mdw@git.distorted.org.uk Git - sgt/putty/blob - sshrand.c

   1 /*
   2  * cryptographic random number generator for PuTTY's ssh client
   3  */
   4
   5 #include "putty.h"
   6 #include "ssh.h"
   7 #include <assert.h>
   8
   9 /* Collect environmental noise every 5 minutes */
  10 #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)
  11
  12 void noise_get_heavy(void (*func) (void *, int));
  13 void noise_get_light(void (*func) (void *, int));
  14
  15 /*
  16  * `pool' itself is a pool of random data which we actually use: we
  17  * return bytes from `pool', at position `poolpos', until `poolpos'
  18  * reaches the end of the pool. At this point we generate more
  19  * random data, by adding noise, stirring well, and resetting
  20  * `poolpos' to point to just past the beginning of the pool (not
  21  * _the_ beginning, since otherwise we'd give away the whole
  22  * contents of our pool, and attackers would just have to guess the
  23  * next lot of noise).
  24  *
  25  * `incomingb' buffers acquired noise data, until it gets full, at
  26  * which point the acquired noise is SHA'ed into `incoming' and
  27  * `incomingb' is cleared. The noise in `incoming' is used as part
  28  * of the noise for each stirring of the pool, in addition to local
  29  * time, process listings, and other such stuff.
  30  */
  31
  32 #define HASHINPUT 64                   /* 64 bytes SHA input */
  33 #define HASHSIZE 20                    /* 160 bits SHA output */
  34 #define POOLSIZE 1200                  /* size of random pool */
  35
  36 struct RandPool {
  37     unsigned char pool[POOLSIZE];
  38     int poolpos;
  39
  40     unsigned char incoming[HASHSIZE];
  41
  42     unsigned char incomingb[HASHINPUT];
  43     int incomingpos;
  44
  45     int stir_pending;
  46 };
  47
  48 static struct RandPool pool;
  49 int random_active = 0;
  50 long next_noise_collection;
  51
  52 static void random_stir(void)
  53 {
  54     word32 block[HASHINPUT / sizeof(word32)];
  55     word32 digest[HASHSIZE / sizeof(word32)];
  56     int i, j, k;
  57
  58     /*
  59      * noise_get_light will call random_add_noise, which may call
  60      * back to here. Prevent recursive stirs.
  61      */
  62     if (pool.stir_pending)
  63         return;
  64     pool.stir_pending = TRUE;
  65
  66     noise_get_light(random_add_noise);
  67
  68     SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
  69     pool.incomingpos = 0;
  70
  71     /*
  72      * Chunks of this code are blatantly endianness-dependent, but
  73      * as it's all random bits anyway, WHO CARES?
  74      */
  75     memcpy(digest, pool.incoming, sizeof(digest));
  76
  77     /*
  78      * Make two passes over the pool.
  79      */
  80     for (i = 0; i < 2; i++) {
  81
  82         /*
  83          * We operate SHA in CFB mode, repeatedly adding the same
  84          * block of data to the digest. But we're also fiddling
  85          * with the digest-so-far, so this shouldn't be Bad or
  86          * anything.
  87          */
  88         memcpy(block, pool.pool, sizeof(block));
  89
  90         /*
  91          * Each pass processes the pool backwards in blocks of
  92          * HASHSIZE, just so that in general we get the output of
  93          * SHA before the corresponding input, in the hope that
  94          * things will be that much less predictable that way
  95          * round, when we subsequently return bytes ...
  96          */
  97         for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {
  98             /*
  99              * XOR the bit of the pool we're processing into the
 100              * digest.
 101              */
 102
 103             for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
 104                 digest[k] ^= ((word32 *) (pool.pool + j))[k];
 105
 106             /*
 107              * Munge our unrevealed first block of the pool into
 108              * it.
 109              */
 110             SHATransform(digest, block);
 111
 112             /*
 113              * Stick the result back into the pool.
 114              */
 115
 116             for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
 117                 ((word32 *) (pool.pool + j))[k] = digest[k];
 118         }
 119     }
 120
 121     /*
 122      * Might as well save this value back into `incoming', just so
 123      * there'll be some extra bizarreness there.
 124      */
 125     SHATransform(digest, block);
 126     memcpy(pool.incoming, digest, sizeof(digest));
 127
 128     pool.poolpos = sizeof(pool.incoming);
 129
 130     pool.stir_pending = FALSE;
 131 }
 132
 133 void random_add_noise(void *noise, int length)
 134 {
 135     unsigned char *p = noise;
 136     int i;
 137
 138     if (!random_active)
 139         return;
 140
 141     /*
 142      * This function processes HASHINPUT bytes into only HASHSIZE
 143      * bytes, so _if_ we were getting incredibly high entropy
 144      * sources then we would be throwing away valuable stuff.
 145      */
 146     while (length >= (HASHINPUT - pool.incomingpos)) {
 147         memcpy(pool.incomingb + pool.incomingpos, p,
 148                HASHINPUT - pool.incomingpos);
 149         p += HASHINPUT - pool.incomingpos;
 150         length -= HASHINPUT - pool.incomingpos;
 151         SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
 152         for (i = 0; i < HASHSIZE; i++) {
 153             pool.pool[pool.poolpos++] ^= pool.incomingb[i];
 154             if (pool.poolpos >= POOLSIZE)
 155                 pool.poolpos = 0;
 156         }
 157         if (pool.poolpos < HASHSIZE)
 158             random_stir();
 159
 160         pool.incomingpos = 0;
 161     }
 162
 163     memcpy(pool.incomingb + pool.incomingpos, p, length);
 164     pool.incomingpos += length;
 165 }
 166
 167 void random_add_heavynoise(void *noise, int length)
 168 {
 169     unsigned char *p = noise;
 170     int i;
 171
 172     while (length >= POOLSIZE) {
 173         for (i = 0; i < POOLSIZE; i++)
 174             pool.pool[i] ^= *p++;
 175         random_stir();
 176         length -= POOLSIZE;
 177     }
 178
 179     for (i = 0; i < length; i++)
 180         pool.pool[i] ^= *p++;
 181     random_stir();
 182 }
 183
 184 static void random_add_heavynoise_bitbybit(void *noise, int length)
 185 {
 186     unsigned char *p = noise;
 187     int i;
 188
 189     while (length >= POOLSIZE - pool.poolpos) {
 190         for (i = 0; i < POOLSIZE - pool.poolpos; i++)
 191             pool.pool[pool.poolpos + i] ^= *p++;
 192         random_stir();
 193         length -= POOLSIZE - pool.poolpos;
 194         pool.poolpos = 0;
 195     }
 196
 197     for (i = 0; i < length; i++)
 198         pool.pool[i] ^= *p++;
 199     pool.poolpos = i;
 200 }
 201
 202 static void random_timer(void *ctx, unsigned long now)
 203 {
 204     if (random_active > 0 && now == next_noise_collection) {
 205         noise_regular();
 206         next_noise_collection =
 207             schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
 208     }
 209 }
 210
 211 void random_ref(void)
 212 {
 213     if (!random_active) {
 214         memset(&pool, 0, sizeof(pool));    /* just to start with */
 215
 216         noise_get_heavy(random_add_heavynoise_bitbybit);
 217         random_stir();
 218
 219         next_noise_collection =
 220             schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
 221     }
 222
 223     random_active++;
 224 }
 225
 226 void random_unref(void)
 227 {
 228     random_active--;
 229     assert(random_active >= 0);
 230     if (random_active) return;
 231
 232     expire_timer_context(&pool);
 233 }
 234
 235 int random_byte(void)
 236 {
 237     assert(random_active);
 238
 239     if (pool.poolpos >= POOLSIZE)
 240         random_stir();
 241
 242     return pool.pool[pool.poolpos++];
 243 }
 244
 245 void random_get_savedata(void **data, int *len)
 246 {
 247     void *buf = snewn(POOLSIZE / 2, char);
 248     random_stir();
 249     memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);
 250     *len = POOLSIZE / 2;
 251     *data = buf;
 252     random_stir();
 253 }