[PATCH v3 1/7] SP800-90A Deterministic Random Bit Generator
smueller at chronox.de
Wed Mar 19 08:35:42 CET 2014
This is a clean-room implementation of the DRBG defined in SP800-90A.
All three viable DRBGs defined in the standard are implemented:

* HMAC: This is the leanest DRBG and compiled by default
* Hash: The more complex DRBG can be enabled at compile time
* CTR: The most complex DRBG can also be enabled at compile time

The DRBG implementation offers the following:

* All three DRBG types are implemented with a derivation function.
* All DRBG types are available with and without prediction resistance.
* All SHA types of SHA-1, SHA-256, SHA-384, SHA-512 are available for
  the HMAC and Hash DRBGs.
* All AES types of AES-128, AES-192 and AES-256 are available for the
* A self test is implemented with drbg_healthcheck().
* The FIPS 140-2 continuous self test is implemented.
* Additional cipher primitives, such as Serpent or Twofish, can be
  added to the DRBG without changing the implementation. The only
  change necessary is to the DRBG definition given in the cores

Changes to v1:

* Overhauling code structure for simpler code as suggested on LKML:
  - each DRBG type exports only two crypto functions,
  - the individual DRBG implementations structure closely according to
  - using struct drbg_string to refer to buffers to avoid too many
    function parameters and prevent multiple data structure conversions
  - use inline more thoroughly
  - replace macros with small inline functions
  - remove unnecessary indirections
  - replace large stack variables with a scratch buffer allocated at
    the beginning of DRBG operation -- see comments about scratchpad
    throughout the code
* Revamping DRBG flags usage to avoid double information
* Adding comments throughout the code to refer to the appropriate steps
  documented in SP 800-90A.
* Perform thorough testing:
  - Performing of a full scale CAVS test with CAVS interface available at
  - Performing tests by obtaining data which is not a multiple of cipher
    size and check it with the ent tool to ensure that the generation loop
    does not reuse stale buffers to avoid errors like CVE-2013-4345.

Signed-off-by: Stephan Mueller <smueller at chronox.de>
create mode 100644 random/drbg.c
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 16227 bytes
Desc: not available
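
The partial-block test described in the message, as an added example that is not code from the patch or from libgcrypt: a minimal HMAC_DRBG following SP 800-90A section 10.1.2 (no reseed, no prediction resistance), with a check that a request that is not a multiple of the block size is truncated cleanly and the discarded tail is never handed out later. The names HmacDrbg and partial_block_check and the seed bytes are constructed for illustration.

```python
import hashlib
import hmac


class HmacDrbg:
    """HMAC_DRBG (SP 800-90A, 10.1.2); illustrative, not the libgcrypt code."""

    def __init__(self, entropy, nonce, personalization=b"", hash_name="sha256"):
        self._hash = hash_name
        self.outlen = hashlib.new(hash_name).digest_size
        self._key = b"\x00" * self.outlen
        self._v = b"\x01" * self.outlen
        self._update(entropy + nonce + personalization)

    def _hmac(self, key, data):
        return hmac.new(key, data, self._hash).digest()

    def _update(self, provided):
        # HMAC_DRBG_Update: the second round only runs with provided data.
        self._key = self._hmac(self._key, self._v + b"\x00" + provided)
        self._v = self._hmac(self._key, self._v)
        if provided:
            self._key = self._hmac(self._key, self._v + b"\x01" + provided)
            self._v = self._hmac(self._key, self._v)

    def generate(self, nbytes, additional=b""):
        if additional:
            self._update(additional)
        out = bytearray()                 # fresh buffer on every call
        while len(out) < nbytes:
            self._v = self._hmac(self._key, self._v)
            out += self._v
        self._update(additional)          # state moves on before returning
        return bytes(out[:nbytes])        # surplus bytes are dropped, not kept


def partial_block_check():
    # Constructed seed material; two instances start from identical state.
    seed = dict(entropy=bytes(range(32)), nonce=bytes(range(16)))
    a, b = HmacDrbg(**seed), HmacDrbg(**seed)
    short, full = a.generate(33), b.generate(64)   # 33 = one block + 1 byte
    next_a, next_b = a.generate(32), b.generate(32)
    return {
        "length_ok": len(short) == 33,
        "prefix_ok": short == full[:33],
        "state_in_sync": next_a == next_b,
        "tail_not_reused": next_a[:31] != full[33:],
    }
```
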