| blob | c09f7363396675a907780184a52236851bb75ba2 |
1 /*\r
2 * cryptographic random number generator for PuTTY's ssh client\r
3 */\r
4 \r
5 #include "putty.h"\r
6 #include "ssh.h"\r
7 #include <assert.h>\r
8 \r
9 /* Collect environmental noise every 5 minutes */\r
10 #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)\r
11 \r
12 void noise_get_heavy(void (*func) (void *, int));\r
13 void noise_get_light(void (*func) (void *, int));\r
14 \r
15 /*\r
16 * `pool' itself is a pool of random data which we actually use: we\r
17 * return bytes from `pool', at position `poolpos', until `poolpos'\r
18 * reaches the end of the pool. At this point we generate more\r
19 * random data, by adding noise, stirring well, and resetting\r
20 * `poolpos' to point to just past the beginning of the pool (not\r
21 * _the_ beginning, since otherwise we'd give away the whole\r
22 * contents of our pool, and attackers would just have to guess the\r
23 * next lot of noise).\r
24 *\r
25 * `incomingb' buffers acquired noise data, until it gets full, at\r
26 * which point the acquired noise is SHA'ed into `incoming' and\r
27 * `incomingb' is cleared. The noise in `incoming' is used as part\r
28 * of the noise for each stirring of the pool, in addition to local\r
29 * time, process listings, and other such stuff.\r
30 */\r
31 \r
32 #define HASHINPUT 64 /* 64 bytes SHA input */\r
33 #define HASHSIZE 20 /* 160 bits SHA output */\r
34 #define POOLSIZE 1200 /* size of random pool */\r
35 \r
36 struct RandPool {\r
37 unsigned char pool[POOLSIZE];\r
38 int poolpos;\r
39 \r
40 unsigned char incoming[HASHSIZE];\r
41 \r
42 unsigned char incomingb[HASHINPUT];\r
43 int incomingpos;\r
44 \r
45 int stir_pending;\r
46 };\r
47 \r
48 static struct RandPool pool;\r
49 int random_active = 0;\r
50 long next_noise_collection;\r
51 \r
52 #ifdef RANDOM_DIAGNOSTICS\r
53 int random_diagnostics = 0;\r
54 #endif\r
55 \r
56 static void random_stir(void)\r
57 {\r
58 word32 block[HASHINPUT / sizeof(word32)];\r
59 word32 digest[HASHSIZE / sizeof(word32)];\r
60 int i, j, k;\r
61 \r
62 /*\r
63 * noise_get_light will call random_add_noise, which may call\r
64 * back to here. Prevent recursive stirs.\r
65 */\r
66 if (pool.stir_pending)\r
67 return;\r
68 pool.stir_pending = TRUE;\r
69 \r
70 noise_get_light(random_add_noise);\r
71 \r
72 #ifdef RANDOM_DIAGNOSTICS\r
73 {\r
74 int p, q;\r
75 printf("random stir starting\npool:\n");\r
76 for (p = 0; p < POOLSIZE; p += HASHSIZE) {\r
77 printf(" ");\r
78 for (q = 0; q < HASHSIZE; q += 4) {\r
79 printf(" %08x", *(word32 *)(pool.pool + p + q)); \r
80 }\r
81 printf("\n");\r
82 }\r
83 printf("incoming:\n ");\r
84 for (q = 0; q < HASHSIZE; q += 4) {\r
85 printf(" %08x", *(word32 *)(pool.incoming + q));\r
86 }\r
87 printf("\nincomingb:\n ");\r
88 for (q = 0; q < HASHINPUT; q += 4) {\r
89 printf(" %08x", *(word32 *)(pool.incomingb + q));\r
90 }\r
91 printf("\n");\r
92 random_diagnostics++;\r
93 }\r
94 #endif\r
95 \r
96 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);\r
97 pool.incomingpos = 0;\r
98 \r
99 /*\r
100 * Chunks of this code are blatantly endianness-dependent, but\r
101 * as it's all random bits anyway, WHO CARES?\r
102 */\r
103 memcpy(digest, pool.incoming, sizeof(digest));\r
104 \r
105 /*\r
106 * Make two passes over the pool.\r
107 */\r
108 for (i = 0; i < 2; i++) {\r
109 \r
110 /*\r
111 * We operate SHA in CFB mode, repeatedly adding the same\r
112 * block of data to the digest. But we're also fiddling\r
113 * with the digest-so-far, so this shouldn't be Bad or\r
114 * anything.\r
115 */\r
116 memcpy(block, pool.pool, sizeof(block));\r
117 \r
118 /*\r
119 * Each pass processes the pool backwards in blocks of\r
120 * HASHSIZE, just so that in general we get the output of\r
121 * SHA before the corresponding input, in the hope that\r
122 * things will be that much less predictable that way\r
123 * round, when we subsequently return bytes ...\r
124 */\r
125 for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {\r
126 /*\r
127 * XOR the bit of the pool we're processing into the\r
128 * digest.\r
129 */\r
130 \r
131 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)\r
132 digest[k] ^= ((word32 *) (pool.pool + j))[k];\r
133 \r
134 /*\r
135 * Munge our unrevealed first block of the pool into\r
136 * it.\r
137 */\r
138 SHATransform(digest, block);\r
139 \r
140 /*\r
141 * Stick the result back into the pool.\r
142 */\r
143 \r
144 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)\r
145 ((word32 *) (pool.pool + j))[k] = digest[k];\r
146 }\r
147 \r
148 #ifdef RANDOM_DIAGNOSTICS\r
149 if (i == 0) {\r
150 int p, q;\r
151 printf("random stir midpoint\npool:\n");\r
152 for (p = 0; p < POOLSIZE; p += HASHSIZE) {\r
153 printf(" ");\r
154 for (q = 0; q < HASHSIZE; q += 4) {\r
155 printf(" %08x", *(word32 *)(pool.pool + p + q)); \r
156 }\r
157 printf("\n");\r
158 }\r
159 printf("incoming:\n ");\r
160 for (q = 0; q < HASHSIZE; q += 4) {\r
161 printf(" %08x", *(word32 *)(pool.incoming + q));\r
162 }\r
163 printf("\nincomingb:\n ");\r
164 for (q = 0; q < HASHINPUT; q += 4) {\r
165 printf(" %08x", *(word32 *)(pool.incomingb + q));\r
166 }\r
167 printf("\n");\r
168 }\r
169 #endif\r
170 }\r
171 \r
172 /*\r
173 * Might as well save this value back into `incoming', just so\r
174 * there'll be some extra bizarreness there.\r
175 */\r
176 SHATransform(digest, block);\r
177 memcpy(pool.incoming, digest, sizeof(digest));\r
178 \r
179 pool.poolpos = sizeof(pool.incoming);\r
180 \r
181 pool.stir_pending = FALSE;\r
182 \r
183 #ifdef RANDOM_DIAGNOSTICS\r
184 {\r
185 int p, q;\r
186 printf("random stir done\npool:\n");\r
187 for (p = 0; p < POOLSIZE; p += HASHSIZE) {\r
188 printf(" ");\r
189 for (q = 0; q < HASHSIZE; q += 4) {\r
190 printf(" %08x", *(word32 *)(pool.pool + p + q)); \r
191 }\r
192 printf("\n");\r
193 }\r
194 printf("incoming:\n ");\r
195 for (q = 0; q < HASHSIZE; q += 4) {\r
196 printf(" %08x", *(word32 *)(pool.incoming + q));\r
197 }\r
198 printf("\nincomingb:\n ");\r
199 for (q = 0; q < HASHINPUT; q += 4) {\r
200 printf(" %08x", *(word32 *)(pool.incomingb + q));\r
201 }\r
202 printf("\n");\r
203 random_diagnostics--;\r
204 }\r
205 #endif\r
206 }\r
207 \r
208 void random_add_noise(void *noise, int length)\r
209 {\r
210 unsigned char *p = noise;\r
211 int i;\r
212 \r
213 if (!random_active)\r
214 return;\r
215 \r
216 /*\r
217 * This function processes HASHINPUT bytes into only HASHSIZE\r
218 * bytes, so _if_ we were getting incredibly high entropy\r
219 * sources then we would be throwing away valuable stuff.\r
220 */\r
221 while (length >= (HASHINPUT - pool.incomingpos)) {\r
222 memcpy(pool.incomingb + pool.incomingpos, p,\r
223 HASHINPUT - pool.incomingpos);\r
224 p += HASHINPUT - pool.incomingpos;\r
225 length -= HASHINPUT - pool.incomingpos;\r
226 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);\r
227 for (i = 0; i < HASHSIZE; i++) {\r
228 pool.pool[pool.poolpos++] ^= pool.incomingb[i];\r
229 if (pool.poolpos >= POOLSIZE)\r
230 pool.poolpos = 0;\r
231 }\r
232 if (pool.poolpos < HASHSIZE)\r
233 random_stir();\r
234 \r
235 pool.incomingpos = 0;\r
236 }\r
237 \r
238 memcpy(pool.incomingb + pool.incomingpos, p, length);\r
239 pool.incomingpos += length;\r
240 }\r
241 \r
242 void random_add_heavynoise(void *noise, int length)\r
243 {\r
244 unsigned char *p = noise;\r
245 int i;\r
246 \r
247 while (length >= POOLSIZE) {\r
248 for (i = 0; i < POOLSIZE; i++)\r
249 pool.pool[i] ^= *p++;\r
250 random_stir();\r
251 length -= POOLSIZE;\r
252 }\r
253 \r
254 for (i = 0; i < length; i++)\r
255 pool.pool[i] ^= *p++;\r
256 random_stir();\r
257 }\r
258 \r
259 static void random_add_heavynoise_bitbybit(void *noise, int length)\r
260 {\r
261 unsigned char *p = noise;\r
262 int i;\r
263 \r
264 while (length >= POOLSIZE - pool.poolpos) {\r
265 for (i = 0; i < POOLSIZE - pool.poolpos; i++)\r
266 pool.pool[pool.poolpos + i] ^= *p++;\r
267 random_stir();\r
268 length -= POOLSIZE - pool.poolpos;\r
269 pool.poolpos = 0;\r
270 }\r
271 \r
272 for (i = 0; i < length; i++)\r
273 pool.pool[i] ^= *p++;\r
274 pool.poolpos = i;\r
275 }\r
276 \r
277 static void random_timer(void *ctx, unsigned long now)\r
278 {\r
279 if (random_active > 0 && now == next_noise_collection) {\r
280 noise_regular();\r
281 next_noise_collection =\r
282 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);\r
283 }\r
284 }\r
285 \r
286 void random_ref(void)\r
287 {\r
288 if (!random_active) {\r
289 memset(&pool, 0, sizeof(pool)); /* just to start with */\r
290 \r
291 noise_get_heavy(random_add_heavynoise_bitbybit);\r
292 random_stir();\r
293 \r
294 next_noise_collection =\r
295 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);\r
296 }\r
297 random_active++;\r
298 }\r
299 \r
300 void random_unref(void)\r
301 {\r
302 assert(random_active > 0);\r
303 if (random_active == 1) {\r
304 random_save_seed();\r
305 expire_timer_context(&pool);\r
306 }\r
307 random_active--;\r
308 }\r
309 \r
310 int random_byte(void)\r
311 {\r
312 assert(random_active);\r
313 \r
314 if (pool.poolpos >= POOLSIZE)\r
315 random_stir();\r
316 \r
317 return pool.pool[pool.poolpos++];\r
318 }\r
319 \r
320 void random_get_savedata(void **data, int *len)\r
321 {\r
322 void *buf = snewn(POOLSIZE / 2, char);\r
323 random_stir();\r
324 memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);\r
325 *len = POOLSIZE / 2;\r
326 *data = buf;\r
327 random_stir();\r
328 }\r