[PATCH v3 1/7] SP800-90A Deterministic Random Bit Generator

Stephan Mueller smueller at chronox.de
Wed Mar 19 08:35:42 CET 2014

This is a clean-room implementation of the DRBG defined in SP800-90A.
All three viable DRBGs defined in the standard are implemented:

 * HMAC: This is the leanest DRBG and compiled per default
 * Hash: The more complex DRBG can be enabled at compile time
 * CTR: The most complex DRBG can also be enabled at compile time

The DRBG implementation offers the following:

 * All three DRBG types are implemented with a derivation function.
 * All DRBG types are available with and without prediction resistance.
 * All SHA types of SHA-1, SHA-256, SHA-384, SHA-512 are available for
   the HMAC and Hash DRBGs.
 * All AES types of AES-128, AES-192 and AES-256 are available for the
 * A self test is implemented with drbg_healthcheck().
 * The FIPS 140-2 continuous self test is implemented.
 * Additional cipher primitives, such as Serpent or Twofish, can be
   added to the DRBG without changing the implementation. The only
   change necessary is to the DRBG definition given in the cores[]

Changes v3:

Changes to v1:

 * Overhauling code structure for simpler code as suggested on LKML:
     - each DRBG type exports only two crypto functions,
     - the individual DRBG implementations are structured closely according
       to SP 800-90A,
     - using struct drbg_string to refer to buffers to avoid too many
       function parameters and prevent multiple data structure conversions
     - use inline more thoroughly
     - replace macros with small inline functions
     - remove unnecessary indirections
     - replacement of large stack variables with a scratch buffer allocated
       at the beginning of DRBG operation -- see comments about scratchpad
       throughout the code
 * Revamping DRBG flags usage to avoid double information
 * Adding comments throughout the code to refer to the appropriate steps
   documented in SP 800-90A.
 * Perform thorough testing:
   - Performing a full-scale CAVS test with the CAVS interface available at
   - Performing tests by obtaining data which is not a multiple of the cipher
     size and checking it with the ent tool to ensure that the generation loop
     does not reuse stale buffers to avoid errors like CVE-2013-4345.

Signed-off-by: Stephan Mueller <smueller at chronox.de>

 create mode 100644 random/drbg.c
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-SP800-90A-Deterministic-Random-Bit-Generator.patch.bz2
Type: application/x-bzip
Size: 16227 bytes
Desc: not available
URL: </pipermail/attachments/20140319/204a0a7c/attachment-0001.bin>
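The following is an added illustration, not code from the patch or from libgcrypt: a compact HMAC_DRBG following SP 800-90A section 10.1.2 (instantiate, update, reseed, generate), with the prediction-resistance reseed hook of section 9.3.1, a reseed-interval check, and a FIPS 140-2 style continuous test that refuses to emit an output block identical to the previous one. It uses only the Python standard library `hmac` and `hashlib` modules; the seed, nonce and personalization strings, and the `health_check` routine (a determinism and length check in the spirit of the post's drbg_healthcheck(), not a CAVS known-answer test) are constructed for this example. It also shows why requesting lengths that are not a multiple of the digest size must not reuse stale buffer bytes: every byte returned comes from a freshly computed V.

```python
"""SP 800-90A HMAC_DRBG with prediction resistance and a continuous test.

Added example; not the patch's own code.  Seeds and nonces are constructed.
"""
import hashlib
import hmac


class ReseedRequired(Exception):
    """reseed_counter exceeded reseed_interval (SP 800-90A 10.1.2.5 step 1)."""


class HmacDrbg:
    def __init__(self, entropy, nonce=b"", personalization=b"",
                 hashname="sha256", reseed_interval=1 << 48,
                 entropy_source=None, prediction_resistance=False):
        if prediction_resistance and entropy_source is None:
            raise ValueError("prediction resistance needs an entropy source")
        self.hashname = hashname
        self.outlen = hashlib.new(hashname).digest_size
        self.reseed_interval = reseed_interval
        self.entropy_source = entropy_source
        self.prediction_resistance = prediction_resistance
        self.last_block = None  # state for the continuous test
        # 10.1.2.3 Instantiate: K = 0x00..00, V = 0x01..01, then Update.
        self.key = b"\x00" * self.outlen
        self.v = b"\x01" * self.outlen
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, key, data):
        return hmac.new(key, data, self.hashname).digest()

    def _update(self, provided_data):
        # 10.1.2.2 HMAC_DRBG Update process.
        self.key = self._hmac(self.key, self.v + b"\x00" + provided_data)
        self.v = self._hmac(self.key, self.v)
        if provided_data:
            self.key = self._hmac(self.key, self.v + b"\x01" + provided_data)
            self.v = self._hmac(self.key, self.v)

    def reseed(self, entropy, additional=b""):
        # 10.1.2.4 Reseed process.
        self._update(entropy + additional)
        self.reseed_counter = 1

    def generate(self, nbytes, additional=b""):
        # 9.3.1: with prediction resistance, reseed first and consume the
        # additional input in the reseed rather than in the generate step.
        if self.prediction_resistance:
            self.reseed(self.entropy_source(self.outlen), additional)
            additional = b""
        # 10.1.2.5 Generate process.
        if self.reseed_counter > self.reseed_interval:
            raise ReseedRequired()
        if additional:
            self._update(additional)
        temp = b""
        while len(temp) < nbytes:
            self.v = self._hmac(self.key, self.v)
            # FIPS 140-2 continuous test: a repeated block means the
            # generator is stuck; fail closed rather than hand it out.
            if self.v == self.last_block:
                raise RuntimeError("continuous RNG test failed")
            self.last_block = self.v
            temp += self.v
        self._update(additional)
        self.reseed_counter += 1
        # Truncation happens only here, so a request that is not a multiple
        # of outlen never exposes bytes left over from an earlier call.
        return temp[:nbytes]


def health_check():
    """Determinism and length self-check (constructed, not a NIST KAT)."""
    seed, nonce, pers = b"A" * 32, b"B" * 16, b"example-personalization"
    a = HmacDrbg(seed, nonce, pers).generate(20)
    b = HmacDrbg(seed, nonce, pers).generate(20)
    return a == b and len(a) == 20


if __name__ == "__main__":
    assert health_check()
    pool = [bytes([i]) * 32 for i in range(1, 4)]  # constructed entropy
    drbg = HmacDrbg(b"A" * 32, b"B" * 16, entropy_source=lambda n: pool.pop(0),
                    prediction_resistance=True)
    print(drbg.generate(13).hex())
```

Two DRBGs instantiated from the same seed material produce the same stream, a second `generate` call never repeats the bytes of the first (the intermediate Update changes K and V), a request of 40 bytes starts with the same 20 bytes as a request of 20, and with prediction resistance every call draws fresh entropy, so the output depends on the entropy source as well as the seed.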
