aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorlloyd <[email protected]>2010-03-19 18:49:38 +0000
committerlloyd <[email protected]>2010-03-19 18:49:38 +0000
commit8b0d3575e794073f6e6658544d8167e399762ce0 (patch)
tree82ecf55f0d4efb083ef7cb66d6ea1afc4795b929 /src
parent7ac5dc634e2448392b298376936d3f57abc9c40b (diff)
In add_entropy(), additionally poll for 64 bits of system entropy
to mix in with the user input. Check that the prf and extractor are compatible. For the initial PRF key, use all zeros of the appropriate size, and for the initial XTS key, use PRF("Botan HMAC_RNG XTS"). This ensures that only the one fixed key size is ever used with either the prf or extractor objects, allowing you to use, say HMAC(SHA-256)+CMAC(AES-256), or even CMAC(AES-128)+CMAC(AES-128) as the PRFs in the RNG.
Diffstat (limited to 'src')
-rw-r--r--src/rng/hmac_rng/hmac_rng.cpp35
1 files changed, 20 insertions, 15 deletions
diff --git a/src/rng/hmac_rng/hmac_rng.cpp b/src/rng/hmac_rng/hmac_rng.cpp
index 84a7b1c13..51d10f641 100644
--- a/src/rng/hmac_rng/hmac_rng.cpp
+++ b/src/rng/hmac_rng/hmac_rng.cpp
@@ -115,7 +115,7 @@ void HMAC_RNG::reseed_with_input(u32bit poll_bits,
K.clear();
counter = 0;
- if(input_length || accum.bits_collected() >= poll_bits)
+ if(input_length > 64 || accum.bits_collected() >= 128)
seeded = true;
}
@@ -133,7 +133,7 @@ void HMAC_RNG::reseed(u32bit poll_bits)
*/
void HMAC_RNG::add_entropy(const byte input[], u32bit length)
{
- reseed_with_input(0, input, length);
+ reseed_with_input(64, input, length);
}
/**
@@ -171,6 +171,12 @@ HMAC_RNG::HMAC_RNG(MessageAuthenticationCode* extractor_mac,
MessageAuthenticationCode* prf_mac) :
extractor(extractor_mac), prf(prf_mac)
{
+ if(!prf->valid_keylength(extractor->OUTPUT_LENGTH) ||
+ !extractor->valid_keylength(prf->OUTPUT_LENGTH))
+ throw Invalid_Argument("HMAC_RNG: Bad algo combination " +
+ extractor->name() + " and " +
+ prf->name());
+
// First PRF inputs are all zero, as specified in section 2
K.resize(prf->OUTPUT_LENGTH);
counter = 0;
@@ -183,26 +189,25 @@ HMAC_RNG::HMAC_RNG(MessageAuthenticationCode* extractor_mac,
We will want to use the PRF before we set the first key (in
reseed_with_input), and it is a pain to keep track if it is set or
- not. Since the first time it doesn't matter anyway, just set it to
- a constant: randomize() will not produce output unless is_seeded()
- returns true, and that will only be the case if the estimated
- entropy counter is high enough. That variable is only set when a
- reseeding is performed.
+ not. Since the first time it doesn't matter anyway, just set the
+ PRF key to constant zero: randomize() will not produce output
+ unless is_seeded() returns true, and that will only be the case if
+ the estimated entropy counter is high enough. That variable is only
+ set when a reseeding is performed.
*/
- std::string prf_key = "Botan HMAC_RNG PRF";
- prf->set_key(reinterpret_cast<const byte*>(prf_key.c_str()),
- prf_key.length());
+ MemoryVector<byte> prf_key(extractor->OUTPUT_LENGTH);
+ prf->set_key(prf_key);
/*
- This will be used as the first XTS value when extracting input.
- XTS values after this one are generated using the PRF.
+ Use PRF("Botan HMAC_RNG XTS") as the intitial XTS key.
+
+ This will be used during the first extraction sequence; XTS values
+ after this one are generated using the PRF.
If I understand the E-t-E paper correctly (specifically Section 4),
using this fixed extractor key is safe to do.
*/
- std::string xts = "Botan HMAC_RNG XTS";
- extractor->set_key(reinterpret_cast<const byte*>(xts.c_str()),
- xts.length());
+ extractor->set_key(prf->process("Botan HMAC_RNG XTS"));
}
/**