[u/mdw/putty] / sshrand.c

/*
 * cryptographic random number generator for PuTTY's ssh client
 */

#include "ssh.h"

void noise_get_heavy(void (*func) (void *, int));
void noise_get_light(void (*func) (void *, int));

/*
 * `pool' itself is a pool of random data which we actually use: we
 * return bytes from `pool', at position `poolpos', until `poolpos'
 * reaches the end of the pool. At this point we generate more
 * random data, by adding noise, stirring well, and resetting
 * `poolpos' to point to just past the beginning of the pool (not
 * _the_ beginning, since otherwise we'd give away the whole
 * contents of our pool, and attackers would just have to guess the
 * next lot of noise).
 *
 * `incomingb' buffers acquired noise data, until it gets full, at
 * which point the acquired noise is SHA'ed into `incoming' and
 * `incomingb' is cleared. The noise in `incoming' is used as part
 * of the noise for each stirring of the pool, in addition to local
 * time, process listings, and other such stuff.
 */

#define HASHINPUT 64		       /* 64 bytes SHA input */
#define HASHSIZE 20		       /* 160 bits SHA output */
#define POOLSIZE 1200		       /* size of random pool */

struct RandPool {
    unsigned char pool[POOLSIZE];
    int poolpos;

    unsigned char incoming[HASHSIZE];

    unsigned char incomingb[HASHINPUT];
    int incomingpos;
};

static struct RandPool pool;

void random_stir(void) {
    word32 block[HASHINPUT/sizeof(word32)];
    word32 digest[HASHSIZE/sizeof(word32)];
    int i, j, k;

    noise_get_light(random_add_noise);

    SHATransform((word32 *)pool.incoming, (word32 *)pool.incomingb);
    pool.incomingpos = 0;

    /*
     * Chunks of this code are blatantly endianness-dependent, but
     * as it's all random bits anyway, WHO CARES?
     */
    memcpy(digest, pool.incoming, sizeof(digest));

    /*
     * Make two passes over the pool.
     */
    for (i = 0; i < 2; i++) {

	/*
	 * We operate SHA in CFB mode, repeatedly adding the same
	 * block of data to the digest. But we're also fiddling
	 * with the digest-so-far, so this shouldn't be Bad or
	 * anything.
	 */
	memcpy(block, pool.pool, sizeof(block));

	/*
	 * Each pass processes the pool backwards in blocks of
	 * HASHSIZE, just so that in general we get the output of
	 * SHA before the corresponding input, in the hope that
	 * things will be that much less predictable that way
	 * round, when we subsequently return bytes ...
	 */
	for (j = POOLSIZE; (j -= HASHSIZE) >= 0 ;) {
	    /*
	     * XOR the bit of the pool we're processing into the
	     * digest.
	     */

	    for (k = 0; k < sizeof(digest)/sizeof(*digest); k++)
		digest[k] ^= ((word32 *)(pool.pool+j))[k];

	    /*
	     * Munge our unrevealed first block of the pool into
	     * it.
	     */
	    SHATransform(digest, block);

	    /*
	     * Stick the result back into the pool.
	     */

	    for (k = 0; k < sizeof(digest)/sizeof(*digest); k++)
		((word32 *)(pool.pool+j))[k] = digest[k];
	}
    }

    /*
     * Might as well save this value back into `incoming', just so
     * there'll be some extra bizarreness there.
     */
    SHATransform(digest, block);
    memcpy(pool.incoming, digest, sizeof(digest));

    pool.poolpos = sizeof(pool.incoming);
}

void random_add_noise(void *noise, int length) {
    unsigned char *p = noise;
    int i;

    /*
     * This function processes HASHINPUT bytes into only HASHSIZE
     * bytes, so _if_ we were getting incredibly high entropy
     * sources then we would be throwing away valuable stuff.
     */
    while (length >= (HASHINPUT - pool.incomingpos)) {
	memcpy(pool.incomingb + pool.incomingpos, p,
	       HASHINPUT - pool.incomingpos);
	p += HASHINPUT - pool.incomingpos;
	length -= HASHINPUT - pool.incomingpos;
	SHATransform((word32 *)pool.incoming, (word32 *)pool.incomingb);
        for (i = 0; i < HASHSIZE; i++) {
            pool.pool[pool.poolpos++] ^= pool.incomingb[i];
            if (pool.poolpos >= POOLSIZE)
                pool.poolpos = 0;
        }
        if (pool.poolpos < HASHSIZE)
            random_stir();

	pool.incomingpos = 0;
    }

    memcpy(pool.incomingb + pool.incomingpos, p, length);
    pool.incomingpos += length;
}

void random_add_heavynoise(void *noise, int length) {
    unsigned char *p = noise;
    int i;

    while (length >= POOLSIZE) {
        for (i = 0; i < POOLSIZE; i++)
            pool.pool[i] ^= *p++;
	random_stir();
	length -= POOLSIZE;
    }

    for (i = 0; i < length; i++)
        pool.pool[i] ^= *p++;
    random_stir();
}

static void random_add_heavynoise_bitbybit(void *noise, int length) {
    unsigned char *p = noise;
    int i;

    while (length >= POOLSIZE - pool.poolpos) {
        for (i = 0; i < POOLSIZE - pool.poolpos; i++)
            pool.pool[pool.poolpos + i] ^= *p++;
	random_stir();
	length -= POOLSIZE - pool.poolpos;
        pool.poolpos = 0;
    }

    for (i = 0; i < length; i++)
        pool.pool[i] ^= *p++;
    pool.poolpos = i;
}

void random_init(void) {
    memset(&pool, 0, sizeof(pool));    /* just to start with */

    noise_get_heavy(random_add_heavynoise_bitbybit);
}

int random_byte(void) {
    if (pool.poolpos >= POOLSIZE)
	random_stir();

    return pool.pool[pool.poolpos++];
}

void random_get_savedata(void **data, int *len) {
    random_stir();
    *data = pool.pool+pool.poolpos;
    *len = POOLSIZE/2;
}
Commit	Line	Data
374330e2	1	/*
	2	* cryptographic random number generator for PuTTY's ssh client
	3	*/
	4
	5	#include "ssh.h"
	6
	7	void noise_get_heavy(void (func) (void , int));
	8	void noise_get_light(void (func) (void , int));
	9
	10	/*
	11	* `pool' itself is a pool of random data which we actually use: we
	12	* return bytes from `pool', at position `poolpos', until `poolpos'
	13	* reaches the end of the pool. At this point we generate more
	14	* random data, by adding noise, stirring well, and resetting
	15	* `poolpos' to point to just past the beginning of the pool (not
	16	* _the_ beginning, since otherwise we'd give away the whole
	17	* contents of our pool, and attackers would just have to guess the
	18	* next lot of noise).
	19	*
	20	* `incomingb' buffers acquired noise data, until it gets full, at
	21	* which point the acquired noise is SHA'ed into `incoming' and
	22	* `incomingb' is cleared. The noise in `incoming' is used as part
	23	* of the noise for each stirring of the pool, in addition to local
	24	* time, process listings, and other such stuff.
	25	*/
	26
	27	#define HASHINPUT 64 /* 64 bytes SHA input */
	28	#define HASHSIZE 20 /* 160 bits SHA output */
	29	#define POOLSIZE 1200 /* size of random pool */
	30
	31	struct RandPool {
	32	unsigned char pool[POOLSIZE];
	33	int poolpos;
	34
	35	unsigned char incoming[HASHSIZE];
	36
	37	unsigned char incomingb[HASHINPUT];
	38	int incomingpos;
	39	};
	40
	41	static struct RandPool pool;
	42
374330e2	43	void random_stir(void) {
	44	word32 block[HASHINPUT/sizeof(word32)];
	45	word32 digest[HASHSIZE/sizeof(word32)];
	46	int i, j, k;
	47
	48	noise_get_light(random_add_noise);
	49
	50	SHATransform((word32 )pool.incoming, (word32 )pool.incomingb);
	51	pool.incomingpos = 0;
	52
	53	/*
	54	* Chunks of this code are blatantly endianness-dependent, but
	55	* as it's all random bits anyway, WHO CARES?
	56	*/
	57	memcpy(digest, pool.incoming, sizeof(digest));
	58
	59	/*
	60	* Make two passes over the pool.
	61	*/
	62	for (i = 0; i < 2; i++) {
	63
	64	/*
	65	* We operate SHA in CFB mode, repeatedly adding the same
	66	* block of data to the digest. But we're also fiddling
	67	* with the digest-so-far, so this shouldn't be Bad or
	68	* anything.
	69	*/
	70	memcpy(block, pool.pool, sizeof(block));
	71
	72	/*
	73	* Each pass processes the pool backwards in blocks of
	74	* HASHSIZE, just so that in general we get the output of
	75	* SHA before the corresponding input, in the hope that
	76	* things will be that much less predictable that way
	77	* round, when we subsequently return bytes ...
	78	*/
	79	for (j = POOLSIZE; (j -= HASHSIZE) >= 0 ;) {
	80	/*
	81	* XOR the bit of the pool we're processing into the
	82	* digest.
	83	*/
	84
	85	for (k = 0; k < sizeof(digest)/sizeof(*digest); k++)
	86	digest[k] ^= ((word32 *)(pool.pool+j))[k];
	87
	88	/*
	89	* Munge our unrevealed first block of the pool into
	90	* it.
	91	*/
	92	SHATransform(digest, block);
	93
	94	/*
	95	* Stick the result back into the pool.
	96	*/
	97
	98	for (k = 0; k < sizeof(digest)/sizeof(*digest); k++)
	99	((word32 *)(pool.pool+j))[k] = digest[k];
	100	}
	101	}
	102
	103	/*
	104	* Might as well save this value back into `incoming', just so
	105	* there'll be some extra bizarreness there.
	106	*/
107	SHATransform(digest, block);
a1a27668	108	memcpy(pool.incoming, digest, sizeof(digest));
374330e2	109
	110	pool.poolpos = sizeof(pool.incoming);
	111	}
	112
6e522441	113	void random_add_noise(void *noise, int length) {
374330e2	114	unsigned char *p = noise;
6e522441	115	int i;
374330e2	116
6e522441	117	/*
	118	* This function processes HASHINPUT bytes into only HASHSIZE
	119	* bytes, so _if_ we were getting incredibly high entropy
	120	* sources then we would be throwing away valuable stuff.
	121	*/
	122	while (length >= (HASHINPUT - pool.incomingpos)) {
	123	memcpy(pool.incomingb + pool.incomingpos, p,
	124	HASHINPUT - pool.incomingpos);
	125	p += HASHINPUT - pool.incomingpos;
	126	length -= HASHINPUT - pool.incomingpos;
	127	SHATransform((word32 )pool.incoming, (word32 )pool.incomingb);
	128	for (i = 0; i < HASHSIZE; i++) {
	129	pool.pool[pool.poolpos++] ^= pool.incomingb[i];
	130	if (pool.poolpos >= POOLSIZE)
	131	pool.poolpos = 0;
	132	}
	133	if (pool.poolpos < HASHSIZE)
	134	random_stir();
	135
	136	pool.incomingpos = 0;
	137	}
	138
	139	memcpy(pool.incomingb + pool.incomingpos, p, length);
	140	pool.incomingpos += length;
	141	}
	142
	143	void random_add_heavynoise(void *noise, int length) {
	144	unsigned char *p = noise;
	145	int i;
	146
	147	while (length >= POOLSIZE) {
	148	for (i = 0; i < POOLSIZE; i++)
	149	pool.pool[i] ^= *p++;
	150	random_stir();
	151	length -= POOLSIZE;
	152	}
	153
	154	for (i = 0; i < length; i++)
	155	pool.pool[i] ^= *p++;
	156	random_stir();
	157	}
	158
	159	static void random_add_heavynoise_bitbybit(void *noise, int length) {
	160	unsigned char *p = noise;
	161	int i;
	162
	163	while (length >= POOLSIZE - pool.poolpos) {
	164	for (i = 0; i < POOLSIZE - pool.poolpos; i++)
	165	pool.pool[pool.poolpos + i] ^= *p++;
374330e2	166	random_stir();
6e522441	167	length -= POOLSIZE - pool.poolpos;
6e522441	168	pool.poolpos = 0;
374330e2	169	}
374330e2	170
6e522441	171	for (i = 0; i < length; i++)
	172	pool.pool[i] ^= *p++;
	173	pool.poolpos = i;
374330e2	174	}
	175
	176	void random_init(void) {
	177	memset(&pool, 0, sizeof(pool)); /* just to start with */
	178
6e522441	179	noise_get_heavy(random_add_heavynoise_bitbybit);
374330e2	180	}
	181
	182	int random_byte(void) {
	183	if (pool.poolpos >= POOLSIZE)
	184	random_stir();
	185
	186	return pool.pool[pool.poolpos++];
	187	}
	188
	189	void random_get_savedata(void *data, int len) {
	190	random_stir();
	191	*data = pool.pool+pool.poolpos;
	192	*len = POOLSIZE/2;
	193	}