3 * Secure random number generator
5 * (c) 1998 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /*----- Header files ------------------------------------------------------*/
34 #include <mLib/bits.h>
38 #include "blowfish-cbc.h"
42 #include "rmd160-hmac.h"
44 /*----- Static variables --------------------------------------------------*/
46 static const grand_ops gops;
53 static gctx *pool = 0; /* Default random pool */
55 /*----- Macros ------------------------------------------------------------*/
57 #define RAND_RESOLVE(r) do { \
58 if ((r) == RAND_GLOBAL) { \
60 pool = (gctx *)rand_create(); \
65 #define TIMER(r) do { \
66 if ((r)->s && (r)->s->timer) \
70 /*----- Main code ---------------------------------------------------------*/
72 /* --- @rand_init@ --- *
74 * Arguments: @rand_pool *r@ = pointer to a randomness pool
78 * Use: Initializes a randomness pool. The pool doesn't start out
79 * very random: that's your job to sort out. A good suggestion
80 * would be to attach an appropriate noise source and call
84 void rand_init(rand_pool *r)
87 memset(r->pool, 0, sizeof(r->pool));
88 memset(r->buf, 0, sizeof(r->buf));
91 r->ibits = r->obits = 0;
94 rmd160_hmacinit(&r->k, 0, 0);
98 /* --- @rand_noisesrc@ --- *
100 * Arguments: @rand_pool *r@ = pointer to a randomness pool
101 * @const rand_source *s@ = pointer to source definition
105 * Use: Sets a noise source for a randomness pool. When the pool's
106 * estimate of good random bits falls to zero, the @getnoise@
107 * function is called, passing the pool handle as an argument.
108 * It is expected to increase the number of good bits by at
109 * least one, because it'll be called over and over again until
110 * there are enough bits to satisfy the caller. The @timer@
111 * function is called frequently throughout the generator's
115 void rand_noisesrc(rand_pool *r, const rand_source *s)
121 /* --- @rand_seed@ --- *
123 * Arguments: @rand_pool *r@ = pointer to a randomness pool
124 * @unsigned bits@ = number of bits to ensure
128 * Use: Ensures that there are at least @bits@ good bits of entropy
129 * in the pool. It is recommended that you call this after
130 * initializing a new pool. Requesting @bits > RAND_IBITS@ is
131 * doomed to failure (and is an error).
134 void rand_seed(rand_pool *r, unsigned bits)
138 assert(((void)"bits pointlessly large in rand_seed", bits <= RAND_IBITS));
139 assert(((void)"no noise source in rand_seed", r->s));
141 while (r->ibits < bits)
146 /* --- @rand_key@ --- *
148 * Arguments: @rand_pool *r@ = pointer to a randomness pool
149 * @const void *k@ = pointer to key data
150 * @size_t sz@ = size of key data
154 * Use: Sets the secret key for a randomness pool. The key is used
155 * when mixing in new random bits.
158 void rand_key(rand_pool *r, const void *k, size_t sz)
161 rmd160_hmacinit(&r->k, k, sz);
164 /* --- @rand_add@ --- *
166 * Arguments: @rand_pool *r@ = pointer to a randomness pool
167 * @const void *p@ = pointer a buffer of data to add
168 * @size_t sz@ = size of the data buffer
169 * @unsigned goodbits@ = number of good bits estimated in buffer
173 * Use: Mixes the data in the buffer with the contents of the
174 * pool. The estimate of the number of good bits is added to
175 * the pool's own count. The mixing operation is not
176 * cryptographically strong. However, data in the input pool
177 * isn't output directly, only through the one-way gating
178 * operation, so that shouldn't matter.
181 void rand_add(rand_pool *r, const void *p, size_t sz, unsigned goodbits)
186 #if RAND_POOLSZ != 128
187 # error Polynomial in rand_add is out of date. Fix it.
192 i = r->i; rot = r->irot;
196 r->pool[i] ^= (ROL8(o, rot) ^
197 r->pool[(i + 1) % RAND_POOLSZ] ^
198 r->pool[(i + 2) % RAND_POOLSZ] ^
199 r->pool[(i + 7) % RAND_POOLSZ]);
201 i++; if (i >= RAND_POOLSZ) i -= RAND_POOLSZ;
207 r->ibits += goodbits;
208 if (r->ibits > RAND_IBITS)
209 r->ibits = RAND_IBITS;
212 /* --- @rand_goodbits@ --- *
214 * Arguments: @rand_pool *r@ = pointer to a randomness pool
216 * Returns: Estimate of the number of good bits remaining in the pool.
219 unsigned rand_goodbits(rand_pool *r)
222 return (r->ibits + r->obits);
225 /* --- @rand_gate@ --- *
227 * Arguments: @rand_pool *r@ = pointer to a randomness pool
231 * Use: Mixes up the entire state of the generator in a nonreversible
235 void rand_gate(rand_pool *r)
237 octet mac[RMD160_HASHSZ];
242 /* --- Hash up all the data in the pool --- */
247 rmd160_macinit(&mc, &r->k);
248 rmd160_machash(&mc, r->pool, sizeof(r->pool));
249 rmd160_machash(&mc, r->buf, sizeof(r->buf));
250 rmd160_macdone(&mc, mac);
254 /* --- Now mangle all of the data based on the hash --- */
259 blowfish_cbcinit(&bc, mac, sizeof(mac), 0);
260 blowfish_cbcencrypt(&bc, r->pool, r->pool, sizeof(r->pool));
261 blowfish_cbcencrypt(&bc, r->buf, r->buf, sizeof(r->buf));
265 /* --- Reset the various state variables --- */
268 r->obits += r->ibits;
269 if (r->obits > RAND_OBITS) {
270 r->ibits = r->obits - r->ibits;
271 r->obits = RAND_OBITS;
277 /* --- @rand_stretch@ --- *
279 * Arguments: @rand_pool *r@ = pointer to a randomness pool
283 * Use: Stretches the contents of the output buffer by transforming
284 * it in a nonreversible way. This doesn't add any entropy
285 * worth speaking about, but it works well enough when the
286 * caller doesn't care about that sort of thing.
289 void rand_stretch(rand_pool *r)
291 octet mac[RMD160_HASHSZ];
296 /* --- Hash up all the data in the buffer --- */
301 rmd160_macinit(&mc, &r->k);
302 rmd160_machash(&mc, r->pool, sizeof(r->pool));
303 rmd160_machash(&mc, r->buf, sizeof(r->buf));
304 rmd160_macdone(&mc, mac);
308 /* --- Now mangle the buffer based on that hash --- */
313 blowfish_cbcinit(&bc, mac, sizeof(mac), 0);
314 blowfish_cbcencrypt(&bc, r->buf, r->buf, sizeof(r->buf));
318 /* --- Reset the various state variables --- */
324 /* --- @rand_get@ --- *
326 * Arguments: @rand_pool *r@ = pointer to a randomness pool
327 * @void *p@ = pointer to output buffer
328 * @size_t sz@ = size of output buffer
332 * Use: Gets random data from the pool. The pool's contents can't be
333 * determined from the output of this function; nor can the
334 * output data be determined from a knowledge of the data input
335 * to the pool wihtout also having knowledge of the secret key.
336 * The good bits counter is decremented, although no special
337 * action is taken if it reaches zero.
340 void rand_get(rand_pool *r, void *p, size_t sz)
350 if (r->o + sz <= RAND_BUFSZ) {
351 memcpy(o, r->buf + r->o, sz);
355 size_t chunk = RAND_BUFSZ - r->o;
357 memcpy(o, r->buf + r->o, chunk);
365 if (r->obits > sz * 8)
371 /* --- @rand_getgood@ --- *
373 * Arguments: @rand_pool *r@ = pointer to a randomness pool
374 * @void *p@ = pointer to output buffer
375 * @size_t sz@ = size of output buffer
379 * Use: Gets random data from the pool, ensuring that there are
380 * enough good bits. This interface isn't recommended: it makes
381 * the generator slow, and doesn't provide much more security
382 * than @rand_get@, assuming you've previously done a
386 void rand_getgood(rand_pool *r, void *p, size_t sz)
394 if (!r->s || !r->s->getnoise) {
403 if (chunk * 8 > r->obits) {
404 if (chunk * 8 > r->ibits + r->obits)
405 do r->s->getnoise(r); while (r->ibits + r->obits < 256);
407 if (chunk * 8 > r->obits)
408 chunk = r->obits / 8;
411 if (chunk + r->o > RAND_BUFSZ)
412 chunk = RAND_BUFSZ - r->o;
414 memcpy(o, r->buf + r->o, chunk);
416 r->obits -= chunk * 8;
422 /*----- Generic random number generator interface -------------------------*/
424 #define GRESOLVE(g, r) do { \
425 if (r != &rand_global) \
429 pool = (gctx *)rand_create(); \
434 static void gdestroy(grand *r)
444 static int gmisc(grand *r, unsigned op, ...)
454 switch (va_arg(ap, unsigned)) {
457 case GRAND_SEEDUINT32:
458 case GRAND_SEEDBLOCK:
475 case GRAND_SEEDINT: {
476 unsigned u = va_arg(ap, unsigned);
477 rand_add(&g->p, &u, sizeof(u), sizeof(u));
479 case GRAND_SEEDUINT32: {
480 uint32 i = va_arg(ap, uint32);
481 rand_add(&g->p, &i, sizeof(i), 4);
483 case GRAND_SEEDBLOCK: {
484 const void *p = va_arg(ap, const void *);
485 size_t sz = va_arg(ap, size_t);
486 rand_add(&g->p, p, sz, sz);
488 case GRAND_SEEDRAND: {
489 grand *rr = va_arg(ap, grand *);
491 rr->ops->fill(rr, buf, sizeof(buf));
492 rand_add(&g->p, buf, sizeof(buf), 8);
501 const void *k = va_arg(ap, const void *);
502 size_t sz = va_arg(ap, size_t);
503 rand_key(&g->p, k, sz);
506 rand_noisesrc(&g->p, va_arg(ap, const rand_source *));
509 rand_seed(&g->p, va_arg(ap, unsigned));
515 rc = rand_goodbits(&g->p);
518 const void *p = va_arg(ap, const void *);
519 size_t sz = va_arg(ap, size_t);
520 unsigned goodbits = va_arg(ap, unsigned);
521 rand_add(&g->p, p, sz, goodbits);
532 static octet gbyte(grand *r)
537 rand_getgood(&g->p, &o, 1);
541 static uint32 gword(grand *r)
546 rand_getgood(&g->p, &b, sizeof(b));
550 static void gfill(grand *r, void *p, size_t sz)
554 rand_get(&g->p, p, sz);
557 static const grand_ops gops = {
561 gword, gbyte, gword, grand_range, gfill
564 grand rand_global = { &gops };
566 /* --- @rand_create@ --- *
570 * Returns: Pointer to a generic generator.
572 * Use: Constructs a generic generator interface over a Catacomb
573 * entropy pool generator.
576 grand *rand_create(void)
578 gctx *g = S_CREATE(gctx);
584 /*----- That's all, folks -------------------------------------------------*/
~mdw / catacomb / blob