374330e2 |
1 | /* |
2 | * cryptographic random number generator for PuTTY's ssh client |
3 | */ |
4 | |
19ad0a17 |
5 | #include "putty.h" |
374330e2 |
6 | #include "ssh.h" |
b72bdf11 |
7 | #include <assert.h> |
374330e2 |
8 | |
5d17ccfc |
9 | /* Collect environmental noise every 5 minutes */ |
10 | #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC) |
11 | |
374330e2 |
12 | void noise_get_heavy(void (*func) (void *, int)); |
13 | void noise_get_light(void (*func) (void *, int)); |
14 | |
15 | /* |
16 | * `pool' itself is a pool of random data which we actually use: we |
17 | * return bytes from `pool', at position `poolpos', until `poolpos' |
18 | * reaches the end of the pool. At this point we generate more |
19 | * random data, by adding noise, stirring well, and resetting |
20 | * `poolpos' to point to just past the beginning of the pool (not |
21 | * _the_ beginning, since otherwise we'd give away the whole |
22 | * contents of our pool, and attackers would just have to guess the |
23 | * next lot of noise). |
24 | * |
25 | * `incomingb' buffers acquired noise data, until it gets full, at |
26 | * which point the acquired noise is SHA'ed into `incoming' and |
27 | * `incomingb' is cleared. The noise in `incoming' is used as part |
28 | * of the noise for each stirring of the pool, in addition to local |
29 | * time, process listings, and other such stuff. |
30 | */ |
31 | |
32 | #define HASHINPUT 64 /* 64 bytes SHA input */ |
33 | #define HASHSIZE 20 /* 160 bits SHA output */ |
34 | #define POOLSIZE 1200 /* size of random pool */ |
35 | |
36 | struct RandPool { |
37 | unsigned char pool[POOLSIZE]; |
38 | int poolpos; |
39 | |
40 | unsigned char incoming[HASHSIZE]; |
41 | |
42 | unsigned char incomingb[HASHINPUT]; |
43 | int incomingpos; |
ab076e02 |
44 | |
45 | int stir_pending; |
374330e2 |
46 | }; |
47 | |
48 | static struct RandPool pool; |
93b581bd |
49 | int random_active = 0; |
5d17ccfc |
50 | long next_noise_collection; |
374330e2 |
51 | |
d2be8a43 |
52 | #ifdef RANDOM_DIAGNOSTICS |
53 | int random_diagnostics = 0; |
54 | #endif |
55 | |
19ad0a17 |
56 | static void random_stir(void) |
32874aea |
57 | { |
58 | word32 block[HASHINPUT / sizeof(word32)]; |
59 | word32 digest[HASHSIZE / sizeof(word32)]; |
374330e2 |
60 | int i, j, k; |
61 | |
ab076e02 |
62 | /* |
63 | * noise_get_light will call random_add_noise, which may call |
64 | * back to here. Prevent recursive stirs. |
65 | */ |
66 | if (pool.stir_pending) |
67 | return; |
68 | pool.stir_pending = TRUE; |
69 | |
374330e2 |
70 | noise_get_light(random_add_noise); |
71 | |
d2be8a43 |
72 | #ifdef RANDOM_DIAGNOSTICS |
73 | { |
74 | int p, q; |
75 | printf("random stir starting\npool:\n"); |
76 | for (p = 0; p < POOLSIZE; p += HASHSIZE) { |
77 | printf(" "); |
78 | for (q = 0; q < HASHSIZE; q += 4) { |
79 | printf(" %08x", *(word32 *)(pool.pool + p + q)); |
80 | } |
81 | printf("\n"); |
82 | } |
83 | printf("incoming:\n "); |
84 | for (q = 0; q < HASHSIZE; q += 4) { |
85 | printf(" %08x", *(word32 *)(pool.incoming + q)); |
86 | } |
87 | printf("\nincomingb:\n "); |
88 | for (q = 0; q < HASHINPUT; q += 4) { |
89 | printf(" %08x", *(word32 *)(pool.incomingb + q)); |
90 | } |
91 | printf("\n"); |
92 | random_diagnostics++; |
93 | } |
94 | #endif |
95 | |
32874aea |
96 | SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb); |
374330e2 |
97 | pool.incomingpos = 0; |
98 | |
99 | /* |
100 | * Chunks of this code are blatantly endianness-dependent, but |
101 | * as it's all random bits anyway, WHO CARES? |
102 | */ |
103 | memcpy(digest, pool.incoming, sizeof(digest)); |
104 | |
105 | /* |
106 | * Make two passes over the pool. |
107 | */ |
108 | for (i = 0; i < 2; i++) { |
109 | |
110 | /* |
111 | * We operate SHA in CFB mode, repeatedly adding the same |
112 | * block of data to the digest. But we're also fiddling |
113 | * with the digest-so-far, so this shouldn't be Bad or |
114 | * anything. |
115 | */ |
116 | memcpy(block, pool.pool, sizeof(block)); |
117 | |
118 | /* |
119 | * Each pass processes the pool backwards in blocks of |
120 | * HASHSIZE, just so that in general we get the output of |
121 | * SHA before the corresponding input, in the hope that |
122 | * things will be that much less predictable that way |
123 | * round, when we subsequently return bytes ... |
124 | */ |
32874aea |
125 | for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) { |
374330e2 |
126 | /* |
127 | * XOR the bit of the pool we're processing into the |
128 | * digest. |
129 | */ |
130 | |
32874aea |
131 | for (k = 0; k < sizeof(digest) / sizeof(*digest); k++) |
132 | digest[k] ^= ((word32 *) (pool.pool + j))[k]; |
374330e2 |
133 | |
134 | /* |
135 | * Munge our unrevealed first block of the pool into |
136 | * it. |
137 | */ |
138 | SHATransform(digest, block); |
139 | |
140 | /* |
141 | * Stick the result back into the pool. |
142 | */ |
143 | |
32874aea |
144 | for (k = 0; k < sizeof(digest) / sizeof(*digest); k++) |
145 | ((word32 *) (pool.pool + j))[k] = digest[k]; |
374330e2 |
146 | } |
d2be8a43 |
147 | |
148 | #ifdef RANDOM_DIAGNOSTICS |
149 | if (i == 0) { |
150 | int p, q; |
151 | printf("random stir midpoint\npool:\n"); |
152 | for (p = 0; p < POOLSIZE; p += HASHSIZE) { |
153 | printf(" "); |
154 | for (q = 0; q < HASHSIZE; q += 4) { |
155 | printf(" %08x", *(word32 *)(pool.pool + p + q)); |
156 | } |
157 | printf("\n"); |
158 | } |
159 | printf("incoming:\n "); |
160 | for (q = 0; q < HASHSIZE; q += 4) { |
161 | printf(" %08x", *(word32 *)(pool.incoming + q)); |
162 | } |
163 | printf("\nincomingb:\n "); |
164 | for (q = 0; q < HASHINPUT; q += 4) { |
165 | printf(" %08x", *(word32 *)(pool.incomingb + q)); |
166 | } |
167 | printf("\n"); |
168 | } |
169 | #endif |
374330e2 |
170 | } |
171 | |
172 | /* |
173 | * Might as well save this value back into `incoming', just so |
174 | * there'll be some extra bizarreness there. |
175 | */ |
176 | SHATransform(digest, block); |
a1a27668 |
177 | memcpy(pool.incoming, digest, sizeof(digest)); |
374330e2 |
178 | |
179 | pool.poolpos = sizeof(pool.incoming); |
ab076e02 |
180 | |
181 | pool.stir_pending = FALSE; |
d2be8a43 |
182 | |
183 | #ifdef RANDOM_DIAGNOSTICS |
184 | { |
185 | int p, q; |
186 | printf("random stir done\npool:\n"); |
187 | for (p = 0; p < POOLSIZE; p += HASHSIZE) { |
188 | printf(" "); |
189 | for (q = 0; q < HASHSIZE; q += 4) { |
190 | printf(" %08x", *(word32 *)(pool.pool + p + q)); |
191 | } |
192 | printf("\n"); |
193 | } |
194 | printf("incoming:\n "); |
195 | for (q = 0; q < HASHSIZE; q += 4) { |
196 | printf(" %08x", *(word32 *)(pool.incoming + q)); |
197 | } |
198 | printf("\nincomingb:\n "); |
199 | for (q = 0; q < HASHINPUT; q += 4) { |
200 | printf(" %08x", *(word32 *)(pool.incomingb + q)); |
201 | } |
202 | printf("\n"); |
203 | random_diagnostics--; |
204 | } |
205 | #endif |
374330e2 |
206 | } |
207 | |
32874aea |
208 | void random_add_noise(void *noise, int length) |
209 | { |
374330e2 |
210 | unsigned char *p = noise; |
6e522441 |
211 | int i; |
374330e2 |
212 | |
7d6ee6ff |
213 | if (!random_active) |
32874aea |
214 | return; |
7d6ee6ff |
215 | |
6e522441 |
216 | /* |
217 | * This function processes HASHINPUT bytes into only HASHSIZE |
218 | * bytes, so _if_ we were getting incredibly high entropy |
219 | * sources then we would be throwing away valuable stuff. |
220 | */ |
221 | while (length >= (HASHINPUT - pool.incomingpos)) { |
222 | memcpy(pool.incomingb + pool.incomingpos, p, |
223 | HASHINPUT - pool.incomingpos); |
224 | p += HASHINPUT - pool.incomingpos; |
225 | length -= HASHINPUT - pool.incomingpos; |
32874aea |
226 | SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb); |
227 | for (i = 0; i < HASHSIZE; i++) { |
228 | pool.pool[pool.poolpos++] ^= pool.incomingb[i]; |
229 | if (pool.poolpos >= POOLSIZE) |
230 | pool.poolpos = 0; |
231 | } |
232 | if (pool.poolpos < HASHSIZE) |
233 | random_stir(); |
6e522441 |
234 | |
235 | pool.incomingpos = 0; |
236 | } |
237 | |
238 | memcpy(pool.incomingb + pool.incomingpos, p, length); |
239 | pool.incomingpos += length; |
240 | } |
241 | |
32874aea |
242 | void random_add_heavynoise(void *noise, int length) |
243 | { |
6e522441 |
244 | unsigned char *p = noise; |
245 | int i; |
246 | |
247 | while (length >= POOLSIZE) { |
32874aea |
248 | for (i = 0; i < POOLSIZE; i++) |
249 | pool.pool[i] ^= *p++; |
6e522441 |
250 | random_stir(); |
251 | length -= POOLSIZE; |
252 | } |
253 | |
254 | for (i = 0; i < length; i++) |
32874aea |
255 | pool.pool[i] ^= *p++; |
6e522441 |
256 | random_stir(); |
257 | } |
258 | |
32874aea |
259 | static void random_add_heavynoise_bitbybit(void *noise, int length) |
260 | { |
6e522441 |
261 | unsigned char *p = noise; |
262 | int i; |
263 | |
264 | while (length >= POOLSIZE - pool.poolpos) { |
32874aea |
265 | for (i = 0; i < POOLSIZE - pool.poolpos; i++) |
266 | pool.pool[pool.poolpos + i] ^= *p++; |
374330e2 |
267 | random_stir(); |
6e522441 |
268 | length -= POOLSIZE - pool.poolpos; |
32874aea |
269 | pool.poolpos = 0; |
374330e2 |
270 | } |
271 | |
6e522441 |
272 | for (i = 0; i < length; i++) |
32874aea |
273 | pool.pool[i] ^= *p++; |
6e522441 |
274 | pool.poolpos = i; |
374330e2 |
275 | } |
276 | |
d719927e |
277 | static void random_timer(void *ctx, unsigned long now) |
5d17ccfc |
278 | { |
d719927e |
279 | if (random_active > 0 && now == next_noise_collection) { |
5d17ccfc |
280 | noise_regular(); |
281 | next_noise_collection = |
282 | schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool); |
283 | } |
284 | } |
285 | |
286 | void random_ref(void) |
32874aea |
287 | { |
bc0e1c6c |
288 | if (!random_active) { |
289 | memset(&pool, 0, sizeof(pool)); /* just to start with */ |
374330e2 |
290 | |
4f60602b |
291 | random_active++; |
292 | |
bc0e1c6c |
293 | noise_get_heavy(random_add_heavynoise_bitbybit); |
294 | random_stir(); |
5d17ccfc |
295 | |
296 | next_noise_collection = |
297 | schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool); |
bc0e1c6c |
298 | } |
5d17ccfc |
299 | } |
300 | |
301 | void random_unref(void) |
302 | { |
4f60602b |
303 | assert(random_active > 0); |
304 | if (random_active == 1) { |
305 | random_save_seed(); |
306 | expire_timer_context(&pool); |
307 | } |
5d17ccfc |
308 | random_active--; |
374330e2 |
309 | } |
310 | |
32874aea |
311 | int random_byte(void) |
312 | { |
a924e32d |
313 | assert(random_active); |
314 | |
374330e2 |
315 | if (pool.poolpos >= POOLSIZE) |
316 | random_stir(); |
317 | |
318 | return pool.pool[pool.poolpos++]; |
319 | } |
320 | |
32874aea |
321 | void random_get_savedata(void **data, int *len) |
322 | { |
3d88e64d |
323 | void *buf = snewn(POOLSIZE / 2, char); |
374330e2 |
324 | random_stir(); |
e3ac3c05 |
325 | memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2); |
32874aea |
326 | *len = POOLSIZE / 2; |
e3ac3c05 |
327 | *data = buf; |
328 | random_stir(); |
374330e2 |
329 | } |