| 1 | /* |
| 2 | * cryptographic random number generator for PuTTY's ssh client |
| 3 | */ |
| 4 | |
| 5 | #include "putty.h" |
| 6 | #include "ssh.h" |
| 7 | #include <assert.h> |
| 8 | |
| 9 | /* Collect environmental noise every 5 minutes */ |
| 10 | #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC) |
| 11 | |
| 12 | void noise_get_heavy(void (*func) (void *, int)); |
| 13 | void noise_get_light(void (*func) (void *, int)); |
| 14 | |
| 15 | /* |
| 16 | * `pool' itself is a pool of random data which we actually use: we |
| 17 | * return bytes from `pool', at position `poolpos', until `poolpos' |
| 18 | * reaches the end of the pool. At this point we generate more |
| 19 | * random data, by adding noise, stirring well, and resetting |
| 20 | * `poolpos' to point to just past the beginning of the pool (not |
| 21 | * _the_ beginning, since otherwise we'd give away the whole |
| 22 | * contents of our pool, and attackers would just have to guess the |
| 23 | * next lot of noise). |
| 24 | * |
| 25 | * `incomingb' buffers acquired noise data, until it gets full, at |
| 26 | * which point the acquired noise is SHA'ed into `incoming' and |
| 27 | * `incomingb' is cleared. The noise in `incoming' is used as part |
| 28 | * of the noise for each stirring of the pool, in addition to local |
| 29 | * time, process listings, and other such stuff. |
| 30 | */ |
| 31 | |
| 32 | #define HASHINPUT 64 /* 64 bytes SHA input */ |
| 33 | #define HASHSIZE 20 /* 160 bits SHA output */ |
| 34 | #define POOLSIZE 1200 /* size of random pool */ |
| 35 | |
| 36 | struct RandPool { |
| 37 | unsigned char pool[POOLSIZE]; |
| 38 | int poolpos; |
| 39 | |
| 40 | unsigned char incoming[HASHSIZE]; |
| 41 | |
| 42 | unsigned char incomingb[HASHINPUT]; |
| 43 | int incomingpos; |
| 44 | |
| 45 | int stir_pending; |
| 46 | }; |
| 47 | |
| 48 | static struct RandPool pool; |
| 49 | int random_active = 0; |
| 50 | long next_noise_collection; |
| 51 | |
| 52 | static void random_stir(void) |
| 53 | { |
| 54 | word32 block[HASHINPUT / sizeof(word32)]; |
| 55 | word32 digest[HASHSIZE / sizeof(word32)]; |
| 56 | int i, j, k; |
| 57 | |
| 58 | /* |
| 59 | * noise_get_light will call random_add_noise, which may call |
| 60 | * back to here. Prevent recursive stirs. |
| 61 | */ |
| 62 | if (pool.stir_pending) |
| 63 | return; |
| 64 | pool.stir_pending = TRUE; |
| 65 | |
| 66 | noise_get_light(random_add_noise); |
| 67 | |
| 68 | SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb); |
| 69 | pool.incomingpos = 0; |
| 70 | |
| 71 | /* |
| 72 | * Chunks of this code are blatantly endianness-dependent, but |
| 73 | * as it's all random bits anyway, WHO CARES? |
| 74 | */ |
| 75 | memcpy(digest, pool.incoming, sizeof(digest)); |
| 76 | |
| 77 | /* |
| 78 | * Make two passes over the pool. |
| 79 | */ |
| 80 | for (i = 0; i < 2; i++) { |
| 81 | |
| 82 | /* |
| 83 | * We operate SHA in CFB mode, repeatedly adding the same |
| 84 | * block of data to the digest. But we're also fiddling |
| 85 | * with the digest-so-far, so this shouldn't be Bad or |
| 86 | * anything. |
| 87 | */ |
| 88 | memcpy(block, pool.pool, sizeof(block)); |
| 89 | |
| 90 | /* |
| 91 | * Each pass processes the pool backwards in blocks of |
| 92 | * HASHSIZE, just so that in general we get the output of |
| 93 | * SHA before the corresponding input, in the hope that |
| 94 | * things will be that much less predictable that way |
| 95 | * round, when we subsequently return bytes ... |
| 96 | */ |
| 97 | for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) { |
| 98 | /* |
| 99 | * XOR the bit of the pool we're processing into the |
| 100 | * digest. |
| 101 | */ |
| 102 | |
| 103 | for (k = 0; k < sizeof(digest) / sizeof(*digest); k++) |
| 104 | digest[k] ^= ((word32 *) (pool.pool + j))[k]; |
| 105 | |
| 106 | /* |
| 107 | * Munge our unrevealed first block of the pool into |
| 108 | * it. |
| 109 | */ |
| 110 | SHATransform(digest, block); |
| 111 | |
| 112 | /* |
| 113 | * Stick the result back into the pool. |
| 114 | */ |
| 115 | |
| 116 | for (k = 0; k < sizeof(digest) / sizeof(*digest); k++) |
| 117 | ((word32 *) (pool.pool + j))[k] = digest[k]; |
| 118 | } |
| 119 | } |
| 120 | |
| 121 | /* |
| 122 | * Might as well save this value back into `incoming', just so |
| 123 | * there'll be some extra bizarreness there. |
| 124 | */ |
| 125 | SHATransform(digest, block); |
| 126 | memcpy(pool.incoming, digest, sizeof(digest)); |
| 127 | |
| 128 | pool.poolpos = sizeof(pool.incoming); |
| 129 | |
| 130 | pool.stir_pending = FALSE; |
| 131 | } |
| 132 | |
| 133 | void random_add_noise(void *noise, int length) |
| 134 | { |
| 135 | unsigned char *p = noise; |
| 136 | int i; |
| 137 | |
| 138 | if (!random_active) |
| 139 | return; |
| 140 | |
| 141 | /* |
| 142 | * This function processes HASHINPUT bytes into only HASHSIZE |
| 143 | * bytes, so _if_ we were getting incredibly high entropy |
| 144 | * sources then we would be throwing away valuable stuff. |
| 145 | */ |
| 146 | while (length >= (HASHINPUT - pool.incomingpos)) { |
| 147 | memcpy(pool.incomingb + pool.incomingpos, p, |
| 148 | HASHINPUT - pool.incomingpos); |
| 149 | p += HASHINPUT - pool.incomingpos; |
| 150 | length -= HASHINPUT - pool.incomingpos; |
| 151 | SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb); |
| 152 | for (i = 0; i < HASHSIZE; i++) { |
| 153 | pool.pool[pool.poolpos++] ^= pool.incomingb[i]; |
| 154 | if (pool.poolpos >= POOLSIZE) |
| 155 | pool.poolpos = 0; |
| 156 | } |
| 157 | if (pool.poolpos < HASHSIZE) |
| 158 | random_stir(); |
| 159 | |
| 160 | pool.incomingpos = 0; |
| 161 | } |
| 162 | |
| 163 | memcpy(pool.incomingb + pool.incomingpos, p, length); |
| 164 | pool.incomingpos += length; |
| 165 | } |
| 166 | |
| 167 | void random_add_heavynoise(void *noise, int length) |
| 168 | { |
| 169 | unsigned char *p = noise; |
| 170 | int i; |
| 171 | |
| 172 | while (length >= POOLSIZE) { |
| 173 | for (i = 0; i < POOLSIZE; i++) |
| 174 | pool.pool[i] ^= *p++; |
| 175 | random_stir(); |
| 176 | length -= POOLSIZE; |
| 177 | } |
| 178 | |
| 179 | for (i = 0; i < length; i++) |
| 180 | pool.pool[i] ^= *p++; |
| 181 | random_stir(); |
| 182 | } |
| 183 | |
| 184 | static void random_add_heavynoise_bitbybit(void *noise, int length) |
| 185 | { |
| 186 | unsigned char *p = noise; |
| 187 | int i; |
| 188 | |
| 189 | while (length >= POOLSIZE - pool.poolpos) { |
| 190 | for (i = 0; i < POOLSIZE - pool.poolpos; i++) |
| 191 | pool.pool[pool.poolpos + i] ^= *p++; |
| 192 | random_stir(); |
| 193 | length -= POOLSIZE - pool.poolpos; |
| 194 | pool.poolpos = 0; |
| 195 | } |
| 196 | |
| 197 | for (i = 0; i < length; i++) |
| 198 | pool.pool[i] ^= *p++; |
| 199 | pool.poolpos = i; |
| 200 | } |
| 201 | |
| 202 | static void random_timer(void *ctx, long now) |
| 203 | { |
| 204 | if (random_active > 0 && now - next_noise_collection >= 0) { |
| 205 | noise_regular(); |
| 206 | next_noise_collection = |
| 207 | schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool); |
| 208 | } |
| 209 | } |
| 210 | |
| 211 | void random_ref(void) |
| 212 | { |
| 213 | if (!random_active) { |
| 214 | memset(&pool, 0, sizeof(pool)); /* just to start with */ |
| 215 | |
| 216 | noise_get_heavy(random_add_heavynoise_bitbybit); |
| 217 | random_stir(); |
| 218 | |
| 219 | next_noise_collection = |
| 220 | schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool); |
| 221 | } |
| 222 | |
| 223 | random_active++; |
| 224 | } |
| 225 | |
| 226 | void random_unref(void) |
| 227 | { |
| 228 | random_active--; |
| 229 | assert(random_active >= 0); |
| 230 | if (random_active) return; |
| 231 | |
| 232 | expire_timer_context(&pool); |
| 233 | } |
| 234 | |
| 235 | int random_byte(void) |
| 236 | { |
| 237 | if (pool.poolpos >= POOLSIZE) |
| 238 | random_stir(); |
| 239 | |
| 240 | return pool.pool[pool.poolpos++]; |
| 241 | } |
| 242 | |
| 243 | void random_get_savedata(void **data, int *len) |
| 244 | { |
| 245 | void *buf = snewn(POOLSIZE / 2, char); |
| 246 | random_stir(); |
| 247 | memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2); |
| 248 | *len = POOLSIZE / 2; |
| 249 | *data = buf; |
| 250 | random_stir(); |
| 251 | } |