Provide RNG_TRUE quality in rdrand by mixing reseeded outputs using AES
authorMartin Willi <martin@revosec.ch>
Fri, 4 Jan 2013 16:34:07 +0000 (17:34 +0100)
committerMartin Willi <martin@revosec.ch>
Fri, 11 Jan 2013 09:45:14 +0000 (10:45 +0100)
src/libstrongswan/plugins/rdrand/rdrand_plugin.c
src/libstrongswan/plugins/rdrand/rdrand_rng.c

index 4462c5e..4bdfc25 100644 (file)
@@ -98,6 +98,8 @@ METHOD(plugin_t, get_features, int,
                PLUGIN_REGISTER(RNG, rdrand_rng_create),
                        PLUGIN_PROVIDE(RNG, RNG_WEAK),
                        PLUGIN_PROVIDE(RNG, RNG_STRONG),
+                       PLUGIN_PROVIDE(RNG, RNG_TRUE),
+                               PLUGIN_DEPENDS(CRYPTER, ENCR_AES_CBC, 16),
        };
        *features = f;
        return countof(f);
index 6ad0da2..8c219b4 100644 (file)
@@ -15,6 +15,8 @@
 
 #include "rdrand_rng.h"
 
+#include <unistd.h>
+
 typedef struct private_rdrand_rng_t private_rdrand_rng_t;
 
 /**
@@ -45,6 +47,11 @@ struct private_rdrand_rng_t {
 #define FORCE_RESEED 16
 
 /**
+ * How many times we mix reseeded RDRAND output when using RNG_TRUE
+ */
+#define MIX_ROUNDS 32
+
+/**
  * Get a two byte word using RDRAND
  */
 static bool rdrand16(u_int16_t *out)
@@ -128,6 +135,29 @@ static bool rdrand8(u_int8_t *out)
 }
 
 /**
+ * Get a 16 byte word using RDRAND
+ */
+static bool rdrand128(void *out)
+{
+#ifdef __x86_64__
+       if (!rdrand64(out) ||
+               !rdrand64(out + sizeof(u_int64_t)))
+       {
+               return FALSE;
+       }
+#else /* __i386__ */
+       if (!rdrand32(out) ||
+               !rdrand32(out + 1 * sizeof(u_int32_t)) ||
+               !rdrand32(out + 2 * sizeof(u_int32_t)) ||
+               !rdrand32(out + 3 * sizeof(u_int32_t)))
+       {
+               return FALSE;
+       }
+#endif /* __x86_64__ / __i386__ */
+       return TRUE;
+}
+
+/**
  * Enforce a DRNG reseed by reading 511 128-bit samples
  */
 static bool reseed()
@@ -158,13 +188,11 @@ static bool reseed()
        return TRUE;
 }
 
-METHOD(rng_t, get_bytes, bool,
-       private_rdrand_rng_t *this, size_t bytes, u_int8_t *buffer)
+/**
+ * Fill a preallocated chunk of data with random bytes
+ */
+static bool rdrand_chunk(private_rdrand_rng_t *this, chunk_t chunk)
 {
-       chunk_t chunk;
-
-       chunk = chunk_create(buffer, bytes);
-
        if (this->quality == RNG_STRONG)
        {
                if (!reseed())
@@ -293,6 +321,77 @@ METHOD(rng_t, get_bytes, bool,
        return TRUE;
 }
 
+/**
+ * Stronger variant mixing reseeded results of rdrand output
+ *
+ * This is based on the Intel DRNG "Software Implementation Guide", using
+ * AES-CBC to mix several reseeded RDRAND outputs.
+ */
+static bool rdrand_mixed(private_rdrand_rng_t *this, chunk_t chunk)
+{
+       u_char block[16], forward[16], key[16], iv[16];
+       crypter_t *crypter;
+       int i, len;
+
+       memset(iv, 0, sizeof(iv));
+       crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16);
+       if (!crypter)
+       {
+               return FALSE;
+       }
+       for (i = 0; i < sizeof(key); i++)
+       {
+               key[i] = i;
+       }
+       if (!crypter->set_key(crypter, chunk_from_thing(key)))
+       {
+               crypter->destroy(crypter);
+               return FALSE;
+       }
+       while (chunk.len > 0)
+       {
+               memset(forward, 0, sizeof(forward));
+               for (i = 0; i < MIX_ROUNDS; i++)
+               {
+                       /* sleep to reseed PRNG */
+                       usleep(10);
+                       if (!rdrand128(block))
+                       {
+                               crypter->destroy(crypter);
+                               return FALSE;
+                       }
+                       memxor(forward, block, sizeof(block));
+                       if (!crypter->encrypt(crypter, chunk_from_thing(forward),
+                                                                 chunk_from_thing(iv), NULL))
+                       {
+                               crypter->destroy(crypter);
+                               return FALSE;
+                       }
+               }
+               len = min(chunk.len, sizeof(forward));
+               memcpy(chunk.ptr, forward, len);
+               chunk = chunk_skip(chunk, len);
+       }
+       crypter->destroy(crypter);
+
+       return TRUE;
+}
+
+METHOD(rng_t, get_bytes, bool,
+       private_rdrand_rng_t *this, size_t bytes, u_int8_t *buffer)
+{
+       switch (this->quality)
+       {
+               case RNG_WEAK:
+               case RNG_STRONG:
+                       return rdrand_chunk(this, chunk_create(buffer, bytes));
+               case RNG_TRUE:
+                       return rdrand_mixed(this, chunk_create(buffer, bytes));
+               default:
+                       return FALSE;
+       }
+}
+
 METHOD(rng_t, allocate_bytes, bool,
        private_rdrand_rng_t *this, size_t bytes, chunk_t *chunk)
 {
@@ -322,10 +421,9 @@ rdrand_rng_t *rdrand_rng_create(rng_quality_t quality)
        {
                case RNG_WEAK:
                case RNG_STRONG:
-                       break;
                case RNG_TRUE:
+                       break;
                default:
-                       /* not yet */
                        return NULL;
        }