3 * Secure random number generator
5 * (c) 1998 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /*----- Header files ------------------------------------------------------*/
34 #include <mLib/bits.h>
38 #include "blowfish-cbc.h"
44 #include "rmd160-hmac.h"
46 /*----- Static variables --------------------------------------------------*/
48 static const grand_ops gops
;
50 typedef struct rand__gctx
{
59 { { 0xb7, 0xb0, 0xb4, 0xdb, 0x59, 0x75, 0x49, 0x32,
60 0x1a, 0x8d, 0x4b, 0x86, 0x3a, 0x38, 0xfd, 0x59,
61 0xc1, 0x63, 0x66, 0xd9 }, 64,
62 { 0x91, 0x9a, 0xe6, 0xa1, 0x9d, 0x3a, 0x86, 0xef,
63 0xb2, 0xb9, 0xca, 0xfc, 0x26, 0xf8, 0xb1, 0x04,
64 0x4a, 0x41, 0xc4, 0x7a }, 64 },
68 /*----- Macros ------------------------------------------------------------*/
70 #define RAND_RESOLVE(r) \
71 do { if ((r) == RAND_GLOBAL) r = &rand_global.p; } while (0)
73 #define TIMER(r) do { \
74 if ((r)->s && (r)->s->timer) \
78 /*----- Main code ---------------------------------------------------------*/
80 /* --- @rand_init@ --- *
82 * Arguments: @rand_pool *r@ = pointer to a randomness pool
86 * Use: Initializes a randomness pool. The pool doesn't start out
87 * very random: that's your job to sort out. A good suggestion
88 * would be to attach an appropriate noise source and call
92 void rand_init(rand_pool
*r
)
95 memset(r
->pool
, 0, sizeof(r
->pool
));
96 memset(r
->buf
, 0, sizeof(r
->buf
));
99 r
->ibits
= r
->obits
= 0;
102 rmd160_hmacinit(&r
->k
, 0, 0);
106 /* --- @rand_noisesrc@ --- *
108 * Arguments: @rand_pool *r@ = pointer to a randomness pool
109 * @const rand_source *s@ = pointer to source definition
113 * Use: Sets a noise source for a randomness pool. When the pool's
114 * estimate of good random bits falls to zero, the @getnoise@
115 * function is called, passing the pool handle as an argument.
116 * It is expected to increase the number of good bits by at
117 * least one, because it'll be called over and over again until
118 * there are enough bits to satisfy the caller. The @timer@
119 * function is called frequently throughout the generator's
123 void rand_noisesrc(rand_pool
*r
, const rand_source
*s
)
129 /* --- @rand_seed@ --- *
131 * Arguments: @rand_pool *r@ = pointer to a randomness pool
132 * @unsigned bits@ = number of bits to ensure
136 * Use: Ensures that there are at least @bits@ good bits of entropy
137 * in the pool. It is recommended that you call this after
138 * initializing a new pool. Requesting @bits > RAND_IBITS@ is
139 * doomed to failure (and is an error).
142 void rand_seed(rand_pool
*r
, unsigned bits
)
146 assert(((void)"bits pointlessly large in rand_seed", bits
<= RAND_IBITS
));
147 assert(((void)"no noise source in rand_seed", r
->s
));
149 while (r
->ibits
< bits
)
154 /* --- @rand_key@ --- *
156 * Arguments: @rand_pool *r@ = pointer to a randomness pool
157 * @const void *k@ = pointer to key data
158 * @size_t sz@ = size of key data
162 * Use: Sets the secret key for a randomness pool. The key is used
163 * when mixing in new random bits.
166 void rand_key(rand_pool
*r
, const void *k
, size_t sz
)
169 rmd160_hmacinit(&r
->k
, k
, sz
);
172 /* --- @rand_add@ --- *
174 * Arguments: @rand_pool *r@ = pointer to a randomness pool
175 * @const void *p@ = pointer a buffer of data to add
176 * @size_t sz@ = size of the data buffer
177 * @unsigned goodbits@ = number of good bits estimated in buffer
181 * Use: Mixes the data in the buffer with the contents of the
182 * pool. The estimate of the number of good bits is added to
183 * the pool's own count. The mixing operation is not
184 * cryptographically strong. However, data in the input pool
185 * isn't output directly, only through the one-way gating
186 * operation, so that shouldn't matter.
189 void rand_add(rand_pool
*r
, const void *p
, size_t sz
, unsigned goodbits
)
194 #if RAND_POOLSZ != 128
195 # error Polynomial in rand_add is out of date. Fix it.
200 i
= r
->i
; rot
= r
->irot
;
204 r
->pool
[i
] ^= (ROL8(o
, rot
) ^
205 r
->pool
[(i
+ 1) % RAND_POOLSZ
] ^
206 r
->pool
[(i
+ 2) % RAND_POOLSZ
] ^
207 r
->pool
[(i
+ 7) % RAND_POOLSZ
]);
209 i
++; if (i
>= RAND_POOLSZ
) i
-= RAND_POOLSZ
;
215 r
->ibits
+= goodbits
;
216 if (r
->ibits
> RAND_IBITS
)
217 r
->ibits
= RAND_IBITS
;
220 /* --- @rand_goodbits@ --- *
222 * Arguments: @rand_pool *r@ = pointer to a randomness pool
224 * Returns: Estimate of the number of good bits remaining in the pool.
227 unsigned rand_goodbits(rand_pool
*r
)
230 return (r
->ibits
+ r
->obits
);
233 /* --- @rand_gate@ --- *
235 * Arguments: @rand_pool *r@ = pointer to a randomness pool
239 * Use: Mixes up the entire state of the generator in a nonreversible
243 void rand_gate(rand_pool
*r
)
245 octet mac
[RMD160_HASHSZ
];
250 /* --- Hash up all the data in the pool --- */
255 rmd160_macinit(&mc
, &r
->k
);
256 rmd160_machash(&mc
, r
->pool
, sizeof(r
->pool
));
257 rmd160_machash(&mc
, r
->buf
, sizeof(r
->buf
));
258 rmd160_macdone(&mc
, mac
);
262 /* --- Now mangle all of the data based on the hash --- */
267 blowfish_cbcinit(&bc
, mac
, sizeof(mac
), 0);
268 blowfish_cbcencrypt(&bc
, r
->pool
, r
->pool
, sizeof(r
->pool
));
269 blowfish_cbcencrypt(&bc
, r
->buf
, r
->buf
, sizeof(r
->buf
));
273 /* --- Reset the various state variables --- */
276 r
->obits
+= r
->ibits
;
277 if (r
->obits
> RAND_OBITS
) {
278 r
->ibits
= r
->obits
- r
->ibits
;
279 r
->obits
= RAND_OBITS
;
285 /* --- @rand_stretch@ --- *
287 * Arguments: @rand_pool *r@ = pointer to a randomness pool
291 * Use: Stretches the contents of the output buffer by transforming
292 * it in a nonreversible way. This doesn't add any entropy
293 * worth speaking about, but it works well enough when the
294 * caller doesn't care about that sort of thing.
297 void rand_stretch(rand_pool
*r
)
299 octet mac
[RMD160_HASHSZ
];
304 /* --- Hash up all the data in the buffer --- */
309 rmd160_macinit(&mc
, &r
->k
);
310 rmd160_machash(&mc
, r
->pool
, sizeof(r
->pool
));
311 rmd160_machash(&mc
, r
->buf
, sizeof(r
->buf
));
312 rmd160_macdone(&mc
, mac
);
316 /* --- Now mangle the buffer based on that hash --- */
321 blowfish_cbcinit(&bc
, mac
, sizeof(mac
), 0);
322 blowfish_cbcencrypt(&bc
, r
->buf
, r
->buf
, sizeof(r
->buf
));
326 /* --- Reset the various state variables --- */
332 /* --- @rand_get@ --- *
334 * Arguments: @rand_pool *r@ = pointer to a randomness pool
335 * @void *p@ = pointer to output buffer
336 * @size_t sz@ = size of output buffer
340 * Use: Gets random data from the pool. The pool's contents can't be
341 * determined from the output of this function; nor can the
342 * output data be determined from a knowledge of the data input
343 * to the pool wihtout also having knowledge of the secret key.
344 * The good bits counter is decremented, although no special
345 * action is taken if it reaches zero.
348 void rand_get(rand_pool
*r
, void *p
, size_t sz
)
358 if (r
->o
+ sz
<= RAND_BUFSZ
) {
359 memcpy(o
, r
->buf
+ r
->o
, sz
);
363 size_t chunk
= RAND_BUFSZ
- r
->o
;
365 memcpy(o
, r
->buf
+ r
->o
, chunk
);
373 if (r
->obits
> sz
* 8)
379 /* --- @rand_getgood@ --- *
381 * Arguments: @rand_pool *r@ = pointer to a randomness pool
382 * @void *p@ = pointer to output buffer
383 * @size_t sz@ = size of output buffer
387 * Use: Gets random data from the pool, ensuring that there are
388 * enough good bits. This interface isn't recommended: it makes
389 * the generator slow, and doesn't provide much more security
390 * than @rand_get@, assuming you've previously done a
394 void rand_getgood(rand_pool
*r
, void *p
, size_t sz
)
402 if (!r
->s
|| !r
->s
->getnoise
) {
411 if (chunk
* 8 > r
->obits
) {
412 if (chunk
* 8 > r
->ibits
+ r
->obits
)
413 do r
->s
->getnoise(r
); while (r
->ibits
+ r
->obits
< 256);
415 if (chunk
* 8 > r
->obits
)
416 chunk
= r
->obits
/ 8;
419 if (chunk
+ r
->o
> RAND_BUFSZ
)
420 chunk
= RAND_BUFSZ
- r
->o
;
422 memcpy(o
, r
->buf
+ r
->o
, chunk
);
424 r
->obits
-= chunk
* 8;
430 /*----- Generic random number generator interface -------------------------*/
432 static void gdestroy(grand
*r
)
435 if (g
!= &rand_global
) {
441 static int gmisc(grand
*r
, unsigned op
, ...)
450 switch (va_arg(ap
, unsigned)) {
453 case GRAND_SEEDUINT32
:
454 case GRAND_SEEDBLOCK
:
471 case GRAND_SEEDINT
: {
472 unsigned u
= va_arg(ap
, unsigned);
473 rand_add(&g
->p
, &u
, sizeof(u
), sizeof(u
));
475 case GRAND_SEEDUINT32
: {
476 uint32 i
= va_arg(ap
, uint32
);
477 rand_add(&g
->p
, &i
, sizeof(i
), 4);
479 case GRAND_SEEDBLOCK
: {
480 const void *p
= va_arg(ap
, const void *);
481 size_t sz
= va_arg(ap
, size_t);
482 rand_add(&g
->p
, p
, sz
, sz
);
484 case GRAND_SEEDRAND
: {
485 grand
*rr
= va_arg(ap
, grand
*);
487 rr
->ops
->fill(rr
, buf
, sizeof(buf
));
488 rand_add(&g
->p
, buf
, sizeof(buf
), 8);
497 const void *k
= va_arg(ap
, const void *);
498 size_t sz
= va_arg(ap
, size_t);
499 rand_key(&g
->p
, k
, sz
);
502 rand_noisesrc(&g
->p
, va_arg(ap
, const rand_source
*));
505 rand_seed(&g
->p
, va_arg(ap
, unsigned));
511 rc
= rand_goodbits(&g
->p
);
514 const void *p
= va_arg(ap
, const void *);
515 size_t sz
= va_arg(ap
, size_t);
516 unsigned goodbits
= va_arg(ap
, unsigned);
517 rand_add(&g
->p
, p
, sz
, goodbits
);
528 static octet
gbyte(grand
*r
)
532 rand_getgood(&g
->p
, &o
, 1);
536 static uint32
gword(grand
*r
)
540 rand_getgood(&g
->p
, &b
, sizeof(b
));
544 static void gfill(grand
*r
, void *p
, size_t sz
)
547 rand_get(&g
->p
, p
, sz
);
550 static const grand_ops gops
= {
554 gword
, gbyte
, gword
, grand_range
, gfill
557 /* --- @rand_create@ --- *
561 * Returns: Pointer to a generic generator.
563 * Use: Constructs a generic generator interface over a Catacomb
564 * entropy pool generator.
567 grand
*rand_create(void)
569 gctx
*g
= S_CREATE(gctx
);
575 /*----- That's all, folks -------------------------------------------------*/