Update files for OpenSSL-1.0.0f import.
[dragonfly.git] / secure / lib / libcrypto / man / rand.3
CommitLineData
e3261593 1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
8b0cefbb
JR
2.\"
3.\" Standard preamble:
4.\" ========================================================================
8b0cefbb 5.de Sp \" Vertical space (when we can't use .PP)
984263bc
MD
6.if t .sp .5v
7.if n .sp
8..
8b0cefbb 9.de Vb \" Begin verbatim text
984263bc
MD
10.ft CW
11.nf
12.ne \\$1
13..
8b0cefbb 14.de Ve \" End verbatim text
984263bc 15.ft R
984263bc
MD
16.fi
17..
8b0cefbb
JR
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
e257b235
PA
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
8b0cefbb 25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 26.ie n \{\
8b0cefbb
JR
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
984263bc
MD
35'br\}
36.el\{\
8b0cefbb
JR
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
984263bc 41'br\}
8b0cefbb 42.\"
e257b235
PA
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
8b0cefbb 47.\" If the F register is turned on, we'll generate index entries on stderr for
01185282 48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
8b0cefbb
JR
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
e257b235 51.ie \nF \{\
8b0cefbb
JR
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 54..
8b0cefbb
JR
55. nr % 0
56. rr F
984263bc 57.\}
e257b235
PA
58.el \{\
59. de IX
60..
61.\}
aac4ff6f 62.\"
8b0cefbb
JR
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
984263bc 66.if n \{\
8b0cefbb
JR
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
984263bc
MD
72.\}
73.if t \{\
8b0cefbb
JR
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
984263bc 79.\}
8b0cefbb 80. \" simple accents for nroff and troff
984263bc 81.if n \{\
8b0cefbb
JR
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
984263bc
MD
88.\}
89.if t \{\
8b0cefbb
JR
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 96.\}
8b0cefbb 97. \" troff and (daisy-wheel) nroff accents
984263bc
MD
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 107. \" corrections for vroff
984263bc
MD
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 110. \" for low resolution devices (crt and lpr)
984263bc
MD
111.if \n(.H>23 .if \n(.V>19 \
112\{\
8b0cefbb
JR
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
984263bc
MD
122.\}
123.rm #[ #] #H #V #F C
8b0cefbb
JR
124.\" ========================================================================
125.\"
126.IX Title "rand 3"
e3261593 127.TH rand 3 "2012-01-04" "1.0.0f" "OpenSSL"
e257b235
PA
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
984263bc 132.SH "NAME"
8b0cefbb 133rand \- pseudo\-random number generator
984263bc 134.SH "SYNOPSIS"
8b0cefbb 135.IX Header "SYNOPSIS"
984263bc
MD
136.Vb 1
137\& #include <openssl/rand.h>
e257b235 138\&
984263bc 139\& int RAND_set_rand_engine(ENGINE *engine);
e257b235 140\&
984263bc
MD
141\& int RAND_bytes(unsigned char *buf, int num);
142\& int RAND_pseudo_bytes(unsigned char *buf, int num);
e257b235 143\&
984263bc
MD
144\& void RAND_seed(const void *buf, int num);
145\& void RAND_add(const void *buf, int num, int entropy);
146\& int RAND_status(void);
e257b235 147\&
984263bc
MD
148\& int RAND_load_file(const char *file, long max_bytes);
149\& int RAND_write_file(const char *file);
150\& const char *RAND_file_name(char *file, size_t num);
e257b235 151\&
984263bc 152\& int RAND_egd(const char *path);
e257b235 153\&
984263bc
MD
154\& void RAND_set_rand_method(const RAND_METHOD *meth);
155\& const RAND_METHOD *RAND_get_rand_method(void);
156\& RAND_METHOD *RAND_SSLeay(void);
e257b235 157\&
984263bc 158\& void RAND_cleanup(void);
e257b235 159\&
984263bc
MD
160\& /* For Win32 only */
161\& void RAND_screen(void);
162\& int RAND_event(UINT, WPARAM, LPARAM);
163.Ve
164.SH "DESCRIPTION"
8b0cefbb
JR
165.IX Header "DESCRIPTION"
166Since the introduction of the \s-1ENGINE\s0 \s-1API\s0, the recommended way of controlling
167default implementations is by using the \s-1ENGINE\s0 \s-1API\s0 functions. The default
168\&\fB\s-1RAND_METHOD\s0\fR, as set by \fIRAND_set_rand_method()\fR and returned by
169\&\fIRAND_get_rand_method()\fR, is only used if no \s-1ENGINE\s0 has been set as the default
170\&\*(L"rand\*(R" implementation. Hence, these two functions are no longer the recommened
984263bc
MD
171way to control defaults.
172.PP
8b0cefbb
JR
173If an alternative \fB\s-1RAND_METHOD\s0\fR implementation is being used (either set
174directly or as provided by an \s-1ENGINE\s0 module), then it is entirely responsible
175for the generation and management of a cryptographically secure \s-1PRNG\s0 stream. The
176mechanisms described below relate solely to the software \s-1PRNG\s0 implementation
984263bc
MD
177built in to OpenSSL and used by default.
178.PP
179These functions implement a cryptographically secure pseudo-random
8b0cefbb 180number generator (\s-1PRNG\s0). It is used by other library functions for
984263bc
MD
181example to generate random keys, and applications can use it when they
182need randomness.
183.PP
8b0cefbb 184A cryptographic \s-1PRNG\s0 must be seeded with unpredictable data such as
984263bc 185mouse movements or keys pressed at random by the user. This is
8b0cefbb
JR
186described in \fIRAND_add\fR\|(3). Its state can be saved in a seed file
187(see \fIRAND_load_file\fR\|(3)) to avoid having to go through the
984263bc
MD
188seeding process whenever the application is started.
189.PP
8b0cefbb 190\&\fIRAND_bytes\fR\|(3) describes how to obtain random data from the
e257b235 191\&\s-1PRNG\s0.
984263bc 192.SH "INTERNALS"
8b0cefbb
JR
193.IX Header "INTERNALS"
194The \fIRAND_SSLeay()\fR method implements a \s-1PRNG\s0 based on a cryptographic
984263bc
MD
195hash function.
196.PP
197The following description of its design is based on the SSLeay
198documentation:
199.PP
8b0cefbb 200First up I will state the things I believe I need for a good \s-1RNG\s0.
e257b235 201.IP "1." 4
8b0cefbb 202A good hashing algorithm to mix things up and to convert the \s-1RNG\s0 'state'
984263bc 203to random numbers.
e257b235 204.IP "2." 4
8b0cefbb 205An initial source of random 'state'.
e257b235 206.IP "3." 4
984263bc
MD
207The state should be very large. If the \s-1RNG\s0 is being used to generate
2084096 bit \s-1RSA\s0 keys, 2 2048 bit random strings are required (at a minimum).
209If your \s-1RNG\s0 state only has 128 bits, you are obviously limiting the
210search space to 128 bits, not 2048. I'm probably getting a little
211carried away on this last point but it does indicate that it may not be
212a bad idea to keep quite a lot of \s-1RNG\s0 state. It should be easier to
213break a cipher than guess the \s-1RNG\s0 seed data.
e257b235 214.IP "4." 4
984263bc
MD
215Any \s-1RNG\s0 seed data should influence all subsequent random numbers
216generated. This implies that any random seed data entered will have
217an influence on all subsequent random numbers generated.
e257b235 218.IP "5." 4
984263bc
MD
219When using data to seed the \s-1RNG\s0 state, the data used should not be
220extractable from the \s-1RNG\s0 state. I believe this should be a
8b0cefbb 221requirement because one possible source of 'secret' semi random
984263bc
MD
222data would be a private key or a password. This data must
223not be disclosed by either subsequent random numbers or a
8b0cefbb 224\&'core' dump left by a program crash.
e257b235 225.IP "6." 4
8b0cefbb 226Given the same initial 'state', 2 systems should deviate in their \s-1RNG\s0 state
984263bc 227(and hence the random numbers generated) over time if at all possible.
e257b235 228.IP "7." 4
984263bc
MD
229Given the random number output stream, it should not be possible to determine
230the \s-1RNG\s0 state or the next random number.
231.PP
232The algorithm is as follows.
233.PP
8b0cefbb 234There is global state made up of a 1023 byte buffer (the 'state'), a
984263bc
MD
235working hash value ('md'), and a counter ('count').
236.PP
8b0cefbb 237Whenever seed data is added, it is inserted into the 'state' as
984263bc
MD
238follows.
239.PP
240The input is chopped up into units of 20 bytes (or less for
241the last block). Each of these blocks is run through the hash
242function as follows: The data passed to the hash function
8b0cefbb 243is the current 'md', the same number of bytes from the 'state'
984263bc 244(the location determined by in incremented looping index) as
8b0cefbb 245the current 'block', the new key data 'block', and 'count'
984263bc 246(which is incremented after each use).
8b0cefbb
JR
247The result of this is kept in 'md' and also xored into the
248\&'state' at the same locations that were used as input into the
984263bc
MD
249hash function. I
250believe this system addresses points 1 (hash function; currently
8b0cefbb 251\&\s-1SHA\-1\s0), 3 (the 'state'), 4 (via the 'md'), 5 (by the use of a hash
984263bc
MD
252function and xor).
253.PP
254When bytes are extracted from the \s-1RNG\s0, the following process is used.
255For each group of 10 bytes (or less), we do the following:
256.PP
8b0cefbb
JR
257Input into the hash function the local 'md' (which is initialized from
258the global 'md' before any bytes are generated), the bytes that are to
259be overwritten by the random bytes, and bytes from the 'state'
984263bc 260(incrementing looping index). From this digest output (which is kept
8b0cefbb
JR
261in 'md'), the top (up to) 10 bytes are returned to the caller and the
262bottom 10 bytes are xored into the 'state'.
984263bc 263.PP
8b0cefbb
JR
264Finally, after we have finished 'num' random bytes for the caller,
265\&'count' (which is incremented) and the local and global 'md' are fed
266into the hash function and the results are kept in the global 'md'.
984263bc 267.PP
8b0cefbb
JR
268I believe the above addressed points 1 (use of \s-1SHA\-1\s0), 6 (by hashing
269into the 'state' the 'old' data from the caller that is about to be
984263bc 270overwritten) and 7 (by not using the 10 bytes given to the caller to
8b0cefbb 271update the 'state', but they are used to update 'md').
984263bc
MD
272.PP
273So of the points raised, only 2 is not addressed (but see
8b0cefbb 274\&\fIRAND_add\fR\|(3)).
984263bc 275.SH "SEE ALSO"
74dab6c2 276.IX Header "SEE ALSO"
8b0cefbb
JR
277\&\fIBN_rand\fR\|(3), \fIRAND_add\fR\|(3),
278\&\fIRAND_load_file\fR\|(3), \fIRAND_egd\fR\|(3),
279\&\fIRAND_bytes\fR\|(3),
280\&\fIRAND_set_rand_method\fR\|(3),
e257b235 281\&\fIRAND_cleanup\fR\|(3)