5 Author: Pekka Riikonen <priikone@silcnet.org>
7 Copyright (C) 1997 - 2002 Pekka Riikonen
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; version 2 of the License.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
21 * Created: Sun Mar 9 00:09:18 1997
23 * The original RNG was based on Secure Shell's random number generator
24 * by Tatu Ylönen and was used as reference when programming this RNG.
25 * This RNG has been rewritten twice since the creation.
28 #include "silcincludes.h"
32 extern pid_t getsid (pid_t __pid);
36 extern pid_t getpgid (pid_t __pid);
41 /*#define SILC_RNG_DEBUG*/
43 /* Number of states to fetch data from pool. */
44 #define SILC_RNG_STATE_NUM 4
46 /* Byte size of the random data pool. */
47 #define SILC_RNG_POOLSIZE (20 * 48)
49 static SilcUInt32 silc_rng_get_position(SilcRng rng);
50 static void silc_rng_stir_pool(SilcRng rng);
51 static void silc_rng_xor(SilcRng rng, SilcUInt32 val, unsigned int pos);
52 static void silc_rng_exec_command(SilcRng rng, char *command);
53 static void silc_rng_get_hard_noise(SilcRng rng);
54 static void silc_rng_get_medium_noise(SilcRng rng);
55 static void silc_rng_get_soft_noise(SilcRng rng);
58 SILC SilcRng State context.
60 This object is used by the random number generator to provide
61 variable points where the actual random number is fetched from
62 the random pool. This provides that the data is not fetched always
63 from the same point of the pool. Short description of the fields
69 The index for the random pool buffer. Lowest and current
72 SilcRngStateContext *next
74 Pointer to the next state. If this is the last state this
75 will point to the first state thus providing circular list.
78 typedef struct SilcRngStateContext {
81 struct SilcRngStateContext *next;
85 SILC Random Number Generator object.
87 This object holds random pool which is used to generate the random
88 numbers used by various routines needing cryptographically strong
89 random numbers. Following short descriptions of the fields.
93 The random pool. This buffer holds the random data. This is
94 frequently stirred thus providing ever changing randomnes.
98 Key used in stirring the random pool. The pool is encrypted
99 with SHA1 hash function in CFB (Cipher Feedback) mode.
101 SilcSilcRngState state
103 State object that is used to get the next position for the
104 random pool. This position is used to fetch data from pool
105 or to save the data to the pool. The state changes everytime
110 Hash object (SHA1) used to make the CFB encryption to the
111 random pool. This is allocated when RNG object is allocated and
112 free'd when RNG object is free'd.
116 Threshold to indicate when it is required to acquire more
117 noise from the environment. More soft noise is acquired after
118 64 bits of output and hard noise every 160 bits of output.
121 struct SilcRngStruct {
122 unsigned char pool[SILC_RNG_POOLSIZE];
123 unsigned char key[64];
131 /* Allocates new RNG object. */
133 SilcRng silc_rng_alloc(void)
137 SILC_LOG_DEBUG(("Allocating new RNG object"));
139 new = silc_calloc(1, sizeof(*new));
140 new->fd_devurandom = -1;
142 memset(new->pool, 0, sizeof(new->pool));
143 memset(new->key, 0, sizeof(new->key));
145 if (!silc_hash_alloc("sha1", &new->sha1)) {
147 SILC_LOG_ERROR(("Could not allocate sha1 hash, probably not registered"));
151 new->devrandom = strdup("/dev/random");
156 /* Free's RNG object. */
158 void silc_rng_free(SilcRng rng)
163 memset(rng->pool, 0, sizeof(rng->pool));
164 memset(rng->key, 0, sizeof(rng->key));
165 silc_hash_free(rng->sha1);
166 silc_free(rng->devrandom);
168 if (rng->fd_devurandom != -1)
169 close(rng->fd_devurandom);
171 for (t = rng->state->next; t != rng->state; ) {
176 silc_free(rng->state);
182 /* Initializes random number generator by getting noise from environment.
183 The environmental noise is our so called seed. One should not call
184 this function more than once. */
186 void silc_rng_init(SilcRng rng)
189 SilcRngState first, next;
193 SILC_LOG_DEBUG(("Initializing RNG object"));
195 /* Initialize the states for the RNG. */
196 rng->state = silc_calloc(1, sizeof(*rng->state));
199 rng->state->next = NULL;
201 for (i = SILC_RNG_STATE_NUM - 1; i >= 1; i--) {
202 next = silc_calloc(1, sizeof(*rng->state));
204 (i * (sizeof(rng->pool) / SILC_RNG_STATE_NUM));
206 (i * (sizeof(rng->pool) / SILC_RNG_STATE_NUM)) + 8;
207 next->next = rng->state;
213 memset(rng->pool, 0, sizeof(rng->pool));
215 /* Get noise from various environmental sources */
216 silc_rng_get_soft_noise(rng);
217 silc_rng_get_medium_noise(rng);
218 silc_rng_get_hard_noise(rng);
219 silc_rng_get_soft_noise(rng);
220 silc_free(rng->devrandom);
221 rng->devrandom = strdup("/dev/urandom");
224 /* This function gets 'soft' noise from environment. */
226 static void silc_rng_get_soft_noise(SilcRng rng)
233 pos = silc_rng_get_position(rng);
235 silc_rng_xor(rng, clock(), 0);
238 silc_rng_xor(rng, getpid(), 1);
240 silc_rng_xor(rng, getpgid(getpid()) << 8, 2);
241 silc_rng_xor(rng, getpgid(getpid()) << 8, 3);
243 silc_rng_xor(rng, getgid(), 4);
246 silc_rng_xor(rng, getpgrp(), 5);
249 silc_rng_xor(rng, getsid(getpid()) << 16, 6);
251 silc_rng_xor(rng, times(&ptime), 7);
252 silc_rng_xor(rng, ptime.tms_utime, 8);
253 silc_rng_xor(rng, (ptime.tms_utime + ptime.tms_stime), pos++);
254 silc_rng_xor(rng, (ptime.tms_stime + ptime.tms_cutime), pos++);
255 silc_rng_xor(rng, (ptime.tms_utime + ptime.tms_stime), pos++);
256 silc_rng_xor(rng, (ptime.tms_cutime ^ ptime.tms_stime), pos++);
257 silc_rng_xor(rng, (ptime.tms_cutime ^ ptime.tms_cstime), pos++);
258 silc_rng_xor(rng, (ptime.tms_utime ^ ptime.tms_stime), pos++);
259 silc_rng_xor(rng, (ptime.tms_stime ^ ptime.tms_cutime), pos++);
260 silc_rng_xor(rng, (ptime.tms_cutime + ptime.tms_stime), pos++);
261 silc_rng_xor(rng, (ptime.tms_stime << 8), pos++);
263 silc_rng_xor(rng, clock() << 4, pos++);
266 silc_rng_xor(rng, getpgid(getpid()) << 8, pos++);
269 silc_rng_xor(rng, getpgrp(), pos++);
272 silc_rng_xor(rng, getsid(getpid()) << 16, pos++);
274 silc_rng_xor(rng, times(&ptime), pos++);
275 silc_rng_xor(rng, ptime.tms_utime, pos++);
277 silc_rng_xor(rng, getpgrp(), pos++);
281 #ifdef SILC_RNG_DEBUG
282 SILC_LOG_HEXDUMP(("pool"), rng->pool, sizeof(rng->pool));
285 /* Stir random pool */
286 silc_rng_stir_pool(rng);
289 /* This function gets noise from different commands */
291 static void silc_rng_get_medium_noise(SilcRng rng)
293 silc_rng_exec_command(rng, "ps -leaww 2> /dev/null");
294 silc_rng_exec_command(rng, "ls -afiln ~ 2> /dev/null");
295 silc_rng_exec_command(rng, "ls -afiln /proc 2> /dev/null");
296 silc_rng_exec_command(rng, "ps -axww 2> /dev/null");
298 #ifdef SILC_RNG_DEBUG
299 SILC_LOG_HEXDUMP(("pool"), rng->pool, sizeof(rng->pool));
303 /* This function gets 'hard' noise from environment. This tries to
304 get the noise from /dev/random if available. */
306 static void silc_rng_get_hard_noise(SilcRng rng)
309 unsigned char buf[32];
312 /* Get noise from /dev/[u]random if available */
313 fd = open(rng->devrandom, O_RDONLY);
317 fcntl(fd, F_SETFL, O_NONBLOCK);
319 for (i = 0; i < 2; i++) {
320 len = read(fd, buf, sizeof(buf));
323 silc_rng_add_noise(rng, buf, len);
326 #ifdef SILC_RNG_DEBUG
327 SILC_LOG_HEXDUMP(("pool"), rng->pool, sizeof(rng->pool));
332 memset(buf, 0, sizeof(buf));
336 /* Execs command and gets noise from its output */
338 static void silc_rng_exec_command(SilcRng rng, char *command)
341 unsigned char buf[1024];
347 fd = popen(command, "r");
351 /* Get data as much as we can get into the buffer */
352 for (i = 0; i < sizeof(buf); i++) {
364 /* Add the buffer into random pool */
365 silc_rng_add_noise(rng, buf, i);
366 memset(buf, 0, sizeof(buf));
370 /* This function adds the contents of the buffer as noise into random
371 pool. After adding the noise the pool is stirred. */
373 void silc_rng_add_noise(SilcRng rng, unsigned char *buffer, SilcUInt32 len)
377 pos = silc_rng_get_position(rng);
379 /* Add the buffer one by one into the pool */
380 for(i = 0; i < len; i++, buffer++) {
381 if(pos >= SILC_RNG_POOLSIZE)
383 rng->pool[pos++] ^= *buffer;
386 /* Stir random pool */
387 silc_rng_stir_pool(rng);
390 /* XOR's data into the pool */
392 static void silc_rng_xor(SilcRng rng, SilcUInt32 val, unsigned int pos)
396 SILC_GET32_MSB(tmp, &rng->pool[pos]);
398 SILC_PUT32_MSB(val, &rng->pool[pos]);
401 /* This function stirs the random pool by encrypting buffer in CFB
402 (cipher feedback) mode with SHA1 algorithm. */
404 static void silc_rng_stir_pool(SilcRng rng)
407 SilcUInt32 iv[5], tmp;
410 SILC_GET32_MSB(iv[0], &rng->pool[16 ]);
411 SILC_GET32_MSB(iv[1], &rng->pool[16 + 4]);
412 SILC_GET32_MSB(iv[2], &rng->pool[16 + 8]);
413 SILC_GET32_MSB(iv[3], &rng->pool[16 + 12]);
414 SILC_GET32_MSB(iv[4], &rng->pool[16 + 16]);
417 for (i = 0; i < SILC_RNG_POOLSIZE; i += 20) {
418 silc_hash_transform(rng->sha1, iv, rng->key);
420 SILC_GET32_MSB(tmp, &rng->pool[i]);
422 SILC_PUT32_MSB(iv[0], &rng->pool[i]);
424 SILC_GET32_MSB(tmp, &rng->pool[i + 4]);
426 SILC_PUT32_MSB(iv[1], &rng->pool[i + 4]);
428 SILC_GET32_MSB(tmp, &rng->pool[i + 8]);
430 SILC_PUT32_MSB(iv[2], &rng->pool[i + 8]);
432 SILC_GET32_MSB(tmp, &rng->pool[i + 12]);
434 SILC_PUT32_MSB(iv[3], &rng->pool[i + 12]);
436 SILC_GET32_MSB(tmp, &rng->pool[i + 16]);
438 SILC_PUT32_MSB(iv[4], &rng->pool[i + 16]);
442 memcpy(rng->key, &rng->pool[silc_rng_get_position(rng)], sizeof(rng->key));
444 /* Second CFB pass */
445 for (i = 0; i < SILC_RNG_POOLSIZE; i += 20) {
446 silc_hash_transform(rng->sha1, iv, rng->key);
448 SILC_GET32_MSB(tmp, &rng->pool[i]);
450 SILC_PUT32_MSB(iv[0], &rng->pool[i]);
452 SILC_GET32_MSB(tmp, &rng->pool[i + 4]);
454 SILC_PUT32_MSB(iv[1], &rng->pool[i + 4]);
456 SILC_GET32_MSB(tmp, &rng->pool[i + 8]);
458 SILC_PUT32_MSB(iv[2], &rng->pool[i + 8]);
460 SILC_GET32_MSB(tmp, &rng->pool[i + 12]);
462 SILC_PUT32_MSB(iv[3], &rng->pool[i + 12]);
464 SILC_GET32_MSB(tmp, &rng->pool[i + 16]);
466 SILC_PUT32_MSB(iv[4], &rng->pool[i + 16]);
469 memset(iv, 0, sizeof(iv));
472 /* Returns next position where data is fetched from the pool or
475 static SilcUInt32 silc_rng_get_position(SilcRng rng)
480 next = rng->state->next;
482 pos = rng->state->pos++;
483 if ((next->low != 0 && pos >= next->low) || (pos >= SILC_RNG_POOLSIZE))
484 rng->state->pos = rng->state->low;
486 #ifdef SILC_RNG_DEBUG
487 fprintf(stderr, "state: %p: low: %lu, pos: %lu\n",
488 rng->state, rng->state->low, rng->state->pos);
496 /* Returns random byte. */
498 SilcUInt8 silc_rng_get_byte(SilcRng rng)
502 /* Get more soft noise after 64 bits threshold */
503 if (rng->threshold >= 8)
504 silc_rng_get_soft_noise(rng);
506 /* Get hard noise after 160 bits threshold, zero the threshold. */
507 if (rng->threshold >= 20) {
509 silc_rng_get_hard_noise(rng);
512 return rng->pool[silc_rng_get_position(rng)];
515 /* Return random byte as fast as possible. Reads from /dev/urandom if
516 available. If not then return from normal RNG (not so fast). */
518 SilcUInt8 silc_rng_get_byte_fast(SilcRng rng)
521 unsigned char buf[1];
523 if (rng->fd_devurandom == -1) {
524 rng->fd_devurandom = open("/dev/urandom", O_RDONLY);
526 return silc_rng_get_byte(rng);
527 fcntl(rng->fd_devurandom, F_SETFL, O_NONBLOCK);
530 if (read(rng->fd_devurandom, buf, sizeof(buf)) < 0)
531 return silc_rng_get_byte(rng);
535 return silc_rng_get_byte(rng);
539 /* Returns 16 bit random number */
541 SilcUInt16 silc_rng_get_rn16(SilcRng rng)
546 rn[0] = silc_rng_get_byte(rng);
547 rn[1] = silc_rng_get_byte(rng);
548 SILC_GET16_MSB(num, rn);
553 /* Returns 32 bit random number */
555 SilcUInt32 silc_rng_get_rn32(SilcRng rng)
560 rn[0] = silc_rng_get_byte(rng);
561 rn[1] = silc_rng_get_byte(rng);
562 rn[2] = silc_rng_get_byte(rng);
563 rn[3] = silc_rng_get_byte(rng);
564 SILC_GET32_MSB(num, rn);
569 /* Returns random number string. Returned string is in HEX format. */
571 unsigned char *silc_rng_get_rn_string(SilcRng rng, SilcUInt32 len)
574 unsigned char *string;
576 string = silc_calloc((len * 2 + 1), sizeof(unsigned char));
578 for (i = 0; i < len; i++)
579 sprintf(string + 2 * i, "%02x", silc_rng_get_byte(rng));
584 /* Returns random number binary data. */
586 unsigned char *silc_rng_get_rn_data(SilcRng rng, SilcUInt32 len)
591 data = silc_calloc(len + 1, sizeof(*data));
593 for (i = 0; i < len; i++)
594 data[i] = silc_rng_get_byte(rng);
599 /* Global RNG. This is global RNG that application can initialize so
600 that any part of code anywhere can use RNG without having to allocate
601 new RNG object everytime. If this is not initialized then these routines
602 will fail. Note: currently in SILC applications always initialize this. */
604 SilcRng global_rng = NULL;
606 /* Initialize global RNG. If `rng' is provided it is set as the global
607 RNG object (it can be allocated by the application for example). */
609 bool silc_rng_global_init(SilcRng rng)
614 global_rng = silc_rng_alloc();
619 /* Uninitialize global RNG */
621 bool silc_rng_global_uninit(void)
624 silc_rng_free(global_rng);
631 /* These are analogous to the functions above. */
633 SilcUInt8 silc_rng_global_get_byte(void)
635 return global_rng ? silc_rng_get_byte(global_rng) : 0;
638 /* Return random byte as fast as possible. Reads from /dev/urandom if
639 available. If not then return from normal RNG (not so fast). */
641 SilcUInt8 silc_rng_global_get_byte_fast(void)
643 return global_rng ? silc_rng_get_byte_fast(global_rng) : 0;
646 SilcUInt16 silc_rng_global_get_rn16(void)
648 return global_rng ? silc_rng_get_rn16(global_rng) : 0;
651 SilcUInt32 silc_rng_global_get_rn32(void)
653 return global_rng ? silc_rng_get_rn32(global_rng) : 0;
656 unsigned char *silc_rng_global_get_rn_string(SilcUInt32 len)
658 return global_rng ? silc_rng_get_rn_string(global_rng, len) : NULL;
661 unsigned char *silc_rng_global_get_rn_data(SilcUInt32 len)
663 return global_rng ? silc_rng_get_rn_data(global_rng, len) : NULL;
666 void silc_rng_global_add_noise(unsigned char *buffer, SilcUInt32 len)
669 silc_rng_add_noise(global_rng, buffer, len);