Re: [patch 2/2] Fortuna PRNG

Patch applied. Thanks.

---------------------------------------------------------------------------

Marko Kreen wrote:
> - Add Fortuna PRNG to pgcrypto.
> - Move openssl random provider to openssl.c and builtin provider
> to internal.c
> - Make px_random_bytes use Fortuna, instead of giving error.
> - Retarget random.c to aquiring system randomness, for initial seeding
> of Fortuna. There is ATM 2 functions for Windows,
> reader from /dev/urandom and the regular time()/getpid() silliness.
>
>
> Index: pgsql/contrib/pgcrypto/fortuna.c
> ===================================================================
> *** /dev/null
> --- pgsql/contrib/pgcrypto/fortuna.c
> ***************
> *** 0 ****
> --- 1,365 ----
> + /*
> + * fortuna.c
> + * Fortuna-like PRNG.
> + *
> + * Copyright (c) 2005 Marko Kreen
> + * All rights reserved.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + * 1. Redistributions of source code must retain the above copyright
> + * notice, this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + * notice, this list of conditions and the following disclaimer in the
> + * documentation and/or other materials provided with the distribution.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
> + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> + * SUCH DAMAGE.
> + *
> + * $PostgreSQL$
> + */
> +
> + #include <postgres.h>
> + #include <sys/time.h>
> + #include <time.h>
> +
> + #include "rijndael.h"
> + #include "sha2.h"
> +
> + #include "fortuna.h"
> +
> +
> + /*
> + * Why Fortuna-like: There does not seem to be any definitive reference
> + * on Fortuna in the net. Instead this implementation is based on
> + * following references:
> + *
> + * http://en.wikipedia.org/wiki/Fortuna_(PRNG)
> + * - Wikipedia article
> + * http://jlcooke.ca/random/
> + * - Jean-Luc Cooke Fortuna-based /dev/random driver for Linux.
> + */
> +
> + /*
> + * There is some confusion about whether and how to carry forward
> + * the state of the pools. Seems like original Fortuna does not
> + * do it, resetting hash after each request. I guess expecting
> + * feeding to happen more often that requesting. This is absolutely
> + * unsuitable for pgcrypto, as nothing asynchronous happens here.
> + *
> + * J.L. Cooke fixed this by feeding previous hash to new re-initialized
> + * hash context.
> + *
> + * Fortuna predecessor Yarrow requires ability to query intermediate
> + * 'final result' from hash, without affecting it.
> + *
> + * This implementation uses the Yarrow method - asking intermediate
> + * results, but continuing with old state.
> + */
> +
> +
> + /*
> + * Algorithm parameters
> + */
> +
> + /*
> + * How many pools.
> + *
> + * Original Fortuna uses 32 pools, that means 32'th pool is
> + * used not earlier than in 13th year. This is a waste in
> + * pgcrypto, as we have very low-frequancy seeding. Here
> + * is preferable to have all entropy usable in reasonable time.
> + *
> + * With 23 pools, 23th pool is used after 9 days which seems
> + * more sane.
> + *
> + * In our case the minimal cycle time would be bit longer
> + * than the system-randomness feeding frequency.
> + */
> + #define NUM_POOLS 23
> +
> + /* in microseconds */
> + #define RESEED_INTERVAL 100000 /* 0.1 sec */
> +
> + /* for one big request, reseed after this many bytes */
> + #define RESEED_BYTES (1024*1024)
> +
> +
> + /*
> + * Algorithm constants
> + */
> +
> + /* max sources */
> + #define MAX_SOURCES 8
> +
> + /* Both cipher key size and hash result size */
> + #define BLOCK 32
> +
> + /* cipher block size */
> + #define CIPH_BLOCK 16
> +
> + /* for internal wrappers */
> + #define MD_CTX SHA256_CTX
> + #define CIPH_CTX rijndael_ctx
> +
> + struct fortuna_state {
> + uint8 counter[CIPH_BLOCK];
> + uint8 result[CIPH_BLOCK];
> + uint8 key[BLOCK];
> + MD_CTX pool[NUM_POOLS];
> + CIPH_CTX ciph;
> + unsigned source_pos[MAX_SOURCES];
> + unsigned reseed_count;
> + struct timeval last_reseed_time;
> + };
> + typedef struct fortuna_state FState;
> +
> +
> + /*
> + * Use our own wrappers here.
> + * - Need to get intermediate result from digest, without affecting it.
> + * - Need re-set key on a cipher context.
> + * - Algorithms are guaranteed to exist.
> + * - No memory allocations.
> + */
> +
> + static void ciph_init(CIPH_CTX *ctx, const uint8 *key, int klen)
> + {
> + rijndael_set_key(ctx, (const uint32 *)key, klen, 1);
> + }
> +
> + static void ciph_encrypt(CIPH_CTX *ctx, const uint8 *in, uint8 *out)
> + {
> + rijndael_encrypt(ctx, (const uint32 *)in, (uint32 *)out);
> + }
> +
> + static void md_init(MD_CTX *ctx)
> + {
> + SHA256_Init(ctx);
> + }
> +
> + static void md_update(MD_CTX *ctx, const uint8 *data, int len)
> + {
> + SHA256_Update(ctx, data, len);
> + }
> +
> + static void md_result(MD_CTX *ctx, uint8 *dst)
> + {
> + SHA256_CTX tmp;
> + memcpy(&tmp, ctx, sizeof(*ctx));
> + SHA256_Final(dst, &tmp);
> + memset(&tmp, 0, sizeof(tmp));
> + }
> +
> +
> + /*
> + * initialize state
> + */
> + static void init_state(FState *st)
> + {
> + int i;
> + memset(st, 0, sizeof(*st));
> + for (i = 0; i < NUM_POOLS; i++)
> + md_init(&st->pool[i]);
> + }
> +
> + /*
> + * Must not reseed more ofter than RESEED_PER_SEC
> + * times per second.
> + */
> + static int too_often(FState *st)
> + {
> + int ok;
> + struct timeval tv;
> + struct timeval *last = &st->last_reseed_time;
> +
> + gettimeofday(&tv, NULL);
> +
> + ok = 0;
> + if (tv.tv_sec != last->tv_sec)
> + ok = 1;
> + else if (tv.tv_usec - last->tv_usec >= RESEED_INTERVAL)
> + ok = 1;
> +
> + memcpy(last, &tv, sizeof(tv));
> + memset(&tv, 0, sizeof(tv));
> +
> + return ok;
> + }
> +
> + /*
> + * generate new key from all the pools
> + */
> + static void reseed(FState *st)
> + {
> + unsigned k;
> + unsigned n;
> + MD_CTX key_md;
> + uint8 buf[BLOCK];
> +
> + /* check frequency */
> + if (too_often(st))
> + return;
> +
> + /*
> + * Both #0 and #1 reseed would use only pool 0.
> + * Just skip #0 then.
> + */
> + n = ++st->reseed_count;
> +
> + /*
> + * The goal: use k-th pool only 1/(2^k) of the time.
> + */
> + md_init(&key_md);
> + for (k = 0; k < NUM_POOLS; k++) {
> + md_result(&st->pool[k], buf);
> + md_update(&key_md, buf, BLOCK);
> +
> + if (n & 1 || !n)
> + break;
> + n >>= 1;
> + }
> +
> + /* add old key into mix too */
> + md_update(&key_md, st->key, BLOCK);
> +
> + /* now we have new key */
> + md_result(&key_md, st->key);
> +
> + /* use new key */
> + ciph_init(&st->ciph, st->key, BLOCK);
> +
> + memset(&key_md, 0, sizeof(key_md));
> + memset(buf, 0, BLOCK);
> + n = k = 0;
> + }
> +
> + /*
> + * update pools
> + */
> + static void add_entropy(FState *st, unsigned src_id, const uint8 *data, unsigned len)
> + {
> + unsigned pos;
> + uint8 hash[BLOCK];
> + MD_CTX md;
> +
> + /* just in case there's a bug somewhere */
> + if (src_id >= MAX_SOURCES)
> + src_id = USER_ENTROPY;
> +
> + /* hash given data */
> + md_init(&md);
> + md_update(&md, data, len);
> + md_result(&md, hash);
> +
> + /* update pools round-robin manner */
> + pos = st->source_pos[src_id];
> + md_update( &st->pool[pos], hash, BLOCK);
> +
> + if (++pos >= NUM_POOLS)
> + pos = 0;
> + st->source_pos[src_id] = pos;
> +
> + memset(hash, 0, BLOCK);
> + memset(&md, 0, sizeof(md));
> + }
> +
> + /*
> + * Endianess does not matter.
> + * It just needs to change without repeating.
> + */
> + static void inc_counter(FState *st)
> + {
> + uint32 *val = (uint32*)st->counter;
> + if (++val[0])
> + return;
> + if (++val[1])
> + return;
> + if (++val[2])
> + return;
> + ++val[3];
> + }
> +
> + static void extract_data(FState *st, unsigned count, uint8 *dst)
> + {
> + unsigned n;
> + unsigned block_nr = 0;
> +
> + /*
> + * Every request should be with different key,
> + * if possible.
> + */
> + reseed(st);
> +
> + /*
> + * If the reseed didn't happen, don't use the old data
> + * rather encrypt again.
> + */
> +
> + while (count > 0) {
> + /* must not give out too many bytes with one key */
> + if (block_nr > (RESEED_BYTES / CIPH_BLOCK))
> + {
> + reseed(st);
> + block_nr = 0;
> + }
> +
> + /* produce bytes */
> + ciph_encrypt(&st->ciph, st->counter, st->result);
> + block_nr++;
> +
> + /* prepare for next time */
> + inc_counter(st);
> +
> + /* copy result */
> + if (count > CIPH_BLOCK)
> + n = CIPH_BLOCK;
> + else
> + n = count;
> + memcpy(dst, st->result, n);
> + dst += n;
> + count -= n;
> + }
> + }
> +
> + /*
> + * public interface
> + */
> +
> + static FState main_state;
> + static int init_done = 0;
> +
> + void fortuna_add_entropy(unsigned src_id, const uint8 *data, unsigned len)
> + {
> + if (!init_done)
> + {
> + init_state(&main_state);
> + init_done = 1;
> + }
> + if (!data || !len)
> + return;
> + add_entropy(&main_state, src_id, data, len);
> + }
> +
> + void fortuna_get_bytes(unsigned len, uint8 *dst)
> + {
> + if (!init_done)
> + {
> + init_state(&main_state);
> + init_done = 1;
> + }
> + if (!dst || !len)
> + return;
> + extract_data(&main_state, len, dst);
> + }
> +
> Index: pgsql/contrib/pgcrypto/fortuna.h
> ===================================================================
> *** /dev/null
> --- pgsql/contrib/pgcrypto/fortuna.h
> ***************
> *** 0 ****
> --- 1,45 ----
> + /*
> + * fortuna.c
> + * Fortuna PRNG.
> + *
> + * Copyright (c) 2005 Marko Kreen
> + * All rights reserved.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + * 1. Redistributions of source code must retain the above copyright
> + * notice, this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + * notice, this list of conditions and the following disclaimer in the
> + * documentation and/or other materials provided with the distribution.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
> + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> + * SUCH DAMAGE.
> + *
> + * $PostgreSQL$
> + */
> +
> + #ifndef __FORTUNA_H
> + #define __FORTUNA_H
> +
> + /*
> + * Event source ID's
> + */
> + #define SYSTEM_ENTROPY 0
> + #define USER_ENTROPY 1
> +
> + void fortuna_get_bytes(unsigned len, uint8 *dst);
> + void fortuna_add_entropy(unsigned src_id, const uint8 *data, unsigned len);
> +
> + #endif
> +
> Index: pgsql/contrib/pgcrypto/Makefile
> ===================================================================
> *** pgsql.orig/contrib/pgcrypto/Makefile
> --- pgsql/contrib/pgcrypto/Makefile
> ***************
> *** 2,25 ****
> # $PostgreSQL: pgsql/contrib/pgcrypto/Makefile,v 1.16 2005/07/05 23:18:44 tgl Exp $
> #
>
> ! # if you don't have OpenSSL, you can use libc random() or /dev/urandom
> ! INT_CFLAGS = -DRAND_SILLY
> ! #INT_CFLAGS = -DRAND_DEV=\"/dev/urandom\"
> !
> ! INT_SRCS = md5.c sha1.c sha2.c internal.c blf.c rijndael.c
> INT_TESTS = sha2
>
> - OSSL_CFLAGS = -DRAND_OPENSSL
> OSSL_SRCS = openssl.c
> OSSL_TESTS = des 3des cast5
>
> CF_SRCS = $(if $(subst no,,$(with_openssl)), $(OSSL_SRCS), $(INT_SRCS))
> CF_TESTS = $(if $(subst no,,$(with_openssl)), $(OSSL_TESTS), $(INT_TESTS))
> ! CF_CFLAGS = $(if $(subst no,,$(with_openssl)), $(OSSL_CFLAGS), $(INT_CFLAGS))
>
> PG_CPPFLAGS = $(CF_CFLAGS)
>
> ! SRCS = pgcrypto.c px.c px-hmac.c px-crypt.c misc.c random.c \
> crypt-gensalt.c crypt-blowfish.c crypt-des.c \
> crypt-md5.c $(CF_SRCS)
>
> --- 2,21 ----
> # $PostgreSQL: pgsql/contrib/pgcrypto/Makefile,v 1.16 2005/07/05 23:18:44 tgl Exp $
> #
>
> ! INT_SRCS = md5.c sha1.c sha2.c internal.c blf.c rijndael.c \
> ! fortuna.c random.c
> INT_TESTS = sha2
>
> OSSL_SRCS = openssl.c
> OSSL_TESTS = des 3des cast5
>
> CF_SRCS = $(if $(subst no,,$(with_openssl)), $(OSSL_SRCS), $(INT_SRCS))
> CF_TESTS = $(if $(subst no,,$(with_openssl)), $(OSSL_TESTS), $(INT_TESTS))
> ! CF_CFLAGS =
>
> PG_CPPFLAGS = $(CF_CFLAGS)
>
> ! SRCS = pgcrypto.c px.c px-hmac.c px-crypt.c misc.c \
> crypt-gensalt.c crypt-blowfish.c crypt-des.c \
> crypt-md5.c $(CF_SRCS)
>
> Index: pgsql/contrib/pgcrypto/internal.c
> ===================================================================
> *** pgsql.orig/contrib/pgcrypto/internal.c
> --- pgsql/contrib/pgcrypto/internal.c
> ***************
> *** 31,36 ****
> --- 31,37 ----
>
>
> #include <postgres.h>
> + #include <time.h>
>
> #include "px.h"
>
> ***************
> *** 39,44 ****
> --- 40,52 ----
> #include "sha2.h"
> #include "blf.h"
> #include "rijndael.h"
> + #include "fortuna.h"
> +
> + /*
> + * How often to try to acquire system entropy. (In seconds)
> + */
> + #define SYSTEM_RESEED_FREQ (3*60*60)
> +
>
> #ifndef MD5_DIGEST_LENGTH
> #define MD5_DIGEST_LENGTH 16
> *************** px_find_cipher(const char *name, PX_Ciph
> *** 784,786 ****
> --- 792,849 ----
> *res = c;
> return 0;
> }
> +
> + /*
> + * Randomness provider
> + */
> +
> + /*
> + * Use libc for all 'public' bytes.
> + *
> + * That way we don't expose bytes from Fortuna
> + * to the public, in case it has some bugs.
> + */
> + int
> + px_get_pseudo_random_bytes(uint8 *dst, unsigned count)
> + {
> + int i;
> +
> + for (i = 0; i < count; i++)
> + *dst++ = random();
> + return i;
> + }
> +
> + static time_t seed_time = 0;
> + static void system_reseed()
> + {
> + uint8 buf[1024];
> + int n;
> + time_t t;
> +
> + t = time(NULL);
> + if (seed_time && (t - seed_time) < SYSTEM_RESEED_FREQ)
> + return;
> +
> + n = px_acquire_system_randomness(buf);
> + if (n > 0)
> + fortuna_add_entropy(SYSTEM_ENTROPY, buf, n);
> +
> + seed_time = t;
> + }
> +
> + int
> + px_get_random_bytes(uint8 *dst, unsigned count)
> + {
> + system_reseed();
> + fortuna_get_bytes(count, dst);
> + return 0;
> + }
> +
> + int
> + px_add_entropy(const uint8 *data, unsigned count)
> + {
> + system_reseed();
> + fortuna_add_entropy(USER_ENTROPY, data, count);
> + return 0;
> + }
> +
> Index: pgsql/contrib/pgcrypto/openssl.c
> ===================================================================
> *** pgsql.orig/contrib/pgcrypto/openssl.c
> --- pgsql/contrib/pgcrypto/openssl.c
> ***************
> *** 37,42 ****
> --- 37,45 ----
> #include <openssl/blowfish.h>
> #include <openssl/cast.h>
> #include <openssl/des.h>
> + #include <openssl/rand.h>
> + #include <openssl/err.h>
> +
>
> /*
> * Does OpenSSL support AES?
> *************** px_find_cipher(const char *name, PX_Ciph
> *** 759,761 ****
> --- 762,819 ----
> *res = c;
> return 0;
> }
> +
> +
> + static int openssl_random_init = 0;
> +
> + /*
> + * OpenSSL random should re-feeded occasionally. From /dev/urandom
> + * preferably.
> + */
> + static void init_openssl_rand()
> + {
> + if (RAND_get_rand_method() == NULL)
> + RAND_set_rand_method(RAND_SSLeay());
> + openssl_random_init = 1;
> + }
> +
> + int
> + px_get_random_bytes(uint8 *dst, unsigned count)
> + {
> + int res;
> +
> + if (!openssl_random_init)
> + init_openssl_rand();
> +
> + res = RAND_bytes(dst, count);
> + if (res == 1)
> + return count;
> +
> + return PXE_OSSL_RAND_ERROR;
> + }
> +
> + int
> + px_get_pseudo_random_bytes(uint8 *dst, unsigned count)
> + {
> + int res;
> +
> + if (!openssl_random_init)
> + init_openssl_rand();
> +
> + res = RAND_pseudo_bytes(dst, count);
> + if (res == 0 || res == 1)
> + return count;
> +
> + return PXE_OSSL_RAND_ERROR;
> + }
> +
> + int
> + px_add_entropy(const uint8 *data, unsigned count)
> + {
> + /*
> + * estimate 0 bits
> + */
> + RAND_add(data, count, 0);
> + return 0;
> + }
> +
> Index: pgsql/contrib/pgcrypto/px.h
> ===================================================================
> *** pgsql.orig/contrib/pgcrypto/px.h
> --- pgsql/contrib/pgcrypto/px.h
> *************** int px_find_combo(const char *name, PX
> *** 170,175 ****
> --- 170,178 ----
>
> int px_get_random_bytes(uint8 *dst, unsigned count);
> int px_get_pseudo_random_bytes(uint8 *dst, unsigned count);
> + int px_add_entropy(const uint8 *data, unsigned count);
> +
> + unsigned px_acquire_system_randomness(uint8 *dst);
>
> const char *px_strerror(int err);
>
> Index: pgsql/contrib/pgcrypto/random.c
> ===================================================================
> *** pgsql.orig/contrib/pgcrypto/random.c
> --- pgsql/contrib/pgcrypto/random.c
> ***************
> *** 1,6 ****
> /*
> * random.c
> ! * Random functions.
> *
> * Copyright (c) 2001 Marko Kreen
> * All rights reserved.
> --- 1,6 ----
> /*
> * random.c
> ! * Acquire randomness from system. For seeding RNG.
> *
> * Copyright (c) 2001 Marko Kreen
> * All rights reserved.
> ***************
> *** 34,41 ****
>
> #include "px.h"
>
>
> ! #if defined(RAND_DEV)
>
> #include <errno.h>
> #include <fcntl.h>
> --- 34,53 ----
>
> #include "px.h"
>
> + /* how many bytes to ask from system random provider */
> + #define RND_BYTES 32
>
> ! /*
> ! * Try to read from /dev/urandom or /dev/random on these OS'es.
> ! *
> ! * The list can be pretty liberal, as the device not existing
> ! * is expected event.
> ! */
> ! #if defined(__linux__) || defined(__FreeBSD__) || defined(__OpenBSD__) \
> ! || defined(__NetBSD__) || defined(__DragonFly__) \
> ! || defined(__darwin__) || defined(__SOLARIS__)
> !
> ! #define TRY_DEV_RANDOM
>
> #include <errno.h>
> #include <fcntl.h>
> *************** safe_read(int fd, void *buf, size_t coun
> *** 64,157 ****
> return done;
> }
>
> ! int
> ! px_get_random_bytes(uint8 *dst, unsigned count)
> {
> int fd;
> int res;
>
> ! fd = open(RAND_DEV, O_RDONLY);
> if (fd == -1)
> ! return PXE_DEV_READ_ERROR;
> ! res = safe_read(fd, dst, count);
> close(fd);
> ! return res;
> }
>
> ! int
> ! px_get_pseudo_random_bytes(uint8 *dst, unsigned count)
> ! {
> ! return px_get_random_bytes(dst, count);
> ! }
>
> ! #elif defined(RAND_SILLY)
>
> ! int
> ! px_get_pseudo_random_bytes(uint8 *dst, unsigned count)
> {
> ! int i;
>
> ! for (i = 0; i < count; i++)
> ! *dst++ = random();
> ! return i;
> }
>
> ! int
> ! px_get_random_bytes(uint8 *dst, unsigned count)
> {
> ! return PXE_NO_RANDOM;
> ! }
>
> ! #elif defined(RAND_OPENSSL)
>
> ! #include <openssl/evp.h>
> ! #include <openssl/blowfish.h>
> ! #include <openssl/rand.h>
> ! #include <openssl/err.h>
>
> - static int openssl_random_init = 0;
>
> /*
> ! * OpenSSL random should re-feeded occasionally. From /dev/urandom
> ! * preferably.
> */
> ! static void init_openssl()
> ! {
> ! if (RAND_get_rand_method() == NULL)
> ! RAND_set_rand_method(RAND_SSLeay());
> ! openssl_random_init = 1;
> ! }
>
> ! int
> ! px_get_random_bytes(uint8 *dst, unsigned count)
> ! {
> ! int res;
> !
> ! if (!openssl_random_init)
> ! init_openssl();
> !
> ! res = RAND_bytes(dst, count);
> ! if (res == 1)
> ! return count;
>
> ! return PXE_OSSL_RAND_ERROR;
> ! }
>
> ! int
> ! px_get_pseudo_random_bytes(uint8 *dst, unsigned count)
> {
> ! int res;
>
> ! if (!openssl_random_init)
> ! init_openssl();
>
> ! res = RAND_pseudo_bytes(dst, count);
> ! if (res == 0 || res == 1)
> ! return count;
>
> ! return PXE_OSSL_RAND_ERROR;
> }
>
> - #else
> - #error "Invalid random source"
> #endif
> --- 76,244 ----
> return done;
> }
>
> ! static uint8 *
> ! try_dev_random(uint8 *dst)
> {
> int fd;
> int res;
>
> ! fd = open("/dev/urandom", O_RDONLY);
> if (fd == -1)
> ! {
> ! fd = open("/dev/random", O_RDONLY);
> ! if (fd == -1)
> ! return dst;
> ! }
> ! res = safe_read(fd, dst, RND_BYTES);
> close(fd);
> ! if (res > 0)
> ! dst += res;
> ! return dst;
> }
>
> ! #endif
> !
> ! /*
> ! * Try to find randomness on Windows
> ! */
> ! #ifdef WIN32
> !
> ! #define TRY_WIN32_GENRAND
> ! #define TRY_WIN32_PERFC
>
> ! #define _WIN32_WINNT 0x0400
> ! #include <windows.h>
> ! #include <wincrypt.h>
>
> ! /*
> ! * this function is from libtomcrypt
> ! *
> ! * try to use Microsoft crypto API
> ! */
> ! static uint8 * try_win32_genrand(uint8 *dst)
> {
> ! int res;
> ! HCRYPTPROV h = 0;
> !
> ! res = CryptAcquireContext(&h, NULL, MS_DEF_PROV, PROV_RSA_FULL,
> ! (CRYPT_VERIFYCONTEXT | CRYPT_MACHINE_KEYSET));
> ! if (!res)
> ! res = CryptAcquireContext(&h, NULL, MS_DEF_PROV, PROV_RSA_FULL,
> ! CRYPT_VERIFYCONTEXT | CRYPT_MACHINE_KEYSET | CRYPT_NEWKEYSET);
> ! if (!res)
> ! return dst;
> !
> ! res = CryptGenRandom(h, NUM_BYTES, dst);
> ! if (res == TRUE)
> ! dst += len;
>
> ! CryptReleaseContext(h, 0);
> ! return dst;
> }
>
> ! static uint8 * try_win32_perfc(uint8 *dst)
> {
> ! int res;
> ! LARGE_INTEGER time;
>
> ! res = QueryPerformanceCounter(&time);
> ! if (!res)
> ! return dst;
>
> ! memcpy(dst, &time, sizeof(time));
> ! return dst + sizeof(time);
> ! }
> !
> ! #endif /* WIN32 */
>
>
> /*
> ! * If we are not on Windows, then hopefully we are
> ! * on a unix-like system. Use the usual suspects
> ! * for randomness.
> */
> ! #ifndef WIN32
>
> ! #define TRY_UNIXSTD
>
> ! #include <sys/types.h>
> ! #include <sys/time.h>
> ! #include <time.h>
> ! #include <unistd.h>
>
> ! /*
> ! * Everything here is predictible, only needs some patience.
> ! *
> ! * But there is a chance that the system-specific functions
> ! * did not work. So keep faith and try to slow the attacker down.
> ! */
> ! static uint8 *
> ! try_unix_std(uint8 *dst)
> {
> ! pid_t pid;
> ! int x;
> ! PX_MD *md;
> ! struct timeval tv;
> ! int res;
> !
> ! /* process id */
> ! pid = getpid();
> ! memcpy(dst, (uint8*)&pid, sizeof(pid));
> ! dst += sizeof(pid);
> !
> ! /* time */
> ! gettimeofday(&tv, NULL);
> ! memcpy(dst, (uint8*)&tv, sizeof(tv));
> ! dst += sizeof(tv);
> !
> ! /* pointless, but should not hurt */
> ! x = random();
> ! memcpy(dst, (uint8*)&x, sizeof(x));
> ! dst += sizeof(x);
> !
> ! /* let's be desperate */
> ! res = px_find_digest("sha1", &md);
> ! if (res >= 0) {
> ! uint8 *ptr;
> ! uint8 stack[8192];
> ! int alloc = 32*1024;
> !
> ! px_md_update(md, stack, sizeof(stack));
> ! ptr = px_alloc(alloc);
> ! px_md_update(md, ptr, alloc);
> ! px_free(ptr);
>
> ! px_md_finish(md, dst);
> ! px_md_free(md);
>
> ! dst += 20;
> ! }
>
> ! return dst;
> }
>
> #endif
> +
> + /*
> + * try to extract some randomness for initial seeding
> + *
> + * dst should have room for 1024 bytes.
> + */
> + unsigned px_acquire_system_randomness(uint8 *dst)
> + {
> + uint8 *p = dst;
> + #ifdef TRY_DEV_RANDOM
> + p = try_dev_random(p);
> + #endif
> + #ifdef TRY_WIN32_GENRAND
> + p = try_win32_genrand(p);
> + #endif
> + #ifdef TRY_WIN32_PERFC
> + p = try_win32_perfc(p);
> + #endif
> + #ifdef TRY_UNIXSTD
> + p = try_unix_std(p);
> + #endif
> + return p - dst;
> + }
> +
>
> --
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: don't forget to increase your free space map settings
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073