374330e2 |
1 | /* |
2 | * cryptographic random number generator for PuTTY's ssh client |
3 | */ |
4 | |
19ad0a17 |
5 | #include "putty.h" |
374330e2 |
6 | #include "ssh.h" |
7 | |
5d17ccfc |
8 | /* Collect environmental noise every 5 minutes */ |
9 | #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC) |
10 | |
374330e2 |
11 | void noise_get_heavy(void (*func) (void *, int)); |
12 | void noise_get_light(void (*func) (void *, int)); |
13 | |
14 | /* |
15 | * `pool' itself is a pool of random data which we actually use: we |
16 | * return bytes from `pool', at position `poolpos', until `poolpos' |
17 | * reaches the end of the pool. At this point we generate more |
18 | * random data, by adding noise, stirring well, and resetting |
19 | * `poolpos' to point to just past the beginning of the pool (not |
20 | * _the_ beginning, since otherwise we'd give away the whole |
21 | * contents of our pool, and attackers would just have to guess the |
22 | * next lot of noise). |
23 | * |
24 | * `incomingb' buffers acquired noise data, until it gets full, at |
25 | * which point the acquired noise is SHA'ed into `incoming' and |
26 | * `incomingb' is cleared. The noise in `incoming' is used as part |
27 | * of the noise for each stirring of the pool, in addition to local |
28 | * time, process listings, and other such stuff. |
29 | */ |
30 | |
31 | #define HASHINPUT 64 /* 64 bytes SHA input */ |
32 | #define HASHSIZE 20 /* 160 bits SHA output */ |
33 | #define POOLSIZE 1200 /* size of random pool */ |
34 | |
35 | struct RandPool { |
36 | unsigned char pool[POOLSIZE]; |
37 | int poolpos; |
38 | |
39 | unsigned char incoming[HASHSIZE]; |
40 | |
41 | unsigned char incomingb[HASHINPUT]; |
42 | int incomingpos; |
43 | }; |
44 | |
45 | static struct RandPool pool; |
93b581bd |
46 | int random_active = 0; |
5d17ccfc |
47 | long next_noise_collection; |
374330e2 |
48 | |
19ad0a17 |
49 | static void random_stir(void) |
32874aea |
50 | { |
51 | word32 block[HASHINPUT / sizeof(word32)]; |
52 | word32 digest[HASHSIZE / sizeof(word32)]; |
374330e2 |
53 | int i, j, k; |
54 | |
55 | noise_get_light(random_add_noise); |
56 | |
32874aea |
57 | SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb); |
374330e2 |
58 | pool.incomingpos = 0; |
59 | |
60 | /* |
61 | * Chunks of this code are blatantly endianness-dependent, but |
62 | * as it's all random bits anyway, WHO CARES? |
63 | */ |
64 | memcpy(digest, pool.incoming, sizeof(digest)); |
65 | |
66 | /* |
67 | * Make two passes over the pool. |
68 | */ |
69 | for (i = 0; i < 2; i++) { |
70 | |
71 | /* |
72 | * We operate SHA in CFB mode, repeatedly adding the same |
73 | * block of data to the digest. But we're also fiddling |
74 | * with the digest-so-far, so this shouldn't be Bad or |
75 | * anything. |
76 | */ |
77 | memcpy(block, pool.pool, sizeof(block)); |
78 | |
79 | /* |
80 | * Each pass processes the pool backwards in blocks of |
81 | * HASHSIZE, just so that in general we get the output of |
82 | * SHA before the corresponding input, in the hope that |
83 | * things will be that much less predictable that way |
84 | * round, when we subsequently return bytes ... |
85 | */ |
32874aea |
86 | for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) { |
374330e2 |
87 | /* |
88 | * XOR the bit of the pool we're processing into the |
89 | * digest. |
90 | */ |
91 | |
32874aea |
92 | for (k = 0; k < sizeof(digest) / sizeof(*digest); k++) |
93 | digest[k] ^= ((word32 *) (pool.pool + j))[k]; |
374330e2 |
94 | |
95 | /* |
96 | * Munge our unrevealed first block of the pool into |
97 | * it. |
98 | */ |
99 | SHATransform(digest, block); |
100 | |
101 | /* |
102 | * Stick the result back into the pool. |
103 | */ |
104 | |
32874aea |
105 | for (k = 0; k < sizeof(digest) / sizeof(*digest); k++) |
106 | ((word32 *) (pool.pool + j))[k] = digest[k]; |
374330e2 |
107 | } |
108 | } |
109 | |
110 | /* |
111 | * Might as well save this value back into `incoming', just so |
112 | * there'll be some extra bizarreness there. |
113 | */ |
114 | SHATransform(digest, block); |
a1a27668 |
115 | memcpy(pool.incoming, digest, sizeof(digest)); |
374330e2 |
116 | |
117 | pool.poolpos = sizeof(pool.incoming); |
118 | } |
119 | |
32874aea |
120 | void random_add_noise(void *noise, int length) |
121 | { |
374330e2 |
122 | unsigned char *p = noise; |
6e522441 |
123 | int i; |
374330e2 |
124 | |
7d6ee6ff |
125 | if (!random_active) |
32874aea |
126 | return; |
7d6ee6ff |
127 | |
6e522441 |
128 | /* |
129 | * This function processes HASHINPUT bytes into only HASHSIZE |
130 | * bytes, so _if_ we were getting incredibly high entropy |
131 | * sources then we would be throwing away valuable stuff. |
132 | */ |
133 | while (length >= (HASHINPUT - pool.incomingpos)) { |
134 | memcpy(pool.incomingb + pool.incomingpos, p, |
135 | HASHINPUT - pool.incomingpos); |
136 | p += HASHINPUT - pool.incomingpos; |
137 | length -= HASHINPUT - pool.incomingpos; |
32874aea |
138 | SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb); |
139 | for (i = 0; i < HASHSIZE; i++) { |
140 | pool.pool[pool.poolpos++] ^= pool.incomingb[i]; |
141 | if (pool.poolpos >= POOLSIZE) |
142 | pool.poolpos = 0; |
143 | } |
144 | if (pool.poolpos < HASHSIZE) |
145 | random_stir(); |
6e522441 |
146 | |
147 | pool.incomingpos = 0; |
148 | } |
149 | |
150 | memcpy(pool.incomingb + pool.incomingpos, p, length); |
151 | pool.incomingpos += length; |
152 | } |
153 | |
32874aea |
154 | void random_add_heavynoise(void *noise, int length) |
155 | { |
6e522441 |
156 | unsigned char *p = noise; |
157 | int i; |
158 | |
159 | while (length >= POOLSIZE) { |
32874aea |
160 | for (i = 0; i < POOLSIZE; i++) |
161 | pool.pool[i] ^= *p++; |
6e522441 |
162 | random_stir(); |
163 | length -= POOLSIZE; |
164 | } |
165 | |
166 | for (i = 0; i < length; i++) |
32874aea |
167 | pool.pool[i] ^= *p++; |
6e522441 |
168 | random_stir(); |
169 | } |
170 | |
32874aea |
171 | static void random_add_heavynoise_bitbybit(void *noise, int length) |
172 | { |
6e522441 |
173 | unsigned char *p = noise; |
174 | int i; |
175 | |
176 | while (length >= POOLSIZE - pool.poolpos) { |
32874aea |
177 | for (i = 0; i < POOLSIZE - pool.poolpos; i++) |
178 | pool.pool[pool.poolpos + i] ^= *p++; |
374330e2 |
179 | random_stir(); |
6e522441 |
180 | length -= POOLSIZE - pool.poolpos; |
32874aea |
181 | pool.poolpos = 0; |
374330e2 |
182 | } |
183 | |
6e522441 |
184 | for (i = 0; i < length; i++) |
32874aea |
185 | pool.pool[i] ^= *p++; |
6e522441 |
186 | pool.poolpos = i; |
374330e2 |
187 | } |
188 | |
5d17ccfc |
189 | static void random_timer(void *ctx, long now) |
190 | { |
191 | if (random_active > 0 && now - next_noise_collection >= 0) { |
192 | noise_regular(); |
193 | next_noise_collection = |
194 | schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool); |
195 | } |
196 | } |
197 | |
198 | void random_ref(void) |
32874aea |
199 | { |
bc0e1c6c |
200 | if (!random_active) { |
201 | memset(&pool, 0, sizeof(pool)); /* just to start with */ |
374330e2 |
202 | |
bc0e1c6c |
203 | noise_get_heavy(random_add_heavynoise_bitbybit); |
204 | random_stir(); |
5d17ccfc |
205 | |
206 | next_noise_collection = |
207 | schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool); |
bc0e1c6c |
208 | } |
5d17ccfc |
209 | |
210 | random_active++; |
211 | } |
212 | |
213 | void random_unref(void) |
214 | { |
215 | random_active--; |
374330e2 |
216 | } |
217 | |
32874aea |
218 | int random_byte(void) |
219 | { |
374330e2 |
220 | if (pool.poolpos >= POOLSIZE) |
221 | random_stir(); |
222 | |
223 | return pool.pool[pool.poolpos++]; |
224 | } |
225 | |
32874aea |
226 | void random_get_savedata(void **data, int *len) |
227 | { |
3d88e64d |
228 | void *buf = snewn(POOLSIZE / 2, char); |
374330e2 |
229 | random_stir(); |
e3ac3c05 |
230 | memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2); |
32874aea |
231 | *len = POOLSIZE / 2; |
e3ac3c05 |
232 | *data = buf; |
233 | random_stir(); |
374330e2 |
234 | } |