3 * $Id: rand.c,v 1.1 1999/09/03 08:41:12 mdw Exp $
5 * Secure random number generator
7 * (c) 1998 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Revision history --------------------------------------------------*
33 * Revision 1.1 1999/09/03 08:41:12 mdw
38 /*----- Header files ------------------------------------------------------*/
43 #include <mLib/bits.h>
45 #include "blowfish-cbc.h"
49 #include "rmd160-hmac.h"
51 /*----- Static variables --------------------------------------------------*/
53 static rand_pool pool; /* Default random pool */
55 /*----- Macros ------------------------------------------------------------*/
57 #define RAND_RESOLVE(r) do { \
58 if ((r) == RAND_GLOBAL) \
62 #define TIMER(r) do { \
63 if ((r)->s && (r)->s->timer) \
67 /*----- Main code ---------------------------------------------------------*/
69 /* --- @rand_init@ --- *
71 * Arguments: @rand_pool *r@ = pointer to a randomness pool
75 * Use: Initializes a randomness pool. The pool doesn't start out
76 * very random: that's your job to sort out.
79 void rand_init(rand_pool *r)
82 memset(r->pool, 0, sizeof(r->pool));
83 memset(r->buf, 0, sizeof(r->buf));
86 r->ibits = r->obits = 0;
89 rmd160_hmac(&r->k, 0, 0);
93 /* --- @rand_noisesrc@ --- *
95 * Arguments: @rand_pool *r@ = pointer to a randomness pool
96 * @const rand_source *s@ = pointer to source definition
100 * Use: Sets a noise source for a randomness pool. When the pool's
101 * estimate of good random bits falls to zero, the @getnoise@
102 * function is called, passing the pool handle as an argument.
103 * It is expected to increase the number of good bits by at
104 * least one, because it'll be called over and over again until
105 * there are enough bits to satisfy the caller. The @timer@
106 * function is called frequently throughout the generator's
110 void rand_noisesrc(rand_pool *r, const rand_source *s)
116 /* --- @rand_key@ --- *
118 * Arguments: @rand_pool *r@ = pointer to a randomness pool
119 * @const void *k@ = pointer to key data
120 * @size_t sz@ = size of key data
124 * Use: Sets the secret key for a randomness pool. The key is used
125 * when mixing in new random bits.
128 void rand_key(rand_pool *r, const void *k, size_t sz)
131 rmd160_hmac(&r->k, k, sz);
134 /* --- @rand_add@ --- *
136 * Arguments: @rand_pool *r@ = pointer to a randomness pool
137 * @const void *p@ = pointer a buffer of data to add
138 * @size_t sz@ = size of the data buffer
139 * @unsigned goodbits@ = number of good bits estimated in buffer
143 * Use: Mixes the data in the buffer with the contents of the
144 * pool. The estimate of the number of good bits is added to
145 * the pool's own count. The mixing operation is not
146 * cryptographically strong. However, data in the input pool
147 * isn't output directly, only through the one-way gating
148 * operation, so that shouldn't matter.
151 void rand_add(rand_pool *r, const void *p, size_t sz, unsigned goodbits)
156 #if RAND_POOLSZ != 1279
157 # error Polynomial in rand_add is out of date. Fix it.
162 i = r->i; rot = r->irot; mid = i + 418;
163 if (mid >= RAND_POOLSZ) mid -= RAND_POOLSZ;
167 r->pool[i] ^= (ROL8(o, rot) ^ r->pool[mid]);
169 i++; if (i >= RAND_POOLSZ) i -= RAND_POOLSZ;
170 mid++; if (mid >= RAND_POOLSZ) mid -= RAND_POOLSZ;
176 r->ibits += goodbits;
177 if (r->ibits > RAND_IBITS)
178 r->ibits = RAND_IBITS;
181 /* --- @rand_goodbits@ --- *
183 * Arguments: @rand_pool *r@ = pointer to a randomness pool
185 * Returns: Estimate of the number of good bits remaining in the pool.
188 unsigned rand_goodbits(rand_pool *r)
191 return (r->ibits + r->obits);
194 /* --- @rand_gate@ --- *
196 * Arguments: @rand_pool *r@ = pointer to a randomness pool
200 * Use: Mixes up the entire state of the generator in a nonreversible
204 void rand_gate(rand_pool *r)
206 octet mac[RMD160_HASHSZ];
211 /* --- Hash up all the data in the pool --- */
216 rmd160_macinit(&mc, &r->k);
217 rmd160_mac(&mc, r->pool, sizeof(r->pool));
218 rmd160_mac(&mc, r->buf, sizeof(r->buf));
219 rmd160_macdone(&mc, mac);
223 /* --- Now mangle all of the data based on the hash --- */
228 blowfish_cbcinit(&bc, mac, sizeof(mac), 0);
229 blowfish_cbcencrypt(&bc, r->pool, r->pool, sizeof(r->pool));
230 blowfish_cbcencrypt(&bc, r->buf, r->buf, sizeof(r->buf));
234 /* --- Reset the various state variables --- */
237 r->obits += r->ibits;
238 if (r->obits > RAND_OBITS) {
239 r->ibits = r->obits - r->ibits;
240 r->obits = RAND_OBITS;
246 /* --- @rand_stretch@ --- *
248 * Arguments: @rand_pool *r@ = pointer to a randomness pool
252 * Use: Stretches the contents of the output buffer by transforming
253 * it in a nonreversible way. This doesn't add any entropy
254 * worth speaking about, but it works well enough when the
255 * caller doesn't care about that sort of thing.
258 void rand_stretch(rand_pool *r)
260 octet mac[RMD160_HASHSZ];
265 /* --- Hash up all the data in the buffer --- */
270 rmd160_macinit(&mc, &r->k);
271 rmd160_mac(&mc, r->pool, sizeof(r->pool));
272 rmd160_mac(&mc, r->buf, sizeof(r->buf));
273 rmd160_macdone(&mc, mac);
277 /* --- Now mangle the buffer based on that hash --- */
282 blowfish_cbcinit(&bc, mac, sizeof(mac), 0);
283 blowfish_cbcencrypt(&bc, r->buf, r->buf, sizeof(r->buf));
287 /* --- Reset the various state variables --- */
293 /* --- @rand_get@ --- *
295 * Arguments: @rand_pool *r@ = pointer to a randomness pool
296 * @void *p@ = pointer to output buffer
297 * @size_t sz@ = size of output buffer
301 * Use: Gets random data from the pool. The pool's contents can't be
302 * determined from the output of this function; nor can the
303 * output data be determined from a knowledge of the data input
304 * to the pool wihtout also having knowledge of the secret key.
305 * The good bits counter is decremented, although no special
306 * action is taken if it reaches zero.
309 void rand_get(rand_pool *r, void *p, size_t sz)
319 if (r->o + sz <= RAND_BUFSZ) {
320 memcpy(o, r->buf + r->o, sz);
324 size_t chunk = RAND_BUFSZ - r->o;
326 memcpy(o, r->buf + r->o, chunk);
334 if (r->obits > sz * 8)
340 /* --- @rand_getgood@ --- *
342 * Arguments: @rand_pool *r@ = pointer to a randomness pool
343 * @void *p@ = pointer to output buffer
344 * @size_t sz@ = size of output buffer
348 * Use: Gets random data from the pool. The pool's contents can't be
349 * determined from the output of this function; nor can the
350 * output data be determined from a knowledge of the data input
351 * to the pool wihtout also having knowledge of the secret key.
352 * If a noise source is attached to the pool in question, it is
353 * called to replenish the supply of good bits in the pool;
354 * otherwise this call is equivalent to @rand_get@.
357 void rand_getgood(rand_pool *r, void *p, size_t sz)
365 if (!r->s || !r->s->getnoise) {
374 if (chunk * 8 > r->obits) {
375 if (chunk * 8 > r->ibits + r->obits)
376 do r->s->getnoise(r); while (r->ibits + r->obits < 128);
378 if (chunk * 8 > r->obits)
379 chunk = r->obits / 8;
382 if (chunk + r->o > RAND_BUFSZ)
383 chunk = RAND_BUFSZ - r->o;
385 memcpy(o, r->buf + r->o, chunk);
386 r->obits -= chunk * 8;
392 /*----- That's all, folks -------------------------------------------------*/