From c88a900fa1348a47d69a13da7bb1205178a3472d Mon Sep 17 00:00:00 2001 From: =?utf8?q?Bodo=20M=C3=B6ller?= Date: Sat, 22 Jan 2000 23:11:13 +0000 Subject: [PATCH] update PRNG documentation/comments --- crypto/rand/md_rand.c | 14 ++++++++------ doc/crypto/BN_generate_prime.pod | 2 +- doc/crypto/rand.pod | 20 +++++++++++--------- 3 files changed, 20 insertions(+), 16 deletions(-) diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 2836a4d409..88095b109d 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -186,7 +186,7 @@ static void ssleay_rand_add(const void *buf, int num, int add) /* * (Based on the rand(3) manpage) * - * The input is chopped up into units of 16 bytes (or less for + * The input is chopped up into units of 20 bytes (or less for * the last block). Each of these blocks is run through the hash * function as follows: The data passed to the hash function * is the current 'md', the same number of bytes from the 'state' @@ -324,13 +324,15 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) /* * (Based on the rand(3) manpage:) * - * For each group of 8 bytes (or less), we do the following: + * For each group of 10 bytes (or less), we do the following: * - * Input into the hash function the top 8 bytes from 'md', the bytes - * that are to be overwritten by the random bytes, and bytes from the + * Input into the hash function the top 10 bytes from the + * local 'md' (which is initialized from the global 'md' + * before any bytes are generated), the bytes that are + * to be overwritten by the random bytes, and bytes from the * 'state' (incrementing looping index). From this digest output - * (which is kept in 'md'), the top (upto) 8 bytes are - * returned to the caller and the bottom (upto) 8 bytes are xored + * (which is kept in 'md'), the top (up to) 10 bytes are + * returned to the caller and the bottom (up to) 10 bytes are xored * into the 'state'. * Finally, after we have finished 'num' random bytes for the * caller, 'count' (which is incremented) and the local and global 'md' diff --git a/doc/crypto/BN_generate_prime.pod b/doc/crypto/BN_generate_prime.pod index 6744d5d815..768149efe8 100644 --- a/doc/crypto/BN_generate_prime.pod +++ b/doc/crypto/BN_generate_prime.pod @@ -55,7 +55,7 @@ The prime number generation has a negligible error probability. BN_is_prime() tests if the number B is prime. This is done by performing a Miller-Rabin probabilistic primality test with B -iterations. If B, it uses the minimal number +iterations. If B, it uses a number of iterations that yields a false positive rate of at most 2^-80 for random input. diff --git a/doc/crypto/rand.pod b/doc/crypto/rand.pod index a6dbf516b3..b357f76ac3 100644 --- a/doc/crypto/rand.pod +++ b/doc/crypto/rand.pod @@ -101,12 +101,12 @@ the RNG state or the next random number. The algorithm is as follows. There is global state made up of a 1023 byte buffer (the 'state'), a -working hash function ('md') and a counter ('count'). +working hash value ('md'), and a counter ('count'). Whenever seed data is added, it is inserted into the 'state' as follows. -The input is chopped up into units of 16 bytes (or less for +The input is chopped up into units of 20 bytes (or less for the last block). Each of these blocks is run through the hash function as follows: The data passed to the hash function is the current 'md', the same number of bytes from the 'state' @@ -121,13 +121,15 @@ SHA-1), 3 (the 'state'), 4 (via the 'md'), 5 (by the use of a hash function and xor). When bytes are extracted from the RNG, the following process is used. -For each group of 8 bytes (or less), we do the following, +For each group of 10 bytes (or less), we do the following: -Input into the hash function the top 8 bytes from 'md', the bytes that -are to be overwritten by the random bytes, and bytes from the 'state' -(incrementing looping index). From this hash function output (which -is kept in 'md'), the top (upto) 8 bytes are returned to the caller -and the bottom (upto) 8 bytes are xored into the 'state'. +Input into the hash function the top 10 bytes from the local 'md' +(which is initialized from the global 'md' before any bytes are +generated), the bytes that are to be overwritten by the random bytes, +and bytes from the 'state' (incrementing looping index). From this +digest output (which is kept in 'md'), the top (up to) 10 bytes are +returned to the caller and the bottom (up to) 10 bytes are xored into +the 'state'. Finally, after we have finished 'num' random bytes for the caller, 'count' (which is incremented) and the local and global 'md' are fed @@ -135,7 +137,7 @@ into the hash function and the results are kept in the global 'md'. I believe the above addressed points 1 (use of SHA-1), 6 (by hashing into the 'state' the 'old' data from the caller that is about to be -overwritten) and 7 (by not using the 8 bytes given to the caller to +overwritten) and 7 (by not using the 10 bytes given to the caller to update the 'state', but they are used to update 'md'). So of the points raised, only 2 is not addressed (but see -- 2.25.1