~mdw / sgt / putty / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add an error check to every setsockopt call in uxnet.c.
[sgt/putty] / sshrand.c
1 /*
2 * cryptographic random number generator for PuTTY's ssh client
3 */
4
5 #include "putty.h"
6 #include "ssh.h"
7 #include <assert.h>
8
9 /* Collect environmental noise every 5 minutes */
10 #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)
11
12 void noise_get_heavy(void (*func) (void *, int));
13 void noise_get_light(void (*func) (void *, int));
14
15 /*
16 * `pool' itself is a pool of random data which we actually use: we
17 * return bytes from `pool', at position `poolpos', until `poolpos'
18 * reaches the end of the pool. At this point we generate more
19 * random data, by adding noise, stirring well, and resetting
20 * `poolpos' to point to just past the beginning of the pool (not
21 * _the_ beginning, since otherwise we'd give away the whole
22 * contents of our pool, and attackers would just have to guess the
23 * next lot of noise).
24 *
25 * `incomingb' buffers acquired noise data, until it gets full, at
26 * which point the acquired noise is SHA'ed into `incoming' and
27 * `incomingb' is cleared. The noise in `incoming' is used as part
28 * of the noise for each stirring of the pool, in addition to local
29 * time, process listings, and other such stuff.
30 */
31
32 #define HASHINPUT 64 /* 64 bytes SHA input */
33 #define HASHSIZE 20 /* 160 bits SHA output */
34 #define POOLSIZE 1200 /* size of random pool */
35
36 struct RandPool {
37 unsigned char pool[POOLSIZE];
38 int poolpos;
39
40 unsigned char incoming[HASHSIZE];
41
42 unsigned char incomingb[HASHINPUT];
43 int incomingpos;
44
45 int stir_pending;
46 };
47
48 static struct RandPool pool;
49 int random_active = 0;
50 long next_noise_collection;
51
52 #ifdef RANDOM_DIAGNOSTICS
53 int random_diagnostics = 0;
54 #endif
55
56 static void random_stir(void)
57 {
58 word32 block[HASHINPUT / sizeof(word32)];
59 word32 digest[HASHSIZE / sizeof(word32)];
60 int i, j, k;
61
62 /*
63 * noise_get_light will call random_add_noise, which may call
64 * back to here. Prevent recursive stirs.
65 */
66 if (pool.stir_pending)
67 return;
68 pool.stir_pending = TRUE;
69
70 noise_get_light(random_add_noise);
71
72 #ifdef RANDOM_DIAGNOSTICS
73 {
74 int p, q;
75 printf("random stir starting\npool:\n");
76 for (p = 0; p < POOLSIZE; p += HASHSIZE) {
77 printf(" ");
78 for (q = 0; q < HASHSIZE; q += 4) {
79 printf(" %08x", *(word32 *)(pool.pool + p + q));
80 }
81 printf("\n");
82 }
83 printf("incoming:\n ");
84 for (q = 0; q < HASHSIZE; q += 4) {
85 printf(" %08x", *(word32 *)(pool.incoming + q));
86 }
87 printf("\nincomingb:\n ");
88 for (q = 0; q < HASHINPUT; q += 4) {
89 printf(" %08x", *(word32 *)(pool.incomingb + q));
90 }
91 printf("\n");
92 random_diagnostics++;
93 }
94 #endif
95
96 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
97 pool.incomingpos = 0;
98
99 /*
100 * Chunks of this code are blatantly endianness-dependent, but
101 * as it's all random bits anyway, WHO CARES?
102 */
103 memcpy(digest, pool.incoming, sizeof(digest));
104
105 /*
106 * Make two passes over the pool.
107 */
108 for (i = 0; i < 2; i++) {
109
110 /*
111 * We operate SHA in CFB mode, repeatedly adding the same
112 * block of data to the digest. But we're also fiddling
113 * with the digest-so-far, so this shouldn't be Bad or
114 * anything.
115 */
116 memcpy(block, pool.pool, sizeof(block));
117
118 /*
119 * Each pass processes the pool backwards in blocks of
120 * HASHSIZE, just so that in general we get the output of
121 * SHA before the corresponding input, in the hope that
122 * things will be that much less predictable that way
123 * round, when we subsequently return bytes ...
124 */
125 for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {
126 /*
127 * XOR the bit of the pool we're processing into the
128 * digest.
129 */
130
131 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
132 digest[k] ^= ((word32 *) (pool.pool + j))[k];
133
134 /*
135 * Munge our unrevealed first block of the pool into
136 * it.
137 */
138 SHATransform(digest, block);
139
140 /*
141 * Stick the result back into the pool.
142 */
143
144 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
145 ((word32 *) (pool.pool + j))[k] = digest[k];
146 }
147
148 #ifdef RANDOM_DIAGNOSTICS
149 if (i == 0) {
150 int p, q;
151 printf("random stir midpoint\npool:\n");
152 for (p = 0; p < POOLSIZE; p += HASHSIZE) {
153 printf(" ");
154 for (q = 0; q < HASHSIZE; q += 4) {
155 printf(" %08x", *(word32 *)(pool.pool + p + q));
156 }
157 printf("\n");
158 }
159 printf("incoming:\n ");
160 for (q = 0; q < HASHSIZE; q += 4) {
161 printf(" %08x", *(word32 *)(pool.incoming + q));
162 }
163 printf("\nincomingb:\n ");
164 for (q = 0; q < HASHINPUT; q += 4) {
165 printf(" %08x", *(word32 *)(pool.incomingb + q));
166 }
167 printf("\n");
168 }
169 #endif
170 }
171
172 /*
173 * Might as well save this value back into `incoming', just so
174 * there'll be some extra bizarreness there.
175 */
176 SHATransform(digest, block);
177 memcpy(pool.incoming, digest, sizeof(digest));
178
179 pool.poolpos = sizeof(pool.incoming);
180
181 pool.stir_pending = FALSE;
182
183 #ifdef RANDOM_DIAGNOSTICS
184 {
185 int p, q;
186 printf("random stir done\npool:\n");
187 for (p = 0; p < POOLSIZE; p += HASHSIZE) {
188 printf(" ");
189 for (q = 0; q < HASHSIZE; q += 4) {
190 printf(" %08x", *(word32 *)(pool.pool + p + q));
191 }
192 printf("\n");
193 }
194 printf("incoming:\n ");
195 for (q = 0; q < HASHSIZE; q += 4) {
196 printf(" %08x", *(word32 *)(pool.incoming + q));
197 }
198 printf("\nincomingb:\n ");
199 for (q = 0; q < HASHINPUT; q += 4) {
200 printf(" %08x", *(word32 *)(pool.incomingb + q));
201 }
202 printf("\n");
203 random_diagnostics--;
204 }
205 #endif
206 }
207
208 void random_add_noise(void *noise, int length)
209 {
210 unsigned char *p = noise;
211 int i;
212
213 if (!random_active)
214 return;
215
216 /*
217 * This function processes HASHINPUT bytes into only HASHSIZE
218 * bytes, so _if_ we were getting incredibly high entropy
219 * sources then we would be throwing away valuable stuff.
220 */
221 while (length >= (HASHINPUT - pool.incomingpos)) {
222 memcpy(pool.incomingb + pool.incomingpos, p,
223 HASHINPUT - pool.incomingpos);
224 p += HASHINPUT - pool.incomingpos;
225 length -= HASHINPUT - pool.incomingpos;
226 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
227 for (i = 0; i < HASHSIZE; i++) {
228 pool.pool[pool.poolpos++] ^= pool.incomingb[i];
229 if (pool.poolpos >= POOLSIZE)
230 pool.poolpos = 0;
231 }
232 if (pool.poolpos < HASHSIZE)
233 random_stir();
234
235 pool.incomingpos = 0;
236 }
237
238 memcpy(pool.incomingb + pool.incomingpos, p, length);
239 pool.incomingpos += length;
240 }
241
242 void random_add_heavynoise(void *noise, int length)
243 {
244 unsigned char *p = noise;
245 int i;
246
247 while (length >= POOLSIZE) {
248 for (i = 0; i < POOLSIZE; i++)
249 pool.pool[i] ^= *p++;
250 random_stir();
251 length -= POOLSIZE;
252 }
253
254 for (i = 0; i < length; i++)
255 pool.pool[i] ^= *p++;
256 random_stir();
257 }
258
259 static void random_add_heavynoise_bitbybit(void *noise, int length)
260 {
261 unsigned char *p = noise;
262 int i;
263
264 while (length >= POOLSIZE - pool.poolpos) {
265 for (i = 0; i < POOLSIZE - pool.poolpos; i++)
266 pool.pool[pool.poolpos + i] ^= *p++;
267 random_stir();
268 length -= POOLSIZE - pool.poolpos;
269 pool.poolpos = 0;
270 }
271
272 for (i = 0; i < length; i++)
273 pool.pool[i] ^= *p++;
274 pool.poolpos = i;
275 }
276
277 static void random_timer(void *ctx, unsigned long now)
278 {
279 if (random_active > 0 && now == next_noise_collection) {
280 noise_regular();
281 next_noise_collection =
282 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
283 }
284 }
285
286 void random_ref(void)
287 {
288 if (!random_active) {
289 memset(&pool, 0, sizeof(pool)); /* just to start with */
290
291 random_active++;
292
293 noise_get_heavy(random_add_heavynoise_bitbybit);
294 random_stir();
295
296 next_noise_collection =
297 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
298 }
299 }
300
301 void random_unref(void)
302 {
303 assert(random_active > 0);
304 if (random_active == 1) {
305 random_save_seed();
306 expire_timer_context(&pool);
307 }
308 random_active--;
309 }
310
311 int random_byte(void)
312 {
313 assert(random_active);
314
315 if (pool.poolpos >= POOLSIZE)
316 random_stir();
317
318 return pool.pool[pool.poolpos++];
319 }
320
321 void random_get_savedata(void **data, int *len)
322 {
323 void *buf = snewn(POOLSIZE / 2, char);
324 random_stir();
325 memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);
326 *len = POOLSIZE / 2;
327 *data = buf;
328 random_stir();
329 }
Simon Tatham's PuTTY GUI SSH client; import of svn://svn.tartarus.org/sgt/putty