9387609c7b
There's no reason to think that the seed isn't reproducible from the output: we don't want to give away our siphash seed and allow hashbombing, so seed isaac with the SHA of the seed. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
#include "pseudorand.h"
#include <assert.h>
#include <ccan/crypto/sha256/sha256.h>
#include <ccan/crypto/siphash24/siphash24.h>
#include <ccan/err/err.h>
#include <ccan/isaac/isaac64.h>
#include <ccan/likely/likely.h>
#include <sodium/randombytes.h>
#include <sodium/utils.h>
#include <stdbool.h>
#include <string.h>
/* All three are filled in lazily by init_if_needed(); none of them is
 * valid until pseudorand_initted has been set. */
static bool pseudorand_initted = false;
/* Seed handed out by siphash_seed(); copied verbatim from fresh random bytes. */
static struct siphash_seed siphashseed;
/* Generator behind pseudorand(); seeded with the SHA256 of those same bytes. */
static struct isaac64_ctx isaac64;
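/* Seed both generators on first use.
 *
 * 16 bytes from the system CSPRNG become the siphash seed directly; the
 * isaac64 stream is seeded with the SHA256 of those bytes instead, so that
 * observing isaac output cannot recover the siphash seed even if isaac turns
 * out to be reversible.  No locking: NOTE(review) the first call is assumed to
 * happen before any concurrent use — confirm against callers.
 */
static void init_if_needed(void)
{
	if (unlikely(!pseudorand_initted)) {
		unsigned char seedbuf[16];
		struct sha256 sha;

		randombytes_buf(seedbuf, sizeof(seedbuf));

		/* The copy below reads sizeof(siphashseed) bytes out of seedbuf;
		 * make sure the seed struct never outgrows the buffer. */
		assert(sizeof(siphashseed) <= sizeof(seedbuf));
		memcpy(&siphashseed, seedbuf, sizeof(siphashseed));

		/* In case isaac is reversible, don't leak seed. */
		sha256(&sha, seedbuf, sizeof(seedbuf));
		isaac64_init(&isaac64, sha.u.u8, sizeof(sha.u.u8));

		/* Both locals now hold key material (the siphash seed and the
		 * isaac seed).  Wipe them so they don't linger in a dead stack
		 * frame; sodium_memzero, unlike a plain memset before return,
		 * is not optimized away. */
		sodium_memzero(seedbuf, sizeof(seedbuf));
		sodium_memzero(&sha, sizeof(sha));

		pseudorand_initted = true;
	}
}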
/* Draw one pseudorandom value bounded by max from the isaac64 stream.
 *
 * Seeds the generator lazily on the first call.  A zero bound is a caller
 * bug (asserted); the bound is otherwise passed straight through to
 * isaac64_next_uint, which presumably yields a value in [0, max) — see its
 * documentation.
 */
uint64_t pseudorand(uint64_t max)
{
	init_if_needed();

	assert(max != 0);
	return isaac64_next_uint(&isaac64, max);
}
/* Return the process-wide siphash seed, seeding it first if necessary.
 *
 * The pointer refers to file-scope storage: it stays valid for the life of
 * the process and must not be freed or written through.
 */
const struct siphash_seed *siphash_seed(void)
{
	/* Same lazy init as pseudorand(); the seed is meaningless before it. */
	init_if_needed();

	return &siphashseed;
}