3 * $Id: dsarand.c,v 1.1 2000/05/21 11:28:30 mdw Exp $
5 * Random number generator for DSA
7 * (c) 1999 Straylight/Edgeware
8 * (c) 2000 Mark Wooding
11 /*----- Licensing notice --------------------------------------------------*
13 * Copyright (c) 2000 Mark Wooding
14 * All rights reserved.
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions are
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
23 * 2, Redistributions in binary form must reproduce the above copyright
24 * notice, this list of conditions and the following disclaimer in the
25 * documentation and/or other materials provided with the distribution.
27 * 3. The name of the authors may not be used to endorse or promote
28 * products derived from this software without specific prior written
31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
33 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
34 * NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
40 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
41 * POSSIBILITY OF SUCH DAMAGE.
43 * Instead of accepting the above terms, you may redistribute and/or modify
44 * this software under the terms of either the GNU General Public License,
45 * or the GNU Library General Public License, published by the Free
46 * Software Foundation; either version 2 of the License, or (at your
47 * option) any later version.
50 /*----- Revision history --------------------------------------------------*
53 * Revision 1.1 2000/05/21 11:28:30 mdw
56 * --- Past lives (Catacomb) --- *
58 * Revision 1.1 1999/12/22 15:53:12 mdw
59 * Random number generator for finding DSA parameters.
63 /*----- Header files ------------------------------------------------------*/
73 /*----- Main code ---------------------------------------------------------*/
77 * Arguments: @dsarand *d@ = pointer to context
79 * Use: Increments the buffer by one, interpreting it as a big-endian
80 * integer. Carries outside the integer are discarded.
83 #define STEP(d) do { \
86 octet *_q = _p + _d->sz; \
88 while (_c && _q > _p) { \
95 /* --- @dsarand_init@ --- *
97 * Arguments: @dsarand *d@ = pointer to context
98 * @const void *p@ = pointer to seed buffer
99 * @size_t sz@ = size of the buffer
103 * Use: Initializes a DSA random number generator.
106 void dsarand_init(dsarand
*d
, const void *p
, size_t sz
)
108 if ((d
->p
= malloc(sz
)) == 0) {
109 fputs("Out of memory in dsarand_init!\n", stderr
);
118 /* --- @dsarand_reseed@ --- *
120 * Arguments: @dsarand *d@ = pointer to context
121 * @const void *p@ = pointer to seed buffer
122 * @size_t sz@ = size of the buffer
126 * Use: Initializes a DSA random number generator.
129 void dsarand_reseed(dsarand
*d
, const void *p
, size_t sz
)
132 if ((d
->p
= malloc(sz
)) != 0) {
133 fputs("Out of memory in dsarand_init!\n", stderr
);
142 /* --- @dsarand_destroy@ --- *
144 * Arguments: @dsarand *d@ = pointer to context
148 * Use: Disposes of a DSA random number generation context.
151 void dsarand_destroy(dsarand
*d
)
156 /* --- @dsarand_fill@ --- *
158 * Arguments: @dsarand *d@ = pointer to context
159 * @void *p@ = pointer to output buffer
160 * @size_t sz@ = size of output buffer
164 * Use: Fills an output buffer with pseudorandom data.
166 * Let %$p$% be the numerical value of the input buffer, and let
167 * %$b$% be the number of bytes required. Let
168 * %$z = \lceil b / 20 \rceil$% be the number of SHA outputs
169 * required. Then the output of pass %$n$% is
171 * %$P_n = \sum_{0 \le i < z} 2^{160i} SHA(p + nz + i)$%
172 * %${} \bmod 2^{8b}$%
174 * and the actual result in the output buffer is the XOR of all
175 * of the output passes.
177 * The DSA procedure for choosing @q@ involves two passes with
178 * %$z = 1$%; the procedure for choosing @p@ involves one pass
179 * with larger %$z$%. This generalization of the DSA generation
180 * procedure is my own invention but it seems relatively sound.
183 void dsarand_fill(dsarand
*d
, void *p
, size_t sz
)
186 unsigned n
= d
->passes
;
188 /* --- Write out the first pass --- *
190 * This can write directly to the output buffer, so it's done differently
191 * from the latter passes.
200 /* --- Hash the input buffer --- */
203 sha_hash(&h
, d
->p
, d
->sz
);
205 /* --- If enough space, extract the hash output directly --- */
207 if (o
>= SHA_HASHSZ
) {
212 /* --- Otherwise take the hash result out of line and copy it --- */
215 octet hash
[SHA_HASHSZ
];
217 memcpy(q
, hash
+ (SHA_HASHSZ
- o
), o
);
221 /* --- Step the input buffer --- */
226 /* --- Another pass has been done --- */
231 /* --- Write out subsequent passes --- *
233 * The hash output has to be done offline, so this is slightly easier.
241 octet hash
[SHA_HASHSZ
];
245 /* --- Hash the input buffer --- */
248 sha_hash(&h
, d
->p
, d
->sz
);
251 /* --- Work out how much output is wanted --- */
258 /* --- XOR the data out --- */
260 for (pp
= hash
+ (SHA_HASHSZ
- n
), qq
= q
+ o
;
261 pp
< hash
+ SHA_HASHSZ
; pp
++, qq
++)
264 /* --- Step the input buffer --- */
269 /* --- Another pass is done --- */
275 /*----- That's all, folks -------------------------------------------------*/