--- /dev/null
+/*\r
+ * cryptographic random number generator for PuTTY's ssh client\r
+ */\r
+\r
+#include "putty.h"\r
+#include "ssh.h"\r
+#include <assert.h>\r
+\r
+/* Collect environmental noise every 5 minutes */\r
+#define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)\r
+\r
+void noise_get_heavy(void (*func) (void *, int));\r
+void noise_get_light(void (*func) (void *, int));\r
+\r
+/*\r
+ * `pool' itself is a pool of random data which we actually use: we\r
+ * return bytes from `pool', at position `poolpos', until `poolpos'\r
+ * reaches the end of the pool. At this point we generate more\r
+ * random data, by adding noise, stirring well, and resetting\r
+ * `poolpos' to point to just past the beginning of the pool (not\r
+ * _the_ beginning, since otherwise we'd give away the whole\r
+ * contents of our pool, and attackers would just have to guess the\r
+ * next lot of noise).\r
+ *\r
+ * `incomingb' buffers acquired noise data, until it gets full, at\r
+ * which point the acquired noise is SHA'ed into `incoming' and\r
+ * `incomingb' is cleared. The noise in `incoming' is used as part\r
+ * of the noise for each stirring of the pool, in addition to local\r
+ * time, process listings, and other such stuff.\r
+ */\r
+\r
+#define HASHINPUT 64 /* 64 bytes SHA input */\r
+#define HASHSIZE 20 /* 160 bits SHA output */\r
+#define POOLSIZE 1200 /* size of random pool */\r
+\r
+struct RandPool {\r
+ unsigned char pool[POOLSIZE];\r
+ int poolpos;\r
+\r
+ unsigned char incoming[HASHSIZE];\r
+\r
+ unsigned char incomingb[HASHINPUT];\r
+ int incomingpos;\r
+\r
+ int stir_pending;\r
+};\r
+\r
+static struct RandPool pool;\r
+int random_active = 0;\r
+long next_noise_collection;\r
+\r
+static void random_stir(void)\r
+{\r
+ word32 block[HASHINPUT / sizeof(word32)];\r
+ word32 digest[HASHSIZE / sizeof(word32)];\r
+ int i, j, k;\r
+\r
+ /*\r
+ * noise_get_light will call random_add_noise, which may call\r
+ * back to here. Prevent recursive stirs.\r
+ */\r
+ if (pool.stir_pending)\r
+ return;\r
+ pool.stir_pending = TRUE;\r
+\r
+ noise_get_light(random_add_noise);\r
+\r
+ SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);\r
+ pool.incomingpos = 0;\r
+\r
+ /*\r
+ * Chunks of this code are blatantly endianness-dependent, but\r
+ * as it's all random bits anyway, WHO CARES?\r
+ */\r
+ memcpy(digest, pool.incoming, sizeof(digest));\r
+\r
+ /*\r
+ * Make two passes over the pool.\r
+ */\r
+ for (i = 0; i < 2; i++) {\r
+\r
+ /*\r
+ * We operate SHA in CFB mode, repeatedly adding the same\r
+ * block of data to the digest. But we're also fiddling\r
+ * with the digest-so-far, so this shouldn't be Bad or\r
+ * anything.\r
+ */\r
+ memcpy(block, pool.pool, sizeof(block));\r
+\r
+ /*\r
+ * Each pass processes the pool backwards in blocks of\r
+ * HASHSIZE, just so that in general we get the output of\r
+ * SHA before the corresponding input, in the hope that\r
+ * things will be that much less predictable that way\r
+ * round, when we subsequently return bytes ...\r
+ */\r
+ for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {\r
+ /*\r
+ * XOR the bit of the pool we're processing into the\r
+ * digest.\r
+ */\r
+\r
+ for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)\r
+ digest[k] ^= ((word32 *) (pool.pool + j))[k];\r
+\r
+ /*\r
+ * Munge our unrevealed first block of the pool into\r
+ * it.\r
+ */\r
+ SHATransform(digest, block);\r
+\r
+ /*\r
+ * Stick the result back into the pool.\r
+ */\r
+\r
+ for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)\r
+ ((word32 *) (pool.pool + j))[k] = digest[k];\r
+ }\r
+ }\r
+\r
+ /*\r
+ * Might as well save this value back into `incoming', just so\r
+ * there'll be some extra bizarreness there.\r
+ */\r
+ SHATransform(digest, block);\r
+ memcpy(pool.incoming, digest, sizeof(digest));\r
+\r
+ pool.poolpos = sizeof(pool.incoming);\r
+\r
+ pool.stir_pending = FALSE;\r
+}\r
+\r
+void random_add_noise(void *noise, int length)\r
+{\r
+ unsigned char *p = noise;\r
+ int i;\r
+\r
+ if (!random_active)\r
+ return;\r
+\r
+ /*\r
+ * This function processes HASHINPUT bytes into only HASHSIZE\r
+ * bytes, so _if_ we were getting incredibly high entropy\r
+ * sources then we would be throwing away valuable stuff.\r
+ */\r
+ while (length >= (HASHINPUT - pool.incomingpos)) {\r
+ memcpy(pool.incomingb + pool.incomingpos, p,\r
+ HASHINPUT - pool.incomingpos);\r
+ p += HASHINPUT - pool.incomingpos;\r
+ length -= HASHINPUT - pool.incomingpos;\r
+ SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);\r
+ for (i = 0; i < HASHSIZE; i++) {\r
+ pool.pool[pool.poolpos++] ^= pool.incomingb[i];\r
+ if (pool.poolpos >= POOLSIZE)\r
+ pool.poolpos = 0;\r
+ }\r
+ if (pool.poolpos < HASHSIZE)\r
+ random_stir();\r
+\r
+ pool.incomingpos = 0;\r
+ }\r
+\r
+ memcpy(pool.incomingb + pool.incomingpos, p, length);\r
+ pool.incomingpos += length;\r
+}\r
+\r
+void random_add_heavynoise(void *noise, int length)\r
+{\r
+ unsigned char *p = noise;\r
+ int i;\r
+\r
+ while (length >= POOLSIZE) {\r
+ for (i = 0; i < POOLSIZE; i++)\r
+ pool.pool[i] ^= *p++;\r
+ random_stir();\r
+ length -= POOLSIZE;\r
+ }\r
+\r
+ for (i = 0; i < length; i++)\r
+ pool.pool[i] ^= *p++;\r
+ random_stir();\r
+}\r
+\r
+static void random_add_heavynoise_bitbybit(void *noise, int length)\r
+{\r
+ unsigned char *p = noise;\r
+ int i;\r
+\r
+ while (length >= POOLSIZE - pool.poolpos) {\r
+ for (i = 0; i < POOLSIZE - pool.poolpos; i++)\r
+ pool.pool[pool.poolpos + i] ^= *p++;\r
+ random_stir();\r
+ length -= POOLSIZE - pool.poolpos;\r
+ pool.poolpos = 0;\r
+ }\r
+\r
+ for (i = 0; i < length; i++)\r
+ pool.pool[i] ^= *p++;\r
+ pool.poolpos = i;\r
+}\r
+\r
+static void random_timer(void *ctx, long now)\r
+{\r
+ if (random_active > 0 && now - next_noise_collection >= 0) {\r
+ noise_regular();\r
+ next_noise_collection =\r
+ schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);\r
+ }\r
+}\r
+\r
+void random_ref(void)\r
+{\r
+ if (!random_active) {\r
+ memset(&pool, 0, sizeof(pool)); /* just to start with */\r
+\r
+ noise_get_heavy(random_add_heavynoise_bitbybit);\r
+ random_stir();\r
+\r
+ next_noise_collection =\r
+ schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);\r
+ }\r
+\r
+ random_active++;\r
+}\r
+\r
+void random_unref(void)\r
+{\r
+ random_active--;\r
+ assert(random_active >= 0);\r
+ if (random_active) return;\r
+\r
+ expire_timer_context(&pool);\r
+}\r
+\r
+int random_byte(void)\r
+{\r
+ if (pool.poolpos >= POOLSIZE)\r
+ random_stir();\r
+\r
+ return pool.pool[pool.poolpos++];\r
+}\r
+\r
+void random_get_savedata(void **data, int *len)\r
+{\r
+ void *buf = snewn(POOLSIZE / 2, char);\r
+ random_stir();\r
+ memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);\r
+ *len = POOLSIZE / 2;\r
+ *data = buf;\r
+ random_stir();\r
+}\r