]>
git.ipfire.org Git - thirdparty/dhcp.git/blob - dst/prandom.c
2 * Portions Copyright (c) 2012-2014 by Internet Systems Consortium, Inc. ("ISC")
3 * Portions Copyright (c) 2007,2009 by Internet Systems Consortium, Inc. ("ISC")
4 * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
6 * Permission to use, copy modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
11 * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
12 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
13 * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
14 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
15 * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
16 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
17 * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
21 #include <sys/types.h>
28 #include <sys/param.h>
32 #include <netinet/in.h>
33 #include <sys/socket.h>
34 #define NEED_PRAND_CONF
38 #include "dst_internal.h"
39 #include "arpa/nameser.h"
42 #ifndef DST_NUM_HASHES
43 #define DST_NUM_HASHES 4
45 #ifndef DST_NUMBER_OF_COUNTERS
46 #define DST_NUMBER_OF_COUNTERS 5 /* 32 * 5 == 160 == SHA(1) > MD5 */
50 * the constant below is a prime number to make fixed data structures like
51 * stat and time wrap over blocks. This adds certain randomness to what is
52 * in each digested block.
53 * The prime number 2879 has the special property that when
54 * divided by 2,4 and 6 the result is also a prime numbers
57 #ifndef DST_RANDOM_BLOCK_SIZE
58 #define DST_RANDOM_BLOCK_SIZE 2879
62 * This constant dictates how many bits we shift to the right before using a
69 * An initializer that is as bad as any other with half the bits set
71 #ifndef DST_RANDOM_PATTERN
72 #define DST_RANDOM_PATTERN 0x8765CA93
75 * things must have changed in the last 3600 seconds to be used
80 * Define a single set of configuration for prand stuff. A superset
81 * works okay (failed commands return no data, missing directories
82 * are skipped, and so on.
84 static const char *cmds
[] = {
85 "/usr/bin/netstat -an 2>&1",
86 "/usr/sbin/netstat -an 2>&1",
87 "/usr/etc/netstat -an 2>&1",
88 "/bin/netstat -an 2>&1",
89 "/usr/ucb/netstat -an 2>&1",
94 "/usr/bin/uptime 2>&1",
95 "/usr/bin/printenv 2>&1",
96 "/usr/bin/netstat -s 2>&1",
99 "/usr/bin/dig com. soa +ti=1 +retry=0 2>&1",
100 "/usr/sbin/arp -an 2>&1",
101 "/usr/ucb/uptime 2>&1",
104 "/bin/ps -axlw 2>&1",
105 "/usr/sbin/iostat 2>&1",
106 "/usr/sbin/vmstat 2>&1",
108 "/usr/bin/vmstat 2>&1",
111 "/usr/bin/ps -ef 2>&1",
113 "/usr/etc/arp -a 2>&1",
114 "/usr/bsd/uptime 2>&1",
115 "/usr/bin/printenv 2>&1",
118 "/sbin/arp -an 2>&1",
119 "/usr/bin/vmstat 2>&1",
126 "/bin/sin memory 2>&1",
128 "/usr/ucb/uptime 2>&1",
129 "/usr/ucb/netstat -an 2>&1",
131 "/usr/bin/netstat -an 2>&1",
132 "/usr/sbin/netstat -an 2>&1",
133 "/usr/etc/netstat -an 2>&1",
134 "/bin/netstat -an 2>&1",
135 "/usr/ucb/netstat -an 2>&1",
139 static const char *dirs
[] = {
154 static const char *files
[] = {
173 * these two data structure are used to process input data into digests,
175 * The first structure contains a pointer to a DST HMAC key
176 * the variables accompanying are used for
177 * step : select every step byte from input data for the hash
178 * block: number of data elements going into each hash
179 * digested: number of data elements digested so far
180 * curr: offset into the next input data for the first byte.
182 typedef struct hash
{
185 int digested
, block
, step
, curr
;
189 * This data structure controls number of hashes and keeps track of
190 * overall progress in generating correct number of bytes of output.
191 * output : array to store the output data in
192 * needed : how many bytes of output are needed
193 * filled : number of bytes in output so far.
194 * bytes : total number of bytes processed by this structure
195 * file_digest : the HMAC key used to digest files.
197 typedef struct work
{
198 unsigned needed
, filled
, bytes
;
200 prand_hash
*hash
[DST_NUM_HASHES
];
201 DST_KEY
*file_digest
;
206 * forward function declarations
208 static int get_dev_random(u_char
*output
, unsigned size
);
209 static int do_time(dst_work
*work
);
210 static int do_ls(dst_work
*work
);
211 static int unix_cmd(dst_work
*work
);
212 static int digest_file(dst_work
*work
);
214 static void force_hash(dst_work
*work
, prand_hash
*hash
);
215 static int do_hash(dst_work
*work
, prand_hash
*hash
, const u_char
*input
,
217 static int my_digest(dst_work
*tmp
, const u_char
*input
, unsigned size
);
218 static prand_hash
*get_hmac_key(int step
, int block
);
220 static unsigned own_random(dst_work
*work
);
224 * variables used in the quick random number generator
226 static u_int32_t ran_val
= DST_RANDOM_PATTERN
;
227 static u_int32_t ran_cnt
= (DST_RANDOM_PATTERN
>> 10);
230 * setting the quick_random generator to particular values or if both
231 * input parameters are 0 then set it to initial values
235 dst_s_quick_random_set(u_int32_t val
, u_int32_t cnt
)
237 ran_val
= (val
== 0) ? DST_RANDOM_PATTERN
: val
;
238 ran_cnt
= (cnt
== 0) ? (DST_RANDOM_PATTERN
>> 10) : cnt
;
242 * this is a quick and random number generator that seems to generate quite
243 * good distribution of data
246 dst_s_quick_random(int inc
)
248 ran_val
= ((ran_val
>> 13) ^ (ran_val
<< 19)) ^
249 ((ran_val
>> 7) ^ (ran_val
<< 25));
250 if (inc
> 0) /* only increasing values accepted */
252 ran_val
+= ran_cnt
++;
257 * get_dev_random: Function to read /dev/random reliably
258 * this function returns how many bytes where read from the device.
259 * port_after.h should set the control variable HAVE_DEV_RANDOM
262 get_dev_random(u_char
*output
, unsigned size
)
264 #ifdef HAVE_DEV_RANDOM
266 int n
= 0, fd
= -1, s
;
268 s
= stat("/dev/random", &st
);
269 if (s
== 0 && S_ISCHR(st
.st_mode
)) {
270 if ((fd
= open("/dev/random", O_RDONLY
| O_NONBLOCK
)) != -1) {
271 if ((n
= read(fd
, output
, size
)) < 0)
282 * Portable way of getting the time values if gettimeofday is missing
283 * then compile with -DMISSING_GETTIMEOFDAY time() is POSIX compliant but
284 * gettimeofday() is not.
285 * Time of day is predictable, we are looking for the randomness that comes
286 * the last few bits in the microseconds in the timer are hard to predict when
287 * this is invoked at the end of other operations
289 struct timeval
*mtime
;
291 do_time(dst_work
*work
)
294 static u_char tmp
[sizeof(struct timeval
) + sizeof(struct timezone
)];
295 struct timezone
*zone
;
297 zone
= (struct timezone
*) tmp
;
298 mtime
= (struct timeval
*)(tmp
+ sizeof(struct timezone
));
299 gettimeofday(mtime
, zone
);
301 my_digest(work
, tmp
, sizeof(tmp
));
307 * this function simulates the ls command, but it uses stat which gives more
308 * information and is harder to guess
309 * Each call to this function will visit the next directory on the list of
310 * directories, in a circular manner.
311 * return value is the number of bytes added to the temp buffer
313 * do_ls() does not visit subdirectories
314 * if attacker has access to machine it can guess most of the values seen
315 * thus it is important to only visit directories that are frequently updated
316 * Attacker that has access to the network can see network traffic
317 * when NFS mounted directories are accessed and know exactly the data used
318 * but may not know exactly in what order data is used.
319 * Returns the number of bytes that where returned in stat structures
322 do_ls(dst_work
*work
)
328 time_t atime
, mtime
, ctime
;
330 static struct dir_info dir_info
;
332 struct dirent
*entry
;
334 static unsigned long d_round
= 0;
339 char file_name
[1024];
340 u_char tmp_buff
[1024];
343 if (dirs
[i
] == NULL
) /* if at the end of the list start over */
345 if (stat(dirs
[i
++], &buf
)) /* directory does not exist */
348 gettimeofday(&tv
,NULL
);
350 d_round
= tv
.tv_sec
- MAX_OLD
;
351 else if (i
==1) /* if starting a new round cut what we accept */
352 d_round
+= (tv
.tv_sec
- d_round
)/2;
354 if (buf
.st_atime
< d_round
)
357 EREPORT(("do_ls i %d filled %4d in_temp %4d\n",
358 i
-1, work
->filled
, work
->in_temp
));
359 memcpy(tmp_buff
, &buf
, sizeof(buf
));
362 if ((dir
= opendir(dirs
[i
-1])) == NULL
)/* open it for read */
364 strcpy(file_name
, dirs
[i
-1]);
365 dir_len
= strlen(file_name
);
366 file_name
[dir_len
++] = '/';
367 while ((entry
= readdir(dir
))) {
368 unsigned len
= strlen(entry
->d_name
);
370 if (my_digest(work
, (u_char
*)entry
->d_name
, len
))
373 memcpy(&file_name
[dir_len
], entry
->d_name
, len
);
374 file_name
[dir_len
+ len
] = 0x0;
375 /* for all entries in dir get the stats */
376 if (stat(file_name
, &buf
) == 0) {
377 n
++; /* count successful stat calls */
378 /* copy non static fields */
379 dir_info
.uid
+= buf
.st_uid
;
380 dir_info
.gid
+= buf
.st_gid
;
381 dir_info
.size
+= buf
.st_size
;
382 dir_info
.atime
+= buf
.st_atime
;
383 dir_info
.mtime
+= buf
.st_mtime
;
384 dir_info
.ctime
+= buf
.st_ctime
;
385 out
+= sizeof(dir_info
);
386 if(my_digest(work
, (u_char
*)&dir_info
,
391 closedir(dir
); /* done */
392 out
+= do_time(work
); /* add a time stamp */
399 * this function executes the a command from the cmds[] list of unix commands
400 * configured in the prand_conf.h file
401 * return value is the number of bytes added to the randomness temp buffer
403 * it returns the number of bytes that where read in
404 * if more data is needed at the end time is added to the data.
405 * This function maintains a state to selects the next command to run
406 * returns the number of bytes read in from the command
409 unix_cmd(dst_work
*work
)
411 static int cmd_index
= 0;
416 if (cmds
[cmd_index
] == NULL
)
418 EREPORT(("unix_cmd() i %d filled %4d in_temp %4d\n",
419 cmd_index
, work
->filled
, work
->in_temp
));
420 pipe
= popen(cmds
[cmd_index
++], "r"); /* execute the command */
422 while ((n
= fread(buffer
, sizeof(char), sizeof(buffer
), pipe
)) > 0) {
423 cnt
+= n
; /* process the output */
424 if (my_digest(work
, buffer
, (unsigned)n
))
426 /* this adds some randomness to the output */
427 cnt
+= do_time(work
);
429 while ((n
= fread(buffer
, sizeof(char), sizeof(buffer
), pipe
)) > 0)
430 ; /* drain the pipe */
432 return (cnt
); /* read how many bytes where read in */
436 * digest_file() This function will read a file and run hash over it
437 * input is a file name
440 digest_file(dst_work
*work
)
442 static int f_cnt
= 0;
443 static unsigned long f_round
= 0;
452 name
= files
[f_cnt
++];
453 if (f_round
== 0 || files
[f_cnt
] == NULL
|| work
->file_digest
== NULL
)
454 if (gettimeofday(&tv
, NULL
)) /* only do this if needed */
456 if (f_round
== 0) /* first time called set to one hour ago */
457 f_round
= (tv
.tv_sec
- MAX_OLD
);
458 if (files
[f_cnt
] == NULL
) { /* end of list of files */
459 if(f_cnt
<= 1) /* list is too short */
461 f_cnt
= 0; /* start again on list */
462 f_round
+= (tv
.tv_sec
- f_round
)/2; /* set new cutoff */
463 work
->file_digest
= dst_free_key(work
->file_digest
);
465 if (work
->file_digest
== NULL
) {
466 work
->file_digest
= dst_buffer_to_key("", KEY_HMAC_MD5
, 0, 0,
467 (u_char
*)&tv
, sizeof(tv
));
468 if (work
->file_digest
== NULL
)
471 if (access(name
, R_OK
) || stat(name
, &st
))
472 return (0); /* no such file or not allowed to read it */
473 if (strncmp(name
, "/proc/", 6) && st
.st_mtime
< f_round
)
474 return(0); /* file has not changed recently enough */
475 if (dst_sign_data(SIG_MODE_INIT
, work
->file_digest
, &ctx
,
477 work
->file_digest
= dst_free_key(work
->file_digest
);
480 if ((fp
= fopen(name
, "r")) == NULL
)
482 for (no
= 0; (i
= fread(buf
, sizeof(*buf
), sizeof(buf
), fp
)) > 0;
484 dst_sign_data(SIG_MODE_UPDATE
, work
->file_digest
, &ctx
,
485 buf
, (unsigned)i
, NULL
, 0);
489 i
= dst_sign_data(SIG_MODE_FINAL
, work
->file_digest
, &ctx
,
490 NULL
, 0, &work
->output
[work
->filled
],
496 my_digest(work
, (const u_char
*)name
, strlen(name
));
497 return (no
+ strlen(name
));
501 * function to perform the FINAL and INIT operation on a hash if allowed
504 force_hash(dst_work
*work
, prand_hash
*hash
)
509 * if more than half a block then add data to output
510 * otherwise add the digest to the next hash
512 if ((hash
->digested
* 2) > hash
->block
) {
513 i
= dst_sign_data(SIG_MODE_FINAL
, hash
->key
, &hash
->ctx
,
514 NULL
, 0, &work
->output
[work
->filled
],
518 dst_sign_data(SIG_MODE_INIT
, hash
->key
, &hash
->ctx
,
527 * This function takes the input data does the selection of data specified
528 * by the hash control block.
529 * The step variable in the work structure determines which 1/step bytes
534 do_hash(dst_work
*work
, prand_hash
*hash
, const u_char
*input
, unsigned size
)
536 const u_char
*tmp
= input
;
537 u_char
*tp
, *abuf
= (u_char
*)0;
539 unsigned needed
, avail
, dig
, cnt
= size
;
540 unsigned tmp_size
= 0;
542 if (cnt
<= 0 || input
== NULL
)
545 if (hash
->step
> 1) { /* if using subset of input data */
546 tmp_size
= size
/ hash
->step
+ 2;
547 abuf
= tp
= malloc(tmp_size
);
548 /* no good return code but at least don't step on things */
553 for (cnt
= 0, i
= hash
->curr
; i
< size
; i
+= hash
->step
, cnt
++)
555 /* calculate the starting point in the next input set */
556 hash
->curr
= (hash
->step
- (i
- size
)) % hash
->step
;
558 /* digest the data in block sizes */
559 for (n
= 0; n
< cnt
; n
+= needed
) {
561 needed
= hash
->block
- hash
->digested
;
562 dig
= (avail
< needed
) ? avail
: needed
;
563 dst_sign_data(SIG_MODE_UPDATE
, hash
->key
, &hash
->ctx
,
564 &tmp
[n
], dig
, NULL
, 0);
565 hash
->digested
+= dig
;
566 if (hash
->digested
>= hash
->block
)
567 force_hash(work
, hash
);
568 if (work
->needed
< work
->filled
) {
570 SAFE_FREE2(abuf
, tmp_size
);
575 SAFE_FREE2(abuf
, tmp_size
);
580 * Copy data from INPUT for length SIZE into the work-block TMP.
581 * If we fill the work-block, digest it; then,
582 * if work-block needs more data, keep filling with the rest of the input.
585 my_digest(dst_work
*work
, const u_char
*input
, unsigned size
)
589 static unsigned counter
;
592 /* first do each one of the hashes */
593 for (i
= 0; i
< DST_NUM_HASHES
&& full
== 0; i
++)
594 full
= do_hash(work
, work
->hash
[i
], input
, size
) +
595 do_hash(work
, work
->hash
[i
], (u_char
*) &counter
,
598 * if enough data has be generated do final operation on all hashes
599 * that have enough date for that
601 for (i
= 0; full
&& (i
< DST_NUM_HASHES
); i
++)
602 force_hash(work
, work
->hash
[i
]);
608 * this function gets some semi random data and sets that as an HMAC key
609 * If we get a valid key this function returns that key initialized
610 * otherwise it returns NULL;
613 get_hmac_key(int step
, int block
)
619 DST_KEY
*new_key
= NULL
;
620 prand_hash
*new = NULL
;
622 /* use key that is larger than digest algorithms (64) for key size */
626 /* do not memset the allocated memory to get random bytes there */
627 /* time of day is somewhat random especially in the last bytes */
628 gettimeofday((struct timeval
*) &buff
[n
], NULL
);
629 n
+= sizeof(struct timeval
);
631 /* get some semi random stuff in here stir it with micro seconds */
633 temp
= dst_s_quick_random((int) buff
[n
- 1]);
634 memcpy(&buff
[n
], &temp
, sizeof(temp
));
637 /* get the pid of this process and its parent */
639 temp
= (int) getpid();
640 memcpy(&buff
[n
], &temp
, sizeof(temp
));
644 temp
= (int) getppid();
645 memcpy(&buff
[n
], &temp
, sizeof(temp
));
648 /* get the user ID */
650 temp
= (int) getuid();
651 memcpy(&buff
[n
], &temp
, sizeof(temp
));
654 #ifndef GET_HOST_ID_MISSING
656 temp
= (int) gethostid();
657 memcpy(&buff
[n
], &temp
, sizeof(temp
));
661 /* get some more random data */
663 temp
= dst_s_quick_random((int) buff
[n
- 1]);
664 memcpy(&buff
[n
], &temp
, sizeof(temp
));
666 /* covert this into a HMAC key */
667 new_key
= dst_buffer_to_key("", KEY_HMAC_MD5
, 0, 0, buff
, size
);
670 /* get the control structure */
671 if ((new = malloc(sizeof(prand_hash
))) == NULL
)
673 new->digested
= new->curr
= 0;
677 if (dst_sign_data(SIG_MODE_INIT
, new_key
, &new->ctx
, NULL
, 0, NULL
, 0)) {
687 * This function goes out and from various sources tries to generate enough
688 * semi random data that a hash function can generate a random data.
689 * This function will iterate between the two main random source sources,
690 * information from programs and directories in random order.
691 * This function return the number of bytes added to the random output buffer.
694 own_random(dst_work
*work
)
697 int bytes
, n
, cmd
= 0, dig
= 0;
699 * now get the initial seed to put into the quick random function from
700 * the address of the work structure
702 bytes
= (int) getpid();
704 * proceed while needed
706 while (work
->filled
< work
->needed
) {
707 EREPORT(("own_random r %08x b %6d t %6d f %6d\n",
708 ran_val
, bytes
, work
->in_temp
, work
->filled
));
709 /* pick a random number in the range of 0..7 based on that random number
710 * perform some operations that yield random data
712 n
= (dst_s_quick_random(bytes
) >> DST_SHIFT
) & 0x07;
716 if (sizeof(cmds
) > 2 *sizeof(*cmds
)) {
724 if (sizeof(dirs
) > 2 *sizeof(*dirs
)) {
732 /* retry getting data from /dev/random */
733 b
= get_dev_random(&work
->output
[work
->filled
],
734 work
->needed
- work
->filled
);
740 if (sizeof(files
) > 2 * sizeof(*files
)) {
741 b
= digest_file(work
);
747 default: /* to make sure we make some progress */
748 work
->output
[work
->filled
++] = 0xff &
749 dst_s_quick_random(bytes
);
756 return (work
->filled
);
761 * dst_s_random() This function will return the requested number of bytes
762 * of randomness to the caller it will use the best available sources of
764 * The current order is to use /dev/random, precalculated randomness, and
765 * finally use some system calls and programs to generate semi random data
766 * that is then digested to generate randomness.
767 * This function is thread safe as each thread uses its own context, but
768 * concurrent treads will affect each other as they update shared state
770 * It is strongly recommended that this function be called requesting a size
771 * that is not a multiple of the output of the hash function used.
773 * If /dev/random is not available this function is not suitable to generate
774 * large amounts of data, rather it is suitable to seed a pseudo-random
776 * Returns the number of bytes put in the output buffer
779 dst_s_random(u_char
*output
, unsigned size
)
783 static u_char old_unused
[DST_HASH_SIZE
* DST_NUM_HASHES
];
784 static unsigned unused
= 0;
786 if (size
<= 0 || output
== NULL
)
792 * Read from /dev/random
794 n
= get_dev_random(output
, size
);
796 * If old data is available and needed use it
798 if (n
< size
&& unused
> 0) {
799 unsigned need
= size
- n
;
800 if (unused
<= need
) {
801 memcpy(output
, old_unused
, unused
);
805 memcpy(output
, old_unused
, need
);
808 memcpy(old_unused
, &old_unused
[need
], unused
);
812 * If we need more use the simulated randomness here.
815 dst_work
*my_work
= (dst_work
*) malloc(sizeof(dst_work
));
818 my_work
->needed
= size
- n
;
820 my_work
->output
= (u_char
*) malloc(my_work
->needed
+
823 my_work
->file_digest
= NULL
;
824 if (my_work
->output
== NULL
) {
828 memset(my_work
->output
, 0x0, my_work
->needed
);
829 /* allocate upto 4 different HMAC hash functions out of order */
830 #if DST_NUM_HASHES >= 3
831 my_work
->hash
[2] = get_hmac_key(3, DST_RANDOM_BLOCK_SIZE
/ 2);
833 #if DST_NUM_HASHES >= 2
834 my_work
->hash
[1] = get_hmac_key(7, DST_RANDOM_BLOCK_SIZE
/ 6);
836 #if DST_NUM_HASHES >= 4
837 my_work
->hash
[3] = get_hmac_key(5, DST_RANDOM_BLOCK_SIZE
/ 4);
839 my_work
->hash
[0] = get_hmac_key(1, DST_RANDOM_BLOCK_SIZE
);
840 if (my_work
->hash
[0] == NULL
) { /* if failure bail out */
841 for (i
= 1; i
< DST_NUM_HASHES
; i
++) {
842 if (my_work
->hash
[i
] != NULL
) {
843 dst_free_key(my_work
->hash
[i
]->key
);
844 SAFE_FREE(my_work
->hash
[i
]);
847 SAFE_FREE(my_work
->output
);
851 s
= own_random(my_work
);
852 /* if more generated than needed store it for future use */
853 if (s
>= my_work
->needed
) {
854 EREPORT(("dst_s_random(): More than needed %d >= %d\n",
855 s
, my_work
->needed
));
856 memcpy(&output
[n
], my_work
->output
, my_work
->needed
);
857 n
+= my_work
->needed
;
858 /* saving unused data for next time */
859 unused
= s
- my_work
->needed
;
860 if (unused
> sizeof(old_unused
)) {
861 unused
= sizeof(old_unused
);
863 memcpy(old_unused
, &my_work
->output
[my_work
->needed
],
866 /* XXXX This should not happen */
867 EREPORT(("Not enough %d >= %d\n", s
, my_work
->needed
));
868 memcpy(&output
[n
], my_work
->output
, s
);
869 n
+= my_work
->needed
;
872 /* delete the allocated work area */
873 for (i
= 0; i
< DST_NUM_HASHES
; i
++) {
874 if (my_work
->hash
[i
] != NULL
) {
875 dst_free_key(my_work
->hash
[i
]->key
);
876 SAFE_FREE(my_work
->hash
[i
]);
879 SAFE_FREE(my_work
->output
);
886 * A random number generator that is fast and strong
887 * this random number generator is based on HASHing data,
888 * the input to the digest function is a collection of <NUMBER_OF_COUNTERS>
889 * counters that is incremented between digest operations
890 * each increment operation amortizes to 2 bits changed in that value
891 * for 5 counters thus the input will amortize to have 10 bits changed
892 * The counters are initially set using the strong random function above
893 * the HMAC key is selected by the same method as the HMAC keys for the
894 * strong random function.
895 * Each set of counters is used for 2^25 operations
897 * returns the number of bytes written to the output buffer
898 * or negative number in case of error
901 dst_s_semi_random(u_char
*output
, unsigned size
)
903 static u_int32_t counter
[DST_NUMBER_OF_COUNTERS
];
904 static u_char semi_old
[DST_HASH_SIZE
];
905 static int semi_loc
= 0, cnt
= 0;
906 static unsigned hb_size
= 0;
907 static DST_KEY
*my_key
= NULL
;
913 if (output
== NULL
|| size
<= 0)
916 /* check if we need a new key */
917 if (my_key
== NULL
|| cnt
> (1 << 25)) { /* get HMAC KEY */
919 my_key
->dk_func
->destroy(my_key
);
920 if ((hash
= get_hmac_key(1, DST_RANDOM_BLOCK_SIZE
)) == NULL
)
923 /* check if the key works stir the new key using some old random data */
924 hb_size
= dst_sign_data(SIG_MODE_ALL
, my_key
, NULL
,
925 (u_char
*) counter
, sizeof(counter
),
926 semi_old
, sizeof(semi_old
));
928 EREPORT(("dst_s_semi_random() Sign of alg %d failed %d\n",
929 my_key
->dk_alg
, hb_size
));
932 /* new set the counters to random values */
933 dst_s_random((u_char
*) counter
, sizeof(counter
));
936 /* if old data around use it first */
937 if (semi_loc
< hb_size
) {
938 if (size
<= hb_size
- semi_loc
) { /* need less */
939 memcpy(output
, &semi_old
[semi_loc
], size
);
941 return (size
); /* DONE */
943 out
= hb_size
- semi_loc
;
944 memcpy(output
, &semi_old
[semi_loc
], out
);
948 /* generate more random stuff */
951 * modify at least one bit by incrementing at least one counter
952 * based on the last bit of the last counter updated update
954 * minimally this operation will modify at least 1 bit,
957 for (n
= 0; n
< DST_NUMBER_OF_COUNTERS
; n
++)
958 i
= (int) counter
[n
]++;
960 res
= dst_sign_data(SIG_MODE_ALL
, my_key
, NULL
,
961 (u_char
*) counter
, hb_size
,
962 semi_old
, sizeof(semi_old
));
968 EREPORT(("HMAC SIGNATURE FAILURE %d\n", i
));
970 if (size
- out
< i
) /* Not all data is needed */
971 semi_loc
= i
= size
- out
;
972 memcpy(&output
[out
], semi_old
, i
);