374330e2 |
1 | /* |
2 | * cryptographic random number generator for PuTTY's ssh client |
3 | */ |
4 | |
5 | #include "ssh.h" |
6 | |
7 | void noise_get_heavy(void (*func) (void *, int)); |
8 | void noise_get_light(void (*func) (void *, int)); |
9 | |
10 | /* |
11 | * `pool' itself is a pool of random data which we actually use: we |
12 | * return bytes from `pool', at position `poolpos', until `poolpos' |
13 | * reaches the end of the pool. At this point we generate more |
14 | * random data, by adding noise, stirring well, and resetting |
15 | * `poolpos' to point to just past the beginning of the pool (not |
16 | * _the_ beginning, since otherwise we'd give away the whole |
17 | * contents of our pool, and attackers would just have to guess the |
18 | * next lot of noise). |
19 | * |
20 | * `incomingb' buffers acquired noise data, until it gets full, at |
21 | * which point the acquired noise is SHA'ed into `incoming' and |
22 | * `incomingb' is cleared. The noise in `incoming' is used as part |
23 | * of the noise for each stirring of the pool, in addition to local |
24 | * time, process listings, and other such stuff. |
25 | */ |
26 | |
27 | #define HASHINPUT 64 /* 64 bytes SHA input */ |
28 | #define HASHSIZE 20 /* 160 bits SHA output */ |
29 | #define POOLSIZE 1200 /* size of random pool */ |
30 | |
31 | struct RandPool { |
32 | unsigned char pool[POOLSIZE]; |
33 | int poolpos; |
34 | |
35 | unsigned char incoming[HASHSIZE]; |
36 | |
37 | unsigned char incomingb[HASHINPUT]; |
38 | int incomingpos; |
39 | }; |
40 | |
41 | static struct RandPool pool; |
7d6ee6ff |
42 | static int random_active = 0; |
374330e2 |
43 | |
374330e2 |
44 | void random_stir(void) { |
45 | word32 block[HASHINPUT/sizeof(word32)]; |
46 | word32 digest[HASHSIZE/sizeof(word32)]; |
47 | int i, j, k; |
48 | |
49 | noise_get_light(random_add_noise); |
50 | |
51 | SHATransform((word32 *)pool.incoming, (word32 *)pool.incomingb); |
52 | pool.incomingpos = 0; |
53 | |
54 | /* |
55 | * Chunks of this code are blatantly endianness-dependent, but |
56 | * as it's all random bits anyway, WHO CARES? |
57 | */ |
58 | memcpy(digest, pool.incoming, sizeof(digest)); |
59 | |
60 | /* |
61 | * Make two passes over the pool. |
62 | */ |
63 | for (i = 0; i < 2; i++) { |
64 | |
65 | /* |
66 | * We operate SHA in CFB mode, repeatedly adding the same |
67 | * block of data to the digest. But we're also fiddling |
68 | * with the digest-so-far, so this shouldn't be Bad or |
69 | * anything. |
70 | */ |
71 | memcpy(block, pool.pool, sizeof(block)); |
72 | |
73 | /* |
74 | * Each pass processes the pool backwards in blocks of |
75 | * HASHSIZE, just so that in general we get the output of |
76 | * SHA before the corresponding input, in the hope that |
77 | * things will be that much less predictable that way |
78 | * round, when we subsequently return bytes ... |
79 | */ |
80 | for (j = POOLSIZE; (j -= HASHSIZE) >= 0 ;) { |
81 | /* |
82 | * XOR the bit of the pool we're processing into the |
83 | * digest. |
84 | */ |
85 | |
86 | for (k = 0; k < sizeof(digest)/sizeof(*digest); k++) |
87 | digest[k] ^= ((word32 *)(pool.pool+j))[k]; |
88 | |
89 | /* |
90 | * Munge our unrevealed first block of the pool into |
91 | * it. |
92 | */ |
93 | SHATransform(digest, block); |
94 | |
95 | /* |
96 | * Stick the result back into the pool. |
97 | */ |
98 | |
99 | for (k = 0; k < sizeof(digest)/sizeof(*digest); k++) |
100 | ((word32 *)(pool.pool+j))[k] = digest[k]; |
101 | } |
102 | } |
103 | |
104 | /* |
105 | * Might as well save this value back into `incoming', just so |
106 | * there'll be some extra bizarreness there. |
107 | */ |
108 | SHATransform(digest, block); |
a1a27668 |
109 | memcpy(pool.incoming, digest, sizeof(digest)); |
374330e2 |
110 | |
111 | pool.poolpos = sizeof(pool.incoming); |
112 | } |
113 | |
6e522441 |
114 | void random_add_noise(void *noise, int length) { |
374330e2 |
115 | unsigned char *p = noise; |
6e522441 |
116 | int i; |
374330e2 |
117 | |
7d6ee6ff |
118 | if (!random_active) |
119 | return; |
120 | |
6e522441 |
121 | /* |
122 | * This function processes HASHINPUT bytes into only HASHSIZE |
123 | * bytes, so _if_ we were getting incredibly high entropy |
124 | * sources then we would be throwing away valuable stuff. |
125 | */ |
126 | while (length >= (HASHINPUT - pool.incomingpos)) { |
127 | memcpy(pool.incomingb + pool.incomingpos, p, |
128 | HASHINPUT - pool.incomingpos); |
129 | p += HASHINPUT - pool.incomingpos; |
130 | length -= HASHINPUT - pool.incomingpos; |
131 | SHATransform((word32 *)pool.incoming, (word32 *)pool.incomingb); |
132 | for (i = 0; i < HASHSIZE; i++) { |
133 | pool.pool[pool.poolpos++] ^= pool.incomingb[i]; |
134 | if (pool.poolpos >= POOLSIZE) |
135 | pool.poolpos = 0; |
136 | } |
137 | if (pool.poolpos < HASHSIZE) |
138 | random_stir(); |
139 | |
140 | pool.incomingpos = 0; |
141 | } |
142 | |
143 | memcpy(pool.incomingb + pool.incomingpos, p, length); |
144 | pool.incomingpos += length; |
145 | } |
146 | |
147 | void random_add_heavynoise(void *noise, int length) { |
148 | unsigned char *p = noise; |
149 | int i; |
150 | |
151 | while (length >= POOLSIZE) { |
152 | for (i = 0; i < POOLSIZE; i++) |
153 | pool.pool[i] ^= *p++; |
154 | random_stir(); |
155 | length -= POOLSIZE; |
156 | } |
157 | |
158 | for (i = 0; i < length; i++) |
159 | pool.pool[i] ^= *p++; |
160 | random_stir(); |
161 | } |
162 | |
163 | static void random_add_heavynoise_bitbybit(void *noise, int length) { |
164 | unsigned char *p = noise; |
165 | int i; |
166 | |
167 | while (length >= POOLSIZE - pool.poolpos) { |
168 | for (i = 0; i < POOLSIZE - pool.poolpos; i++) |
169 | pool.pool[pool.poolpos + i] ^= *p++; |
374330e2 |
170 | random_stir(); |
6e522441 |
171 | length -= POOLSIZE - pool.poolpos; |
172 | pool.poolpos = 0; |
374330e2 |
173 | } |
174 | |
6e522441 |
175 | for (i = 0; i < length; i++) |
176 | pool.pool[i] ^= *p++; |
177 | pool.poolpos = i; |
374330e2 |
178 | } |
179 | |
180 | void random_init(void) { |
181 | memset(&pool, 0, sizeof(pool)); /* just to start with */ |
182 | |
7d6ee6ff |
183 | random_active = 1; |
184 | |
6e522441 |
185 | noise_get_heavy(random_add_heavynoise_bitbybit); |
c7d40766 |
186 | random_stir(); |
374330e2 |
187 | } |
188 | |
189 | int random_byte(void) { |
190 | if (pool.poolpos >= POOLSIZE) |
191 | random_stir(); |
192 | |
193 | return pool.pool[pool.poolpos++]; |
194 | } |
195 | |
196 | void random_get_savedata(void **data, int *len) { |
197 | random_stir(); |
198 | *data = pool.pool+pool.poolpos; |
199 | *len = POOLSIZE/2; |
200 | } |