archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/ds/win32/ntcrypto/fips/driver/fipsapi.c

893 lines
21 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /////////////////////////////////////////////////////////////////////////////
  2. // FILE : fipsdll.c //
  3. // DESCRIPTION : //
  4. // AUTHOR : //
  5. // HISTORY : //
  6. // Nov 29 1999 jeffspel Created //
  7. // //
  8. // Copyright (C) 1999 Microsoft Corporation All Rights Reserved //
  9. /////////////////////////////////////////////////////////////////////////////
  11. #include <ntddk.h>
  12. #include <fipsapi.h>
  13. #include <rsa_fast.h>
  14. #include <rsa_math.h>
  15. #include <randlib.h>
  17. //
  18. // Fill in the DESTable struct with the decrypt and encrypt
  19. // key expansions.
  20. //
  21. // Assumes that the second parameter points to DES_BLOCKLEN
  22. // bytes of key.
  23. //
  24. //
  26. #pragma alloc_text(PAGER32C, FipsDesKey)
  27. #pragma alloc_text(PAGER32C, FipsDes)
  28. #pragma alloc_text(PAGER32C, Fips3Des3Key)
  29. #pragma alloc_text(PAGER32C, Fips3Des)
  30. #pragma alloc_text(PAGER32C, FipsSHAInit)
  31. #pragma alloc_text(PAGER32C, FipsSHAUpdate)
  32. #pragma alloc_text(PAGER32C, FipsSHAFinal)
  33. #pragma alloc_text(PAGER32C, FipsCBC)
  34. #pragma alloc_text(PAGER32C, FIPSGenRandom)
  35. #pragma alloc_text(PAGER32C, FipsCBC)
  36. #pragma alloc_text(PAGER32C, FIPSGenRandom)
  37. #pragma alloc_text(PAGER32C, FipsBlockCBC)
  38. #pragma alloc_text(PAGER32C, FipsHmacSHAInit)
  39. #pragma alloc_text(PAGER32C, FipsHmacSHAUpdate)
  40. #pragma alloc_text(PAGER32C, FipsHmacSHAFinal)
  41. #pragma alloc_text(PAGER32C, HmacMD5Init)
  42. #pragma alloc_text(PAGER32C, HmacMD5Update)
  43. #pragma alloc_text(PAGER32C, HmacMD5Final)
  45. void *
  46. __stdcall
  47. RSA32Alloc(
  48. unsigned long cb
  49. )
  50. {
  51. return (void *)ExAllocatePool(PagedPool, cb);
  52. }
  54. void
  55. __stdcall
  56. RSA32Free(
  57. void *pv
  58. )
  59. {
  60. ExFreePool( pv );
  61. }
  63. VOID FipsDesKey(DESTable *DesTable, UCHAR *pbKey)
  64. {
  65. UCHAR rgbTmpKey[DES_KEYSIZE];
  67. RtlCopyMemory(rgbTmpKey, pbKey, DES_KEYSIZE);
  69. deskey(DesTable, rgbTmpKey);
  71. RtlZeroMemory(rgbTmpKey, DES_KEYSIZE);
  72. }
  74. //
  75. // Encrypt or decrypt with the key in DESTable
  76. //
  77. //
  79. VOID FipsDes(UCHAR *pbOut, UCHAR *pbIn, void *pKey, int iOp)
  80. {
  81. DESTable TmpDESTable;
  83. RtlCopyMemory(&TmpDESTable, pKey, sizeof(DESTable));
  85. des(pbOut, pbIn, &TmpDESTable, iOp);
  86. RtlZeroMemory(&TmpDESTable, sizeof(DESTable));
  87. }
  89. //
  90. // Fill in the DES3Table structs with the decrypt and encrypt
  91. // key expansions.
  92. //
  93. // Assumes that the second parameter points to 3 * DES_BLOCKLEN
  94. // bytes of key.
  95. //
  96. //
  98. VOID Fips3Des3Key(PDES3TABLE pDES3Table, UCHAR *pbKey)
  99. {
  100. UCHAR rgbTmpKey[DES3_KEYSIZE];
  102. RtlCopyMemory(rgbTmpKey, pbKey, DES3_KEYSIZE);
  104. tripledes3key(pDES3Table, rgbTmpKey);
  105. RtlZeroMemory(rgbTmpKey, DES3_KEYSIZE);
  106. }
  108. //
  109. // Encrypt or decrypt with the key in pKey
  110. //
  112. VOID Fips3Des(UCHAR *pbIn, UCHAR *pbOut, void *pKey, int op)
  113. {
  114. DES3TABLE Tmp3DESTable;
  116. RtlCopyMemory(&Tmp3DESTable, pKey, sizeof(DES3TABLE));
  118. tripledes(pbIn, pbOut, &Tmp3DESTable, op);
  119. RtlZeroMemory(&Tmp3DESTable, sizeof(DES3TABLE));
  120. }
  122. //
  123. // Initialize the SHA context.
  124. //
  126. VOID FipsSHAInit(A_SHA_CTX *pShaCtx)
  127. {
  128. A_SHAInit(pShaCtx);
  129. }
  131. //
  132. // Hash data into the hash context.
  133. //
  135. VOID FipsSHAUpdate(A_SHA_CTX *pShaCtx, UCHAR *pb, unsigned int cb)
  136. {
  137. A_SHAUpdate(pShaCtx, pb, cb);
  138. }
  140. //
  141. // Finish the SHA hash and copy the final hash value into the pbHash out param.
  142. //
  144. VOID FipsSHAFinal(A_SHA_CTX *pShaCtx, UCHAR *pbHash)
  145. {
  146. A_SHAFinal(pShaCtx, pbHash);
  147. }
  149. typedef void (*FIPSCIPHER)(UCHAR*, UCHAR*, void*, int);
  151. //
  152. // FipsCBC (cipher block chaining) performs a XOR of the feedback register
  153. // with the plain text before calling the block cipher
  154. //
  155. // NOTE - Currently this function assumes that the block length is
  156. // DES_BLOCKLEN (8 bytes).
  157. //
  158. // Return: Failure if FALSE is returned, TRUE if it succeeded.
  159. //
  161. BOOL FipsCBC(
  162. ULONG EncryptionAlg,
  163. PBYTE pbOutput,
  164. PBYTE pbInput,
  165. void *pKeyTable,
  166. int Operation,
  167. PBYTE pbFeedback
  168. )
  169. {
  170. UCHAR rgbTmpKeyTable[DES3_TABLESIZE]; // 3DES is the max table size
  171. ULONG cbKeyTable;
  172. FIPSCIPHER FipsCipher;
  173. BOOL fRet = TRUE;
  174. PBYTE pbOutputSave = NULL, pbInputSave = NULL, pbFeedbackSave = NULL;
  175. UINT64 OutputAlignedBuffer, InputAlignedBuffer, FeedbackAlignedBuffer;
  177. #ifdef IA64
  178. #define ALIGNMENT_BOUNDARY 7
  179. #else
  180. #define ALIGNMENT_BOUNDARY 3
  181. #endif
  183. // align input buffer
  184. if ((ULONG_PTR) pbInput & ALIGNMENT_BOUNDARY) {
  186. InputAlignedBuffer = *(UINT64 UNALIGNED *) pbInput;
  187. pbInputSave = pbInput;
  189. if (pbOutput == pbInput) {
  191. pbOutput = (PBYTE) &InputAlignedBuffer;
  192. }
  194. pbInput = (PBYTE) &InputAlignedBuffer;
  195. }
  197. // align output buffer
  198. if ((ULONG_PTR) pbOutput & ALIGNMENT_BOUNDARY) {
  200. OutputAlignedBuffer = *(UINT64 UNALIGNED *) pbOutput;
  201. pbOutputSave = pbOutput;
  202. pbOutput = (PBYTE) &OutputAlignedBuffer;
  203. }
  205. if ((ULONG_PTR) pbFeedback & ALIGNMENT_BOUNDARY) {
  207. FeedbackAlignedBuffer = *(UINT64 UNALIGNED *) pbFeedback;
  208. pbFeedbackSave = pbFeedback;
  209. pbFeedback = (PBYTE) &FeedbackAlignedBuffer;
  210. }
  214. //
  215. // determine the algorithm to use
  216. //
  217. switch(EncryptionAlg)
  218. {
  219. case FIPS_CBC_DES:
  220. {
  221. FipsCipher = des;
  222. cbKeyTable = DES_TABLESIZE;
  223. break;
  224. }
  225. case FIPS_CBC_3DES:
  226. {
  227. FipsCipher = tripledes;
  228. cbKeyTable = DES3_TABLESIZE;
  229. break;
  230. }
  231. default:
  232. fRet = FALSE;
  233. goto Ret;
  234. }
  236. RtlCopyMemory(rgbTmpKeyTable, (UCHAR*)pKeyTable, cbKeyTable);
  239. //
  240. // optimize very common codepath: 8 byte blocks
  241. //
  243. if (Operation == ENCRYPT)
  244. {
  245. ((PUINT64) pbOutput)[0] =
  246. ((PUINT64) pbInput)[0] ^ ((PUINT64) pbFeedback)[0];
  248. FipsCipher(pbOutput, pbOutput, rgbTmpKeyTable, ENCRYPT);
  250. ((PUINT64) pbFeedback)[0] = ((PUINT64) pbOutput)[0];
  251. }
  252. else
  253. {
  255. //
  256. // two cases for output:
  257. // input and output are separate buffers
  258. // input and output are same buffers
  259. //
  261. if( pbOutput != pbInput )
  262. {
  264. FipsCipher(pbOutput, pbInput, rgbTmpKeyTable, DECRYPT);
  266. ((PUINT64) pbOutput)[0] ^= ((PUINT64) pbFeedback)[0];
  267. ((PUINT64) pbFeedback)[0] = ((PUINT64) pbInput)[0];
  269. } else {
  271. UINT64 inputTemp;
  273. inputTemp = ((PUINT64) pbInput)[0];
  275. FipsCipher(pbOutput, pbInput, rgbTmpKeyTable, DECRYPT);
  277. ((PUINT64) pbOutput)[0] ^= ((PUINT64) pbFeedback)[0];
  278. ((PUINT64) pbFeedback)[0] = inputTemp;
  279. }
  280. }
  282. RtlZeroMemory(rgbTmpKeyTable, DES3_TABLESIZE);
  284. if (pbInputSave) {
  286. *(UINT64 UNALIGNED *) pbInputSave = InputAlignedBuffer;
  287. }
  289. if (pbOutputSave) {
  291. *(UINT64 UNALIGNED *) pbOutputSave = OutputAlignedBuffer;
  292. }
  294. if (pbFeedbackSave) {
  296. *(UINT64 UNALIGNED *) pbFeedbackSave = FeedbackAlignedBuffer;
  297. }
  299. Ret:
  300. return fRet;
  301. }
  304. //
  305. // FipsBlockCBC (cipher block chaining) performs a XOR of the feedback register
  306. // with the plain text before calling the block cipher
  307. //
  308. // NOTE - Currently this function assumes that the block length is
  309. // DES_BLOCKLEN (8 bytes).
  310. //
  311. // Return: Failure if FALSE is returned, TRUE if it succeeded.
  312. //
  314. BOOL FipsBlockCBC(
  315. ULONG EncryptionAlg,
  316. PBYTE pbOutput,
  317. PBYTE pbInput,
  318. ULONG Length,
  319. void *pKeyTable,
  320. int Operation,
  321. PBYTE pbFeedback
  322. )
  323. {
  324. UCHAR rgbTmpKeyTable[DES3_TABLESIZE]; // 3DES is the max table size
  325. ULONG cbKeyTable;
  326. FIPSCIPHER FipsCipher;
  327. BOOL fRet = TRUE;
  330. ASSERT ((Length % DESX_BLOCKLEN == 0) && (Length > 0));
  331. if ((Length % DESX_BLOCKLEN != 0) || (Length == 0)) {
  332. return FALSE;
  333. }
  335. //
  336. // determine the algorithm to use
  337. //
  338. switch(EncryptionAlg)
  339. {
  340. case FIPS_CBC_DES:
  341. {
  342. FipsCipher = des;
  343. cbKeyTable = DES_TABLESIZE;
  344. break;
  345. }
  346. case FIPS_CBC_3DES:
  347. {
  348. FipsCipher = tripledes;
  349. cbKeyTable = DES3_TABLESIZE;
  350. break;
  351. }
  352. default:
  353. fRet = FALSE;
  354. goto Ret;
  355. }
  357. RtlCopyMemory(rgbTmpKeyTable, (UCHAR*)pKeyTable, cbKeyTable);
  359. //
  360. // optimize very common codepath: 8 byte blocks
  361. //
  363. if (Operation == ENCRYPT)
  364. {
  365. ULONGLONG tmpData; // Make sure the input buffer not touched more than once. Else EFS will break mysteriously.
  366. ULONGLONG chainBlock;
  368. chainBlock = *(ULONGLONG *)pbFeedback;
  369. while (Length > 0){
  371. tmpData = *(ULONGLONG *)pbInput;
  372. tmpData ^= chainBlock;
  374. FipsCipher(pbOutput, (PUCHAR)&tmpData, rgbTmpKeyTable, ENCRYPT);
  375. chainBlock = *(ULONGLONG *)pbOutput;
  377. Length -= DES_BLOCKLEN;
  378. pbInput += DES_BLOCKLEN;
  379. pbOutput += DES_BLOCKLEN;
  382. }
  383. ((PUINT64) pbFeedback)[0] = chainBlock;
  384. }
  385. else
  386. {
  388. PUCHAR pBuffer;
  389. PUCHAR pOutBuffer;
  390. ULONGLONG SaveFeedBack;
  392. //
  393. // two cases for output:
  394. // input and output are separate buffers
  395. // input and output are same buffers
  396. //
  398. pBuffer = pbInput + Length - DES_BLOCKLEN;
  399. pOutBuffer = pbOutput + Length - DES_BLOCKLEN;
  400. SaveFeedBack = *(ULONGLONG *)pBuffer;
  402. while (pBuffer > pbInput) {
  404. FipsCipher(pOutBuffer, pBuffer, rgbTmpKeyTable, DECRYPT);
  405. ((PUINT64) pOutBuffer)[0] ^= *(ULONGLONG *)( pBuffer - DES_BLOCKLEN );
  407. pBuffer -= DES_BLOCKLEN;
  408. pOutBuffer -= DES_BLOCKLEN;
  410. }
  412. FipsCipher(pOutBuffer, pBuffer, rgbTmpKeyTable, DECRYPT);
  413. ((PUINT64) pOutBuffer)[0] ^= *(ULONGLONG *)pbFeedback;
  414. ((PUINT64) pbFeedback)[0] = SaveFeedBack;
  416. }
  418. RtlZeroMemory(rgbTmpKeyTable, DES3_TABLESIZE);
  421. Ret:
  422. return fRet;
  423. }
  425. //
  426. // Function: FipsHmacSHAInit
  427. //
  428. // Description: Initialize a SHA-HMAC context
  429. //
  431. VOID FipsHmacSHAInit(
  432. OUT A_SHA_CTX *pShaCtx,
  433. IN UCHAR *pKey,
  434. IN unsigned int cbKey)
  435. {
  436. PUCHAR key = pKey;
  437. ULONG key_len = cbKey;
  438. UCHAR k_ipad[MAX_LEN_PAD]; /* inner padding - key XORd with ipad */
  439. UCHAR tk[A_SHA_DIGEST_LEN];
  440. ULONG i;
  441. UCHAR tmpKey[MAX_KEYLEN_SHA];
  443. //
  444. // if key is longer than 64 bytes reset it to key=A_SHA_(key) */
  445. //
  446. if (key_len > MAX_KEYLEN_SHA) {
  447. A_SHA_CTX tctx;
  449. A_SHAInit(&tctx);
  450. A_SHAUpdate(&tctx, key, key_len);
  451. A_SHAFinal(&tctx, tk);
  453. key = tk;
  454. key_len = A_SHA_DIGEST_LEN;
  455. }
  457. // For FIPS compliance
  458. RtlCopyMemory(tmpKey, key, key_len);
  460. //
  461. // Zero out the scratch arrays
  462. //
  463. RtlZeroMemory(k_ipad, sizeof(k_ipad));
  465. RtlCopyMemory(k_ipad, tmpKey, key_len);
  467. //
  468. // XOR key with ipad and opad values
  469. //
  470. for (i = 0; i < MAX_KEYLEN_SHA/sizeof(unsigned __int64); i++) {
  471. ((unsigned __int64*)k_ipad)[i] ^= 0x3636363636363636;
  472. }
  474. //
  475. // Init the algorithm context
  476. //
  477. A_SHAInit(pShaCtx);
  479. //
  480. // Inner A_SHA_: start with inner pad
  481. //
  482. A_SHAUpdate(pShaCtx, k_ipad, MAX_KEYLEN_SHA);
  484. RtlZeroMemory(tmpKey, key_len);
  485. }
  487. //
  488. // Function: FipsHmacSHAUpdate
  489. //
  490. // Description: Add more data to a SHA-HMAC context
  491. //
  493. VOID FipsHmacSHAUpdate(
  494. IN OUT A_SHA_CTX *pShaCtx,
  495. IN UCHAR *pb,
  496. IN unsigned int cb)
  497. {
  498. A_SHAUpdate(pShaCtx, pb, cb);
  499. }
  501. //
  502. // Function: FipsHmacSHAFinal
  503. //
  504. // Description: Return result of SHA-HMAC
  505. //
  507. VOID FipsHmacSHAFinal(
  508. IN A_SHA_CTX *pShaCtx,
  509. IN UCHAR *pKey,
  510. IN unsigned int cbKey,
  511. OUT UCHAR *pHash)
  512. {
  513. UCHAR k_opad[MAX_LEN_PAD]; /* outer padding - key XORd with opad */
  514. UCHAR tk[A_SHA_DIGEST_LEN];
  515. PUCHAR key = pKey;
  516. ULONG key_len = cbKey;
  517. ULONG i;
  518. UCHAR tmpKey[MAX_KEYLEN_SHA];
  520. A_SHAFinal(pShaCtx, pHash);
  522. //
  523. // if key is longer than 64 bytes reset it to key=A_SHA_(key) */
  524. //
  525. if (key_len > MAX_KEYLEN_SHA) {
  526. A_SHA_CTX tctx;
  528. A_SHAInit(&tctx);
  529. A_SHAUpdate(&tctx, key, key_len);
  530. A_SHAFinal(&tctx, tk);
  532. key = tk;
  533. key_len = A_SHA_DIGEST_LEN;
  534. }
  536. // For FIPS Compliance
  537. RtlCopyMemory(tmpKey, key, key_len);
  539. RtlZeroMemory(k_opad, sizeof(k_opad));
  540. RtlCopyMemory(k_opad, tmpKey, key_len);
  542. //
  543. // XOR key with ipad and opad values
  544. //
  545. for (i = 0; i < MAX_KEYLEN_SHA/sizeof(unsigned __int64); i++) {
  546. ((unsigned __int64*)k_opad)[i] ^= 0x5c5c5c5c5c5c5c5c;
  547. }
  549. //
  550. // Now do outer A_SHA_
  551. //
  552. A_SHAInit(pShaCtx);
  554. //
  555. // start with outer pad
  556. //
  557. A_SHAUpdate(pShaCtx, k_opad, MAX_KEYLEN_SHA);
  559. //
  560. // then results of 1st hash
  561. //
  562. A_SHAUpdate(pShaCtx, pHash, A_SHA_DIGEST_LEN);
  564. A_SHAFinal(pShaCtx, pHash);
  566. RtlZeroMemory(tmpKey, key_len);
  567. }
  569. //
  570. // Function: HmacMD5Init
  571. //
  572. // Description: Initialize a MD5-HMAC context
  573. //
  575. VOID HmacMD5Init(
  576. OUT MD5_CTX *pMD5Ctx,
  577. IN UCHAR *pKey,
  578. IN unsigned int cbKey)
  579. {
  580. PUCHAR key = pKey;
  581. ULONG key_len = cbKey;
  582. UCHAR k_ipad[MAX_LEN_PAD]; /* inner padding - key XORd with ipad */
  583. UCHAR tk[MD5DIGESTLEN];
  584. ULONG i;
  586. //
  587. // if key is longer than 64 bytes reset it to key=MD5(key) */
  588. //
  589. if (key_len > MAX_KEYLEN_MD5) {
  590. MD5_CTX tctx;
  592. MD5Init(&tctx);
  593. MD5Update(&tctx, key, key_len);
  594. MD5Final(&tctx);
  596. //
  597. // Copy out the partial hash
  598. //
  599. RtlCopyMemory (tk, tctx.digest, MD5DIGESTLEN);
  601. key = tk;
  602. key_len = MD5DIGESTLEN;
  603. }
  605. //
  606. // Zero out the scratch arrays
  607. //
  608. RtlZeroMemory(k_ipad, sizeof(k_ipad));
  610. RtlCopyMemory(k_ipad, key, key_len);
  612. //
  613. // XOR key with ipad and opad values
  614. //
  615. for (i = 0; i < MAX_KEYLEN_MD5/sizeof(unsigned __int64); i++) {
  616. ((unsigned __int64*)k_ipad)[i] ^= 0x3636363636363636;
  617. }
  619. //
  620. // Init the algorithm context
  621. //
  622. MD5Init(pMD5Ctx);
  624. //
  625. // Inner MD5: start with inner pad
  626. //
  627. MD5Update(pMD5Ctx, k_ipad, MAX_KEYLEN_MD5);
  628. }
  630. //
  631. // Function: HmacMD5Update
  632. //
  633. // Description: Add more data to a MD5-HMAC context
  634. //
  636. VOID HmacMD5Update(
  637. IN OUT MD5_CTX *pMD5Ctx,
  638. IN UCHAR *pb,
  639. IN unsigned int cb)
  640. {
  641. MD5Update(pMD5Ctx, pb, cb);
  642. }
  644. //
  645. // Function: HmacMD5Final
  646. //
  647. // Description: Return result of MD5-HMAC
  648. //
  650. VOID HmacMD5Final(
  651. IN MD5_CTX *pMD5Ctx,
  652. IN UCHAR *pKey,
  653. IN unsigned int cbKey,
  654. OUT UCHAR *pHash)
  655. {
  656. UCHAR k_opad[MAX_LEN_PAD]; /* outer padding - key XORd with opad */
  657. UCHAR tk[MD5DIGESTLEN];
  658. PUCHAR key = pKey;
  659. ULONG key_len = cbKey;
  660. ULONG i;
  662. MD5Final(pMD5Ctx);
  664. //
  665. // Copy out the partial hash
  666. //
  667. RtlCopyMemory (pHash, pMD5Ctx->digest, MD5DIGESTLEN);
  669. //
  670. // if key is longer than 64 bytes reset it to key=MD5(key) */
  671. //
  672. if (key_len > MAX_KEYLEN_MD5) {
  673. MD5_CTX tctx;
  675. MD5Init(&tctx);
  676. MD5Update(&tctx, key, key_len);
  677. MD5Final(&tctx);
  679. //
  680. // Copy out the partial hash
  681. //
  682. RtlCopyMemory (tk, tctx.digest, MD5DIGESTLEN);
  684. key = tk;
  685. key_len = MD5DIGESTLEN;
  686. }
  688. RtlZeroMemory(k_opad, sizeof(k_opad));
  689. RtlCopyMemory(k_opad, key, key_len);
  691. //
  692. // XOR key with ipad and opad values
  693. //
  694. for (i = 0; i < MAX_KEYLEN_MD5/sizeof(unsigned __int64); i++) {
  695. ((unsigned __int64*)k_opad)[i] ^= 0x5c5c5c5c5c5c5c5c;
  696. }
  698. //
  699. // Now do outer MD5
  700. //
  701. MD5Init(pMD5Ctx);
  703. //
  704. // start with outer pad
  705. //
  706. MD5Update(pMD5Ctx, k_opad, MAX_KEYLEN_MD5);
  708. //
  709. // then results of 1st hash
  710. //
  711. MD5Update(pMD5Ctx, pHash, MD5DIGESTLEN);
  713. MD5Final(pMD5Ctx);
  715. RtlCopyMemory(pHash, pMD5Ctx->digest, MD5DIGESTLEN);
  716. }
  718. static UCHAR DSSPRIVATEKEYINIT[] =
  719. { 0x67, 0x45, 0x23, 0x01, 0xef, 0xcd, 0xab, 0x89,
  720. 0x98, 0xba, 0xdc, 0xfe, 0x10, 0x32, 0x54, 0x76,
  721. 0xc3, 0xd2, 0xe1, 0xf0};
  723. static UCHAR MODULUS[] =
  724. { 0xf5, 0xc1, 0x56, 0xb1, 0xd5, 0x48, 0x42, 0x2e,
  725. 0xbd, 0xa5, 0x44, 0x41, 0xc7, 0x1c, 0x24, 0x08,
  726. 0x3f, 0x80, 0x3c, 0x90};
  729. UCHAR g_rgbRNGState[A_SHA_DIGEST_LEN];
  731. //
  732. // Function : AddSeeds
  733. //
  734. // Description : This function adds the 160 bit seeds pointed to by pdwSeed1 and
  735. // pdwSeed2, it also adds 1 to this sum and mods the sum by
  736. // 2^160.
  737. //
  739. VOID AddSeeds(
  740. IN ULONG *pdwSeed1,
  741. IN OUT ULONG *pdwSeed2
  742. )
  743. {
  744. ULONG dwTmp;
  745. ULONG dwOverflow = 1;
  746. ULONG i;
  748. for (i = 0; i < 5; i++)
  749. {
  750. dwTmp = dwOverflow + pdwSeed1[i];
  751. dwOverflow = (dwOverflow > dwTmp);
  752. pdwSeed2[i] = pdwSeed2[i] + dwTmp;
  753. dwOverflow = ((dwTmp > pdwSeed2[i]) || dwOverflow);
  754. }
  755. }
  758. void SHA_mod_q(
  759. IN UCHAR *pbHash,
  760. IN UCHAR *pbQ,
  761. OUT UCHAR *pbNewHash
  762. )
  763. //
  764. // Given SHA(message), compute SHA(message) mod qdigit.
  765. // Output is in the interval [0, qdigit-1].
  766. // Although SHA(message) may exceed qdigit,
  767. // it cannot exceed 2*qdigit since the leftmost bit
  768. // of qdigit is 1.
  769. //
  771. {
  772. UCHAR rgbHash[A_SHA_DIGEST_LEN];
  774. if (-1 != Compare((DWORD*)rgbHash, // hash is greater so subtract
  775. (DWORD*)pbQ,
  776. A_SHA_DIGEST_LEN / sizeof(ULONG)))
  777. {
  778. Sub((DWORD*)pbNewHash,
  779. (DWORD*)rgbHash,
  780. (DWORD*)pbQ,
  781. A_SHA_DIGEST_LEN / sizeof(ULONG));
  782. }
  783. else
  784. {
  785. memcpy(pbNewHash, pbHash, A_SHA_DIGEST_LEN);
  786. }
  787. } // SHA_mod_q
  789. //
  790. // Function : RNG16BitStateCheck
  791. //
  792. // Description : This function compares each 160 bits of the buffer with
  793. // the next 160 bits and if they are the same the function
  794. // errors out. The IN buffer is expected to be A_SHA_DIGEST_LEN
  795. // bytes long. The function fails if the RNG is gets the same
  796. // input buffer of 160 bits twice in a row.
  797. //
  799. BOOL RNG16BitStateCheck(
  800. IN OUT ULONG *pdwOut,
  801. IN ULONG *pdwIn,
  802. IN ULONG cbNeeded
  803. )
  804. {
  805. BOOL fRet = FALSE;
  807. if (RtlEqualMemory(g_rgbRNGState, pdwIn, A_SHA_DIGEST_LEN))
  808. {
  809. RtlCopyMemory(g_rgbRNGState, (BYTE*)pdwIn, A_SHA_DIGEST_LEN);
  810. goto Ret;
  811. }
  813. RtlCopyMemory(g_rgbRNGState, (BYTE*)pdwIn, A_SHA_DIGEST_LEN);
  815. RtlCopyMemory((BYTE*)pdwOut, (BYTE*)pdwIn, cbNeeded);
  817. fRet = TRUE;
  818. Ret:
  819. return fRet;
  820. }
  822. //
  823. // Function : FIPSGenRandom
  824. //
  825. // Description : FIPS 186 RNG, the seed is generated by calling NewGenRandom.
  826. //
  828. BOOL FIPSGenRandom(
  829. IN OUT UCHAR *pb,
  830. IN ULONG cb
  831. )
  832. {
  833. ULONG rgdwSeed[A_SHA_DIGEST_LEN/sizeof(ULONG)]; // 160 bits
  834. ULONG rgdwNewSeed[A_SHA_DIGEST_LEN/sizeof(ULONG)]; // 160 bits
  835. A_SHA_CTX SHACtxt;
  836. UCHAR rgbBuf[A_SHA_DIGEST_LEN];
  837. ULONG cbBuf;
  838. UCHAR *pbTmp = pb;
  839. ULONG cbTmp = cb;
  840. ULONG i;
  841. BOOL fRet = FALSE;
  843. while (cbTmp)
  844. {
  845. // get a 160 bit random seed
  846. if (! NewGenRandom(
  847. NULL, NULL, (BYTE*)rgdwNewSeed, sizeof(rgdwNewSeed)))
  848. {
  849. goto Ret;
  850. }
  852. for (i = 0; i < A_SHA_DIGEST_LEN/sizeof(ULONG); i++)
  853. {
  854. rgdwSeed[i] ^= rgdwNewSeed[i];
  855. }
  857. A_SHAInit (&SHACtxt);
  858. RtlCopyMemory(SHACtxt.state, DSSPRIVATEKEYINIT, A_SHA_DIGEST_LEN);
  860. // perform the one way function
  861. A_SHAUpdate(&SHACtxt, (BYTE*)rgdwSeed, sizeof(rgdwSeed));
  862. A_SHAFinal(&SHACtxt, rgbBuf);
  864. // continuous 16 bit state check
  865. if (A_SHA_DIGEST_LEN < cbTmp)
  866. {
  867. cbBuf = A_SHA_DIGEST_LEN;
  868. }
  869. else
  870. {
  871. cbBuf = cbTmp;
  872. }
  873. if (!RNG16BitStateCheck((ULONG*)pbTmp, (ULONG*)rgbBuf, cbBuf))
  874. {
  875. goto Ret;
  876. }
  877. pbTmp += cbBuf;
  878. cbTmp -= cbBuf;
  879. if (0 == cbTmp)
  880. break;
  882. // modular reduction with modulus Q
  883. SHA_mod_q(rgbBuf, MODULUS, (UCHAR*)rgdwNewSeed);
  885. // (1 + previous seed + new random) mod 2^160
  886. AddSeeds(rgdwNewSeed, rgdwSeed);
  887. }
  889. fRet = TRUE;
  890. Ret:
  891. return fRet;
  892. }