ext-cryptopp/randpool.h

// randpool.h - originally written and placed in the public domain by Wei Dai
//              OldRandPool added by JW in August, 2017.

/// \file randpool.h
/// \brief Class file for Randomness Pool
/// \details RandomPool can be used to generate cryptographic quality pseudorandom bytes
///  after seeding the pool with IncorporateEntropy(). Internally, the generator uses
///  AES-256 to produce the stream. Entropy is stirred in using SHA-256.
/// \details RandomPool used to follow the design of randpool in PGP 2.6.x. At version 5.5
///  RandomPool was redesigned to reduce the risk of reusing random numbers after state
///  rollback (which may occur when running in a virtual machine like VMware or a hosted
///  environment).
/// \details If you need the pre-Crypto++ 5.5 generator then use OldRandomPool class. You
///  should migrate away from OldRandomPool at the earliest opportunity. Use RandomPool
///  or AutoSeededRandomPool instead.
/// \since Crypto++ 4.0 (PGP 2.6.x style), Crypto++ 5.5 (AES-256 based)

#ifndef CRYPTOPP_RANDPOOL_H
#define CRYPTOPP_RANDPOOL_H

#include "cryptlib.h"
#include "filters.h"
#include "secblock.h"
#include "smartptr.h"
#include "aes.h"

NAMESPACE_BEGIN(CryptoPP)

/// \brief Randomness Pool based on AES-256
/// \details RandomPool can be used to generate cryptographic quality pseudorandom bytes
///  after seeding the pool with IncorporateEntropy(). Internally, the generator uses
///  AES-256 to produce the stream. Entropy is stirred in using SHA-256.
/// \details RandomPool used to follow the design of randpool in PGP 2.6.x. At version 5.5
///  RandomPool was redesigned to reduce the risk of reusing random numbers after state
///  rollback, which may occur when running in a virtual machine like VMware or a hosted
///  environment.
/// \details You should reseed the generator after a fork() to avoid multiple generators
///  with the same internal state.
/// \details If you need the pre-Crypto++ 5.5 generator then use OldRandomPool class. You
///  should migrate away from OldRandomPool at the earliest opportunity.
/// \sa OldRandomPool
/// \since Crypto++ 4.0 (PGP 2.6.x style), Crypto++ 5.5 (AES-256 based)
class CRYPTOPP_DLL RandomPool : public RandomNumberGenerator, public NotCopyable
{
public:
	/// \brief Construct a RandomPool
	RandomPool();

	bool CanIncorporateEntropy() const {return true;}
	void IncorporateEntropy(const byte *input, size_t length);
	void GenerateIntoBufferedTransformation(BufferedTransformation &target, const std::string &channel, lword size);

private:
	FixedSizeAlignedSecBlock<byte, 16, true> m_seed;
	FixedSizeAlignedSecBlock<byte, 32> m_key;
	member_ptr<BlockCipher> m_pCipher;
	bool m_keySet;
};

/// \brief Randomness Pool based on PGP 2.6.x with MDC
/// \details If you need the pre-Crypto++ 5.5 generator then use OldRandomPool class. The
///  OldRandomPool also provides the modern interface, including <tt>CanIncorporateEntropy</tt>,
///  <tt>IncorporateEntropy</tt> and <tt>GenerateIntoBufferedTransformation</tt>.
/// \details You should reseed the generator after a fork() to avoid multiple generators
///  with the same internal state.
/// \details You should migrate away from OldRandomPool at the earliest opportunity. Use a
///  modern random number generator or key derivation function, like AutoSeededRandomPool or
///  HKDF.
/// \warning This class uses an old style PGP 2.6.x with MDC. The generator risks reusing
///  random numbers after state rollback. You should migrate away from OldRandomPool at
///  the earliest opportunity.
/// \sa RandomPool, AutoSeededRandomPool, HKDF, P1363_KDF2, PKCS12_PBKDF, PKCS5_PBKDF2_HMAC
/// \since Crypto++ 6.0
class CRYPTOPP_DLL OldRandomPool : public RandomNumberGenerator
{
public:
	/// \brief Construct an OldRandomPool
	/// \param poolSize internal pool size of the generator
	/// \details poolSize must be greater than 16
	OldRandomPool(unsigned int poolSize=384);

	// RandomNumberGenerator interface (Crypto++ 5.5 and above)
	bool CanIncorporateEntropy() const {return true;}
	void IncorporateEntropy(const byte *input, size_t length);
	void GenerateIntoBufferedTransformation(BufferedTransformation &target, const std::string &channel, lword size);

	byte GenerateByte();
	void GenerateBlock(byte *output, size_t size);

	// Endian swapped on little-endian machines. This is different
	// behavior from Crypto++ 5.4. Provide an override to correct it.
	word32 GenerateWord32 (word32 min=0, word32 max=0xffffffffUL);

protected:
	void Stir();

private:
	SecByteBlock pool, key;
	size_t addPos, getPos;
};

NAMESPACE_END

#endif
Change file preamble to include "originally written by Wei Dai" We have made a fair number of changes, and we don't want WD to receive credit for issues he was not part of 2017-01-27 12:05:45 +00:00			`// randpool.h - originally written and placed in the public domain by Wei Dai`
Add OldRandomPool class (Issue 452) RandomPool used to be a PGP-style deterministic generator and folks used it as a key generation function. At Crypto++ 5.5 the design changed to harden it agianst rollback attacks. The design change resulted in an upgrade barrier. That is, some folks are stuck at Crypto++ 4.2 or Crypto++ 5.2 because they must interoperate with existing software. Below is the test program we used for the test vector. It was run against Crypto++ 5.4. RandomPool prng; SecByteBlock seed(0x00, 384), result(64); prng.Put(seed, seed.size()); prng.GenerateBlock(result, result.size()); HexEncoder encoder(new FileSink(std::cout)); std::cout << "RandomPool: "; encoder.Put(result, sizeof(result)); std::cout << std::endl; 2017-08-01 22:53:31 +00:00			`// OldRandPool added by JW in August, 2017.`
Cleared -Wcast-align (Issue 122) 2016-01-25 04:09:28 +00:00
Change Doxygen comment style from //! to /// Also see https://groups.google.com/forum/#!topic/cryptopp-users/A7-Xt5Knlzw 2017-11-29 15:54:33 +00:00			`/// \file randpool.h`
			`/// \brief Class file for Randomness Pool`
			`/// \details RandomPool can be used to generate cryptographic quality pseudorandom bytes`
Update documentation 2020-04-02 12:29:45 +00:00			`/// after seeding the pool with IncorporateEntropy(). Internally, the generator uses`
			`/// AES-256 to produce the stream. Entropy is stirred in using SHA-256.`
Change Doxygen comment style from //! to /// Also see https://groups.google.com/forum/#!topic/cryptopp-users/A7-Xt5Knlzw 2017-11-29 15:54:33 +00:00			`/// \details RandomPool used to follow the design of randpool in PGP 2.6.x. At version 5.5`
Update documentation 2020-04-02 12:29:45 +00:00			`/// RandomPool was redesigned to reduce the risk of reusing random numbers after state`
			`/// rollback (which may occur when running in a virtual machine like VMware or a hosted`
			`/// environment).`
Change Doxygen comment style from //! to /// Also see https://groups.google.com/forum/#!topic/cryptopp-users/A7-Xt5Knlzw 2017-11-29 15:54:33 +00:00			`/// \details If you need the pre-Crypto++ 5.5 generator then use OldRandomPool class. You`
Update documentation 2020-04-02 12:29:45 +00:00			`/// should migrate away from OldRandomPool at the earliest opportunity. Use RandomPool`
			`/// or AutoSeededRandomPool instead.`
Change Doxygen comment style from //! to /// Also see https://groups.google.com/forum/#!topic/cryptopp-users/A7-Xt5Knlzw 2017-11-29 15:54:33 +00:00			`/// \since Crypto++ 4.0 (PGP 2.6.x style), Crypto++ 5.5 (AES-256 based)`
Cleared -Wcast-align (Issue 122) 2016-01-25 04:09:28 +00:00
CRYPTOPP 5.6.3 RC6 checkin 2015-11-05 06:59:46 +00:00			`#ifndef CRYPTOPP_RANDPOOL_H`
			`#define CRYPTOPP_RANDPOOL_H`

			`#include "cryptlib.h"`
			`#include "filters.h"`
			`#include "secblock.h"`
			`#include "smartptr.h"`
			`#include "aes.h"`

			`NAMESPACE_BEGIN(CryptoPP)`

Change Doxygen comment style from //! to /// Also see https://groups.google.com/forum/#!topic/cryptopp-users/A7-Xt5Knlzw 2017-11-29 15:54:33 +00:00			`/// \brief Randomness Pool based on AES-256`
			`/// \details RandomPool can be used to generate cryptographic quality pseudorandom bytes`
Update documentation 2020-04-02 12:29:45 +00:00			`/// after seeding the pool with IncorporateEntropy(). Internally, the generator uses`
			`/// AES-256 to produce the stream. Entropy is stirred in using SHA-256.`
Change Doxygen comment style from //! to /// Also see https://groups.google.com/forum/#!topic/cryptopp-users/A7-Xt5Knlzw 2017-11-29 15:54:33 +00:00			`/// \details RandomPool used to follow the design of randpool in PGP 2.6.x. At version 5.5`
Update documentation 2020-04-02 12:29:45 +00:00			`/// RandomPool was redesigned to reduce the risk of reusing random numbers after state`
			`/// rollback, which may occur when running in a virtual machine like VMware or a hosted`
			`/// environment.`
			`/// \details You should reseed the generator after a fork() to avoid multiple generators`
			`/// with the same internal state.`
Change Doxygen comment style from //! to /// Also see https://groups.google.com/forum/#!topic/cryptopp-users/A7-Xt5Knlzw 2017-11-29 15:54:33 +00:00			`/// \details If you need the pre-Crypto++ 5.5 generator then use OldRandomPool class. You`
Update documentation 2020-04-02 12:29:45 +00:00			`/// should migrate away from OldRandomPool at the earliest opportunity.`
Change Doxygen comment style from //! to /// Also see https://groups.google.com/forum/#!topic/cryptopp-users/A7-Xt5Knlzw 2017-11-29 15:54:33 +00:00			`/// \sa OldRandomPool`
			`/// \since Crypto++ 4.0 (PGP 2.6.x style), Crypto++ 5.5 (AES-256 based)`
CRYPTOPP 5.6.3 RC6 checkin 2015-11-05 06:59:46 +00:00			`class CRYPTOPP_DLL RandomPool : public RandomNumberGenerator, public NotCopyable`
			`{`
			`public:`
Change Doxygen comment style from //! to /// Also see https://groups.google.com/forum/#!topic/cryptopp-users/A7-Xt5Knlzw 2017-11-29 15:54:33 +00:00			`/// \brief Construct a RandomPool`
CRYPTOPP 5.6.3 RC6 checkin 2015-11-05 06:59:46 +00:00			`RandomPool();`

			`bool CanIncorporateEntropy() const {return true;}`
			`void IncorporateEntropy(const byte *input, size_t length);`
			`void GenerateIntoBufferedTransformation(BufferedTransformation &target, const std::string &channel, lword size);`

			`private:`
Cleared -Wcast-align (Issue 122) 2016-01-25 04:09:28 +00:00			`FixedSizeAlignedSecBlock<byte, 16, true> m_seed;`
Fixed cast-align warning when casting buffer to TimerWord* 2016-01-08 16:02:03 +00:00			`FixedSizeAlignedSecBlock<byte, 32> m_key;`
CRYPTOPP 5.6.3 RC6 checkin 2015-11-05 06:59:46 +00:00			`member_ptr<BlockCipher> m_pCipher;`
			`bool m_keySet;`
			`};`

Change Doxygen comment style from //! to /// Also see https://groups.google.com/forum/#!topic/cryptopp-users/A7-Xt5Knlzw 2017-11-29 15:54:33 +00:00			`/// \brief Randomness Pool based on PGP 2.6.x with MDC`
			`/// \details If you need the pre-Crypto++ 5.5 generator then use OldRandomPool class. The`
Update comments 2020-12-28 21:44:29 +00:00			`/// OldRandomPool also provides the modern interface, including <tt>CanIncorporateEntropy</tt>,`
Update documentation 2020-04-02 12:29:45 +00:00			`/// <tt>IncorporateEntropy</tt> and <tt>GenerateIntoBufferedTransformation</tt>.`
			`/// \details You should reseed the generator after a fork() to avoid multiple generators`
			`/// with the same internal state.`
Change Doxygen comment style from //! to /// Also see https://groups.google.com/forum/#!topic/cryptopp-users/A7-Xt5Knlzw 2017-11-29 15:54:33 +00:00			`/// \details You should migrate away from OldRandomPool at the earliest opportunity. Use a`
Update documentation 2020-04-02 12:29:45 +00:00			`/// modern random number generator or key derivation function, like AutoSeededRandomPool or`
			`/// HKDF.`
Remove AsymmetricAlgorithm::BERDecode (GH #569) 2018-01-21 13:45:02 +00:00			`/// \warning This class uses an old style PGP 2.6.x with MDC. The generator risks reusing`
Update documentation 2020-04-02 12:29:45 +00:00			`/// random numbers after state rollback. You should migrate away from OldRandomPool at`
			`/// the earliest opportunity.`
Change Doxygen comment style from //! to /// Also see https://groups.google.com/forum/#!topic/cryptopp-users/A7-Xt5Knlzw 2017-11-29 15:54:33 +00:00			`/// \sa RandomPool, AutoSeededRandomPool, HKDF, P1363_KDF2, PKCS12_PBKDF, PKCS5_PBKDF2_HMAC`
Update comments 2020-12-28 21:44:29 +00:00			`/// \since Crypto++ 6.0`
Remove pre-Crypto++ 5.5 interface Users of OldRandomPool must use the new interface. All that means is they must call IncorporateEntropy instead of Put, and GenerateBlock instead of Get 2017-08-02 23:43:56 +00:00			`class CRYPTOPP_DLL OldRandomPool : public RandomNumberGenerator`
Add OldRandomPool class (Issue 452) RandomPool used to be a PGP-style deterministic generator and folks used it as a key generation function. At Crypto++ 5.5 the design changed to harden it agianst rollback attacks. The design change resulted in an upgrade barrier. That is, some folks are stuck at Crypto++ 4.2 or Crypto++ 5.2 because they must interoperate with existing software. Below is the test program we used for the test vector. It was run against Crypto++ 5.4. RandomPool prng; SecByteBlock seed(0x00, 384), result(64); prng.Put(seed, seed.size()); prng.GenerateBlock(result, result.size()); HexEncoder encoder(new FileSink(std::cout)); std::cout << "RandomPool: "; encoder.Put(result, sizeof(result)); std::cout << std::endl; 2017-08-01 22:53:31 +00:00			`{`
			`public:`
Change Doxygen comment style from //! to /// Also see https://groups.google.com/forum/#!topic/cryptopp-users/A7-Xt5Knlzw 2017-11-29 15:54:33 +00:00			`/// \brief Construct an OldRandomPool`
			`/// \param poolSize internal pool size of the generator`
			`/// \details poolSize must be greater than 16`
Whitespace check-in 2017-08-01 23:58:08 +00:00			`OldRandomPool(unsigned int poolSize=384);`
Add OldRandomPool class (Issue 452) RandomPool used to be a PGP-style deterministic generator and folks used it as a key generation function. At Crypto++ 5.5 the design changed to harden it agianst rollback attacks. The design change resulted in an upgrade barrier. That is, some folks are stuck at Crypto++ 4.2 or Crypto++ 5.2 because they must interoperate with existing software. Below is the test program we used for the test vector. It was run against Crypto++ 5.4. RandomPool prng; SecByteBlock seed(0x00, 384), result(64); prng.Put(seed, seed.size()); prng.GenerateBlock(result, result.size()); HexEncoder encoder(new FileSink(std::cout)); std::cout << "RandomPool: "; encoder.Put(result, sizeof(result)); std::cout << std::endl; 2017-08-01 22:53:31 +00:00
Cut-in RandomNumberGenerator interface to OldRandPool The existing interface still exists. The new interface is routed into the old methods. Without the new interface, using OldRandPool could result in: $ ./cryptest.exe v terminate called after throwing an instance of CryptoPP::NotImplemented what(): RandomNumberGenerator: IncorporateEntropy not implemented Aborted (core dumped) 2017-08-02 22:55:10 +00:00			`// RandomNumberGenerator interface (Crypto++ 5.5 and above)`
			`bool CanIncorporateEntropy() const {return true;}`
			`void IncorporateEntropy(const byte *input, size_t length);`
Remove pre-Crypto++ 5.5 interface Users of OldRandomPool must use the new interface. All that means is they must call IncorporateEntropy instead of Put, and GenerateBlock instead of Get 2017-08-02 23:43:56 +00:00			`void GenerateIntoBufferedTransformation(BufferedTransformation &target, const std::string &channel, lword size);`
Add OldRandomPool class (Issue 452) RandomPool used to be a PGP-style deterministic generator and folks used it as a key generation function. At Crypto++ 5.5 the design changed to harden it agianst rollback attacks. The design change resulted in an upgrade barrier. That is, some folks are stuck at Crypto++ 4.2 or Crypto++ 5.2 because they must interoperate with existing software. Below is the test program we used for the test vector. It was run against Crypto++ 5.4. RandomPool prng; SecByteBlock seed(0x00, 384), result(64); prng.Put(seed, seed.size()); prng.GenerateBlock(result, result.size()); HexEncoder encoder(new FileSink(std::cout)); std::cout << "RandomPool: "; encoder.Put(result, sizeof(result)); std::cout << std::endl; 2017-08-01 22:53:31 +00:00
Whitespace check-in 2017-08-01 23:58:08 +00:00			`byte GenerateByte();`
			`void GenerateBlock(byte *output, size_t size);`
Add OldRandomPool class (Issue 452) RandomPool used to be a PGP-style deterministic generator and folks used it as a key generation function. At Crypto++ 5.5 the design changed to harden it agianst rollback attacks. The design change resulted in an upgrade barrier. That is, some folks are stuck at Crypto++ 4.2 or Crypto++ 5.2 because they must interoperate with existing software. Below is the test program we used for the test vector. It was run against Crypto++ 5.4. RandomPool prng; SecByteBlock seed(0x00, 384), result(64); prng.Put(seed, seed.size()); prng.GenerateBlock(result, result.size()); HexEncoder encoder(new FileSink(std::cout)); std::cout << "RandomPool: "; encoder.Put(result, sizeof(result)); std::cout << std::endl; 2017-08-01 22:53:31 +00:00
Endian swap outptu OldRandomPool::GenerateWord32 Also see https://groups.google.com/g/cryptopp-users/c/YOl2FGXSp44 2021-06-17 21:19:50 +00:00			`// Endian swapped on little-endian machines. This is different`
			`// behavior from Crypto++ 5.4. Provide an override to correct it.`
			`word32 GenerateWord32 (word32 min=0, word32 max=0xffffffffUL);`

Add OldRandomPool class (Issue 452) RandomPool used to be a PGP-style deterministic generator and folks used it as a key generation function. At Crypto++ 5.5 the design changed to harden it agianst rollback attacks. The design change resulted in an upgrade barrier. That is, some folks are stuck at Crypto++ 4.2 or Crypto++ 5.2 because they must interoperate with existing software. Below is the test program we used for the test vector. It was run against Crypto++ 5.4. RandomPool prng; SecByteBlock seed(0x00, 384), result(64); prng.Put(seed, seed.size()); prng.GenerateBlock(result, result.size()); HexEncoder encoder(new FileSink(std::cout)); std::cout << "RandomPool: "; encoder.Put(result, sizeof(result)); std::cout << std::endl; 2017-08-01 22:53:31 +00:00			`protected:`
Whitespace check-in 2017-08-01 23:58:08 +00:00			`void Stir();`
Add OldRandomPool class (Issue 452) RandomPool used to be a PGP-style deterministic generator and folks used it as a key generation function. At Crypto++ 5.5 the design changed to harden it agianst rollback attacks. The design change resulted in an upgrade barrier. That is, some folks are stuck at Crypto++ 4.2 or Crypto++ 5.2 because they must interoperate with existing software. Below is the test program we used for the test vector. It was run against Crypto++ 5.4. RandomPool prng; SecByteBlock seed(0x00, 384), result(64); prng.Put(seed, seed.size()); prng.GenerateBlock(result, result.size()); HexEncoder encoder(new FileSink(std::cout)); std::cout << "RandomPool: "; encoder.Put(result, sizeof(result)); std::cout << std::endl; 2017-08-01 22:53:31 +00:00
			`private:`
Whitespace check-in 2017-08-01 23:58:08 +00:00			`SecByteBlock pool, key;`
			`size_t addPos, getPos;`
Add OldRandomPool class (Issue 452) RandomPool used to be a PGP-style deterministic generator and folks used it as a key generation function. At Crypto++ 5.5 the design changed to harden it agianst rollback attacks. The design change resulted in an upgrade barrier. That is, some folks are stuck at Crypto++ 4.2 or Crypto++ 5.2 because they must interoperate with existing software. Below is the test program we used for the test vector. It was run against Crypto++ 5.4. RandomPool prng; SecByteBlock seed(0x00, 384), result(64); prng.Put(seed, seed.size()); prng.GenerateBlock(result, result.size()); HexEncoder encoder(new FileSink(std::cout)); std::cout << "RandomPool: "; encoder.Put(result, sizeof(result)); std::cout << std::endl; 2017-08-01 22:53:31 +00:00			`};`

CRYPTOPP 5.6.3 RC6 checkin 2015-11-05 06:59:46 +00:00			`NAMESPACE_END`

			`#endif`