| blob | 362b0fd8ef9ed04394a63e13030d12000082716e |
1 /*\r
2 * cryptographic random number generator for PuTTY's ssh client\r
3 */\r
4 \r
5 #include "putty.h"\r
6 #include "ssh.h"\r
7 #include <assert.h>\r
8 \r
9 /* Collect environmental noise every 5 minutes */\r
10 #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)\r
11 \r
12 void noise_get_heavy(void (*func) (void *, int));\r
13 void noise_get_light(void (*func) (void *, int));\r
14 \r
15 /*\r
16 * `pool' itself is a pool of random data which we actually use: we\r
17 * return bytes from `pool', at position `poolpos', until `poolpos'\r
18 * reaches the end of the pool. At this point we generate more\r
19 * random data, by adding noise, stirring well, and resetting\r
20 * `poolpos' to point to just past the beginning of the pool (not\r
21 * _the_ beginning, since otherwise we'd give away the whole\r
22 * contents of our pool, and attackers would just have to guess the\r
23 * next lot of noise).\r
24 *\r
25 * `incomingb' buffers acquired noise data, until it gets full, at\r
26 * which point the acquired noise is SHA'ed into `incoming' and\r
27 * `incomingb' is cleared. The noise in `incoming' is used as part\r
28 * of the noise for each stirring of the pool, in addition to local\r
29 * time, process listings, and other such stuff.\r
30 */\r
31 \r
32 #define HASHINPUT 64 /* 64 bytes SHA input */\r
33 #define HASHSIZE 20 /* 160 bits SHA output */\r
34 #define POOLSIZE 1200 /* size of random pool */\r
35 \r
36 struct RandPool {\r
37 unsigned char pool[POOLSIZE];\r
38 int poolpos;\r
39 \r
40 unsigned char incoming[HASHSIZE];\r
41 \r
42 unsigned char incomingb[HASHINPUT];\r
43 int incomingpos;\r
44 \r
45 int stir_pending;\r
46 };\r
47 \r
48 int random_active = 0;\r
49 \r
50 #ifdef FUZZING\r
51 /*\r
52 * Special dummy version of the RNG for use when fuzzing.\r
53 */\r
54 void random_add_noise(void *noise, int length) { }\r
55 void random_add_heavynoise(void *noise, int length) { }\r
56 void random_ref(void) { }\r
57 void random_unref(void) { }\r
58 int random_byte(void)\r
59 {\r
60 return 0x45; /* Chosen by eight fair coin tosses */\r
61 }\r
62 void random_get_savedata(void **data, int *len) { }\r
63 #else /* !FUZZING */\r
64 static struct RandPool pool;\r
65 long next_noise_collection;\r
66 \r
67 #ifdef RANDOM_DIAGNOSTICS\r
68 int random_diagnostics = 0;\r
69 #endif\r
70 \r
71 static void random_stir(void)\r
72 {\r
73 word32 block[HASHINPUT / sizeof(word32)];\r
74 word32 digest[HASHSIZE / sizeof(word32)];\r
75 int i, j, k;\r
76 \r
77 /*\r
78 * noise_get_light will call random_add_noise, which may call\r
79 * back to here. Prevent recursive stirs.\r
80 */\r
81 if (pool.stir_pending)\r
82 return;\r
83 pool.stir_pending = TRUE;\r
84 \r
85 noise_get_light(random_add_noise);\r
86 \r
87 #ifdef RANDOM_DIAGNOSTICS\r
88 {\r
89 int p, q;\r
90 printf("random stir starting\npool:\n");\r
91 for (p = 0; p < POOLSIZE; p += HASHSIZE) {\r
92 printf(" ");\r
93 for (q = 0; q < HASHSIZE; q += 4) {\r
94 printf(" %08x", *(word32 *)(pool.pool + p + q)); \r
95 }\r
96 printf("\n");\r
97 }\r
98 printf("incoming:\n ");\r
99 for (q = 0; q < HASHSIZE; q += 4) {\r
100 printf(" %08x", *(word32 *)(pool.incoming + q));\r
101 }\r
102 printf("\nincomingb:\n ");\r
103 for (q = 0; q < HASHINPUT; q += 4) {\r
104 printf(" %08x", *(word32 *)(pool.incomingb + q));\r
105 }\r
106 printf("\n");\r
107 random_diagnostics++;\r
108 }\r
109 #endif\r
110 \r
111 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);\r
112 pool.incomingpos = 0;\r
113 \r
114 /*\r
115 * Chunks of this code are blatantly endianness-dependent, but\r
116 * as it's all random bits anyway, WHO CARES?\r
117 */\r
118 memcpy(digest, pool.incoming, sizeof(digest));\r
119 \r
120 /*\r
121 * Make two passes over the pool.\r
122 */\r
123 for (i = 0; i < 2; i++) {\r
124 \r
125 /*\r
126 * We operate SHA in CFB mode, repeatedly adding the same\r
127 * block of data to the digest. But we're also fiddling\r
128 * with the digest-so-far, so this shouldn't be Bad or\r
129 * anything.\r
130 */\r
131 memcpy(block, pool.pool, sizeof(block));\r
132 \r
133 /*\r
134 * Each pass processes the pool backwards in blocks of\r
135 * HASHSIZE, just so that in general we get the output of\r
136 * SHA before the corresponding input, in the hope that\r
137 * things will be that much less predictable that way\r
138 * round, when we subsequently return bytes ...\r
139 */\r
140 for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {\r
141 /*\r
142 * XOR the bit of the pool we're processing into the\r
143 * digest.\r
144 */\r
145 \r
146 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)\r
147 digest[k] ^= ((word32 *) (pool.pool + j))[k];\r
148 \r
149 /*\r
150 * Munge our unrevealed first block of the pool into\r
151 * it.\r
152 */\r
153 SHATransform(digest, block);\r
154 \r
155 /*\r
156 * Stick the result back into the pool.\r
157 */\r
158 \r
159 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)\r
160 ((word32 *) (pool.pool + j))[k] = digest[k];\r
161 }\r
162 \r
163 #ifdef RANDOM_DIAGNOSTICS\r
164 if (i == 0) {\r
165 int p, q;\r
166 printf("random stir midpoint\npool:\n");\r
167 for (p = 0; p < POOLSIZE; p += HASHSIZE) {\r
168 printf(" ");\r
169 for (q = 0; q < HASHSIZE; q += 4) {\r
170 printf(" %08x", *(word32 *)(pool.pool + p + q)); \r
171 }\r
172 printf("\n");\r
173 }\r
174 printf("incoming:\n ");\r
175 for (q = 0; q < HASHSIZE; q += 4) {\r
176 printf(" %08x", *(word32 *)(pool.incoming + q));\r
177 }\r
178 printf("\nincomingb:\n ");\r
179 for (q = 0; q < HASHINPUT; q += 4) {\r
180 printf(" %08x", *(word32 *)(pool.incomingb + q));\r
181 }\r
182 printf("\n");\r
183 }\r
184 #endif\r
185 }\r
186 \r
187 /*\r
188 * Might as well save this value back into `incoming', just so\r
189 * there'll be some extra bizarreness there.\r
190 */\r
191 SHATransform(digest, block);\r
192 memcpy(pool.incoming, digest, sizeof(digest));\r
193 \r
194 pool.poolpos = sizeof(pool.incoming);\r
195 \r
196 pool.stir_pending = FALSE;\r
197 \r
198 #ifdef RANDOM_DIAGNOSTICS\r
199 {\r
200 int p, q;\r
201 printf("random stir done\npool:\n");\r
202 for (p = 0; p < POOLSIZE; p += HASHSIZE) {\r
203 printf(" ");\r
204 for (q = 0; q < HASHSIZE; q += 4) {\r
205 printf(" %08x", *(word32 *)(pool.pool + p + q)); \r
206 }\r
207 printf("\n");\r
208 }\r
209 printf("incoming:\n ");\r
210 for (q = 0; q < HASHSIZE; q += 4) {\r
211 printf(" %08x", *(word32 *)(pool.incoming + q));\r
212 }\r
213 printf("\nincomingb:\n ");\r
214 for (q = 0; q < HASHINPUT; q += 4) {\r
215 printf(" %08x", *(word32 *)(pool.incomingb + q));\r
216 }\r
217 printf("\n");\r
218 random_diagnostics--;\r
219 }\r
220 #endif\r
221 }\r
222 \r
223 void random_add_noise(void *noise, int length)\r
224 {\r
225 unsigned char *p = noise;\r
226 int i;\r
227 \r
228 if (!random_active)\r
229 return;\r
230 \r
231 /*\r
232 * This function processes HASHINPUT bytes into only HASHSIZE\r
233 * bytes, so _if_ we were getting incredibly high entropy\r
234 * sources then we would be throwing away valuable stuff.\r
235 */\r
236 while (length >= (HASHINPUT - pool.incomingpos)) {\r
237 memcpy(pool.incomingb + pool.incomingpos, p,\r
238 HASHINPUT - pool.incomingpos);\r
239 p += HASHINPUT - pool.incomingpos;\r
240 length -= HASHINPUT - pool.incomingpos;\r
241 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);\r
242 for (i = 0; i < HASHSIZE; i++) {\r
243 pool.pool[pool.poolpos++] ^= pool.incoming[i];\r
244 if (pool.poolpos >= POOLSIZE)\r
245 pool.poolpos = 0;\r
246 }\r
247 if (pool.poolpos < HASHSIZE)\r
248 random_stir();\r
249 \r
250 pool.incomingpos = 0;\r
251 }\r
252 \r
253 memcpy(pool.incomingb + pool.incomingpos, p, length);\r
254 pool.incomingpos += length;\r
255 }\r
256 \r
257 void random_add_heavynoise(void *noise, int length)\r
258 {\r
259 unsigned char *p = noise;\r
260 int i;\r
261 \r
262 while (length >= POOLSIZE) {\r
263 for (i = 0; i < POOLSIZE; i++)\r
264 pool.pool[i] ^= *p++;\r
265 random_stir();\r
266 length -= POOLSIZE;\r
267 }\r
268 \r
269 for (i = 0; i < length; i++)\r
270 pool.pool[i] ^= *p++;\r
271 random_stir();\r
272 }\r
273 \r
274 static void random_add_heavynoise_bitbybit(void *noise, int length)\r
275 {\r
276 unsigned char *p = noise;\r
277 int i;\r
278 \r
279 while (length >= POOLSIZE - pool.poolpos) {\r
280 for (i = 0; i < POOLSIZE - pool.poolpos; i++)\r
281 pool.pool[pool.poolpos + i] ^= *p++;\r
282 random_stir();\r
283 length -= POOLSIZE - pool.poolpos;\r
284 pool.poolpos = 0;\r
285 }\r
286 \r
287 for (i = 0; i < length; i++)\r
288 pool.pool[i] ^= *p++;\r
289 pool.poolpos = i;\r
290 }\r
291 \r
292 static void random_timer(void *ctx, unsigned long now)\r
293 {\r
294 if (random_active > 0 && now == next_noise_collection) {\r
295 noise_regular();\r
296 next_noise_collection =\r
297 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);\r
298 }\r
299 }\r
300 \r
301 void random_ref(void)\r
302 {\r
303 if (!random_active) {\r
304 memset(&pool, 0, sizeof(pool)); /* just to start with */\r
305 \r
306 noise_get_heavy(random_add_heavynoise_bitbybit);\r
307 random_stir();\r
308 \r
309 next_noise_collection =\r
310 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);\r
311 }\r
312 random_active++;\r
313 }\r
314 \r
315 void random_unref(void)\r
316 {\r
317 assert(random_active > 0);\r
318 if (random_active == 1) {\r
319 random_save_seed();\r
320 expire_timer_context(&pool);\r
321 }\r
322 random_active--;\r
323 }\r
324 \r
325 int random_byte(void)\r
326 {\r
327 assert(random_active);\r
328 \r
329 if (pool.poolpos >= POOLSIZE)\r
330 random_stir();\r
331 \r
332 return pool.pool[pool.poolpos++];\r
333 }\r
334 \r
335 void random_get_savedata(void **data, int *len)\r
336 {\r
337 void *buf = snewn(POOLSIZE / 2, char);\r
338 random_stir();\r
339 memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);\r
340 *len = POOLSIZE / 2;\r
341 *data = buf;\r
342 random_stir();\r
343 }\r
344 #endif\r