authorlloyd <[email protected]>2012-02-15 16:53:08 +0000
committerlloyd <[email protected]>2012-02-15 16:53:08 +0000
commit718d9503e3bad05fa58d61af11784976a495e21a (patch)
tree8724b0002fc444ea5e6d9703656cd827052abc67 /src/rng
parent88626b546863966ba6cf100d68fb9d73bc2a9fb9 (diff)
Force a reseed in HMAC_RNG after 20 bytes have been added, rather than
waiting for a full kilobyte. This is for the benefit of DSA/ECDSA which want a call to add_entropy to update the state in some way, passing just a hash input which might be as small as 20 bytes.
Diffstat (limited to 'src/rng')
-rw-r--r--src/rng/hmac_rng/hmac_rng.cpp17
1 files changed, 12 insertions, 5 deletions
diff --git a/src/rng/hmac_rng/hmac_rng.cpp b/src/rng/hmac_rng/hmac_rng.cpp
index 7912e58af..55503382a 100644
--- a/src/rng/hmac_rng/hmac_rng.cpp
+++ b/src/rng/hmac_rng/hmac_rng.cpp
@@ -110,7 +110,11 @@ void HMAC_RNG::reseed(size_t poll_bits)
counter = 0;
user_input_len = 0;
- if(accum.bits_collected() >= 128)
+ /*
+ Consider ourselves seeded once we've collected an estimated 128 bits of
+ entropy in a single poll.
+ */
+ if(seeded == false && accum.bits_collected() >= 128)
seeded = true;
}
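Review bot: The added `seeded == false` guard is redundant — assigning `true` to a flag that is already `true` changes nothing — and the `== false` spelling is a style nit; `if(!seeded && accum.bits_collected() >= 128)` or the original condition reads cleaner. What the guard does make visible is that `seeded` is sticky: nothing in this hunk ever clears it, so a later reseed poll that collects fewer than 128 estimated bits still leaves the generator reporting itself seeded, and the new comment should say so, e.g. `Once set, seeded is never cleared; later polls only add to the pool.` The body of reseed starts outside the hunk, so whether `accum` is reset per poll (as "in a single poll" implies) cannot be confirmed from here.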
@@ -119,15 +123,18 @@ void HMAC_RNG::reseed(size_t poll_bits)
*/
void HMAC_RNG::add_entropy(const byte input[], size_t length)
{
+ const size_t USER_ENTROPY_WATERSHED = 20;
+
extractor->update(input, length);
user_input_len += length;
/*
- * After we've accumulated >= 1024 bytes of user input, reseed.
- * This input will automatically have been included if reseed was
- * called already, as it's just included in the extractor input.
+ * After we've accumulated at least USER_ENTROPY_WATERSHED bytes of
+ * user input, reseed. This input will automatically have been
+ * included if reseed was called already, as it's just included in
+ * the extractor input.
*/
- if(user_input_len >= 1024)
+ if(user_input_len >= USER_ENTROPY_WATERSHED)
reseed(128);
}
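Review bot: Since reseed() resets `user_input_len` to 0 (visible in the first hunk) and the watershed is now 20 bytes, every add_entropy call carrying 20 or more bytes triggers a full `reseed(128)` poll of the entropy sources; a caller that adds entropy in a loop — the DSA/ECDSA use named in the description, if it does so per operation — pays that poll cost on each call, which the comment should state, e.g. `* Note: reseed() resets user_input_len, so any call adding >= 20 bytes polls the sources again.` Style: `USER_ENTROPY_WATERSHED` is a policy constant of the class rather than of this function, so a `static const` at class or namespace scope, next to the 128-bit threshold used in reseed, would keep both tunables in one place. The `128` passed to reseed is a second magic number that would benefit from the same naming.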