5 * Copyright (c) 2005 Marko Kreen
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * $PostgreSQL: pgsql/contrib/pgcrypto/fortuna.c,v 1.8 2006/10/04 00:29:46 momjian Exp $
45 * Why Fortuna-like: There does not seem to be any definitive reference
46 * on Fortuna in the net. Instead this implementation is based on
47 * following references:
49 * http://en.wikipedia.org/wiki/Fortuna_(PRNG)
51 * http://jlcooke.ca/random/
52 * - Jean-Luc Cooke Fortuna-based /dev/random driver for Linux.
56 * There is some confusion about whether and how to carry forward
57 * the state of the pools. Seems like original Fortuna does not
58 * do it, resetting hash after each request. I guess expecting
59 * feeding to happen more often that requesting. This is absolutely
60 * unsuitable for pgcrypto, as nothing asynchronous happens here.
62 * J.L. Cooke fixed this by feeding previous hash to new re-initialized
65 * Fortuna predecessor Yarrow requires ability to query intermediate
66 * 'final result' from hash, without affecting it.
68 * This implementation uses the Yarrow method - asking intermediate
69 * results, but continuing with old state.
74 * Algorithm parameters
80 #define RESEED_INTERVAL 100000 /* 0.1 sec */
82 /* for one big request, reseed after this many bytes */
83 #define RESEED_BYTES (1024*1024)
86 * Skip reseed if pool 0 has less than this many
87 * bytes added since last reseed.
89 #define POOL0_FILL (256/8)
95 /* Both cipher key size and hash result size */
98 /* cipher block size */
101 /* for internal wrappers */
102 #define MD_CTX SHA256_CTX
103 #define CIPH_CTX AES_KEY
107 unsigned char counter
[CIPH_BLOCK
];
108 unsigned char result
[CIPH_BLOCK
];
109 unsigned char key
[BLOCK
];
110 MD_CTX pool
[NUM_POOLS
];
112 unsigned reseed_count
;
113 struct timeval last_reseed_time
;
114 unsigned pool0_bytes
;
119 typedef struct fortuna_state FState
;
123 * Use our own wrappers here.
124 * - Need to get intermediate result from digest, without affecting it.
125 * - Need re-set key on a cipher context.
126 * - Algorithms are guaranteed to exist.
127 * - No memory allocations.
131 ciph_init(CIPH_CTX
* ctx
, const unsigned char *key
, int klen
)
133 AES_set_encrypt_key(key
, klen
* 8, ctx
);
137 ciph_encrypt(CIPH_CTX
* ctx
, const unsigned char *in
, unsigned char *out
)
139 AES_encrypt(in
, out
, ctx
);
143 md_init(MD_CTX
* ctx
)
149 md_update(MD_CTX
* ctx
, const unsigned char *data
, int len
)
151 SHA256_Update(ctx
, data
, len
);
155 md_result(MD_CTX
* ctx
, unsigned char *dst
)
159 memcpy(&tmp
, ctx
, sizeof(*ctx
));
160 SHA256_Final(dst
, &tmp
);
161 memset(&tmp
, 0, sizeof(tmp
));
168 init_state(FState
* st
)
172 memset(st
, 0, sizeof(*st
));
173 for (i
= 0; i
< NUM_POOLS
; i
++)
174 md_init(&st
->pool
[i
]);
179 * Endianess does not matter.
180 * It just needs to change without repeating.
183 inc_counter(FState
* st
)
185 uint32_t *val
= (uint32_t *) st
->counter
;
197 * This is called 'cipher in counter mode'.
200 encrypt_counter(FState
* st
, unsigned char *dst
)
202 ciph_encrypt(&st
->ciph
, st
->counter
, dst
);
208 * The time between reseed must be at least RESEED_INTERVAL
212 enough_time_passed(FState
* st
)
216 struct timeval
*last
= &st
->last_reseed_time
;
218 gettimeofday(&tv
, NULL
);
220 /* check how much time has passed */
222 if (tv
.tv_sec
> last
->tv_sec
+ 1)
224 else if (tv
.tv_sec
== last
->tv_sec
+ 1)
226 if (1000000 + tv
.tv_usec
- last
->tv_usec
>= RESEED_INTERVAL
)
229 else if (tv
.tv_usec
- last
->tv_usec
>= RESEED_INTERVAL
)
232 /* reseed will happen, update last_reseed_time */
234 memcpy(last
, &tv
, sizeof(tv
));
236 memset(&tv
, 0, sizeof(tv
));
242 * generate new key from all the pools
250 unsigned char buf
[BLOCK
];
252 /* set pool as empty */
256 * Both #0 and #1 reseed would use only pool 0. Just skip #0 then.
258 n
= ++st
->reseed_count
;
261 * The goal: use k-th pool only 1/(2^k) of the time.
264 for (k
= 0; k
< NUM_POOLS
; k
++)
266 md_result(&st
->pool
[k
], buf
);
267 md_update(&key_md
, buf
, BLOCK
);
274 /* add old key into mix too */
275 md_update(&key_md
, st
->key
, BLOCK
);
277 /* add pid to make output diverse after fork() */
278 md_update(&key_md
, (const unsigned char *)&st
->pid
, sizeof(st
->pid
));
280 /* now we have new key */
281 md_result(&key_md
, st
->key
);
284 ciph_init(&st
->ciph
, st
->key
, BLOCK
);
286 memset(&key_md
, 0, sizeof(key_md
));
287 memset(buf
, 0, BLOCK
);
291 * Pick a random pool. This uses key bytes as random source.
294 get_rand_pool(FState
* st
)
299 * This slightly prefers lower pools - thats OK.
301 rnd
= st
->key
[st
->rnd_pos
] % NUM_POOLS
;
304 if (st
->rnd_pos
>= BLOCK
)
314 add_entropy(FState
* st
, const unsigned char *data
, unsigned len
)
317 unsigned char hash
[BLOCK
];
320 /* hash given data */
322 md_update(&md
, data
, len
);
323 md_result(&md
, hash
);
326 * Make sure the pool 0 is initialized, then update randomly.
328 if (st
->reseed_count
== 0)
331 pos
= get_rand_pool(st
);
332 md_update(&st
->pool
[pos
], hash
, BLOCK
);
335 st
->pool0_bytes
+= len
;
337 memset(hash
, 0, BLOCK
);
338 memset(&md
, 0, sizeof(md
));
342 * Just take 2 next blocks as new key
347 encrypt_counter(st
, st
->key
);
348 encrypt_counter(st
, st
->key
+ CIPH_BLOCK
);
349 ciph_init(&st
->ciph
, st
->key
, BLOCK
);
353 * Hide public constants. (counter, pools > 0)
355 * This can also be viewed as spreading the startup
356 * entropy over all of the components.
359 startup_tricks(FState
* st
)
362 unsigned char buf
[BLOCK
];
364 /* Use next block as counter. */
365 encrypt_counter(st
, st
->counter
);
367 /* Now shuffle pools, excluding #0 */
368 for (i
= 1; i
< NUM_POOLS
; i
++)
370 encrypt_counter(st
, buf
);
371 encrypt_counter(st
, buf
+ CIPH_BLOCK
);
372 md_update(&st
->pool
[i
], buf
, BLOCK
);
374 memset(buf
, 0, BLOCK
);
379 /* This can be done only once. */
384 extract_data(FState
* st
, unsigned count
, unsigned char *dst
)
387 unsigned block_nr
= 0;
388 pid_t pid
= getpid();
390 /* Should we reseed? */
391 if (st
->pool0_bytes
>= POOL0_FILL
|| st
->reseed_count
== 0)
392 if (enough_time_passed(st
))
395 /* Do some randomization on first call */
396 if (!st
->tricks_done
)
399 /* If we forked, force a reseed again */
400 if (pid
!= st
->pid
) {
408 encrypt_counter(st
, st
->result
);
411 if (count
> CIPH_BLOCK
)
415 memcpy(dst
, st
->result
, n
);
419 /* must not give out too many bytes with one key */
421 if (block_nr
> (RESEED_BYTES
/ CIPH_BLOCK
))
427 /* Set new key for next request. */
435 static FState main_state
;
436 static int init_done
;
437 static int have_entropy
;
438 #define FORTUNA_RESEED_BYTE 10000
439 static unsigned resend_bytes
;
442 * Try our best to do an inital seed
444 #define INIT_BYTES 128
455 unsigned char buf
[INIT_BYTES
];
456 if ((*hc_rand_unix_method
.bytes
)(buf
, sizeof(buf
)) == 1) {
457 add_entropy(&main_state
, buf
, sizeof(buf
));
459 memset(buf
, 0, sizeof(buf
));
462 #ifdef HAVE_ARC4RANDOM
464 uint32_t buf
[INIT_BYTES
/ sizeof(uint32_t)];
467 for (i
= 0; i
< sizeof(buf
)/sizeof(buf
[0]); i
++)
468 buf
[i
] = arc4random();
469 add_entropy(&main_state
, (void *)buf
, sizeof(buf
));
474 * Only to get egd entropy if /dev/random or arc4rand failed since
475 * it can be horribly slow to generate new bits.
478 unsigned char buf
[INIT_BYTES
];
479 if ((*hc_rand_egd_method
.bytes
)(buf
, sizeof(buf
)) == 1) {
480 add_entropy(&main_state
, buf
, sizeof(buf
));
482 memset(buf
, 0, sizeof(buf
));
486 * Fall back to gattering data from timer and secret files, this
487 * is really the last resort.
490 /* to save stackspace */
492 unsigned char buf
[INIT_BYTES
];
493 unsigned char shad
[1001];
498 if ((*hc_rand_timer_method
.bytes
)(u
.buf
, sizeof(u
.buf
)) == 1)
499 add_entropy(&main_state
, u
.buf
, sizeof(u
.buf
));
500 /* add /etc/shadow */
501 fd
= open("/etc/shadow", O_RDONLY
, 0);
505 /* add_entropy will hash the buf */
506 while ((n
= read(fd
, (char *)u
.shad
, sizeof(u
.shad
))) > 0)
507 add_entropy(&main_state
, u
.shad
, sizeof(u
.shad
));
511 memset(&u
, 0, sizeof(u
));
513 entropy_p
= 1; /* sure about this ? */
516 pid_t pid
= getpid();
517 add_entropy(&main_state
, (void *)&pid
, sizeof(pid
));
521 gettimeofday(&tv
, NULL
);
522 add_entropy(&main_state
, (void *)&tv
, sizeof(tv
));
526 add_entropy(&main_state
, (void *)&u
, sizeof(u
));
536 init_state(&main_state
);
540 have_entropy
= fortuna_reseed();
541 return (init_done
&& have_entropy
);
547 fortuna_seed(const void *indata
, int size
)
550 add_entropy(&main_state
, indata
, size
);
551 if (size
>= INIT_BYTES
)
556 fortuna_bytes(unsigned char *outdata
, int size
)
560 resend_bytes
+= size
;
561 if (resend_bytes
> FORTUNA_RESEED_BYTE
|| resend_bytes
< size
) {
565 extract_data(&main_state
, size
, outdata
);
570 fortuna_cleanup(void)
574 memset(&main_state
, 0, sizeof(main_state
));
578 fortuna_add(const void *indata
, int size
, double entropi
)
580 fortuna_seed(indata
, size
);
584 fortuna_pseudorand(unsigned char *outdata
, int size
)
586 return fortuna_bytes(outdata
, size
);
592 return fortuna_init() ? 1 : 0;
595 const RAND_METHOD hc_rand_fortuna_method
= {
605 RAND_fortuna_method(void)
607 return &hc_rand_fortuna_method
;