5 Author: Pekka Riikonen <priikone@silcnet.org>
7 Copyright (C) 1997 - 2003 Pekka Riikonen
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; version 2 of the License.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
21 * Created: Sun Mar 9 00:09:18 1997
23 * The original RNG was based on Secure Shell's random number generator
24 * by Tatu Ylönen and was used as reference when programming this RNG.
25 * This RNG has been rewritten twice since the creation.
28 #include "silcincludes.h"
32 extern pid_t getsid (pid_t __pid);
36 extern pid_t getpgid (pid_t __pid);
41 /*#define SILC_RNG_DEBUG*/
43 /* Number of states to fetch data from pool. */
44 #define SILC_RNG_STATE_NUM 4
46 /* Byte size of the random data pool. */
47 #define SILC_RNG_POOLSIZE (20 * 48)
49 static SilcUInt32 silc_rng_get_position(SilcRng rng);
50 static void silc_rng_stir_pool(SilcRng rng);
51 static void silc_rng_xor(SilcRng rng, SilcUInt32 val, unsigned int pos);
52 static void silc_rng_exec_command(SilcRng rng, char *command);
53 static void silc_rng_get_hard_noise(SilcRng rng);
54 static void silc_rng_get_medium_noise(SilcRng rng);
55 static void silc_rng_get_soft_noise(SilcRng rng);
58 SILC SilcRng State context.
60 This object is used by the random number generator to provide
61 variable points where the actual random number is fetched from
62 the random pool. This provides that the data is not fetched always
63 from the same point of the pool. Short description of the fields
69 The index for the random pool buffer. Lowest and current
72 SilcRngStateContext *next
74 Pointer to the next state. If this is the last state this
75 will point to the first state thus providing circular list.
78 typedef struct SilcRngStateContext {
81 struct SilcRngStateContext *next;
85 SILC Random Number Generator object.
87 This object holds random pool which is used to generate the random
88 numbers used by various routines needing cryptographically strong
89 random numbers. Following short descriptions of the fields.
93 The random pool. This buffer holds the random data. This is
94 frequently stirred thus providing ever changing randomnes.
98 Key used in stirring the random pool. The pool is encrypted
99 with SHA1 hash function in CFB (Cipher Feedback) mode.
101 SilcSilcRngState state
103 State object that is used to get the next position for the
104 random pool. This position is used to fetch data from pool
105 or to save the data to the pool. The state changes everytime
110 Hash object (SHA1) used to make the CFB encryption to the
111 random pool. This is allocated when RNG object is allocated and
112 free'd when RNG object is free'd.
116 Threshold to indicate when it is required to acquire more
117 noise from the environment. More soft noise is acquired after
118 64 bits of output and hard noise every 160 bits of output.
121 struct SilcRngStruct {
122 unsigned char pool[SILC_RNG_POOLSIZE];
123 unsigned char key[64];
131 /* Allocates new RNG object. */
133 SilcRng silc_rng_alloc(void)
137 SILC_LOG_DEBUG(("Allocating new RNG object"));
139 new = silc_calloc(1, sizeof(*new));
140 new->fd_devurandom = -1;
142 memset(new->pool, 0, sizeof(new->pool));
143 memset(new->key, 0, sizeof(new->key));
145 if (!silc_hash_alloc("sha1", &new->sha1)) {
147 SILC_LOG_ERROR(("Could not allocate sha1 hash, probably not registered"));
151 new->devrandom = strdup("/dev/random");
156 /* Free's RNG object. */
158 void silc_rng_free(SilcRng rng)
163 memset(rng->pool, 0, sizeof(rng->pool));
164 memset(rng->key, 0, sizeof(rng->key));
165 silc_hash_free(rng->sha1);
166 silc_free(rng->devrandom);
168 if (rng->fd_devurandom != -1)
169 close(rng->fd_devurandom);
171 for (t = rng->state->next; t != rng->state; ) {
176 silc_free(rng->state);
182 /* Initializes random number generator by getting noise from environment.
183 The environmental noise is our so called seed. One should not call
184 this function more than once. */
186 void silc_rng_init(SilcRng rng)
189 SilcRngState first, next;
193 SILC_LOG_DEBUG(("Initializing RNG object"));
195 /* Initialize the states for the RNG. */
196 rng->state = silc_calloc(1, sizeof(*rng->state));
199 rng->state->next = NULL;
201 for (i = SILC_RNG_STATE_NUM - 1; i >= 1; i--) {
202 next = silc_calloc(1, sizeof(*rng->state));
204 (i * (sizeof(rng->pool) / SILC_RNG_STATE_NUM));
206 (i * (sizeof(rng->pool) / SILC_RNG_STATE_NUM)) + 8;
207 next->next = rng->state;
213 memset(rng->pool, 0, sizeof(rng->pool));
215 /* Get noise from various environmental sources */
216 silc_rng_get_soft_noise(rng);
217 silc_rng_get_medium_noise(rng);
218 silc_rng_get_hard_noise(rng);
219 silc_rng_get_soft_noise(rng);
220 silc_free(rng->devrandom);
221 rng->devrandom = strdup("/dev/urandom");
224 /* This function gets 'soft' noise from environment. */
226 static void silc_rng_get_soft_noise(SilcRng rng)
233 pos = silc_rng_get_position(rng);
235 silc_rng_xor(rng, clock(), 0);
238 silc_rng_xor(rng, getpid(), 1);
240 silc_rng_xor(rng, getpgid(getpid()) << 8, 2);
241 silc_rng_xor(rng, getpgid(getpid()) << 8, 3);
243 silc_rng_xor(rng, getgid(), 4);
246 silc_rng_xor(rng, getpgrp(), 5);
249 silc_rng_xor(rng, getsid(getpid()) << 16, 6);
251 silc_rng_xor(rng, times(&ptime), 7);
252 silc_rng_xor(rng, ptime.tms_utime, 8);
253 silc_rng_xor(rng, (ptime.tms_utime + ptime.tms_stime), pos++);
254 silc_rng_xor(rng, (ptime.tms_stime + ptime.tms_cutime), pos++);
255 silc_rng_xor(rng, (ptime.tms_utime + ptime.tms_stime), pos++);
256 silc_rng_xor(rng, (ptime.tms_cutime ^ ptime.tms_stime), pos++);
257 silc_rng_xor(rng, (ptime.tms_cutime ^ ptime.tms_cstime), pos++);
258 silc_rng_xor(rng, (ptime.tms_utime ^ ptime.tms_stime), pos++);
259 silc_rng_xor(rng, (ptime.tms_stime ^ ptime.tms_cutime), pos++);
260 silc_rng_xor(rng, (ptime.tms_cutime + ptime.tms_stime), pos++);
261 silc_rng_xor(rng, (ptime.tms_stime << 8), pos++);
263 silc_rng_xor(rng, clock() << 4, pos++);
266 silc_rng_xor(rng, getpgid(getpid()) << 8, pos++);
269 silc_rng_xor(rng, getpgrp(), pos++);
272 silc_rng_xor(rng, getsid(getpid()) << 16, pos++);
274 silc_rng_xor(rng, times(&ptime), pos++);
275 silc_rng_xor(rng, ptime.tms_utime, pos++);
277 silc_rng_xor(rng, getpgrp(), pos++);
281 #ifdef SILC_RNG_DEBUG
282 SILC_LOG_HEXDUMP(("pool"), rng->pool, sizeof(rng->pool));
285 /* Stir random pool */
286 silc_rng_stir_pool(rng);
289 /* This function gets noise from different commands */
291 static void silc_rng_get_medium_noise(SilcRng rng)
293 silc_rng_exec_command(rng, "ps -leaww 2> /dev/null");
294 silc_rng_exec_command(rng, "ls -afiln ~ 2> /dev/null");
295 silc_rng_exec_command(rng, "ls -afiln /proc 2> /dev/null");
296 silc_rng_exec_command(rng, "ps -axww 2> /dev/null");
298 #ifdef SILC_RNG_DEBUG
299 SILC_LOG_HEXDUMP(("pool"), rng->pool, sizeof(rng->pool));
303 /* This function gets 'hard' noise from environment. This tries to
304 get the noise from /dev/random if available. */
306 static void silc_rng_get_hard_noise(SilcRng rng)
309 unsigned char buf[32];
312 /* Get noise from /dev/[u]random if available */
313 fd = open(rng->devrandom, O_RDONLY);
317 fcntl(fd, F_SETFL, O_NONBLOCK);
319 for (i = 0; i < 2; i++) {
320 len = read(fd, buf, sizeof(buf));
323 silc_rng_add_noise(rng, buf, len);
326 #ifdef SILC_RNG_DEBUG
327 SILC_LOG_HEXDUMP(("pool"), rng->pool, sizeof(rng->pool));
332 memset(buf, 0, sizeof(buf));
336 /* Execs command and gets noise from its output */
338 static void silc_rng_exec_command(SilcRng rng, char *command)
341 unsigned char buf[1024];
347 fd = popen(command, "r");
351 /* Get data as much as we can get into the buffer */
352 for (i = 0; i < sizeof(buf); i++) {
362 /* Add the buffer into random pool */
363 silc_rng_add_noise(rng, buf, i);
364 memset(buf, 0, sizeof(buf));
369 /* This function adds the contents of the buffer as noise into random
370 pool. After adding the noise the pool is stirred. */
372 void silc_rng_add_noise(SilcRng rng, unsigned char *buffer, SilcUInt32 len)
376 pos = silc_rng_get_position(rng);
378 /* Add the buffer one by one into the pool */
379 for(i = 0; i < len; i++, buffer++) {
380 if(pos >= SILC_RNG_POOLSIZE)
382 rng->pool[pos++] ^= *buffer;
385 /* Stir random pool */
386 silc_rng_stir_pool(rng);
389 /* XOR's data into the pool */
391 static void silc_rng_xor(SilcRng rng, SilcUInt32 val, unsigned int pos)
395 SILC_GET32_MSB(tmp, &rng->pool[pos]);
397 SILC_PUT32_MSB(val, &rng->pool[pos]);
400 /* This function stirs the random pool by encrypting buffer in CFB
401 (cipher feedback) mode with SHA1 algorithm. */
403 static void silc_rng_stir_pool(SilcRng rng)
406 SilcUInt32 iv[5], tmp;
409 SILC_GET32_MSB(iv[0], &rng->pool[16 ]);
410 SILC_GET32_MSB(iv[1], &rng->pool[16 + 4]);
411 SILC_GET32_MSB(iv[2], &rng->pool[16 + 8]);
412 SILC_GET32_MSB(iv[3], &rng->pool[16 + 12]);
413 SILC_GET32_MSB(iv[4], &rng->pool[16 + 16]);
416 for (i = 0; i < SILC_RNG_POOLSIZE; i += 20) {
417 silc_hash_transform(rng->sha1, iv, rng->key);
419 SILC_GET32_MSB(tmp, &rng->pool[i]);
421 SILC_PUT32_MSB(iv[0], &rng->pool[i]);
423 SILC_GET32_MSB(tmp, &rng->pool[i + 4]);
425 SILC_PUT32_MSB(iv[1], &rng->pool[i + 4]);
427 SILC_GET32_MSB(tmp, &rng->pool[i + 8]);
429 SILC_PUT32_MSB(iv[2], &rng->pool[i + 8]);
431 SILC_GET32_MSB(tmp, &rng->pool[i + 12]);
433 SILC_PUT32_MSB(iv[3], &rng->pool[i + 12]);
435 SILC_GET32_MSB(tmp, &rng->pool[i + 16]);
437 SILC_PUT32_MSB(iv[4], &rng->pool[i + 16]);
441 memcpy(rng->key, &rng->pool[silc_rng_get_position(rng)], sizeof(rng->key));
443 /* Second CFB pass */
444 for (i = 0; i < SILC_RNG_POOLSIZE; i += 20) {
445 silc_hash_transform(rng->sha1, iv, rng->key);
447 SILC_GET32_MSB(tmp, &rng->pool[i]);
449 SILC_PUT32_MSB(iv[0], &rng->pool[i]);
451 SILC_GET32_MSB(tmp, &rng->pool[i + 4]);
453 SILC_PUT32_MSB(iv[1], &rng->pool[i + 4]);
455 SILC_GET32_MSB(tmp, &rng->pool[i + 8]);
457 SILC_PUT32_MSB(iv[2], &rng->pool[i + 8]);
459 SILC_GET32_MSB(tmp, &rng->pool[i + 12]);
461 SILC_PUT32_MSB(iv[3], &rng->pool[i + 12]);
463 SILC_GET32_MSB(tmp, &rng->pool[i + 16]);
465 SILC_PUT32_MSB(iv[4], &rng->pool[i + 16]);
468 memset(iv, 0, sizeof(iv));
471 /* Returns next position where data is fetched from the pool or
474 static SilcUInt32 silc_rng_get_position(SilcRng rng)
479 next = rng->state->next;
481 pos = rng->state->pos++;
482 if ((next->low != 0 && pos >= next->low) || (pos >= SILC_RNG_POOLSIZE))
483 rng->state->pos = rng->state->low;
485 #ifdef SILC_RNG_DEBUG
486 fprintf(stderr, "state: %p: low: %lu, pos: %lu\n",
487 rng->state, rng->state->low, rng->state->pos);
495 /* Returns random byte. */
497 SilcUInt8 silc_rng_get_byte(SilcRng rng)
503 /* Get more soft noise after 64 bits threshold */
504 if (rng->threshold >= 8)
505 silc_rng_get_soft_noise(rng);
507 /* Get hard noise after 160 bits threshold, zero the threshold. */
508 if (rng->threshold >= 20) {
510 silc_rng_get_hard_noise(rng);
513 do byte = rng->pool[silc_rng_get_position(rng)]; while (byte == 0x00);
517 /* Return random byte as fast as possible. Reads from /dev/urandom if
518 available. If not then return from normal RNG (not so fast). */
520 SilcUInt8 silc_rng_get_byte_fast(SilcRng rng)
523 unsigned char buf[1];
525 if (rng->fd_devurandom == -1) {
526 rng->fd_devurandom = open("/dev/urandom", O_RDONLY);
527 if (rng->fd_devurandom < 0)
528 return silc_rng_get_byte(rng);
529 fcntl(rng->fd_devurandom, F_SETFL, O_NONBLOCK);
532 if (read(rng->fd_devurandom, buf, sizeof(buf)) < 0)
533 return silc_rng_get_byte(rng);
535 return buf[0] != 0x00 ? buf[0] : silc_rng_get_byte(rng);
537 return silc_rng_get_byte(rng);
541 /* Returns 16 bit random number */
543 SilcUInt16 silc_rng_get_rn16(SilcRng rng)
548 rn[0] = silc_rng_get_byte(rng);
549 rn[1] = silc_rng_get_byte(rng);
550 SILC_GET16_MSB(num, rn);
555 /* Returns 32 bit random number */
557 SilcUInt32 silc_rng_get_rn32(SilcRng rng)
562 rn[0] = silc_rng_get_byte(rng);
563 rn[1] = silc_rng_get_byte(rng);
564 rn[2] = silc_rng_get_byte(rng);
565 rn[3] = silc_rng_get_byte(rng);
566 SILC_GET32_MSB(num, rn);
571 /* Returns non-zero random number string. Returned string is in HEX format. */
573 unsigned char *silc_rng_get_rn_string(SilcRng rng, SilcUInt32 len)
576 unsigned char *string;
578 string = silc_calloc((len * 2 + 1), sizeof(unsigned char));
580 for (i = 0; i < len; i++)
581 sprintf(string + 2 * i, "%02x", silc_rng_get_byte(rng));
586 /* Returns non-zero random number binary data. */
588 unsigned char *silc_rng_get_rn_data(SilcRng rng, SilcUInt32 len)
593 data = silc_calloc(len + 1, sizeof(*data));
595 for (i = 0; i < len; i++)
596 data[i] = silc_rng_get_byte(rng);
601 /* Global RNG. This is global RNG that application can initialize so
602 that any part of code anywhere can use RNG without having to allocate
603 new RNG object everytime. If this is not initialized then these routines
604 will fail. Note: currently in SILC applications always initialize this. */
606 SilcRng global_rng = NULL;
608 /* Initialize global RNG. If `rng' is provided it is set as the global
609 RNG object (it can be allocated by the application for example). */
611 bool silc_rng_global_init(SilcRng rng)
618 global_rng = silc_rng_alloc();
619 silc_rng_init(global_rng);
624 /* Uninitialize global RNG */
626 bool silc_rng_global_uninit(void)
629 silc_rng_free(global_rng);
636 /* These are analogous to the functions above. */
638 SilcUInt8 silc_rng_global_get_byte(void)
640 return global_rng ? silc_rng_get_byte(global_rng) : 0;
643 /* Return random byte as fast as possible. Reads from /dev/urandom if
644 available. If not then return from normal RNG (not so fast). */
646 SilcUInt8 silc_rng_global_get_byte_fast(void)
648 return global_rng ? silc_rng_get_byte_fast(global_rng) : 0;
651 SilcUInt16 silc_rng_global_get_rn16(void)
653 return global_rng ? silc_rng_get_rn16(global_rng) : 0;
656 SilcUInt32 silc_rng_global_get_rn32(void)
658 return global_rng ? silc_rng_get_rn32(global_rng) : 0;
661 unsigned char *silc_rng_global_get_rn_string(SilcUInt32 len)
663 return global_rng ? silc_rng_get_rn_string(global_rng, len) : NULL;
666 unsigned char *silc_rng_global_get_rn_data(SilcUInt32 len)
668 return global_rng ? silc_rng_get_rn_data(global_rng, len) : NULL;
671 void silc_rng_global_add_noise(unsigned char *buffer, SilcUInt32 len)
674 silc_rng_add_noise(global_rng, buffer, len);