/* Initializes the nonce level random generator.
*
* the @new_key must be provided.
*
* @init must be non zero on first initialization, and
* zero on any subsequent reinitializations.
*/
static int single_prng_init(struct prng_ctx_st *ctx,
uint8_t new_key[PRNG_KEY_SIZE],
unsigned new_key_size,
unsigned init)
{
uint8_t nonce[CHACHA_NONCE_SIZE];
memset(nonce, 0, sizeof(nonce)); /* to prevent valgrind from whinning */
if (init == 0) {
/* use the previous key to generate IV as well */
chacha_crypt(&ctx->ctx, sizeof(nonce), nonce, nonce);
/* Add key continuity by XORing the new key with data generated
* from the old key */
chacha_crypt(&ctx->ctx, new_key_size, new_key, new_key);
} else {
struct timespec now; /* current time */
ctx->forkid = _gnutls_get_forkid();
gettime(&now);
memcpy(nonce, &now, MIN(sizeof(nonce), sizeof(now)));
ctx->last_reseed = now.tv_sec;
}
chacha_set_key(&ctx->ctx, new_key);
chacha_set_nonce(&ctx->ctx, nonce);
zeroize_key(new_key, new_key_size);
ctx->counter = 0;
return 0;
}
/* Initializes the nonce level random generator.
*
* the @nonce_key must be provided.
*
* @init must be non zero on first initialization, and
* zero on any subsequent reinitializations.
*/
static int nonce_rng_init(struct nonce_ctx_st *ctx,
uint8_t nonce_key[NONCE_KEY_SIZE],
unsigned nonce_key_size,
unsigned init)
{
uint8_t iv[8];
int ret;
if (init == 0) {
/* use the previous key to generate IV as well */
memset(iv, 0, sizeof(iv)); /* to prevent valgrind from whinning */
salsa20r12_crypt(&ctx->ctx, sizeof(iv), iv, iv);
/* Add key continuity by XORing the new key with data generated
* from the old key */
salsa20r12_crypt(&ctx->ctx, nonce_key_size, nonce_key, nonce_key);
} else {
ctx->forkid = _gnutls_get_forkid();
/* when initializing read the IV from the system randomness source */
ret = _rnd_get_system_entropy(iv, sizeof(iv));
if (ret < 0)
return gnutls_assert_val(ret);
}
salsa20_set_key(&ctx->ctx, nonce_key_size, nonce_key);
salsa20_set_iv(&ctx->ctx, iv);
zeroize_key(nonce_key, nonce_key_size);
ctx->counter = 0;
return 0;
}
static int wrap_nettle_rnd_init(void **ctx)
{
int ret;
struct event_st event;
uint8_t nonce_key[NONCE_KEY_SIZE];
memset(&rnd_ctx, 0, sizeof(rnd_ctx));
ret = gnutls_mutex_init(&nonce_ctx.mutex);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret = gnutls_mutex_init(&rnd_ctx.mutex);
if (ret < 0) {
gnutls_assert();
return ret;
}
/* initialize the main RNG */
yarrow256_init(&rnd_ctx.yctx, SOURCES, rnd_ctx.ysources);
_rnd_get_event(&event);
rnd_ctx.forkid = _gnutls_get_forkid();
ret = do_device_source(&rnd_ctx, 1, &event);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret = do_trivia_source(&rnd_ctx, 1, &event);
if (ret < 0) {
gnutls_assert();
return ret;
}
yarrow256_slow_reseed(&rnd_ctx.yctx);
/* initialize the nonce RNG */
ret = _rnd_get_system_entropy(nonce_key, sizeof(nonce_key));
if (ret < 0)
return gnutls_assert_val(ret);
ret = nonce_rng_init(&nonce_ctx, nonce_key, sizeof(nonce_key), 1);
if (ret < 0)
return gnutls_assert_val(ret);
return 0;
}
static int
wrap_nettle_rnd(void *_ctx, int level, void *data, size_t datasize)
{
int ret, reseed = 0;
struct event_st event;
if (level == GNUTLS_RND_NONCE)
return wrap_nettle_rnd_nonce(_ctx, data, datasize);
_rnd_get_event(&event);
RND_LOCK(&rnd_ctx);
if (_gnutls_detect_fork(rnd_ctx.forkid)) { /* fork() detected */
memset(&rnd_ctx.device_last_read, 0, sizeof(rnd_ctx.device_last_read));
reseed = 1;
}
/* reseed main */
ret = do_trivia_source(&rnd_ctx, 0, &event);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = do_device_source(&rnd_ctx, 0, &event);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
if (reseed != 0) {
yarrow256_slow_reseed(&rnd_ctx.yctx);
rnd_ctx.forkid = _gnutls_get_forkid();
}
yarrow256_random(&rnd_ctx.yctx, datasize, data);
ret = 0;
cleanup:
RND_UNLOCK(&rnd_ctx);
return ret;
}
static int
wrap_nettle_rnd_nonce(void *_ctx, void *data, size_t datasize)
{
int ret, reseed = 0;
uint8_t nonce_key[NONCE_KEY_SIZE];
/* we don't really need memset here, but otherwise we
* get filled with valgrind warnings */
memset(data, 0, datasize);
RND_LOCK(&nonce_ctx);
if (_gnutls_detect_fork(nonce_ctx.forkid)) {
reseed = 1;
}
if (reseed != 0 || nonce_ctx.counter > NONCE_RESEED_BYTES) {
/* reseed nonce */
ret = _rnd_get_system_entropy(nonce_key, sizeof(nonce_key));
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = nonce_rng_init(&nonce_ctx, nonce_key, sizeof(nonce_key), 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
nonce_ctx.forkid = _gnutls_get_forkid();
}
salsa20r12_crypt(&nonce_ctx.ctx, datasize, data, data);
nonce_ctx.counter += datasize;
ret = 0;
cleanup:
RND_UNLOCK(&nonce_ctx);
return ret;
}
static int
wrap_nettle_rnd(void *_ctx, int level, void *data, size_t datasize)
{
struct generators_ctx_st *ctx = _ctx;
struct prng_ctx_st *prng_ctx;
int ret, reseed = 0;
uint8_t new_key[PRNG_KEY_SIZE];
time_t now;
if (level == GNUTLS_RND_RANDOM || level == GNUTLS_RND_KEY)
prng_ctx = &ctx->normal;
else if (level == GNUTLS_RND_NONCE)
prng_ctx = &ctx->nonce;
else
return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
/* Two reasons for this memset():
* 1. avoid getting filled with valgrind warnings
* 2. avoid a cipher/PRNG failure to expose stack data
*/
memset(data, 0, datasize);
now = gnutls_time(0);
/* We re-seed based on time in addition to output data. That is,
* to prevent a temporal state compromise to become permanent for low
* traffic sites */
if (unlikely(_gnutls_detect_fork(prng_ctx->forkid))) {
reseed = 1;
} else {
if (now > prng_ctx->last_reseed + prng_reseed_time[level])
reseed = 1;
}
if (reseed != 0 || prng_ctx->counter > prng_reseed_limits[level]) {
if (level == GNUTLS_RND_NONCE) {
ret = wrap_nettle_rnd(_ctx, GNUTLS_RND_RANDOM, new_key, sizeof(new_key));
} else {
/* we also use the system entropy to reduce the impact
* of a temporal state compromise for these two levels. */
ret = _rnd_get_system_entropy(new_key, sizeof(new_key));
}
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = single_prng_init(prng_ctx, new_key, sizeof(new_key), 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
prng_ctx->last_reseed = now;
prng_ctx->forkid = _gnutls_get_forkid();
}
chacha_crypt(&prng_ctx->ctx, datasize, data, data);
prng_ctx->counter += datasize;
if (level == GNUTLS_RND_KEY) { /* prevent backtracking */
ret = wrap_nettle_rnd(_ctx, GNUTLS_RND_RANDOM, new_key, sizeof(new_key));
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = single_prng_init(prng_ctx, new_key, sizeof(new_key), 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
}
ret = 0;
cleanup:
return ret;
}
