2 * cryptographic random number generator for PuTTY's ssh client
8 /* Collect environmental noise every 5 minutes */
9 #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)
11 void noise_get_heavy(void (*func
) (void *, int));
12 void noise_get_light(void (*func
) (void *, int));
15 * `pool' itself is a pool of random data which we actually use: we
16 * return bytes from `pool', at position `poolpos', until `poolpos'
17 * reaches the end of the pool. At this point we generate more
18 * random data, by adding noise, stirring well, and resetting
19 * `poolpos' to point to just past the beginning of the pool (not
20 * _the_ beginning, since otherwise we'd give away the whole
21 * contents of our pool, and attackers would just have to guess the
24 * `incomingb' buffers acquired noise data, until it gets full, at
25 * which point the acquired noise is SHA'ed into `incoming' and
26 * `incomingb' is cleared. The noise in `incoming' is used as part
27 * of the noise for each stirring of the pool, in addition to local
28 * time, process listings, and other such stuff.
31 #define HASHINPUT 64 /* 64 bytes SHA input */
32 #define HASHSIZE 20 /* 160 bits SHA output */
33 #define POOLSIZE 1200 /* size of random pool */
36 unsigned char pool
[POOLSIZE
];
39 unsigned char incoming
[HASHSIZE
];
41 unsigned char incomingb
[HASHINPUT
];
45 static struct RandPool pool
;
46 int random_active
= 0;
47 long next_noise_collection
;
49 static void random_stir(void)
51 word32 block
[HASHINPUT
/ sizeof(word32
)];
52 word32 digest
[HASHSIZE
/ sizeof(word32
)];
55 noise_get_light(random_add_noise
);
57 SHATransform((word32
*) pool
.incoming
, (word32
*) pool
.incomingb
);
61 * Chunks of this code are blatantly endianness-dependent, but
62 * as it's all random bits anyway, WHO CARES?
64 memcpy(digest
, pool
.incoming
, sizeof(digest
));
67 * Make two passes over the pool.
69 for (i
= 0; i
< 2; i
++) {
72 * We operate SHA in CFB mode, repeatedly adding the same
73 * block of data to the digest. But we're also fiddling
74 * with the digest-so-far, so this shouldn't be Bad or
77 memcpy(block
, pool
.pool
, sizeof(block
));
80 * Each pass processes the pool backwards in blocks of
81 * HASHSIZE, just so that in general we get the output of
82 * SHA before the corresponding input, in the hope that
83 * things will be that much less predictable that way
84 * round, when we subsequently return bytes ...
86 for (j
= POOLSIZE
; (j
-= HASHSIZE
) >= 0;) {
88 * XOR the bit of the pool we're processing into the
92 for (k
= 0; k
< sizeof(digest
) / sizeof(*digest
); k
++)
93 digest
[k
] ^= ((word32
*) (pool
.pool
+ j
))[k
];
96 * Munge our unrevealed first block of the pool into
99 SHATransform(digest
, block
);
102 * Stick the result back into the pool.
105 for (k
= 0; k
< sizeof(digest
) / sizeof(*digest
); k
++)
106 ((word32
*) (pool
.pool
+ j
))[k
] = digest
[k
];
111 * Might as well save this value back into `incoming', just so
112 * there'll be some extra bizarreness there.
114 SHATransform(digest
, block
);
115 memcpy(pool
.incoming
, digest
, sizeof(digest
));
117 pool
.poolpos
= sizeof(pool
.incoming
);
120 void random_add_noise(void *noise
, int length
)
122 unsigned char *p
= noise
;
129 * This function processes HASHINPUT bytes into only HASHSIZE
130 * bytes, so _if_ we were getting incredibly high entropy
131 * sources then we would be throwing away valuable stuff.
133 while (length
>= (HASHINPUT
- pool
.incomingpos
)) {
134 memcpy(pool
.incomingb
+ pool
.incomingpos
, p
,
135 HASHINPUT
- pool
.incomingpos
);
136 p
+= HASHINPUT
- pool
.incomingpos
;
137 length
-= HASHINPUT
- pool
.incomingpos
;
138 SHATransform((word32
*) pool
.incoming
, (word32
*) pool
.incomingb
);
139 for (i
= 0; i
< HASHSIZE
; i
++) {
140 pool
.pool
[pool
.poolpos
++] ^= pool
.incomingb
[i
];
141 if (pool
.poolpos
>= POOLSIZE
)
144 if (pool
.poolpos
< HASHSIZE
)
147 pool
.incomingpos
= 0;
150 memcpy(pool
.incomingb
+ pool
.incomingpos
, p
, length
);
151 pool
.incomingpos
+= length
;
154 void random_add_heavynoise(void *noise
, int length
)
156 unsigned char *p
= noise
;
159 while (length
>= POOLSIZE
) {
160 for (i
= 0; i
< POOLSIZE
; i
++)
161 pool
.pool
[i
] ^= *p
++;
166 for (i
= 0; i
< length
; i
++)
167 pool
.pool
[i
] ^= *p
++;
171 static void random_add_heavynoise_bitbybit(void *noise
, int length
)
173 unsigned char *p
= noise
;
176 while (length
>= POOLSIZE
- pool
.poolpos
) {
177 for (i
= 0; i
< POOLSIZE
- pool
.poolpos
; i
++)
178 pool
.pool
[pool
.poolpos
+ i
] ^= *p
++;
180 length
-= POOLSIZE
- pool
.poolpos
;
184 for (i
= 0; i
< length
; i
++)
185 pool
.pool
[i
] ^= *p
++;
189 static void random_timer(void *ctx
, long now
)
191 if (random_active
> 0 && now
- next_noise_collection
>= 0) {
193 next_noise_collection
=
194 schedule_timer(NOISE_REGULAR_INTERVAL
, random_timer
, &pool
);
198 void random_ref(void)
200 if (!random_active
) {
201 memset(&pool
, 0, sizeof(pool
)); /* just to start with */
203 noise_get_heavy(random_add_heavynoise_bitbybit
);
206 next_noise_collection
=
207 schedule_timer(NOISE_REGULAR_INTERVAL
, random_timer
, &pool
);
213 void random_unref(void)
218 int random_byte(void)
220 if (pool
.poolpos
>= POOLSIZE
)
223 return pool
.pool
[pool
.poolpos
++];
226 void random_get_savedata(void **data
, int *len
)
228 void *buf
= snewn(POOLSIZE
/ 2, char);
230 memcpy(buf
, pool
.pool
+ pool
.poolpos
, POOLSIZE
/ 2);