clarify documentation
[heimdal.git] / lib / hcrypto / rand-fortuna.c
blob11027b46cf4acd2ffac6d4b708512c64d0240632
1 /*
2 * fortuna.c
3 * Fortuna-like PRNG.
5 * Copyright (c) 2005 Marko Kreen
6 * All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
29 * $PostgreSQL: pgsql/contrib/pgcrypto/fortuna.c,v 1.8 2006/10/04 00:29:46 momjian Exp $
32 #include <config.h>
34 #include <stdio.h>
35 #include <stdlib.h>
36 #include <rand.h>
37 #include <heim_threads.h>
39 #ifdef KRB5
40 #include <krb5-types.h>
41 #endif
42 #include <roken.h>
44 #include "randi.h"
45 #include "aes.h"
46 #include "sha.h"
49 * Why Fortuna-like: There does not seem to be any definitive reference
50 * on Fortuna in the net. Instead this implementation is based on
51 * following references:
53 * http://en.wikipedia.org/wiki/Fortuna_(PRNG)
54 * - Wikipedia article
55 * http://jlcooke.ca/random/
56 * - Jean-Luc Cooke Fortuna-based /dev/random driver for Linux.
60 * There is some confusion about whether and how to carry forward
61 * the state of the pools. Seems like original Fortuna does not
62 * do it, resetting hash after each request. I guess expecting
63 * feeding to happen more often that requesting. This is absolutely
64 * unsuitable for pgcrypto, as nothing asynchronous happens here.
66 * J.L. Cooke fixed this by feeding previous hash to new re-initialized
67 * hash context.
69 * Fortuna predecessor Yarrow requires ability to query intermediate
70 * 'final result' from hash, without affecting it.
72 * This implementation uses the Yarrow method - asking intermediate
73 * results, but continuing with old state.
78 * Algorithm parameters
81 #define NUM_POOLS 32
83 /* in microseconds */
84 #define RESEED_INTERVAL 100000 /* 0.1 sec */
86 /* for one big request, reseed after this many bytes */
87 #define RESEED_BYTES (1024*1024)
90 * Skip reseed if pool 0 has less than this many
91 * bytes added since last reseed.
93 #define POOL0_FILL (256/8)
96 * Algorithm constants
99 /* Both cipher key size and hash result size */
100 #define BLOCK 32
102 /* cipher block size */
103 #define CIPH_BLOCK 16
105 /* for internal wrappers */
106 #define MD_CTX SHA256_CTX
107 #define CIPH_CTX AES_KEY
109 struct fortuna_state
111 unsigned char counter[CIPH_BLOCK];
112 unsigned char result[CIPH_BLOCK];
113 unsigned char key[BLOCK];
114 MD_CTX pool[NUM_POOLS];
115 CIPH_CTX ciph;
116 unsigned reseed_count;
117 struct timeval last_reseed_time;
118 unsigned pool0_bytes;
119 unsigned rnd_pos;
120 int tricks_done;
121 pid_t pid;
123 typedef struct fortuna_state FState;
127 * Use our own wrappers here.
128 * - Need to get intermediate result from digest, without affecting it.
129 * - Need re-set key on a cipher context.
130 * - Algorithms are guaranteed to exist.
131 * - No memory allocations.
134 static void
135 ciph_init(CIPH_CTX * ctx, const unsigned char *key, int klen)
137 AES_set_encrypt_key(key, klen * 8, ctx);
140 static void
141 ciph_encrypt(CIPH_CTX * ctx, const unsigned char *in, unsigned char *out)
143 AES_encrypt(in, out, ctx);
146 static void
147 md_init(MD_CTX * ctx)
149 SHA256_Init(ctx);
152 static void
153 md_update(MD_CTX * ctx, const unsigned char *data, int len)
155 SHA256_Update(ctx, data, len);
158 static void
159 md_result(MD_CTX * ctx, unsigned char *dst)
161 SHA256_CTX tmp;
163 memcpy(&tmp, ctx, sizeof(*ctx));
164 SHA256_Final(dst, &tmp);
165 memset(&tmp, 0, sizeof(tmp));
169 * initialize state
171 static void
172 init_state(FState * st)
174 int i;
176 memset(st, 0, sizeof(*st));
177 for (i = 0; i < NUM_POOLS; i++)
178 md_init(&st->pool[i]);
179 st->pid = getpid();
183 * Endianess does not matter.
184 * It just needs to change without repeating.
186 static void
187 inc_counter(FState * st)
189 uint32_t *val = (uint32_t *) st->counter;
191 if (++val[0])
192 return;
193 if (++val[1])
194 return;
195 if (++val[2])
196 return;
197 ++val[3];
201 * This is called 'cipher in counter mode'.
203 static void
204 encrypt_counter(FState * st, unsigned char *dst)
206 ciph_encrypt(&st->ciph, st->counter, dst);
207 inc_counter(st);
212 * The time between reseed must be at least RESEED_INTERVAL
213 * microseconds.
215 static int
216 enough_time_passed(FState * st)
218 int ok;
219 struct timeval tv;
220 struct timeval *last = &st->last_reseed_time;
222 gettimeofday(&tv, NULL);
224 /* check how much time has passed */
225 ok = 0;
226 if (tv.tv_sec > last->tv_sec + 1)
227 ok = 1;
228 else if (tv.tv_sec == last->tv_sec + 1)
230 if (1000000 + tv.tv_usec - last->tv_usec >= RESEED_INTERVAL)
231 ok = 1;
233 else if (tv.tv_usec - last->tv_usec >= RESEED_INTERVAL)
234 ok = 1;
236 /* reseed will happen, update last_reseed_time */
237 if (ok)
238 memcpy(last, &tv, sizeof(tv));
240 memset(&tv, 0, sizeof(tv));
242 return ok;
246 * generate new key from all the pools
248 static void
249 reseed(FState * st)
251 unsigned k;
252 unsigned n;
253 MD_CTX key_md;
254 unsigned char buf[BLOCK];
256 /* set pool as empty */
257 st->pool0_bytes = 0;
260 * Both #0 and #1 reseed would use only pool 0. Just skip #0 then.
262 n = ++st->reseed_count;
265 * The goal: use k-th pool only 1/(2^k) of the time.
267 md_init(&key_md);
268 for (k = 0; k < NUM_POOLS; k++)
270 md_result(&st->pool[k], buf);
271 md_update(&key_md, buf, BLOCK);
273 if (n & 1 || !n)
274 break;
275 n >>= 1;
278 /* add old key into mix too */
279 md_update(&key_md, st->key, BLOCK);
281 /* add pid to make output diverse after fork() */
282 md_update(&key_md, (const unsigned char *)&st->pid, sizeof(st->pid));
284 /* now we have new key */
285 md_result(&key_md, st->key);
287 /* use new key */
288 ciph_init(&st->ciph, st->key, BLOCK);
290 memset(&key_md, 0, sizeof(key_md));
291 memset(buf, 0, BLOCK);
295 * Pick a random pool. This uses key bytes as random source.
297 static unsigned
298 get_rand_pool(FState * st)
300 unsigned rnd;
303 * This slightly prefers lower pools - thats OK.
305 rnd = st->key[st->rnd_pos] % NUM_POOLS;
307 st->rnd_pos++;
308 if (st->rnd_pos >= BLOCK)
309 st->rnd_pos = 0;
311 return rnd;
315 * update pools
317 static void
318 add_entropy(FState * st, const unsigned char *data, unsigned len)
320 unsigned pos;
321 unsigned char hash[BLOCK];
322 MD_CTX md;
324 /* hash given data */
325 md_init(&md);
326 md_update(&md, data, len);
327 md_result(&md, hash);
330 * Make sure the pool 0 is initialized, then update randomly.
332 if (st->reseed_count == 0)
333 pos = 0;
334 else
335 pos = get_rand_pool(st);
336 md_update(&st->pool[pos], hash, BLOCK);
338 if (pos == 0)
339 st->pool0_bytes += len;
341 memset(hash, 0, BLOCK);
342 memset(&md, 0, sizeof(md));
346 * Just take 2 next blocks as new key
348 static void
349 rekey(FState * st)
351 encrypt_counter(st, st->key);
352 encrypt_counter(st, st->key + CIPH_BLOCK);
353 ciph_init(&st->ciph, st->key, BLOCK);
357 * Hide public constants. (counter, pools > 0)
359 * This can also be viewed as spreading the startup
360 * entropy over all of the components.
362 static void
363 startup_tricks(FState * st)
365 int i;
366 unsigned char buf[BLOCK];
368 /* Use next block as counter. */
369 encrypt_counter(st, st->counter);
371 /* Now shuffle pools, excluding #0 */
372 for (i = 1; i < NUM_POOLS; i++)
374 encrypt_counter(st, buf);
375 encrypt_counter(st, buf + CIPH_BLOCK);
376 md_update(&st->pool[i], buf, BLOCK);
378 memset(buf, 0, BLOCK);
380 /* Hide the key. */
381 rekey(st);
383 /* This can be done only once. */
384 st->tricks_done = 1;
387 static void
388 extract_data(FState * st, unsigned count, unsigned char *dst)
390 unsigned n;
391 unsigned block_nr = 0;
392 pid_t pid = getpid();
394 /* Should we reseed? */
395 if (st->pool0_bytes >= POOL0_FILL || st->reseed_count == 0)
396 if (enough_time_passed(st))
397 reseed(st);
399 /* Do some randomization on first call */
400 if (!st->tricks_done)
401 startup_tricks(st);
403 /* If we forked, force a reseed again */
404 if (pid != st->pid) {
405 st->pid = pid;
406 reseed(st);
409 while (count > 0)
411 /* produce bytes */
412 encrypt_counter(st, st->result);
414 /* copy result */
415 if (count > CIPH_BLOCK)
416 n = CIPH_BLOCK;
417 else
418 n = count;
419 memcpy(dst, st->result, n);
420 dst += n;
421 count -= n;
423 /* must not give out too many bytes with one key */
424 block_nr++;
425 if (block_nr > (RESEED_BYTES / CIPH_BLOCK))
427 rekey(st);
428 block_nr = 0;
431 /* Set new key for next request. */
432 rekey(st);
436 * public interface
439 static FState main_state;
440 static int init_done;
441 static int have_entropy;
442 #define FORTUNA_RESEED_BYTE 10000
443 static unsigned resend_bytes;
446 * This mutex protects all of the above static elements from concurrent
447 * access by multiple threads
449 static HEIMDAL_MUTEX fortuna_mutex = HEIMDAL_MUTEX_INITIALIZER;
452 * Try our best to do an inital seed
454 #define INIT_BYTES 128
457 * fortuna_mutex must be held across calls to this function
460 static int
461 fortuna_reseed(void)
463 int entropy_p = 0;
465 if (!init_done)
466 abort();
468 #ifndef NO_RAND_UNIX_METHOD
470 unsigned char buf[INIT_BYTES];
471 if ((*hc_rand_unix_method.bytes)(buf, sizeof(buf)) == 1) {
472 add_entropy(&main_state, buf, sizeof(buf));
473 entropy_p = 1;
474 memset(buf, 0, sizeof(buf));
477 #endif
478 #ifdef HAVE_ARC4RANDOM
480 uint32_t buf[INIT_BYTES / sizeof(uint32_t)];
481 int i;
483 for (i = 0; i < sizeof(buf)/sizeof(buf[0]); i++)
484 buf[i] = arc4random();
485 add_entropy(&main_state, (void *)buf, sizeof(buf));
486 entropy_p = 1;
488 #endif
489 #ifndef NO_RAND_EGD_METHOD
491 * Only to get egd entropy if /dev/random or arc4rand failed since
492 * it can be horribly slow to generate new bits.
494 if (!entropy_p) {
495 unsigned char buf[INIT_BYTES];
496 if ((*hc_rand_egd_method.bytes)(buf, sizeof(buf)) == 1) {
497 add_entropy(&main_state, buf, sizeof(buf));
498 entropy_p = 1;
499 memset(buf, 0, sizeof(buf));
502 #endif
504 * Fall back to gattering data from timer and secret files, this
505 * is really the last resort.
507 if (!entropy_p) {
508 /* to save stackspace */
509 union {
510 unsigned char buf[INIT_BYTES];
511 unsigned char shad[1001];
512 } u;
513 int fd;
515 /* add timer info */
516 if ((*hc_rand_timer_method.bytes)(u.buf, sizeof(u.buf)) == 1)
517 add_entropy(&main_state, u.buf, sizeof(u.buf));
518 /* add /etc/shadow */
519 fd = open("/etc/shadow", O_RDONLY, 0);
520 if (fd >= 0) {
521 ssize_t n;
522 rk_cloexec(fd);
523 /* add_entropy will hash the buf */
524 while ((n = read(fd, (char *)u.shad, sizeof(u.shad))) > 0)
525 add_entropy(&main_state, u.shad, sizeof(u.shad));
526 close(fd);
529 memset(&u, 0, sizeof(u));
531 entropy_p = 1; /* sure about this ? */
534 pid_t pid = getpid();
535 add_entropy(&main_state, (void *)&pid, sizeof(pid));
538 struct timeval tv;
539 gettimeofday(&tv, NULL);
540 add_entropy(&main_state, (void *)&tv, sizeof(tv));
542 #ifdef HAVE_GETUID
544 uid_t u = getuid();
545 add_entropy(&main_state, (void *)&u, sizeof(u));
547 #endif
548 return entropy_p;
552 * fortuna_mutex must be held by callers of this function
554 static int
555 fortuna_init(void)
557 if (!init_done)
559 init_state(&main_state);
560 init_done = 1;
562 if (!have_entropy)
563 have_entropy = fortuna_reseed();
564 return (init_done && have_entropy);
569 static void
570 fortuna_seed(const void *indata, int size)
572 HEIMDAL_MUTEX_lock(&fortuna_mutex);
574 fortuna_init();
575 add_entropy(&main_state, indata, size);
576 if (size >= INIT_BYTES)
577 have_entropy = 1;
579 HEIMDAL_MUTEX_unlock(&fortuna_mutex);
582 static int
583 fortuna_bytes(unsigned char *outdata, int size)
585 int ret = 0;
587 HEIMDAL_MUTEX_lock(&fortuna_mutex);
589 if (!fortuna_init())
590 goto out;
592 resend_bytes += size;
593 if (resend_bytes > FORTUNA_RESEED_BYTE || resend_bytes < size) {
594 resend_bytes = 0;
595 fortuna_reseed();
597 extract_data(&main_state, size, outdata);
598 ret = 1;
600 out:
601 HEIMDAL_MUTEX_unlock(&fortuna_mutex);
603 return ret;
606 static void
607 fortuna_cleanup(void)
609 HEIMDAL_MUTEX_lock(&fortuna_mutex);
611 init_done = 0;
612 have_entropy = 0;
613 memset(&main_state, 0, sizeof(main_state));
615 HEIMDAL_MUTEX_unlock(&fortuna_mutex);
618 static void
619 fortuna_add(const void *indata, int size, double entropi)
621 fortuna_seed(indata, size);
624 static int
625 fortuna_pseudorand(unsigned char *outdata, int size)
627 return fortuna_bytes(outdata, size);
630 static int
631 fortuna_status(void)
633 int result;
635 HEIMDAL_MUTEX_lock(&fortuna_mutex);
636 result = fortuna_init();
637 HEIMDAL_MUTEX_unlock(&fortuna_mutex);
639 return result ? 1 : 0;
642 const RAND_METHOD hc_rand_fortuna_method = {
643 fortuna_seed,
644 fortuna_bytes,
645 fortuna_cleanup,
646 fortuna_add,
647 fortuna_pseudorand,
648 fortuna_status
651 const RAND_METHOD *
652 RAND_fortuna_method(void)
654 return &hc_rand_fortuna_method;