projects / u / mdw / putty / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Run entire source base through GNU indent to tidy up the varying
[u/mdw/putty] / sshrand.c
1 /*
2 * cryptographic random number generator for PuTTY's ssh client
3 */
4
5 #include "ssh.h"
6
7 void noise_get_heavy(void (*func) (void *, int));
8 void noise_get_light(void (*func) (void *, int));
9
10 /*
11 * `pool' itself is a pool of random data which we actually use: we
12 * return bytes from `pool', at position `poolpos', until `poolpos'
13 * reaches the end of the pool. At this point we generate more
14 * random data, by adding noise, stirring well, and resetting
15 * `poolpos' to point to just past the beginning of the pool (not
16 * _the_ beginning, since otherwise we'd give away the whole
17 * contents of our pool, and attackers would just have to guess the
18 * next lot of noise).
19 *
20 * `incomingb' buffers acquired noise data, until it gets full, at
21 * which point the acquired noise is SHA'ed into `incoming' and
22 * `incomingb' is cleared. The noise in `incoming' is used as part
23 * of the noise for each stirring of the pool, in addition to local
24 * time, process listings, and other such stuff.
25 */
26
27 #define HASHINPUT 64 /* 64 bytes SHA input */
28 #define HASHSIZE 20 /* 160 bits SHA output */
29 #define POOLSIZE 1200 /* size of random pool */
30
31 struct RandPool {
32 unsigned char pool[POOLSIZE];
33 int poolpos;
34
35 unsigned char incoming[HASHSIZE];
36
37 unsigned char incomingb[HASHINPUT];
38 int incomingpos;
39 };
40
41 static struct RandPool pool;
42 static int random_active = 0;
43
44 void random_stir(void)
45 {
46 word32 block[HASHINPUT / sizeof(word32)];
47 word32 digest[HASHSIZE / sizeof(word32)];
48 int i, j, k;
49
50 noise_get_light(random_add_noise);
51
52 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
53 pool.incomingpos = 0;
54
55 /*
56 * Chunks of this code are blatantly endianness-dependent, but
57 * as it's all random bits anyway, WHO CARES?
58 */
59 memcpy(digest, pool.incoming, sizeof(digest));
60
61 /*
62 * Make two passes over the pool.
63 */
64 for (i = 0; i < 2; i++) {
65
66 /*
67 * We operate SHA in CFB mode, repeatedly adding the same
68 * block of data to the digest. But we're also fiddling
69 * with the digest-so-far, so this shouldn't be Bad or
70 * anything.
71 */
72 memcpy(block, pool.pool, sizeof(block));
73
74 /*
75 * Each pass processes the pool backwards in blocks of
76 * HASHSIZE, just so that in general we get the output of
77 * SHA before the corresponding input, in the hope that
78 * things will be that much less predictable that way
79 * round, when we subsequently return bytes ...
80 */
81 for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {
82 /*
83 * XOR the bit of the pool we're processing into the
84 * digest.
85 */
86
87 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
88 digest[k] ^= ((word32 *) (pool.pool + j))[k];
89
90 /*
91 * Munge our unrevealed first block of the pool into
92 * it.
93 */
94 SHATransform(digest, block);
95
96 /*
97 * Stick the result back into the pool.
98 */
99
100 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
101 ((word32 *) (pool.pool + j))[k] = digest[k];
102 }
103 }
104
105 /*
106 * Might as well save this value back into `incoming', just so
107 * there'll be some extra bizarreness there.
108 */
109 SHATransform(digest, block);
110 memcpy(pool.incoming, digest, sizeof(digest));
111
112 pool.poolpos = sizeof(pool.incoming);
113 }
114
115 void random_add_noise(void *noise, int length)
116 {
117 unsigned char *p = noise;
118 int i;
119
120 if (!random_active)
121 return;
122
123 /*
124 * This function processes HASHINPUT bytes into only HASHSIZE
125 * bytes, so _if_ we were getting incredibly high entropy
126 * sources then we would be throwing away valuable stuff.
127 */
128 while (length >= (HASHINPUT - pool.incomingpos)) {
129 memcpy(pool.incomingb + pool.incomingpos, p,
130 HASHINPUT - pool.incomingpos);
131 p += HASHINPUT - pool.incomingpos;
132 length -= HASHINPUT - pool.incomingpos;
133 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
134 for (i = 0; i < HASHSIZE; i++) {
135 pool.pool[pool.poolpos++] ^= pool.incomingb[i];
136 if (pool.poolpos >= POOLSIZE)
137 pool.poolpos = 0;
138 }
139 if (pool.poolpos < HASHSIZE)
140 random_stir();
141
142 pool.incomingpos = 0;
143 }
144
145 memcpy(pool.incomingb + pool.incomingpos, p, length);
146 pool.incomingpos += length;
147 }
148
149 void random_add_heavynoise(void *noise, int length)
150 {
151 unsigned char *p = noise;
152 int i;
153
154 while (length >= POOLSIZE) {
155 for (i = 0; i < POOLSIZE; i++)
156 pool.pool[i] ^= *p++;
157 random_stir();
158 length -= POOLSIZE;
159 }
160
161 for (i = 0; i < length; i++)
162 pool.pool[i] ^= *p++;
163 random_stir();
164 }
165
166 static void random_add_heavynoise_bitbybit(void *noise, int length)
167 {
168 unsigned char *p = noise;
169 int i;
170
171 while (length >= POOLSIZE - pool.poolpos) {
172 for (i = 0; i < POOLSIZE - pool.poolpos; i++)
173 pool.pool[pool.poolpos + i] ^= *p++;
174 random_stir();
175 length -= POOLSIZE - pool.poolpos;
176 pool.poolpos = 0;
177 }
178
179 for (i = 0; i < length; i++)
180 pool.pool[i] ^= *p++;
181 pool.poolpos = i;
182 }
183
184 void random_init(void)
185 {
186 memset(&pool, 0, sizeof(pool)); /* just to start with */
187
188 random_active = 1;
189
190 noise_get_heavy(random_add_heavynoise_bitbybit);
191 random_stir();
192 }
193
194 int random_byte(void)
195 {
196 if (pool.poolpos >= POOLSIZE)
197 random_stir();
198
199 return pool.pool[pool.poolpos++];
200 }
201
202 void random_get_savedata(void **data, int *len)
203 {
204 random_stir();
205 *data = pool.pool + pool.poolpos;
206 *len = POOLSIZE / 2;
207 }
Local modifications for Simon Tatham's `PuTTY' SSH client and terminal emulator