libtom
diff --git a/‎changes‎
Lines changed: 43 additions & 1 deletion b/‎changes‎
Lines changed: 43 additions & 1 deletion
diff --git a/‎crypt.c‎
Lines changed: 29 additions & 15 deletions b/‎crypt.c‎
Lines changed: 29 additions & 15 deletions
diff --git a/‎crypt.tex‎
Lines changed: 148 additions & 13 deletions b/‎crypt.tex‎
Lines changed: 148 additions & 13 deletions
diff --git a/‎demos/test/cipher_hash_test.c‎
Lines changed: 22 additions & 1 deletion b/‎demos/test/cipher_hash_test.c‎
Lines changed: 22 additions & 1 deletion
@@ -1,3 +1,45 @@
+August 6th, 2004
+v0.98  -- Update to hmac_init to free all allocated memory on error
+       -- Update to PRNG API to fix import/export functions of Fortuna and Yarrow
+       -- Added test functions to PRNG api, RC4 now conforms ;-) [was a minor issue]
+       -- Added the SOBER-128 PRNG based off of code donated by Greg Rose.
+       -- Added Tech Note #4 [notes/tech0004.txt] 
+       -- Changed RC4 back [due to request].  It will now XOR the output so you can use it like 
+          a stream cipher easily.
+       -- Update Fortuna's export() to emit a hash of each pool.  This means that the accumulated 
+          entropy that was spread over all the pools isn't entirely lost when you export/import.
+       -- Zhi Chen suggested a comment for rsa_encrypt_key() to let users know [easily] that it was
+          PKCS #1 v2.0 padding.  (updated other rsa_* functions)
+       -- Cleaned up Noekeon to remove unrolling [wasn't required, was messy and actually slower with GCC/ICC]
+       -- Updated RC4 so that when you feed it >256 bytes of entropy it quietly ignores additional
+          bytes.  Also removed the % from the key setup to speed it up a bit.
+       -- Added cipher/hash/prng tests to x86_prof to help catch bugs while testing
+       -- Made the PRNG "done" return int, fixed sprng_done to not require prng* to be non-null
+       -- Spruced up mycrypt_custom.h to trap more errors and also help prevent LTMSSE from being defined
+          on non-i386 platforms by accident.
+       -- Added RSA/ECC/DH speed tests to x86_prof and cleaned it up to build with zero warnings
+       -- Changed Fortuna to count only entropy [not the 2 byte header] added to pool[0] into the 
+          reseed mechanism.  
+       -- Added "export_size" member to prng_descriptor tables so you can know in advance the size of 
+          the exported state for any given PRNG.  
+       -- Ported over patch on LTM 0.30 [not ready to release LTM 0.31] that fixes bug in mp_mul()/mp_div()
+          that used to result in negative zeroes when you multiplied zero by a negative integer.  
+          (patch due to "Wolfgang Ehrhardt" <Wolfgang.Ehrhardt@munich.netsurf.de>)
+       -- Fixed rsa_*decrypt_key() and rsa_*verify_hash() to default to invalid "stat" or "res".  This way
+          if any of the higher level functions fail [before you get to the padding] the result will be in
+          a known state].  Applied to both v2 and v1.5 padding helpers.
+       -- Added MACs to x86_prof
+       -- Fixed up "warnings" in x86_prof and tv_gen
+       -- Added a "profiled" target back [for GCC 3.4 and ICC v8].  Doesn't seem to help but might be worth
+          tinkering with.
+       -- Beefed up load/store test in demos/test
+
+       ++ New note, in order to use the optimized LOAD/STORE macros your platform
+          must support unaligned 32/64 bit load/stores.  The x86s support this
+          but some [ARM for instance] do not.  If your platform cannot perform
+          unaligned operations you must use the endian neutral code which is safe for 
+          any sort of platform.
+
 July 23rd, 2004
 v0.97b -- Added PKCS #1 v1.5 RSA encrypt/sign helpers (like rsa_sign_hash, etc...)
        -- Added missing prng check to rsa_decrypt_key() [not critical as I don't use 
@@ -62,7 +104,7 @@ v0.96  -- Removed GF and Keyring code
        -- Changed PSS/OAEP API slightly to be more consistent with other PK functions (order of arguments)
        -- rsa_exptmod() now pads with leading zeroes as per I2OSP.
        -- added error checking to yarrow code
-       -- Mike Frysinger pointed out that tommath.h from this distro will overwrite tommath.h
+       --  pointed out that tommath.h from this distro will overwrite tommath.h
           from libtommath.  I changed this to ltc_tommath.h to avoid any such problems.
        -- Fixed bug in PSS encoder/decoder that didn't handle the MSB properly
        -- refactored AES, now sports an "encrypt only" descriptor which uses half as much code space.
 
@@ -141,6 +141,26 @@ const char *crypt_build_settings =
     "   CTR\n"
 #endif
 
+    "\nMACs:\n"
+#if defined(HMAC)
+    "   HMAC\n"
+#endif
+#if defined(OMAC)
+    "   OMAC\n"
+#endif
+#if defined(PMAC)
+    "   PMAC\n"
+#endif
+
+    "\nENC + AUTH modes:\n"
+#if defined(EAX_MODE)
+    "   EAX_MODE\n"
+#endif
+#if defined(OCB_MODE)
+    "   OCB_MODE\n"
+#endif
+
+
     "\nPRNG:\n"
 #if defined(YARROW)
     "   Yarrow\n"
@@ -151,6 +171,12 @@ const char *crypt_build_settings =
 #if defined(RC4)
     "   RC4\n"
 #endif
+#if defined(FORTUNA)
+    "   Fortuna\n"
+#endif
+#if defined(SOBER128)
+    "   SOBER128\n"
+#endif
 
     "\nPK Algs:\n"
 #if defined(MRSA)
@@ -197,21 +223,6 @@ const char *crypt_build_settings =
 #if defined(MPI)
     " MPI "
 #endif
-#if defined(HMAC)
-    " HMAC "
-#endif
-#if defined(OMAC)
-    " OMAC "
-#endif
-#if defined(PMAC)
-    " PMAC "
-#endif
-#if defined(EAX_MODE)
-    " EAX_MODE "
-#endif
-#if defined(OCB_MODE)
-    " OCB_MODE "
-#endif
 #if defined(TRY_UNRANDOM_FIRST)
     " TRY_UNRANDOM_FIRST "
 #endif
@@ -229,6 +240,9 @@ const char *crypt_build_settings =
 #endif
 #if defined(NO_FILE)
     " NO_FILE "
+#endif
+#if defined(LTMSSE)
+    " LTMSSE "
 #endif
     "\n"
     "\n\n\n"
 
@@ -47,7 +47,7 @@
 \def\gap{\vspace{0.5ex}}
 \makeindex
 \begin{document}
-\title{LibTomCrypt \\ Version 0.97b}
+\title{LibTomCrypt \\ Version 0.98}
 \author{Tom St Denis \\
 \\
 tomstdenis@iahu.ca \\
@@ -1687,37 +1687,101 @@ \section{PMAC Support}
 Which returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code.
 
 
+
+
+
 \chapter{Pseudo-Random Number Generators}
 \section{Core Functions}
-
 The library provides an array of core functions for Pseudo-Random Number Generators (PRNGs) as well.  A cryptographic PRNG is
 used to expand a shorter bit string into a longer bit string.  PRNGs are used wherever random data is required such as Public Key (PK)
 key generation.  There is a universal structure called ``prng\_state''.  To initialize a PRNG call:
+\index{PRNG start}
 \begin{verbatim}
 int XXX_start(prng_state *prng);
 \end{verbatim}
 
 This will setup the PRNG for future use and not seed it.  In order 
 for the PRNG to be cryptographically useful you must give it entropy.  Ideally you'd have some OS level source to tap 
 like in UNIX (see section 5.3).  To add entropy to the PRNG call:
+\index{PRNG add\_entropy}
 \begin{verbatim}
 int XXX_add_entropy(const unsigned char *in, unsigned long len, 
                     prng_state *prng);
 \end{verbatim}
 
 Which returns {\bf CRYPTO\_OK} if the entropy was accepted.  Once you think you have enough entropy you call another
 function to put the entropy into action.
+\index{PRNG ready}
 \begin{verbatim}
 int XXX_ready(prng_state *prng);
 \end{verbatim}
 
 Which returns {\bf CRYPTO\_OK} if it is ready.  Finally to actually read bytes call:
+\index{PRNG read}
 \begin{verbatim}
 unsigned long XXX_read(unsigned char *out, unsigned long len,
                        prng_state *prng);
 \end{verbatim}
 
-Which returns the number of bytes read from the PRNG.
+Which returns the number of bytes read from the PRNG.  When you are finished with a PRNG state you call
+the following.
+
+\index{PRNG done}
+\begin{verbatim}
+void XXX_done(prng_state *prng);
+\end{verbatim}
+
+This will terminate a PRNG state and free any memory (if any) allocated.  To export a PRNG state
+so that you can later resume the PRNG call the following.
+
+\index{PRNG export}
+\begin{verbatim}
+int XXX_export(unsigned char *out, unsigned long *outlen, 
+               prng_state    *prng);
+\end{verbatim}
+
+This will write a ``PRNG state'' to the buffer ``out'' of length ``outlen'' bytes.  The idea of 
+the export is meant to be used as a ``seed file''.  That is, when the program starts up there will not likely
+be that much entropy available.   To import a state to seed a PRNG call the following function.
+
+\index{PRNG import}
+\begin{verbatim}
+int XXX_import(const unsigned char *in, unsigned long inlen, 
+                     prng_state     *prng);
+\end{verbatim}
+
+This will call the start and add\_entropy functions of the given PRNG.  It will use the state in
+``in'' of length ``inlen'' as the initial seed.  You must pass the same seed length as was exported
+by the corresponding export function.
+
+Note that importing a state will not ``resume'' the PRNG from where it left off.  That is, if you export
+a state, emit (say) 8 bytes and then import the previously exported state the next 8 bytes will not 
+specifically equal the 8 bytes you generated previously.
+
+When a program is first executed the normal course of operation is 
+
+\begin{enumerate}
+   \item Gather entropy from your sources for a given period of time or number of events.
+   \item Start, use your entropy via add\_entropy and ready the PRNG yourself.
+\end{enumerate}
+
+When your program is finished you simply call the export function and save the state to a medium (disk,
+flash memory, etc).  The next time your application starts up you can detect the state, feed it to the 
+import function and go on your way.  It is ideal that (as soon as possible) after startup you export a
+fresh state.  This helps in the case that the program aborts or the machine is powered down without
+being given a chance to exit properly.  
+
+Note that even if you have a state to import it is important to add new entropy to the state.  However,
+there is less pressure to do so.  
+
+To test a PRNG for operational conformity call the following functions.
+
+\index{PRNG test}
+\begin{verbatim}
+int XXX_test(void);
+\end{verbatim}
+
+This will return \textbf{CRYPT\_OK} if PRNG is operating properly.
 
 \subsection{Remarks}
 
@@ -1728,8 +1792,8 @@ \subsection{Remarks}
 
 \subsection{Example}
 
-Below is a simple snippet to read 10 bytes from yarrow.  Its important to note that this snippet is {\bf NOT} secure since
-the entropy added is not random.
+Below is a simple snippet to read 10 bytes from yarrow.  Its important to note that this snippet is 
+{\bf NOT} secure since the entropy added is not random.
 
 \begin{verbatim}
 #include <mycrypt.h>
@@ -1762,10 +1826,15 @@ \section{PRNG Descriptors}
 \begin{verbatim}
 struct _prng_descriptor {
     char *name;
+    int  export_size;    /* size in bytes of exported state */
     int (*start)      (prng_state *);
     int (*add_entropy)(const unsigned char *, unsigned long, prng_state *);
     int (*ready)      (prng_state *);
     unsigned long (*read)(unsigned char *, unsigned long len, prng_state *);
+    void (*done)(prng_state *);
+    int (*export)(unsigned char *, unsigned long *, prng_state *);
+    int (*import)(const unsigned char *, unsigned long, prng_state *);
+    int (*test)(void);
 };
 \end{verbatim}
 
@@ -1779,16 +1848,82 @@ \section{PRNG Descriptors}
 int unregister_prng(const struct _prng_descriptor *prng);
 \end{verbatim}
 
-\subsubsection{PRNGs Provided}
-Currently Yarrow (yarrow\_desc), RC4 (rc4\_desc) and the secure RNG (sprng\_desc) are provided as PRNGs within the 
-library.  
+\subsection{PRNGs Provided}
+\begin{figure}[here]
+\begin{center}
+\begin{small}
+\begin{tabular}{|c|c|l|}
+\hline \textbf{Name} & \textbf{Descriptor} & \textbf{Usage} \\
+\hline Yarrow & yarrow\_desc & Fast short-term PRNG \\
+\hline Fortuna & fortuna\_desc & Fast long-term PRNG (recommended) \\
+\hline RC4 & rc4\_desc & Stream Cipher \\
+\hline SOBER-128 & sober128\_desc & Stream Cipher (also very fast PRNG) \\
+\hline
+\end{tabular}
+\end{small}
+\end{center}
+\caption{List of Provided PRNGs}
+\end{figure}
+
+\subsubsection{Yarrow}
+Yarrow is fast PRNG meant to collect an unspecified amount of entropy from sources 
+(keyboard, mouse, interrupts, etc) and produce an unbounded string of random bytes.  
+
+\textit{Note:} This PRNG is still secure for most taskings but is no longer recommended.  Users
+should use Fortuna instead.
+
+\subsubsection{Fortuna}
+
+Fortuna is a fast attack tolerant and more thoroughly designed PRNG suitable for long term
+usage.  It is faster than the default implementation of Yarrow\footnote{Yarrow has been implemented
+to work with most cipher and hash combos based on which you have chosen to build into the library.} while
+providing more security.  
+
+Fortuna is slightly less flexible than Yarrow in the sense that it only works with the AES block cipher 
+and SHA--256 hash function.  Technically Fortuna will work with any block cipher that accepts a 256--bit
+key and any hash that produces at least a 256--bit output.  However, to make the implementation simpler
+it has been fixed to those choices.
+
+Fortuna is more secure than Yarrow in the sense that attackers who learn parts of the entropy being 
+added to the PRNG learn far less about the state than that of Yarrow.  Without getting into to many
+details Fortuna has the ability to recover from state determination attacks where the attacker starts
+to learn information from the PRNGs output about the internal state.  Yarrow on the other hand cannot 
+recover from that problem until new entropy is added to the pool and put to use through the ready() function.
+
+\subsubsection{RC4}
+
+RC4 is an old stream cipher that can also double duty as a PRNG in a pinch.  You ``key'' it by
+calling add\_entropy() and setup the key by calling ready().  You can only add upto 256 bytes via
+add\_entropy().  
+
+When you read from RC4 the output of the RC4 algorithm is XOR'd against your buffer you provide.  In this
+manner you can use rc4\_read() as an encrypt (and decrypt) function.  
+
+You really shouldn't use RC4 anymore.  This isn't because RC4 is weak (though biases are known to exist) just
+simply that faster alternatives exist.
+
+\subsubsection{SOBER-128}
+
+SOBER-128 is a stream cipher designed by the QUALCOMM Australia team.  Like RC4 you ``key'' it by 
+calling add\_entropy().  There is no need to call ready() for this PRNG as it does not do anything.  
+
+Note that this cipher has several oddities about how it operates.  The first time you call 
+add\_entropy() that sets the cipher's key.  Every other time you call the same function it sets
+the cipher's IV variable.  The IV mechanism allows you to encrypt several messages with the same
+key and not re--use the same key material.
+
+Unlike Yarrow and Fortuna all of the entropy (and hence security) of this algorithm rests in the data
+you pass it on the first call to add\_entropy().  All buffers sent to add\_entropy() must have a length
+that is a multiple of four bytes.
+
+Like RC4 the output of SOBER--128 is XOR'ed against the buffer you provide it.  In this manner you can use
+sober128\_read() as an encrypt (and decrypt) function.
 
-RC4 is provided with a PRNG interface because it is a stream cipher and not well suited for the symmetric block cipher
-interface.  You provide the key for RC4 via the rc4\_add\_entropy() function.  By calling rc4\_ready() the key will be used
-to setup the RC4 state for encryption or decryption.  The rc4\_read() function has been modified from RC4 since it will 
-XOR the output of the RC4 keystream generator against the input buffer you provide.  The following snippet will demonstrate
-how to encrypt a buffer with RC4:
+Since SOBER-128 has a fixed keying scheme and is very fast (faster than RC4) the ideal usage of SOBER-128 is to 
+key it from the output of Fortuna (or Yarrow) and use it to encrypt messages.  It is also ideal for
+simulations which need a high quality (and fast) stream of bytes.  
 
+\subsubsection{Example Usage}
 \begin{small}
 \begin{verbatim}
 #include <mycrypt.h>
 
@@ -4,7 +4,10 @@
 
 int cipher_hash_test(void)
 {
-   int x;
+   int           x;
+   unsigned char buf[4096];
+   unsigned long n;
+   prng_state    nprng;
 
    /* test ciphers */
    for (x = 0; cipher_descriptor[x].name != NULL; x++) {
@@ -15,6 +18,24 @@ int cipher_hash_test(void)
    for (x = 0; hash_descriptor[x].name != NULL; x++) {
       DO(hash_descriptor[x].test());
    }
+ 
+   /* test prngs (test, import/export */
+   for (x = 0; prng_descriptor[x].name != NULL; x++) {
+      DO(prng_descriptor[x].test());
+      DO(prng_descriptor[x].start(&nprng));
+      DO(prng_descriptor[x].add_entropy("helloworld12", 12, &nprng));
+      DO(prng_descriptor[x].ready(&nprng));
+      n = sizeof(buf);
+      DO(prng_descriptor[x].export(buf, &n, &nprng));
+      prng_descriptor[x].done(&nprng);
+      DO(prng_descriptor[x].import(buf, n, &nprng));
+      DO(prng_descriptor[x].ready(&nprng));
+      if (prng_descriptor[x].read(buf, 100, &nprng) != 100) {
+         fprintf(stderr, "Error reading from imported PRNG!\n");
+         exit(EXIT_FAILURE);
+      }
+      prng_descriptor[x].done(&nprng);
+   }
 
    return 0;
 }