1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
|
/*
* HMAC_RNG
* (C) 2008-2009 Jack Lloyd
*
* Distributed under the terms of the Botan license
*/
#include <botan/hmac_rng.h>
#include <botan/get_byte.h>
#include <botan/internal/xor_buf.h>
#include <algorithm>
namespace Botan {
namespace {
void hmac_prf(MessageAuthenticationCode* prf,
secure_vector<byte>& K,
u32bit& counter,
const std::string& label)
{
prf->update(K);
prf->update(label);
prf->update_be(counter);
prf->final(&K[0]);
++counter;
}
}
/*
* Generate a buffer of random bytes
*/
void HMAC_RNG::randomize(byte out[], size_t length)
{
if(!is_seeded())
throw PRNG_Unseeded(name());
/*
HMAC KDF as described in E-t-E, using a CTXinfo of "rng"
*/
while(length)
{
hmac_prf(prf, K, counter, "rng");
const size_t copied = std::min<size_t>(K.size() / 2, length);
copy_mem(out, &K[0], copied);
out += copied;
length -= copied;
if(counter % 1024 == 0)
reseed(128);
}
}
/*
* Poll for entropy and reset the internal keys
*/
void HMAC_RNG::reseed(size_t poll_bits)
{
/*
Using the terminology of E-t-E, XTR is the MAC function (normally
HMAC) seeded with XTS (below) and we form SKM, the key material, by
polling as many sources as we think needed to reach our polling
goal. We then also include feedback of the current PRK so that
a bad poll doesn't wipe us out.
*/
Entropy_Accumulator_BufferedComputation accum(*extractor, poll_bits);
if(!entropy_sources.empty())
{
size_t poll_attempt = 0;
while(!accum.polling_goal_achieved() && poll_attempt < poll_bits)
{
const size_t src_idx = poll_attempt % entropy_sources.size();
entropy_sources[src_idx]->poll(accum);
++poll_attempt;
}
}
/*
* It is necessary to feed forward poll data. Otherwise, a good poll
* (collecting a large amount of conditional entropy) followed by a
* bad one (collecting little) would be unsafe. Do this by
* generating new PRF outputs using the previous key and feeding
* them into the extractor function.
*
* Cycle the RNG once (CTXinfo="rng"), then generate a new PRF
* output using the CTXinfo "reseed". Provide these values as input
* to the extractor function.
*/
hmac_prf(prf, K, counter, "rng");
extractor->update(K); // K is the CTXinfo=rng PRF output
hmac_prf(prf, K, counter, "reseed");
extractor->update(K); // K is the CTXinfo=reseed PRF output
/* Now derive the new PRK using everything that has been fed into
the extractor, and set the PRF key to that */
prf->set_key(extractor->final());
// Now generate a new PRF output to use as the XTS extractor salt
hmac_prf(prf, K, counter, "xts");
extractor->set_key(K);
// Reset state
zeroise(K);
/*
* Consider ourselves seeded once we've collected an estimated 128 bits of
* entropy in a single poll.
*/
if(seeded == false && accum.bits_collected() >= 128)
seeded = true;
}
/*
* Add user-supplied entropy to the extractor input
*/
void HMAC_RNG::add_entropy(const byte input[], size_t length)
{
/*
* Simply include the data in the extractor input. During the
* next periodic reseed, the input will be incorporated into
* the state.
*/
extractor->update(input, length);
}
/*
* Add another entropy source to the list
*/
void HMAC_RNG::add_entropy_source(EntropySource* src)
{
entropy_sources.push_back(src);
}
/*
* Clear memory of sensitive data
*/
void HMAC_RNG::clear()
{
extractor->clear();
prf->clear();
zeroise(K);
counter = 0;
seeded = false;
}
/*
* Return the name of this type
*/
std::string HMAC_RNG::name() const
{
return "HMAC_RNG(" + extractor->name() + "," + prf->name() + ")";
}
/*
* HMAC_RNG Constructor
*/
HMAC_RNG::HMAC_RNG(MessageAuthenticationCode* extractor_mac,
MessageAuthenticationCode* prf_mac) :
extractor(extractor_mac), prf(prf_mac)
{
if(!prf->valid_keylength(extractor->output_length()) ||
!extractor->valid_keylength(prf->output_length()))
throw Invalid_Argument("HMAC_RNG: Bad algo combination " +
extractor->name() + " and " +
prf->name());
// First PRF inputs are all zero, as specified in section 2
K.resize(prf->output_length());
counter = 0;
seeded = false;
/*
Normally we want to feedback PRF output into the input to the
extractor function to ensure a single bad poll does not damage the
RNG, but obviously that is meaningless to do on the first poll.
We will want to use the PRF before we set the first key (in
reseed), and it is a pain to keep track if it is set or
not. Since the first time it doesn't matter anyway, just set the
PRF key to constant zero: randomize() will not produce output
unless is_seeded() returns true, and that will only be the case if
the estimated entropy counter is high enough. That variable is only
set when a reseeding is performed.
*/
secure_vector<byte> prf_key(extractor->output_length());
prf->set_key(prf_key);
/*
Use PRF("Botan HMAC_RNG XTS") as the intitial XTS key.
This will be used during the first extraction sequence; XTS values
after this one are generated using the PRF.
If I understand the E-t-E paper correctly (specifically Section 4),
using this fixed extractor key is safe to do.
*/
extractor->set_key(prf->process("Botan HMAC_RNG XTS"));
}
/*
* HMAC_RNG Destructor
*/
HMAC_RNG::~HMAC_RNG()
{
delete extractor;
delete prf;
for(auto src : entropy_sources)
delete src;
counter = 0;
}
}
|