[svn] gcry - r1309 - in trunk: cipher doc random src tests

svn author wk cvs at cvs.gnupg.org
Fri Aug 29 13:09:29 CEST 2008


Author: wk
Date: 2008-08-29 13:09:26 +0200 (Fri, 29 Aug 2008)
New Revision: 1309

Added:
   trunk/tests/README
   trunk/tests/rsa-16k.key
Modified:
   trunk/cipher/ChangeLog
   trunk/cipher/cipher.c
   trunk/cipher/elgamal.c
   trunk/cipher/primegen.c
   trunk/doc/ChangeLog
   trunk/doc/Makefile.am
   trunk/doc/gcrypt.texi
   trunk/random/ChangeLog
   trunk/random/random-csprng.c
   trunk/random/random-daemon.c
   trunk/random/random-fips.c
   trunk/random/rndunix.c
   trunk/random/rndw32.c
   trunk/src/ChangeLog
   trunk/src/global.c
   trunk/src/hwfeatures.c
   trunk/tests/ChangeLog
   trunk/tests/Makefile.am
   trunk/tests/basic.c
   trunk/tests/pkbench.c
Log:
Changed the way the FIPS RNG is seeded.
FIPS cleanups.
Documentation updates.


[The diff below has been truncated]

Modified: trunk/cipher/ChangeLog
===================================================================
--- trunk/cipher/ChangeLog	2008-08-27 13:19:27 UTC (rev 1308)
+++ trunk/cipher/ChangeLog	2008-08-29 11:09:26 UTC (rev 1309)
@@ -1,3 +1,10 @@
+2008-08-28  Werner Koch  <wk at g10code.com>
+
+	* cipher.c (cipher_decrypt, cipher_encrypt): Return an error if
+	mode NONE is used.
+	(gcry_cipher_open): Allow mode NONE only with a debug flag set and
+	if not in FIPS mode.
+
 2008-08-26  Werner Koch  <wk at g10code.com>
 
 	* pubkey.c (pubkey_generate): Add arg KEYGEN_FLAGS.

Modified: trunk/doc/ChangeLog
===================================================================
--- trunk/doc/ChangeLog	2008-08-27 13:19:27 UTC (rev 1308)
+++ trunk/doc/ChangeLog	2008-08-29 11:09:26 UTC (rev 1309)
@@ -1,3 +1,7 @@
+2008-08-27  Werner Koch  <wk at g10code.com>
+
+	* Makefile.am (online): Take care of development versions.
+
 2008-08-18  Werner Koch  <wk at g10code.com>
 
 	* gcrypt.texi (Top): Remove the detailmenu.

Modified: trunk/random/ChangeLog
===================================================================
--- trunk/random/ChangeLog	2008-08-27 13:19:27 UTC (rev 1308)
+++ trunk/random/ChangeLog	2008-08-29 11:09:26 UTC (rev 1309)
@@ -1,3 +1,22 @@
+2008-08-29  Werner Koch  <wk at g10code.com>
+
+	* random-fips.c (SEED_TTL): New.
+	(struct rng_context): Add USE_COUNTER, remove NEED_STRONG_ENTROPY.
+	(x931_aes_driver): Do re-seeding if required.
+	(x931_generate_key, x931_generate_seed): Factor common code out to ..
+	(get_entropy): .. new.  Always use /dev/random.
+	(x931_generate_key): Seed key for nonce_context from std_rng_context.
+	(x931_reseed): New. Seed nonce context from std_rng_context.
+	(get_random): Use x931_reseed.
+	(_gcry_rngfips_selftest): Return an error if no /dev/radom support
+	has been compiled in.
+	(get_random): Remove locking.
+	(_gcry_rngfips_randomize, _gcry_rngfips_create_nonce): Lock here.
+
+2008-08-28  Werner Koch  <wk at g10code.com>
+
+	* random-daemon.c (connect_to_socket): Use GPG_ERR_ENAMETOOLONG.
+
 2008-08-25  Werner Koch  <wk at g10code.com>
 
 	* random-fips.c (x931_aes): Take datetime_GT from an arg.

Modified: trunk/src/ChangeLog
===================================================================
--- trunk/src/ChangeLog	2008-08-27 13:19:27 UTC (rev 1308)
+++ trunk/src/ChangeLog	2008-08-29 11:09:26 UTC (rev 1309)
@@ -1,3 +1,8 @@
+2008-08-28  Werner Koch  <wk at g10code.com>
+
+	* hwfeatures.c (_gcry_detect_hw_features): Disable hardware
+	detection in FIPS mode.
+
 2008-08-27  Werner Koch  <wk at g10code.com>
 
 	* global.c (_gcry_vcontrol): Allow running selftests from error
@@ -2,4 +7,9 @@
 	state.
+	(gcry_set_outofcore_handler): Only print a warning if used in FIPS
+	mode.
+	(gcry_xmalloc, gcry_xrealloc, gcry_xmalloc_secure, gcry_xstrdup):
+	Ignore an outofcore handler in FIPS mode.
+
 	* fips.c (_gcry_fips_test_error_or_operational): New.
-	(fips_new_state): Allow transtion from error into selftest.
+	(fips_new_state): Allow transition from error into selftest.
 	Disallow error to init.

Modified: trunk/tests/ChangeLog
===================================================================
--- trunk/tests/ChangeLog	2008-08-27 13:19:27 UTC (rev 1308)
+++ trunk/tests/ChangeLog	2008-08-29 11:09:26 UTC (rev 1309)
@@ -1,5 +1,15 @@
+2008-08-28  Werner Koch  <wk at g10code.com>
+
+	* rsa-16k.key: New sample key.
+
 2008-08-27  Werner Koch  <wk at g10code.com>
 
+	* pkbench.c (read_file): New.
+	(process_key_pair_file): Replace mmap by read_file.
+	(main): Add a --fips option.
+	* Makefile.am (EXTRA_DIST): Remove.
+	(EXTRA_PROGRAMS): Add pkbench.
+
 	* basic.c (main): Extended FIPS self-test test.
 
 2008-08-26  Werner Koch  <wk at g10code.com>

Modified: trunk/cipher/cipher.c
===================================================================
--- trunk/cipher/cipher.c	2008-08-27 13:19:27 UTC (rev 1308)
+++ trunk/cipher/cipher.c	2008-08-29 11:09:26 UTC (rev 1309)
@@ -731,7 +731,11 @@
 	break;
 
       case GCRY_CIPHER_MODE_NONE:
-	/* FIXME: issue a warning when this mode is used */
+        /* This mode may be used for debbuging.  It copies the main
+           text verbatim to the ciphertext.  We do not allow this in
+           fips mode or if no debug flag has been set.  */
+	if (fips_mode () || !_gcry_get_debug_flag (0))
+          err = GPG_ERR_INV_CIPHER_MODE;
 	break;
 
       default:
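Review bot: The gate added under `case GCRY_CIPHER_MODE_NONE` is `_gcry_get_debug_flag (0)`, which the gcrypt.texi change in this same commit describes as "any debug flag". A process that turns on a debug flag for unrelated diagnostics therefore also re-enables a mode that copies the plaintext to the output unchanged. Consider a dedicated flag for this, or at least state the consequence in the comment, e.g. `/* Note: ANY debug flag enables this mode; do not set debug flags in production.  */`. The predicate `fips_mode () || !_gcry_get_debug_flag (0)` is repeated verbatim in the cipher_encrypt and cipher_decrypt hunks that follow, so a small static helper would keep the three checks from drifting apart. The enclosing switch starts and ends outside this hunk.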
@@ -1421,8 +1425,16 @@
                                outbuf, (byte*)/*arggg*/inbuf, nbytes );
         break;
       case GCRY_CIPHER_MODE_NONE:
-	if( inbuf != outbuf )
-	    memmove( outbuf, inbuf, nbytes );
+       	if (fips_mode () || !_gcry_get_debug_flag (0))
+          {
+            fips_signal_error ("cipher mode NONE used");
+            rc = GPG_ERR_INV_CIPHER_MODE;
+          }
+        else
+          {
+            if ( inbuf != outbuf )
+              memmove (outbuf, inbuf, nbytes);
+          }
 	break;
       default:
         log_fatal("cipher_encrypt: invalid mode %d\n", c->mode );
@@ -1512,8 +1524,16 @@
                                outbuf, (byte*)/*arggg*/inbuf, nbytes );
         break;
       case GCRY_CIPHER_MODE_NONE:
-	if( inbuf != outbuf )
-	    memmove( outbuf, inbuf, nbytes );
+       	if (fips_mode () || !_gcry_get_debug_flag (0))
+          {
+            fips_signal_error ("cipher mode NONE used");
+            rc = GPG_ERR_INV_CIPHER_MODE;
+          }
+        else
+          {
+            if (inbuf != outbuf)
+              memmove (outbuf, inbuf, nbytes);
+          }
 	break;
       default:
         log_fatal ("cipher_decrypt: invalid mode %d\n", c->mode );

Modified: trunk/cipher/elgamal.c
===================================================================
--- trunk/cipher/elgamal.c	2008-08-27 13:19:27 UTC (rev 1308)
+++ trunk/cipher/elgamal.c	2008-08-29 11:09:26 UTC (rev 1309)
@@ -83,8 +83,9 @@
 
 
 /****************
- * Michael Wiener's table on subgroup sizes to match field sizes
- * (floating around somewhere - Fixme: need a reference)
+ * Michael Wiener's table on subgroup sizes to match field sizes.
+ * (floating around somewhere, probably based on the paper from
+ * Eurocrypt 96, page 332)
  */
 static unsigned int
 wiener_map( unsigned int n )

Modified: trunk/cipher/primegen.c
===================================================================
--- trunk/cipher/primegen.c	2008-08-27 13:19:27 UTC (rev 1308)
+++ trunk/cipher/primegen.c	2008-08-29 11:09:26 UTC (rev 1309)
@@ -395,8 +395,7 @@
   /* Make a pool of 3n+5 primes (this is an arbitrary value).  We
      require at least 30 primes for are useful selection process. 
      
-     FIXME: We need to do some reseacrh on the best formula for sizing
-     the pool.
+     Fixme: We need to research the best formula for sizing the pool.
   */
   m = n * 3 + 5;
   if (need_q_factor) /* Need some more in this case. */

Modified: trunk/doc/Makefile.am
===================================================================
--- trunk/doc/Makefile.am	2008-08-27 13:19:27 UTC (rev 1308)
+++ trunk/doc/Makefile.am	2008-08-29 11:09:26 UTC (rev 1309)
@@ -45,11 +45,27 @@
 	fig2dev -L pdf `test -f '$<' || echo '$(srcdir)/'`$< $@
 
 
+# Make sure that gcrypt.texi is touched if any other source file has
+# been modified.  This is required so that the version.texi magic
+# updates the release date.
+gnupg.texi : $(gcrypt_TEXINFOS)
+	touch $(srcdir)/gcrypt.texi
+
 online: gcrypt.html gcrypt.pdf gcrypt.info
 	set -e; \
 	echo "Uploading current manuals to www.gnupg.org ..."; \
-        user=werner ; dir="webspace/manuals/gcrypt-devel/" ; \
-	(cd gcrypt.html && rsync -vr --exclude='.svn' .  \
-	  $${user}@cvs.gnupg.org:$${dir} ); \
-        rsync -v gcrypt.pdf gcrypt.info $${user}@cvs.gnupg.org:$${dir}
+	cp libgcrypt-modules.png gcrypt.html/; \
+	cp fips-fsm.png gcrypt.html/; \
+        user=werner ; dashdevel="" ; \
+        if echo "@PACKAGE_VERSION@" | grep -- "-svn" >/dev/null; then \
+	  dashdevel="-devel" ; \
+	  cp gcrypt.pdf gcrypt.html/; \
+	  cp gcrypt.info gcrypt.html/; \
+	else \
+          rsync -v gcrypt.pdf gcrypt.info \
+               $${user}@cvs.gnupg.org:webspace/manuals/ ; \
+        fi ; \
+	cd gcrypt.html ; \
+        rsync -vr --exclude='.svn' .  \
+	  $${user}@cvs.gnupg.org:webspace/manuals/gcrypt$${dashdevel}/ 
 
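Review bot: The new rule is written for the target `gnupg.texi`, while its comment and its recipe (`touch $(srcdir)/gcrypt.texi`) are about gcrypt.texi; this looks like a leftover from another project's Makefile. Unless something outside this hunk depends on `gnupg.texi`, the rule is never triggered and the version.texi release date is not refreshed as the comment promises. If the comment states the intent, the target would be `gcrypt.texi :`, with that file kept out of the prerequisites so the rule does not depend on itself; whether `$(gcrypt_TEXINFOS)` contains it is not visible here.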

Modified: trunk/doc/gcrypt.texi
===================================================================
--- trunk/doc/gcrypt.texi	2008-08-27 13:19:27 UTC (rev 1308)
+++ trunk/doc/gcrypt.texi	2008-08-29 11:09:26 UTC (rev 1309)
@@ -1540,8 +1540,9 @@
 
 @table @code
 @item GCRY_CIPHER_MODE_NONE
-No mode specified, may be set later using other functions.  The value
-of this constant is always 0.
+No mode specified.  This should not be used.  The only exception is that
+if Libgcrypt is not used in FIPS mode and if any debug flag has been
+set, this mode may be used to bypass the actual encryption.
 
 @item GCRY_CIPHER_MODE_ECB
 Electronic Codebook mode.  
@@ -4621,16 +4622,97 @@
 @node FIPS Restrictions
 @appendix Restrictions in FIPS mode
 
-If Libgcrypt is used FIPS mode these restrictions are effective:
+If Libgcrypt is used in FIPS mode these restrictions are effective:
 
 @itemize
+ at item
+The cryptographic algorithms are restricted to this list:
 
+ at table @asis
+ at item GCRY_CIPHER_3DES
+3 key EDE Triple-DES symmetric encryption.
+ at item GCRY_CIPHER_AES128
+AES 128 bit symmetric encryption.
+ at item GCRY_CIPHER_AES192
+AES 192 bit symmetric encryption.
+ at item GCRY_CIPHER_AES256
+AES 256 bit symmetric encryption.
+ at item GCRY_MD_SHA1
+SHA-1 message digest.
+ at item GCRY_MD_SHA224
+SHA-224 message digest.
+ at item GCRY_MD_SHA256
+SHA-256 message digest.
+ at item GCRY_MD_SHA384
+SHA-384 message digest.
+ at item GCRY_MD_SHA512
+SHA-512 message digest.
+ at item GCRY_MD_SHA1,GCRY_MD_FLAG_HMAC
+HMAC using a SHA-1 message digest.
+ at item GCRY_MD_SHA224,GCRY_MD_FLAG_HMAC
+HMAC using a SHA-224 message digest.
+ at item GCRY_MD_SHA256,GCRY_MD_FLAG_HMAC
+HMAC using a SHA-256 message digest.
+ at item GCRY_MD_SHA384,GCRY_MD_FLAG_HMAC
+HMAC using a SHA-384 message digest.
+ at item GCRY_MD_SHA512,GCRY_MD_FLAG_HMAC
+HMAC using a SHA-512 message digest.
+ at item GCRY_PK_RSA
+RSA encryption and signing.         
+ at item GCRY_PK_DSA
+DSA signing.
+ at end table
+
+Note that the CRC algorithms are not considered cryptographic algorithms
+and thus are in addition available.
+
+ at item
+RSA and DSA key generation refuses to create a key with a keysize of
+less than 1024 bits.  
+
+ at item
+The @code{transient-key} flag for RSA key generation is ignored.
+
+ at item
+Support for the VIA Padlock engine is disabled.
+
 @item 
-It may only be used on systesm with a /dev/random device.  Swicthing
-into FIPS mode on other systems will fail at runtime.
+FIPS mode may only be used on systems with a /dev/random device.
+Switching into FIPS mode on other systems will fail at runtime.
 
+ at item
+Saving and loading a random seed file is not ignored.
 
+ at item
+An X9.31 style random number generator is used in place of the
+large-pool-CSPRNG generator.
 
+ at item
+The Alternative Public Key Interface (@code{gcry_ac_xxx}) is not
+supported and all API calls return an error.
+
+ at item Registration of external modules is not supported.
+
+ at item 
+Message digest debugging is disabled.
+
+ at item
+All debug output related to cryptographic data is suppressed.
+
+ at item 
+On-the-fly self-tests are not performed, instead of this self-tests are
+run before entering operational state.
+
+ at item
+The function @code{gcry_set_allocation_handler} may not be used.  If it
+is used Libgcrypt will enter the error state.
+
+ at item
+A handler set by @code{gcry_set_outofcore_handler} is ignored.
+ at item
+A handler set by @code{gcry_set_fatalerror_handler} is ignored.
+
+
 @end itemize
 
 
@@ -4799,7 +4881,15 @@
 
 @bye
 
+GCRYCTL_SET_RANDOM_DAEMON_SOCKET
+GCRYCTL_USE_RANDOM_DAEMON
+The random damon is still a bit experimental, thus we do not document
+them.  Not ethat they should be used during initialization and that
+these functions are not really thread safe.
 
+
+
+
 @c  LocalWords:  int HD
 
 

Modified: trunk/random/random-csprng.c
===================================================================
--- trunk/random/random-csprng.c	2008-08-27 13:19:27 UTC (rev 1308)
+++ trunk/random/random-csprng.c	2008-08-29 11:09:26 UTC (rev 1309)
@@ -367,9 +367,9 @@
 void
 _gcry_rngcsprng_dump_stats (void)
 {
-  /* FIXME: don't we need proper locking here? -mo.  
-     Yes. However this is usually called during cleanup and thenwe _
-     might_ run into problems.  Needs to be checked.  -wk */
+  /* In theory we would need to lock the stats here.  However this
+     function is usually called during cleanup and then we _might_ run
+     into problems.  */
 
   log_info ("random usage: poolsize=%d mixed=%lu polls=%lu/%lu added=%lu/%lu\n"
 	    "              outmix=%lu getlvl1=%lu/%lu getlvl2=%lu/%lu%s\n",
@@ -422,7 +422,11 @@
 #ifdef USE_RANDOM_DAEMON
   int last;
   
-  /* FIXME: This is not really thread safe. */
+  /* This is not really thread safe.  However it is expected that this
+     function is being called during initialization and at that point
+     we are for other reasons not really thread safe.  We do not want
+     to lock it because we might eventually decide that this function
+     may even be called prior to gcry_check_version.  */
   last = allow_daemon;
   if (onoff != -1)
     allow_daemon = onoff;

Modified: trunk/random/random-daemon.c
===================================================================
--- trunk/random/random-daemon.c	2008-08-27 13:19:27 UTC (rev 1308)
+++ trunk/random/random-daemon.c	2008-08-29 11:09:26 UTC (rev 1309)
@@ -90,7 +90,7 @@
   if (strlen (socketname) + 1 >= sizeof (srvr_addr->sun_path))
     {
       log_error ("socket name `%s' too long\n", socketname);
-      err = gcry_error (GPG_ERR_INTERNAL); /* FIXME? */
+      err = gcry_error (GPG_ERR_ENAMETOOLONG);
       goto out;
     }
   strcpy (srvr_addr->sun_path, socketname);
@@ -285,7 +285,7 @@
 	  break;
 	}
 
-      /*      if (1)*/			/* FIXME, verbose */
+      /*      if (1)*/			/* Do this in verbose mode? */
       /*	log_info ("received response with %d bytes of data\n", buf[1]);*/
 
       if (buf[1] < nbytes)

Modified: trunk/random/random-fips.c
===================================================================
--- trunk/random/random-fips.c	2008-08-27 13:19:27 UTC (rev 1308)
+++ trunk/random/random-fips.c	2008-08-29 11:09:26 UTC (rev 1309)
@@ -21,8 +21,36 @@
    The core of this deterministic random number generator is
    implemented according to the document "NIST-Recommended Random
    Number Generator Based on ANSI X9.31 Appendix A.2.4 Using the 3-Key
-   Triple DES and AES Algorithms" (2005-01-31).  This implementaion
+   Triple DES and AES Algorithms" (2005-01-31).  This implementation
    uses the AES variant.
+
+   There are 3 random context which map to the different levels of
+   random quality:
+
+   Generator                Seed and Key        Kernel entropy (init/reseed)
+   ------------------------------------------------------------
+   GCRY_VERY_STRONG_RANDOM  /dev/random         256/128 bits
+   GCRY_STRONG_RANDOM       /dev/random         256/128 bits
+   gcry_create_nonce        GCRY_STRONG_RANDOM  n/a
+
+   All random generators return their data in 128 bit blocks.  If the
+   caller requested less bits, the extra bits are not used.  The key
+   for each generator is only set once at the first time a generator
+   is used.  The seed value is set with the key and again after 1000
+   (SEED_TTL) output blocks.
+
+   The GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are
+   keyed and seeded from the /dev/random device.  Thus these
+   generators may block until the kernel has collected enough entropy.
+
+   The gcry_create_nonce generator is keyed and seeded from the
+   GCRY_STRONG_RANDOM generator.  It may also block if the
+   GCRY_STRONG_RANDOM generator has not yet been used before and thus
+   gets initialized on the first use by gcry_create_nonce.  This
+   special treatment is justified by the weaker requirements for a
+   nonce generator and to save precious kernel entropy for use by the
+   real random generators.
+
  */
 
 #include <config.h>
@@ -59,6 +87,11 @@
 static unsigned char *tempvalue_for_x931_aes_driver;
 
 
+/* After having retrieved this number of blocks from the RNG, we want
+   to do a reseeding.  */
+#define SEED_TTL 1000
+
+
 /* The length of the key we use:  16 bytes (128 bit) for AES128.  */
 #define X931_AES_KEYLEN  16
 /* A global buffer used to communicate between the x931_generate_key
@@ -83,10 +116,6 @@
      established.  */
   gcry_cipher_hd_t cipher_hd;
 
-  /* If this flag is true, this context requires strong entropy;
-     i.e. from /dev/random.  */
-  int need_strong_entropy:1;
-
   /* If this flag is true, the SEED_V buffer below carries a valid
      seed.  */
   int is_seeded:1;
@@ -96,6 +125,9 @@
      is available.  */
   int compare_value_valid:1;
 
+  /* A counter used to trigger re-seeding.  */
+  unsigned int use_counter;
+
   unsigned char guard_1[1];
 
   /* The buffer containing the seed value V.  */
@@ -140,7 +172,12 @@
 static rng_context_t strong_rng_context;
 
 
+/* --- Local prototypes ---  */
+static void x931_reseed (rng_context_t rng_ctx);
+static void get_random (void *buffer, size_t length, rng_context_t rng_ctx);
 
+
+
 
 /* --- Functions  --- */
 
@@ -412,6 +449,13 @@
 
   while (length)
     {
+      /* We require a new seed after some time.  */
+      if (rng_ctx->use_counter > SEED_TTL)
+        {
+          x931_reseed (rng_ctx);
+          rng_ctx->use_counter = 0;
+        }
+
       /* Due to the design of the RNG, we always receive 16 bytes (128
          bit) of random even if we require less.  The extra bytes
          returned are not used.  Intheory we could save them for the
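Review bot: The reseed test `rng_ctx->use_counter > SEED_TTL` is off by one against the documentation added in this commit, which says the seed is set again after 1000 (SEED_TTL) output blocks. The counter is incremented after each x931_aes call (next hunk), so it reaches 1001 before the test fires and 1001 blocks are produced per seed. Using `if (rng_ctx->use_counter >= SEED_TTL)` would match the documented limit. The loop body continues outside this hunk.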
@@ -423,6 +467,7 @@
       x931_aes (result_buffer,
                 datetime_DT, rng_ctx->seed_V, rng_ctx->cipher_hd,
                 intermediate_I, temp_buffer);
+      rng_ctx->use_counter++;
 
       /* Do a basic check on the output to avoid a stuck generator.  */
       if (!rng_ctx->compare_value_valid)
@@ -455,9 +500,9 @@
 
 
 /* Callback for x931_generate_key. Note that this callback uses the
-   global ENTROPY_COLLECT_BUFFER which has been setup by
-   x931_generate_key.  ORIGIN is not used but required due to the
-   emtropy gathering module. */
+   global ENTROPY_COLLECT_BUFFER which has been setup by get_entropy.
+   ORIGIN is not used but required due to the design of entropy
+   gathering module. */
 static void
 entropy_collect_cb (const void *buffer, size_t length,
                     enum random_origins origin)
@@ -476,15 +521,49 @@
     }
 }
 
+
+/* Get NBYTES of entropy from the kernel device.  The callers needs to
+   free the returned buffer.  The function either succeeds or
+   terminates the process in case of a fatal error. */
+static void *
+get_entropy (size_t nbytes)
+{
+#if USE_RNDLINUX
+  void *result;
+
+  gcry_assert (!entropy_collect_buffer);
+  entropy_collect_buffer = gcry_xmalloc_secure (nbytes);
+  entropy_collect_buffer_size = nbytes;
+  entropy_collect_buffer_len = 0;
+  if (_gcry_rndlinux_gather_random (entropy_collect_cb, 0,
+                                    X931_AES_KEYLEN,
+                                    GCRY_VERY_STRONG_RANDOM) < 0
+      || entropy_collect_buffer_len != entropy_collect_buffer_size)
+    {
+      gcry_free (entropy_collect_buffer);
+      entropy_collect_buffer = NULL;
+      log_fatal ("error getting entropy data\n");
+    }
+  result = entropy_collect_buffer;
+  entropy_collect_buffer = NULL;
+  return result;
+#else
+  log_fatal ("/dev/random support is not compiled in\n");
+  return NULL;  /* NOTREACHED */
+#endif
+}
+
+
 /* Generate a key for use with x931_aes.  The function returns a
    handle to the cipher context readily prepared for ECB encryption.
-   If VERY_STRONG is true the key is read from /dev/random, otherwise
-   from /dev/urandom.  On error NULL is returned.  */
+   If FOR_NONCE is true, the key is retrieved by readong random from
+   the standard generator.  On error NULL is returned.  */
 static gcry_cipher_hd_t
-x931_generate_key (int very_strong)
+x931_generate_key (int for_nonce)
 {
   gcry_cipher_hd_t hd;
   gpg_error_t err;
+  void *buffer;
 
   gcry_assert (fips_rng_is_locked);
 
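Review bot: get_entropy sizes its buffer from NBYTES but passes the constant `X931_AES_KEYLEN` as the length to `_gcry_rndlinux_gather_random`, so the amount requested from the kernel does not follow the argument. While every caller asks for exactly X931_AES_KEYLEN bytes this is harmless, but any other size would presumably fail the `entropy_collect_buffer_len != entropy_collect_buffer_size` check and end in log_fatal (the callback body is only partly visible here). Passing the parameter through keeps the function honest to its comment: `if (_gcry_rndlinux_gather_random (entropy_collect_cb, 0, nbytes, GCRY_VERY_STRONG_RANDOM) < 0`. The body of x931_generate_key continues outside this hunk.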
@@ -498,34 +577,22 @@
       return NULL;
     }
 
-  /* Get a key from the entropy source.  */
-#if USE_RNDLINUX
-  gcry_assert (!entropy_collect_buffer);
-  entropy_collect_buffer = gcry_xmalloc_secure (X931_AES_KEYLEN);
-  entropy_collect_buffer_size = X931_AES_KEYLEN;
-  entropy_collect_buffer_len = 0;
-  if (_gcry_rndlinux_gather_random (entropy_collect_cb, 0, X931_AES_KEYLEN,



