3 * Secure random number generator
5 * (c) 1998 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /*----- Header files ------------------------------------------------------*/
36 #include <mLib/bits.h>
48 #include "twofish-counter.h"
51 #define CIPHER_CTX twofish_counterctx
52 #define CIPHER_INIT twofish_counterinit
53 #define CIPHER_ENCRYPT twofish_counterencrypt
54 #define CIPHER_IVSZ TWOFISH_BLKSZ
55 #define CIPHER_KEYSZ TWOFISH_KEYSZ
57 #define HASH_CTX sha256_ctx
58 #define HASH_INIT sha256_init
59 #define HASH sha256_hash
60 #define HASH_DONE sha256_done
61 #define HASH_SZ SHA256_HASHSZ
63 /*----- Static variables --------------------------------------------------*/
65 static const grand_ops gops;
67 typedef struct rand__gctx {
76 { "Catacomb global random byte pool" },
80 /*----- Macros ------------------------------------------------------------*/
82 #define RAND_RESOLVE(r) \
83 do { if ((r) == RAND_GLOBAL) r = &rand_global.p; } while (0)
85 #define GENCHECK(r) do { \
86 unsigned gen = rand_generation(); \
87 if (r->gen != gen) { r->gen = gen; rand_gate(r); } \
90 static int quick(rand_pool *);
91 #define QUICK(r) do { \
93 if ((r)->s && (r)->s->timer) (r)->s->timer(r); \
96 /*----- Main code ---------------------------------------------------------*/
98 /* --- @rand_init@ --- *
100 * Arguments: @rand_pool *r@ = pointer to a randomness pool
104 * Use: Initializes a randomness pool. The pool doesn't start out
105 * very random: that's your job to sort out. A good suggestion
106 * would be to attach an appropriate noise source and call
110 void rand_init(rand_pool *r)
113 memset(r->pool, 0, sizeof(r->pool));
114 memset(r->buf, 0, sizeof(r->buf));
115 r->gen = rand_generation();
118 r->ibits = r->obits = 0;
120 r->s = &noise_source;
125 /* --- @rand_noisesrc@ --- *
127 * Arguments: @rand_pool *r@ = pointer to a randomness pool
128 * @const rand_source *s@ = pointer to source definition
132 * Use: Sets a noise source for a randomness pool. When the pool's
133 * estimate of good random bits falls to zero, the @getnoise@
134 * function is called, passing the pool handle as an argument.
135 * It is expected to increase the number of good bits by at
136 * least one, because it'll be called over and over again until
137 * there are enough bits to satisfy the caller. The @timer@
138 * function is called frequently throughout the generator's
142 void rand_noisesrc(rand_pool *r, const rand_source *s)
148 /* --- @rand_quick@ --- *
150 * Arguments: @rand_pool *r@ = pointer to a randomness pool
152 * Returns: Zero on success; @-1@ on failure.
154 * Use Attempts to use some machine-specific `quick' source of
155 * entropy to top up @r@. This may not do anything at all on
159 CPU_DISPATCH(static, return, int, quick, (rand_pool *r), (r),
160 pick_quick, trivial_quick);
162 static int trivial_quick(rand_pool *r) { return (-1); }
164 #if CPUFAM_X86 || CPUFAM_AMD64
165 extern int rand_quick_x86ish_rdrand(rand_pool */*r*/);
166 extern int rand_quick_x86ish_rdseed(rand_pool */*r*/);
169 static quick__functype *pick_quick(void)
171 #if CPUFAM_X86 || CPUFAM_AMD64
172 DISPATCH_PICK_COND(rand_quick, rand_quick_x86ish_rdseed,
173 cpu_feature_p(CPUFEAT_X86_RDSEED));
174 DISPATCH_PICK_COND(rand_quick, rand_quick_x86ish_rdrand,
175 cpu_feature_p(CPUFEAT_X86_RDRAND));
177 DISPATCH_PICK_FALLBACK(rand_quick, trivial_quick);
180 int rand_quick(rand_pool *r) { RAND_RESOLVE(r); return (quick(r)); }
182 /* --- @rand_seed@ --- *
184 * Arguments: @rand_pool *r@ = pointer to a randomness pool
185 * @unsigned bits@ = number of bits to ensure
189 * Use: Ensures that there are at least @bits@ good bits of entropy
190 * in the pool. It is recommended that you call this after
191 * initializing a new pool. Requesting @bits > RAND_IBITS@ is
192 * doomed to failure (and is an error).
195 void rand_seed(rand_pool *r, unsigned bits)
199 assert(((void)"bits pointlessly large in rand_seed", bits <= RAND_IBITS));
200 assert(((void)"no noise source in rand_seed", r->s));
202 while (r->ibits < bits)
207 /* --- @rand_key@ --- *
209 * Arguments: @rand_pool *r@ = pointer to a randomness pool
210 * @const void *k@ = pointer to key data
211 * @size_t sz@ = size of key data
215 * Use: Sets the secret key for a randomness pool. The key is used
216 * when mixing in new random bits.
219 void rand_key(rand_pool *r, const void *k, size_t sz)
223 static const char label[] = "Catacomb random pool key";
227 assert(HASH_SZ >= RAND_KEYSZ);
229 HASH(&hc, label, sizeof(label));
230 if (sz) HASH(&hc, k, sz);
232 memcpy(r->k.k, h, RAND_KEYSZ);
235 /* --- @rand_add@ --- *
237 * Arguments: @rand_pool *r@ = pointer to a randomness pool
238 * @const void *p@ = pointer a buffer of data to add
239 * @size_t sz@ = size of the data buffer
240 * @unsigned goodbits@ = number of good bits estimated in buffer
244 * Use: Mixes the data in the buffer with the contents of the
245 * pool. The estimate of the number of good bits is added to
246 * the pool's own count. The mixing operation is not
247 * cryptographically strong. However, data in the input pool
248 * isn't output directly, only through the one-way gating
249 * operation, so that shouldn't matter.
252 void rand_add(rand_pool *r, const void *p, size_t sz, unsigned goodbits)
257 STATIC_ASSERT(RAND_POOLSZ == 128, "Polynomial doesn't match pool size");
261 i = r->i; rot = r->irot;
265 r->pool[i] ^= (ROL8(o, rot) ^
266 r->pool[(i + 1) % RAND_POOLSZ] ^
267 r->pool[(i + 2) % RAND_POOLSZ] ^
268 r->pool[(i + 7) % RAND_POOLSZ]);
270 i++; if (i >= RAND_POOLSZ) i -= RAND_POOLSZ;
276 r->ibits += goodbits;
277 if (r->ibits > RAND_IBITS)
278 r->ibits = RAND_IBITS;
281 /* --- @rand_goodbits@ --- *
283 * Arguments: @rand_pool *r@ = pointer to a randomness pool
285 * Returns: Estimate of the number of good bits remaining in the pool.
288 unsigned rand_goodbits(rand_pool *r)
291 return (r->ibits + r->obits);
294 /* --- @rand_gate@ --- *
296 * Arguments: @rand_pool *r@ = pointer to a randomness pool
300 * Use: Mixes up the entire state of the generator in a nonreversible
304 void rand_gate(rand_pool *r)
306 octet h[HASH_SZ], g[4];
310 STATIC_ASSERT(CIPHER_KEYSZ <= HASH_SZ, "rand cipher keysize too long");
315 /* --- Hash up all the data in the pool --- */
318 STORE32(g, r->gen); HASH(&hc, g, sizeof(g));
319 HASH(&hc, r->k.k, RAND_KEYSZ);
320 HASH(&hc, r->pool, RAND_POOLSZ);
321 HASH(&hc, r->buf, RAND_BUFSZ);
325 /* --- Now mangle all of the data based on the hash --- */
327 CIPHER_INIT(&cc, h, CIPHER_KEYSZ, 0);
328 CIPHER_ENCRYPT(&cc, r->pool, r->pool, RAND_POOLSZ);
329 CIPHER_ENCRYPT(&cc, r->buf, r->buf, RAND_BUFSZ);
332 /* --- Reset the various state variables --- */
335 r->obits += r->ibits;
336 if (r->obits > RAND_OBITS) {
337 r->ibits = r->obits - r->ibits;
338 r->obits = RAND_OBITS;
344 /* --- @rand_stretch@ --- *
346 * Arguments: @rand_pool *r@ = pointer to a randomness pool
350 * Use: Stretches the contents of the output buffer by transforming
351 * it in a nonreversible way. This doesn't add any entropy
352 * worth speaking about, but it works well enough when the
353 * caller doesn't care about that sort of thing.
356 void rand_stretch(rand_pool *r)
358 octet h[HASH_SZ], g[4];
362 STATIC_ASSERT(CIPHER_KEYSZ <= HASH_SZ, "rand cipher keysize too long");
367 /* --- Hash up all the data in the buffer --- */
370 STORE32(g, r->gen); HASH(&hc, g, sizeof(g));
371 HASH(&hc, r->k.k, RAND_KEYSZ);
372 HASH(&hc, r->pool, RAND_POOLSZ);
373 HASH(&hc, r->buf, RAND_BUFSZ);
377 /* --- Now mangle the buffer based on the hash --- */
379 CIPHER_INIT(&cc, h, CIPHER_KEYSZ, 0);
380 CIPHER_ENCRYPT(&cc, r->buf, r->buf, RAND_BUFSZ);
383 /* --- Reset the various state variables --- */
389 /* --- @rand_get@ --- *
391 * Arguments: @rand_pool *r@ = pointer to a randomness pool
392 * @void *p@ = pointer to output buffer
393 * @size_t sz@ = size of output buffer
397 * Use: Gets random data from the pool. The pool's contents can't be
398 * determined from the output of this function; nor can the
399 * output data be determined from a knowledge of the data input
400 * to the pool wihtout also having knowledge of the secret key.
401 * The good bits counter is decremented, although no special
402 * action is taken if it reaches zero.
405 void rand_get(rand_pool *r, void *p, size_t sz)
416 if (r->o + sz <= RAND_BUFSZ) {
417 memcpy(o, r->buf + r->o, sz);
421 size_t chunk = RAND_BUFSZ - r->o;
423 memcpy(o, r->buf + r->o, chunk);
431 if (r->obits > sz * 8)
437 /* --- @rand_getgood@ --- *
439 * Arguments: @rand_pool *r@ = pointer to a randomness pool
440 * @void *p@ = pointer to output buffer
441 * @size_t sz@ = size of output buffer
445 * Use: Gets random data from the pool, ensuring that there are
446 * enough good bits. This interface isn't recommended: it makes
447 * the generator slow, and doesn't provide much more security
448 * than @rand_get@, assuming you've previously done a
452 void rand_getgood(rand_pool *r, void *p, size_t sz)
460 if (!r->s || !r->s->getnoise) {
470 if (chunk * 8 > r->obits) {
471 if (chunk * 8 > r->ibits + r->obits)
472 do r->s->getnoise(r); while (r->ibits + r->obits < 256);
474 if (chunk * 8 > r->obits)
475 chunk = r->obits / 8;
478 if (chunk + r->o > RAND_BUFSZ)
479 chunk = RAND_BUFSZ - r->o;
481 memcpy(o, r->buf + r->o, chunk);
483 r->obits -= chunk * 8;
489 /*----- Generic random number generator interface -------------------------*/
491 static void gdestroy(grand *r)
494 if (g != &rand_global) {
500 static int gmisc(grand *r, unsigned op, ...)
509 switch (va_arg(ap, unsigned)) {
512 case GRAND_SEEDUINT32:
513 case GRAND_SEEDBLOCK:
530 case GRAND_SEEDINT: {
531 unsigned u = va_arg(ap, unsigned);
532 rand_add(&g->p, &u, sizeof(u), sizeof(u));
534 case GRAND_SEEDUINT32: {
535 uint32 i = va_arg(ap, uint32);
536 rand_add(&g->p, &i, sizeof(i), 4);
538 case GRAND_SEEDBLOCK: {
539 const void *p = va_arg(ap, const void *);
540 size_t sz = va_arg(ap, size_t);
541 rand_add(&g->p, p, sz, sz);
543 case GRAND_SEEDRAND: {
544 grand *rr = va_arg(ap, grand *);
546 rr->ops->fill(rr, buf, sizeof(buf));
547 rand_add(&g->p, buf, sizeof(buf), 8);
556 const void *k = va_arg(ap, const void *);
557 size_t sz = va_arg(ap, size_t);
558 rand_key(&g->p, k, sz);
561 rand_noisesrc(&g->p, va_arg(ap, const rand_source *));
564 rand_seed(&g->p, va_arg(ap, unsigned));
570 rc = rand_goodbits(&g->p);
573 const void *p = va_arg(ap, const void *);
574 size_t sz = va_arg(ap, size_t);
575 unsigned goodbits = va_arg(ap, unsigned);
576 rand_add(&g->p, p, sz, goodbits);
587 static octet gbyte(grand *r)
591 rand_getgood(&g->p, &o, 1);
595 static uint32 gword(grand *r)
599 rand_getgood(&g->p, &b, sizeof(b));
603 static void gfill(grand *r, void *p, size_t sz)
606 rand_get(&g->p, p, sz);
609 static const grand_ops gops = {
613 gword, gbyte, gword, grand_defaultrange, gfill
616 /* --- @rand_create@ --- *
620 * Returns: Pointer to a generic generator.
622 * Use: Constructs a generic generator interface over a Catacomb
623 * entropy pool generator.
626 grand *rand_create(void)
628 gctx *g = S_CREATE(gctx);
634 /*----- That's all, folks -------------------------------------------------*/
~mdw / catacomb / blob