source: filezilla/trunk/fuentes/src/putty/sshrand.c @ 3185

Last change on this file since 3185 was 3185, checked in by jrpelegrina, 3 years ago

Update new version: 3.15.02

File size: 8.9 KB
Line 
1/*
2 * cryptographic random number generator for PuTTY's ssh client
3 */
4
5#include "putty.h"
6#include "ssh.h"
7#include <assert.h>
8
9/* Collect environmental noise every 5 minutes */
10#define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)
11
12void noise_get_heavy(void (*func) (void *, int));
13void noise_get_light(void (*func) (void *, int));
14
15/*
16 * `pool' itself is a pool of random data which we actually use: we
17 * return bytes from `pool', at position `poolpos', until `poolpos'
18 * reaches the end of the pool. At this point we generate more
19 * random data, by adding noise, stirring well, and resetting
20 * `poolpos' to point to just past the beginning of the pool (not
21 * _the_ beginning, since otherwise we'd give away the whole
22 * contents of our pool, and attackers would just have to guess the
23 * next lot of noise).
24 *
25 * `incomingb' buffers acquired noise data, until it gets full, at
26 * which point the acquired noise is SHA'ed into `incoming' and
27 * `incomingb' is cleared. The noise in `incoming' is used as part
28 * of the noise for each stirring of the pool, in addition to local
29 * time, process listings, and other such stuff.
30 */
31
32#define HASHINPUT 64                   /* 64 bytes SHA input */
33#define HASHSIZE 20                    /* 160 bits SHA output */
34#define POOLSIZE 1200                  /* size of random pool */
35
36struct RandPool {
37    unsigned char pool[POOLSIZE];
38    int poolpos;
39
40    unsigned char incoming[HASHSIZE];
41
42    unsigned char incomingb[HASHINPUT];
43    int incomingpos;
44
45    int stir_pending;
46};
47
48int random_active = 0;
49
50#ifdef FUZZING
51/*
52 * Special dummy version of the RNG for use when fuzzing.
53 */
54void random_add_noise(void *noise, int length) { }
55void random_add_heavynoise(void *noise, int length) { }
56void random_ref(void) { }
57void random_unref(void) { }
58int random_byte(void)
59{
60    return 0x45; /* Chosen by eight fair coin tosses */
61}
62void random_get_savedata(void **data, int *len) { }
63#else /* !FUZZING */
64static struct RandPool pool;
65long next_noise_collection;
66
67#ifdef RANDOM_DIAGNOSTICS
68int random_diagnostics = 0;
69#endif
70
71static void random_stir(void)
72{
73    word32 block[HASHINPUT / sizeof(word32)];
74    word32 digest[HASHSIZE / sizeof(word32)];
75    int i, j, k;
76
77    /*
78     * noise_get_light will call random_add_noise, which may call
79     * back to here. Prevent recursive stirs.
80     */
81    if (pool.stir_pending)
82        return;
83    pool.stir_pending = TRUE;
84
85    noise_get_light(random_add_noise);
86
87#ifdef RANDOM_DIAGNOSTICS
88    {
89        int p, q;
90        printf("random stir starting\npool:\n");
91        for (p = 0; p < POOLSIZE; p += HASHSIZE) {
92            printf("   ");
93            for (q = 0; q < HASHSIZE; q += 4) {
94                printf(" %08x", *(word32 *)(pool.pool + p + q));           
95            }
96            printf("\n");
97        }
98        printf("incoming:\n   ");
99        for (q = 0; q < HASHSIZE; q += 4) {
100            printf(" %08x", *(word32 *)(pool.incoming + q));
101        }
102        printf("\nincomingb:\n   ");
103        for (q = 0; q < HASHINPUT; q += 4) {
104            printf(" %08x", *(word32 *)(pool.incomingb + q));
105        }
106        printf("\n");
107        random_diagnostics++;
108    }
109#endif
110
111    SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
112    pool.incomingpos = 0;
113
114    /*
115     * Chunks of this code are blatantly endianness-dependent, but
116     * as it's all random bits anyway, WHO CARES?
117     */
118    memcpy(digest, pool.incoming, sizeof(digest));
119
120    /*
121     * Make two passes over the pool.
122     */
123    for (i = 0; i < 2; i++) {
124
125        /*
126         * We operate SHA in CFB mode, repeatedly adding the same
127         * block of data to the digest. But we're also fiddling
128         * with the digest-so-far, so this shouldn't be Bad or
129         * anything.
130         */
131        memcpy(block, pool.pool, sizeof(block));
132
133        /*
134         * Each pass processes the pool backwards in blocks of
135         * HASHSIZE, just so that in general we get the output of
136         * SHA before the corresponding input, in the hope that
137         * things will be that much less predictable that way
138         * round, when we subsequently return bytes ...
139         */
140        for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {
141            /*
142             * XOR the bit of the pool we're processing into the
143             * digest.
144             */
145
146            for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
147                digest[k] ^= ((word32 *) (pool.pool + j))[k];
148
149            /*
150             * Munge our unrevealed first block of the pool into
151             * it.
152             */
153            SHATransform(digest, block);
154
155            /*
156             * Stick the result back into the pool.
157             */
158
159            for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
160                ((word32 *) (pool.pool + j))[k] = digest[k];
161        }
162
163#ifdef RANDOM_DIAGNOSTICS
164        if (i == 0) {
165            int p, q;
166            printf("random stir midpoint\npool:\n");
167            for (p = 0; p < POOLSIZE; p += HASHSIZE) {
168                printf("   ");
169                for (q = 0; q < HASHSIZE; q += 4) {
170                    printf(" %08x", *(word32 *)(pool.pool + p + q));           
171                }
172                printf("\n");
173            }
174            printf("incoming:\n   ");
175            for (q = 0; q < HASHSIZE; q += 4) {
176                printf(" %08x", *(word32 *)(pool.incoming + q));
177            }
178            printf("\nincomingb:\n   ");
179            for (q = 0; q < HASHINPUT; q += 4) {
180                printf(" %08x", *(word32 *)(pool.incomingb + q));
181            }
182            printf("\n");
183        }
184#endif
185    }
186
187    /*
188     * Might as well save this value back into `incoming', just so
189     * there'll be some extra bizarreness there.
190     */
191    SHATransform(digest, block);
192    memcpy(pool.incoming, digest, sizeof(digest));
193
194    pool.poolpos = sizeof(pool.incoming);
195
196    pool.stir_pending = FALSE;
197
198#ifdef RANDOM_DIAGNOSTICS
199    {
200        int p, q;
201        printf("random stir done\npool:\n");
202        for (p = 0; p < POOLSIZE; p += HASHSIZE) {
203            printf("   ");
204            for (q = 0; q < HASHSIZE; q += 4) {
205                printf(" %08x", *(word32 *)(pool.pool + p + q));           
206            }
207            printf("\n");
208        }
209        printf("incoming:\n   ");
210        for (q = 0; q < HASHSIZE; q += 4) {
211            printf(" %08x", *(word32 *)(pool.incoming + q));
212        }
213        printf("\nincomingb:\n   ");
214        for (q = 0; q < HASHINPUT; q += 4) {
215            printf(" %08x", *(word32 *)(pool.incomingb + q));
216        }
217        printf("\n");
218        random_diagnostics--;
219    }
220#endif
221}
222
223void random_add_noise(void *noise, int length)
224{
225    unsigned char *p = noise;
226    int i;
227
228    if (!random_active)
229        return;
230
231    /*
232     * This function processes HASHINPUT bytes into only HASHSIZE
233     * bytes, so _if_ we were getting incredibly high entropy
234     * sources then we would be throwing away valuable stuff.
235     */
236    while (length >= (HASHINPUT - pool.incomingpos)) {
237        memcpy(pool.incomingb + pool.incomingpos, p,
238               HASHINPUT - pool.incomingpos);
239        p += HASHINPUT - pool.incomingpos;
240        length -= HASHINPUT - pool.incomingpos;
241        SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
242        for (i = 0; i < HASHSIZE; i++) {
243            pool.pool[pool.poolpos++] ^= pool.incomingb[i];
244            if (pool.poolpos >= POOLSIZE)
245                pool.poolpos = 0;
246        }
247        if (pool.poolpos < HASHSIZE)
248            random_stir();
249
250        pool.incomingpos = 0;
251    }
252
253    memcpy(pool.incomingb + pool.incomingpos, p, length);
254    pool.incomingpos += length;
255}
256
257void random_add_heavynoise(void *noise, int length)
258{
259    unsigned char *p = noise;
260    int i;
261
262    while (length >= POOLSIZE) {
263        for (i = 0; i < POOLSIZE; i++)
264            pool.pool[i] ^= *p++;
265        random_stir();
266        length -= POOLSIZE;
267    }
268
269    for (i = 0; i < length; i++)
270        pool.pool[i] ^= *p++;
271    random_stir();
272}
273
274static void random_add_heavynoise_bitbybit(void *noise, int length)
275{
276    unsigned char *p = noise;
277    int i;
278
279    while (length >= POOLSIZE - pool.poolpos) {
280        for (i = 0; i < POOLSIZE - pool.poolpos; i++)
281            pool.pool[pool.poolpos + i] ^= *p++;
282        random_stir();
283        length -= POOLSIZE - pool.poolpos;
284        pool.poolpos = 0;
285    }
286
287    for (i = 0; i < length; i++)
288        pool.pool[i] ^= *p++;
289    pool.poolpos = i;
290}
291
292static void random_timer(void *ctx, unsigned long now)
293{
294    if (random_active > 0 && now == next_noise_collection) {
295        noise_regular();
296        next_noise_collection =
297            schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
298    }
299}
300
301void random_ref(void)
302{
303    if (!random_active) {
304        memset(&pool, 0, sizeof(pool));    /* just to start with */
305
306        noise_get_heavy(random_add_heavynoise_bitbybit);
307        random_stir();
308
309        next_noise_collection =
310            schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
311    }
312    random_active++;
313}
314
315void random_unref(void)
316{
317    assert(random_active > 0);
318    if (random_active == 1) {
319        random_save_seed();
320        expire_timer_context(&pool);
321    }
322    random_active--;
323}
324
325int random_byte(void)
326{
327    assert(random_active);
328
329    if (pool.poolpos >= POOLSIZE)
330        random_stir();
331
332    return pool.pool[pool.poolpos++];
333}
334
335void random_get_savedata(void **data, int *len)
336{
337    void *buf = snewn(POOLSIZE / 2, char);
338    random_stir();
339    memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);
340    *len = POOLSIZE / 2;
341    *data = buf;
342    random_stir();
343}
344#endif
Note: See TracBrowser for help on using the repository browser.