From: Mark Wooding Date: Mon, 22 Dec 2014 20:32:58 +0000 (+0000) Subject: rand/rand.[ch]: Spring-clean the random source cryptography. X-Git-Tag: 2.2.0~7^2~11 X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/commitdiff_plain/d6fab4f6ae209afd6799a2974ce2849123965170?hp=a7a76ebd30d6af9302fa58b4acad09c465cbac78 rand/rand.[ch]: Spring-clean the random source cryptography. * Use Twofish in counter mode for the main mixing function, because it has lighter-weight key scheduling. * Use SHA256 rather than HMAC(RIPEMD-160) for digesting. I don't think HMAC has anything useful to bring to the party here, and SHA256 is definitely closer to the security level we're aiming for now. * The context structure just contains a plain key now, rather than a scheduled HMAC key, but there's padding to retain binary compatibility. * Keys fed into `rand_key' are mangled by hashing with a constant prefix, mostly to sort out problems of length variation and so on. * We keep back 256 bits rather than 160 now. All of this obviously means that the generator will produce different output now if you try to use it in a deterministic mode. Don't do that. There are plenty of better deterministic generators in this library. I reserve the right to change this one again in the future. --- diff --git a/rand/rand.c b/rand/rand.c index be39d798..ab00e893 100644 --- a/rand/rand.c +++ b/rand/rand.c @@ -35,13 +35,27 @@ #include #include "arena.h" -#include "blowfish-cbc.h" #include "paranoia.h" #define RAND__HACKS #include "rand.h" -#include "rmd160.h" -#include "rmd160-hmac.h" + +#include "noise.h" + +#include "twofish-counter.h" +#include "sha256.h" + +#define CIPHER_CTX twofish_counterctx +#define CIPHER_INIT twofish_counterinit +#define CIPHER_ENCRYPT twofish_counterencrypt +#define CIPHER_IVSZ TWOFISH_BLKSZ +#define CIPHER_KEYSZ TWOFISH_KEYSZ + +#define HASH_CTX sha256_ctx +#define HASH_INIT sha256_init +#define HASH sha256_hash +#define HASH_DONE sha256_done +#define HASH_SZ SHA256_HASHSZ /*----- Static variables --------------------------------------------------*/ @@ -56,13 +70,8 @@ gctx rand_global = { { &gops }, { { 0 }, 0, 0, 0, { 0 }, RAND_SECSZ, 0, - { { 0xb7, 0xb0, 0xb4, 0xdb, 0x59, 0x75, 0x49, 0x32, - 0x1a, 0x8d, 0x4b, 0x86, 0x3a, 0x38, 0xfd, 0x59, - 0xc1, 0x63, 0x66, 0xd9 }, 64, - { 0x91, 0x9a, 0xe6, 0xa1, 0x9d, 0x3a, 0x86, 0xef, - 0xb2, 0xb9, 0xca, 0xfc, 0x26, 0xf8, 0xb1, 0x04, - 0x4a, 0x41, 0xc4, 0x7a }, 64 }, - 0 } + { "Catacomb global random byte pool" }, + &noise_source } }; /*----- Macros ------------------------------------------------------------*/ @@ -98,8 +107,8 @@ void rand_init(rand_pool *r) r->irot = 0; r->ibits = r->obits = 0; r->o = RAND_SECSZ; - r->s = 0; - rmd160_hmacinit(&r->k, 0, 0); + r->s = &noise_source; + rand_key(r, 0, 0); rand_gate(r); } @@ -165,8 +174,18 @@ void rand_seed(rand_pool *r, unsigned bits) void rand_key(rand_pool *r, const void *k, size_t sz) { + HASH_CTX hc; + octet h[HASH_SZ]; + static const char label[] = "Catacomb random pool key"; + RAND_RESOLVE(r); - rmd160_hmacinit(&r->k, k, sz); + + assert(HASH_SZ >= RAND_KEYSZ); + HASH_INIT(&hc); + HASH(&hc, label, sizeof(label)); + if (sz) HASH(&hc, k, sz); + HASH_DONE(&hc, h); + memcpy(r->k.k, h, RAND_KEYSZ); } /* --- @rand_add@ --- * @@ -242,33 +261,28 @@ unsigned rand_goodbits(rand_pool *r) void rand_gate(rand_pool *r) { - octet mac[RMD160_HASHSZ]; + octet h[HASH_SZ]; + HASH_CTX hc; + CIPHER_CTX cc; RAND_RESOLVE(r); TIMER(r); /* --- Hash up all the data in the pool --- */ - { - rmd160_macctx mc; - - rmd160_macinit(&mc, &r->k); - rmd160_machash(&mc, r->pool, sizeof(r->pool)); - rmd160_machash(&mc, r->buf, sizeof(r->buf)); - rmd160_macdone(&mc, mac); - BURN(mc); - } + HASH_INIT(&hc); + HASH(&hc, r->pool, RAND_POOLSZ); + HASH(&hc, r->buf, RAND_BUFSZ); + HASH_DONE(&hc, h); + BURN(hc); /* --- Now mangle all of the data based on the hash --- */ - { - blowfish_cbcctx bc; - - blowfish_cbcinit(&bc, mac, sizeof(mac), 0); - blowfish_cbcencrypt(&bc, r->pool, r->pool, sizeof(r->pool)); - blowfish_cbcencrypt(&bc, r->buf, r->buf, sizeof(r->buf)); - BURN(bc); - } + assert(CIPHER_KEYSZ <= HASH_SZ); + CIPHER_INIT(&cc, h, CIPHER_KEYSZ, 0); + CIPHER_ENCRYPT(&cc, r->pool, r->pool, RAND_POOLSZ); + CIPHER_ENCRYPT(&cc, r->buf, r->buf, RAND_BUFSZ); + BURN(cc); /* --- Reset the various state variables --- */ @@ -296,32 +310,27 @@ void rand_gate(rand_pool *r) void rand_stretch(rand_pool *r) { - octet mac[RMD160_HASHSZ]; + octet h[HASH_SZ]; + HASH_CTX hc; + CIPHER_CTX cc; RAND_RESOLVE(r); TIMER(r); /* --- Hash up all the data in the buffer --- */ - { - rmd160_macctx mc; + HASH_INIT(&hc); + HASH(&hc, r->pool, RAND_POOLSZ); + HASH(&hc, r->buf, RAND_BUFSZ); + HASH_DONE(&hc, h); + BURN(hc); - rmd160_macinit(&mc, &r->k); - rmd160_machash(&mc, r->pool, sizeof(r->pool)); - rmd160_machash(&mc, r->buf, sizeof(r->buf)); - rmd160_macdone(&mc, mac); - BURN(mc); - } + /* --- Now mangle the buffer based on the hash --- */ - /* --- Now mangle the buffer based on that hash --- */ - - { - blowfish_cbcctx bc; - - blowfish_cbcinit(&bc, mac, sizeof(mac), 0); - blowfish_cbcencrypt(&bc, r->buf, r->buf, sizeof(r->buf)); - BURN(bc); - } + assert(CIPHER_KEYSZ < HASH_SZ); + CIPHER_INIT(&cc, h, CIPHER_KEYSZ, 0); + CIPHER_ENCRYPT(&cc, r->buf, r->buf, RAND_BUFSZ); + BURN(cc); /* --- Reset the various state variables --- */ diff --git a/rand/rand.h b/rand/rand.h index 389526d2..3c2fa738 100644 --- a/rand/rand.h +++ b/rand/rand.h @@ -87,7 +87,8 @@ #define RAND_POOLSZ 128 /* Input pool size in bytes */ #define RAND_BUFSZ 512 /* Output buffer size in bytes */ -#define RAND_SECSZ 20 /* Secret octets in output buffer */ +#define RAND_SECSZ 32 /* Secret octets in output buffer */ +#define RAND_KEYSZ 32 /* Recommended random key size */ #define RAND_IBITS (RAND_POOLSZ * 8) #define RAND_OBITS (RAND_BUFSZ * 8) @@ -104,7 +105,7 @@ typedef struct rand_pool { octet buf[RAND_BUFSZ]; /* Random octet output buffer */ unsigned o; /* Current index into buffer */ unsigned obits; /* Number of good bits in buffer */ - rmd160_mackey k; /* Secret key for this pool */ + union { octet k[RAND_KEYSZ]; rmd160_mackey _; } k; /* Key for the pool */ const struct rand_source *s; /* System-specific noise source */ } rand_pool;