3 * $Id: rand.c,v 1.2 1999/10/12 21:00:15 mdw Exp $
5 * Secure random number generator
7 * (c) 1998 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Revision history --------------------------------------------------*
33 * Revision 1.2 1999/10/12 21:00:15 mdw
34 * Make pool and buffer sizes more sensible.
36 * Revision 1.1 1999/09/03 08:41:12 mdw
41 /*----- Header files ------------------------------------------------------*/
46 #include <mLib/bits.h>
48 #include "blowfish-cbc.h"
52 #include "rmd160-hmac.h"
54 /*----- Static variables --------------------------------------------------*/
56 static rand_pool pool
; /* Default random pool */
58 /*----- Macros ------------------------------------------------------------*/
60 #define RAND_RESOLVE(r) do { \
61 if ((r) == RAND_GLOBAL) \
65 #define TIMER(r) do { \
66 if ((r)->s && (r)->s->timer) \
70 /*----- Main code ---------------------------------------------------------*/
72 /* --- @rand_init@ --- *
74 * Arguments: @rand_pool *r@ = pointer to a randomness pool
78 * Use: Initializes a randomness pool. The pool doesn't start out
79 * very random: that's your job to sort out.
82 void rand_init(rand_pool
*r
)
85 memset(r
->pool
, 0, sizeof(r
->pool
));
86 memset(r
->buf
, 0, sizeof(r
->buf
));
89 r
->ibits
= r
->obits
= 0;
92 rmd160_hmac(&r
->k
, 0, 0);
96 /* --- @rand_noisesrc@ --- *
98 * Arguments: @rand_pool *r@ = pointer to a randomness pool
99 * @const rand_source *s@ = pointer to source definition
103 * Use: Sets a noise source for a randomness pool. When the pool's
104 * estimate of good random bits falls to zero, the @getnoise@
105 * function is called, passing the pool handle as an argument.
106 * It is expected to increase the number of good bits by at
107 * least one, because it'll be called over and over again until
108 * there are enough bits to satisfy the caller. The @timer@
109 * function is called frequently throughout the generator's
113 void rand_noisesrc(rand_pool
*r
, const rand_source
*s
)
119 /* --- @rand_key@ --- *
121 * Arguments: @rand_pool *r@ = pointer to a randomness pool
122 * @const void *k@ = pointer to key data
123 * @size_t sz@ = size of key data
127 * Use: Sets the secret key for a randomness pool. The key is used
128 * when mixing in new random bits.
131 void rand_key(rand_pool
*r
, const void *k
, size_t sz
)
134 rmd160_hmac(&r
->k
, k
, sz
);
137 /* --- @rand_add@ --- *
139 * Arguments: @rand_pool *r@ = pointer to a randomness pool
140 * @const void *p@ = pointer a buffer of data to add
141 * @size_t sz@ = size of the data buffer
142 * @unsigned goodbits@ = number of good bits estimated in buffer
146 * Use: Mixes the data in the buffer with the contents of the
147 * pool. The estimate of the number of good bits is added to
148 * the pool's own count. The mixing operation is not
149 * cryptographically strong. However, data in the input pool
150 * isn't output directly, only through the one-way gating
151 * operation, so that shouldn't matter.
154 void rand_add(rand_pool
*r
, const void *p
, size_t sz
, unsigned goodbits
)
159 #if RAND_POOLSZ != 128
160 # error Polynomial in rand_add is out of date. Fix it.
165 i
= r
->i
; rot
= r
->irot
;
169 r
->pool
[i
] ^= (ROL8(o
, rot
) ^
170 r
->pool
[(i
+ 1) % RAND_POOLSZ
] ^
171 r
->pool
[(i
+ 2) % RAND_POOLSZ
] ^
172 r
->pool
[(i
+ 7) % RAND_POOLSZ
]);
174 i
++; if (i
>= RAND_POOLSZ
) i
-= RAND_POOLSZ
;
180 r
->ibits
+= goodbits
;
181 if (r
->ibits
> RAND_IBITS
)
182 r
->ibits
= RAND_IBITS
;
185 /* --- @rand_goodbits@ --- *
187 * Arguments: @rand_pool *r@ = pointer to a randomness pool
189 * Returns: Estimate of the number of good bits remaining in the pool.
192 unsigned rand_goodbits(rand_pool
*r
)
195 return (r
->ibits
+ r
->obits
);
198 /* --- @rand_gate@ --- *
200 * Arguments: @rand_pool *r@ = pointer to a randomness pool
204 * Use: Mixes up the entire state of the generator in a nonreversible
208 void rand_gate(rand_pool
*r
)
210 octet mac
[RMD160_HASHSZ
];
215 /* --- Hash up all the data in the pool --- */
220 rmd160_macinit(&mc
, &r
->k
);
221 rmd160_mac(&mc
, r
->pool
, sizeof(r
->pool
));
222 rmd160_mac(&mc
, r
->buf
, sizeof(r
->buf
));
223 rmd160_macdone(&mc
, mac
);
227 /* --- Now mangle all of the data based on the hash --- */
232 blowfish_cbcinit(&bc
, mac
, sizeof(mac
), 0);
233 blowfish_cbcencrypt(&bc
, r
->pool
, r
->pool
, sizeof(r
->pool
));
234 blowfish_cbcencrypt(&bc
, r
->buf
, r
->buf
, sizeof(r
->buf
));
238 /* --- Reset the various state variables --- */
241 r
->obits
+= r
->ibits
;
242 if (r
->obits
> RAND_OBITS
) {
243 r
->ibits
= r
->obits
- r
->ibits
;
244 r
->obits
= RAND_OBITS
;
250 /* --- @rand_stretch@ --- *
252 * Arguments: @rand_pool *r@ = pointer to a randomness pool
256 * Use: Stretches the contents of the output buffer by transforming
257 * it in a nonreversible way. This doesn't add any entropy
258 * worth speaking about, but it works well enough when the
259 * caller doesn't care about that sort of thing.
262 void rand_stretch(rand_pool
*r
)
264 octet mac
[RMD160_HASHSZ
];
269 /* --- Hash up all the data in the buffer --- */
274 rmd160_macinit(&mc
, &r
->k
);
275 rmd160_mac(&mc
, r
->pool
, sizeof(r
->pool
));
276 rmd160_mac(&mc
, r
->buf
, sizeof(r
->buf
));
277 rmd160_macdone(&mc
, mac
);
281 /* --- Now mangle the buffer based on that hash --- */
286 blowfish_cbcinit(&bc
, mac
, sizeof(mac
), 0);
287 blowfish_cbcencrypt(&bc
, r
->buf
, r
->buf
, sizeof(r
->buf
));
291 /* --- Reset the various state variables --- */
297 /* --- @rand_get@ --- *
299 * Arguments: @rand_pool *r@ = pointer to a randomness pool
300 * @void *p@ = pointer to output buffer
301 * @size_t sz@ = size of output buffer
305 * Use: Gets random data from the pool. The pool's contents can't be
306 * determined from the output of this function; nor can the
307 * output data be determined from a knowledge of the data input
308 * to the pool wihtout also having knowledge of the secret key.
309 * The good bits counter is decremented, although no special
310 * action is taken if it reaches zero.
313 void rand_get(rand_pool
*r
, void *p
, size_t sz
)
323 if (r
->o
+ sz
<= RAND_BUFSZ
) {
324 memcpy(o
, r
->buf
+ r
->o
, sz
);
328 size_t chunk
= RAND_BUFSZ
- r
->o
;
330 memcpy(o
, r
->buf
+ r
->o
, chunk
);
338 if (r
->obits
> sz
* 8)
344 /* --- @rand_getgood@ --- *
346 * Arguments: @rand_pool *r@ = pointer to a randomness pool
347 * @void *p@ = pointer to output buffer
348 * @size_t sz@ = size of output buffer
352 * Use: Gets random data from the pool. The pool's contents can't be
353 * determined from the output of this function; nor can the
354 * output data be determined from a knowledge of the data input
355 * to the pool wihtout also having knowledge of the secret key.
356 * If a noise source is attached to the pool in question, it is
357 * called to replenish the supply of good bits in the pool;
358 * otherwise this call is equivalent to @rand_get@.
361 void rand_getgood(rand_pool
*r
, void *p
, size_t sz
)
369 if (!r
->s
|| !r
->s
->getnoise
) {
378 if (chunk
* 8 > r
->obits
) {
379 if (chunk
* 8 > r
->ibits
+ r
->obits
)
380 do r
->s
->getnoise(r
); while (r
->ibits
+ r
->obits
< 128);
382 if (chunk
* 8 > r
->obits
)
383 chunk
= r
->obits
/ 8;
386 if (chunk
+ r
->o
> RAND_BUFSZ
)
387 chunk
= RAND_BUFSZ
- r
->o
;
389 memcpy(o
, r
->buf
+ r
->o
, chunk
);
390 r
->obits
-= chunk
* 8;
396 /*----- That's all, folks -------------------------------------------------*/