[u/mdw/putty] / sshrand.c

/*
 * cryptographic random number generator for PuTTY's ssh client
 */

#include "putty.h"
#include "ssh.h"
#include <assert.h>

/* Collect environmental noise every 5 minutes */
#define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)

void noise_get_heavy(void (*func) (void *, int));
void noise_get_light(void (*func) (void *, int));

/*
 * `pool' itself is a pool of random data which we actually use: we
 * return bytes from `pool', at position `poolpos', until `poolpos'
 * reaches the end of the pool. At this point we generate more
 * random data, by adding noise, stirring well, and resetting
 * `poolpos' to point to just past the beginning of the pool (not
 * _the_ beginning, since otherwise we'd give away the whole
 * contents of our pool, and attackers would just have to guess the
 * next lot of noise).
 *
 * `incomingb' buffers acquired noise data, until it gets full, at
 * which point the acquired noise is SHA'ed into `incoming' and
 * `incomingb' is cleared. The noise in `incoming' is used as part
 * of the noise for each stirring of the pool, in addition to local
 * time, process listings, and other such stuff.
 */

#define HASHINPUT 64		       /* 64 bytes SHA input */
#define HASHSIZE 20		       /* 160 bits SHA output */
#define POOLSIZE 1200		       /* size of random pool */

struct RandPool {
    unsigned char pool[POOLSIZE];
    int poolpos;

    unsigned char incoming[HASHSIZE];

    unsigned char incomingb[HASHINPUT];
    int incomingpos;

    int stir_pending;
};

static struct RandPool pool;
int random_active = 0;
long next_noise_collection;

static void random_stir(void)
{
    word32 block[HASHINPUT / sizeof(word32)];
    word32 digest[HASHSIZE / sizeof(word32)];
    int i, j, k;

    /*
     * noise_get_light will call random_add_noise, which may call
     * back to here. Prevent recursive stirs.
     */
    if (pool.stir_pending)
	return;
    pool.stir_pending = TRUE;

    noise_get_light(random_add_noise);

    SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
    pool.incomingpos = 0;

    /*
     * Chunks of this code are blatantly endianness-dependent, but
     * as it's all random bits anyway, WHO CARES?
     */
    memcpy(digest, pool.incoming, sizeof(digest));

    /*
     * Make two passes over the pool.
     */
    for (i = 0; i < 2; i++) {

	/*
	 * We operate SHA in CFB mode, repeatedly adding the same
	 * block of data to the digest. But we're also fiddling
	 * with the digest-so-far, so this shouldn't be Bad or
	 * anything.
	 */
	memcpy(block, pool.pool, sizeof(block));

	/*
	 * Each pass processes the pool backwards in blocks of
	 * HASHSIZE, just so that in general we get the output of
	 * SHA before the corresponding input, in the hope that
	 * things will be that much less predictable that way
	 * round, when we subsequently return bytes ...
	 */
	for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {
	    /*
	     * XOR the bit of the pool we're processing into the
	     * digest.
	     */

	    for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
		digest[k] ^= ((word32 *) (pool.pool + j))[k];

	    /*
	     * Munge our unrevealed first block of the pool into
	     * it.
	     */
	    SHATransform(digest, block);

	    /*
	     * Stick the result back into the pool.
	     */

	    for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
		((word32 *) (pool.pool + j))[k] = digest[k];
	}
    }

    /*
     * Might as well save this value back into `incoming', just so
     * there'll be some extra bizarreness there.
     */
    SHATransform(digest, block);
    memcpy(pool.incoming, digest, sizeof(digest));

    pool.poolpos = sizeof(pool.incoming);

    pool.stir_pending = FALSE;
}

void random_add_noise(void *noise, int length)
{
    unsigned char *p = noise;
    int i;

    if (!random_active)
	return;

    /*
     * This function processes HASHINPUT bytes into only HASHSIZE
     * bytes, so _if_ we were getting incredibly high entropy
     * sources then we would be throwing away valuable stuff.
     */
    while (length >= (HASHINPUT - pool.incomingpos)) {
	memcpy(pool.incomingb + pool.incomingpos, p,
	       HASHINPUT - pool.incomingpos);
	p += HASHINPUT - pool.incomingpos;
	length -= HASHINPUT - pool.incomingpos;
	SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
	for (i = 0; i < HASHSIZE; i++) {
	    pool.pool[pool.poolpos++] ^= pool.incomingb[i];
	    if (pool.poolpos >= POOLSIZE)
		pool.poolpos = 0;
	}
	if (pool.poolpos < HASHSIZE)
	    random_stir();

	pool.incomingpos = 0;
    }

    memcpy(pool.incomingb + pool.incomingpos, p, length);
    pool.incomingpos += length;
}

void random_add_heavynoise(void *noise, int length)
{
    unsigned char *p = noise;
    int i;

    while (length >= POOLSIZE) {
	for (i = 0; i < POOLSIZE; i++)
	    pool.pool[i] ^= *p++;
	random_stir();
	length -= POOLSIZE;
    }

    for (i = 0; i < length; i++)
	pool.pool[i] ^= *p++;
    random_stir();
}

static void random_add_heavynoise_bitbybit(void *noise, int length)
{
    unsigned char *p = noise;
    int i;

    while (length >= POOLSIZE - pool.poolpos) {
	for (i = 0; i < POOLSIZE - pool.poolpos; i++)
	    pool.pool[pool.poolpos + i] ^= *p++;
	random_stir();
	length -= POOLSIZE - pool.poolpos;
	pool.poolpos = 0;
    }

    for (i = 0; i < length; i++)
	pool.pool[i] ^= *p++;
    pool.poolpos = i;
}

static void random_timer(void *ctx, unsigned long now)
{
    if (random_active > 0 && now == next_noise_collection) {
	noise_regular();
	next_noise_collection =
	    schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
    }
}

void random_ref(void)
{
    if (!random_active) {
	memset(&pool, 0, sizeof(pool));    /* just to start with */

	noise_get_heavy(random_add_heavynoise_bitbybit);
	random_stir();

	next_noise_collection =
	    schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
    }

    random_active++;
}

void random_unref(void)
{
    random_active--;
    assert(random_active >= 0);
    if (random_active) return;

    expire_timer_context(&pool);
}

int random_byte(void)
{
    if (pool.poolpos >= POOLSIZE)
	random_stir();

    return pool.pool[pool.poolpos++];
}

void random_get_savedata(void **data, int *len)
{
    void *buf = snewn(POOLSIZE / 2, char);
    random_stir();
    memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);
    *len = POOLSIZE / 2;
    *data = buf;
    random_stir();
}
Commit	Line	Data
374330e2	1	/*
	2	* cryptographic random number generator for PuTTY's ssh client
	3	*/
	4
19ad0a17	5	#include "putty.h"
374330e2	6	#include "ssh.h"
b72bdf11	7	#include <assert.h>
374330e2	8
5d17ccfc	9	/* Collect environmental noise every 5 minutes */
	10	#define NOISE_REGULAR_INTERVAL (560TICKSPERSEC)
	11
374330e2	12	void noise_get_heavy(void (func) (void , int));
	13	void noise_get_light(void (func) (void , int));
	14
	15	/*
	16	* `pool' itself is a pool of random data which we actually use: we
	17	* return bytes from `pool', at position `poolpos', until `poolpos'
	18	* reaches the end of the pool. At this point we generate more
	19	* random data, by adding noise, stirring well, and resetting
	20	* `poolpos' to point to just past the beginning of the pool (not
	21	* _the_ beginning, since otherwise we'd give away the whole
	22	* contents of our pool, and attackers would just have to guess the
	23	* next lot of noise).
	24	*
	25	* `incomingb' buffers acquired noise data, until it gets full, at
	26	* which point the acquired noise is SHA'ed into `incoming' and
	27	* `incomingb' is cleared. The noise in `incoming' is used as part
	28	* of the noise for each stirring of the pool, in addition to local
	29	* time, process listings, and other such stuff.
	30	*/
	31
	32	#define HASHINPUT 64 /* 64 bytes SHA input */
	33	#define HASHSIZE 20 /* 160 bits SHA output */
	34	#define POOLSIZE 1200 /* size of random pool */
	35
	36	struct RandPool {
	37	unsigned char pool[POOLSIZE];
	38	int poolpos;
	39
	40	unsigned char incoming[HASHSIZE];
	41
	42	unsigned char incomingb[HASHINPUT];
	43	int incomingpos;
ab076e02	44
ab076e02	45	int stir_pending;
374330e2	46	};
	47
	48	static struct RandPool pool;
93b581bd	49	int random_active = 0;
5d17ccfc	50	long next_noise_collection;
374330e2	51
19ad0a17	52	static void random_stir(void)
32874aea	53	{
	54	word32 block[HASHINPUT / sizeof(word32)];
	55	word32 digest[HASHSIZE / sizeof(word32)];
374330e2	56	int i, j, k;
374330e2	57
ab076e02	58	/*
	59	* noise_get_light will call random_add_noise, which may call
	60	* back to here. Prevent recursive stirs.
	61	*/
	62	if (pool.stir_pending)
	63	return;
	64	pool.stir_pending = TRUE;
	65
374330e2	66	noise_get_light(random_add_noise);
374330e2	67
32874aea	68	SHATransform((word32 ) pool.incoming, (word32 ) pool.incomingb);
374330e2	69	pool.incomingpos = 0;
	70
	71	/*
	72	* Chunks of this code are blatantly endianness-dependent, but
	73	* as it's all random bits anyway, WHO CARES?
	74	*/
	75	memcpy(digest, pool.incoming, sizeof(digest));
	76
	77	/*
	78	* Make two passes over the pool.
	79	*/
	80	for (i = 0; i < 2; i++) {
	81
	82	/*
	83	* We operate SHA in CFB mode, repeatedly adding the same
	84	* block of data to the digest. But we're also fiddling
	85	* with the digest-so-far, so this shouldn't be Bad or
	86	* anything.
	87	*/
	88	memcpy(block, pool.pool, sizeof(block));
	89
	90	/*
	91	* Each pass processes the pool backwards in blocks of
	92	* HASHSIZE, just so that in general we get the output of
	93	* SHA before the corresponding input, in the hope that
	94	* things will be that much less predictable that way
	95	* round, when we subsequently return bytes ...
	96	*/
32874aea	97	for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {
374330e2	98	/*
	99	* XOR the bit of the pool we're processing into the
	100	* digest.
	101	*/
	102
32874aea	103	for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
32874aea	104	digest[k] ^= ((word32 *) (pool.pool + j))[k];
374330e2	105
	106	/*
	107	* Munge our unrevealed first block of the pool into
	108	* it.
	109	*/
	110	SHATransform(digest, block);
	111
	112	/*
	113	* Stick the result back into the pool.
	114	*/
	115
32874aea	116	for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
32874aea	117	((word32 *) (pool.pool + j))[k] = digest[k];
374330e2	118	}
	119	}
	120
	121	/*
	122	* Might as well save this value back into `incoming', just so
	123	* there'll be some extra bizarreness there.
	124	*/
	125	SHATransform(digest, block);
a1a27668	126	memcpy(pool.incoming, digest, sizeof(digest));
374330e2	127
374330e2	128	pool.poolpos = sizeof(pool.incoming);
ab076e02	129
ab076e02	130	pool.stir_pending = FALSE;
374330e2	131	}
374330e2	132
32874aea	133	void random_add_noise(void *noise, int length)
32874aea	134	{
374330e2	135	unsigned char *p = noise;
6e522441	136	int i;
374330e2	137
7d6ee6ff	138	if (!random_active)
32874aea	139	return;
7d6ee6ff	140
6e522441	141	/*
	142	* This function processes HASHINPUT bytes into only HASHSIZE
	143	* bytes, so _if_ we were getting incredibly high entropy
	144	* sources then we would be throwing away valuable stuff.
	145	*/
	146	while (length >= (HASHINPUT - pool.incomingpos)) {
	147	memcpy(pool.incomingb + pool.incomingpos, p,
	148	HASHINPUT - pool.incomingpos);
	149	p += HASHINPUT - pool.incomingpos;
	150	length -= HASHINPUT - pool.incomingpos;
32874aea	151	SHATransform((word32 ) pool.incoming, (word32 ) pool.incomingb);
	152	for (i = 0; i < HASHSIZE; i++) {
	153	pool.pool[pool.poolpos++] ^= pool.incomingb[i];
	154	if (pool.poolpos >= POOLSIZE)
	155	pool.poolpos = 0;
	156	}
	157	if (pool.poolpos < HASHSIZE)
	158	random_stir();
6e522441	159
	160	pool.incomingpos = 0;
	161	}
	162
	163	memcpy(pool.incomingb + pool.incomingpos, p, length);
	164	pool.incomingpos += length;
	165	}
	166
32874aea	167	void random_add_heavynoise(void *noise, int length)
32874aea	168	{
6e522441	169	unsigned char *p = noise;
	170	int i;
	171
	172	while (length >= POOLSIZE) {
32874aea	173	for (i = 0; i < POOLSIZE; i++)
32874aea	174	pool.pool[i] ^= *p++;
6e522441	175	random_stir();
	176	length -= POOLSIZE;
	177	}
	178
	179	for (i = 0; i < length; i++)
32874aea	180	pool.pool[i] ^= *p++;
6e522441	181	random_stir();
	182	}
	183
32874aea	184	static void random_add_heavynoise_bitbybit(void *noise, int length)
32874aea	185	{
6e522441	186	unsigned char *p = noise;
	187	int i;
	188
	189	while (length >= POOLSIZE - pool.poolpos) {
32874aea	190	for (i = 0; i < POOLSIZE - pool.poolpos; i++)
32874aea	191	pool.pool[pool.poolpos + i] ^= *p++;
374330e2	192	random_stir();
6e522441	193	length -= POOLSIZE - pool.poolpos;
32874aea	194	pool.poolpos = 0;
374330e2	195	}
374330e2	196
6e522441	197	for (i = 0; i < length; i++)
32874aea	198	pool.pool[i] ^= *p++;
6e522441	199	pool.poolpos = i;
374330e2	200	}
374330e2	201
d719927e	202	static void random_timer(void *ctx, unsigned long now)
5d17ccfc	203	{
d719927e	204	if (random_active > 0 && now == next_noise_collection) {
5d17ccfc	205	noise_regular();
	206	next_noise_collection =
	207	schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
	208	}
	209	}
	210
	211	void random_ref(void)
32874aea	212	{
bc0e1c6c	213	if (!random_active) {
bc0e1c6c	214	memset(&pool, 0, sizeof(pool)); /* just to start with */
374330e2	215
bc0e1c6c	216	noise_get_heavy(random_add_heavynoise_bitbybit);
bc0e1c6c	217	random_stir();
5d17ccfc	218
	219	next_noise_collection =
	220	schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
bc0e1c6c	221	}
5d17ccfc	222
	223	random_active++;
	224	}
	225
	226	void random_unref(void)
	227	{
	228	random_active--;
b72bdf11	229	assert(random_active >= 0);
	230	if (random_active) return;
	231
	232	expire_timer_context(&pool);
374330e2	233	}
374330e2	234
32874aea	235	int random_byte(void)
32874aea	236	{
374330e2	237	if (pool.poolpos >= POOLSIZE)
	238	random_stir();
	239
	240	return pool.pool[pool.poolpos++];
	241	}
	242
32874aea	243	void random_get_savedata(void *data, int len)
32874aea	244	{
3d88e64d	245	void *buf = snewn(POOLSIZE / 2, char);
374330e2	246	random_stir();
e3ac3c05	247	memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);
32874aea	248	*len = POOLSIZE / 2;
e3ac3c05	249	*data = buf;
e3ac3c05	250	random_stir();
374330e2	251	}