aboutsummaryrefslogtreecommitdiffstats
path: root/src/rng
Commit message (Collapse)AuthorAgeFilesLines
* propagate from branch 'net.randombit.botan' (head ↵lloyd2010-06-178-34/+55
|\ | | | | | | | | | | 294e2082ce9231d6165276e2f2a4153a0116aca3) to branch 'net.randombit.botan.c++0x' (head 0b695fad10f924601e07b009fcd781191fafcb28)
| * Yet more Doxygen commentslloyd2010-06-166-32/+50
| |
| * More Doxygen updates/fixeslloyd2010-06-152-2/+5
| |
* | propagate from branch 'net.randombit.botan' (head ↵lloyd2010-04-282-35/+31
|\| | | | | | | | | | | a5f25a3b954f24c5d07fa0dab6c4d76f63767165) to branch 'net.randombit.botan.c++0x' (head a365694b70b4b84ca713272d56d496acca351cb5)
| * HMAC_RNG handling changes - split up reseed() and add_entropy()lloyd2010-04-272-35/+31
| | | | | | | | | | | | | | | | entirely. add_entropy() just adds the input into the extractor; if more than 1024 bytes of input have been added by the user since the last reseed, then force a reseed. Until that point, the data simply remains accumulating in the extractor, which is fast and helps ensure a large block of data is input when we finally do reseed.
| * Remove add_entropy_vec. Much cleaner way of doing this: add the entirelloyd2010-04-271-3/+0
| | | | | | | | contents of all SSL/TLS handshake messages into the PRNG input.
| * Add add_entropy_vec which calls add_entropy on the passed vector. Haslloyd2010-04-231-0/+3
| | | | | | | | | | to be named differently from add_entropy to deal with odd C++ overloading/virtual rules.
* | propagate from branch 'net.randombit.botan' (head ↵lloyd2010-04-091-1/+0
|\| | | | | | | | | | | 75d272c759511a9a99a371ddc74bd17b2c1453b6) to branch 'net.randombit.botan.c++0x' (head 2ce9ba37cb9287a3d875921240d6682100625b9f)
| * Don't delete the global RNG in AutoSeeded_RNG's destructorlloyd2010-03-231-1/+0
| |
* | propagate from branch 'net.randombit.botan' (head ↵lloyd2010-03-212-6/+5
|\ \ | |/ |/| | | | | | | 96d0a1885774b624812fd143d541c8bcda319217) to branch 'net.randombit.botan.c++0x' (head e14368ab9d7976f3e111c6bc0adf24eebeb7c114)
| * propagate from branch 'net.randombit.botan' (head ↵lloyd2010-02-142-6/+5
| |\ | | | | | | | | | | | | | | | 5bfc3e699003b86615c584f8ae40bd6e761f96c0) to branch 'net.randombit.botan.c++0x' (head 8c64a107b58d41f376bfffc69dfab4514d722c5c)
| | * propagate from branch 'net.randombit.botan' (head ↵lloyd2010-01-212-6/+5
| | |\ | | | | | | | | | | | | | | | | | | | | 12382647ef0a28fcb11c824c77b670cc88a4f721) to branch 'net.randombit.botan.c++0x' (head b586a3286d2c4d547ad3add5af9df1455bf4b87b)
| | | * propagate from branch 'net.randombit.botan' (head ↵lloyd2009-12-212-6/+5
| | | |\ | | | | | | | | | | | | | | | | | | | | | | | | | 14c1d4dc8696d2705a70ec3d2403e01d2ca95265) to branch 'net.randombit.botan.c++0x' (head c567fa7310ba082a837562092728c4b4b882bf82)
| | | | * Post-merge fixeslloyd2009-12-162-12/+2
| | | | |
| | | | * propagate from branch 'net.randombit.botan' (head ↵lloyd2009-12-168-46/+21
| | | | |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 744dccf92270cf16b80b50ee2759424c9866b256) to branch 'net.randombit.botan.c++0x' (head 2aa1acac1d05e8ea9991fe39015b1db9abc3b24e)
| | | | * \ propagate from branch 'net.randombit.botan' (head ↵lloyd2009-12-012-30/+4
| | | | |\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | b3515264af291b4785d3d296e2cc0e877ca7816a) to branch 'net.randombit.botan.c++0x' (head 66ca78008f08bb5efc2eca52a3d4501f02ffd736)
| | | | * \ \ propagate from branch 'net.randombit.botan' (head ↵lloyd2009-11-173-7/+7
| | | | |\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | cfb19182987fc95b2a8885584a38edb10b4709b3) to branch 'net.randombit.botan.c++0x' (head 1570877c463fed4b632bc49a5b5ee27c57de2cb5)
| | | | * | | | Use auto for long iterator names, etc.lloyd2009-11-162-6/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It will be nice to convert to the range-based for loop once that's available.
| | | | * | | | propagate from branch 'net.randombit.botan' (head ↵lloyd2009-11-022-3/+4
| | | | |\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 2773c2310e8c0a51975987a2dd6c5824c8d43882) to branch 'net.randombit.botan.c++0x' (head f13cf5d7e89706c882604299b508f356c20aae3a)
| | | | | * | | | Attic-ize all of src/timer, except for time_t_to_tm and system_timelloyd2009-10-131-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (which will go later) which will live in the new time.h
| | | | | * | | | propagate from branch 'net.randombit.botan' (head ↵lloyd2009-10-131-2/+4
| | | | | |\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 139d6957d20f0b1202e0eacc63cb011588faffde) to branch 'net.randombit.botan.c++0x' (head c16676fa6c393bc3f46a044755ce525a013380a6)
| | | | | | * | | | Change call to system_time to use std::chronolloyd2009-09-301-2/+4
| | | | | | | | | |
* | | | | | | | | | In add_entropy(), additionally poll for 64 bits of system entropylloyd2010-03-191-15/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | to mix in with the user input. Check that the prf and extractor are compatible. For the initial PRF key, use all zeros of the appropriate size, and for the initial XTS key, use PRF("Botan HMAC_RNG XTS"). This ensures that only the one fixed key size is ever used with either the prf or extractor objects, allowing you to use, say HMAC(SHA-256)+CMAC(AES-256), or even CMAC(AES-128)+CMAC(AES-128) as the PRFs in the RNG.
* | | | | | | | | | There are some nasty API problems that are caused by having to pass alloyd2010-03-193-151/+10
|/ / / / / / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | PRNG everywhere. The removal of the global PRNG was generated by a desire to remove the global library state entirely. However the real point of this was to remove the use of globally visible _mutable_ state; of the mutable state, the PRNG is probably the least important, and the most useful to share. And it seems unlikely that thread contention would be a major issue in the PRNG. Add back a global PRNG to Library_State. Use lazy initialization, so apps that don't ever use a PRNG don't need a seeding step. Then have AutoSeeded_RNG call that global PRNG. Offer once again RandomNumberGenerator& Library_State::global_rng(); which returns a reference to the global PRNG. This RNG object serializes access to itself with a mutex. Remove the hack known as Blinding::choose_nonce, replace with using the global PRNG to choose a blinding nonce
* / / / / / / / / Move the get_byte template to its own header, because many fileslloyd2010-02-022-2/+2
|/ / / / / / / / | | | | | | | | | | | | | | | | | | | | | | | | including loadstor.h actually just needed get_byte and nothing else.
* / / / / / / / Use Algorithm_Factory instead of instantiating directly; will allow the uselloyd2010-01-071-10/+14
|/ / / / / / / | | | | | | | | | | | | | | | | | | | | | of AES-NI instructions, etc, in the PRNGs.
* | | | | | / Un-internal loadstor.h (and its header deps, rotate.h andlloyd2009-12-212-2/+2
| |_|_|_|_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | bswap.h); too many external apps rely on loadstor.h existing. Define 64-bit generic bswap in terms of 32-bit bswap, since it's not much slower if 32-bit is also generic, and much faster if it's not. This may be quite helpful on 32-bit x86 in particular. Change formulation of generic 32-bit bswap. It may be faster or slower depending on the CPU, especially the latency and throuput of rotate instructions, but should be faster on an ideally superscalar processor with rotate instructions (ie, what I expect future CPUs to look more like).
* | | | | | Make many more headers internal-only.lloyd2009-12-163-7/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes for the amalgamation generator for internal headers. Remove BOTAN_DLL exporting macros from all internal-only headers; the classes/functions there don't need to be exported, and avoiding the PIC/GOT indirection can be a big win. Add missing BOTAN_DLLs where necessary, mostly gfpmath and cvc For GCC, use -fvisibility=hidden and set BOTAN_DLL to the visibility __attribute__ to export those classes/functions.
* | | | | | Full working amalgamation build, plus internal-only headers concept.lloyd2009-12-166-45/+10
| |_|_|_|/ |/| | | |
* | | | | Consolidate the non-canonical epoch timers, like cpuid and Win32'slloyd2009-12-013-30/+4
| |_|_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | QueryPerformanceCounter, into an entropy source hres_timer. Its results, if any, do not count as contributing entropy to the poll. Convert the other (monotonic/fixed epoch) timers to a single function get_nanoseconds_clock(), living in time.h, which statically chooses the 'best' timer type (clock_gettime, gettimeofday, std::clock, in that order depending on what is available). Add feature test macros for clock_gettime and gettimeofday. Remove the Timer class and timer.h. Remove the Timer& argument to the algorithm benchmark function.
* | | | Rename/remove some secmem member variables for better matching with STLlloyd2009-11-173-7/+7
|/ / / | | | | | | | | | | | | | | | | | | | | | containers (specifically vector). Rename is_empty to empty Remove has_items Rename create to resize
* | | Remove the 'realname' attribute on all modules and cc/cpu/os info files.lloyd2009-10-295-10/+0
| | | | | | | | | | | | | | | Pretty much useless and unused, except for listing the module names in build.h and the short versions totally suffice for that.
* | | Remove all exception specifications. The way these are designed in C++ islloyd2009-10-228-9/+9
|/ / | | | | | | | | | | just too fragile and not that useful. Something like Java's checked exceptions might be nice, but simply killing the process entirely if an unexpected exception is thrown is not exactly useful for something trying to be robust.
* | propagate from branch 'net.randombit.botan.1_8' (head ↵lloyd2009-10-133-3/+2
|\| | | | | | | | | | | c5ae189464f6ef16e3ce73ea7c563412460d76a3) to branch 'net.randombit.botan' (head e2b95b6ad31c7539cf9ac0ebddb1d80bf63b5b21)
| * Split up util.h into 3 fileslloyd2009-09-172-2/+1
| | | | | | | | | | | | | | - rounding.h (round_up, round_down) - workfactor.h (dl_work_factor) - timer.h (system_time) And update all users of the previous util.h
| * Throw Internal_Error instead of Algorithm_Not_Found if no usable RNGlloyd2009-09-081-1/+1
| | | | | | | | is enabled in the build.
* | Don't make auto_rng require AES; using it is optional as long as HMAC_RNGlloyd2009-10-132-4/+6
|/ | | | is being used and not Randpool.
* Add a script that reads the output of print_deps.py and rewriteslloyd2009-07-155-7/+20
| | | | | | the info.txt files with the right module dependencies. Apply it across the codebase.
* Improve handling of low-entropy situations in HMAC_RNG and Randpool.lloyd2009-06-212-8/+14
| | | | | | | | | | | When a reseed is attempted, up to poll_bits attempts will be made, running in order through the set of available sources. So for instance if poll_bits is set to the default 256, then up to 256 polls will be performed (some of which might not provide any entropy, of course) before stopping; of course if the accumulators goal is achived before that point, then the polling stops. This should greatly help to resolve the recent rash of PRNG unseeded problems some people have been having.
* Change the order of preference for /dev/*random polling tolloyd2009-06-091-1/+1
| | | | | | /dev/urandom /dev/random /dev/srandom (OpenBSD-specific)
* Many source files included bit_ops.h when what was really desired waslloyd2009-05-131-1/+0
| | | | | rotate.h, or when it was not needed at all. Remove or change the includes as needed.
* Make AutoSeeded_RNG::reseed's parameter default to 256 for compatabilitylloyd2009-04-161-1/+1
| | | | | with the version in earlier releases. Rickard Bondesson pointed out that this was a problem on the mailing list.
* Thomas Moschny passed along a request from the Fedora packagers which camelloyd2009-03-3010-26/+46
| | | | | | | | | | | | | | | up during the Fedora submission review, that each source file include some text about the license. One handy Perl script later and each file now has the line Distributed under the terms of the Botan license after the copyright notices. While I was in there modifying every file anyway, I also stripped out the remainder of the block comments (lots of astericks before and after the text); this is stylistic thing I picked up when I was first learning C++ but in retrospect it is not a good style as the structure makes it harder to modify comments (with the result that comments become fewer, shorter and are less likely to be updated, which are not good things).
* Remove the notion of counting entropy bits in HMAC_RNG or Randpool.lloyd2009-01-314-35/+14
| | | | | | | | | Instead simply consider the PRNG seeded if a poll kicked off from reseed met its goal, or if the user adds data. Doing anything else prevents creating (for instance) a PRNG seeded with 64 bits of entropy, which is unsafe for some purposes (key generation) but quite possibly safe enough for others (generating salts and such).
* Make Entropy_Accumulator a pure virtual to allow other accumulationlloyd2009-01-312-2/+2
| | | | | techniques, with the one using BufferedComputation being the new subclass with the charming name Entropy_Accumulator_BufferedComputation.
* In the X9.31 PRNG, move the code that rekeys the cipher and generates V tolloyd2009-01-312-44/+53
| | | | | | | | a new member function rekey, calling it from both reseed and add_entropy. Previously add_entropy worked without this because the PRNG would reseed itself automatically if it was not at the point when randomize() was called, but once this was removed it was necessary to ensure a rekey kicked off, if appropriate, when calling add_entropy.
* Have Entropy_Accumulator dump everything into a BufferedComputation.lloyd2009-01-272-5/+3
| | | | | | | | | | | | Since both Randpool and HMAC_RNG fed the input into a MAC anyway, this works nicely. (It would be nicer to use tr1::function but, argh, don't want to fully depend on TR1 quite yet. C++0x cannot come soon enough). This avoids requiring to do run length encoding, it just dumps everything as-is into the MAC. This ensures the buffer is not a potential narrow pipe for the entropy (for instance, one might imagine an entropy source which outputs one random byte every 16 bytes, and the rest some repeating pattern - using a 16 byte buffer, you would only get 8 bits of entropy total, no matter how many times you sampled).
* Major change in RNG semantics: you must call reseed before callinglloyd2009-01-273-20/+4
| | | | randomize, or PRNG_Unseeded will be thrown.
* Check in a branch with a major redesign on how entropy polling is performed.lloyd2009-01-279-238/+159
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Combine the fast and slow polls, into a single poll() operation. Instead of being given a buffer to write output into, the EntropySource is passed an Entropy_Accumulator. This handles the RLE encoding that xor_into_buf used to do. It also contains a cached I/O buffer so entropy sources do not individually need to allocate memory for that with each poll. When data is added to the accumulator, the source specifies an estimate of the number of bits of entropy per byte, as a double. This is tracked in the accumulator. Once the estimated entropy hits a target (set by the constructor), the accumulator's member function predicate polling_goal_achieved flips to true. This signals to the PRNG that it can stop performing polling on sources, also polls that take a long time periodically check this flag and return immediately. The Win32 and BeOS entropy sources have been updated, but blindly; testing is needed. The test_es example program has been modified: now it polls twice and outputs the XOR of the two collected results. That helps show if the output is consistent across polls (not a good thing). I have noticed on the Unix entropy source, occasionally there are many 0x00 bytes in the output, which is not optimal. This also needs to be investigated. The RLE is not actually RLE anymore. It works well for non-random inputs (ASCII text, etc), but I noticed that when /dev/random output was fed into it, the output buffer would end up being RR01RR01RR01 where RR is a random byte and 00 is the byte count. The buffer sizing also needs to be examined carefully. It might be useful to choose a prime number for the size to XOR stuff into, to help ensure an even distribution of entropy across the entire buffer space. Or: feed it all into a hash function? This change should (perhaps with further modifications) help WRT the concerns Zack W raised about the RNG on the monotone-dev list.
* Reduce size of I/O buffer in HMAC_RNG from 128 to 96 bytes. Unlikely that anylloyd2008-11-231-1/+1
| | | | | entropy source will realistically be able to provide even 768 bits of entropy, so this is probably overkill even still.