2 * cryptographic random number generator for PuTTY's ssh client
\r
9 /* Collect environmental noise every 5 minutes */
\r
10 #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)
\r
12 void noise_get_heavy(void (*func) (void *, int));
\r
13 void noise_get_light(void (*func) (void *, int));
\r
16 * `pool' itself is a pool of random data which we actually use: we
\r
17 * return bytes from `pool', at position `poolpos', until `poolpos'
\r
18 * reaches the end of the pool. At this point we generate more
\r
19 * random data, by adding noise, stirring well, and resetting
\r
20 * `poolpos' to point to just past the beginning of the pool (not
\r
21 * _the_ beginning, since otherwise we'd give away the whole
\r
22 * contents of our pool, and attackers would just have to guess the
\r
23 * next lot of noise).
\r
25 * `incomingb' buffers acquired noise data, until it gets full, at
\r
26 * which point the acquired noise is SHA'ed into `incoming' and
\r
27 * `incomingb' is cleared. The noise in `incoming' is used as part
\r
28 * of the noise for each stirring of the pool, in addition to local
\r
29 * time, process listings, and other such stuff.
\r
32 #define HASHINPUT 64 /* 64 bytes SHA input */
\r
33 #define HASHSIZE 20 /* 160 bits SHA output */
\r
34 #define POOLSIZE 1200 /* size of random pool */
\r
37 unsigned char pool[POOLSIZE];
\r
40 unsigned char incoming[HASHSIZE];
\r
42 unsigned char incomingb[HASHINPUT];
\r
48 static struct RandPool pool;
\r
49 int random_active = 0;
\r
50 long next_noise_collection;
\r
52 static void random_stir(void)
\r
54 word32 block[HASHINPUT / sizeof(word32)];
\r
55 word32 digest[HASHSIZE / sizeof(word32)];
\r
59 * noise_get_light will call random_add_noise, which may call
\r
60 * back to here. Prevent recursive stirs.
\r
62 if (pool.stir_pending)
\r
64 pool.stir_pending = TRUE;
\r
66 noise_get_light(random_add_noise);
\r
68 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
\r
69 pool.incomingpos = 0;
\r
72 * Chunks of this code are blatantly endianness-dependent, but
\r
73 * as it's all random bits anyway, WHO CARES?
\r
75 memcpy(digest, pool.incoming, sizeof(digest));
\r
78 * Make two passes over the pool.
\r
80 for (i = 0; i < 2; i++) {
\r
83 * We operate SHA in CFB mode, repeatedly adding the same
\r
84 * block of data to the digest. But we're also fiddling
\r
85 * with the digest-so-far, so this shouldn't be Bad or
\r
88 memcpy(block, pool.pool, sizeof(block));
\r
91 * Each pass processes the pool backwards in blocks of
\r
92 * HASHSIZE, just so that in general we get the output of
\r
93 * SHA before the corresponding input, in the hope that
\r
94 * things will be that much less predictable that way
\r
95 * round, when we subsequently return bytes ...
\r
97 for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {
\r
99 * XOR the bit of the pool we're processing into the
\r
103 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
\r
104 digest[k] ^= ((word32 *) (pool.pool + j))[k];
\r
107 * Munge our unrevealed first block of the pool into
\r
110 SHATransform(digest, block);
\r
113 * Stick the result back into the pool.
\r
116 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
\r
117 ((word32 *) (pool.pool + j))[k] = digest[k];
\r
122 * Might as well save this value back into `incoming', just so
\r
123 * there'll be some extra bizarreness there.
\r
125 SHATransform(digest, block);
\r
126 memcpy(pool.incoming, digest, sizeof(digest));
\r
128 pool.poolpos = sizeof(pool.incoming);
\r
130 pool.stir_pending = FALSE;
\r
133 void random_add_noise(void *noise, int length)
\r
135 unsigned char *p = noise;
\r
138 if (!random_active)
\r
142 * This function processes HASHINPUT bytes into only HASHSIZE
\r
143 * bytes, so _if_ we were getting incredibly high entropy
\r
144 * sources then we would be throwing away valuable stuff.
\r
146 while (length >= (HASHINPUT - pool.incomingpos)) {
\r
147 memcpy(pool.incomingb + pool.incomingpos, p,
\r
148 HASHINPUT - pool.incomingpos);
\r
149 p += HASHINPUT - pool.incomingpos;
\r
150 length -= HASHINPUT - pool.incomingpos;
\r
151 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
\r
152 for (i = 0; i < HASHSIZE; i++) {
\r
153 pool.pool[pool.poolpos++] ^= pool.incomingb[i];
\r
154 if (pool.poolpos >= POOLSIZE)
\r
157 if (pool.poolpos < HASHSIZE)
\r
160 pool.incomingpos = 0;
\r
163 memcpy(pool.incomingb + pool.incomingpos, p, length);
\r
164 pool.incomingpos += length;
\r
167 void random_add_heavynoise(void *noise, int length)
\r
169 unsigned char *p = noise;
\r
172 while (length >= POOLSIZE) {
\r
173 for (i = 0; i < POOLSIZE; i++)
\r
174 pool.pool[i] ^= *p++;
\r
176 length -= POOLSIZE;
\r
179 for (i = 0; i < length; i++)
\r
180 pool.pool[i] ^= *p++;
\r
184 static void random_add_heavynoise_bitbybit(void *noise, int length)
\r
186 unsigned char *p = noise;
\r
189 while (length >= POOLSIZE - pool.poolpos) {
\r
190 for (i = 0; i < POOLSIZE - pool.poolpos; i++)
\r
191 pool.pool[pool.poolpos + i] ^= *p++;
\r
193 length -= POOLSIZE - pool.poolpos;
\r
197 for (i = 0; i < length; i++)
\r
198 pool.pool[i] ^= *p++;
\r
202 static void random_timer(void *ctx, long now)
\r
204 if (random_active > 0 && now - next_noise_collection >= 0) {
\r
206 next_noise_collection =
\r
207 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
\r
211 void random_ref(void)
\r
213 if (!random_active) {
\r
214 memset(&pool, 0, sizeof(pool)); /* just to start with */
\r
216 noise_get_heavy(random_add_heavynoise_bitbybit);
\r
219 next_noise_collection =
\r
220 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
\r
226 void random_unref(void)
\r
229 assert(random_active >= 0);
\r
230 if (random_active) return;
\r
232 expire_timer_context(&pool);
\r
235 int random_byte(void)
\r
237 if (pool.poolpos >= POOLSIZE)
\r
240 return pool.pool[pool.poolpos++];
\r
243 void random_get_savedata(void **data, int *len)
\r
245 void *buf = snewn(POOLSIZE / 2, char);
\r
247 memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);
\r
248 *len = POOLSIZE / 2;
\r
OSDN Git Service
