]>
git.ipfire.org Git - thirdparty/dhcp.git/blob - dst/prandom.c
b45c5332ddf6e48f43739479af68d7c0fb7dc6f4
2 static const char rcsid
[] = "$Header: /tmp/cvstest/DHCP/dst/prandom.c,v 1.3 2007/05/19 19:16:25 dhankins Exp $";
5 * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
6 * Portions Copyright (c) 2007 by Internet Systems Consortium, Inc.
8 * Permission to use, copy modify, and distribute this software for any
9 * purpose with or without fee is hereby granted, provided that the above
10 * copyright notice and this permission notice appear in all copies.
12 * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
13 * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
14 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
15 * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
16 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
17 * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
18 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
19 * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
23 #include <sys/types.h>
30 #include <sys/param.h>
34 #include <netinet/in.h>
35 #include <sys/socket.h>
36 #define NEED_PRAND_CONF
37 #include "minires/minires.h"
38 #include "dst_internal.h"
39 #include "arpa/nameser.h"
42 #ifndef DST_NUM_HASHES
43 #define DST_NUM_HASHES 4
45 #ifndef DST_NUMBER_OF_COUNTERS
46 #define DST_NUMBER_OF_COUNTERS 5 /* 32 * 5 == 160 == SHA(1) > MD5 */
50 * the constant below is a prime number to make fixed data structues like
51 * stat and time wrap over blocks. This adds certain uncertanty to what is
52 * in each digested block.
53 * The prime number 2879 has the special property that when
54 * divided by 2,4 and 6 the result is also a prime numbers
57 #ifndef DST_RANDOM_BLOCK_SIZE
58 #define DST_RANDOM_BLOCK_SIZE 2879
62 * This constant dictatates how many bits we shift to the right before using a
69 * An initalizer that is as bad as any other with half the bits set
71 #ifndef DST_RANDOM_PATTERN
72 #define DST_RANDOM_PATTERN 0x8765CA93
75 * things must have changed in the last 3600 seconds to be used
80 * Define a single set of configuration for prand stuff. A superset
81 * works okay (failed commands return no data, missing directories
82 * are skipped, and so on.
84 static const char *cmds
[] = {
85 "/usr/bin/netstat -an 2>&1",
86 "/usr/sbin/netstat -an 2>&1",
87 "/usr/etc/netstat -an 2>&1",
88 "/bin/netstat -an 2>&1",
89 "/usr/ucb/netstat -an 2>&1",
94 "/usr/bin/uptime 2>&1",
95 "/usr/bin/printenv 2>&1",
96 "/usr/bin/netstat -s 2>&1",
99 "/usr/bin/dig com. soa +ti=1 +retry=0 2>&1",
100 "/usr/sbin/arp -an 2>&1",
101 "/usr/ucb/uptime 2>&1",
104 "/bin/ps -axlw 2>&1",
105 "/usr/sbin/iostat 2>&1",
106 "/usr/sbin/vmstat 2>&1",
108 "/usr/bin/vmstat 2>&1",
111 "/usr/bin/ps -ef 2>&1",
113 "/usr/etc/arp -a 2>&1",
114 "/usr/bsd/uptime 2>&1",
115 "/usr/bin/printenv 2>&1",
118 "/sbin/arp -an 2>&1",
119 "/usr/bin/vmstat 2>&1",
126 "/bin/sin memory 2>&1",
128 "/usr/ucb/uptime 2>&1",
129 "/usr/ucb/netstat -an 2>&1",
131 "/usr/bin/netstat -an 2>&1",
132 "/usr/sbin/netstat -an 2>&1",
133 "/usr/etc/netstat -an 2>&1",
134 "/bin/netstat -an 2>&1",
135 "/usr/ucb/netstat -an 2>&1",
139 static const char *dirs
[] = {
154 static const char *files
[] = {
173 * these two data structure are used to process input data into digests,
175 * The first structure is containts a pointer to a DST HMAC key
176 * the variables accompanying are used for
177 * step : select every step byte from input data for the hash
178 * block: number of data elements going into each hash
179 * digested: number of data elements digested so far
180 * curr: offset into the next input data for the first byte.
182 typedef struct hash
{
185 int digested
, block
, step
, curr
;
189 * This data structure controlls number of hashes and keeps track of
190 * overall progress in generating correct number of bytes of output.
191 * output : array to store the output data in
192 * needed : how many bytes of output are needed
193 * filled : number of bytes in output so far.
194 * bytes : total number of bytes processed by this structure
195 * file_digest : the HMAC key used to digest files.
197 typedef struct work
{
198 unsigned needed
, filled
, bytes
;
200 prand_hash
*hash
[DST_NUM_HASHES
];
201 DST_KEY
*file_digest
;
206 * forward function declarations
208 static int get_dev_random(u_char
*output
, unsigned size
);
209 static int do_time(dst_work
*work
);
210 static int do_ls(dst_work
*work
);
211 static int unix_cmd(dst_work
*work
);
212 static int digest_file(dst_work
*work
);
214 static void force_hash(dst_work
*work
, prand_hash
*hash
);
215 static int do_hash(dst_work
*work
, prand_hash
*hash
, const u_char
*input
,
217 static int my_digest(dst_work
*tmp
, const u_char
*input
, unsigned size
);
218 static prand_hash
*get_hmac_key(int step
, int block
);
220 static unsigned own_random(dst_work
*work
);
224 * variables used in the quick random number generator
226 static u_int32_t ran_val
= DST_RANDOM_PATTERN
;
227 static u_int32_t ran_cnt
= (DST_RANDOM_PATTERN
>> 10);
230 * setting the quick_random generator to particular values or if both
231 * input parameters are 0 then set it to initial vlaues
235 dst_s_quick_random_set(u_int32_t val
, u_int32_t cnt
)
237 ran_val
= (val
== 0) ? DST_RANDOM_PATTERN
: val
;
238 ran_cnt
= (cnt
== 0) ? (DST_RANDOM_PATTERN
>> 10) : cnt
;
242 * this is a quick and random number generator that seems to generate quite
243 * good distribution of data
246 dst_s_quick_random(int inc
)
248 ran_val
= ((ran_val
>> 13) ^ (ran_val
<< 19)) ^
249 ((ran_val
>> 7) ^ (ran_val
<< 25));
250 if (inc
> 0) /* only increasing values accepted */
252 ran_val
+= ran_cnt
++;
257 * get_dev_random: Function to read /dev/random reliably
258 * this function returns how many bytes where read from the device.
259 * port_after.h should set the control variable HAVE_DEV_RANDOM
262 get_dev_random(u_char
*output
, unsigned size
)
264 #ifdef HAVE_DEV_RANDOM
266 int n
= 0, fd
= -1, s
;
268 s
= stat("/dev/random", &st
);
269 if (s
== 0 && S_ISCHR(st
.st_mode
)) {
270 if ((fd
= open("/dev/random", O_RDONLY
| O_NONBLOCK
)) != -1) {
271 if ((n
= read(fd
, output
, size
)) < 0)
282 * Portable way of getting the time values if gettimeofday is missing
283 * then compile with -DMISSING_GETTIMEOFDAY time() is POSIX compliant but
284 * gettimeofday() is not.
285 * Time of day is predictable, we are looking for the randomness that comes
286 * the last few bits in the microseconds in the timer are hard to predict when
287 * this is invoked at the end of other operations
289 struct timeval
*mtime
;
291 do_time(dst_work
*work
)
294 static u_char tmp
[sizeof(struct timeval
) + sizeof(struct timezone
)];
295 struct timezone
*zone
;
297 zone
= (struct timezone
*) tmp
;
298 mtime
= (struct timeval
*)(tmp
+ sizeof(struct timezone
));
299 gettimeofday(mtime
, zone
);
301 my_digest(work
, tmp
, sizeof(tmp
));
307 * this function simulates the ls command, but it uses stat which gives more
308 * information and is harder to guess
309 * Each call to this function will visit the next directory on the list of
310 * directories, in a circular manner.
311 * return value is the number of bytes added to the temp buffer
313 * do_ls() does not visit subdirectories
314 * if attacker has access to machine it can guess most of the values seen
315 * thus it is important to only visit directories that are freqently updated
316 * Attacker that has access to the network can see network traffic
317 * when NFS mounted directories are accessed and know exactly the data used
318 * but may not know exactly in what order data is used.
319 * Returns the number of bytes that where returned in stat structures
322 do_ls(dst_work
*work
)
328 time_t atime
, mtime
, ctime
;
330 static struct dir_info dir_info
;
332 struct dirent
*entry
;
334 static unsigned long d_round
= 0;
336 int n
= 0, tb_i
= 0, out
= 0;
339 char file_name
[1024];
340 u_char tmp_buff
[1024];
343 if (dirs
[i
] == NULL
) /* if at the end of the list start over */
345 if (stat(dirs
[i
++], &buf
)) /* directory does not exist */
348 gettimeofday(&tv
,NULL
);
350 d_round
= tv
.tv_sec
- MAX_OLD
;
351 else if (i
==1) /* if starting a new round cut what we accept */
352 d_round
+= (tv
.tv_sec
- d_round
)/2;
354 if (buf
.st_atime
< d_round
)
357 EREPORT(("do_ls i %d filled %4d in_temp %4d\n",
358 i
-1, work
->filled
, work
->in_temp
));
359 memcpy(tmp_buff
, &buf
, sizeof(buf
));
363 if ((dir
= opendir(dirs
[i
-1])) == NULL
)/* open it for read */
365 strcpy(file_name
, dirs
[i
-1]);
366 dir_len
= strlen(file_name
);
367 file_name
[dir_len
++] = '/';
368 while ((entry
= readdir(dir
))) {
369 unsigned len
= strlen(entry
->d_name
);
371 if (my_digest(work
, (u_char
*)entry
->d_name
, len
))
374 memcpy(&file_name
[dir_len
], entry
->d_name
, len
);
375 file_name
[dir_len
+ len
] = 0x0;
376 /* for all entries in dir get the stats */
377 if (stat(file_name
, &buf
) == 0) {
378 n
++; /* count successfull stat calls */
379 /* copy non static fields */
380 dir_info
.uid
+= buf
.st_uid
;
381 dir_info
.gid
+= buf
.st_gid
;
382 dir_info
.size
+= buf
.st_size
;
383 dir_info
.atime
+= buf
.st_atime
;
384 dir_info
.mtime
+= buf
.st_mtime
;
385 dir_info
.ctime
+= buf
.st_ctime
;
386 out
+= sizeof(dir_info
);
387 if(my_digest(work
, (u_char
*)&dir_info
,
392 closedir(dir
); /* done */
393 out
+= do_time(work
); /* add a time stamp */
400 * this function executes the a command from the cmds[] list of unix commands
401 * configured in the prand_conf.h file
402 * return value is the number of bytes added to the randomness temp buffer
404 * it returns the number of bytes that where read in
405 * if more data is needed at the end time is added to the data.
406 * This function maintains a state to selects the next command to run
407 * returns the number of bytes read in from the command
410 unix_cmd(dst_work
*work
)
412 static int cmd_index
= 0;
417 if (cmds
[cmd_index
] == NULL
)
419 EREPORT(("unix_cmd() i %d filled %4d in_temp %4d\n",
420 cmd_index
, work
->filled
, work
->in_temp
));
421 pipe
= popen(cmds
[cmd_index
++], "r"); /* execute the command */
423 while ((n
= fread(buffer
, sizeof(char), sizeof(buffer
), pipe
)) > 0) {
424 cnt
+= n
; /* process the output */
425 if (my_digest(work
, buffer
, (unsigned)n
))
427 /* this adds some randomness to the output */
428 cnt
+= do_time(work
);
430 while ((n
= fread(buffer
, sizeof(char), sizeof(buffer
), pipe
)) > 0)
431 NULL
; /* drain the pipe */
433 return (cnt
); /* read how many bytes where read in */
437 * digest_file() This function will read a file and run hash over it
438 * input is a file name
441 digest_file(dst_work
*work
)
443 static int f_cnt
= 0;
444 static unsigned long f_round
= 0;
453 if (f_round
== 0 || files
[f_cnt
] == NULL
|| work
->file_digest
== NULL
)
454 if (gettimeofday(&tv
, NULL
)) /* only do this if needed */
456 if (f_round
== 0) /* first time called set to one hour ago */
457 f_round
= (tv
.tv_sec
- MAX_OLD
);
458 name
= files
[f_cnt
++];
459 if (files
[f_cnt
] == NULL
) { /* end of list of files */
460 if(f_cnt
<= 1) /* list is too short */
462 f_cnt
= 0; /* start again on list */
463 f_round
+= (tv
.tv_sec
- f_round
)/2; /* set new cutoff */
464 work
->file_digest
= dst_free_key(work
->file_digest
);
466 if (work
->file_digest
== NULL
) {
467 work
->file_digest
= dst_buffer_to_key("", KEY_HMAC_MD5
, 0, 0,
468 (u_char
*)&tv
, sizeof(tv
));
469 if (work
->file_digest
== NULL
)
472 if (access(name
, R_OK
) || stat(name
, &st
))
473 return (0); /* no such file or not allowed to read it */
474 if (strncmp(name
, "/proc/", 6) && st
.st_mtime
< f_round
)
475 return(0); /* file has not changed recently enough */
476 if (dst_sign_data(SIG_MODE_INIT
, work
->file_digest
, &ctx
,
478 work
->file_digest
= dst_free_key(work
->file_digest
);
481 if ((fp
= fopen(name
, "r")) == NULL
)
483 for (no
= 0; (i
= fread(buf
, sizeof(*buf
), sizeof(buf
), fp
)) > 0;
485 dst_sign_data(SIG_MODE_UPDATE
, work
->file_digest
, &ctx
,
486 buf
, (unsigned)i
, NULL
, 0);
490 i
= dst_sign_data(SIG_MODE_FINAL
, work
->file_digest
, &ctx
,
491 NULL
, 0, &work
->output
[work
->filled
],
497 my_digest(work
, buf
, (unsigned)i
);
498 my_digest(work
, (const u_char
*)name
, strlen(name
));
499 return (no
+ strlen(name
));
503 * function to perform the FINAL and INIT operation on a hash if allowed
506 force_hash(dst_work
*work
, prand_hash
*hash
)
511 * if more than half a block then add data to output
512 * otherwise adde the digest to the next hash
514 if ((hash
->digested
* 2) > hash
->block
) {
515 i
= dst_sign_data(SIG_MODE_FINAL
, hash
->key
, &hash
->ctx
,
516 NULL
, 0, &work
->output
[work
->filled
],
520 dst_sign_data(SIG_MODE_INIT
, hash
->key
, &hash
->ctx
,
529 * This function takes the input data does the selection of data specified
530 * by the hash control block.
531 * The step varialbe in the work sturcture determines which 1/step bytes
536 do_hash(dst_work
*work
, prand_hash
*hash
, const u_char
*input
, unsigned size
)
538 const u_char
*tmp
= input
;
539 u_char
*tp
, *abuf
= (u_char
*)0;
541 unsigned needed
, avail
, dig
, cnt
= size
;
542 unsigned tmp_size
= 0;
544 if (cnt
<= 0 || input
== NULL
)
547 if (hash
->step
> 1) { /* if using subset of input data */
548 tmp_size
= size
/ hash
->step
+ 2;
549 abuf
= tp
= malloc(tmp_size
);
551 for (cnt
= 0, i
= hash
->curr
; i
< size
; i
+= hash
->step
, cnt
++)
553 /* calcutate the starting point in the next input set */
554 hash
->curr
= (hash
->step
- (i
- size
)) % hash
->step
;
556 /* digest the data in block sizes */
557 for (n
= 0; n
< cnt
; n
+= needed
) {
559 needed
= hash
->block
- hash
->digested
;
560 dig
= (avail
< needed
) ? avail
: needed
;
561 dst_sign_data(SIG_MODE_UPDATE
, hash
->key
, &hash
->ctx
,
562 &tmp
[n
], dig
, NULL
, 0);
563 hash
->digested
+= dig
;
564 if (hash
->digested
>= hash
->block
)
565 force_hash(work
, hash
);
566 if (work
->needed
< work
->filled
) {
568 SAFE_FREE2(abuf
, tmp_size
);
573 SAFE_FREE2(abuf
, tmp_size
);
578 * Copy data from INPUT for length SIZE into the work-block TMP.
579 * If we fill the work-block, digest it; then,
580 * if work-block needs more data, keep filling with the rest of the input.
583 my_digest(dst_work
*work
, const u_char
*input
, unsigned size
)
587 static unsigned counter
;
590 /* first do each one of the hashes */
591 for (i
= 0; i
< DST_NUM_HASHES
&& full
== 0; i
++)
592 full
= do_hash(work
, work
->hash
[i
], input
, size
) +
593 do_hash(work
, work
->hash
[i
], (u_char
*) &counter
,
596 * if enough data has be generated do final operation on all hashes
597 * that have enough date for that
599 for (i
= 0; full
&& (i
< DST_NUM_HASHES
); i
++)
600 force_hash(work
, work
->hash
[i
]);
606 * this function gets some semi random data and sets that as an HMAC key
607 * If we get a valid key this function returns that key initalized
608 * otherwise it returns NULL;
611 get_hmac_key(int step
, int block
)
617 DST_KEY
*new_key
= NULL
;
618 prand_hash
*new = NULL
;
620 /* use key that is larger than digest algorithms (64) for key size */
624 /* do not memset the allocated memory to get random bytes there */
625 /* time of day is somewhat random expecialy in the last bytes */
626 gettimeofday((struct timeval
*) &buff
[n
], NULL
);
627 n
+= sizeof(struct timeval
);
629 /* get some semi random stuff in here stir it with micro seconds */
631 temp
= dst_s_quick_random((int) buff
[n
- 1]);
632 memcpy(&buff
[n
], &temp
, sizeof(temp
));
635 /* get the pid of this process and its parent */
637 temp
= (int) getpid();
638 memcpy(&buff
[n
], &temp
, sizeof(temp
));
642 temp
= (int) getppid();
643 memcpy(&buff
[n
], &temp
, sizeof(temp
));
646 /* get the user ID */
648 temp
= (int) getuid();
649 memcpy(&buff
[n
], &temp
, sizeof(temp
));
652 #ifndef GET_HOST_ID_MISSING
654 temp
= (int) gethostid();
655 memcpy(&buff
[n
], &temp
, sizeof(temp
));
659 /* get some more random data */
661 temp
= dst_s_quick_random((int) buff
[n
- 1]);
662 memcpy(&buff
[n
], &temp
, sizeof(temp
));
665 /* covert this into a HMAC key */
666 new_key
= dst_buffer_to_key("", KEY_HMAC_MD5
, 0, 0, buff
, size
);
669 /* get the control structure */
670 if ((new = malloc(sizeof(prand_hash
))) == NULL
)
672 new->digested
= new->curr
= 0;
676 if (dst_sign_data(SIG_MODE_INIT
, new_key
, &new->ctx
, NULL
, 0, NULL
, 0))
684 * This function goes out and from various sources tries to generate enough
685 * semi random data that a hash function can generate a random data.
686 * This function will iterate between the two main random source sources,
687 * information from programs and directores in random order.
688 * This function return the number of bytes added to the random output buffer.
691 own_random(dst_work
*work
)
694 int bytes
, n
, cmd
= 0, dig
= 0;
697 * now get the initial seed to put into the quick random function from
698 * the address of the work structure
700 bytes
= (int) getpid();
702 * proceed while needed
704 while (work
->filled
< work
->needed
) {
705 EREPORT(("own_random r %08x b %6d t %6d f %6d\n",
706 ran_val
, bytes
, work
->in_temp
, work
->filled
));
707 /* pick a random number in the range of 0..7 based on that random number
708 * perform some operations that yield random data
710 start
= work
->filled
;
711 n
= (dst_s_quick_random(bytes
) >> DST_SHIFT
) & 0x07;
715 if (sizeof(cmds
) > 2 *sizeof(*cmds
)) {
723 if (sizeof(dirs
) > 2 *sizeof(*dirs
)) {
731 /* retry getting data from /dev/random */
732 b
= get_dev_random(&work
->output
[work
->filled
],
733 work
->needed
- work
->filled
);
739 if (sizeof(files
) > 2 * sizeof(*files
)) {
740 b
= digest_file(work
);
746 default: /* to make sure we make some progress */
747 work
->output
[work
->filled
++] = 0xff &
748 dst_s_quick_random(bytes
);
755 return (work
->filled
);
760 * dst_s_random() This function will return the requested number of bytes
761 * of randomness to the caller it will use the best available sources of
763 * The current order is to use /dev/random, precalculated randomness, and
764 * finaly use some system calls and programs to generate semi random data that
765 * is then digested to generate randomness.
766 * This function is thread safe as each thread uses its own context, but
767 * concurrent treads will affect each other as they update shared state
769 * It is strongly recommended that this function be called requesting a size
770 * that is not a multiple of the output of the hash function used.
772 * If /dev/random is not available this function is not suitable to generate
773 * large ammounts of data, rather it is suitable to seed a pseudo-random
775 * Returns the number of bytes put in the output buffer
778 dst_s_random(u_char
*output
, unsigned size
)
782 static u_char old_unused
[DST_HASH_SIZE
* DST_NUM_HASHES
];
783 static unsigned unused
= 0;
785 if (size
<= 0 || output
== NULL
)
791 * Read from /dev/random
793 n
= get_dev_random(output
, size
);
795 * If old data is available and needed use it
797 if (n
< size
&& unused
> 0) {
798 unsigned need
= size
- n
;
799 if (unused
<= need
) {
800 memcpy(output
, old_unused
, unused
);
804 memcpy(output
, old_unused
, need
);
807 memcpy(old_unused
, &old_unused
[need
], unused
);
811 * If we need more use the simulated randomness here.
814 dst_work
*my_work
= (dst_work
*) malloc(sizeof(dst_work
));
817 my_work
->needed
= size
- n
;
819 my_work
->output
= (u_char
*) malloc(my_work
->needed
+
822 my_work
->file_digest
= NULL
;
823 if (my_work
->output
== NULL
)
825 memset(my_work
->output
, 0x0, my_work
->needed
);
826 /* allocate upto 4 different HMAC hash functions out of order */
827 #if DST_NUM_HASHES >= 3
828 my_work
->hash
[2] = get_hmac_key(3, DST_RANDOM_BLOCK_SIZE
/ 2);
830 #if DST_NUM_HASHES >= 2
831 my_work
->hash
[1] = get_hmac_key(7, DST_RANDOM_BLOCK_SIZE
/ 6);
833 #if DST_NUM_HASHES >= 4
834 my_work
->hash
[3] = get_hmac_key(5, DST_RANDOM_BLOCK_SIZE
/ 4);
836 my_work
->hash
[0] = get_hmac_key(1, DST_RANDOM_BLOCK_SIZE
);
837 if (my_work
->hash
[0] == NULL
) /* if failure bail out */
839 s
= own_random(my_work
);
840 /* if more generated than needed store it for future use */
841 if (s
>= my_work
->needed
) {
842 EREPORT(("dst_s_random(): More than needed %d >= %d\n",
843 s
, my_work
->needed
));
844 memcpy(&output
[n
], my_work
->output
, my_work
->needed
);
845 n
+= my_work
->needed
;
846 /* saving unused data for next time */
847 unused
= s
- my_work
->needed
;
848 memcpy(old_unused
, &my_work
->output
[my_work
->needed
],
851 /* XXXX This should not happen */
852 EREPORT(("Not enough %d >= %d\n", s
, my_work
->needed
));
853 memcpy(&output
[n
], my_work
->output
, s
);
854 n
+= my_work
->needed
;
857 /* delete the allocated work area */
858 for (i
= 0; i
< DST_NUM_HASHES
; i
++) {
859 dst_free_key(my_work
->hash
[i
]->key
);
860 SAFE_FREE(my_work
->hash
[i
]);
862 SAFE_FREE(my_work
->output
);
869 * A random number generator that is fast and strong
870 * this random number generator is based on HASHing data,
871 * the input to the digest function is a collection of <NUMBER_OF_COUNTERS>
872 * counters that is incremented between digest operations
873 * each increment operation amortizes to 2 bits changed in that value
874 * for 5 counters thus the input will amortize to have 10 bits changed
875 * The counters are initaly set using the strong random function above
876 * the HMAC key is selected by the same methold as the HMAC keys for the
877 * strong random function.
878 * Each set of counters is used for 2^25 operations
880 * returns the number of bytes written to the output buffer
881 * or negative number in case of error
884 dst_s_semi_random(u_char
*output
, unsigned size
)
886 static u_int32_t counter
[DST_NUMBER_OF_COUNTERS
];
887 static u_char semi_old
[DST_HASH_SIZE
];
888 static int semi_loc
= 0, cnt
= 0;
889 static unsigned hb_size
= 0;
890 static DST_KEY
*my_key
= NULL
;
896 if (output
== NULL
|| size
<= 0)
899 /* check if we need a new key */
900 if (my_key
== NULL
|| cnt
> (1 << 25)) { /* get HMAC KEY */
902 my_key
->dk_func
->destroy(my_key
);
903 if ((hash
= get_hmac_key(1, DST_RANDOM_BLOCK_SIZE
)) == NULL
)
906 /* check if the key works stir the new key using some old random data */
907 hb_size
= dst_sign_data(SIG_MODE_ALL
, my_key
, NULL
,
908 (u_char
*) counter
, sizeof(counter
),
909 semi_old
, sizeof(semi_old
));
911 EREPORT(("dst_s_semi_random() Sign of alg %d failed %d\n",
912 my_key
->dk_alg
, hb_size
));
915 /* new set the counters to random values */
916 dst_s_random((u_char
*) counter
, sizeof(counter
));
919 /* if old data around use it first */
920 if (semi_loc
< hb_size
) {
921 if (size
<= hb_size
- semi_loc
) { /* need less */
922 memcpy(output
, &semi_old
[semi_loc
], size
);
924 return (size
); /* DONE */
926 out
= hb_size
- semi_loc
;
927 memcpy(output
, &semi_old
[semi_loc
], out
);
931 /* generate more randome stuff */
934 * modify at least one bit by incrementing at least one counter
935 * based on the last bit of the last counter updated update
937 * minimaly this operation will modify at least 1 bit,
940 for (n
= 0; n
< DST_NUMBER_OF_COUNTERS
; n
++)
941 i
= (int) counter
[n
]++;
943 i
= dst_sign_data(SIG_MODE_ALL
, my_key
, NULL
,
944 (u_char
*) counter
, hb_size
,
945 semi_old
, sizeof(semi_old
));
947 EREPORT(("HMAC SIGNATURE FAILURE %d\n", i
));
949 if (size
- out
< i
) /* Not all data is needed */
950 semi_loc
= i
= size
- out
;
951 memcpy(&output
[out
], semi_old
, i
);