2 * cryptographic random number generator for PuTTY's ssh client
9 /* Collect environmental noise every 5 minutes */
10 #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)
12 void noise_get_heavy(void (*func
) (void *, int));
13 void noise_get_light(void (*func
) (void *, int));
16 * `pool' itself is a pool of random data which we actually use: we
17 * return bytes from `pool', at position `poolpos', until `poolpos'
18 * reaches the end of the pool. At this point we generate more
19 * random data, by adding noise, stirring well, and resetting
20 * `poolpos' to point to just past the beginning of the pool (not
21 * _the_ beginning, since otherwise we'd give away the whole
22 * contents of our pool, and attackers would just have to guess the
25 * `incomingb' buffers acquired noise data, until it gets full, at
26 * which point the acquired noise is SHA'ed into `incoming' and
27 * `incomingb' is cleared. The noise in `incoming' is used as part
28 * of the noise for each stirring of the pool, in addition to local
29 * time, process listings, and other such stuff.
32 #define HASHINPUT 64 /* 64 bytes SHA input */
33 #define HASHSIZE 20 /* 160 bits SHA output */
34 #define POOLSIZE 1200 /* size of random pool */
37 unsigned char pool
[POOLSIZE
];
40 unsigned char incoming
[HASHSIZE
];
42 unsigned char incomingb
[HASHINPUT
];
48 static struct RandPool pool
;
49 int random_active
= 0;
50 long next_noise_collection
;
52 #ifdef RANDOM_DIAGNOSTICS
53 int random_diagnostics
= 0;
56 static void random_stir(void)
58 word32 block
[HASHINPUT
/ sizeof(word32
)];
59 word32 digest
[HASHSIZE
/ sizeof(word32
)];
63 * noise_get_light will call random_add_noise, which may call
64 * back to here. Prevent recursive stirs.
66 if (pool
.stir_pending
)
68 pool
.stir_pending
= TRUE
;
70 noise_get_light(random_add_noise
);
72 #ifdef RANDOM_DIAGNOSTICS
75 printf("random stir starting\npool:\n");
76 for (p
= 0; p
< POOLSIZE
; p
+= HASHSIZE
) {
78 for (q
= 0; q
< HASHSIZE
; q
+= 4) {
79 printf(" %08x", *(word32
*)(pool
.pool
+ p
+ q
));
83 printf("incoming:\n ");
84 for (q
= 0; q
< HASHSIZE
; q
+= 4) {
85 printf(" %08x", *(word32
*)(pool
.incoming
+ q
));
87 printf("\nincomingb:\n ");
88 for (q
= 0; q
< HASHINPUT
; q
+= 4) {
89 printf(" %08x", *(word32
*)(pool
.incomingb
+ q
));
96 SHATransform((word32
*) pool
.incoming
, (word32
*) pool
.incomingb
);
100 * Chunks of this code are blatantly endianness-dependent, but
101 * as it's all random bits anyway, WHO CARES?
103 memcpy(digest
, pool
.incoming
, sizeof(digest
));
106 * Make two passes over the pool.
108 for (i
= 0; i
< 2; i
++) {
111 * We operate SHA in CFB mode, repeatedly adding the same
112 * block of data to the digest. But we're also fiddling
113 * with the digest-so-far, so this shouldn't be Bad or
116 memcpy(block
, pool
.pool
, sizeof(block
));
119 * Each pass processes the pool backwards in blocks of
120 * HASHSIZE, just so that in general we get the output of
121 * SHA before the corresponding input, in the hope that
122 * things will be that much less predictable that way
123 * round, when we subsequently return bytes ...
125 for (j
= POOLSIZE
; (j
-= HASHSIZE
) >= 0;) {
127 * XOR the bit of the pool we're processing into the
131 for (k
= 0; k
< sizeof(digest
) / sizeof(*digest
); k
++)
132 digest
[k
] ^= ((word32
*) (pool
.pool
+ j
))[k
];
135 * Munge our unrevealed first block of the pool into
138 SHATransform(digest
, block
);
141 * Stick the result back into the pool.
144 for (k
= 0; k
< sizeof(digest
) / sizeof(*digest
); k
++)
145 ((word32
*) (pool
.pool
+ j
))[k
] = digest
[k
];
148 #ifdef RANDOM_DIAGNOSTICS
151 printf("random stir midpoint\npool:\n");
152 for (p
= 0; p
< POOLSIZE
; p
+= HASHSIZE
) {
154 for (q
= 0; q
< HASHSIZE
; q
+= 4) {
155 printf(" %08x", *(word32
*)(pool
.pool
+ p
+ q
));
159 printf("incoming:\n ");
160 for (q
= 0; q
< HASHSIZE
; q
+= 4) {
161 printf(" %08x", *(word32
*)(pool
.incoming
+ q
));
163 printf("\nincomingb:\n ");
164 for (q
= 0; q
< HASHINPUT
; q
+= 4) {
165 printf(" %08x", *(word32
*)(pool
.incomingb
+ q
));
173 * Might as well save this value back into `incoming', just so
174 * there'll be some extra bizarreness there.
176 SHATransform(digest
, block
);
177 memcpy(pool
.incoming
, digest
, sizeof(digest
));
179 pool
.poolpos
= sizeof(pool
.incoming
);
181 pool
.stir_pending
= FALSE
;
183 #ifdef RANDOM_DIAGNOSTICS
186 printf("random stir done\npool:\n");
187 for (p
= 0; p
< POOLSIZE
; p
+= HASHSIZE
) {
189 for (q
= 0; q
< HASHSIZE
; q
+= 4) {
190 printf(" %08x", *(word32
*)(pool
.pool
+ p
+ q
));
194 printf("incoming:\n ");
195 for (q
= 0; q
< HASHSIZE
; q
+= 4) {
196 printf(" %08x", *(word32
*)(pool
.incoming
+ q
));
198 printf("\nincomingb:\n ");
199 for (q
= 0; q
< HASHINPUT
; q
+= 4) {
200 printf(" %08x", *(word32
*)(pool
.incomingb
+ q
));
203 random_diagnostics
--;
208 void random_add_noise(void *noise
, int length
)
210 unsigned char *p
= noise
;
217 * This function processes HASHINPUT bytes into only HASHSIZE
218 * bytes, so _if_ we were getting incredibly high entropy
219 * sources then we would be throwing away valuable stuff.
221 while (length
>= (HASHINPUT
- pool
.incomingpos
)) {
222 memcpy(pool
.incomingb
+ pool
.incomingpos
, p
,
223 HASHINPUT
- pool
.incomingpos
);
224 p
+= HASHINPUT
- pool
.incomingpos
;
225 length
-= HASHINPUT
- pool
.incomingpos
;
226 SHATransform((word32
*) pool
.incoming
, (word32
*) pool
.incomingb
);
227 for (i
= 0; i
< HASHSIZE
; i
++) {
228 pool
.pool
[pool
.poolpos
++] ^= pool
.incomingb
[i
];
229 if (pool
.poolpos
>= POOLSIZE
)
232 if (pool
.poolpos
< HASHSIZE
)
235 pool
.incomingpos
= 0;
238 memcpy(pool
.incomingb
+ pool
.incomingpos
, p
, length
);
239 pool
.incomingpos
+= length
;
242 void random_add_heavynoise(void *noise
, int length
)
244 unsigned char *p
= noise
;
247 while (length
>= POOLSIZE
) {
248 for (i
= 0; i
< POOLSIZE
; i
++)
249 pool
.pool
[i
] ^= *p
++;
254 for (i
= 0; i
< length
; i
++)
255 pool
.pool
[i
] ^= *p
++;
259 static void random_add_heavynoise_bitbybit(void *noise
, int length
)
261 unsigned char *p
= noise
;
264 while (length
>= POOLSIZE
- pool
.poolpos
) {
265 for (i
= 0; i
< POOLSIZE
- pool
.poolpos
; i
++)
266 pool
.pool
[pool
.poolpos
+ i
] ^= *p
++;
268 length
-= POOLSIZE
- pool
.poolpos
;
272 for (i
= 0; i
< length
; i
++)
273 pool
.pool
[i
] ^= *p
++;
277 static void random_timer(void *ctx
, unsigned long now
)
279 if (random_active
> 0 && now
== next_noise_collection
) {
281 next_noise_collection
=
282 schedule_timer(NOISE_REGULAR_INTERVAL
, random_timer
, &pool
);
286 void random_ref(void)
288 if (!random_active
) {
289 memset(&pool
, 0, sizeof(pool
)); /* just to start with */
293 noise_get_heavy(random_add_heavynoise_bitbybit
);
296 next_noise_collection
=
297 schedule_timer(NOISE_REGULAR_INTERVAL
, random_timer
, &pool
);
301 void random_unref(void)
303 assert(random_active
> 0);
304 if (random_active
== 1) {
306 expire_timer_context(&pool
);
311 int random_byte(void)
313 assert(random_active
);
315 if (pool
.poolpos
>= POOLSIZE
)
318 return pool
.pool
[pool
.poolpos
++];
321 void random_get_savedata(void **data
, int *len
)
323 void *buf
= snewn(POOLSIZE
/ 2, char);
325 memcpy(buf
, pool
.pool
+ pool
.poolpos
, POOLSIZE
/ 2);