path: root/src/rng/hmac_rng
Commit log (each entry: commit message, then [author, age, files changed, lines -removed/+added])

* Shuffle things around. Add NIST X.509 test to build.
  [lloyd, 2014-01-01, 3 files, -267/+0]

* Give everything setting a feature test macro in build.h a version code so application code can check for the specific API it expects without having to keep track of what versions APIs x,y,z changed. Arbitrarily set all current API versions to 20131128.
  [lloyd, 2013-11-28, 1 file, -1/+1]

* Move RNG reseed controls to build.h
  [lloyd, 2013-11-09, 1 file, -9/+9]

* In HMAC_RNG record number of bytes since last poll and reseed based on that rather than the counter.
  [lloyd, 2013-11-09, 2 files, -17/+26]

* Include a timestamp as part of the HMAC_RNG PRF inputs
  [lloyd, 2013-11-09, 1 file, -0/+6]

* Previously, AutoRNG was just a reference to the global rng, which can cause a huge amount of lock contention in heavily multithreaded code. Now each AutoRNG is its own uniquely seeded HMAC_RNG. The set of entropy sources is shared rather than being per-RNG (so there is only one open fd to /dev/random, etc). So reseeding is still a global lock, but sharing the resources (open file descriptors, etc) across RNGs seems worth the contention. Remove Randpool, which was only used if HMAC_RNG was disabled at build.
  [lloyd, 2013-11-08, 2 files, -134/+98]

* Some changes to HMAC_RNG:
  - Only give out half of K in each iteration. This prevents an attacker who recovers the PRF key and knows some RNG outputs from being able to determine other RNG outputs.
  - Don't reset the counter on a reseed, and every 1024 outputs (16 Kbytes with default PRF) initiate a poll.
  - Don't ever reseed when called with add_entropy, just give it to the extractor, as we know that eventually we'll reseed at which time that input will be incorporated.
  [lloyd, 2012-07-18, 2 files, -23/+13]

* Fairly huge update that replaces the old secmem types with std::vector using a custom allocator. Currently our allocator just does new/delete with a memset before deletion, and the mmap and mlock allocators have been removed.
  [lloyd, 2012-05-18, 2 files, -3/+3]

* propagate from branch 'net.randombit.botan' (head 6332543aa5a8a4cc13662008ff9ac0f0016d9a4d) to branch 'net.randombit.botan.cxx11' (head 5517c9f8f6d1990f269afb94f569a97a80c5a5f4)
  [lloyd, 2012-05-18, 1 file, -2/+2]

* Partially roll back b2aef16225863cef27cdee4b91703966b3ed1458, it caused huge performance issues with DSA/ECDSA signing performance.
  [lloyd, 2012-04-28, 1 file, -2/+2]

* propagate from branch 'net.randombit.botan' (head c247a55e7c0bcd239fcfc672139b59ef63d7ee84) to branch 'net.randombit.botan.cxx11' (head 16d7756c6b8933d0d543ebdda9c7e8f4908a4a33)
  [lloyd, 2012-02-20, 1 file, -6/+14]

* Avoid blocking more than 100 ms in the random device reader. Scale up how much we ask for on the basis of how many bits we're counting each byte as contributing. Change /dev/*random estimate to 7 bits per byte. Small cleanup in HMAC_RNG.
  [lloyd, 2012-02-20, 1 file, -1/+2]

* Force a reseed in HMAC_RNG after 20 bytes have been added, rather than waiting for a full kilobyte. This is for the benefit of DSA/ECDSA which want a call to add_entropy to update the state in some way, passing just a hash input which might be as small as 20 bytes.
  [lloyd, 2012-02-15, 1 file, -5/+12]

* Add string_join; inverse of split_on.
  Use auto in a few more places.
  Use GCC 4.6's range-for.
  Delete rather than hide Algorithm copy constructor/assignment.
  Move version to more or less randomly chosen 1.99 so there is no ambiguity about versions.
  [lloyd, 2011-06-17, 1 file, -2/+2]

* propagate from branch 'net.randombit.botan' (head 2898d79f992f27a328a3e41d34b46eb1052da0de) to branch 'net.randombit.botan.c++0x' (head 6cba76268fd69a73195760c021b7f881b8a6552c)
  [lloyd, 2010-10-13, 1 file, -3/+2]

* propagate from branch 'net.randombit.botan' (head 294e2082ce9231d6165276e2f2a4153a0116aca3) to branch 'net.randombit.botan.c++0x' (head 0b695fad10f924601e07b009fcd781191fafcb28)
  [lloyd, 2010-06-17, 2 files, -8/+12]

* propagate from branch 'net.randombit.botan' (head a5f25a3b954f24c5d07fa0dab6c4d76f63767165) to branch 'net.randombit.botan.c++0x' (head a365694b70b4b84ca713272d56d496acca351cb5)
  [lloyd, 2010-04-28, 2 files, -35/+31]

* propagate from branch 'net.randombit.botan' (head 96d0a1885774b624812fd143d541c8bcda319217) to branch 'net.randombit.botan.c++0x' (head e14368ab9d7976f3e111c6bc0adf24eebeb7c114)
  [lloyd, 2010-03-21, 1 file, -3/+2]

* propagate from branch 'net.randombit.botan' (head 5bfc3e699003b86615c584f8ae40bd6e761f96c0) to branch 'net.randombit.botan.c++0x' (head 8c64a107b58d41f376bfffc69dfab4514d722c5c)
  [lloyd, 2010-02-14, 1 file, -3/+2]

* propagate from branch 'net.randombit.botan' (head 14c1d4dc8696d2705a70ec3d2403e01d2ca95265) to branch 'net.randombit.botan.c++0x' (head c567fa7310ba082a837562092728c4b4b882bf82)
  [lloyd, 2009-12-21, 1 file, -3/+2]

* Post-merge fixes
  [lloyd, 2009-12-16, 1 file, -10/+0]

* propagate from branch 'net.randombit.botan' (head 744dccf92270cf16b80b50ee2759424c9866b256) to branch 'net.randombit.botan.c++0x' (head 2aa1acac1d05e8ea9991fe39015b1db9abc3b24e)
  [lloyd, 2009-12-16, 2 files, -7/+10]

* propagate from branch 'net.randombit.botan' (head cfb19182987fc95b2a8885584a38edb10b4709b3) to branch 'net.randombit.botan.c++0x' (head 1570877c463fed4b632bc49a5b5ee27c57de2cb5)
  [lloyd, 2009-11-17, 1 file, -1/+1]

* Use auto for long iterator names, etc. It will be nice to convert to the range-based for loop once that's available.
  [lloyd, 2009-11-16, 1 file, -3/+2]

* Use output_length() instead of OUTPUT_LENGTH pseudo-property
  [lloyd, 2010-10-13, 1 file, -4/+4]

* Use size_t instead of u32bit in entropy and rng
  [lloyd, 2010-10-12, 2 files, -11/+11]

* More changes to avoid vector to pointer implicit conversions
  [lloyd, 2010-09-14, 1 file, -3/+3]

* Handle the case that container size() returns something other than u32bit
  [lloyd, 2010-09-14, 1 file, -1/+1]

* Anywhere where we use MemoryRegion::begin to get access to the raw pointer representation (rather than in an iterator context), instead use &buf[0], which works for both MemoryRegion and std::vector
  [lloyd, 2010-09-13, 1 file, -1/+1]

* Big, invasive but mostly automated change, with a further attempt at harmonising MemoryRegion with std::vector: The MemoryRegion::clear() function would zeroise the buffer, but keep the memory allocated and the size unchanged. This is very different from STL's clear(), which is basically the equivalent to what is called destroy() in MemoryRegion. So to be able to replace MemoryRegion with a std::vector, we have to rename destroy() to clear() and we have to expose the current functionality of clear() in some other way, since vector doesn't support this operation. Do so by adding a global function named zeroise() which takes a MemoryRegion which is zeroed. Remove clear() to ensure all callers are updated.
  [lloyd, 2010-09-07, 1 file, -2/+2]

* Yet more Doxygen comments
  [lloyd, 2010-06-16, 2 files, -8/+12]

* HMAC_RNG handling changes - split up reseed() and add_entropy() entirely. add_entropy() just adds the input into the extractor; if more than 1024 bytes of input have been added by the user since the last reseed, then force a reseed. Until that point, the data simply remains accumulating in the extractor, which is fast and helps ensure a large block of data is input when we finally do reseed.
  [lloyd, 2010-04-27, 2 files, -35/+31]

* In add_entropy(), additionally poll for 64 bits of system entropy to mix in with the user input. Check that the prf and extractor are compatible. For the initial PRF key, use all zeros of the appropriate size, and for the initial XTS key, use PRF("Botan HMAC_RNG XTS"). This ensures that only the one fixed key size is ever used with either the prf or extractor objects, allowing you to use, say HMAC(SHA-256)+CMAC(AES-256), or even CMAC(AES-128)+CMAC(AES-128) as the PRFs in the RNG.
  [lloyd, 2010-03-19, 1 file, -15/+20]

* Move the get_byte template to its own header, because many files including loadstor.h actually just needed get_byte and nothing else.
  [lloyd, 2010-02-02, 1 file, -1/+1]

* Un-internal loadstor.h (and its header deps, rotate.h and bswap.h); too many external apps rely on loadstor.h existing. Define 64-bit generic bswap in terms of 32-bit bswap, since it's not much slower if 32-bit is also generic, and much faster if it's not. This may be quite helpful on 32-bit x86 in particular. Change formulation of generic 32-bit bswap. It may be faster or slower depending on the CPU, especially the latency and throughput of rotate instructions, but should be faster on an ideally superscalar processor with rotate instructions (ie, what I expect future CPUs to look more like).
  [lloyd, 2009-12-21, 1 file, -1/+1]

* Make many more headers internal-only.
  Fixes for the amalgamation generator for internal headers.
  Remove BOTAN_DLL exporting macros from all internal-only headers; the classes/functions there don't need to be exported, and avoiding the PIC/GOT indirection can be a big win. Add missing BOTAN_DLLs where necessary, mostly gfpmath and cvc.
  For GCC, use -fvisibility=hidden and set BOTAN_DLL to the visibility __attribute__ to export those classes/functions.
  [lloyd, 2009-12-16, 1 file, -3/+3]

* Full working amalgamation build, plus internal-only headers concept.
  [lloyd, 2009-12-16, 1 file, -7/+0]

* Rename/remove some secmem member variables for better matching with STL containers (specifically vector).
  - Rename is_empty to empty
  - Remove has_items
  - Rename create to resize
  [lloyd, 2009-11-17, 1 file, -1/+1]

* Remove the 'realname' attribute on all modules and cc/cpu/os info files. Pretty much useless and unused, except for listing the module names in build.h and the short versions totally suffice for that.
  [lloyd, 2009-10-29, 1 file, -2/+0]

* Remove all exception specifications. The way these are designed in C++ is just too fragile and not that useful. Something like Java's checked exceptions might be nice, but simply killing the process entirely if an unexpected exception is thrown is not exactly useful for something trying to be robust.
  [lloyd, 2009-10-22, 2 files, -2/+2]

* Split up util.h into 3 files
  - rounding.h (round_up, round_down)
  - workfactor.h (dl_work_factor)
  - timer.h (system_time)
  And update all users of the previous util.h
  [lloyd, 2009-09-17, 1 file, -1/+0]

* Add a script that reads the output of print_deps.py and rewrites the info.txt files with the right module dependencies. Apply it across the codebase.
  [lloyd, 2009-07-15, 1 file, -0/+4]

* Improve handling of low-entropy situations in HMAC_RNG and Randpool. When a reseed is attempted, up to poll_bits attempts will be made, running in order through the set of available sources. So for instance if poll_bits is set to the default 256, then up to 256 polls will be performed (some of which might not provide any entropy, of course) before stopping; of course if the accumulator's goal is achieved before that point, then the polling stops. This should greatly help to resolve the recent rash of PRNG unseeded problems some people have been having.
  [lloyd, 2009-06-21, 1 file, -4/+7]

* Many source files included bit_ops.h when what was really desired was rotate.h, or when it was not needed at all. Remove or change the includes as needed.
  [lloyd, 2009-05-13, 1 file, -1/+0]

* Thomas Moschny passed along a request from the Fedora packagers which came up during the Fedora submission review, that each source file include some text about the license. One handy Perl script later and each file now has the line "Distributed under the terms of the Botan license" after the copyright notices. While I was in there modifying every file anyway, I also stripped out the remainder of the block comments (lots of asterisks before and after the text); this is a stylistic thing I picked up when I was first learning C++ but in retrospect it is not a good style as the structure makes it harder to modify comments (with the result that comments become fewer, shorter and are less likely to be updated, which are not good things).
  [lloyd, 2009-03-30, 2 files, -0/+4]

* Remove the notion of counting entropy bits in HMAC_RNG or Randpool. Instead simply consider the PRNG seeded if a poll kicked off from reseed met its goal, or if the user adds data. Doing anything else prevents creating (for instance) a PRNG seeded with 64 bits of entropy, which is unsafe for some purposes (key generation) but quite possibly safe enough for others (generating salts and such).
  [lloyd, 2009-01-31, 2 files, -17/+6]

* Make Entropy_Accumulator a pure virtual to allow other accumulation techniques, with the one using BufferedComputation being the new subclass with the charming name Entropy_Accumulator_BufferedComputation.
  [lloyd, 2009-01-31, 1 file, -1/+1]

* Have Entropy_Accumulator dump everything into a BufferedComputation. Since both Randpool and HMAC_RNG fed the input into a MAC anyway, this works nicely. (It would be nicer to use tr1::function but, argh, don't want to fully depend on TR1 quite yet. C++0x cannot come soon enough). This avoids requiring run length encoding; it just dumps everything as-is into the MAC. This ensures the buffer is not a potential narrow pipe for the entropy (for instance, one might imagine an entropy source which outputs one random byte every 16 bytes, and the rest some repeating pattern - using a 16 byte buffer, you would only get 8 bits of entropy total, no matter how many times you sampled).
  [lloyd, 2009-01-27, 1 file, -3/+1]

* Major change in RNG semantics: you must call reseed before calling randomize, or PRNG_Unseeded will be thrown.
  [lloyd, 2009-01-27, 1 file, -13/+2]

* Check in a branch with a major redesign on how entropy polling is performed.
  Combine the fast and slow polls into a single poll() operation. Instead of being given a buffer to write output into, the EntropySource is passed an Entropy_Accumulator. This handles the RLE encoding that xor_into_buf used to do. It also contains a cached I/O buffer so entropy sources do not individually need to allocate memory for that with each poll.
  When data is added to the accumulator, the source specifies an estimate of the number of bits of entropy per byte, as a double. This is tracked in the accumulator. Once the estimated entropy hits a target (set by the constructor), the accumulator's member function predicate polling_goal_achieved flips to true. This signals to the PRNG that it can stop performing polling on sources; also, polls that take a long time periodically check this flag and return immediately.
  The Win32 and BeOS entropy sources have been updated, but blindly; testing is needed.
  The test_es example program has been modified: now it polls twice and outputs the XOR of the two collected results. That helps show if the output is consistent across polls (not a good thing). I have noticed on the Unix entropy source, occasionally there are many 0x00 bytes in the output, which is not optimal. This also needs to be investigated.
  The RLE is not actually RLE anymore. It works well for non-random inputs (ASCII text, etc), but I noticed that when /dev/random output was fed into it, the output buffer would end up being RR01RR01RR01 where RR is a random byte and 00 is the byte count. The buffer sizing also needs to be examined carefully. It might be useful to choose a prime number for the size to XOR stuff into, to help ensure an even distribution of entropy across the entire buffer space. Or: feed it all into a hash function?
  This change should (perhaps with further modifications) help WRT the concerns Zack W raised about the RNG on the monotone-dev list.
  [lloyd, 2009-01-27, 2 files, -120/+71]