projects / u / mdw / catacomb / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix a typo.
[u/mdw/catacomb] / rand.c
CommitLineData
d03ab969 1/* -*-c-*-
2 *
aacbc1c6 3 * $Id: rand.c,v 1.3 1999/12/10 23:28:07 mdw Exp $
d03ab969 4 *
5 * Secure random number generator
6 *
7 * (c) 1998 Straylight/Edgeware
8 */
9
10/*----- Licensing notice --------------------------------------------------*
11 *
12 * This file is part of Catacomb.
13 *
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
18 *
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
23 *
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
27 * MA 02111-1307, USA.
28 */
29
30/*----- Revision history --------------------------------------------------*
31 *
32 * $Log: rand.c,v $
aacbc1c6 33 * Revision 1.3 1999/12/10 23:28:07 mdw
34 * Bug fix: rand_getgood didn't update buffer pointer.
35 *
ba044e65 36 * Revision 1.2 1999/10/12 21:00:15 mdw
37 * Make pool and buffer sizes more sensible.
38 *
d03ab969 39 * Revision 1.1 1999/09/03 08:41:12 mdw
40 * Initial import.
41 *
42 */
43
44/*----- Header files ------------------------------------------------------*/
45
aacbc1c6 46#include <stdarg.h>
d03ab969 47#include <stdio.h>
48#include <string.h>
49
50#include <mLib/bits.h>
aacbc1c6 51#include <mLib/sub.h>
d03ab969 52
53#include "blowfish-cbc.h"
54#include "paranoia.h"
55#include "rand.h"
56#include "rmd160.h"
57#include "rmd160-hmac.h"
58
59/*----- Static variables --------------------------------------------------*/
60
aacbc1c6 61static const grand_ops gops;
62
63typedef struct gctx {
64 grand r;
65 rand_pool p;
66} gctx;
67
68static gctx pool = { { &gops } }; /* Default random pool */
d03ab969 69
70/*----- Macros ------------------------------------------------------------*/
71
72#define RAND_RESOLVE(r) do { \
73 if ((r) == RAND_GLOBAL) \
aacbc1c6 74 (r) = &pool.p; \
d03ab969 75} while (0)
76
77#define TIMER(r) do { \
78 if ((r)->s && (r)->s->timer) \
79 (r)->s->timer(r); \
80} while (0)
81
82/*----- Main code ---------------------------------------------------------*/
83
84/* --- @rand_init@ --- *
85 *
86 * Arguments: @rand_pool *r@ = pointer to a randomness pool
87 *
88 * Returns: ---
89 *
90 * Use: Initializes a randomness pool. The pool doesn't start out
91 * very random: that's your job to sort out.
92 */
93
94void rand_init(rand_pool *r)
95{
96 RAND_RESOLVE(r);
97 memset(r->pool, 0, sizeof(r->pool));
98 memset(r->buf, 0, sizeof(r->buf));
99 r->i = 0;
100 r->irot = 0;
101 r->ibits = r->obits = 0;
102 r->o = RAND_SECSZ;
103 r->s = 0;
aacbc1c6 104 rmd160_hmacinit(&r->k, 0, 0);
d03ab969 105 rand_gate(r);
106}
107
108/* --- @rand_noisesrc@ --- *
109 *
110 * Arguments: @rand_pool *r@ = pointer to a randomness pool
111 * @const rand_source *s@ = pointer to source definition
112 *
113 * Returns: ---
114 *
115 * Use: Sets a noise source for a randomness pool. When the pool's
116 * estimate of good random bits falls to zero, the @getnoise@
117 * function is called, passing the pool handle as an argument.
118 * It is expected to increase the number of good bits by at
119 * least one, because it'll be called over and over again until
120 * there are enough bits to satisfy the caller. The @timer@
121 * function is called frequently throughout the generator's
122 * operation.
123 */
124
125void rand_noisesrc(rand_pool *r, const rand_source *s)
126{
127 RAND_RESOLVE(r);
128 r->s = s;
129}
130
131/* --- @rand_key@ --- *
132 *
133 * Arguments: @rand_pool *r@ = pointer to a randomness pool
134 * @const void *k@ = pointer to key data
135 * @size_t sz@ = size of key data
136 *
137 * Returns: ---
138 *
139 * Use: Sets the secret key for a randomness pool. The key is used
140 * when mixing in new random bits.
141 */
142
143void rand_key(rand_pool *r, const void *k, size_t sz)
144{
145 RAND_RESOLVE(r);
aacbc1c6 146 rmd160_hmacinit(&r->k, k, sz);
d03ab969 147}
148
149/* --- @rand_add@ --- *
150 *
151 * Arguments: @rand_pool *r@ = pointer to a randomness pool
152 * @const void *p@ = pointer a buffer of data to add
153 * @size_t sz@ = size of the data buffer
154 * @unsigned goodbits@ = number of good bits estimated in buffer
155 *
156 * Returns: ---
157 *
158 * Use: Mixes the data in the buffer with the contents of the
159 * pool. The estimate of the number of good bits is added to
160 * the pool's own count. The mixing operation is not
161 * cryptographically strong. However, data in the input pool
162 * isn't output directly, only through the one-way gating
163 * operation, so that shouldn't matter.
164 */
165
166void rand_add(rand_pool *r, const void *p, size_t sz, unsigned goodbits)
167{
168 const octet *c = p;
ba044e65 169 int i, rot;
d03ab969 170
ba044e65 171#if RAND_POOLSZ != 128
d03ab969 172# error Polynomial in rand_add is out of date. Fix it.
173#endif
174
175 RAND_RESOLVE(r);
176
ba044e65 177 i = r->i; rot = r->irot;
d03ab969 178
179 while (sz) {
180 octet o = *c++;
ba044e65 181 r->pool[i] ^= (ROL8(o, rot) ^
182 r->pool[(i + 1) % RAND_POOLSZ] ^
183 r->pool[(i + 2) % RAND_POOLSZ] ^
184 r->pool[(i + 7) % RAND_POOLSZ]);
d03ab969 185 rot = (rot + 5) & 7;
186 i++; if (i >= RAND_POOLSZ) i -= RAND_POOLSZ;
d03ab969 187 sz--;
188 }
189
190 r->i = i;
191 r->irot = rot;
192 r->ibits += goodbits;
193 if (r->ibits > RAND_IBITS)
194 r->ibits = RAND_IBITS;
195}
196
197/* --- @rand_goodbits@ --- *
198 *
199 * Arguments: @rand_pool *r@ = pointer to a randomness pool
200 *
201 * Returns: Estimate of the number of good bits remaining in the pool.
202 */
203
204unsigned rand_goodbits(rand_pool *r)
205{
206 RAND_RESOLVE(r);
207 return (r->ibits + r->obits);
208}
209
210/* --- @rand_gate@ --- *
211 *
212 * Arguments: @rand_pool *r@ = pointer to a randomness pool
213 *
214 * Returns: ---
215 *
216 * Use: Mixes up the entire state of the generator in a nonreversible
217 * way.
218 */
219
220void rand_gate(rand_pool *r)
221{
222 octet mac[RMD160_HASHSZ];
223
224 RAND_RESOLVE(r);
225 TIMER(r);
226
227 /* --- Hash up all the data in the pool --- */
228
229 {
230 rmd160_macctx mc;
231
232 rmd160_macinit(&mc, &r->k);
aacbc1c6 233 rmd160_machash(&mc, r->pool, sizeof(r->pool));
234 rmd160_machash(&mc, r->buf, sizeof(r->buf));
d03ab969 235 rmd160_macdone(&mc, mac);
236 BURN(mc);
237 }
238
239 /* --- Now mangle all of the data based on the hash --- */
240
241 {
242 blowfish_cbcctx bc;
243
244 blowfish_cbcinit(&bc, mac, sizeof(mac), 0);
245 blowfish_cbcencrypt(&bc, r->pool, r->pool, sizeof(r->pool));
246 blowfish_cbcencrypt(&bc, r->buf, r->buf, sizeof(r->buf));
247 BURN(bc);
248 }
249
250 /* --- Reset the various state variables --- */
251
252 r->o = RAND_SECSZ;
253 r->obits += r->ibits;
254 if (r->obits > RAND_OBITS) {
255 r->ibits = r->obits - r->ibits;
256 r->obits = RAND_OBITS;
257 } else
258 r->ibits = 0;
259 TIMER(r);
260}
261
262/* --- @rand_stretch@ --- *
263 *
264 * Arguments: @rand_pool *r@ = pointer to a randomness pool
265 *
266 * Returns: ---
267 *
268 * Use: Stretches the contents of the output buffer by transforming
269 * it in a nonreversible way. This doesn't add any entropy
270 * worth speaking about, but it works well enough when the
271 * caller doesn't care about that sort of thing.
272 */
273
274void rand_stretch(rand_pool *r)
275{
276 octet mac[RMD160_HASHSZ];
277
278 RAND_RESOLVE(r);
279 TIMER(r);
280
281 /* --- Hash up all the data in the buffer --- */
282
283 {
284 rmd160_macctx mc;
285
286 rmd160_macinit(&mc, &r->k);
aacbc1c6 287 rmd160_machash(&mc, r->pool, sizeof(r->pool));
288 rmd160_machash(&mc, r->buf, sizeof(r->buf));
d03ab969 289 rmd160_macdone(&mc, mac);
290 BURN(mc);
291 }
292
293 /* --- Now mangle the buffer based on that hash --- */
294
295 {
296 blowfish_cbcctx bc;
297
298 blowfish_cbcinit(&bc, mac, sizeof(mac), 0);
299 blowfish_cbcencrypt(&bc, r->buf, r->buf, sizeof(r->buf));
300 BURN(bc);
301 }
302
303 /* --- Reset the various state variables --- */
304
305 r->o = RAND_SECSZ;
306 TIMER(r);
307}
308
309/* --- @rand_get@ --- *
310 *
311 * Arguments: @rand_pool *r@ = pointer to a randomness pool
312 * @void *p@ = pointer to output buffer
313 * @size_t sz@ = size of output buffer
314 *
315 * Returns: ---
316 *
317 * Use: Gets random data from the pool. The pool's contents can't be
318 * determined from the output of this function; nor can the
319 * output data be determined from a knowledge of the data input
320 * to the pool wihtout also having knowledge of the secret key.
321 * The good bits counter is decremented, although no special
322 * action is taken if it reaches zero.
323 */
324
325void rand_get(rand_pool *r, void *p, size_t sz)
326{
327 octet *o = p;
328
329 RAND_RESOLVE(r);
330 TIMER(r);
331
332 if (!sz)
333 return;
334 for (;;) {
335 if (r->o + sz <= RAND_BUFSZ) {
336 memcpy(o, r->buf + r->o, sz);
337 r->o += sz;
338 break;
339 } else {
340 size_t chunk = RAND_BUFSZ - r->o;
341 if (chunk) {
342 memcpy(o, r->buf + r->o, chunk);
343 sz -= chunk;
344 o += chunk;
345 }
346 rand_stretch(r);
347 }
348 }
349
350 if (r->obits > sz * 8)
351 r->obits -= sz * 8;
352 else
353 r->obits = 0;
354}
355
356/* --- @rand_getgood@ --- *
357 *
358 * Arguments: @rand_pool *r@ = pointer to a randomness pool
359 * @void *p@ = pointer to output buffer
360 * @size_t sz@ = size of output buffer
361 *
362 * Returns: ---
363 *
364 * Use: Gets random data from the pool. The pool's contents can't be
365 * determined from the output of this function; nor can the
366 * output data be determined from a knowledge of the data input
367 * to the pool wihtout also having knowledge of the secret key.
368 * If a noise source is attached to the pool in question, it is
369 * called to replenish the supply of good bits in the pool;
370 * otherwise this call is equivalent to @rand_get@.
371 */
372
373void rand_getgood(rand_pool *r, void *p, size_t sz)
374{
375 octet *o = p;
376
377 RAND_RESOLVE(r);
378
379 if (!sz)
380 return;
381 if (!r->s || !r->s->getnoise) {
382 rand_get(r, p, sz);
383 return;
384 }
385 TIMER(r);
386
387 while (sz) {
388 size_t chunk = sz;
389
390 if (chunk * 8 > r->obits) {
391 if (chunk * 8 > r->ibits + r->obits)
392 do r->s->getnoise(r); while (r->ibits + r->obits < 128);
393 rand_gate(r);
394 if (chunk * 8 > r->obits)
395 chunk = r->obits / 8;
396 }
397
398 if (chunk + r->o > RAND_BUFSZ)
399 chunk = RAND_BUFSZ - r->o;
400
401 memcpy(o, r->buf + r->o, chunk);
aacbc1c6 402 r->o += chunk;
d03ab969 403 r->obits -= chunk * 8;
404 o += chunk;
405 sz -= chunk;
406 }
407}
408
aacbc1c6 409/*----- Generic random number generator interface -------------------------*/
410
411static void gdestroy(grand *r)
412{
413 gctx *g = (r == &rand_global ? &pool : (gctx *)r);
414 if (g != &pool)
415 DESTROY(g);
416}
417
418static int gmisc(grand *r, unsigned op, ...)
419{
420 gctx *g = (r == &rand_global ? &pool : (gctx *)r);
421 va_list ap;
422 int rc = 0;
423 va_start(ap, op);
424
425 switch (op) {
426 case GRAND_CHECK:
427 switch (va_arg(ap, unsigned)) {
428 case GRAND_CHECK:
429 case GRAND_SEEDINT:
430 case GRAND_SEEDUINT32:
431 case GRAND_SEEDBLOCK:
432 case RAND_GATE:
433 case RAND_STRETCH:
434 case RAND_KEY:
435 case RAND_NOISESRC:
436 rc = 1;
437 break;
438 default:
439 rc = 0;
440 break;
441 }
442 break;
443 case GRAND_SEEDINT: {
444 unsigned u = va_arg(ap, unsigned);
445 rand_add(&g->p, &u, sizeof(u), sizeof(u));
446 } break;
447 case GRAND_SEEDUINT32: {
448 uint32 i = va_arg(ap, uint32);
449 rand_add(&g->p, &i, sizeof(i), 4);
450 } break;
451 case GRAND_SEEDBLOCK: {
452 const void *p = va_arg(ap, const void *);
453 size_t sz = va_arg(ap, size_t);
454 rand_add(&g->p, p, sz, sz);
455 } break;
456 case RAND_GATE:
457 rand_gate(&g->p);
458 break;
459 case RAND_STRETCH:
460 rand_stretch(&g->p);
461 break;
462 case RAND_KEY: {
463 const void *k = va_arg(ap, const void *);
464 size_t sz = va_arg(ap, size_t);
465 rand_key(&g->p, k, sz);
466 } break;
467 case RAND_NOISESRC:
468 rand_noisesrc(&g->p, va_arg(ap, const rand_source *));
469 break;
470 default:
471 GRAND_BADOP;
472 break;
473 }
474
475 va_end(ap);
476 return (rc);
477}
478
479static octet gbyte(grand *r)
480{
481 gctx *g = (r == &rand_global ? &pool : (gctx *)r);
482 octet o;
483 rand_getgood(&g->p, &o, 1);
484 return (o);
485}
486
487static uint32 gword(grand *r)
488{
489 gctx *g = (r == &rand_global ? &pool : (gctx *)r);
490 octet b[4];
491 rand_getgood(&g->p, &b, sizeof(b));
492 return (LOAD32(b));
493}
494
495static void gfill(grand *r, void *p, size_t sz)
496{
497 gctx *g = (r == &rand_global ? &pool : (gctx *)r);
498 rand_getgood(&g->p, p, sz);
499}
500
501static const grand_ops gops = {
502 "rand",
503 0,
504 gmisc, gdestroy,
505 gword, gbyte, gword, grand_range, gfill
506};
507
508grand rand_global = { &gops };
509
510/* --- @rand_create@ --- *
511 *
512 * Arguments: ---
513 *
514 * Returns: Pointer to a generic generator.
515 *
516 * Use: Constructs a generic generator interface over a Catacomb
517 * entropy pool generator.
518 */
519
520grand *rand_create(void)
521{
522 gctx *g = CREATE(gctx);
523 g->r.ops = &gops;
524 rand_init(&g->p);
525 return (&g->r);
526}
527
d03ab969 528/*----- That's all, folks -------------------------------------------------*/
Catacomb cryptographic library (downstream of http://git.distorted.org.uk/~mdw/catacomb/)