5 * Random number generator for DSA
7 * (c) 1999 Straylight/Edgeware
8 * (c) 2000 Mark Wooding
11 /*----- Licensing notice --------------------------------------------------*
13 * Copyright (c) 2000 Mark Wooding
14 * All rights reserved.
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions are
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
23 * 2. Redistributions in binary form must reproduce the above copyright
24 * notice, this list of conditions and the following disclaimer in the
25 * documentation and/or other materials provided with the distribution.
27 * 3. The name of the authors may not be used to endorse or promote
28 * products derived from this software without specific prior written
31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
33 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
34 * NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
40 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
41 * POSSIBILITY OF SUCH DAMAGE.
43 * Instead of accepting the above terms, you may redistribute and/or modify
44 * this software under the terms of either the GNU General Public License,
45 * or the GNU Library General Public License, published by the Free
46 * Software Foundation; either version 2 of the License, or (at your
47 * option) any later version.
50 /*----- Revision history --------------------------------------------------*
53 * Revision 1.2 2000/07/02 15:21:20 mdw
56 * Revision 1.1 2000/05/21 11:28:30 mdw
59 * --- Past lives (Catacomb) --- *
61 * Revision 1.1 1999/12/22 15:53:12 mdw
62 * Random number generator for finding DSA parameters.
66 /*----- Header files ------------------------------------------------------*/
76 /*----- Main code ---------------------------------------------------------*/
80 * Arguments: @dsarand *d@ = pointer to context
82 * Use: Increments the buffer by one, interpreting it as a big-endian
83 * integer. Carries outside the integer are discarded.
86 #define STEP(d) do { \
89 octet *_q = _p + _d->sz; \
91 while (_c && _q > _p) { \
98 /* --- @dsarand_init@ --- *
100 * Arguments: @dsarand *d@ = pointer to context
101 * @const void *p@ = pointer to seed buffer
102 * @size_t sz@ = size of the buffer
106 * Use: Initializes a DSA random number generator.
109 void dsarand_init(dsarand
*d
, const void *p
, size_t sz
)
111 if ((d
->p
= malloc(sz
)) == 0) {
112 fputs("Out of memory in dsarand_init!\n", stderr
);
121 /* --- @dsarand_reseed@ --- *
123 * Arguments: @dsarand *d@ = pointer to context
124 * @const void *p@ = pointer to seed buffer
125 * @size_t sz@ = size of the buffer
129 * Use: Reinitializes a DSA random number generator with a new seed.
132 void dsarand_reseed(dsarand
*d
, const void *p
, size_t sz
)
135 if ((d
->p
= malloc(sz
)) != 0) {
136 fputs("Out of memory in dsarand_init!\n", stderr
);
145 /* --- @dsarand_destroy@ --- *
147 * Arguments: @dsarand *d@ = pointer to context
151 * Use: Disposes of a DSA random number generation context.
154 void dsarand_destroy(dsarand
*d
)
159 /* --- @dsarand_fill@ --- *
161 * Arguments: @dsarand *d@ = pointer to context
162 * @void *p@ = pointer to output buffer
163 * @size_t sz@ = size of output buffer
167 * Use: Fills an output buffer with pseudorandom data.
169 * Let %$p$% be the numerical value of the input buffer, and let
170 * %$b$% be the number of bytes required. Let
171 * %$z = \lceil b / 20 \rceil$% be the number of SHA outputs
172 * required. Then the output of pass %$n$% is
174 * %$P_n = \sum_{0 \le i < z} 2^{160i} SHA(p + nz + i)$%
175 * %${} \bmod 2^{8b}$%
177 * and the actual result in the output buffer is the XOR of all
178 * of the output passes.
180 * The DSA procedure for choosing @q@ involves two passes with
181 * %$z = 1$%; the procedure for choosing @p@ involves one pass
182 * with larger %$z$%. This generalization of the DSA generation
183 * procedure is my own invention but it seems relatively sound.
186 void dsarand_fill(dsarand
*d
, void *p
, size_t sz
)
189 unsigned n
= d
->passes
;
191 /* --- Write out the first pass --- *
193 * This can write directly to the output buffer, so it's done differently
194 * from the latter passes.
203 /* --- Hash the input buffer --- */
206 sha_hash(&h
, d
->p
, d
->sz
);
208 /* --- If enough space, extract the hash output directly --- */
210 if (o
>= SHA_HASHSZ
) {
215 /* --- Otherwise take the hash result out of line and copy it --- */
218 octet hash
[SHA_HASHSZ
];
220 memcpy(q
, hash
+ (SHA_HASHSZ
- o
), o
);
224 /* --- Step the input buffer --- */
229 /* --- Another pass has been done --- */
234 /* --- Write out subsequent passes --- *
236 * The hash output has to be done offline, so this is slightly easier.
244 octet hash
[SHA_HASHSZ
];
248 /* --- Hash the input buffer --- */
251 sha_hash(&h
, d
->p
, d
->sz
);
254 /* --- Work out how much output is wanted --- */
261 /* --- XOR the data out --- */
263 for (pp
= hash
+ (SHA_HASHSZ
- n
), qq
= q
+ o
;
264 pp
< hash
+ SHA_HASHSZ
; pp
++, qq
++)
267 /* --- Step the input buffer --- */
272 /* --- Another pass is done --- */
278 /*----- That's all, folks -------------------------------------------------*/