2 Copyright (c) 2006, John Hurst
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions
8 1. Redistributions of source code must retain the above copyright
9 notice, this list of conditions and the following disclaimer.
10 2. Redistributions in binary form must reproduce the above copyright
11 notice, this list of conditions and the following disclaimer in the
12 documentation and/or other materials provided with the distribution.
13 3. The name of the author may not be used to endorse or promote products
14 derived from this software without specific prior written permission.
16 THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 \brief Fortuna pseudo-random number generator
37 #include <openssl/aes.h>
38 #include <openssl/sha.h>
45 // make up a byte by sampling the perf counter LSB
46 static byte_t get_perf_byte(byte_t carry)
52 SHA1_Update(&SHA, &carry, sizeof(byte_t));
54 for ( int i = 0; i < 128; i++ )
56 QueryPerformanceCounter(&ticks);
57 SHA1_Update(&SHA, &ticks.LowPart, sizeof(ticks.LowPart));
60 SHA1_Final(sha_buf, &SHA);
66 #include <KM_fileio.h>
67 const char* DEV_URANDOM = "/dev/urandom";
72 const ui32_t RNG_KEY_SIZE = 512UL;
73 const ui32_t RNG_KEY_SIZE_BITS = 256UL;
74 const ui32_t RNG_BLOCK_SIZE = 16UL;
75 const ui32_t MAX_SEQUENCE_LEN = 0x00040000UL;
78 // internal implementation class
81 KM_NO_COPY_CONSTRUCT(h__RNG);
85 byte_t m_ctr_buf[RNG_BLOCK_SIZE];
90 memset(m_ctr_buf, 0, RNG_BLOCK_SIZE);
91 byte_t rng_key[RNG_KEY_SIZE];
93 { // this block scopes the following AutoMutex so that it will be
94 // released before the call to set_key() below.
95 AutoMutex Lock(m_Lock);
98 for ( ui32_t i = 0; i < RNG_KEY_SIZE; i++ )
100 byte_t carry = ( i == 0 ) ? 0xa3 : rng_key[i-1];
101 rng_key[i] = get_perf_byte(carry);
104 // on POSIX systems we simply read some seed from /dev/urandom
107 Result_t result = URandom.OpenRead(DEV_URANDOM);
109 if ( KM_SUCCESS(result) )
112 result = URandom.Read(rng_key, RNG_KEY_SIZE, &read_count);
115 if ( KM_FAILURE(result) )
116 DefaultLogSink().Error("Error opening random device: %s\n", DEV_URANDOM);
119 } // end AutoMutex context
126 set_key(const byte_t* key_fodder)
133 SHA1_Update(&SHA, (byte_t*)&m_Context, sizeof(m_Context));
134 SHA1_Update(&SHA, key_fodder, RNG_KEY_SIZE);
135 SHA1_Final(sha_buf, &SHA);
137 AutoMutex Lock(m_Lock);
138 AES_set_encrypt_key(sha_buf, RNG_KEY_SIZE_BITS, &m_Context);
139 *(ui32_t*)(m_ctr_buf + 12) = 1;
144 fill_rand(byte_t* buf, ui32_t len)
146 assert(len <= MAX_SEQUENCE_LEN);
147 ui32_t gen_count = 0;
148 AutoMutex Lock(m_Lock);
150 while ( gen_count + RNG_BLOCK_SIZE <= len )
152 AES_encrypt(m_ctr_buf, buf + gen_count, &m_Context);
153 *(ui32_t*)(m_ctr_buf + 12) += 1;
154 gen_count += RNG_BLOCK_SIZE;
157 if ( len != gen_count ) // partial count needed?
159 byte_t tmp[RNG_BLOCK_SIZE];
160 AES_encrypt(m_ctr_buf, tmp, &m_Context);
161 *(ui32_t*)(m_ctr_buf + 12) += 1;
162 memcpy(buf, tmp, len - gen_count);
168 static h__RNG* s_RNG = 0;
171 //------------------------------------------------------------------------------------------
175 Kumu::FortunaRNG::FortunaRNG()
181 Kumu::FortunaRNG::~FortunaRNG() {}
185 Kumu::FortunaRNG::FillRandom(byte_t* buf, ui32_t len)
192 // 2^20 bytes max per seeding, use 2^19 to save
193 // room for generating reseed values
194 ui32_t gen_size = xmin(len, MAX_SEQUENCE_LEN);
195 s_RNG->fill_rand(buf, gen_size);
199 // re-seed the generator
200 byte_t rng_key[RNG_KEY_SIZE];
201 s_RNG->fill_rand(rng_key, RNG_KEY_SIZE);
202 s_RNG->set_key(rng_key);
210 Kumu::FortunaRNG::FillRandom(Kumu::ByteString& Buffer)
212 FillRandom(Buffer.Data(), Buffer.Capacity());
213 Buffer.Length(Buffer.Capacity());
214 return Buffer.Data();