2 * HAVEGE: HArdware Volatile Entropy Gathering and Expansion
4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
14 * * Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * * Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * * Neither the names of PolarSSL or XySSL nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
26 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36 * The HAVEGE RNG was designed by Andre Seznec in 2002.
38 * http://www.irisa.fr/caps/projects/hipsor/publi.php
40 * Contact: seznec(at)irisa_dot_fr - orocheco(at)irisa_dot_fr
46 #include "tropicssl/config.h"
48 #if defined(TROPICSSL_HAVEGE_C)
50 #include "tropicssl/havege.h"
51 #include "tropicssl/timing.h"
53 /* ------------------------------------------------------------------------
54 * On average, one iteration accesses two 8-word blocks in the havege WALK
55 * table, and generates 16 words in the RES array.
57 * The data read in the WALK table is updated and permuted after each use.
58 * The result of the hardware clock counter read is used for this update.
60 * 25 conditional tests are present. The conditional tests are grouped in
61 * two nested groups of 12 conditional tests and 1 test that controls the
62 * permutation; on average, there should be 6 tests executed and 3 of them
63 * should be mispredicted.
64 * ------------------------------------------------------------------------
67 #define SWAP(X,Y) { int *T = X; X = Y; Y = T; }
69 #define TST1_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
70 #define TST2_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
72 #define TST1_LEAVE U1++; }
73 #define TST2_LEAVE U2++; }
75 #define ONE_ITERATION \
79 TST1_ENTER TST1_ENTER TST1_ENTER TST1_ENTER \
80 TST1_ENTER TST1_ENTER TST1_ENTER TST1_ENTER \
81 TST1_ENTER TST1_ENTER TST1_ENTER TST1_ENTER \
83 TST1_LEAVE TST1_LEAVE TST1_LEAVE TST1_LEAVE \
84 TST1_LEAVE TST1_LEAVE TST1_LEAVE TST1_LEAVE \
85 TST1_LEAVE TST1_LEAVE TST1_LEAVE TST1_LEAVE \
87 PTX = (PT1 >> 18) & 7; \
90 CLK = (int) hardclock(); \
93 A = &WALK[PT1 ]; RES[i++] ^= *A; \
94 B = &WALK[PT2 ]; RES[i++] ^= *B; \
95 C = &WALK[PT1 ^ 1]; RES[i++] ^= *C; \
96 D = &WALK[PT2 ^ 4]; RES[i++] ^= *D; \
98 IN = (*A >> (1)) ^ (*A << (31)) ^ CLK; \
99 *A = (*B >> (2)) ^ (*B << (30)) ^ CLK; \
101 *C = (*C >> (3)) ^ (*C << (29)) ^ CLK; \
102 *D = (*D >> (4)) ^ (*D << (28)) ^ CLK; \
104 A = &WALK[PT1 ^ 2]; RES[i++] ^= *A; \
105 B = &WALK[PT2 ^ 2]; RES[i++] ^= *B; \
106 C = &WALK[PT1 ^ 3]; RES[i++] ^= *C; \
107 D = &WALK[PT2 ^ 6]; RES[i++] ^= *D; \
109 if( PTEST & 1 ) SWAP( A, C ); \
111 IN = (*A >> (5)) ^ (*A << (27)) ^ CLK; \
112 *A = (*B >> (6)) ^ (*B << (26)) ^ CLK; \
113 *B = IN; CLK = (int) hardclock(); \
114 *C = (*C >> (7)) ^ (*C << (25)) ^ CLK; \
115 *D = (*D >> (8)) ^ (*D << (24)) ^ CLK; \
117 A = &WALK[PT1 ^ 4]; \
118 B = &WALK[PT2 ^ 1]; \
122 PT2 = (RES[(i - 8) ^ PTY] ^ WALK[PT2 ^ PTY ^ 7]); \
123 PT2 = ((PT2 & 0x1FFF) & (~8)) ^ ((PT1 ^ 8) & 0x8); \
124 PTY = (PT2 >> 10) & 7; \
126 TST2_ENTER TST2_ENTER TST2_ENTER TST2_ENTER \
127 TST2_ENTER TST2_ENTER TST2_ENTER TST2_ENTER \
128 TST2_ENTER TST2_ENTER TST2_ENTER TST2_ENTER \
130 TST2_LEAVE TST2_LEAVE TST2_LEAVE TST2_LEAVE \
131 TST2_LEAVE TST2_LEAVE TST2_LEAVE TST2_LEAVE \
132 TST2_LEAVE TST2_LEAVE TST2_LEAVE TST2_LEAVE \
134 C = &WALK[PT1 ^ 5]; \
135 D = &WALK[PT2 ^ 5]; \
142 IN = (*A >> ( 9)) ^ (*A << (23)) ^ CLK; \
143 *A = (*B >> (10)) ^ (*B << (22)) ^ CLK; \
145 *C = (*C >> (11)) ^ (*C << (21)) ^ CLK; \
146 *D = (*D >> (12)) ^ (*D << (20)) ^ CLK; \
148 A = &WALK[PT1 ^ 6]; RES[i++] ^= *A; \
149 B = &WALK[PT2 ^ 3]; RES[i++] ^= *B; \
150 C = &WALK[PT1 ^ 7]; RES[i++] ^= *C; \
151 D = &WALK[PT2 ^ 7]; RES[i++] ^= *D; \
153 IN = (*A >> (13)) ^ (*A << (19)) ^ CLK; \
154 *A = (*B >> (14)) ^ (*B << (18)) ^ CLK; \
156 *C = (*C >> (15)) ^ (*C << (17)) ^ CLK; \
157 *D = (*D >> (16)) ^ (*D << (16)) ^ CLK; \
159 PT1 = ( RES[(i - 8) ^ PTX] ^ \
160 WALK[PT1 ^ PTX ^ 7] ) & (~1); \
161 PT1 ^= (PT2 ^ 0x10) & 0x10; \
163 for( n++, i = 0; i < 16; i++ ) \
164 hs->pool[n % COLLECT_SIZE] ^= RES[i];
167 * Entropy gathering function
169 static void havege_fill(havege_state
* hs
)
172 int U1
, U2
, *A
, *B
, *C
, *D
;
173 int PT1
, PT2
, *WALK
, RES
[16];
174 int PTX
, PTY
, CLK
, PTEST
, IN
;
183 memset(RES
, 0, sizeof(RES
));
185 while (n
< COLLECT_SIZE
* 4) {
186 ONE_ITERATION ONE_ITERATION ONE_ITERATION ONE_ITERATION
} hs
->PT1
= PT1
;
190 hs
->offset
[1] = COLLECT_SIZE
/ 2;
194 * HAVEGE initialization
196 void havege_init(havege_state
* hs
)
198 memset(hs
, 0, sizeof(havege_state
));
204 * HAVEGE rand function
206 int havege_rand(void *p_rng
)
209 havege_state
*hs
= (havege_state
*) p_rng
;
211 if (hs
->offset
[1] >= COLLECT_SIZE
)
214 ret
= hs
->pool
[hs
->offset
[0]++];
215 ret
^= hs
->pool
[hs
->offset
[1]++];
220 #if defined(TROPICSSL_RAND_TEST)
224 int main(int argc
, char *argv
[])
230 unsigned char buf
[1024];
233 fprintf(stderr
, "usage: %s <output filename>\n", argv
[0]);
237 if ((f
= fopen(argv
[1], "wb+")) == NULL
) {
238 printf("failed to open '%s' for writing.\n", argv
[0]);
246 for (i
= 0, k
= 32768; i
< k
; i
++) {
247 for (j
= 0; j
< sizeof(buf
); j
++)
248 buf
[j
] = havege_rand(&hs
);
250 fwrite(buf
, sizeof(buf
), 1, f
);
252 printf("Generating 32Mb of data in file '%s'... %04.1f"
253 "%% done\r", argv
[1], (100 * (float)(i
+ 1)) / k
);