3 * $Id: rand.c,v 1.4 1999/12/13 15:34:28 mdw Exp $
5 * Secure random number generator
7 * (c) 1998 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Revision history --------------------------------------------------*
33 * Revision 1.4 1999/12/13 15:34:28 mdw
34 * Increase the entropy threshhold in rand_getgood.
36 * Revision 1.3 1999/12/10 23:28:07 mdw
37 * Bug fix: rand_getgood didn't update buffer pointer.
39 * Revision 1.2 1999/10/12 21:00:15 mdw
40 * Make pool and buffer sizes more sensible.
42 * Revision 1.1 1999/09/03 08:41:12 mdw
47 /*----- Header files ------------------------------------------------------*/
53 #include <mLib/bits.h>
56 #include "blowfish-cbc.h"
60 #include "rmd160-hmac.h"
62 /*----- Static variables --------------------------------------------------*/
64 static const grand_ops gops
;
71 static gctx pool
= { { &gops
} }; /* Default random pool */
73 /*----- Macros ------------------------------------------------------------*/
75 #define RAND_RESOLVE(r) do { \
76 if ((r) == RAND_GLOBAL) \
80 #define TIMER(r) do { \
81 if ((r)->s && (r)->s->timer) \
85 /*----- Main code ---------------------------------------------------------*/
87 /* --- @rand_init@ --- *
89 * Arguments: @rand_pool *r@ = pointer to a randomness pool
93 * Use: Initializes a randomness pool. The pool doesn't start out
94 * very random: that's your job to sort out.
97 void rand_init(rand_pool
*r
)
100 memset(r
->pool
, 0, sizeof(r
->pool
));
101 memset(r
->buf
, 0, sizeof(r
->buf
));
104 r
->ibits
= r
->obits
= 0;
107 rmd160_hmacinit(&r
->k
, 0, 0);
111 /* --- @rand_noisesrc@ --- *
113 * Arguments: @rand_pool *r@ = pointer to a randomness pool
114 * @const rand_source *s@ = pointer to source definition
118 * Use: Sets a noise source for a randomness pool. When the pool's
119 * estimate of good random bits falls to zero, the @getnoise@
120 * function is called, passing the pool handle as an argument.
121 * It is expected to increase the number of good bits by at
122 * least one, because it'll be called over and over again until
123 * there are enough bits to satisfy the caller. The @timer@
124 * function is called frequently throughout the generator's
128 void rand_noisesrc(rand_pool
*r
, const rand_source
*s
)
134 /* --- @rand_key@ --- *
136 * Arguments: @rand_pool *r@ = pointer to a randomness pool
137 * @const void *k@ = pointer to key data
138 * @size_t sz@ = size of key data
142 * Use: Sets the secret key for a randomness pool. The key is used
143 * when mixing in new random bits.
146 void rand_key(rand_pool
*r
, const void *k
, size_t sz
)
149 rmd160_hmacinit(&r
->k
, k
, sz
);
152 /* --- @rand_add@ --- *
154 * Arguments: @rand_pool *r@ = pointer to a randomness pool
155 * @const void *p@ = pointer a buffer of data to add
156 * @size_t sz@ = size of the data buffer
157 * @unsigned goodbits@ = number of good bits estimated in buffer
161 * Use: Mixes the data in the buffer with the contents of the
162 * pool. The estimate of the number of good bits is added to
163 * the pool's own count. The mixing operation is not
164 * cryptographically strong. However, data in the input pool
165 * isn't output directly, only through the one-way gating
166 * operation, so that shouldn't matter.
169 void rand_add(rand_pool
*r
, const void *p
, size_t sz
, unsigned goodbits
)
174 #if RAND_POOLSZ != 128
175 # error Polynomial in rand_add is out of date. Fix it.
180 i
= r
->i
; rot
= r
->irot
;
184 r
->pool
[i
] ^= (ROL8(o
, rot
) ^
185 r
->pool
[(i
+ 1) % RAND_POOLSZ
] ^
186 r
->pool
[(i
+ 2) % RAND_POOLSZ
] ^
187 r
->pool
[(i
+ 7) % RAND_POOLSZ
]);
189 i
++; if (i
>= RAND_POOLSZ
) i
-= RAND_POOLSZ
;
195 r
->ibits
+= goodbits
;
196 if (r
->ibits
> RAND_IBITS
)
197 r
->ibits
= RAND_IBITS
;
200 /* --- @rand_goodbits@ --- *
202 * Arguments: @rand_pool *r@ = pointer to a randomness pool
204 * Returns: Estimate of the number of good bits remaining in the pool.
207 unsigned rand_goodbits(rand_pool
*r
)
210 return (r
->ibits
+ r
->obits
);
213 /* --- @rand_gate@ --- *
215 * Arguments: @rand_pool *r@ = pointer to a randomness pool
219 * Use: Mixes up the entire state of the generator in a nonreversible
223 void rand_gate(rand_pool
*r
)
225 octet mac
[RMD160_HASHSZ
];
230 /* --- Hash up all the data in the pool --- */
235 rmd160_macinit(&mc
, &r
->k
);
236 rmd160_machash(&mc
, r
->pool
, sizeof(r
->pool
));
237 rmd160_machash(&mc
, r
->buf
, sizeof(r
->buf
));
238 rmd160_macdone(&mc
, mac
);
242 /* --- Now mangle all of the data based on the hash --- */
247 blowfish_cbcinit(&bc
, mac
, sizeof(mac
), 0);
248 blowfish_cbcencrypt(&bc
, r
->pool
, r
->pool
, sizeof(r
->pool
));
249 blowfish_cbcencrypt(&bc
, r
->buf
, r
->buf
, sizeof(r
->buf
));
253 /* --- Reset the various state variables --- */
256 r
->obits
+= r
->ibits
;
257 if (r
->obits
> RAND_OBITS
) {
258 r
->ibits
= r
->obits
- r
->ibits
;
259 r
->obits
= RAND_OBITS
;
265 /* --- @rand_stretch@ --- *
267 * Arguments: @rand_pool *r@ = pointer to a randomness pool
271 * Use: Stretches the contents of the output buffer by transforming
272 * it in a nonreversible way. This doesn't add any entropy
273 * worth speaking about, but it works well enough when the
274 * caller doesn't care about that sort of thing.
277 void rand_stretch(rand_pool
*r
)
279 octet mac
[RMD160_HASHSZ
];
284 /* --- Hash up all the data in the buffer --- */
289 rmd160_macinit(&mc
, &r
->k
);
290 rmd160_machash(&mc
, r
->pool
, sizeof(r
->pool
));
291 rmd160_machash(&mc
, r
->buf
, sizeof(r
->buf
));
292 rmd160_macdone(&mc
, mac
);
296 /* --- Now mangle the buffer based on that hash --- */
301 blowfish_cbcinit(&bc
, mac
, sizeof(mac
), 0);
302 blowfish_cbcencrypt(&bc
, r
->buf
, r
->buf
, sizeof(r
->buf
));
306 /* --- Reset the various state variables --- */
312 /* --- @rand_get@ --- *
314 * Arguments: @rand_pool *r@ = pointer to a randomness pool
315 * @void *p@ = pointer to output buffer
316 * @size_t sz@ = size of output buffer
320 * Use: Gets random data from the pool. The pool's contents can't be
321 * determined from the output of this function; nor can the
322 * output data be determined from a knowledge of the data input
323 * to the pool wihtout also having knowledge of the secret key.
324 * The good bits counter is decremented, although no special
325 * action is taken if it reaches zero.
328 void rand_get(rand_pool
*r
, void *p
, size_t sz
)
338 if (r
->o
+ sz
<= RAND_BUFSZ
) {
339 memcpy(o
, r
->buf
+ r
->o
, sz
);
343 size_t chunk
= RAND_BUFSZ
- r
->o
;
345 memcpy(o
, r
->buf
+ r
->o
, chunk
);
353 if (r
->obits
> sz
* 8)
359 /* --- @rand_getgood@ --- *
361 * Arguments: @rand_pool *r@ = pointer to a randomness pool
362 * @void *p@ = pointer to output buffer
363 * @size_t sz@ = size of output buffer
367 * Use: Gets random data from the pool. The pool's contents can't be
368 * determined from the output of this function; nor can the
369 * output data be determined from a knowledge of the data input
370 * to the pool wihtout also having knowledge of the secret key.
371 * If a noise source is attached to the pool in question, it is
372 * called to replenish the supply of good bits in the pool;
373 * otherwise this call is equivalent to @rand_get@.
376 void rand_getgood(rand_pool
*r
, void *p
, size_t sz
)
384 if (!r
->s
|| !r
->s
->getnoise
) {
393 if (chunk
* 8 > r
->obits
) {
394 if (chunk
* 8 > r
->ibits
+ r
->obits
)
395 do r
->s
->getnoise(r
); while (r
->ibits
+ r
->obits
< 256);
397 if (chunk
* 8 > r
->obits
)
398 chunk
= r
->obits
/ 8;
401 if (chunk
+ r
->o
> RAND_BUFSZ
)
402 chunk
= RAND_BUFSZ
- r
->o
;
404 memcpy(o
, r
->buf
+ r
->o
, chunk
);
406 r
->obits
-= chunk
* 8;
412 /*----- Generic random number generator interface -------------------------*/
414 static void gdestroy(grand
*r
)
416 gctx
*g
= (r
== &rand_global ?
&pool
: (gctx
*)r
);
421 static int gmisc(grand
*r
, unsigned op
, ...)
423 gctx
*g
= (r
== &rand_global ?
&pool
: (gctx
*)r
);
430 switch (va_arg(ap
, unsigned)) {
433 case GRAND_SEEDUINT32
:
434 case GRAND_SEEDBLOCK
:
447 case GRAND_SEEDINT
: {
448 unsigned u
= va_arg(ap
, unsigned);
449 rand_add(&g
->p
, &u
, sizeof(u
), sizeof(u
));
451 case GRAND_SEEDUINT32
: {
452 uint32 i
= va_arg(ap
, uint32
);
453 rand_add(&g
->p
, &i
, sizeof(i
), 4);
455 case GRAND_SEEDBLOCK
: {
456 const void *p
= va_arg(ap
, const void *);
457 size_t sz
= va_arg(ap
, size_t);
458 rand_add(&g
->p
, p
, sz
, sz
);
460 case GRAND_SEEDRAND
: {
461 grand
*rr
= va_arg(ap
, grand
*);
463 rr
->ops
->fill(rr
, buf
, sizeof(buf
));
464 rand_add(&g
->p
, buf
, sizeof(buf
), 8);
473 const void *k
= va_arg(ap
, const void *);
474 size_t sz
= va_arg(ap
, size_t);
475 rand_key(&g
->p
, k
, sz
);
478 rand_noisesrc(&g
->p
, va_arg(ap
, const rand_source
*));
489 static octet
gbyte(grand
*r
)
491 gctx
*g
= (r
== &rand_global ?
&pool
: (gctx
*)r
);
493 rand_getgood(&g
->p
, &o
, 1);
497 static uint32
gword(grand
*r
)
499 gctx
*g
= (r
== &rand_global ?
&pool
: (gctx
*)r
);
501 rand_getgood(&g
->p
, &b
, sizeof(b
));
505 static void gfill(grand
*r
, void *p
, size_t sz
)
507 gctx
*g
= (r
== &rand_global ?
&pool
: (gctx
*)r
);
508 rand_getgood(&g
->p
, p
, sz
);
511 static const grand_ops gops
= {
515 gword
, gbyte
, gword
, grand_range
, gfill
518 grand rand_global
= { &gops
};
520 /* --- @rand_create@ --- *
524 * Returns: Pointer to a generic generator.
526 * Use: Constructs a generic generator interface over a Catacomb
527 * entropy pool generator.
530 grand
*rand_create(void)
532 gctx
*g
= CREATE(gctx
);
538 /*----- That's all, folks -------------------------------------------------*/