2 * cryptographic random number generator for PuTTY's ssh client
7 void noise_get_heavy(void (*func
) (void *, int));
8 void noise_get_light(void (*func
) (void *, int));
11 * `pool' itself is a pool of random data which we actually use: we
12 * return bytes from `pool', at position `poolpos', until `poolpos'
13 * reaches the end of the pool. At this point we generate more
14 * random data, by adding noise, stirring well, and resetting
15 * `poolpos' to point to just past the beginning of the pool (not
16 * _the_ beginning, since otherwise we'd give away the whole
17 * contents of our pool, and attackers would just have to guess the
20 * `incomingb' buffers acquired noise data, until it gets full, at
21 * which point the acquired noise is SHA'ed into `incoming' and
22 * `incomingb' is cleared. The noise in `incoming' is used as part
23 * of the noise for each stirring of the pool, in addition to local
24 * time, process listings, and other such stuff.
27 #define HASHINPUT 64 /* 64 bytes SHA input */
28 #define HASHSIZE 20 /* 160 bits SHA output */
29 #define POOLSIZE 1200 /* size of random pool */
32 unsigned char pool
[POOLSIZE
];
35 unsigned char incoming
[HASHSIZE
];
37 unsigned char incomingb
[HASHINPUT
];
41 static struct RandPool pool
;
43 void random_add_noise(void *noise
, int length
) {
44 unsigned char *p
= noise
;
46 while (length
>= (HASHINPUT
- pool
.incomingpos
)) {
47 memcpy(pool
.incomingb
+ pool
.incomingpos
, p
,
48 HASHINPUT
- pool
.incomingpos
);
49 p
+= HASHINPUT
- pool
.incomingpos
;
50 length
-= HASHINPUT
- pool
.incomingpos
;
51 SHATransform((word32
*)pool
.incoming
, (word32
*)pool
.incomingb
);
55 memcpy(pool
.incomingb
+ pool
.incomingpos
, p
, length
);
56 pool
.incomingpos
+= length
;
59 void random_stir(void) {
60 word32 block
[HASHINPUT
/sizeof(word32
)];
61 word32 digest
[HASHSIZE
/sizeof(word32
)];
64 noise_get_light(random_add_noise
);
66 SHATransform((word32
*)pool
.incoming
, (word32
*)pool
.incomingb
);
70 * Chunks of this code are blatantly endianness-dependent, but
71 * as it's all random bits anyway, WHO CARES?
73 memcpy(digest
, pool
.incoming
, sizeof(digest
));
76 * Make two passes over the pool.
78 for (i
= 0; i
< 2; i
++) {
81 * We operate SHA in CFB mode, repeatedly adding the same
82 * block of data to the digest. But we're also fiddling
83 * with the digest-so-far, so this shouldn't be Bad or
86 memcpy(block
, pool
.pool
, sizeof(block
));
89 * Each pass processes the pool backwards in blocks of
90 * HASHSIZE, just so that in general we get the output of
91 * SHA before the corresponding input, in the hope that
92 * things will be that much less predictable that way
93 * round, when we subsequently return bytes ...
95 for (j
= POOLSIZE
; (j
-= HASHSIZE
) >= 0 ;) {
97 * XOR the bit of the pool we're processing into the
101 for (k
= 0; k
< sizeof(digest
)/sizeof(*digest
); k
++)
102 digest
[k
] ^= ((word32
*)(pool
.pool
+j
))[k
];
105 * Munge our unrevealed first block of the pool into
108 SHATransform(digest
, block
);
111 * Stick the result back into the pool.
114 for (k
= 0; k
< sizeof(digest
)/sizeof(*digest
); k
++)
115 ((word32
*)(pool
.pool
+j
))[k
] = digest
[k
];
120 * Might as well save this value back into `incoming', just so
121 * there'll be some extra bizarreness there.
123 SHATransform(digest
, block
);
124 memcpy(pool
.incoming
, digest
, sizeof(digest
));
126 pool
.poolpos
= sizeof(pool
.incoming
);
129 static void random_add_heavynoise(void *noise
, int length
) {
130 unsigned char *p
= noise
;
132 while (length
>= (POOLSIZE
- pool
.poolpos
)) {
133 memcpy(pool
.pool
+ pool
.poolpos
, p
, POOLSIZE
- pool
.poolpos
);
134 p
+= POOLSIZE
- pool
.poolpos
;
135 length
-= POOLSIZE
- pool
.poolpos
;
140 memcpy(pool
.pool
+ pool
.poolpos
, p
, length
);
141 pool
.poolpos
+= length
;
144 void random_init(void) {
145 memset(&pool
, 0, sizeof(pool
)); /* just to start with */
148 * For noise_get_heavy, we temporarily use `poolpos' as the
149 * pointer for addition of noise, rather than extraction of
153 noise_get_heavy(random_add_heavynoise
);
158 int random_byte(void) {
159 if (pool
.poolpos
>= POOLSIZE
)
162 return pool
.pool
[pool
.poolpos
++];
165 void random_get_savedata(void **data
, int *len
) {
167 *data
= pool
.pool
+pool
.poolpos
;