infnoise BLAKE3 Patch

1. diff --git a/software/Makefile.linux b/software/Makefile.linux
2. index db48aa5..c246dcc 100644
3. --- a/software/Makefile.linux
4. +++ b/software/Makefile.linux
5. @@ -4,7 +4,7 @@ GIT_DATE    := $(firstword $(shell git --no-pager show --date=iso-strict --forma
6.  
7.  PREFIX = $(DESTDIR)/usr/local
8.  
9. -CFLAGS = -Wall -Wextra -Werror -std=c99 -O3 -fPIC -I Keccak -I /usr/include/libftdi1 \
10. +CFLAGS = -Wall -Wextra -Werror -std=c99 -O3 -fPIC -I BLAKE3 -I /usr/include/libftdi1 \
11.   -DGIT_VERSION=\"$(GIT_VERSION)\"\
12.   -DGIT_COMMIT=\"$(GIT_COMMIT)\"\
13.   -DGIT_DATE=\"$(GIT_DATE)\"\
14. @@ -15,25 +15,22 @@ FTDI = $(shell $(CC) -o /dev/null -x c /dev/null -shared -lftdi 2>/dev/null && e
15.  all: libinfnoise.a libinfnoise.so infnoise
16.  
17.  infnoise: libinfnoise.a infnoise.o daemon.o
18. -   $(CC) $(CFLAGS) -o infnoise infnoise.o daemon.o libinfnoise.a $(FTDI) -lm -lrt -L.
19. +   $(CC) $(CFLAGS) -o infnoise infnoise.o daemon.o libinfnoise.a $(FTDI) -lm -lrt -L. -LBLAKE3 -lblake3
20.  
21.  %.o: %.c infnoise.h libinfnoise.h
22.     $(CC) -c -o $@ $< $(CFLAGS)
23.  
24. -KeccakF-1600-reference.o: Keccak/KeccakF-1600-reference.c Keccak/KeccakF-1600-interface.h Keccak/brg_endian.h
25. -   $(CC) -c -o $@ $< $(CFLAGS)
26. -
27.  # static lib compiled into infnoise binary
28.  libinfnoise.o: libinfnoise.c libinfnoise.h libinfnoise_private.h healthcheck.c
29.     $(CC) $(CFLAGS) -c libinfnoise.c
30.  
31. -libinfnoise.a: libinfnoise.o healthcheck.o KeccakF-1600-reference.o writeentropy.o
32. -   ar rcs libinfnoise.a libinfnoise.o healthcheck.o KeccakF-1600-reference.o writeentropy.o
33. +libinfnoise.a: libinfnoise.o healthcheck.o BLAKE3/blake3.o writeentropy.o
34. +   ar rcs libinfnoise.a libinfnoise.o healthcheck.o BLAKE3/blake3.o writeentropy.o
35.     ranlib libinfnoise.a
36.  
37.  # shared lib
38. -libinfnoise.so: libinfnoise.o healthcheck.o KeccakF-1600-reference.o writeentropy.o
39. -   $(CC) $(CFLAGS) -fvisibility=hidden -o libinfnoise.so libinfnoise.o healthcheck.o KeccakF-1600-reference.o writeentropy.o -Wl,--version-script=libinfnoise.version $(FTDI) -lm -shared
40. +libinfnoise.so: libinfnoise.o healthcheck.o BLAKE3/blake3.o writeentropy.o
41. +   $(CC) $(CFLAGS) -fvisibility=hidden -o libinfnoise.so libinfnoise.o healthcheck.o BLAKE3/blake3.o writeentropy.o -Wl,--version-script=libinfnoise.version $(FTDI) -lm -shared
42.  
43.  libs: libinfnoise.a
44.  
45. diff --git a/software/infnoise.c b/software/infnoise.c
46. index 0361b6a..a0f85a6 100644
47. --- a/software/infnoise.c
48. +++ b/software/infnoise.c
49. @@ -30,7 +30,6 @@ void term(int signum)
50.  }
51.  
52.  static void initOpts(struct opt_struct *opts) {
53. -    opts->outputMultiplier = 0u;
54.      opts->daemon = false;
55.      opts->debug = false;
56.      opts->devRandom = false;
57. @@ -50,7 +49,6 @@ static struct option longopts[] = {
58.          {"debug",        no_argument,       NULL, 'D'},
59.          {"dev-random",   no_argument,       NULL, 'R'},
60.          {"no-output",    no_argument,       NULL, 'n'},
61. -        {"multiplier",   required_argument, NULL, 'm'},
62.          {"pidfile",      required_argument, NULL, 'p'},
63.          {"serial",       required_argument, NULL, 's'},
64.          {"daemon",       no_argument,       NULL, 'd'},
65. @@ -104,7 +102,6 @@ int main(int argc, char **argv) {
66.      struct infnoise_context context;
67.      struct opt_struct opts;
68.      int ch;
69. -    bool multiplierAssigned = false;
70.  
71.      initOpts(&opts);
72.  
73. @@ -124,15 +121,6 @@ int main(int argc, char **argv) {
74.              case 'n':
75.                  opts.noOutput = true;
76.                  break;
77. -            case 'm':
78. -                multiplierAssigned = true;
79. -                int tmpOutputMult = atoi(optarg);
80. -                if (tmpOutputMult < 0) {
81. -                    fputs("Multiplier must be >= 0\n", stderr);
82. -                    return 1;
83. -                }
84. -                opts.outputMultiplier = tmpOutputMult;
85. -                break;
86.              case 'p':
87.                  opts.pidFileName = optarg;
88.                  if (opts.pidFileName == NULL || opts.pidFileName[0] == '\0') {
89. @@ -172,8 +160,6 @@ int main(int argc, char **argv) {
90.                "    -R, --dev-random - write entropy to /dev/random instead of "
91.                "stdout\n"
92.                "    -r, --raw - do not whiten the output\n"
93. -              "    -m, --multiplier <value> - write 256 bits * value for each 512 bits written to\n"
94. -              "      the Keccak sponge.  Default of 0 means write all the entropy.\n"
95.                "    -n, --no-output - do not write random output data\n"
96.                "    -p, --pidfile <file> - write process ID to file\n"
97.                "    -d, --daemon - run in the background\n"
98. @@ -203,23 +189,6 @@ int main(int argc, char **argv) {
99.                        && !strcmp("true", envDbg));
100.      }
101.  
102. -    if (!multiplierAssigned) {
103. -        char *envMultiplier = getenv("INFNOISE_MULTIPLIER");
104. -        if (envMultiplier != NULL) {
105. -            int tmpOutputMult = atoi(envMultiplier);
106. -            if (tmpOutputMult < 0) {
107. -                fputs("Multiplier must be >= 0\n", stderr);
108. -                return 1;
109. -            }
110. -            multiplierAssigned = true;
111. -            opts.outputMultiplier = tmpOutputMult;
112. -        }
113. -    }
114. -
115. -    if (!multiplierAssigned && opts.devRandom) {
116. -        opts.outputMultiplier = 2u; // Don't throw away entropy when writing to /dev/random unless told to do so
117. -    }
118. -
119.      if (opts.listDevices) {
120.          infnoise_devlist_node_t* devlist = listUSBDevices(&context.message);
121.          if (devlist == NULL) {
122. @@ -263,21 +232,12 @@ int main(int argc, char **argv) {
123.      // Optionally run in the background and optionally write a PID-file
124.      startDaemon(&opts);
125.  
126. -    // initialize USB device, health check and Keccak state (see libinfnoise)
127. +    // initialize USB device, health check and BLAKE3 (see libinfnoise)
128.      if (!initInfnoise(&context, opts.serial, !opts.raw, opts.debug)) {
129.          fprintf(stderr, "Error: %s\n", context.message);
130.          return 1; // ERROR
131.      }
132.  
133. -    // calculate output size based on the parameters:
134. -    uint64_t resultSize;
135. -    if (opts.outputMultiplier <= 2 || opts.raw) {
136. -        resultSize = 64u;
137. -    } else {
138. -        resultSize = 128u;
139. -    }
140. -    //fprintf(stderr, "resultsize: %lu\n", resultSize);
141. -
142.      // get proper shutdown
143.      struct sigaction action;
144.      memset(&action, 0, sizeof(action));
145. @@ -288,8 +248,8 @@ int main(int argc, char **argv) {
146.      // endless loop
147.      uint64_t totalBytesWritten = 0u;
148.      while (running) {
149. -        uint8_t result[resultSize];
150. -        uint64_t bytesWritten = readData(&context, result, opts.raw, opts.outputMultiplier);
151. +        uint8_t result[64u];
152. +        uint64_t bytesWritten = readData(&context, result, opts.raw);
153.          totalBytesWritten += bytesWritten;
154.  
155.          if (context.errorFlag) {
156. diff --git a/software/infnoise.h b/software/infnoise.h
157. index 3f894de..7ba96a1 100644
158. --- a/software/infnoise.h
159. +++ b/software/infnoise.h
160. @@ -9,7 +9,6 @@
161.  
162.  // Structure for parsed command line options
163.  struct opt_struct {
164. -        uint32_t outputMultiplier; // We output all the entropy when outputMultiplier == 0
165.          bool daemon;            // Run as daemon?
166.          bool debug;             // Print debugging info?
167.          bool devRandom;         // Feed /dev/random?
168. diff --git a/software/libinfnoise.c b/software/libinfnoise.c
169. index 7c7f9f5..14744a5 100644
170. --- a/software/libinfnoise.c
171. +++ b/software/libinfnoise.c
172. @@ -16,20 +16,18 @@
173.  #include <sys/types.h>
174.  #include <ftdi.h>
175.  #include "libinfnoise_private.h"
176. -#include "KeccakF-1600-interface.h"
177. +#include "blake3.h"
178.  
179.  #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__DragonFly__) || defined(__FreeBSD__)
180.  #include <fcntl.h>
181.  #endif
182.  
183. -uint8_t keccakState[KeccakPermutationSizeInBytes];
184. +blake3_hasher blake3hasher;
185.  
186. -bool initInfnoise(struct infnoise_context *context, char *serial, bool keccak, bool debug) {
187. +bool initInfnoise(struct infnoise_context *context, char *serial, bool blake3, bool debug) {
188.      context->message="";
189.      context->entropyThisTime=0;
190.      context->errorFlag=false;
191. -    context->bytesGiven=0;
192. -    context->bytesWritten=0;
193.  
194.      prepareOutputBuffer();
195.  
196. @@ -47,11 +45,9 @@ bool initInfnoise(struct infnoise_context *context, char *serial, bool keccak, b
197.          }
198.      }
199.  
200. -    // initialize keccak
201. -    if (keccak) {
202. -        KeccakInitialize();
203. -        KeccakInitializeState(keccakState);
204. -    }
205. +    // initialize blake3
206. +    if (blake3)
207. +        blake3_hasher_init(&blake3hasher);
208.  
209.      // let healthcheck collect some data
210.      uint32_t maxWarmupRounds = 5000;
211. @@ -59,7 +55,7 @@ bool initInfnoise(struct infnoise_context *context, char *serial, bool keccak, b
212.  
213.      //bool errorFlag = false;
214.      while (!inmHealthCheckOkToUseData()) {
215. -        readData(context, NULL, true, 1);
216. +        readData(context, NULL, true);
217.          warmupRounds++;
218.      }
219.  
220. @@ -120,15 +116,9 @@ uint32_t extractBytes(uint8_t *bytes, uint32_t length, uint8_t *inBuf, const cha
221.      return inmGetEntropyLevel();
222.  }
223.  
224. -// Whiten the output, if requested, with a Keccak sponge. Output bytes only if the health
225. -// checker says it's OK.  Using outputMultiplier > 1 is a nice way to generate a lot more
226. -// cryptographically secure pseudo-random data than the INM generates.  If
227. -// outputMultiplier is 0, we output only as many bits as we measure in entropy.
228. -// This allows a user to generate hundreds of MiB per second if needed, for use
229. -// as cryptographic keys.
230. -uint32_t processBytes(uint8_t *bytes, uint8_t *result, uint32_t *entropy,
231. -                      uint32_t *bytesGiven, uint32_t *bytesWritten,
232. -                      bool raw, uint32_t outputMultiplier) {
233. +// Whiten the output, if requested. Output bytes only if the health
234. +// checker says it's OK.
235. +uint32_t processBytes(uint8_t *bytes, uint8_t *result, uint32_t *entropy, bool raw) {
236.      //Use the lower of the measured entropy and the provable lower bound on
237.      //average entropy.
238.      if (*entropy > inmExpectedEntropyPerBit * BUFLEN / INM_ACCURACY) {
239. @@ -142,50 +132,11 @@ uint32_t processBytes(uint8_t *bytes, uint8_t *result, uint32_t *entropy,
240.          return BUFLEN / 8u;
241.      }
242.  
243. -    // Note that BUFLEN has to be less than 1600 by enough to make the sponge secure,
244. -    // since outputting all 1600 bits would tell an attacker the Keccak state, allowing
245. -    // him to predict any further output, when outputMultiplier > 1, until the next call
246. -    // to processBytes.  All 512 bits are absorbed before squeezing data out to ensure that
247. -    // we instantly recover (reseed) from a state compromise, which is when an attacker
248. -    // gets a snapshot of the keccak state.  BUFLEN must be a multiple of 64, since
249. -    // Keccak-1600 uses 64-bit "lanes".
250. -    uint8_t resultSize;
251. -    if (outputMultiplier <= 2) {
252. -        resultSize = 64u;
253. -    } else {
254. -        resultSize = 128u;
255. -    }
256. -
257. -    uint8_t dataOut[resultSize];
258. -    KeccakAbsorb(keccakState, bytes, BUFLEN / 64u);
259. -
260. -    if (outputMultiplier == 0u) {
261. -        // Output all the bytes of entropy we have
262. -        KeccakExtract(keccakState, dataOut, (*entropy + 63u) / 64u);
263. -        if (result != NULL) {
264. -            memcpy(result, dataOut, *entropy / 8u * sizeof(uint8_t));
265. -        }
266. -        return *entropy / 8u;
267. +    blake3_hasher_update(&blake3hasher, bytes, *entropy / 8u * sizeof(uint8_t));
268. +    if (result != NULL) {
269. +        blake3_hasher_finalize(&blake3hasher, result, *entropy / 8u * sizeof(uint8_t));
270.      }
271. -
272. -    // Output 256*outputMultipler bits (in chunks of 1024)
273. -    // only the first 1024 now,
274. -    if (*bytesGiven == 0u) {
275. -        *bytesGiven = outputMultiplier*256u / 8u;
276. -        *bytesWritten = 0u;
277. -
278. -        // Output up to 1024 bits at a time.
279. -        uint32_t bytesToWrite = 1024u / 8u;
280. -        if (bytesToWrite > *bytesGiven) {
281. -            bytesToWrite = *bytesGiven;
282. -        }
283. -
284. -        KeccakExtract(keccakState, result, bytesToWrite / 8u);
285. -        KeccakPermutation(keccakState);
286. -        *bytesWritten = bytesToWrite;
287. -        *bytesGiven -= bytesToWrite;
288. -    }
289. -    return *bytesWritten;
290. +    return *entropy / 8u;
291.  }
292.  
293.  // Return the difference in the times as a double in microseconds.
294. @@ -351,25 +302,7 @@ bool initializeUSB(struct ftdi_context *ftdic, const char **message, char *seria
295.      return true;
296.  }
297.  
298. -uint32_t readData(struct infnoise_context *context, uint8_t *result, bool raw, uint32_t outputMultiplier) {
299. -    // check if data can be squeezed from the keccak sponge from previous state (or we need to collect some new entropy to get bytesGiven >0)
300. -    if (context->bytesGiven > 0u) {
301. -        // squeeze the sponge!
302. -
303. -        // Output up to 1024 bits at a time.
304. -        uint32_t bytesToWrite = 1024u / 8u;
305. -
306. -        if (bytesToWrite > context->bytesGiven) {
307. -            bytesToWrite = context->bytesGiven;
308. -        }
309. -
310. -        KeccakExtract(keccakState, result, bytesToWrite / 8u);
311. -        KeccakPermutation(keccakState);
312. -
313. -        context->bytesWritten += bytesToWrite;
314. -        context->bytesGiven -= bytesToWrite;
315. -        return bytesToWrite;
316. -    } else { // collect new entropy
317. +uint32_t readData(struct infnoise_context *context, uint8_t *result, bool raw) {
318.          uint8_t inBuf[BUFLEN];
319.          struct timespec start;
320.          clock_gettime(CLOCK_REALTIME, &start);
321. @@ -400,10 +333,9 @@ uint32_t readData(struct infnoise_context *context, uint8_t *result, bool raw, u
322.              }
323.              // call health check and return bytes if OK
324.              if (inmHealthCheckOkToUseData() && inmEntropyOnTarget(context->entropyThisTime, BUFLEN)) {
325. -                return processBytes(bytes, result, &context->entropyThisTime, &context->bytesGiven, &context->bytesWritten,
326. -                raw, outputMultiplier);
327. +                return processBytes(bytes, result, &context->entropyThisTime, raw);
328.              }
329.          }
330. -    }
331. +
332.      return 0;
333.  }
334. diff --git a/software/libinfnoise.h b/software/libinfnoise.h
335. index 4c0b75b..a21c9e0 100644
336. --- a/software/libinfnoise.h
337. +++ b/software/libinfnoise.h
338. @@ -12,7 +12,6 @@
339.  #include <time.h>
340.  
341.  // The FT240X has a 512 byte buffer.  Must be multiple of 64
342. -// We also write this in one go to the Keccak sponge, which is at most 1600 bits
343.  #define BUFLEN 512u
344.  
345.  #ifdef __cplusplus
346. @@ -25,11 +24,6 @@ struct infnoise_context {
347.      uint32_t entropyThisTime;
348.      const char *message;
349.      bool errorFlag;
350. -    //uint8_t keccakState[KeccakPermutationSizeInBytes];
351. -
352. -    // used in multiplier mode to keep track of bytes to be put out
353. -    uint32_t bytesGiven;
354. -    uint32_t bytesWritten;
355.  };
356.  
357.  typedef struct _infnoise_devlist_node_t infnoise_devlist_node_t;
358. @@ -56,11 +50,11 @@ infnoise_devlist_node_t* listUSBDevices(const char **message);
359.   * parameters:
360.   *  - context: pointer to infnoise_context struct
361.   *  - serial: optional serial number of the device (NULL)
362. - *  - keccak: initialize Keccak sponge (required to use readData with raw=false)
363. + *  - blake3: use BLAKE3 (required to use readData with raw=false)
364.   *  - debug: debug flag
365.   * returns: boolean success indicator (0=success)
366.  */
367. -bool initInfnoise(struct infnoise_context *context, char *serial, bool keccak, bool debug);
368. +bool initInfnoise(struct infnoise_context *context, char *serial, bool blake3, bool debug);
369.  
370.  
371.  /*
372. @@ -74,7 +68,6 @@ void deinitInfnoise(struct infnoise_context *context);
373.  /*
374.   * Reads some bytes from the TRNG and stores them in the "result" byte array.
375.   * The array has to be of sufficient size. Please refer to the example programs.
376. - * (64 byte for normal operation or 128byte for multiplier mode)
377.   *
378.   * After every read operation, the infnoise_context's errorFlag must be checked,
379.   * and the data from this call has to be discarded when it returns true!
380. @@ -85,11 +78,10 @@ void deinitInfnoise(struct infnoise_context *context);
381.   *  - context: infnoise_context struct with device pointer and state variables
382.   *  - result: pointer to byte array to store the result
383.   *  - raw: boolean flag for raw or whitened output
384. - *  - outputMultiplier: only used for whitened output
385.   *
386.   * returns: number of bytes written to the byte-array
387.  */
388. -uint32_t readData(struct infnoise_context *context, uint8_t *result, bool raw, uint32_t outputMultiplier);
389. +uint32_t readData(struct infnoise_context *context, uint8_t *result, bool raw);
390.  
391.  #ifdef __cplusplus
392.  }
393. diff --git a/software/libinfnoise_private.h b/software/libinfnoise_private.h
394. index 6c10c34..2302439 100644
395. --- a/software/libinfnoise_private.h
396. +++ b/software/libinfnoise_private.h
397. @@ -70,7 +70,6 @@ uint32_t extractBytes(uint8_t *bytes, uint32_t length, uint8_t *inBuf, const cha
398.  
399.  bool outputBytes(uint8_t *bytes, uint32_t length, uint32_t entropy, bool writeDevRandom, const char **message);
400.  
401. -uint32_t processBytes(uint8_t *bytes, uint8_t *result, uint32_t *entropy, uint32_t *bytesGiven, uint32_t *bytesWritten, bool raw,
402. -                      uint32_t outputMultiplier);
403. +uint32_t processBytes(uint8_t *bytes, uint8_t *result, uint32_t *entropy, bool raw);
404.  
405.  #endif