Upgrade the random device to use a "real" hash instead of building

one out of a block cipher. This has 2 advantages: 1) The code is _much_ simpler 2) We aren't committing our security to one algorithm (much as we may think we trust AES). While I'm here, make an explicit reseed do a slow reseed instead of a fast; this is in line with what the original paper suggested.
svn path=/head/; revision=100082
2024-12-03 09:00:21 +00:00 · 2002-07-15 13:58:35 +00:00 · 2002-07-15 13:58:35 +00:00 · bbf09ad887 · 2020-12-20 02:59:44 +00:00
commit bbf09ad887
parent d56fb9ceb0
5 changed files with 14 additions and 55 deletions
--- a/sys/conf/files
+++ b/sys/conf/files
@ -507,6 +507,7 @@ dev/random/yarrow.c	optional random
 dev/random/hash.c	optional random
 crypto/rijndael/rijndael-alg-fst.c	optional random
 crypto/rijndael/rijndael-api-fst.c	optional random
+crypto/sha2/sha2.c	optional random
 dev/ray/if_ray.c	optional ray card
 dev/ray/if_ray.c	optional ray pccard
 dev/rp/rp.c		optional rp
--- a/sys/dev/random/hash.c
+++ b/sys/dev/random/hash.c
@ -30,47 +30,22 @@
 #include <sys/systm.h>

 #include <crypto/rijndael/rijndael.h>
+#include <crypto/sha2/sha2.h>

 #include <dev/random/hash.h>

-/* initialise the hash by zeroing it */
+/* initialise the hash */
 void
 yarrow_hash_init(struct yarrowhash *context)
 {
-	rijndael_cipherInit(&context->cipher, MODE_CBC, NULL);
-	bzero(context->hash, KEYSIZE);
-	context->partial = 0;
+	SHA256_Init(&context->sha);
 }

-/* Do a Davies-Meyer hash using a block cipher.
- * H_0 = I
- * H_i = E_M_i(H_i-1) ^ H_i-1
- */
+/* iterate the hash */
 void
 yarrow_hash_iterate(struct yarrowhash *context, void *data, size_t size)
 {
-	u_char temp[KEYSIZE];
-	u_int i, j;
-	union {
-		void *pv;
-		char *pc;
-	} trans;
-
-	trans.pv = data;
-	for (i = 0; i < size; i++) {
-		context->accum[context->partial++] = trans.pc[i];
-		if (context->partial == (KEYSIZE - 1)) {
-			rijndael_makeKey(&context->hashkey, DIR_ENCRYPT,
-				KEYSIZE*8, context->accum);
-			rijndael_blockEncrypt(&context->cipher,
-				&context->hashkey, context->hash,
-				KEYSIZE*8, temp);
-			for (j = 0; j < KEYSIZE; j++)
-				context->hash[j] ^= temp[j];
-			bzero(context->accum, KEYSIZE);
-			context->partial = 0;
-		}
-	}
+	SHA256_Update(&context->sha, data, size);
 }

 /* Conclude by returning the hash in the supplied /buf/ which must be
@ -80,20 +55,7 @@ yarrow_hash_iterate(struct yarrowhash *context, void *data, size_t size)
 void
 yarrow_hash_finish(struct yarrowhash *context, void *buf)
 {
-	u_char temp[KEYSIZE];
-	int i;
-
-	if (context->partial) {
-		rijndael_makeKey(&context->hashkey, DIR_ENCRYPT,
-			KEYSIZE*8, context->accum);
-		rijndael_blockEncrypt(&context->cipher,
-			&context->hashkey, context->hash,
-			KEYSIZE*8, temp);
-		for (i = 0; i < KEYSIZE; i++)
-			context->hash[i] ^= temp[i];
-	}
-	memcpy(buf, context->hash, KEYSIZE);
-	bzero(context->hash, KEYSIZE);
+	SHA256_Final(buf, &context->sha);
 }

 /* Initialise the encryption routine by setting up the key schedule
--- a/sys/dev/random/hash.h
+++ b/sys/dev/random/hash.h
@ -26,14 +26,10 @@
 * $FreeBSD$
 */

-#define KEYSIZE		32		/* in bytes - 32 bytes == 256 bits */
+#define KEYSIZE		32		/* (in bytes) 32 bytes == 256 bits */

 struct yarrowhash {		/* Big! Make static! */
-	keyInstance hashkey;	/* Data cycles through here */
-	cipherInstance cipher;	/* Rijndael internal */
-	u_char hash[KEYSIZE];	/* Repeatedly encrypted */
-	char accum[KEYSIZE];	/* Accumulate partial chunks */
-	u_int partial;		/* Keep track of < KEYSIZE chunks */
+	SHA256_CTX	sha;
 };

 struct yarrowkey {		/* Big! Make static! */
--- a/sys/dev/random/yarrow.c
+++ b/sys/dev/random/yarrow.c
@ -35,6 +35,7 @@
 #include <sys/sysctl.h>

 #include <crypto/rijndael/rijndael.h>
+#include <crypto/sha2/sha2.h>

 #include <dev/random/hash.h>
 #include <dev/random/randomdev.h>
@ -249,9 +250,7 @@ reseed(u_int fastslow)
 	random_unblock();
 }

-/* Internal function to do return processed entropy from the
- * Yarrow PRNG
- */
+/* Internal function to return processed entropy from the PRNG */
 int
 read_random_real(void *buf, int count)
 {
@ -343,5 +342,5 @@ generator_gate(void)
 void
 random_reseed(void)
 {
-	reseed(FAST);
+	reseed(SLOW);
 }
--- a/sys/modules/random/Makefile
+++ b/sys/modules/random/Makefile
@ -2,10 +2,11 @@

 .PATH: ${.CURDIR}/../../dev/random
 .PATH: ${.CURDIR}/../../crypto/rijndael
+.PATH: ${.CURDIR}/../../crypto/sha2

 KMOD=	random
 SRCS=	randomdev.c yarrow.c hash.c
-SRCS+=	rijndael-alg-fst.c rijndael-api-fst.c
+SRCS+=	rijndael-alg-fst.c rijndael-api-fst.c sha2.c
 SRCS+=	bus_if.h device_if.h vnode_if.h

 CFLAGS+= -I${.CURDIR}/../..