update PRNG documentation/comments
This commit is contained in:
Bodo Möller
parent
2a99e8b9df
commit
c88a900fa1
3 changed files with 20 additions and 16 deletions
|
|
@ -186,7 +186,7 @@ static void ssleay_rand_add(const void *buf, int num, int add)
|
|||
/*
|
||||
* (Based on the rand(3) manpage)
|
||||
*
|
||||
* The input is chopped up into units of 16 bytes (or less for
|
||||
* The input is chopped up into units of 20 bytes (or less for
|
||||
* the last block). Each of these blocks is run through the hash
|
||||
* function as follows: The data passed to the hash function
|
||||
* is the current 'md', the same number of bytes from the 'state'
|
||||
|
|
@ -324,13 +324,15 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
|
|||
/*
|
||||
* (Based on the rand(3) manpage:)
|
||||
*
|
||||
* For each group of 8 bytes (or less), we do the following:
|
||||
* For each group of 10 bytes (or less), we do the following:
|
||||
*
|
||||
* Input into the hash function the top 8 bytes from 'md', the bytes
|
||||
* that are to be overwritten by the random bytes, and bytes from the
|
||||
* Input into the hash function the top 10 bytes from the
|
||||
* local 'md' (which is initialized from the global 'md'
|
||||
* before any bytes are generated), the bytes that are
|
||||
* to be overwritten by the random bytes, and bytes from the
|
||||
* 'state' (incrementing looping index). From this digest output
|
||||
* (which is kept in 'md'), the top (upto) 8 bytes are
|
||||
* returned to the caller and the bottom (upto) 8 bytes are xored
|
||||
* (which is kept in 'md'), the top (up to) 10 bytes are
|
||||
* returned to the caller and the bottom (up to) 10 bytes are xored
|
||||
* into the 'state'.
|
||||
* Finally, after we have finished 'num' random bytes for the
|
||||
* caller, 'count' (which is incremented) and the local and global 'md'
|
||||
|
|
|
|||
|
|
@ -55,7 +55,7 @@ The prime number generation has a negligible error probability.
|
|||
|
||||
BN_is_prime() tests if the number B<a> is prime. This is done by
|
||||
performing a Miller-Rabin probabilistic primality test with B<checks>
|
||||
iterations. If B<checks == BN_prime_check>, it uses the minimal number
|
||||
iterations. If B<checks == BN_prime_check>, it uses a number
|
||||
of iterations that yields a false positive rate of at most 2^-80 for
|
||||
random input.
|
||||
|
||||
|
|
|
|||
|
|
@ -101,12 +101,12 @@ the RNG state or the next random number.
|
|||
The algorithm is as follows.
|
||||
|
||||
There is global state made up of a 1023 byte buffer (the 'state'), a
|
||||
working hash function ('md') and a counter ('count').
|
||||
working hash value ('md'), and a counter ('count').
|
||||
|
||||
Whenever seed data is added, it is inserted into the 'state' as
|
||||
follows.
|
||||
|
||||
The input is chopped up into units of 16 bytes (or less for
|
||||
The input is chopped up into units of 20 bytes (or less for
|
||||
the last block). Each of these blocks is run through the hash
|
||||
function as follows: The data passed to the hash function
|
||||
is the current 'md', the same number of bytes from the 'state'
|
||||
|
|
@ -121,13 +121,15 @@ SHA-1), 3 (the 'state'), 4 (via the 'md'), 5 (by the use of a hash
|
|||
function and xor).
|
||||
|
||||
When bytes are extracted from the RNG, the following process is used.
|
||||
For each group of 8 bytes (or less), we do the following,
|
||||
For each group of 10 bytes (or less), we do the following:
|
||||
|
||||
Input into the hash function the top 8 bytes from 'md', the bytes that
|
||||
are to be overwritten by the random bytes, and bytes from the 'state'
|
||||
(incrementing looping index). From this hash function output (which
|
||||
is kept in 'md'), the top (upto) 8 bytes are returned to the caller
|
||||
and the bottom (upto) 8 bytes are xored into the 'state'.
|
||||
Input into the hash function the top 10 bytes from the local 'md'
|
||||
(which is initialized from the global 'md' before any bytes are
|
||||
generated), the bytes that are to be overwritten by the random bytes,
|
||||
and bytes from the 'state' (incrementing looping index). From this
|
||||
digest output (which is kept in 'md'), the top (up to) 10 bytes are
|
||||
returned to the caller and the bottom (up to) 10 bytes are xored into
|
||||
the 'state'.
|
||||
|
||||
Finally, after we have finished 'num' random bytes for the caller,
|
||||
'count' (which is incremented) and the local and global 'md' are fed
|
||||
|
|
@ -135,7 +137,7 @@ into the hash function and the results are kept in the global 'md'.
|
|||
|
||||
I believe the above addressed points 1 (use of SHA-1), 6 (by hashing
|
||||
into the 'state' the 'old' data from the caller that is about to be
|
||||
overwritten) and 7 (by not using the 8 bytes given to the caller to
|
||||
overwritten) and 7 (by not using the 10 bytes given to the caller to
|
||||
update the 'state', but they are used to update 'md').
|
||||
|
||||
So of the points raised, only 2 is not addressed (but see
|
||||
|
|
|
|||
Loading…
Reference in a new issue