Provided by: libhavege-dev_1.9.1-6ubuntu1_amd64
NAME
libhavege, havege_create, havege_run, havege_rng, havege_destroy, havege_status, havege_status_dump, havege_version - haveged RNG
SYNOPSIS
#include <haveged/havege.h> H_PARAMS params = {0}; h_status status; char status_buf[512]; if (NULL==havege_version(HAVEGE_PREP_VERSION)) exit(1); H_PTR handle = havege_create(¶ms); havege_status(handle, &status); havege_run(handle); rc = havege_rng(handle, handle->io_buf, handle->i_readSz/sizeof(H_UINT)); havege_status_dump(handle, H_SD_TOPIC_BUILD, status_buf, sizeof(status_buf)); havege_destroy(handle);
DESCRIPTION
The libhavege library provides the haveged random number generator and it's associated tuning and testing facilities in a development sub-package. All haveged conditional build features are preserved and all haveged options not directly related to it's daemon or file system interfaces are available. This means that the same haveged tuning and testing components are present in the library with the equivalent controls provided by the haveged command line.
API METHODS
The libhavege library uses the opaque handle technique to manage it's required resources. Errors are returned in the "error" member of the handle. The havege_destroy() method should be called to dispose of any resources claimed by havege_create(). H_PTR havege_create(H_PARAMS *params); Create an anchor. Most members of the H_PARAMS input to this call correspond closely to haveged command line options (see haveged(8) for details). The caller should check for a non-null return value with a error value of H_NOERR. Any non-null return should be disposed of by a call to havege_destroy() to free any resources. Possible error values: H_NOERR, H_NOTESTSPEC, H_NOBUF, H_NOTESTMEM, H_NOINIT void havege_destroy(H_PTR hptr); Free all allocated anchor resources. If the multi-core option is used, this method should be called from a signal handler to prevent zombie processes. If called by the process that called haveged_create(), hptr will be freed when all child processes (if any) have terminated. If called by a child process, H_EXIT will be set and all children awakened to exit. int havege_rng(H_PTR hptr, H_UINT *buf, H_UINT sz); Read random bytes from an active anchor. The RNG must have been previously readied by a call to havege_run(). The read must take place within the allocated buffer, hptr->io_buf. The range specified is the number of H_UINT to read. If the multi-core option is used, this buffer is memory mapped between collectors. Possible error values: H_NOERR, H_NOTESRUN, H_NOPOST, H_NODONE, H_NORQST, H_NOCOMP, H_EXIT int havege_run(H_PTR hptr); Warm up the RNG and run the start-up tests. The operation succeeded if the error member of the handle is H_NOERR. A failed handle should be disposed of by a call to havege_destroy(). Possible error values: H_NOERR, H_NOCOLLECT, H_NOWALK, H_NOTESTMEM, H_NOTASK, H_NOTESTTOT, H_NOWAIT, H_NOTIMER, and any havege_rng() error. void havege_status(H_PTR hptr, H_STATUS hsts); Fills in the h_status structure with read-only information collected from the package build, run-time tuning, and test components. int havege_status_dump(H_PTR hptr, H_SD_TOPIC topic, char *buf, size_t len); Calls havege_status() and formats standard presentations of havege status in the supplied buffer. The standard formats are: H_SD_TOPIC_BUILD ver: %s; arch: %s; vend: %s; build: (%s); collect: %dK H_SD_TOPIC_TUNE cpu: (%s); data: %dK (%s); inst: %dK (%s); idx: %d/%d; sz: %d/%d H_SD_TOPIC_TEST [tot tests(%s): A:%d/%d B: %d/%d;][continuous tests(%s): A:%d/%d B: %d/%d;][last entropy estimate %g] H_SD_TOPIC_SUM fills: %d, generated: %.4g %c bytes const char *havege_version(const char *version); Return/check library prep version. The prep version is the package version used to build the library. A null argument returns the prep version unconditionally. Using the definition of the prep string in havege.h as input returns the prep version if the header file is compatible with the library, or NULL if it is not. Intended to be called before attempting any initialization.
NOTES
The sizes of the processor level 1 instruction and data caches are used to tune the HAVEGE algorithm for maximum sensitivity. If these sizes not specified, haveged will attempt to determine the sizes dynamically from the Linux sysfs and/or cpuid instruction with a fallback to a compiled default if no better information is not available. The haveged RNG includes a run time test facility based upon the test suite defined in the AIS-31 specification from the The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik). The test suite consists of 11 statistical tests packaged into two test suites ("A" and "B"). The tests can be run at initialization (a.k.a. a "tot" test), or continuously to monitor all output. Failure of a suite will abort operation unless the behavior is explicitly waived in the test setup options. Procedure A contains 6 test procedures designed to ensure statistically inconspicuous behavior. The first test, "test0", checks the disjointedness of 65k six-bit strings. The remainder of the procedure consists of 257 repetitions of the FIPS140-1 tests, "test1" through "test4", and an auto-correlation test, "test5". The fixed size of the Procedure A input makes it ideal for continuous use, but the procedure is slow and resource intensive. In particular, test5 is several orders of magnitude slower than any other individual AIS test. As an alternative for those who cannot tolerate this load, procedure A variants A<n> are provided that execute all included tests but execute test5 only every 2^n repetitions. Even with this accommodation, procedure A is much slower than procedure B. Procedure B contains 5 tests, "test6a", "test6b', "test7a", "test7b", and "test8". The first 4 tests verify the expected frequencies for samples 100,000 one-step, two-step, three-step, and four-step bit transitions. The last test provides an empirical entropy estimate of the input. The input required to complete these tests is variable, resulting in an ever-shifting bit alignment that guards against buffering artifacts. Each test procedure requires more than 1MB of data. Test input is managed by a bit index into the collection buffer. An independent index manages where integer output is taken from the same buffer. A buffer fill is triggered when the output index indicates all data has been extracted from the buffer. Online testing takes place after the buffer has been refilled but before the output index update allows output to resume. If any online test fails while processing the buffer, the buffer will be refilled and reprocessed until any retry is complete and the buffer contains no failed online tests or the online test procedure has failed and the RNG is considered broken. It is recommend to run both AIS test procedures at start-up to ensure the RNG is properly initialized. If resources are in short supply, omitting procedure A will save memory and time, with little risk in circumstances where output is mixed with other sources in /dev/random or other csprng. Continuous testing is also recommended where the throughput penalty is acceptable. One recent assessment of testing throughput costs is shown below. haveged -n0 -oc | pv > /dev/null 400MiB/s haveged -n0 -ocb | pv > /dev/null 70MiB/s haveged -n0 -oca8b | pv > /dev/null 13MiB/s haveged -n0 -oca8 | pv > /dev/null 8MiB/s haveged -n0 -oca | pv > /dev/null 100kiB/s Continuous testing also exposes another possible pitfall. Even an ideal RNG has a 10e-4 chance of failing either test procedure. The strict retry policy of AIS-31 is designed to guarantee an ideal RNG will "almost never" fail a test procedure. A single retry is mandated only to recover from a previous attempt that experienced a single individual test failure. The haveged implementation logs all retries and terminates on test procedure failures unless the procedure has been flagged as advisory by the "w" argument (see --onlinetest in haveged(8) ). Little evidence of the retry mechanism is seen unless large data sets are processed. Procedure A is too slow to be practical in these situations, so procedure B has been the best studied. Retries are observed at the approximate rate of 0.7-0.8 failures/GB, mostly in the test7 multi-step transition checks. The probability that procedureB will fail two times in a row (in which case the program will be terminated unless w option was specified) is 4e-7 which is expected to happen at an approximate rate of once per 3,000 TB. When producing large amounts of data in order of TBs it's recommended to use -w option to make sure that program will not prematurely terminate because of a failed retry and carefully examine the stderr output for any problems.
FILES
Tuning information may be extracted from the following virtual file paths if tuning is required and the path exists. /proc/cpuinfo /proc/self/status /sys/devices/system/cpu/online /sys/devices/system/cpu/cpu%d/cache/index%d/level
DIAGNOSTICS
To enable diagnostic output, supply a msg_out callback when creating the handle. All possible errors are enumerated in havege.h and reproduced here for reference. 01 H_NOHANDLE No memory for handle 02 H_NOBUF Output buffer allocation failed 03 H_NOINIT Semaphore init failed 04 H_NOCOLLECT Collector allocation failed 05 H_NOWALK Walk buffer allocation failed 06 H_NOTESTSPEC Invalid test specification 07 H_NOTESTINIT Test setup failed 08 H_NOTESTMEM Unable to allocate test memory 09 H_NOTESTTOT Power on (i.e. 'tot') test failed 10 H_NOTESTRUN Continuous test failed 11 H_NOCORES Too many cores specified 12 H_NOTASK Unable to create child task 13 H_NOWAIT sem_wait failed 14 H_NOPOST sem_post failed 15 H_NODONE sem_post done failed 16 H_NORQST sem_post request failed 17 H_NOCOMP wait for completion failed 18 H_EXIT Exit signal 19 H_NOTIMER Timer failed
EXAMPLE
The following minimal program writes the contents of 16 collection buffers of random data to stdout with continuous testing. #include <stdio.h> #include <haveged/havege.h> int main(void) { H_PTR havege_state; H_PARAMS havege_parameters = {0}; int i, rc; if (NULL==havege_version(HAVEGE_PREP_VERSION)) { fprintf(stderr, "Incompatible library %s\n", havege_version(NULL)); return 1; } havege_parameters.testSpec="ta8bcb"; havege_state = havege_create(&havege_parameters); rc = havege_state==NULL? H_NOHANDLE : havege_state->error; if (H_NOERR==rc) { if (0==havege_run(havege_state)) { H_UINT *buf = havege_state->io_buf; int size = havege_state->i_readSz /sizeof(H_UINT); char info[256]; for(i=0;i<16;i++) { rc = havege_rng(havege_state, buf, size); if (rc != size) { fprintf(stderr, "RNG read failed %d\n", havege_state->error); break; } rc = fwrite(buf, 1, size*sizeof(H_UINT), stdout); if ( rc < size ) { fprintf(stderr, "Write failed\n"); break; } } i = havege_status_dump(havege_state, H_SD_TOPIC_TEST, info, sizeof(info)); info[i++] = '\n'; havege_status_dump(havege_state, H_SD_TOPIC_SUM, info+i, sizeof(info)-i); fprintf(stderr, "%s\n", info); } else fprintf(stderr, "Initialize failed %d\n", havege_state->error); havege_destroy(havege_state); } else fprintf(stderr, "Create failed %d\n", rc); return rc; } Defaults are provided for all inputs to havege_create() as documented in havege.h. In this case for example, (16*4kb=65kb) will be written to stdout because the default size for i_readsz in 4kb.
SEE ALSO
haveged(8)
REFERENCES
haveged(8) references provides a basic reading list. The following links are suggested as sources for further exploration. The origins of the HAVEGE concept can be found at: http://www.irisa.fr/caps/projects/hipsor/ Tuning concepts inspired by (the complexity) at: http://www.open-mpi.org/projects/hwloc/ Reference documentation for the AIS-31 test suite can be found at: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Interpretationen/AIS_31_Functionality_classes_for_random_number_generators_e.pdf?__blob=publicationFile Implementation and design information available at: http://www.issihosts.com/haveged/
AUTHORS
Gary Wuertz <gary@issiweb.com> and Jirka Hladky <hladky jiri AT gmail DOT com>