Botan  1.11.30
hmac_rng.cpp
Go to the documentation of this file.
1 /*
2 * HMAC_RNG
3 * (C) 2008,2009,2013,2015,2016 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/hmac_rng.h>
9 #include <botan/entropy_src.h>
10 #include <botan/internal/os_utils.h>
11 #include <algorithm>
12 #include <chrono>
13 
14 namespace Botan {
15 
16 /*
17 * HMAC_RNG Constructor
18 */
21  m_extractor(extractor), m_prf(prf)
22  {
23  if(!m_prf->valid_keylength(m_extractor->output_length()) ||
24  !m_extractor->valid_keylength(m_prf->output_length()))
25  {
26  throw Invalid_Argument("HMAC_RNG: Bad algo combination " +
27  m_extractor->name() + " and " +
28  m_prf->name());
29  }
30 
31  this->clear();
32  }
33 
35  {
36  m_collected_entropy_estimate = 0;
37  m_counter = 0;
38 
39  // First PRF inputs are all zero, as specified in section 2
40  m_K.resize(m_prf->output_length());
41  zeroise(m_K);
42 
43  /*
44  Normally we want to feedback PRF outputs to the extractor function
45  to ensure a single bad poll does not reduce entropy. Thus in reseed
46  we'll want to invoke the PRF before we reset the PRF key, but until
47  the first reseed the PRF is unkeyed. Rather than trying to keep
48  track of this, just set the initial PRF key to constant zero.
49  Since all PRF inputs in the first reseed are constants, this
50  amounts to suffixing the seed in the first poll with a fixed
51  constant string.
52 
53  The PRF key will not be used to generate outputs until after reseed
54  sets m_seeded to true.
55  */
56  std::vector<byte> prf_zero_key(m_extractor->output_length());
57  m_prf->set_key(prf_zero_key.data(), prf_zero_key.size());
58 
59  /*
60  Use PRF("Botan HMAC_RNG XTS") as the intitial XTS key.
61 
62  This will be used during the first extraction sequence; XTS values
63  after this one are generated using the PRF.
64 
65  If I understand the E-t-E paper correctly (specifically Section 4),
66  using this fixed initial extractor key is safe to do.
67  */
68  m_extractor->set_key(m_prf->process("Botan HMAC_RNG XTS"));
69  }
70 
71 void HMAC_RNG::new_K_value(byte label)
72  {
73  m_prf->update(m_K);
74  m_prf->update_be(m_pid);
75  m_prf->update_be(OS::get_processor_timestamp());
76  m_prf->update_be(OS::get_system_timestamp_ns());
77  m_prf->update_be(m_counter++);
78  m_prf->update(label);
79  m_prf->final(m_K.data());
80  }
81 
82 /*
83 * Generate a buffer of random bytes
84 */
85 void HMAC_RNG::randomize(byte out[], size_t length)
86  {
87  if(!is_seeded() || m_pid != OS::get_process_id())
88  {
89  reseed(256);
90  if(!is_seeded())
91  throw PRNG_Unseeded(name());
92  }
93 
94  const size_t max_per_prf_iter = m_prf->output_length() / 2;
95 
96  m_output_since_reseed += length;
97 
98  if(m_output_since_reseed >= BOTAN_RNG_MAX_OUTPUT_BEFORE_RESEED)
99  {
101  BOTAN_RNG_RESEED_POLL_BITS,
102  BOTAN_RNG_AUTO_RESEED_TIMEOUT);
103  }
104 
105  /*
106  HMAC KDF as described in E-t-E, using a CTXinfo of "rng"
107  */
108  while(length)
109  {
110  new_K_value(Running);
111 
112  const size_t copied = std::min<size_t>(length, max_per_prf_iter);
113 
114  copy_mem(out, m_K.data(), copied);
115  out += copied;
116  length -= copied;
117  }
118  }
119 
121  size_t poll_bits,
122  std::chrono::milliseconds timeout)
123  {
124  /*
125  Using the terminology of E-t-E, XTR is the MAC function (normally
126  HMAC) seeded with XTS (below) and we form SKM, the key material, by
127  polling as many sources as we think needed to reach our polling
128  goal. We then also include feedback of the current PRK so that
129  a bad poll doesn't wipe us out.
130  */
131 
132  typedef std::chrono::system_clock clock;
133  auto deadline = clock::now() + timeout;
134 
135  double bits_collected = 0;
136 
137  Entropy_Accumulator accum([&](const byte in[], size_t in_len, double entropy_estimate) {
138  m_extractor->update(in, in_len);
139  bits_collected += entropy_estimate;
140  return (bits_collected >= poll_bits || clock::now() > deadline);
141  });
142 
143  srcs.poll(accum);
144 
145  /*
146  * It is necessary to feed forward poll data. Otherwise, a good poll
147  * (collecting a large amount of conditional entropy) followed by a
148  * bad one (collecting little) would be unsafe. Do this by
149  * generating new PRF outputs using the previous key and feeding
150  * them into the extractor function.
151  */
152  new_K_value(Reseed);
153  m_extractor->update(m_K); // K is the CTXinfo=reseed PRF output
154 
155  /* Now derive the new PRK using everything that has been fed into
156  the extractor, and set the PRF key to that */
157  m_prf->set_key(m_extractor->final());
158 
159  // Now generate a new PRF output to use as the XTS extractor salt
160  new_K_value(ExtractorSeed);
161  m_extractor->set_key(m_K);
162 
163  // Reset state
164  zeroise(m_K);
165  m_counter = 0;
166 
167  m_collected_entropy_estimate =
168  std::min<size_t>(m_collected_entropy_estimate + static_cast<size_t>(bits_collected),
169  m_extractor->output_length() * 8);
170 
171  m_output_since_reseed = 0;
172  m_pid = OS::get_process_id();
173 
174  return static_cast<size_t>(bits_collected);
175  }
176 
178  {
179  return (m_collected_entropy_estimate >= 256);
180  }
181 
182 /*
183 * Add user-supplied entropy to the extractor input then reseed
184 * to incorporate it into the state
185 */
186 void HMAC_RNG::add_entropy(const byte input[], size_t length)
187  {
188  m_extractor->update(input, length);
189 
191  BOTAN_RNG_RESEED_POLL_BITS,
192  BOTAN_RNG_RESEED_DEFAULT_TIMEOUT);
193  }
194 
195 /*
196 * Return the name of this type
197 */
198 std::string HMAC_RNG::name() const
199  {
200  return "HMAC_RNG(" + m_extractor->name() + "," + m_prf->name() + ")";
201  }
202 
203 }
void add_entropy(const byte[], size_t) override
Definition: hmac_rng.cpp:186
size_t reseed(size_t bits_to_collect)
Definition: rng.cpp:14
uint32_t get_process_id()
Definition: os_utils.cpp:30
std::string name() const override
Definition: hmac_rng.cpp:198
uint64_t get_processor_timestamp()
Definition: os_utils.cpp:41
HMAC_RNG(MessageAuthenticationCode *extractor, MessageAuthenticationCode *prf)
Definition: hmac_rng.cpp:19
void clear() override
Definition: hmac_rng.cpp:34
uint64_t get_system_timestamp_ns()
Definition: os_utils.cpp:88
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:43
Definition: alg_id.cpp:13
bool is_seeded() const override
Definition: hmac_rng.cpp:177
static Entropy_Sources & global_sources()
void poll(Entropy_Accumulator &accum)
void randomize(byte buf[], size_t len) override
Definition: hmac_rng.cpp:85
size_t reseed_with_sources(Entropy_Sources &srcs, size_t poll_bits, std::chrono::milliseconds poll_timeout) override
Definition: hmac_rng.cpp:120
void zeroise(std::vector< T, Alloc > &vec)
Definition: secmem.h:186
std::uint8_t byte
Definition: types.h:31