it is not divisible by 2 */
|
|
|
9fe250 |
- entropylen = ((entropylen + 1) / 2) * 3;
|
|
|
9fe250 |
+ {
|
|
|
9fe250 |
+ nonce = 1;
|
|
|
9fe250 |
+ }
|
|
|
9fe250 |
dbg (("DRBG: (re)seeding with %lu bytes of entropy\n", entropylen));
|
|
|
9fe250 |
- entropy = xcalloc_secure (1, entropylen);
|
|
|
9fe250 |
+ entropy = xcalloc_secure (nonce + 1, entropylen);
|
|
|
9fe250 |
if (!entropy)
|
|
|
9fe250 |
return GPG_ERR_ENOMEM;
|
|
|
9fe250 |
ret = drbg_get_entropy (drbg, entropy, entropylen);
|
|
|
9fe250 |
if (ret)
|
|
|
9fe250 |
goto out;
|
|
|
9fe250 |
+ if (nonce)
|
|
|
9fe250 |
+ {
|
|
|
9fe250 |
+ ret = drbg_get_entropy (drbg, entropy + entropylen, entropylen);
|
|
|
9fe250 |
+ if (ret)
|
|
|
9fe250 |
+ goto out;
|
|
|
9fe250 |
+ /* make sure we round up strength/2 in
|
|
|
9fe250 |
+ * case it is not divisible by 2 */
|
|
|
9fe250 |
+ entropylen = 2 * entropylen;
|
|
|
9fe250 |
+ }
|
|
|
9fe250 |
drbg_string_fill (&data1, entropy, entropylen);
|
|
|
9fe250 |
}
|
|
|
9fe250 |
|
|
|
9fe250 |
@@ -1597,6 +1634,7 @@ drbg_instantiate (drbg_state_t drbg,
|
|
|
9fe250 |
drbg->core = &drbg_cores[coreref];
|
|
|
9fe250 |
drbg->pr = pr;
|
|
|
9fe250 |
drbg->seeded = 0;
|
|
|
9fe250 |
+ drbg->ent_primed = 0;
|
|
|
9fe250 |
if (drbg->core->flags & DRBG_HMAC)
|
|
|
9fe250 |
drbg->d_ops = &drbg_hmac_ops;
|
|
|
9fe250 |
else if (drbg->core->flags & DRBG_HASH_MASK)
|