authormarkm <markm@FreeBSD.org>2002-07-15 13:58:35 +0000
committermarkm <markm@FreeBSD.org>2002-07-15 13:58:35 +0000
commit2370535caa1ffd00e4480c7894e5e9381e52520d (patch)
treefb7e9c3d811aeb44859d7b6f68ad78e9fda5e601 /sys/dev/random
parenta22b6ae7fb60a1cfcb9cbdfc8e6146d714f11589 (diff)
Upgrade the random device to use a "real" hash instead of building
one out of a block cipher. This has two advantages: 1) the code is _much_ simpler; 2) we aren't committing our security to one algorithm (much as we may think we trust AES). While I'm here, make an explicit reseed do a slow reseed instead of a fast one; this is in line with what the original paper suggested.
Diffstat (limited to 'sys/dev/random')
-rw-r--r--sys/dev/random/hash.c50
-rw-r--r--sys/dev/random/hash.h8
-rw-r--r--sys/dev/random/yarrow.c7
3 files changed, 11 insertions, 54 deletions
diff --git a/sys/dev/random/hash.c b/sys/dev/random/hash.c
index a9246c3..98bd253 100644
--- a/sys/dev/random/hash.c
+++ b/sys/dev/random/hash.c
@@ -30,47 +30,22 @@
#include <sys/systm.h>
#include <crypto/rijndael/rijndael.h>
+#include <crypto/sha2/sha2.h>
#include <dev/random/hash.h>
-/* initialise the hash by zeroing it */
+/* initialise the hash */
void
yarrow_hash_init(struct yarrowhash *context)
{
- rijndael_cipherInit(&context->cipher, MODE_CBC, NULL);
- bzero(context->hash, KEYSIZE);
- context->partial = 0;
+ SHA256_Init(&context->sha);
}
-/* Do a Davies-Meyer hash using a block cipher.
- * H_0 = I
- * H_i = E_M_i(H_i-1) ^ H_i-1
- */
+/* iterate the hash */
void
yarrow_hash_iterate(struct yarrowhash *context, void *data, size_t size)
{
- u_char temp[KEYSIZE];
- u_int i, j;
- union {
- void *pv;
- char *pc;
- } trans;
-
- trans.pv = data;
- for (i = 0; i < size; i++) {
- context->accum[context->partial++] = trans.pc[i];
- if (context->partial == (KEYSIZE - 1)) {
- rijndael_makeKey(&context->hashkey, DIR_ENCRYPT,
- KEYSIZE*8, context->accum);
- rijndael_blockEncrypt(&context->cipher,
- &context->hashkey, context->hash,
- KEYSIZE*8, temp);
- for (j = 0; j < KEYSIZE; j++)
- context->hash[j] ^= temp[j];
- bzero(context->accum, KEYSIZE);
- context->partial = 0;
- }
- }
+ SHA256_Update(&context->sha, data, size);
}
/* Conclude by returning the hash in the supplied /buf/ which must be
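Review bot: `yarrow_hash_iterate` still takes `void *data` even though its new body only forwards the pointer to SHA256_Update, which reads through it; declare it `const void *data` (and mirror that in the prototype in hash.h, which is outside this hunk) so callers can hash `const` buffers without a cast and the compiler enforces that the accumulator never writes through the pointer. The rijndael include kept on the first context line appears to still be needed, since the cipher key-schedule routine that begins after the next hunk lives in this same file. The header comment for `yarrow_hash_finish` on the last line continues past the hunk.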
@@ -80,20 +55,7 @@ yarrow_hash_iterate(struct yarrowhash *context, void *data, size_t size)
void
yarrow_hash_finish(struct yarrowhash *context, void *buf)
{
- u_char temp[KEYSIZE];
- int i;
-
- if (context->partial) {
- rijndael_makeKey(&context->hashkey, DIR_ENCRYPT,
- KEYSIZE*8, context->accum);
- rijndael_blockEncrypt(&context->cipher,
- &context->hashkey, context->hash,
- KEYSIZE*8, temp);
- for (i = 0; i < KEYSIZE; i++)
- context->hash[i] ^= temp[i];
- }
- memcpy(buf, context->hash, KEYSIZE);
- bzero(context->hash, KEYSIZE);
+ SHA256_Final(buf, &context->sha);
}
/* Initialise the encryption routine by setting up the key schedule
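Review bot: `yarrow_hash_finish` no longer clears its own state — the removed `bzero(context->hash, KEYSIZE)` did that explicitly, and the new body relies entirely on `SHA256_Final`, whose behaviour with respect to its context is not visible from this hunk. Because `struct yarrowhash` is intended to be static (per the "Big! Make static!" note in hash.h), if the library routine leaves the SHA256_CTX intact then the intermediate state of the last digest stays resident in kernel memory between uses. Either confirm that the sha2 implementation wipes the context on finalisation or add `bzero(&context->sha, sizeof(context->sha));` after the `SHA256_Final` call so the clearing guarantee the old code gave is preserved regardless of the library. The comment above `yarrow_hash_finish` starts before this hunk.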
diff --git a/sys/dev/random/hash.h b/sys/dev/random/hash.h
index 5a30821..b307bfc 100644
--- a/sys/dev/random/hash.h
+++ b/sys/dev/random/hash.h
@@ -26,14 +26,10 @@
* $FreeBSD$
*/
-#define KEYSIZE 32 /* in bytes - 32 bytes == 256 bits */
+#define KEYSIZE 32 /* (in bytes) 32 bytes == 256 bits */
struct yarrowhash { /* Big! Make static! */
- keyInstance hashkey; /* Data cycles through here */
- cipherInstance cipher; /* Rijndael internal */
- u_char hash[KEYSIZE]; /* Repeatedly encrypted */
- char accum[KEYSIZE]; /* Accumulate partial chunks */
- u_int partial; /* Keep track of < KEYSIZE chunks */
+ SHA256_CTX sha;
};
struct yarrowkey { /* Big! Make static! */
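Review bot: `KEYSIZE` stays at a hand-maintained 32 while `yarrow_hash_finish` now writes a SHA-256 digest into the caller's `KEYSIZE`-byte buffer, so the equality between the two sizes is implicit and nothing stops them drifting apart; if sha2.h provides `SHA256_DIGEST_LENGTH`, add `#if KEYSIZE != SHA256_DIGEST_LENGTH` / `#error "KEYSIZE must match the SHA-256 digest size"` / `#endif` next to the define, or at least state the dependency in the comment on the define. Separately, the header now names `SHA256_CTX` without including `<crypto/sha2/sha2.h>`, so it compiles only when the includer has pulled sha2.h in first (both .c files in this commit do); either include it here or note the ordering requirement, as the existing dependency on the rijndael types already has. The `struct yarrowkey` definition on the last line continues past the hunk.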
diff --git a/sys/dev/random/yarrow.c b/sys/dev/random/yarrow.c
index dd79c34..9407892 100644
--- a/sys/dev/random/yarrow.c
+++ b/sys/dev/random/yarrow.c
@@ -35,6 +35,7 @@
#include <sys/sysctl.h>
#include <crypto/rijndael/rijndael.h>
+#include <crypto/sha2/sha2.h>
#include <dev/random/hash.h>
#include <dev/random/randomdev.h>
@@ -249,9 +250,7 @@ reseed(u_int fastslow)
random_unblock();
}
-/* Internal function to do return processed entropy from the
- * Yarrow PRNG
- */
+/* Internal function to return processed entropy from the PRNG */
int
read_random_real(void *buf, int count)
{
@@ -343,5 +342,5 @@ generator_gate(void)
void
random_reseed(void)
{
- reseed(FAST);
+ reseed(SLOW);
}
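Review bot: `random_reseed` now requests a SLOW reseed but carries no comment saying why, and the rationale lives only in the commit message; a later reader will see an explicit reseed taking the more expensive path and may be tempted to flip it back. Add `/* Explicit reseed: take the SLOW path, as the Yarrow paper recommends for externally requested reseeds. */` above the call. Whether the callers of `random_reseed` can be reached from an unprivileged context is not visible here, so any rate-limiting concern for the slower path has to be checked at the call sites rather than in this one-line body.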