authorStephan Mueller <smueller@chronox.de>2016-02-16 22:04:28 +0100
committerWerner Koch <wk@gnupg.org>2016-02-18 15:21:59 +0100
commited57fed6de1465e02ec5e3bc0affeabdd35e2eb7 (patch)
treee31597afaf4b900f518f418656238eac4fc27e34 /src/gcrypt.h.in
parent1da793d089b65ac8c1ead65dacb6b8699f5b6e69 (diff)
random: Add SP800-90A DRBG
* random/drbg.c: New. * random/random.c (_gcry_random_initialize): Replace rngfips init by drbg init. (__gcry_random_close_fds): Likewise. (_gcry_random_dump_stats): Likewise. (_gcry_random_is_faked): Likewise. (do_randomize): Likewise. (_gcry_random_selftest): Likewise. (_gcry_create_nonce): Replace rngfips_create_nonce by drbg_randomize. (_gcry_random_init_external_test): Remove. (_gcry_random_run_external_test): Remove. (_gcry_random_deinit_external_test): Remove. * random/random.h (struct gcry_drbg_test_vector): New. * src/gcrypt.h.in (struct gcry_drbg_gen): New. (struct gcry_drbg_string): New. (gcry_drbg_string_fill): New. (gcry_randomize_drbg): New. (GCRY_DRBG_): Lots of new macros. * src/global.c (_gcry_vcontrol) <Init external random test>: Turn into a nop. (_gcry_vcontrol) <Deinit external random test>: Ditto. (_gcry_vcontrol) <Run external random test>: Change. (_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: New. -- This patch set adds the SP800-90A DRBG for AES128, AES192, AES256 with derivation function, SHA-1 through SHA-512 with derivation function, HMAC SHA-1 through HMAC SHA-512. All DRBGs are provided with and without prediction resistance. In addition, all DRBGs allow reseeding by the caller. The default DRBG is HMAC SHA-256 without prediction resistance. The caller may re-initialize the DRBG with the control GCRYCTL_DRBG_REINIT: The patch replaces the invocation of the existing ANSI X9.31 DRNG. This covers the control calls of 58 through 60. Control calls 58 and 60 are simply deactivated. Control 59 is replaced with the DRBG CAVS test interface. Signed-off-by: Stephan Mueller <smueller@chronox.de> ChangeLog entries added by -wk
Diffstat (limited to 'src/gcrypt.h.in')
-rw-r--r--src/gcrypt.h.in108
1 files changed, 108 insertions, 0 deletions
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index f48f04fb..f1f13919 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
@@ -1722,6 +1722,114 @@ int gcry_is_secure (const void *a) _GCRY_GCC_ATTR_PURE;
/* Return true if Libgcrypt is in FIPS mode. */
#define gcry_fips_mode_active() !!gcry_control (GCRYCTL_FIPS_MODE_P, 0)
+/* DRBG input data structure for DRBG generate with additional information
+ * string */
+struct gcry_drbg_gen
+{
+ unsigned char *outbuf; /* output buffer for random numbers */
+ unsigned int outlen; /* size of output buffer */
+ struct gcry_drbg_string *addtl; /* input buffer for
+ * additional information string */
+};
+
+/*
+ * Concatenation Helper and string operation helper
+ *
+ * SP800-90A requires the concatenation of different data. To avoid copying
+ * buffers around or allocate additional memory, the following data structure
+ * is used to point to the original memory with its size. In addition, it
+ * is used to build a linked list. The linked list defines the concatenation
+ * of individual buffers. The order of memory block referenced in that
+ * linked list determines the order of concatenation.
+ */
+/* DRBG string definition */
+struct gcry_drbg_string
+{
+ const unsigned char *buf;
+ size_t len;
+ struct gcry_drbg_string *next;
+};
+
+static inline void gcry_drbg_string_fill(struct gcry_drbg_string *string,
+ const unsigned char *buf, size_t len)
+{
+ string->buf = buf;
+ string->len = len;
+ string->next = NULL;
+}
+
+/* this is a wrapper function for users of libgcrypt */
+static inline void gcry_randomize_drbg(void *outbuf, size_t outlen,
+ enum gcry_random_level level,
+ struct gcry_drbg_string *addtl)
+{
+ struct gcry_drbg_gen genbuf;
+ genbuf.outbuf = (unsigned char *)outbuf;
+ genbuf.outlen = outlen;
+ genbuf.addtl = addtl;
+ gcry_randomize(&genbuf, 0, level);
+}
+
+/*
+ * DRBG flags bitmasks
+ *
+ * 31 (B) 28 19 (A) 0
+ * +-+-+-+--------+---+-----------+-----+
+ * |~|~|u|~~~~~~~~| 3 | 2 | 1 |
+ * +-+-+-+--------+- -+-----------+-----+
+ * ctl flg| |drbg use selection flags
+ *
+ */
+
+/* internal state control flags (B) */
+#define GCRY_DRBG_PREDICTION_RESIST ((u_int32_t)1<<28)
+
+/* CTR type modifiers (A.1)*/
+#define GCRY_DRBG_CTRAES ((u_int32_t)1<<0)
+#define GCRY_DRBG_CTRSERPENT ((u_int32_t)1<<1)
+#define GCRY_DRBG_CTRTWOFISH ((u_int32_t)1<<2)
+#define GCRY_DRBG_CTR_MASK (GCRY_DRBG_CTRAES | GCRY_DRBG_CTRSERPENT | GCRY_DRBG_CTRTWOFISH)
+
+/* HASH type modifiers (A.2)*/
+#define GCRY_DRBG_HASHSHA1 ((u_int32_t)1<<4)
+#define GCRY_DRBG_HASHSHA224 ((u_int32_t)1<<5)
+#define GCRY_DRBG_HASHSHA256 ((u_int32_t)1<<6)
+#define GCRY_DRBG_HASHSHA384 ((u_int32_t)1<<7)
+#define GCRY_DRBG_HASHSHA512 ((u_int32_t)1<<8)
+#define GCRY_DRBG_HASH_MASK (GCRY_DRBG_HASHSHA1 | GCRY_DRBG_HASHSHA224 | \
+ GCRY_DRBG_HASHSHA256 | GCRY_DRBG_HASHSHA384 | \
+ GCRY_DRBG_HASHSHA512)
+/* type modifiers (A.3)*/
+#define GCRY_DRBG_HMAC ((u_int32_t)1<<12)
+#define GCRY_DRBG_SYM128 ((u_int32_t)1<<13)
+#define GCRY_DRBG_SYM192 ((u_int32_t)1<<14)
+#define GCRY_DRBG_SYM256 ((u_int32_t)1<<15)
+#define GCRY_DRBG_TYPE_MASK (GCRY_DRBG_HMAC | GCRY_DRBG_SYM128 | GCRY_DRBG_SYM192 | \
+ GCRY_DRBG_SYM256)
+#define GCRY_DRBG_CIPHER_MASK (GCRY_DRBG_CTR_MASK | GCRY_DRBG_HASH_MASK | GCRY_DRBG_TYPE_MASK)
+
+#define GCRY_DRBG_PR_CTRAES128 (GCRY_DRBG_PREDICTION_RESIST | GCRY_DRBG_CTRAES | GCRY_DRBG_SYM128)
+#define GCRY_DRBG_PR_CTRAES192 (GCRY_DRBG_PREDICTION_RESIST | GCRY_DRBG_CTRAES | GCRY_DRBG_SYM192)
+#define GCRY_DRBG_PR_CTRAES256 (GCRY_DRBG_PREDICTION_RESIST | GCRY_DRBG_CTRAES | GCRY_DRBG_SYM256)
+#define GCRY_DRBG_NOPR_CTRAES128 (GCRY_DRBG_CTRAES | GCRY_DRBG_SYM128)
+#define GCRY_DRBG_NOPR_CTRAES192 (GCRY_DRBG_CTRAES | GCRY_DRBG_SYM192)
+#define GCRY_DRBG_NOPR_CTRAES256 (GCRY_DRBG_CTRAES | GCRY_DRBG_SYM256)
+#define GCRY_DRBG_PR_HASHSHA1 (GCRY_DRBG_PREDICTION_RESIST | GCRY_DRBG_HASHSHA1)
+#define GCRY_DRBG_PR_HASHSHA256 (GCRY_DRBG_PREDICTION_RESIST | GCRY_DRBG_HASHSHA256)
+#define GCRY_DRBG_PR_HASHSHA384 (GCRY_DRBG_PREDICTION_RESIST | GCRY_DRBG_HASHSHA384)
+#define GCRY_DRBG_PR_HASHSHA512 (GCRY_DRBG_PREDICTION_RESIST | GCRY_DRBG_HASHSHA512)
+#define GCRY_DRBG_NOPR_HASHSHA1 (GCRY_DRBG_HASHSHA1)
+#define GCRY_DRBG_NOPR_HASHSHA256 (GCRY_DRBG_HASHSHA256)
+#define GCRY_DRBG_NOPR_HASHSHA384 (GCRY_DRBG_HASHSHA384)
+#define GCRY_DRBG_NOPR_HASHSHA512 (GCRY_DRBG_HASHSHA512)
+#define GCRY_DRBG_PR_HMACSHA1 (GCRY_DRBG_PREDICTION_RESIST | GCRY_DRBG_HASHSHA1 | GCRY_DRBG_HMAC)
+#define GCRY_DRBG_PR_HMACSHA256 (GCRY_DRBG_PREDICTION_RESIST | GCRY_DRBG_HASHSHA256 | GCRY_DRBG_HMAC)
+#define GCRY_DRBG_PR_HMACSHA384 (GCRY_DRBG_PREDICTION_RESIST | GCRY_DRBG_HASHSHA384 | GCRY_DRBG_HMAC)
+#define GCRY_DRBG_PR_HMACSHA512 (GCRY_DRBG_PREDICTION_RESIST | GCRY_DRBG_HASHSHA512 | GCRY_DRBG_HMAC)
+#define GCRY_DRBG_NOPR_HMACSHA1 (GCRY_DRBG_HASHSHA1 | GCRY_DRBG_HMAC)
+#define GCRY_DRBG_NOPR_HMACSHA256 (GCRY_DRBG_HASHSHA256 | GCRY_DRBG_HMAC)
+#define GCRY_DRBG_NOPR_HMACSHA384 (GCRY_DRBG_HASHSHA384 | GCRY_DRBG_HMAC)
+#define GCRY_DRBG_NOPR_HMACSHA512 (GCRY_DRBG_HASHSHA512 | GCRY_DRBG_HMAC)
#if 0 /* (Keep Emacsens' auto-indent happy.) */
{
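Review bot: `gcry_randomize_drbg` narrows its `size_t outlen` parameter into the `unsigned int outlen` member of `struct gcry_drbg_gen` at `genbuf.outlen = outlen;`, so on LP64 targets a request larger than UINT_MAX is silently truncated and the caller presumably receives a buffer whose tail was never filled while believing it holds random bytes; declaring the member as `size_t outlen; /* size of output buffer */` keeps the length intact (the consuming side in random/drbg.c is outside this diff and would need the matching type). The call `gcry_randomize(&genbuf, 0, level)` overloads the public API by handing a struct pointer through the buffer argument with length 0, which means the backend must interpret every zero-length `gcry_randomize` request as a DRBG request; that contract deserves a comment at the call site such as `/* A length of 0 tells the random backend that OUTBUF is really a struct gcry_drbg_gen. */` and, in the backend, a check that plain callers passing length 0 are not misread. The flag macros spell the type as `u_int32_t`, a BSD/glibc `<sys/types.h>` name rather than ISO C; `uint32_t` is the portable choice if this header can rely on `<stdint.h>`, otherwise `unsigned int` matches the rest of the header. The `static inline` helpers also assume a C99-capable consumer of the public header, which may or may not be an assumption gcrypt.h already makes elsewhere.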