source: filezilla/trunk/fuentes/src/putty/sshrand.c @ 130

Last change on this file since 130 was 130, checked in by jrpelegrina, 3 years ago

First release to xenial

File size: 8.5 KB
Line 
1/*
2 * cryptographic random number generator for PuTTY's ssh client
3 */
4
5#include "putty.h"
6#include "ssh.h"
7#include <assert.h>
8
9/* Collect environmental noise every 5 minutes */
10#define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)
11
12void noise_get_heavy(void (*func) (void *, int));
13void noise_get_light(void (*func) (void *, int));
14
15/*
16 * `pool' itself is a pool of random data which we actually use: we
17 * return bytes from `pool', at position `poolpos', until `poolpos'
18 * reaches the end of the pool. At this point we generate more
19 * random data, by adding noise, stirring well, and resetting
20 * `poolpos' to point to just past the beginning of the pool (not
21 * _the_ beginning, since otherwise we'd give away the whole
22 * contents of our pool, and attackers would just have to guess the
23 * next lot of noise).
24 *
25 * `incomingb' buffers acquired noise data, until it gets full, at
26 * which point the acquired noise is SHA'ed into `incoming' and
27 * `incomingb' is cleared. The noise in `incoming' is used as part
28 * of the noise for each stirring of the pool, in addition to local
29 * time, process listings, and other such stuff.
30 */
31
32#define HASHINPUT 64                   /* 64 bytes SHA input */
33#define HASHSIZE 20                    /* 160 bits SHA output */
34#define POOLSIZE 1200                  /* size of random pool */
35
36struct RandPool {
37    unsigned char pool[POOLSIZE];
38    int poolpos;
39
40    unsigned char incoming[HASHSIZE];
41
42    unsigned char incomingb[HASHINPUT];
43    int incomingpos;
44
45    int stir_pending;
46};
47
48static struct RandPool pool;
49int random_active = 0;
50long next_noise_collection;
51
52#ifdef RANDOM_DIAGNOSTICS
53int random_diagnostics = 0;
54#endif
55
56static void random_stir(void)
57{
58    word32 block[HASHINPUT / sizeof(word32)];
59    word32 digest[HASHSIZE / sizeof(word32)];
60    int i, j, k;
61
62    /*
63     * noise_get_light will call random_add_noise, which may call
64     * back to here. Prevent recursive stirs.
65     */
66    if (pool.stir_pending)
67        return;
68    pool.stir_pending = TRUE;
69
70    noise_get_light(random_add_noise);
71
72#ifdef RANDOM_DIAGNOSTICS
73    {
74        int p, q;
75        printf("random stir starting\npool:\n");
76        for (p = 0; p < POOLSIZE; p += HASHSIZE) {
77            printf("   ");
78            for (q = 0; q < HASHSIZE; q += 4) {
79                printf(" %08x", *(word32 *)(pool.pool + p + q));           
80            }
81            printf("\n");
82        }
83        printf("incoming:\n   ");
84        for (q = 0; q < HASHSIZE; q += 4) {
85            printf(" %08x", *(word32 *)(pool.incoming + q));
86        }
87        printf("\nincomingb:\n   ");
88        for (q = 0; q < HASHINPUT; q += 4) {
89            printf(" %08x", *(word32 *)(pool.incomingb + q));
90        }
91        printf("\n");
92        random_diagnostics++;
93    }
94#endif
95
96    SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
97    pool.incomingpos = 0;
98
99    /*
100     * Chunks of this code are blatantly endianness-dependent, but
101     * as it's all random bits anyway, WHO CARES?
102     */
103    memcpy(digest, pool.incoming, sizeof(digest));
104
105    /*
106     * Make two passes over the pool.
107     */
108    for (i = 0; i < 2; i++) {
109
110        /*
111         * We operate SHA in CFB mode, repeatedly adding the same
112         * block of data to the digest. But we're also fiddling
113         * with the digest-so-far, so this shouldn't be Bad or
114         * anything.
115         */
116        memcpy(block, pool.pool, sizeof(block));
117
118        /*
119         * Each pass processes the pool backwards in blocks of
120         * HASHSIZE, just so that in general we get the output of
121         * SHA before the corresponding input, in the hope that
122         * things will be that much less predictable that way
123         * round, when we subsequently return bytes ...
124         */
125        for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {
126            /*
127             * XOR the bit of the pool we're processing into the
128             * digest.
129             */
130
131            for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
132                digest[k] ^= ((word32 *) (pool.pool + j))[k];
133
134            /*
135             * Munge our unrevealed first block of the pool into
136             * it.
137             */
138            SHATransform(digest, block);
139
140            /*
141             * Stick the result back into the pool.
142             */
143
144            for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
145                ((word32 *) (pool.pool + j))[k] = digest[k];
146        }
147
148#ifdef RANDOM_DIAGNOSTICS
149        if (i == 0) {
150            int p, q;
151            printf("random stir midpoint\npool:\n");
152            for (p = 0; p < POOLSIZE; p += HASHSIZE) {
153                printf("   ");
154                for (q = 0; q < HASHSIZE; q += 4) {
155                    printf(" %08x", *(word32 *)(pool.pool + p + q));           
156                }
157                printf("\n");
158            }
159            printf("incoming:\n   ");
160            for (q = 0; q < HASHSIZE; q += 4) {
161                printf(" %08x", *(word32 *)(pool.incoming + q));
162            }
163            printf("\nincomingb:\n   ");
164            for (q = 0; q < HASHINPUT; q += 4) {
165                printf(" %08x", *(word32 *)(pool.incomingb + q));
166            }
167            printf("\n");
168        }
169#endif
170    }
171
172    /*
173     * Might as well save this value back into `incoming', just so
174     * there'll be some extra bizarreness there.
175     */
176    SHATransform(digest, block);
177    memcpy(pool.incoming, digest, sizeof(digest));
178
179    pool.poolpos = sizeof(pool.incoming);
180
181    pool.stir_pending = FALSE;
182
183#ifdef RANDOM_DIAGNOSTICS
184    {
185        int p, q;
186        printf("random stir done\npool:\n");
187        for (p = 0; p < POOLSIZE; p += HASHSIZE) {
188            printf("   ");
189            for (q = 0; q < HASHSIZE; q += 4) {
190                printf(" %08x", *(word32 *)(pool.pool + p + q));           
191            }
192            printf("\n");
193        }
194        printf("incoming:\n   ");
195        for (q = 0; q < HASHSIZE; q += 4) {
196            printf(" %08x", *(word32 *)(pool.incoming + q));
197        }
198        printf("\nincomingb:\n   ");
199        for (q = 0; q < HASHINPUT; q += 4) {
200            printf(" %08x", *(word32 *)(pool.incomingb + q));
201        }
202        printf("\n");
203        random_diagnostics--;
204    }
205#endif
206}
207
208void random_add_noise(void *noise, int length)
209{
210    unsigned char *p = noise;
211    int i;
212
213    if (!random_active)
214        return;
215
216    /*
217     * This function processes HASHINPUT bytes into only HASHSIZE
218     * bytes, so _if_ we were getting incredibly high entropy
219     * sources then we would be throwing away valuable stuff.
220     */
221    while (length >= (HASHINPUT - pool.incomingpos)) {
222        memcpy(pool.incomingb + pool.incomingpos, p,
223               HASHINPUT - pool.incomingpos);
224        p += HASHINPUT - pool.incomingpos;
225        length -= HASHINPUT - pool.incomingpos;
226        SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
227        for (i = 0; i < HASHSIZE; i++) {
228            pool.pool[pool.poolpos++] ^= pool.incomingb[i];
229            if (pool.poolpos >= POOLSIZE)
230                pool.poolpos = 0;
231        }
232        if (pool.poolpos < HASHSIZE)
233            random_stir();
234
235        pool.incomingpos = 0;
236    }
237
238    memcpy(pool.incomingb + pool.incomingpos, p, length);
239    pool.incomingpos += length;
240}
241
242void random_add_heavynoise(void *noise, int length)
243{
244    unsigned char *p = noise;
245    int i;
246
247    while (length >= POOLSIZE) {
248        for (i = 0; i < POOLSIZE; i++)
249            pool.pool[i] ^= *p++;
250        random_stir();
251        length -= POOLSIZE;
252    }
253
254    for (i = 0; i < length; i++)
255        pool.pool[i] ^= *p++;
256    random_stir();
257}
258
259static void random_add_heavynoise_bitbybit(void *noise, int length)
260{
261    unsigned char *p = noise;
262    int i;
263
264    while (length >= POOLSIZE - pool.poolpos) {
265        for (i = 0; i < POOLSIZE - pool.poolpos; i++)
266            pool.pool[pool.poolpos + i] ^= *p++;
267        random_stir();
268        length -= POOLSIZE - pool.poolpos;
269        pool.poolpos = 0;
270    }
271
272    for (i = 0; i < length; i++)
273        pool.pool[i] ^= *p++;
274    pool.poolpos = i;
275}
276
277static void random_timer(void *ctx, unsigned long now)
278{
279    if (random_active > 0 && now == next_noise_collection) {
280        noise_regular();
281        next_noise_collection =
282            schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
283    }
284}
285
286void random_ref(void)
287{
288    if (!random_active) {
289        memset(&pool, 0, sizeof(pool));    /* just to start with */
290
291        noise_get_heavy(random_add_heavynoise_bitbybit);
292        random_stir();
293
294        next_noise_collection =
295            schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
296    }
297    random_active++;
298}
299
300void random_unref(void)
301{
302    assert(random_active > 0);
303    if (random_active == 1) {
304        random_save_seed();
305        expire_timer_context(&pool);
306    }
307    random_active--;
308}
309
310int random_byte(void)
311{
312    assert(random_active);
313
314    if (pool.poolpos >= POOLSIZE)
315        random_stir();
316
317    return pool.pool[pool.poolpos++];
318}
319
320void random_get_savedata(void **data, int *len)
321{
322    void *buf = snewn(POOLSIZE / 2, char);
323    random_stir();
324    memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);
325    *len = POOLSIZE / 2;
326    *data = buf;
327    random_stir();
328}
Note: See TracBrowser for help on using the repository browser.