* [including the GNU Public Licence.]
*/
+#define ENTROPY_NEEDED 16 /* require 128 bits = 16 bytes of randomness */
+
#ifndef MD_RAND_DEBUG
# ifndef NDEBUG
# define NDEBUG
#include "openssl/e_os.h"
#include <openssl/crypto.h>
+#include <openssl/err.h>
#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
#if !defined(NO_SHA) && !defined(NO_SHA1)
#include <openssl/rand.h>
+#ifdef BN_DEBUG
+# define PREDICT
+#endif
+
/* #define NORAND 1 */
/* #define PREDICT 1 */
static unsigned char state[STATE_SIZE+MD_DIGEST_LENGTH];
static unsigned char md[MD_DIGEST_LENGTH];
static long md_count[2]={0,0};
+static double entropy=0;
+static int initialized=0;
+
+#ifdef PREDICT
+int rand_predictable=0;
+#endif
const char *RAND_version="RAND" OPENSSL_VERSION_PTEXT;
static void ssleay_rand_cleanup(void);
static void ssleay_rand_seed(const void *buf, int num);
-static void ssleay_rand_bytes(unsigned char *buf, int num);
+static void ssleay_rand_add(const void *buf, int num, double add_entropy);
+static int ssleay_rand_bytes(unsigned char *buf, int num);
+static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
RAND_METHOD rand_ssleay_meth={
ssleay_rand_seed,
ssleay_rand_bytes,
ssleay_rand_cleanup,
+ ssleay_rand_add,
+ ssleay_rand_pseudo_bytes,
};
RAND_METHOD *RAND_SSLeay(void)
memset(md,0,MD_DIGEST_LENGTH);
md_count[0]=0;
md_count[1]=0;
+ entropy=0;
}
-static void ssleay_rand_seed(const void *buf, int num)
+static void ssleay_rand_add(const void *buf, int num, double add)
{
int i,j,k,st_idx;
long md_c[2];
#endif
/*
- * (Based on doc/ssleay.txt, section rand.doc:)
+ * (Based on the rand(3) manpage)
*
- * The input is chopped up into units of 16 bytes (or less for
- * the last block). Each of these blocks is run through the MD5
- * message digest as follow: The data passed to the MD5 digest
+ * The input is chopped up into units of 20 bytes (or less for
+ * the last block). Each of these blocks is run through the hash
+ * function as follows: The data passed to the hash function
* is the current 'md', the same number of bytes from the 'state'
* (the location determined by in incremented looping index) as
* the current 'block', the new key data 'block', and 'count'
* (which is incremented after each use).
* The result of this is kept in 'md' and also xored into the
- * 'state' at the same locations that were used as input into the MD5.
+ * 'state' at the same locations that were used as input into the
+ * hash function.
*/
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
{
md[k] ^= local_md[k];
}
+ if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
+ entropy += add;
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
#ifndef THREADS
#endif
}
-static void ssleay_rand_bytes(unsigned char *buf, int num)
+static void ssleay_rand_seed(const void *buf, int num)
+ {
+ ssleay_rand_add(buf, num, num);
+ }
+
+static void ssleay_rand_initialize(void)
{
- int i,j,k,st_num,st_idx;
- long md_c[2];
- unsigned char local_md[MD_DIGEST_LENGTH];
- MD_CTX m;
- static int init=1;
unsigned long l;
-#ifndef MSDOS
- static pid_t prev_pid = 0;
- pid_t curr_pid;
+#ifndef GETPID_IS_MEANINGLESS
+ pid_t curr_pid = getpid();
#endif
#ifdef DEVRANDOM
FILE *fh;
#endif
-#ifdef PREDICT
- {
- static unsigned char val=0;
-
- for (i=0; i<num; i++)
- buf[i]=val++;
+#ifdef NORAND
return;
+#endif
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ /* put in some default random data, we need more than just this */
+#ifndef GETPID_IS_MEANINGLESS
+ l=curr_pid;
+ RAND_add(&l,sizeof(l),0);
+ l=getuid();
+ RAND_add(&l,sizeof(l),0);
+#endif
+ l=time(NULL);
+ RAND_add(&l,sizeof(l),0);
+
+#ifdef DEVRANDOM
+ /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
+ * have this. Use /dev/urandom if you can as /dev/random may block
+ * if it runs out of random entries. */
+
+ if ((fh = fopen(DEVRANDOM, "r")) != NULL)
+ {
+ unsigned char tmpbuf[ENTROPY_NEEDED];
+ int n;
+
+ setvbuf(fh, NULL, _IONBF, 0);
+ n=fread((unsigned char *)tmpbuf,1,ENTROPY_NEEDED,fh);
+ fclose(fh);
+ RAND_add(tmpbuf,sizeof tmpbuf,n);
+ memset(tmpbuf,0,n);
+ }
+#endif
+#ifdef PURIFY
+ memset(state,0,STATE_SIZE);
+ memset(md,0,MD_DIGEST_LENGTH);
+#endif
+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ initialized=1;
}
+
+static int ssleay_rand_bytes(unsigned char *buf, int num)
+ {
+ int i,j,k,st_num,st_idx;
+ int ok;
+ long md_c[2];
+ unsigned char local_md[MD_DIGEST_LENGTH];
+ MD_CTX m;
+#ifndef GETPID_IS_MEANINGLESS
+ pid_t curr_pid = getpid();
+#endif
+
+#ifdef PREDICT
+ if (rand_predictable)
+ {
+ static unsigned char val=0;
+
+ for (i=0; i<num; i++)
+ buf[i]=val++;
+ return(1);
+ }
#endif
/*
- * (Based on doc/ssleay.txt, section rand.doc:)
+ * (Based on the rand(3) manpage:)
*
- * For each group of 8 bytes (or less), we do the following,
+ * For each group of 10 bytes (or less), we do the following:
*
- * Input into MD5, the top 8 bytes from 'md', the byte that are
- * to be overwritten by the random bytes and bytes from the
+ * Input into the hash function the top 10 bytes from the
+ * local 'md' (which is initialized from the global 'md'
+ * before any bytes are generated), the bytes that are
+ * to be overwritten by the random bytes, and bytes from the
* 'state' (incrementing looping index). From this digest output
- * (which is kept in 'md'), the top (upto) 8 bytes are
- * returned to the caller and the bottom (upto) 8 bytes are xored
+ * (which is kept in 'md'), the top (up to) 10 bytes are
+ * returned to the caller and the bottom (up to) 10 bytes are xored
* into the 'state'.
* Finally, after we have finished 'num' random bytes for the
- * caller, 'count' (which is incremented) and the local and globl 'md'
- * are fed into MD5 and the results are kept in the global 'md'.
+ * caller, 'count' (which is incremented) and the local and global 'md'
+ * are fed into the hash function and the results are kept in the
+ * global 'md'.
*/
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
- if (init)
- {
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
- /* put in some default random data, we need more than
- * just this */
- RAND_seed(&m,sizeof(m));
-#ifndef MSDOS
- prev_pid = getpid();
- l=prev_pid;
- RAND_seed(&l,sizeof(l));
- l=getuid();
- RAND_seed(&l,sizeof(l));
-#endif
- l=time(NULL);
- RAND_seed(&l,sizeof(l));
-
-#ifdef DEVRANDOM
- /*
- * Use a random entropy pool device.
- * Linux 1.3.x and FreeBSD-Current has
- * this. Use /dev/urandom if you can
- * as /dev/random will block if it runs out
- * of random entries.
- */
- if ((fh = fopen(DEVRANDOM, "r")) != NULL)
- {
- unsigned char tmpbuf[32];
-
- fread((unsigned char *)tmpbuf,1,32,fh);
- /* we don't care how many bytes we read,
- * we will just copy the 'stack' if there is
- * nothing else :-) */
- fclose(fh);
- RAND_seed(tmpbuf,32);
- memset(tmpbuf,0,32);
- }
-#endif
-#ifdef PURIFY
- memset(state,0,STATE_SIZE);
- memset(md,0,MD_DIGEST_LENGTH);
-#endif
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
- init=0;
- }
+ if (!initialized)
+ ssleay_rand_initialize();
-#ifndef MSDOS
- /* make sure we have unique states when a program forks
- * (new with OpenSSL 0.9.5; for earlier versions, applications
- * must take care of this) */
- curr_pid = getpid();
- if (prev_pid != curr_pid)
+ ok = (entropy >= ENTROPY_NEEDED);
+ if (!ok)
{
- prev_pid = curr_pid;
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
- RAND_seed(&curr_pid, sizeof curr_pid);
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ /* If the PRNG state is not yet unpredictable, then seeing
+ * the PRNG output may help attackers to determine the new
+ * state; thus we have to decrease the entropy estimate.
+ * Once we've had enough initial seeding we don't bother to
+ * adjust the entropy count, though, because we're not ambitious
+ * to provide *information-theoretic* randomness.
+ */
+ entropy -= num;
+ if (entropy < 0)
+ entropy = 0;
}
-#endif
st_idx=state_index;
st_num=state_num;
j=(num >= MD_DIGEST_LENGTH/2)?MD_DIGEST_LENGTH/2:num;
num-=j;
MD_Init(&m);
+#ifndef GETPID_IS_MEANINGLESS
+ if (curr_pid) /* just in the first iteration to save time */
+ {
+ MD_Update(&m,(unsigned char*)&curr_pid,sizeof curr_pid);
+ curr_pid = 0;
+ }
+#endif
MD_Update(&m,&(local_md[MD_DIGEST_LENGTH/2]),MD_DIGEST_LENGTH/2);
MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
#ifndef PURIFY
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
memset(&m,0,sizeof(m));
+ if (ok)
+ return(1);
+ else
+ {
+ RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
+ return(0);
+ }
+ }
+
+/* pseudo-random bytes that are guaranteed to be unique but not
+ unpredictable */
+static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num)
+ {
+ int ret, err;
+
+ ret = RAND_bytes(buf, num);
+ if (ret == 0)
+ {
+ err = ERR_peek_error();
+ if (ERR_GET_LIB(err) == ERR_LIB_RAND &&
+ ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED)
+ (void)ERR_get_error();
+ }
+ return (ret);
+ }
+
+int RAND_status(void)
+ {
+ if (!initialized)
+ ssleay_rand_initialize();
+ return (entropy >= ENTROPY_NEEDED);
}
#ifdef WINDOWS
*/
/*
* I have modified the loading of bytes via RAND_seed() mechanism since
- * the origional would have been very very CPU intensive since RAND_seed()
+ * the original would have been very very CPU intensive since RAND_seed()
* does an MD5 per 16 bytes of input. The cost to digest 16 bytes is the same
* as that to digest 56 bytes. So under the old system, a screen of
- * 1024*768*256 would have been CPU cost of approximatly 49,000 56 byte MD5
+ * 1024*768*256 would have been CPU cost of approximately 49,000 56 byte MD5
* digests or digesting 2.7 mbytes. What I have put in place would
- * be 48 16k MD5 digests, or efectivly 48*16+48 MD5 bytes or 816 kbytes
+ * be 48 16k MD5 digests, or effectively 48*16+48 MD5 bytes or 816 kbytes
* or about 3.5 times as much.
* - eric
*/