projects / u / mdw / putty / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
random_init() should be called at most once during the running of
[u/mdw/putty] / sshrand.c
1 /*
2 * cryptographic random number generator for PuTTY's ssh client
3 */
4
5 #include "putty.h"
6 #include "ssh.h"
7
8 void noise_get_heavy(void (*func) (void *, int));
9 void noise_get_light(void (*func) (void *, int));
10
11 /*
12 * `pool' itself is a pool of random data which we actually use: we
13 * return bytes from `pool', at position `poolpos', until `poolpos'
14 * reaches the end of the pool. At this point we generate more
15 * random data, by adding noise, stirring well, and resetting
16 * `poolpos' to point to just past the beginning of the pool (not
17 * _the_ beginning, since otherwise we'd give away the whole
18 * contents of our pool, and attackers would just have to guess the
19 * next lot of noise).
20 *
21 * `incomingb' buffers acquired noise data, until it gets full, at
22 * which point the acquired noise is SHA'ed into `incoming' and
23 * `incomingb' is cleared. The noise in `incoming' is used as part
24 * of the noise for each stirring of the pool, in addition to local
25 * time, process listings, and other such stuff.
26 */
27
28 #define HASHINPUT 64 /* 64 bytes SHA input */
29 #define HASHSIZE 20 /* 160 bits SHA output */
30 #define POOLSIZE 1200 /* size of random pool */
31
32 struct RandPool {
33 unsigned char pool[POOLSIZE];
34 int poolpos;
35
36 unsigned char incoming[HASHSIZE];
37
38 unsigned char incomingb[HASHINPUT];
39 int incomingpos;
40 };
41
42 static struct RandPool pool;
43 int random_active = 0;
44
45 static void random_stir(void)
46 {
47 word32 block[HASHINPUT / sizeof(word32)];
48 word32 digest[HASHSIZE / sizeof(word32)];
49 int i, j, k;
50
51 noise_get_light(random_add_noise);
52
53 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
54 pool.incomingpos = 0;
55
56 /*
57 * Chunks of this code are blatantly endianness-dependent, but
58 * as it's all random bits anyway, WHO CARES?
59 */
60 memcpy(digest, pool.incoming, sizeof(digest));
61
62 /*
63 * Make two passes over the pool.
64 */
65 for (i = 0; i < 2; i++) {
66
67 /*
68 * We operate SHA in CFB mode, repeatedly adding the same
69 * block of data to the digest. But we're also fiddling
70 * with the digest-so-far, so this shouldn't be Bad or
71 * anything.
72 */
73 memcpy(block, pool.pool, sizeof(block));
74
75 /*
76 * Each pass processes the pool backwards in blocks of
77 * HASHSIZE, just so that in general we get the output of
78 * SHA before the corresponding input, in the hope that
79 * things will be that much less predictable that way
80 * round, when we subsequently return bytes ...
81 */
82 for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {
83 /*
84 * XOR the bit of the pool we're processing into the
85 * digest.
86 */
87
88 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
89 digest[k] ^= ((word32 *) (pool.pool + j))[k];
90
91 /*
92 * Munge our unrevealed first block of the pool into
93 * it.
94 */
95 SHATransform(digest, block);
96
97 /*
98 * Stick the result back into the pool.
99 */
100
101 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
102 ((word32 *) (pool.pool + j))[k] = digest[k];
103 }
104 }
105
106 /*
107 * Might as well save this value back into `incoming', just so
108 * there'll be some extra bizarreness there.
109 */
110 SHATransform(digest, block);
111 memcpy(pool.incoming, digest, sizeof(digest));
112
113 pool.poolpos = sizeof(pool.incoming);
114 }
115
116 void random_add_noise(void *noise, int length)
117 {
118 unsigned char *p = noise;
119 int i;
120
121 if (!random_active)
122 return;
123
124 /*
125 * This function processes HASHINPUT bytes into only HASHSIZE
126 * bytes, so _if_ we were getting incredibly high entropy
127 * sources then we would be throwing away valuable stuff.
128 */
129 while (length >= (HASHINPUT - pool.incomingpos)) {
130 memcpy(pool.incomingb + pool.incomingpos, p,
131 HASHINPUT - pool.incomingpos);
132 p += HASHINPUT - pool.incomingpos;
133 length -= HASHINPUT - pool.incomingpos;
134 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
135 for (i = 0; i < HASHSIZE; i++) {
136 pool.pool[pool.poolpos++] ^= pool.incomingb[i];
137 if (pool.poolpos >= POOLSIZE)
138 pool.poolpos = 0;
139 }
140 if (pool.poolpos < HASHSIZE)
141 random_stir();
142
143 pool.incomingpos = 0;
144 }
145
146 memcpy(pool.incomingb + pool.incomingpos, p, length);
147 pool.incomingpos += length;
148 }
149
150 void random_add_heavynoise(void *noise, int length)
151 {
152 unsigned char *p = noise;
153 int i;
154
155 while (length >= POOLSIZE) {
156 for (i = 0; i < POOLSIZE; i++)
157 pool.pool[i] ^= *p++;
158 random_stir();
159 length -= POOLSIZE;
160 }
161
162 for (i = 0; i < length; i++)
163 pool.pool[i] ^= *p++;
164 random_stir();
165 }
166
167 static void random_add_heavynoise_bitbybit(void *noise, int length)
168 {
169 unsigned char *p = noise;
170 int i;
171
172 while (length >= POOLSIZE - pool.poolpos) {
173 for (i = 0; i < POOLSIZE - pool.poolpos; i++)
174 pool.pool[pool.poolpos + i] ^= *p++;
175 random_stir();
176 length -= POOLSIZE - pool.poolpos;
177 pool.poolpos = 0;
178 }
179
180 for (i = 0; i < length; i++)
181 pool.pool[i] ^= *p++;
182 pool.poolpos = i;
183 }
184
185 void random_init(void)
186 {
187 if (!random_active) {
188 memset(&pool, 0, sizeof(pool)); /* just to start with */
189
190 random_active = 1;
191
192 noise_get_heavy(random_add_heavynoise_bitbybit);
193 random_stir();
194 }
195 }
196
197 int random_byte(void)
198 {
199 if (pool.poolpos >= POOLSIZE)
200 random_stir();
201
202 return pool.pool[pool.poolpos++];
203 }
204
205 void random_get_savedata(void **data, int *len)
206 {
207 void *buf = snewn(POOLSIZE / 2, char);
208 random_stir();
209 memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);
210 *len = POOLSIZE / 2;
211 *data = buf;
212 random_stir();
213 }
Local modifications for Simon Tatham's `PuTTY' SSH client and terminal emulator