commit fe34a5fb832defac003841502fbb343299b2594f
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu Jan 30 15:06:40 2014 +0100
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu Jan 30 15:06:40 2014 +0100
tree 23a0643e96ff2f28b93281f3a94318661fab3361
parent 8208d167daf4e9b0e506adc9f9687cc2969bd261

Add entropy callbacks to HMAC_DRBG

library/ecdsa.c

diff --git a/library/ecdsa.c b/library/ecdsa.c
index 92f6eef..12076d5 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -193,7 +193,7 @@
     MPI_CHK( mpi_write_binary( d, data, grp_len ) );
     MPI_CHK( derive_mpi( grp, &h, buf, blen ) );
     MPI_CHK( mpi_write_binary( &h, data + grp_len, grp_len ) );
-    hmac_drbg_init( &rng_ctx, md_info, data, 2 * grp_len );
+    hmac_drbg_init_buf( &rng_ctx, md_info, data, 2 * grp_len );
 
     ret = ecdsa_sign( grp, r, s, d, buf, blen,
                       hmac_drbg_random, &rng_ctx );

library/hmac_drbg.c

diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c
index bc5b908..a8fe486 100644
--- a/library/hmac_drbg.c
+++ b/library/hmac_drbg.c
@@ -63,11 +63,11 @@
 }
 
 /*
- * Simplified HMAC_DRBG initialisation.
+ * Simplified HMAC_DRBG initialisation (for use with deterministic ECDSA)
  */
-int hmac_drbg_init( hmac_drbg_context *ctx,
-                    const md_info_t * md_info,
-                    const unsigned char *data, size_t data_len )
+int hmac_drbg_init_buf( hmac_drbg_context *ctx,
+                        const md_info_t * md_info,
+                        const unsigned char *data, size_t data_len )
 {
     int ret;
 
@@ -85,6 +85,78 @@
 }
 
 /*
+ * HMAC_DRBG initialisation
+ */
+int hmac_drbg_init( hmac_drbg_context *ctx,
+                    const md_info_t * md_info,
+                    int (*f_entropy)(void *, unsigned char *, size_t),
+                    void *p_entropy,
+                    const unsigned char *custom,
+                    size_t len )
+{
+    int ret;
+    unsigned char seed[HMAC_DRBG_MAX_SEED_INPUT];
+    size_t seedlen, init_entropy_len;
+
+    memset( ctx, 0, sizeof( hmac_drbg_context ) );
+
+    if( ( ret = md_init_ctx( &ctx->md_ctx, md_info ) ) != 0 )
+        return( ret );
+
+    /*
+     * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
+     * each hash function, then according to SP800-90A rev1 10.1 table 2,
+     * min_entropy_len (in bits) is security_strength.
+     */
+    ctx->entropy_len = md_info->size <= 20 ? 16 : /* 160-bits hash -> 128 */
+                       md_info->size <= 28 ? 24 : /* 224-bits hash -> 192 */
+                                             32;  /* better (256+) -> 256 */
+
+    ctx->f_entropy = f_entropy;
+    ctx->p_entropy = p_entropy;
+
+    /*
+     * For initialisation, use more entropy to emulate a nonce
+     */
+    init_entropy_len = ctx->entropy_len * 3 / 2;
+
+    if( init_entropy_len + len > HMAC_DRBG_MAX_SEED_INPUT )
+        return( POLARSSL_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+
+    memset( seed, 0, HMAC_DRBG_MAX_SEED_INPUT );
+
+    /*
+     * Gather init_entropy_len bytes of entropy for initial seed
+     */
+    if( 0 != ctx->f_entropy( ctx->p_entropy, seed,
+                             init_entropy_len ) )
+    {
+        return( POLARSSL_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED );
+    }
+
+    seedlen = init_entropy_len;
+
+    /*
+     * Add additional data
+     */
+    if( custom != NULL && len != 0 )
+    {
+        memcpy( seed + seedlen, custom, len );
+        seedlen += len;
+    }
+
+    /*
+     * Set initial state and update it with initialisation data
+     */
+    memset( ctx->V, 0x01, md_info->size );
+    /* ctx->K is already 0 */
+
+    hmac_drbg_update( ctx, seed, seedlen );
+
+    return( 0 );
+}
+
+/*
  * HMAC_DRBG random function with optional additional data (10.1.2.5)
  */
 int hmac_drbg_random_with_add( void *p_rng,