mgf1: Refactored MGF1 as an XOF
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 20 Sep 2016 20:01:07 +0000 (22:01 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 21 Sep 2016 04:40:52 +0000 (06:40 +0200)
61 files changed:
configure.ac
src/libstrongswan/Makefile.am
src/libstrongswan/crypto/mgf1/mgf1.c [deleted file]
src/libstrongswan/crypto/mgf1/mgf1.h [deleted file]
src/libstrongswan/crypto/mgf1/mgf1_bitspender.c [deleted file]
src/libstrongswan/crypto/mgf1/mgf1_bitspender.h [deleted file]
src/libstrongswan/crypto/xofs/mgf1.h [new file with mode: 0644]
src/libstrongswan/crypto/xofs/xof.c
src/libstrongswan/crypto/xofs/xof.h
src/libstrongswan/crypto/xofs/xof_bitspender.c [new file with mode: 0644]
src/libstrongswan/crypto/xofs/xof_bitspender.h [new file with mode: 0644]
src/libstrongswan/plugins/bliss/bliss_private_key.c
src/libstrongswan/plugins/bliss/bliss_public_key.c
src/libstrongswan/plugins/bliss/bliss_sampler.c
src/libstrongswan/plugins/bliss/bliss_sampler.h
src/libstrongswan/plugins/bliss/bliss_utils.c
src/libstrongswan/plugins/bliss/bliss_utils.h
src/libstrongswan/plugins/chapoly/chapoly_xof.c
src/libstrongswan/plugins/mgf1/Makefile.am [new file with mode: 0644]
src/libstrongswan/plugins/mgf1/mgf1_plugin.c [new file with mode: 0644]
src/libstrongswan/plugins/mgf1/mgf1_plugin.h [new file with mode: 0644]
src/libstrongswan/plugins/mgf1/mgf1_xof.c [new file with mode: 0644]
src/libstrongswan/plugins/mgf1/mgf1_xof.h [new file with mode: 0644]
src/libstrongswan/plugins/ntru/ntru_poly.c
src/libstrongswan/plugins/ntru/ntru_poly.h
src/libstrongswan/plugins/ntru/ntru_private_key.c
src/libstrongswan/plugins/ntru/ntru_public_key.c
src/libstrongswan/plugins/ntru/ntru_trits.c
src/libstrongswan/plugins/ntru/ntru_trits.h
src/libstrongswan/plugins/sha3/sha3_shake.c
src/libstrongswan/tests/suites/test_mgf1.c
src/libstrongswan/tests/suites/test_ntru.c
testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf
testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf
testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf
testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf
testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf
testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf
testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf
testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf
testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf

index 3ac4572..9b65fd9 100644 (file)
@@ -149,6 +149,7 @@ ARG_DISBL_SET([sha1],           [disable SHA1 software implementation plugin.])
 ARG_DISBL_SET([sha2],           [disable SHA256/SHA384/SHA512 software implementation plugin.])
 ARG_ENABL_SET([sha3],           [enable SHA3_224/SHA3_256/SHA3_384/SHA3_512 software implementation plugin.])
 ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
+ARG_ENABL_SET([mgf1],           [enables the MGF1 software implementation plugin.])
 # encoding/decoding plugins
 ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
 ARG_DISBL_SET([pem],            [disable PEM decoding plugin.])
@@ -465,6 +466,10 @@ if test x$aikpub2 = xtrue; then
        tss_tss2=true
 fi
 
+if test x$ntru = xtrue -o x$bliss = xtrue; then
+       mgf1=true
+fi
+
 # ===========================================
 #  check required libraries and header files
 # ===========================================
@@ -1327,6 +1332,7 @@ ADD_PLUGIN([sha3],                 [s charon scepclient pki scripts medsrv attes
 ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([md4],                  [s charon scepclient pki nm cmd])
 ADD_PLUGIN([md5],                  [s charon scepclient pki scripts attest nm cmd aikgen])
+ADD_PLUGIN([mgf1],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([rdrand],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([random],               [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([nonce],                [s charon nm cmd aikgen])
@@ -1482,6 +1488,7 @@ AM_CONDITIONAL(USE_MD5, test x$md5 = xtrue)
 AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue)
 AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue)
 AM_CONDITIONAL(USE_SHA3, test x$sha3 = xtrue)
+AM_CONDITIONAL(USE_MGF1, test x$mgf1 = xtrue)
 AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
 AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
 AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
@@ -1738,6 +1745,7 @@ AC_CONFIG_FILES([
        src/libstrongswan/plugins/sha1/Makefile
        src/libstrongswan/plugins/sha2/Makefile
        src/libstrongswan/plugins/sha3/Makefile
+       src/libstrongswan/plugins/mgf1/Makefile
        src/libstrongswan/plugins/fips_prf/Makefile
        src/libstrongswan/plugins/gmp/Makefile
        src/libstrongswan/plugins/rdrand/Makefile
index c9bcaa7..52ae7c6 100644 (file)
@@ -14,8 +14,7 @@ crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
 crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
 crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \
 crypto/iv/iv_gen_null.c \
-crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
-crypto/xofs/xof.c \
+crypto/xofs/xof.c crypto/xofs/xof_bitspender.c \
 credentials/credential_factory.c credentials/builder.c \
 credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
@@ -76,8 +75,7 @@ crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
 crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
 crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
 crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h crypto/iv/iv_gen_null.h \
-crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \
-crypto/xofs/xof.h \
+crypto/xofs/xof.h crypto/xofs/xof_bitspender.h crypto/xofs/mgf1.h \
 credentials/credential_factory.h credentials/builder.h \
 credentials/cred_encoding.h credentials/keys/private_key.h \
 credentials/keys/public_key.h credentials/keys/shared_key.h \
@@ -588,6 +586,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_MGF1
+  SUBDIRS += plugins/mgf1
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/mgf1/libstrongswan-mgf1.la
+endif
+endif
+
 if USE_NTRU
   SUBDIRS += plugins/ntru
 if MONOLITHIC
diff --git a/src/libstrongswan/crypto/mgf1/mgf1.c b/src/libstrongswan/crypto/mgf1/mgf1.c
deleted file mode 100644 (file)
index 5116dfe..0000000
+++ /dev/null
@@ -1,180 +0,0 @@
-/*
- * Copyright (C) 2013-2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "mgf1.h"
-
-#include "crypto/hashers/hasher.h"
-#include "utils/debug.h"
-#include "utils/test.h"
-
-typedef struct private_mgf1_t private_mgf1_t;
-
-/**
- * Private data of an mgf1_t object.
- */
-struct private_mgf1_t {
-
-       /**
-        * Public mgf1_t interface.
-        */
-       mgf1_t public;
-
-       /**
-        * Hasher the MGF1 Mask Generation Function is based on
-        */
-       hasher_t *hasher;
-
-       /**
-        * Counter
-        */
-       uint32_t counter;
-
-       /**
-        * Set if counter has reached 2^32
-        */
-       bool overflow;
-
-       /**
-        * Current state to be hashed
-        */
-       chunk_t state;
-
-       /**
-        * Position of the 4 octet counter string
-        */
-       u_char *ctr_str;
-
-};
-
-METHOD(mgf1_t, get_hash_size, size_t,
-       private_mgf1_t *this)
-{
-       return this->hasher->get_hash_size(this->hasher);
-}
-
-METHOD(mgf1_t, get_mask, bool,
-       private_mgf1_t *this, size_t mask_len, u_char *mask)
-{
-       u_char buf[HASH_SIZE_SHA512];
-       size_t hash_len;
-
-       hash_len = this->hasher->get_hash_size(this->hasher);
-
-       while (mask_len > 0)
-       {
-               /* detect overflow, set counter string and increment counter */
-               if (this->overflow)
-               {
-                       return FALSE;
-               }
-               htoun32(this->ctr_str, this->counter++);
-               if (this->counter == 0)
-               {
-                       this->overflow = TRUE;
-               }
-
-               /* get the next or final mask block from the hash function */
-               if (!this->hasher->get_hash(this->hasher, this->state,
-                                                                  (mask_len < hash_len) ? buf : mask))
-               {
-                       return FALSE;
-               }
-               if (mask_len < hash_len)
-               {
-                       memcpy(mask, buf, mask_len);
-                       return TRUE;
-               }
-               mask_len -= hash_len;
-               mask += hash_len;
-       }
-       return TRUE;
-}
-
-METHOD(mgf1_t, allocate_mask, bool,
-       private_mgf1_t *this, size_t mask_len, chunk_t *mask)
-{
-       if (mask_len == 0)
-       {
-               *mask = chunk_empty;
-               return TRUE;
-       }
-       *mask = chunk_alloc(mask_len);
-
-       return get_mask(this, mask_len, mask->ptr);
-}
-
-METHOD(mgf1_t, destroy, void,
-       private_mgf1_t *this)
-{
-       this->hasher->destroy(this->hasher);
-       chunk_clear(&this->state);
-       free(this);
-}
-
-/*
- * Described in header.
- */
-mgf1_t *mgf1_create(hash_algorithm_t alg, chunk_t seed,
-                                                         bool hash_seed)
-{
-       private_mgf1_t *this;
-       hasher_t *hasher;
-       size_t state_len;
-
-       if (seed.len == 0)
-       {
-               DBG1(DBG_LIB, "empty seed for MGF1");
-               return NULL;
-       }
-
-       hasher = lib->crypto->create_hasher(lib->crypto, alg);
-       if (!hasher)
-       {
-               DBG1(DBG_LIB, "failed to create %N hasher for MGF1",
-                        hash_algorithm_names, alg);
-               return NULL;
-       }
-       state_len = (hash_seed ? hasher->get_hash_size(hasher) : seed.len) + 4;
-       
-       INIT(this,
-               .public = {
-                       .get_hash_size = _get_hash_size,
-                       .allocate_mask = _allocate_mask,
-                       .get_mask = _get_mask,
-                       .destroy = _destroy,
-               },
-               .hasher = hasher,
-               .state = chunk_alloc(state_len),
-       );
-
-       /* determine position of the 4 octet counter string */
-       this->ctr_str = this->state.ptr + state_len - 4;
-
-       if (hash_seed)
-       {
-               if (!hasher->get_hash(hasher, seed, this->state.ptr))
-               {
-                       DBG1(DBG_LIB, "failed to hash seed for MGF1");
-                       destroy(this);
-                       return NULL;
-               }
-       }
-       else
-       {
-               memcpy(this->state.ptr, seed.ptr, seed.len);
-       }
-
-       return &this->public;
-}
diff --git a/src/libstrongswan/crypto/mgf1/mgf1.h b/src/libstrongswan/crypto/mgf1/mgf1.h
deleted file mode 100644 (file)
index 592d315..0000000
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (C) 2013-2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup mgf1 mgf1
- * @{ @ingroup crypto
- */
-
-#ifndef MGF1_H_
-#define MGF1_H_
-
-typedef struct mgf1_t mgf1_t;
-
-#include <library.h>
-
-/**
- * Implements the PKCS#1 MGF1 Mask Generation Function based on a hash function
- * defined in section 10.2.1 of RFC 2437
- */
-struct mgf1_t {
-
-       /**
-        * Get the hash size of the underlying hash function
-        *
-        * @return                      hash size in bytes
-        */
-       size_t (*get_hash_size)(mgf1_t *this);
-
-       /**
-        * Generate a mask pattern and copy it to an output buffer
-        * If the maximum number of requests has been reached, reseeding occurs
-        *
-        * @param mask_len      number of mask bytes to generate
-        * @param mask          output buffer of minimum size mask_len
-        * @return                      TRUE if successful
-        */
-       bool (*get_mask)(mgf1_t *this, size_t mask_len, u_char *mask);
-
-       /**
-        * Generate a mask pattern and return it in an allocated chunk
-        *
-        * @param mask_len      number of mask bytes to generate
-        * @param mask          chunk containing generated mask
-        * @return                      TRUE if successful
-        */
-       bool (*allocate_mask)(mgf1_t *this, size_t mask_len, chunk_t *mask);
-
-       /**
-        * Destroy the MGF1 object
-        */
-       void (*destroy)(mgf1_t *this);
-};
-
-/**
- * Create an MGF1 object
- *
- * @param alg                  hash algorithm to be used by MGF1
- * @param seed                 seed used by MGF1 to generate mask from
- * @param hash_seed            hash seed before using it as a seed for MGF1
- */
-mgf1_t *mgf1_create(hash_algorithm_t alg, chunk_t seed,
-                                                         bool hash_seed);
-
-#endif /** MGF1_H_ @}*/
-
diff --git a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c
deleted file mode 100644 (file)
index ef0a2bd..0000000
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- * Copyright (C) 2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "mgf1_bitspender.h"
-
-#include <crypto/mgf1/mgf1.h>
-
-typedef struct private_mgf1_bitspender_t private_mgf1_bitspender_t;
-
-/**
- * Private data structure for mgf1_bitspender_t object
- */
-struct private_mgf1_bitspender_t {
-       /**
-        * Public interface.
-        */
-       mgf1_bitspender_t public;
-
-       /**
-        * MGF1 bit mask generator
-        */
-       mgf1_t *mgf1;
-
-       /**
-        * Octet storage (accommodates up to 64 octets)
-        */
-       uint8_t octets[HASH_SIZE_SHA512];
-
-       /**
-        * Length of the returned hash value in octets
-        */
-       int hash_len;
-
-       /**
-        * Number of generated octets
-        */
-       int octets_count;
-
-       /**
-        * Number of available octets
-        */
-       int octets_left;
-
-       /**
-        * Bit storage (accommodates up to 32 bits)
-        */
-       uint32_t bits;
-
-       /**
-        * Number of available bits
-        */
-       int bits_left;
-
-       /**
-        * Byte storage (accommodates up to 4 bytes)
-        */
-       uint8_t bytes[4];
-
-       /**
-        * Number of available bytes
-        */
-       int bytes_left;
-
-};
-
-METHOD(mgf1_bitspender_t, get_bits, bool,
-       private_mgf1_bitspender_t *this, int bits_needed, uint32_t *bits)
-{
-       int bits_now;
-
-       *bits = 0x00000000;
-
-       if (bits_needed == 0)
-       {
-               /* trivial */
-               return TRUE;
-       }
-       if (bits_needed > 32)
-       {
-               /* too many bits requested */
-               return FALSE;
-       }
-
-       while (bits_needed)
-       {
-               if (this->bits_left == 0)
-               {
-                       if (this->octets_left == 0)
-                       {
-                               /* get another block from MGF1 */
-                               if (!this->mgf1->get_mask(this->mgf1, this->hash_len,
-                                                                                                         this->octets))
-                               {
-                                       /* no block available */
-                                       return FALSE;
-                               }
-                               this->octets_left = this->hash_len;
-                               this->octets_count += this->hash_len;
-                       }
-                       this->bits = untoh32(this->octets + this->hash_len -
-                                                                                               this->octets_left);
-                       this->bits_left = 32;
-                       this->octets_left -= 4;
-               }
-               if (bits_needed > this->bits_left)
-               {
-                       bits_now = this->bits_left;
-                       this->bits_left = 0;
-                       bits_needed -= bits_now;
-               }
-               else
-               {
-                       bits_now = bits_needed;
-                       this->bits_left -= bits_needed;
-                       bits_needed = 0;
-               }
-               if (bits_now == 32)
-               {
-                       *bits = this->bits;
-               }
-               else
-               {
-                       *bits <<= bits_now;
-                       *bits |= this->bits >> this->bits_left;
-                       if (this->bits_left)
-                       {
-                               this->bits &= 0xffffffff >> (32 - this->bits_left);
-                       }
-               }
-       }
-       return TRUE;
-}
-
-METHOD(mgf1_bitspender_t, get_byte, bool,
-       private_mgf1_bitspender_t *this, uint8_t *byte)
-{
-       if (this->bytes_left == 0)
-       {
-               if (this->octets_left == 0)
-               {
-                       /* get another block from MGF1 */
-                       if (!this->mgf1->get_mask(this->mgf1, this->hash_len, this->octets))
-                       {
-                               /* no block available */
-                               return FALSE;
-                       }
-                       this->octets_left = this->hash_len;
-                       this->octets_count += this->hash_len;
-               }
-               memcpy(this->bytes, this->octets + this->hash_len -     this->octets_left, 4);
-               this->bytes_left = 4;
-               this->octets_left -= 4;
-       }
-       *byte = this->bytes[4 - this->bytes_left--];
-
-       return TRUE;
-}
-
-METHOD(mgf1_bitspender_t, destroy, void,
-       private_mgf1_bitspender_t *this)
-{
-       DBG2(DBG_LIB, "mgf1 generated %u octets", this->octets_count);
-       memwipe(this->octets, sizeof(this->octets));
-       this->mgf1->destroy(this->mgf1);
-       free(this);
-}
-
-/**
- * See header.
- */
-mgf1_bitspender_t *mgf1_bitspender_create(hash_algorithm_t alg, chunk_t seed,
-                                                                                 bool hash_seed)
-{
-       private_mgf1_bitspender_t *this;
-       mgf1_t *mgf1;
-
-       mgf1 = mgf1_create(alg, seed, hash_seed);
-       if (!mgf1)
-       {
-           return NULL;
-       }
-       DBG2(DBG_LIB, "mgf1 based on %N is seeded with %u octets",
-                                  hash_algorithm_short_names, alg, seed.len);
-
-       INIT(this,
-               .public = {
-                       .get_bits = _get_bits,
-                       .get_byte = _get_byte,
-                       .destroy = _destroy,
-               },
-               .mgf1 = mgf1,
-               .hash_len = mgf1->get_hash_size(mgf1),
-       );
-
-       return &this->public;
-}
diff --git a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h
deleted file mode 100644 (file)
index f7df8e8..0000000
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup mgf1_bitspender mgf1_bitspender
- * @{ @ingroup mgf1
- */
-
-#ifndef MGF1_BITSPENDER_H_
-#define MGF1_BITSPENDER_H_
-
-#include <library.h>
-#include <crypto/hashers/hasher.h>
-
-typedef struct mgf1_bitspender_t mgf1_bitspender_t;
-
-/**
- * Generates a given number of pseudo-random bits at a time using MGF1
- */
-struct mgf1_bitspender_t {
-
-       /**
-        * Get pseudo-random bits
-        *
-        * @param bits_needed   Number of needed bits (1..32)
-        * @param bits                  Pseudo-random bits
-        * @result                              FALSE if internal MGF1 error occurred
-        */
-       bool (*get_bits)(mgf1_bitspender_t *this, int bits_needed, uint32_t *bits);
-
-       /**
-        * Get a pseudo-random byte
-        *
-        * @param byte                  Pseudo-random byte
-        * @result                              FALSE if internal MGF1 error occurred
-        */
-       bool (*get_byte)(mgf1_bitspender_t *this, uint8_t *byte);
-
-       /**
-        * Destroy mgf1_bitspender_t object
-        */
-       void (*destroy)(mgf1_bitspender_t *this);
-};
-
-/**
- * Create a mgf1_bitspender_t object
- *
- * @param alg                          Hash algorithm to be used with MGF1
- * @param seed                         Seed used to initialize MGF1
- * @param hash_seed                    Hash seed before using it as a seed for MFG1
- */
-mgf1_bitspender_t *mgf1_bitspender_create(hash_algorithm_t alg, chunk_t seed,
-                                                                                 bool hash_seed);
-
-#endif /** MGF1_BITSPENDER_H_ @}*/
diff --git a/src/libstrongswan/crypto/xofs/mgf1.h b/src/libstrongswan/crypto/xofs/mgf1.h
new file mode 100644 (file)
index 0000000..5ad3a51
--- /dev/null
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mgf1 mgf1
+ * @{ @ingroup crypto
+ */
+
+#ifndef MGF1_H_
+#define MGF1_H_
+
+typedef struct mgf1_t mgf1_t;
+
+#include "xof.h"
+
+/**
+ * Implements the PKCS#1 MGF1 Mask Generation Function based on a hash function
+ * defined in section 10.2.1 of RFC 2437
+ */
+struct mgf1_t {
+
+       /**
+        * Generic xof_t interface for this Extended Output Function (XOF).
+        */
+       xof_t xof_interface;
+
+       /**
+        * Hash the seed before using it as a seed for MGF1
+        * 
+        * @param yes           TRUE if seed has to be hashed first
+        */
+       void (*set_hash_seed)(mgf1_t *this, bool yes);
+};
+
+#endif /** MGF1_H_ @}*/
index 3c5b5d6..1e9c283 100644 (file)
 
 ENUM(ext_out_function_names, XOF_UNDEFINED, XOF_CHACHA20,
        "XOF_UNDEFINED",
-       "XOF_SHAKE128",
-       "XOF_SHAKE256",
        "XOF_MGF1_SHA1",
        "XOF_MGF1_SHA256",
        "XOF_MGF1_SHA512",
+       "XOF_SHAKE128",
+       "XOF_SHAKE256",
        "XOF_CHACHA20"
 );
 
index e8acda3..8c9ae01 100644 (file)
@@ -31,16 +31,16 @@ typedef struct xof_t xof_t;
  */
 enum ext_out_function_t {
        XOF_UNDEFINED,
-       /** FIPS 202 */
-       XOF_SHAKE_128,
-       /** FIPS 202 */
-       XOF_SHAKE_256,
        /** RFC 2437 PKCS#1 */
        XOF_MGF1_SHA1,
        /** RFC 2437 PKCS#1 */
        XOF_MGF1_SHA256,
        /** RFC 2437 PKCS#1 */
        XOF_MGF1_SHA512,
+       /** FIPS 202 */
+       XOF_SHAKE_128,
+       /** FIPS 202 */
+       XOF_SHAKE_256,
        /** RFC 7539 ChaCha20 */
        XOF_CHACHA20,
 };
@@ -51,11 +51,18 @@ enum ext_out_function_t {
 extern enum_name_t *ext_out_function_names;
 
 /**
- * Generic interface for pseudo-random-functions.
+ * Generic interface for Extended Output Function (XOF)
  */
 struct xof_t {
 
        /**
+        * Return the type of the Extended Output Function
+        *
+        * @return                      XOF type
+        */
+       ext_out_function_t (*get_type)(xof_t *this);
+
+       /**
         * Generates pseudo random bytes and writes them in the buffer.
         *
         * @param out_len       number of output bytes requested
diff --git a/src/libstrongswan/crypto/xofs/xof_bitspender.c b/src/libstrongswan/crypto/xofs/xof_bitspender.c
new file mode 100644 (file)
index 0000000..f18b806
--- /dev/null
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2014-2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xof_bitspender.h"
+#include "mgf1.h"
+
+typedef struct private_xof_bitspender_t private_xof_bitspender_t;
+
+/**
+ * Private data structure for xof_bitspender_t object
+ */
+struct private_xof_bitspender_t {
+       /**
+        * Public interface.
+        */
+       xof_bitspender_t public;
+
+       /**
+        * Extended Output Function (XOF)
+        */
+       xof_t *xof;
+
+       /**
+        * Length of the returned hash value in octets
+        */
+       int hash_len;
+
+       /**
+        * Bit storage (accommodates up to 32 bits)
+        */
+       uint32_t bits;
+
+       /**
+        * Number of available bits
+        */
+       int bits_left;
+
+       /**
+        * Byte storage (accommodates up to 4 bytes)
+        */
+       uint8_t bytes[4];
+
+       /**
+        * Number of available bytes
+        */
+       int bytes_left;
+
+       /**
+        * Number of octets spent
+        */
+       int octet_count;
+
+};
+
+static bool get_next_block(private_xof_bitspender_t *this, uint8_t *buffer)
+{
+       if (!this->xof->get_bytes(this->xof, 4, buffer))
+       {
+               /* no block available */
+               return FALSE;
+       }
+       this->octet_count += 4;
+
+       return TRUE;
+}
+
+METHOD(xof_bitspender_t, get_bits, bool,
+       private_xof_bitspender_t *this, int bits_needed, uint32_t *bits)
+{
+       int bits_now;
+
+       *bits = 0x00000000;
+
+       if (bits_needed == 0)
+       {
+               /* trivial */
+               return TRUE;
+       }
+       if (bits_needed > 32)
+       {
+               /* too many bits requested */
+               return FALSE;
+       }
+
+       while (bits_needed)
+       {
+               if (this->bits_left == 0)
+               {
+                       uint8_t buf[4];
+
+                       if (!get_next_block(this, buf))
+                       {
+                               return FALSE;
+                       }
+                       this->bits = untoh32(buf);
+                       this->bits_left = 32;
+               }
+               if (bits_needed > this->bits_left)
+               {
+                       bits_now = this->bits_left;
+                       this->bits_left = 0;
+                       bits_needed -= bits_now;
+               }
+               else
+               {
+                       bits_now = bits_needed;
+                       this->bits_left -= bits_needed;
+                       bits_needed = 0;
+               }
+               if (bits_now == 32)
+               {
+                       *bits = this->bits;
+               }
+               else
+               {
+                       *bits <<= bits_now;
+                       *bits |= this->bits >> this->bits_left;
+                       if (this->bits_left)
+                       {
+                               this->bits &= 0xffffffff >> (32 - this->bits_left);
+                       }
+               }
+       }
+
+       return TRUE;
+}
+
+METHOD(xof_bitspender_t, get_byte, bool,
+       private_xof_bitspender_t *this, uint8_t *byte)
+{
+       if (this->bytes_left == 0)
+       {
+               if (!get_next_block(this, this->bytes))
+               {
+                       return FALSE;
+               }
+               this->bytes_left = 4;
+       }
+       *byte = this->bytes[4 - this->bytes_left--];
+
+       return TRUE;
+}
+
+METHOD(xof_bitspender_t, destroy, void,
+       private_xof_bitspender_t *this)
+{
+       DBG2(DBG_LIB, "%N generated %u octets", ext_out_function_names,
+                                  this->xof->get_type(this->xof), this->octet_count);
+       memwipe(this->bytes, 4);
+       this->xof->destroy(this->xof);
+       free(this);
+}
+
+/**
+ * See header.
+ */
+xof_bitspender_t *xof_bitspender_create(ext_out_function_t alg, chunk_t seed,
+                                                                               bool hash_seed)
+{
+       private_xof_bitspender_t *this;
+       xof_t *xof;
+
+       xof = lib->crypto->create_xof(lib->crypto, alg);
+       if (!xof)
+       {
+               return NULL;
+       }
+
+       switch (alg)
+       {
+               case XOF_MGF1_SHA1:
+               case XOF_MGF1_SHA256:
+               case XOF_MGF1_SHA512:
+               {
+                       mgf1_t *mgf1 = (mgf1_t*)xof;
+
+                       mgf1->set_hash_seed(mgf1, hash_seed);
+                       break;
+               }
+               default:
+                       break;
+       }
+       if (!xof->set_seed(xof, seed))
+       {
+               xof->destroy(xof);
+               return NULL;
+       }
+       DBG2(DBG_LIB, "%N is seeded with %u octets", ext_out_function_names,
+                                  alg, seed.len);
+
+       INIT(this,
+               .public = {
+                       .get_bits = _get_bits,
+                       .get_byte = _get_byte,
+                       .destroy = _destroy,
+               },
+               .xof = xof,
+       );
+
+       return &this->public;
+}
diff --git a/src/libstrongswan/crypto/xofs/xof_bitspender.h b/src/libstrongswan/crypto/xofs/xof_bitspender.h
new file mode 100644 (file)
index 0000000..f422079
--- /dev/null
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2014-2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xof_bitspender xof_bitspender
+ * @{ @ingroup mgf1
+ */
+
+#ifndef XOF_BITSPENDER_H_
+#define XOF_BITSPENDER_H_
+
+#include "xof.h"
+
+#include <library.h>
+
+typedef struct xof_bitspender_t xof_bitspender_t;
+
+/**
+ * Generates a given number of pseudo-random bits at a time using an
+ * Extended Output Function (XOF)
+ */
+struct xof_bitspender_t {
+
+       /**
+        * Get pseudo-random bits
+        *
+        * @param bits_needed   Number of needed bits (1..32)
+        * @param bits                  Pseudo-random bits
+        * @result                              FALSE if internal MGF1 error occurred
+        */
+       bool (*get_bits)(xof_bitspender_t *this, int bits_needed, uint32_t *bits);
+
+       /**
+        * Get a pseudo-random byte
+        *
+        * @param byte                  Pseudo-random byte
+        * @result                              FALSE if internal MGF1 error occurred
+        */
+       bool (*get_byte)(xof_bitspender_t *this, uint8_t *byte);
+
+       /**
+        * Destroy xof_bitspender_t object
+        */
+       void (*destroy)(xof_bitspender_t *this);
+};
+
+/**
+ * Create a xof_bitspender_t object
+ *
+ * @param alg                          XOF to be used
+ * @param seed                         Seed used to initialize XOF
+ * @param hash_seed                    Hash seed before using it as a seed for MFG1
+ */
+xof_bitspender_t *xof_bitspender_create(ext_out_function_t alg, chunk_t seed,
+                                                                               bool hash_seed);
+
+#endif /** XOF_BITSPENDER_H_ @}*/
index 5ec4937..0479f0f 100644 (file)
@@ -23,7 +23,7 @@
 #include "ntt_fft.h"
 #include "ntt_fft_reduce.h"
 
-#include <crypto/mgf1/mgf1_bitspender.h>
+#include <crypto/xofs/xof_bitspender.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <asn1/oid.h>
@@ -174,7 +174,8 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
        bliss_sampler_t *sampler = NULL;
        rng_t *rng;
        hasher_t *hasher;
-       hash_algorithm_t mgf1_alg, oracle_alg;
+       hash_algorithm_t mgf1_alg;
+       ext_out_function_t oracle_alg;
        size_t mgf1_seed_len;
        uint8_t mgf1_seed_buf[HASH_SIZE_SHA512], data_hash_buf[HASH_SIZE_SHA512];
        chunk_t mgf1_seed, data_hash;
@@ -226,7 +227,7 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
        }
 
        /* MGF1 hash algorithm to be used for random oracle */
-       oracle_alg = HASH_SHA512;
+       oracle_alg = XOF_MGF1_SHA512;
 
        /* Initialize a couple of needed variables */
        n  = this->set->n;
@@ -834,14 +835,14 @@ static uint32_t invert(private_bliss_private_key_t *this, uint32_t x)
  * Create a vector with sparse and small coefficients from seed
  */
 static int8_t* create_vector_from_seed(private_bliss_private_key_t *this,
-                                                                          hash_algorithm_t alg, chunk_t seed)
+                                                                          ext_out_function_t alg, chunk_t seed)
 {
-       mgf1_bitspender_t *bitspender;
+       xof_bitspender_t *bitspender;
        uint32_t index, sign;
        int8_t *vector;
        int non_zero;
 
-       bitspender = mgf1_bitspender_create(alg, seed, FALSE);
+       bitspender = xof_bitspender_create(alg, seed, FALSE);
        if (!bitspender)
        {
            return NULL;
@@ -910,7 +911,7 @@ static bool create_secret(private_bliss_private_key_t *this, rng_t *rng,
        int i, n;
        chunk_t seed;
        size_t seed_len;
-       hash_algorithm_t alg;
+       ext_out_function_t alg;
 
        n = this->set->n;
        *s1 = NULL;
@@ -919,12 +920,12 @@ static bool create_secret(private_bliss_private_key_t *this, rng_t *rng,
        /* Set MGF1 hash algorithm and seed length based on security strength */
        if (this->set->strength > 160)
        {
-               alg = HASH_SHA256;
+               alg = XOF_MGF1_SHA256;
                seed_len = HASH_SIZE_SHA256;
        }
        else
        {
-               alg = HASH_SHA1;
+               alg = XOF_MGF1_SHA1;
                seed_len = HASH_SIZE_SHA1;
        }
        seed = chunk_create(seed_buf, seed_len);
index 0ef87e2..f7ddbbf 100644 (file)
@@ -76,7 +76,7 @@ static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg,
        uint8_t data_hash_buf[HASH_SIZE_SHA512];
        chunk_t data_hash;
        hasher_t *hasher;
-       hash_algorithm_t oracle_alg;
+       ext_out_function_t oracle_alg;
        ntt_fft_t *fft;
        bliss_signature_t *sig;
        bool success = FALSE;
@@ -110,7 +110,7 @@ static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg,
        }
 
        /* MGF1 hash algorithm to be used for random oracle */
-       oracle_alg = HASH_SHA512;
+       oracle_alg = XOF_MGF1_SHA512;
 
        /* Initialize a couple of needed variables */
        n  = this->set->n;
index 717c15f..fb29d66 100644 (file)
@@ -17,7 +17,7 @@
 
 typedef struct private_bliss_sampler_t private_bliss_sampler_t;
 
-#include <crypto/mgf1/mgf1_bitspender.h>
+#include <crypto/xofs/xof_bitspender.h>
 
 /**
  * Private data of a bliss_sampler_t object.
@@ -37,7 +37,7 @@ struct private_bliss_sampler_t {
        /**
         * Bitspender used for random rejection sampling
         */
-       mgf1_bitspender_t *bitspender;
+       xof_bitspender_t *bitspender;
 
 };
 
@@ -222,13 +222,13 @@ METHOD(bliss_sampler_t, destroy, void,
 /**
  * See header.
  */
-bliss_sampler_t *bliss_sampler_create(hash_algorithm_t alg, chunk_t seed,
+bliss_sampler_t *bliss_sampler_create(ext_out_function_t alg, chunk_t seed,
                                                                          const bliss_param_set_t *set)
 {
        private_bliss_sampler_t *this;
-       mgf1_bitspender_t *bitspender;
+       xof_bitspender_t *bitspender;
 
-       bitspender = mgf1_bitspender_create(alg, seed, FALSE);
+       bitspender = xof_bitspender_create(alg, seed, FALSE);
        if (!bitspender)
        {
                return NULL;
index 22562b2..3e6d3d0 100644 (file)
@@ -84,11 +84,11 @@ struct bliss_sampler_t {
 /**
  * Create a bliss_sampler_t object.
  *
- * @param alg          Hash algorithm to be used for the internal bitspender
+ * @param alg          XOF to be used for the internal bitspender
  * @param seed         Seed used to initialize the internal bitspender
  * @param set          BLISS parameter set to be used
  */
-bliss_sampler_t *bliss_sampler_create(hash_algorithm_t alg, chunk_t seed,
+bliss_sampler_t *bliss_sampler_create(ext_out_function_t alg, chunk_t seed,
                                                                          const bliss_param_set_t *set);
 
 #endif /** BLISS_SAMPLER_H_ @}*/
index 01b8af3..5baa1f8 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -17,7 +17,7 @@
 
 #include <asn1/asn1.h>
 #include <crypto/hashers/hasher.h>
-#include <crypto/mgf1/mgf1_bitspender.h>
+#include <crypto/xofs/xof_bitspender.h>
 #include <utils/debug.h>
 
 /**
@@ -56,7 +56,7 @@ void bliss_utils_round_and_drop(const bliss_param_set_t *set,
 /**
  * See header.
  */
-bool bliss_utils_generate_c(hash_algorithm_t alg, chunk_t data_hash,
+bool bliss_utils_generate_c(ext_out_function_t alg, chunk_t data_hash,
                                                        uint16_t *ud, const bliss_param_set_t *set,
                                                        uint16_t *c_indices)
 {
@@ -65,7 +65,7 @@ bool bliss_utils_generate_c(hash_algorithm_t alg, chunk_t data_hash,
        uint32_t index;
        uint8_t *seed_pos;
        chunk_t seed;
-       mgf1_bitspender_t *bitspender;
+       xof_bitspender_t *bitspender;
 
        seed = chunk_alloca(data_hash.len + set->n * sizeof(uint16_t));
 
@@ -80,7 +80,7 @@ bool bliss_utils_generate_c(hash_algorithm_t alg, chunk_t data_hash,
                seed_pos += sizeof(uint16_t);
        }
 
-       bitspender = mgf1_bitspender_create(alg, seed, FALSE);
+       bitspender = xof_bitspender_create(alg, seed, FALSE);
        if (!bitspender)
        {
            return NULL;
index 15c5671..bfaf3c4 100644 (file)
@@ -48,23 +48,23 @@ void bliss_utils_round_and_drop(const bliss_param_set_t *set,
 /**
  * Generate the binary challenge vector c as an array of kappa indices
  *
- * @param alg          hash algorithm to be used for the internal oracle
- * @param data_hash    hash of the data to be signed
- * @param ud           input vector ud of size n
- * @param set          BLISS parameter set to be used (n, n_bits, kappa)
- * @param c_indices    indexes of non-zero challenge coefficients
+ * @param alg                  XOF to be used for the internal oracle
+ * @param data_hash            hash of the data to be signed
+ * @param ud                   input vector ud of size n
+ * @param set                  BLISS parameter set to be used (n, n_bits, kappa)
+ * @param c_indices            indexes of non-zero challenge coefficients
  */
-bool bliss_utils_generate_c(hash_algorithm_t alg, chunk_t data_hash,
+bool bliss_utils_generate_c(ext_out_function_t alg, chunk_t data_hash,
                                                        uint16_t *ud, const bliss_param_set_t *set,
                                                        uint16_t *c_indices);
 
 /**
  * Check the infinity and l2 norms of the vectors z1 and z2d << d
  *
- * @param set  BLISS parameter set
- * @param z1   input vector
- * @param z2d  input vector
- * @result             TRUE if infinite and l2 norms do not exceed boundaries
+ * @param set          BLISS parameter set
+ * @param z1           input vector
+ * @param z2d          input vector
+ * @result                     TRUE if infinite and l2 norms do not exceed boundaries
  */
 bool bliss_utils_check_norms(const bliss_param_set_t *set,
                                                         int32_t *z1, int16_t *z2d);
index db55984..2740a55 100644 (file)
@@ -44,6 +44,12 @@ struct private_chapoly_xof_t {
        chapoly_drv_t *drv;
 };
 
+METHOD(xof_t, get_type, ext_out_function_t,
+       private_chapoly_xof_t *this)
+{
+       return XOF_CHACHA20;
+}
+
 METHOD(xof_t, get_bytes, bool,
        private_chapoly_xof_t *this, size_t out_len, uint8_t *buffer)
 {
@@ -53,7 +59,7 @@ METHOD(xof_t, get_bytes, bool,
        len = min(out_len, CHACHA_BLOCK_SIZE - this->stream_index);
        if (len)
        {
-               memcpy(buffer + index, this->stream + this->stream_index, len);
+               memcpy(buffer, this->stream + this->stream_index, len);
                index += len;
                this->stream_index += len;
        }
@@ -151,6 +157,7 @@ chapoly_xof_t *chapoly_xof_create(ext_out_function_t algorithm)
        INIT(this,
                .public = {
                        .xof_interface = {
+                               .get_type = _get_type,
                                .get_bytes = _get_bytes,
                                .allocate_bytes = _allocate_bytes,
                                .get_block_size = _get_block_size,
diff --git a/src/libstrongswan/plugins/mgf1/Makefile.am b/src/libstrongswan/plugins/mgf1/Makefile.am
new file mode 100644 (file)
index 0000000..8df227f
--- /dev/null
@@ -0,0 +1,17 @@
+AM_CPPFLAGS = \
+       -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+       $(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-mgf1.la
+else
+plugin_LTLIBRARIES = libstrongswan-mgf1.la
+endif
+
+libstrongswan_mgf1_la_SOURCES = \
+       mgf1_plugin.h mgf1_plugin.c \
+       mgf1_xof.h mgf1_xof.c
+
+libstrongswan_mgf1_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/mgf1/mgf1_plugin.c b/src/libstrongswan/plugins/mgf1/mgf1_plugin.c
new file mode 100644 (file)
index 0000000..8df3ac2
--- /dev/null
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mgf1_plugin.h"
+#include "mgf1_xof.h"
+
+#include <library.h>
+
+typedef struct private_mgf1_plugin_t private_mgf1_plugin_t;
+
+/**
+ * private data of mgf1_plugin
+ */
+struct private_mgf1_plugin_t {
+
+       /**
+        * public functions
+        */
+       mgf1_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+       private_mgf1_plugin_t *this)
+{
+       return "mgf1";
+}
+
+METHOD(plugin_t, get_features, int,
+       private_mgf1_plugin_t *this, plugin_feature_t *features[])
+{
+       static plugin_feature_t f[] = {
+               PLUGIN_REGISTER(XOF, mgf1_xof_create),
+                       PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA1),
+                               PLUGIN_DEPENDS(HASHER, HASH_SHA1),
+                       PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA256),
+                               PLUGIN_DEPENDS(HASHER, HASH_SHA256),
+                       PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA512),
+                               PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+       };
+       *features = f;
+       return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+       private_mgf1_plugin_t *this)
+{
+       free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *mgf1_plugin_create()
+{
+       private_mgf1_plugin_t *this;
+
+       INIT(this,
+               .public = {
+                       .plugin = {
+                               .get_name = _get_name,
+                               .get_features = _get_features,
+                               .destroy = _destroy,
+                       },
+               },
+       );
+
+       return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/mgf1/mgf1_plugin.h b/src/libstrongswan/plugins/mgf1/mgf1_plugin.h
new file mode 100644 (file)
index 0000000..50105ca
--- /dev/null
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mgf1_p mgf1
+ * @ingroup plugins
+ *
+ * @defgroup mgf1_plugin mgf1_plugin
+ * @{ @ingroup mgf1_p
+ */
+
+#ifndef MGF1_PLUGIN_H_
+#define MGF1_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct mgf1_plugin_t mgf1_plugin_t;
+
+/**
+ * Plugin implementing the MGF1 Mask Generator Function in software.
+ */
+struct mgf1_plugin_t {
+
+       /**
+        * implements plugin interface
+        */
+       plugin_t plugin;
+};
+
+#endif /** MGF1_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/mgf1/mgf1_xof.c b/src/libstrongswan/plugins/mgf1/mgf1_xof.c
new file mode 100644 (file)
index 0000000..0f5fda9
--- /dev/null
@@ -0,0 +1,285 @@
+/*
+ * Copyright (C) 2013-2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mgf1_xof.h"
+
+#include "crypto/hashers/hasher.h"
+#include "utils/debug.h"
+
+typedef struct private_mgf1_xof_t private_mgf1_xof_t;
+
+/**
+ * Private data of an mgf1_xof_t object.
+ */
+struct private_mgf1_xof_t {
+
+       /**
+        * Public mgf1_xof_t interface.
+        */
+       mgf1_xof_t public;
+
+       /**
+        * XOF type of the MGF1 Mask Generation Function
+        */
+       ext_out_function_t type;
+
+       /**
+        * Hasher the MGF1 Mask Generation Function is based on
+        */
+       hasher_t *hasher;
+
+       /**
+        * Is the seed hashed before using it as a seed for MGF1 ?
+        */
+       bool hash_seed;
+
+       /**
+        * Counter
+        */
+       uint32_t counter;
+
+       /**
+        * Set if counter has reached 2^32
+        */
+       bool overflow;
+
+       /**
+        * Current state to be hashed
+        */
+       chunk_t state;
+
+       /**
+        * Position of the 4 octet counter string
+        */
+       uint8_t *ctr_str;
+
+       /**
+        * Latest hash block
+        */
+       uint8_t buf[HASH_SIZE_SHA512];
+
+       /**
+        * Index pointing to the current position in the hash block
+        */
+       size_t buf_index;
+
+};
+
+METHOD(xof_t, get_type, ext_out_function_t,
+       private_mgf1_xof_t *this)
+{
+       return this->type;
+}
+
+static bool get_next_block(private_mgf1_xof_t *this, uint8_t *buffer)
+{
+       /* detect overflow, set counter string and increment counter */
+       if (this->overflow)
+       {
+               DBG1(DBG_LIB, "MGF1 overflow occurred");
+               return FALSE;
+       }
+       htoun32(this->ctr_str, this->counter++);
+       if (this->counter == 0)
+       {
+               this->overflow = TRUE;
+       }
+
+       /* get the next block from the hash function */
+       if (!this->hasher->get_hash(this->hasher, this->state, buffer))
+       {
+               return FALSE;
+       }
+
+       return TRUE;
+}
+
+METHOD(xof_t, get_bytes, bool,
+       private_mgf1_xof_t *this, size_t out_len, uint8_t *buffer)
+{
+       size_t index = 0, blocks, len, hash_size;
+
+       hash_size = this->hasher->get_hash_size(this->hasher);
+
+       /* empty the current hash block buffer first */
+       len = min(out_len, hash_size - this->buf_index);
+       if (len)
+       {
+               memcpy(buffer, this->buf + this->buf_index, len);
+               index += len;
+               this->buf_index += len;
+       }
+
+       /* copy whole hash blocks directly to output buffer */
+       blocks = (out_len - index) / hash_size;
+       while (blocks--)
+       {
+               if (!get_next_block(this, buffer + index))
+               {
+                       return FALSE;
+               }
+               index += hash_size;
+       }
+
+       /* get another hash block if some more output bytes are needed */
+       len = out_len - index;
+       if (len)
+       {
+               if (!get_next_block(this, this->buf))
+               {
+                       return FALSE;
+               }
+               memcpy(buffer + index, this->buf, len);
+               this->buf_index = len;
+       }
+
+       return TRUE;
+}
+
+METHOD(xof_t, allocate_bytes, bool,
+       private_mgf1_xof_t *this, size_t out_len, chunk_t *chunk)
+{
+       *chunk = chunk_alloc(out_len);
+
+       if (!get_bytes(this, out_len, chunk->ptr))
+       {
+               chunk_free(chunk);
+               return FALSE;
+       }
+
+       return TRUE;
+}
+
+METHOD(xof_t, get_block_size, size_t,
+       private_mgf1_xof_t *this)
+{
+       return this->hasher->get_hash_size(this->hasher);
+}
+
+METHOD(xof_t, get_seed_size, size_t,
+       private_mgf1_xof_t *this)
+{
+       return this->hasher->get_hash_size(this->hasher);
+}
+
+METHOD(xof_t, set_seed, bool,
+       private_mgf1_xof_t *this, chunk_t seed)
+{
+       size_t hash_size, state_len;
+
+       if (seed.len == 0)
+       {
+               DBG1(DBG_LIB, "empty seed for MGF1");
+               return FALSE;
+       }
+
+       /* determine state size and allocate space accordingly */
+       hash_size = this->hasher->get_hash_size(this->hasher);
+       state_len = (this->hash_seed ? hash_size : seed.len) + 4;
+       chunk_clear(&this->state);
+       this->state = chunk_alloc(state_len);
+
+       /* hash block buffer is empty */
+       this->buf_index = hash_size;
+
+       /* reset counter */
+       this->counter = 0;
+
+       /* determine position of the 4 octet counter string */
+       this->ctr_str = this->state.ptr + state_len - 4;
+
+       if (this->hash_seed)
+       {
+               if (!this->hasher->get_hash(this->hasher, seed, this->state.ptr))
+               {
+                       DBG1(DBG_LIB, "failed to hash seed for MGF1");
+                       return FALSE;
+               }
+       }
+       else
+       {
+               memcpy(this->state.ptr, seed.ptr, seed.len);
+       }
+
+       return TRUE;
+}
+
+METHOD(xof_t, destroy, void,
+       private_mgf1_xof_t *this)
+{
+       this->hasher->destroy(this->hasher);
+       chunk_clear(&this->state);
+       free(this);
+}
+
+METHOD(mgf1_t, set_hash_seed, void,
+       private_mgf1_xof_t *this, bool yes)
+{
+       this->hash_seed = yes;
+}
+
+/*
+ * Described in header.
+ */
+mgf1_xof_t *mgf1_xof_create(ext_out_function_t algorithm)
+{
+       private_mgf1_xof_t *this;
+       hash_algorithm_t hash_alg;
+       hasher_t *hasher;
+
+       switch (algorithm)
+       {
+               case XOF_MGF1_SHA1:
+                       hash_alg = HASH_SHA1;
+                       break;
+               case XOF_MGF1_SHA256:
+                       hash_alg = HASH_SHA256;
+                       break;
+               case XOF_MGF1_SHA512:
+                       hash_alg = HASH_SHA512;
+                       break;
+               default:
+                       return NULL;
+       }
+
+       hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
+       if (!hasher)
+       {
+               DBG1(DBG_LIB, "failed to create %N hasher for MGF1",
+                        hash_algorithm_names, hash_alg);
+               return NULL;
+       }
+       
+       INIT(this,
+               .public = {
+                       .mgf1_interface = {
+                               .xof_interface = {
+                                       .get_type = _get_type,
+                                       .get_bytes = _get_bytes,
+                                       .allocate_bytes = _allocate_bytes,
+                                       .get_block_size = _get_block_size,
+                                       .get_seed_size = _get_seed_size,
+                                       .set_seed = _set_seed,
+                                       .destroy = _destroy,
+                               },
+                               .set_hash_seed = _set_hash_seed,
+                       },
+               },
+               .type = algorithm,
+               .hasher = hasher,
+       );
+
+       return &this->public;
+}
diff --git a/src/libstrongswan/plugins/mgf1/mgf1_xof.h b/src/libstrongswan/plugins/mgf1/mgf1_xof.h
new file mode 100644 (file)
index 0000000..9d60a80
--- /dev/null
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mgf1_xof mgf1_xof
+ * @{ @ingroup crypto
+ */
+
+#ifndef MGF1_XOF_H_
+#define MGF1_XOF_H_
+
+typedef struct mgf1_xof_t mgf1_xof_t;
+
+#include <crypto/xofs/mgf1.h>
+
+/**
+ * Implements the PKCS#1 MGF1_XOF Mask Generation Function based on a hash
+ * function defined in section 10.2.1 of RFC 2437
+ */
+struct mgf1_xof_t {
+
+       /**
+        * mgf1_t interface for this Extended Output Function (XOF).
+        */
+       mgf1_t mgf1_interface;
+};
+
+/**
+ * Create an mgf1_xof_t object
+ *
+ * @param algorithm            XOF_MGF1_SHA1, XOF_MGF1_SHA256 or XOF_MGF1_SHA512
+ * @return                             mgf1_xof_t object, NULL if not supported
+ */
+mgf1_xof_t *mgf1_xof_create(ext_out_function_t algorithm);
+
+#endif /** MGF1_XOF_H_ @}*/
+
index cb11601..b2fca2f 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2009-2013  Security Innovation
@@ -17,7 +17,7 @@
 
 #include "ntru_poly.h"
 
-#include <crypto/mgf1/mgf1_bitspender.h>
+#include <crypto/xofs/xof_bitspender.h>
 #include <utils/debug.h>
 #include <utils/test.h>
 
@@ -290,8 +290,9 @@ static private_ntru_poly_t* ntru_poly_create(uint16_t N, uint16_t q,
 /*
  * Described in header.
  */
-ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
-                                                                               uint8_t c_bits, uint16_t N, uint16_t q,
+ntru_poly_t *ntru_poly_create_from_seed(ext_out_function_t mgf1_type,
+                                                                               chunk_t seed, uint8_t c_bits,
+                                                                               uint16_t N, uint16_t q,
                                                                                uint32_t indices_len_p,
                                                                                uint32_t indices_len_m,
                                                                                bool is_product_form)
@@ -300,9 +301,9 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
        int n, num_indices, index_i = 0;
        uint32_t index, limit;
        uint8_t *used;
-       mgf1_bitspender_t *bitspender;
+       xof_bitspender_t *bitspender;
 
-       bitspender = mgf1_bitspender_create(alg, seed, TRUE);
+       bitspender = xof_bitspender_create(mgf1_type, seed, TRUE);
        if (!bitspender)
        {
            return NULL;
index 87c7710..765b72b 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@
 typedef struct ntru_poly_t ntru_poly_t;
 
 #include <library.h>
+#include <crypto/xofs/xof.h>
 
 /**
  * Implements a trinary polynomial storing the indices of non-zero coefficients 
@@ -63,9 +64,9 @@ struct ntru_poly_t {
 };
 
 /**
- * Create a trits polynomial from a seed using MGF1 with a base hash function
+ * Create a trits polynomial from a seed using MGF1
  *
- * @param alg                          hash algorithm to be used by MGF1
+ * @param alg                          MGF1 algorithm used(XOF_MGF1_SHA1 or XOF_MGF_SHA256)
  * @param seed                         seed used by MGF1 to generate trits from
  * @param N                                    ring dimension, number of polynomial coefficients
  * @param q                                    large modulus
@@ -74,7 +75,7 @@ struct ntru_poly_t {
  * @param indices_len_m                number of indices for -1 coefficients
  * @param is_product_form      generate multiple polynomials
  */
-ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
+ntru_poly_t *ntru_poly_create_from_seed(ext_out_function_t alg,        chunk_t seed,
                                                                                uint8_t c_bits, uint16_t N, uint16_t q,
                                                                                uint32_t indices_len_p,
                                                                                uint32_t indices_len_m,
index c795c9d..844c8ba 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2009-2013  Security Innovation
@@ -178,7 +178,7 @@ bool ntru_check_min_weight(uint16_t N, uint8_t  *t, uint16_t min_wt)
 METHOD(ntru_private_key_t, decrypt, bool,
        private_ntru_private_key_t *this, chunk_t ciphertext, chunk_t *plaintext)
 {
-       hash_algorithm_t hash_algid;
+       ext_out_function_t alg;
        size_t t_len, seed1_len, seed2_len;
        uint16_t *t1, *t2, *t = NULL;
     uint16_t mod_q_mask, q_mod_p, cmprime_len, cm_len = 0, num_zeros;
@@ -206,9 +206,9 @@ METHOD(ntru_private_key_t, decrypt, bool,
        Mtrin = (uint8_t *)t1;
        M = Mtrin + this->params->N;
 
-       /* set hash algorithm based on security strength */
-       hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 :
-                                                                                                                 HASH_SHA256;
+       /* set MGF1 algorithm type based on security strength */
+       alg = (this->params->sec_strength_len <= 20) ? XOF_MGF1_SHA1 :
+                                                                                                  XOF_MGF1_SHA256;
 
        /* set constants */
        mod_q_mask = this->params->q - 1;
@@ -307,7 +307,7 @@ METHOD(ntru_private_key_t, decrypt, bool,
        ntru_coeffs_mod4_2_octets(this->params->N, t2, seed.ptr);
 
        /* form mask */
-       mask = ntru_trits_create(this->params->N, hash_algid, seed);
+       mask = ntru_trits_create(this->params->N, alg, seed);
        if (!mask)
        {
                DBG1(DBG_LIB, "mask creation failed");
@@ -390,9 +390,8 @@ METHOD(ntru_private_key_t, decrypt, bool,
 
        /* generate cr */
        DBG2(DBG_LIB, "generate polynomial r");
-       r_poly = ntru_poly_create_from_seed(hash_algid, seed,
-                                               this->params->c_bits, this->params->N,
-                                               this->params->q, this->params->dF_r,
+       r_poly = ntru_poly_create_from_seed(alg, seed, this->params->c_bits,
+                                               this->params->N, this->params->q, this->params->dF_r,
                                                this->params->dF_r, this->params->is_product_form);
        if (!r_poly)
        {
@@ -648,7 +647,7 @@ ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg,
        size_t t_len;
        uint16_t *t1, *t2, *t = NULL;
        uint16_t mod_q_mask;
-    hash_algorithm_t hash_algid;
+    ext_out_function_t alg;
        ntru_poly_t *g_poly;
        chunk_t seed;
        int i;
@@ -667,14 +666,8 @@ ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg,
        );
 
        /* set hash algorithm and seed length based on security strength */
-       if (params->sec_strength_len <= 20)
-       {
-               hash_algid = HASH_SHA1;
-       }
-       else
-       {
-               hash_algid = HASH_SHA256;
-       }
+       alg = (params->sec_strength_len <= 20) ? XOF_MGF1_SHA1 :
+                                                                                        XOF_MGF1_SHA256;
        seed =chunk_alloc(params->sec_strength_len + 8);
 
        /* get random seed for generating trinary F as a list of indices */
@@ -685,7 +678,7 @@ ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg,
        }
 
        DBG2(DBG_LIB, "generate polynomial F");
-       this->privkey = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+       this->privkey = ntru_poly_create_from_seed(alg, seed, params->c_bits,
                                                                                           params->N, params->q,
                                                                                           params->dF_r, params->dF_r,
                                                                                           params->is_product_form);
@@ -729,7 +722,7 @@ ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg,
        }
 
        DBG2(DBG_LIB, "generate polynomial g");
-       g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+       g_poly = ntru_poly_create_from_seed(alg, seed, params->c_bits,
                                                                                params->N, params->q, params->dg + 1,
                                                                                params->dg, FALSE);
        if (!g_poly)
index 2b72d90..36d9abf 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2009-2013  Security Innovation
@@ -102,7 +102,7 @@ extern bool ntru_check_min_weight(uint16_t N, uint8_t  *t, uint16_t min_wt);
 METHOD(ntru_public_key_t, encrypt, bool,
        private_ntru_public_key_t *this, chunk_t plaintext, chunk_t *ciphertext)
 {
-       hash_algorithm_t hash_algid;
+       ext_out_function_t alg;
        size_t t_len, seed1_len, seed2_len;
        uint16_t *t1, *t = NULL;
        uint8_t b[MAX_SEC_STRENGTH_LEN];
@@ -139,8 +139,8 @@ METHOD(ntru_public_key_t, encrypt, bool,
        M = Mtrin + this->params->N;
 
        /* set hash algorithm based on security strength */
-       hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 :
-                                                                                                                 HASH_SHA256;
+       alg = (this->params->sec_strength_len <= 20) ? XOF_MGF1_SHA1 :
+                                                                                                  XOF_MGF1_SHA256;
        /* set constants */
        mod_q_mask = this->params->q - 1;
 
@@ -173,7 +173,7 @@ METHOD(ntru_public_key_t, encrypt, bool,
                seed.len = seed2_len;
 
                DBG2(DBG_LIB, "generate polynomial r");
-               r_poly = ntru_poly_create_from_seed(hash_algid, seed, this->params->c_bits,
+               r_poly = ntru_poly_create_from_seed(alg, seed, this->params->c_bits,
                                                                                        this->params->N, this->params->q,
                                                                                        this->params->dF_r, this->params->dF_r,
                                                                                        this->params->is_product_form);
@@ -191,7 +191,7 @@ METHOD(ntru_public_key_t, encrypt, bool,
                seed.len = seed1_len;
 
                /* form mask */
-               mask = ntru_trits_create(this->params->N, hash_algid, seed);
+               mask = ntru_trits_create(this->params->N, alg, seed);
                if (!mask)
                {
                        DBG1(DBG_LIB, "mask creation failed");
index 57b3532..0bbbcc1 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -16,7 +16,7 @@
 #include "ntru_trits.h"
 #include "ntru_convert.h"
 
-#include <crypto/mgf1/mgf1_bitspender.h>
+#include <crypto/xofs/xof_bitspender.h>
 #include <utils/debug.h>
 #include <utils/test.h>
 
@@ -67,14 +67,15 @@ METHOD(ntru_trits_t, destroy, void,
 /*
  * Described in header.
  */
-ntru_trits_t *ntru_trits_create(size_t len, hash_algorithm_t alg, chunk_t seed)
+ntru_trits_t *ntru_trits_create(size_t len, ext_out_function_t alg,
+                                                               chunk_t seed)
 {
        private_ntru_trits_t *this;
        uint8_t octet, buf[5], *trits;
        size_t trits_needed;
-       mgf1_bitspender_t *bitspender;
+       xof_bitspender_t *bitspender;
 
-       bitspender = mgf1_bitspender_create(alg, seed, TRUE);
+       bitspender = xof_bitspender_create(alg, seed, TRUE);
        if (!bitspender)
        {
            return NULL;
index 524c51b..e489aae 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@
 typedef struct ntru_trits_t ntru_trits_t;
 
 #include <library.h>
+#include <crypto/xofs/xof.h>
 
 /**
  * Implements an array of trinary elements (trits) 
@@ -52,10 +53,11 @@ struct ntru_trits_t {
  * Create a trits array from a seed using MGF1 with a base hash function
  *
  * @param size                 size of the trits array
- * @param alg                  hash algorithm to be used by MGF1
+ * @param alg                  MGF1 algorithm used (XOF_MGF1_SHA1 or XOF_MGF_SHA256)
  * @param seed                 seed used by MGF1 to generate trits from
  */
-ntru_trits_t *ntru_trits_create(size_t size, hash_algorithm_t alg, chunk_t seed);
+ntru_trits_t *ntru_trits_create(size_t size, ext_out_function_t alg,
+                                                               chunk_t seed);
 
 #endif /** NTRU_TRITS_H_ @}*/
 
index fef26bb..0f1af39 100644 (file)
@@ -46,6 +46,11 @@ struct private_sha3_shake_t {
 
 };
 
+METHOD(xof_t, get_type, ext_out_function_t,
+       private_sha3_shake_t *this)
+{
+       return this->algorithm;
+}
 
 METHOD(xof_t, get_bytes, bool,
        private_sha3_shake_t *this, size_t out_len, uint8_t *buffer)
@@ -114,6 +119,7 @@ sha3_shake_t* sha3_shake_create(ext_out_function_t algorithm)
        INIT(this,
                .public = {
                        .xof_interface = {
+                               .get_type = _get_type,
                                .get_bytes = _get_bytes,
                                .allocate_bytes = _allocate_bytes,
                                .get_block_size = _get_block_size,
index 9388b95..6945f5c 100644 (file)
 
 #include <tests/utils/test_rng.h>
 #include <utils/test.h>
-#include <crypto/mgf1/mgf1.h>
-#include <crypto/mgf1/mgf1_bitspender.h>
+#include <crypto/xofs/xof.h>
+#include <crypto/xofs/xof_bitspender.h>
+#include <crypto/xofs/mgf1.h>
 
 typedef struct {
-       hash_algorithm_t alg;
+       ext_out_function_t alg;
        size_t hash_size;
        size_t ml1, ml2, ml3, seed_len;
        chunk_t seed;
@@ -34,7 +35,7 @@ typedef struct {
  * MGF1 Mask Generation Function Test Vectors
  */
 mgf1_test_t mgf1_tests[] = {
-       {       HASH_SHA1, 20, 60, 20, 15, 24,
+       {       XOF_MGF1_SHA1, 20, 60, 20, 15, 24,
                chunk_from_chars(
                                                0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D,
                                                0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D,
@@ -73,7 +74,7 @@ mgf1_test_t mgf1_tests[] = {
                { 0, 0, 0, 4, 1, 1, 46, 103, 38, 411, 848, 57, 3540, 4058, 12403,
                  0x63, 0x2B, 0xC9, 0x17, 0x56, 669409, 0xA407A43B },
        },
-       {       HASH_SHA256, 32, 64, 32, 33, 40,
+       {       XOF_MGF1_SHA256, 32, 64, 32, 33, 40,
                chunk_from_chars(
                                                0x52, 0xC5, 0xDD, 0x1E, 0xEF, 0x76, 0x1B, 0x53,
                                                0x08, 0xE4, 0x86, 0x3F, 0x91, 0x12, 0x98, 0x69,
@@ -127,6 +128,7 @@ mgf1_test_t mgf1_tests[] = {
 
 START_TEST(mgf1_test_mgf1)
 {
+       xof_t *xof;
        mgf1_t *mgf1;
        chunk_t mask, mask1, mask2, mask3;
 
@@ -137,72 +139,88 @@ START_TEST(mgf1_test_mgf1)
        mask2.len = mgf1_tests[_i].ml2;
        mask3.len = mgf1_tests[_i].ml3;
 
-       mgf1 = mgf1_create(HASH_UNKNOWN, mgf1_tests[_i].seed, TRUE);
-       ck_assert(mgf1 == NULL);
+       /* unknown XOF */
+       xof = lib->crypto->create_xof(lib->crypto, XOF_UNDEFINED);
+       ck_assert(xof == NULL);
 
-       mgf1 = mgf1_create(mgf1_tests[_i].alg, chunk_empty, TRUE);
-       ck_assert(mgf1 == NULL);
+       /* create MGF1 XOF */
+       xof = lib->crypto->create_xof(lib->crypto, mgf1_tests[_i].alg);
+       ck_assert(xof);
 
-       /* return mask in allocated chunk */
-       mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
-       ck_assert(mgf1);
+       /* hash the seed */
+       mgf1 = (mgf1_t*)xof;
+       mgf1->set_hash_seed(mgf1, TRUE);
 
-       /* check hash size */
-       ck_assert(mgf1->get_hash_size(mgf1) == mgf1_tests[_i].hash_size);
+       /* check MGF1 type */
+       ck_assert(xof->get_type(xof) == mgf1_tests[_i].alg);
 
-       /* get zero number of octets */
-       ck_assert(mgf1->allocate_mask(mgf1, 0, &mask));
+       /* check seed size */
+       ck_assert(xof->get_seed_size(xof) == mgf1_tests[_i].hash_size);
+
+       /* check block size */
+       ck_assert(xof->get_block_size(xof) == mgf1_tests[_i].hash_size);
+
+       /* empty seed */
+       ck_assert(!xof->set_seed(xof, chunk_empty));
+
+       /* initialize MGF1 with non-empty seed */
+       ck_assert(xof->set_seed(xof, mgf1_tests[_i].seed));
+
+       /* allocate zero number of octets */
+       ck_assert(xof->allocate_bytes(xof, 0, &mask));
        ck_assert(mask.len == 0 && mask.ptr == NULL);
 
-       /* get non-zero number of octets */
-       ck_assert(mgf1->allocate_mask(mgf1, mgf1_tests[_i].mask.len, &mask));
+       /* allocate non-zero number of octets */
+       ck_assert(xof->allocate_bytes(xof, mgf1_tests[_i].mask.len, &mask));
        ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
-       mgf1->destroy(mgf1);
+
+       /* re-initialize MGF1 with non-empty seed */
+       ck_assert(xof->set_seed(xof, mgf1_tests[_i].seed));
 
        /* copy mask to pre-allocated buffer */
-       mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
-       ck_assert(mgf1);
-       ck_assert(mgf1->get_mask(mgf1, mgf1_tests[_i].mask.len, mask.ptr));
+       ck_assert(xof->get_bytes(xof, mgf1_tests[_i].mask.len, mask.ptr));
        ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
-       mgf1->destroy(mgf1);
 
-       /* get mask in batches without hashing the seed */
-       mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].hashed_seed, FALSE);
-       ck_assert(mgf1);
+       /* do not hash the seed */
+       mgf1->set_hash_seed(mgf1, FALSE);
+
+       /* re-initialize MGF1 with non-empty seed */
+       ck_assert(xof->set_seed(xof, mgf1_tests[_i].hashed_seed));
 
        /* first batch */
-       ck_assert(mgf1->get_mask(mgf1, mask1.len, mask.ptr));
+       ck_assert(xof->get_bytes(xof, mask1.len, mask.ptr));
        mask.len = mask1.len;
        ck_assert(chunk_equals(mask, mask1));
 
        /* second batch */
-       ck_assert(mgf1->get_mask(mgf1, mask2.len, mask.ptr));
+       ck_assert(xof->get_bytes(xof, mask2.len, mask.ptr));
        mask.len = mask2.len;
        ck_assert(chunk_equals(mask, mask2));
 
        /* third batch */
-       ck_assert(mgf1->get_mask(mgf1, mask3.len, mask.ptr));
+       ck_assert(xof->get_bytes(xof, mask3.len, mask.ptr));
        mask.len = mask3.len;
        ck_assert(chunk_equals(mask, mask3));
 
-       mgf1->destroy(mgf1);
+       /* clean up */
+       xof->destroy(xof);
        chunk_free(&mask);
 }
 END_TEST
 
 START_TEST(mgf1_test_bitspender)
 {
-       mgf1_bitspender_t *bitspender;
+       xof_bitspender_t *bitspender;
        uint32_t bits;
        uint8_t byte;
        int j;
 
-       bitspender = mgf1_bitspender_create(HASH_UNKNOWN,
-                                                                               mgf1_tests[_i].hashed_seed, FALSE);
+       bitspender = xof_bitspender_create(XOF_UNDEFINED,
+                                                                          mgf1_tests[_i].hashed_seed, FALSE);
        ck_assert(bitspender == NULL);
 
-       bitspender = mgf1_bitspender_create(mgf1_tests[_i].alg,
-                                                                               mgf1_tests[_i].hashed_seed, FALSE);
+       bitspender = xof_bitspender_create(mgf1_tests[_i].alg,
+                                                                          mgf1_tests[_i].hashed_seed, FALSE);
        ck_assert(bitspender);
 
        for (j = 0; j < 15; j++)
index 0a6d24d..0b432e2 100644 (file)
@@ -17,7 +17,7 @@
 
 #include <tests/utils/test_rng.h>
 #include <utils/test.h>
-#include <crypto/mgf1/mgf1.h>
+#include <crypto/xofs/xof.h>
 #include <plugins/ntru/ntru_drbg.h>
 #include <plugins/ntru/ntru_trits.h>
 #include <plugins/ntru/ntru_poly.h>
@@ -28,10 +28,10 @@ IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create, ntru_drbg_t*,
                                                  uint32_t strength, chunk_t pers_str, rng_t *entropy)
 
 IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_trits_create, ntru_trits_t*,
-                                                 size_t len, hash_algorithm_t alg, chunk_t seed)
+                                                 size_t len, ext_out_function_t alg, chunk_t seed)
 
 IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_seed, ntru_poly_t*,
-                                                 hash_algorithm_t alg, chunk_t seed, uint8_t c_bits,
+                                                 ext_out_function_t alg, chunk_t seed, uint8_t c_bits,
                                                  uint16_t N, uint16_t q, uint32_t indices_len_p,
                                                  uint32_t indices_len_m, bool is_product_form)
 
@@ -329,7 +329,7 @@ typedef struct {
 } poly_test_t;
 
 typedef struct {
-       hash_algorithm_t alg;
+       ext_out_function_t alg;
        size_t hash_size;
        size_t seed_len;
        chunk_t seed;
@@ -384,7 +384,7 @@ uint16_t indices_ees1171ep1[] = {
  * Trits and Polynomial Test Vectors
  */
 static trits_test_t trits_tests[] = {
-       {       HASH_SHA1, 20, 24,
+       {       XOF_MGF1_SHA1, 20, 24,
                chunk_from_chars(
                                                0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D,
                                                0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D,
@@ -432,7 +432,7 @@ static trits_test_t trits_tests[] = {
                        }
                }
        },
-       {       HASH_SHA256, 32, 40,
+       {       XOF_MGF1_SHA256, 32, 40,
                chunk_from_chars(
                                                0x52, 0xC5, 0xDD, 0x1E, 0xEF, 0x76, 0x1B, 0x53,
                                                0x08, 0xE4, 0x86, 0x3F, 0x91, 0x12, 0x98, 0x69,
@@ -501,7 +501,7 @@ START_TEST(test_ntru_trits)
        chunk_t trits;
 
        mask = TEST_FUNCTION(ntru, ntru_trits_create, trits_tests[_i].trits.len,
-                                                HASH_UNKNOWN, trits_tests[_i].seed);
+                                                XOF_UNDEFINED, trits_tests[_i].seed);
        ck_assert(mask == NULL);
 
        mask = TEST_FUNCTION(ntru, ntru_trits_create, trits_tests[_i].trits.len,
@@ -539,7 +539,7 @@ START_TEST(test_ntru_poly)
        seed.len = trits_tests[_i].seed_len;
 
        p = &trits_tests[_i].poly_test[0];
-       poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed, HASH_UNKNOWN, seed,
+       poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed, XOF_UNDEFINED, seed,
                                                 p->c_bits, p->N, p->q, p->indices_len, p->indices_len,
                                                 p->is_product_form);
        ck_assert(poly == NULL);
index 978b276..3925d92 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   send_vendor_id = yes
index c52a325..fafe267 100644 (file)
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
+
   multiple_authentication = no
   send_vendor_id = yes
 }
index 079ea72..e7364f6 100644 (file)
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
index 079ea72..e7364f6 100644 (file)
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
index 079ea72..e7364f6 100644 (file)
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
index 9e655ea..278f98e 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = chapoly aes des sha1 sha2 md5 pem pkcs1 gmp ntru random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce chapoly aes sha1 sha2 md5 pem pkcs1 gmp mgf1 ntru x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   send_vendor_id = yes
 }
index 964c520..7d03051 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = chapoly aes des sha1 sha2 md5 pem pkcs1 gmp ntru random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce chapoly aes sha1 sha2 pem pkcs1 gmp mgf1 ntru x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   send_vendor_id = yes 
 }
index 577d74e..867949d 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   send_vendor_id = yes
index 9f1d9c4..e39c922 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   send_vendor_id = yes
index 978b276..3925d92 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   send_vendor_id = yes
index c52a325..a4cfc61 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
   send_vendor_id = yes
 }
index 9d202b4..6a6d398 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
index 9d202b4..6a6d398 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
index 9d202b4..6a6d398 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
index 32eaea5..1d9f6e2 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 sha3 chapoly newhope bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
   fragment_size = 1500
 }
index 32eaea5..1d9f6e2 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 sha3 chapoly newhope bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
   fragment_size = 1500
 }
index 32eaea5..1d9f6e2 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 sha3 chapoly newhope bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
   fragment_size = 1500
 }
index c47ca80..028dd8e 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
   fragment_size = 1500
 }
index c47ca80..028dd8e 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
   fragment_size = 1500
 }
index c47ca80..028dd8e 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
   fragment_size = 1500
 }
index 079ea72..e7364f6 100644 (file)
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
index 079ea72..e7364f6 100644 (file)
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
index 079ea72..e7364f6 100644 (file)
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
index 046773f..00576a8 100755 (executable)
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 sha3 aes chapoly newhope bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici 
+  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici 
 
   send_vendor_id = yes
   fragment_size = 1500
index 1253cba..83cfb4e 100755 (executable)
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 sha3 aes chapoly newhope bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
 
   send_vendor_id = yes
   fragment_size = 1500
index 29c2745..98de2c9 100755 (executable)
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 sha3 aes chapoly newhope bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
 
   send_vendor_id = yes
   fragment_size = 1500
index 1a8d362..b158ccd 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
 
   send_vendor_id = yes
   fragment_size = 1500
index 1a8d362..b158ccd 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
 
   send_vendor_id = yes
   fragment_size = 1500
index ec18f44..c6dd6be 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
 
   send_vendor_id = yes
   fragment_size = 1500