git.distorted.org.uk Git - u/mdw/putty/blob - sshrand.c

   1 /*
   2  * cryptographic random number generator for PuTTY's ssh client
   3  */
   4
   5 #include "putty.h"
   6 #include "ssh.h"
   7
   8 /* Collect environmental noise every 5 minutes */
   9 #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)
  10
  11 void noise_get_heavy(void (*func) (void *, int));
  12 void noise_get_light(void (*func) (void *, int));
  13
  14 /*
  15  * `pool' itself is a pool of random data which we actually use: we
  16  * return bytes from `pool', at position `poolpos', until `poolpos'
  17  * reaches the end of the pool. At this point we generate more
  18  * random data, by adding noise, stirring well, and resetting
  19  * `poolpos' to point to just past the beginning of the pool (not
  20  * _the_ beginning, since otherwise we'd give away the whole
  21  * contents of our pool, and attackers would just have to guess the
  22  * next lot of noise).
  23  *
  24  * `incomingb' buffers acquired noise data, until it gets full, at
  25  * which point the acquired noise is SHA'ed into `incoming' and
  26  * `incomingb' is cleared. The noise in `incoming' is used as part
  27  * of the noise for each stirring of the pool, in addition to local
  28  * time, process listings, and other such stuff.
  29  */
  30
  31 #define HASHINPUT 64                   /* 64 bytes SHA input */
  32 #define HASHSIZE 20                    /* 160 bits SHA output */
  33 #define POOLSIZE 1200                  /* size of random pool */
  34
  35 struct RandPool {
  36     unsigned char pool[POOLSIZE];
  37     int poolpos;
  38
  39     unsigned char incoming[HASHSIZE];
  40
  41     unsigned char incomingb[HASHINPUT];
  42     int incomingpos;
  43
  44     int stir_pending;
  45 };
  46
  47 static struct RandPool pool;
  48 int random_active = 0;
  49 long next_noise_collection;
  50
  51 static void random_stir(void)
  52 {
  53     word32 block[HASHINPUT / sizeof(word32)];
  54     word32 digest[HASHSIZE / sizeof(word32)];
  55     int i, j, k;
  56
  57     /*
  58      * noise_get_light will call random_add_noise, which may call
  59      * back to here. Prevent recursive stirs.
  60      */
  61     if (pool.stir_pending)
  62         return;
  63     pool.stir_pending = TRUE;
  64
  65     noise_get_light(random_add_noise);
  66
  67     SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
  68     pool.incomingpos = 0;
  69
  70     /*
  71      * Chunks of this code are blatantly endianness-dependent, but
  72      * as it's all random bits anyway, WHO CARES?
  73      */
  74     memcpy(digest, pool.incoming, sizeof(digest));
  75
  76     /*
  77      * Make two passes over the pool.
  78      */
  79     for (i = 0; i < 2; i++) {
  80
  81         /*
  82          * We operate SHA in CFB mode, repeatedly adding the same
  83          * block of data to the digest. But we're also fiddling
  84          * with the digest-so-far, so this shouldn't be Bad or
  85          * anything.
  86          */
  87         memcpy(block, pool.pool, sizeof(block));
  88
  89         /*
  90          * Each pass processes the pool backwards in blocks of
  91          * HASHSIZE, just so that in general we get the output of
  92          * SHA before the corresponding input, in the hope that
  93          * things will be that much less predictable that way
  94          * round, when we subsequently return bytes ...
  95          */
  96         for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {
  97             /*
  98              * XOR the bit of the pool we're processing into the
  99              * digest.
 100              */
 101
 102             for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
 103                 digest[k] ^= ((word32 *) (pool.pool + j))[k];
 104
 105             /*
 106              * Munge our unrevealed first block of the pool into
 107              * it.
 108              */
 109             SHATransform(digest, block);
 110
 111             /*
 112              * Stick the result back into the pool.
 113              */
 114
 115             for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
 116                 ((word32 *) (pool.pool + j))[k] = digest[k];
 117         }
 118     }
 119
 120     /*
 121      * Might as well save this value back into `incoming', just so
 122      * there'll be some extra bizarreness there.
 123      */
 124     SHATransform(digest, block);
 125     memcpy(pool.incoming, digest, sizeof(digest));
 126
 127     pool.poolpos = sizeof(pool.incoming);
 128
 129     pool.stir_pending = FALSE;
 130 }
 131
 132 void random_add_noise(void *noise, int length)
 133 {
 134     unsigned char *p = noise;
 135     int i;
 136
 137     if (!random_active)
 138         return;
 139
 140     /*
 141      * This function processes HASHINPUT bytes into only HASHSIZE
 142      * bytes, so _if_ we were getting incredibly high entropy
 143      * sources then we would be throwing away valuable stuff.
 144      */
 145     while (length >= (HASHINPUT - pool.incomingpos)) {
 146         memcpy(pool.incomingb + pool.incomingpos, p,
 147                HASHINPUT - pool.incomingpos);
 148         p += HASHINPUT - pool.incomingpos;
 149         length -= HASHINPUT - pool.incomingpos;
 150         SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
 151         for (i = 0; i < HASHSIZE; i++) {
 152             pool.pool[pool.poolpos++] ^= pool.incomingb[i];
 153             if (pool.poolpos >= POOLSIZE)
 154                 pool.poolpos = 0;
 155         }
 156         if (pool.poolpos < HASHSIZE)
 157             random_stir();
 158
 159         pool.incomingpos = 0;
 160     }
 161
 162     memcpy(pool.incomingb + pool.incomingpos, p, length);
 163     pool.incomingpos += length;
 164 }
 165
 166 void random_add_heavynoise(void *noise, int length)
 167 {
 168     unsigned char *p = noise;
 169     int i;
 170
 171     while (length >= POOLSIZE) {
 172         for (i = 0; i < POOLSIZE; i++)
 173             pool.pool[i] ^= *p++;
 174         random_stir();
 175         length -= POOLSIZE;
 176     }
 177
 178     for (i = 0; i < length; i++)
 179         pool.pool[i] ^= *p++;
 180     random_stir();
 181 }
 182
 183 static void random_add_heavynoise_bitbybit(void *noise, int length)
 184 {
 185     unsigned char *p = noise;
 186     int i;
 187
 188     while (length >= POOLSIZE - pool.poolpos) {
 189         for (i = 0; i < POOLSIZE - pool.poolpos; i++)
 190             pool.pool[pool.poolpos + i] ^= *p++;
 191         random_stir();
 192         length -= POOLSIZE - pool.poolpos;
 193         pool.poolpos = 0;
 194     }
 195
 196     for (i = 0; i < length; i++)
 197         pool.pool[i] ^= *p++;
 198     pool.poolpos = i;
 199 }
 200
 201 static void random_timer(void *ctx, long now)
 202 {
 203     if (random_active > 0 && now - next_noise_collection >= 0) {
 204         noise_regular();
 205         next_noise_collection =
 206             schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
 207     }
 208 }
 209
 210 void random_ref(void)
 211 {
 212     if (!random_active) {
 213         memset(&pool, 0, sizeof(pool));    /* just to start with */
 214
 215         noise_get_heavy(random_add_heavynoise_bitbybit);
 216         random_stir();
 217
 218         next_noise_collection =
 219             schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
 220     }
 221
 222     random_active++;
 223 }
 224
 225 void random_unref(void)
 226 {
 227     random_active--;
 228 }
 229
 230 int random_byte(void)
 231 {
 232     if (pool.poolpos >= POOLSIZE)
 233         random_stir();
 234
 235     return pool.pool[pool.poolpos++];
 236 }
 237
 238 void random_get_savedata(void **data, int *len)
 239 {
 240     void *buf = snewn(POOLSIZE / 2, char);
 241     random_stir();
 242     memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);
 243     *len = POOLSIZE / 2;
 244     *data = buf;
 245     random_stir();
 246 }