2 * cryptographic random number generator for PuTTY's ssh client
9 /* Collect environmental noise every 5 minutes */
10 #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)
12 void noise_get_heavy(void (*func) (void *, int));
13 void noise_get_light(void (*func) (void *, int));
16 * `pool' itself is a pool of random data which we actually use: we
17 * return bytes from `pool', at position `poolpos', until `poolpos'
18 * reaches the end of the pool. At this point we generate more
19 * random data, by adding noise, stirring well, and resetting
20 * `poolpos' to point to just past the beginning of the pool (not
21 * _the_ beginning, since otherwise we'd give away the whole
22 * contents of our pool, and attackers would just have to guess the
25 * `incomingb' buffers acquired noise data, until it gets full, at
26 * which point the acquired noise is SHA'ed into `incoming' and
27 * `incomingb' is cleared. The noise in `incoming' is used as part
28 * of the noise for each stirring of the pool, in addition to local
29 * time, process listings, and other such stuff.
32 #define HASHINPUT 64 /* 64 bytes SHA input */
33 #define HASHSIZE 20 /* 160 bits SHA output */
34 #define POOLSIZE 1200 /* size of random pool */
37 unsigned char pool[POOLSIZE];
40 unsigned char incoming[HASHSIZE];
42 unsigned char incomingb[HASHINPUT];
48 int random_active = 0;
52 * Special dummy version of the RNG for use when fuzzing.
54 void random_add_noise(void *noise, int length) { }
55 void random_add_heavynoise(void *noise, int length) { }
56 void random_ref(void) { }
57 void random_unref(void) { }
60 return 0x45; /* Chosen by eight fair coin tosses */
62 void random_get_savedata(void **data, int *len) { }
64 static struct RandPool pool;
65 long next_noise_collection;
67 #ifdef RANDOM_DIAGNOSTICS
68 int random_diagnostics = 0;
71 static void random_stir(void)
73 word32 block[HASHINPUT / sizeof(word32)];
74 word32 digest[HASHSIZE / sizeof(word32)];
78 * noise_get_light will call random_add_noise, which may call
79 * back to here. Prevent recursive stirs.
81 if (pool.stir_pending)
83 pool.stir_pending = TRUE;
85 noise_get_light(random_add_noise);
87 #ifdef RANDOM_DIAGNOSTICS
90 printf("random stir starting\npool:\n");
91 for (p = 0; p < POOLSIZE; p += HASHSIZE) {
93 for (q = 0; q < HASHSIZE; q += 4) {
94 printf(" %08x", *(word32 *)(pool.pool + p + q));
98 printf("incoming:\n ");
99 for (q = 0; q < HASHSIZE; q += 4) {
100 printf(" %08x", *(word32 *)(pool.incoming + q));
102 printf("\nincomingb:\n ");
103 for (q = 0; q < HASHINPUT; q += 4) {
104 printf(" %08x", *(word32 *)(pool.incomingb + q));
107 random_diagnostics++;
111 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
112 pool.incomingpos = 0;
115 * Chunks of this code are blatantly endianness-dependent, but
116 * as it's all random bits anyway, WHO CARES?
118 memcpy(digest, pool.incoming, sizeof(digest));
121 * Make two passes over the pool.
123 for (i = 0; i < 2; i++) {
126 * We operate SHA in CFB mode, repeatedly adding the same
127 * block of data to the digest. But we're also fiddling
128 * with the digest-so-far, so this shouldn't be Bad or
131 memcpy(block, pool.pool, sizeof(block));
134 * Each pass processes the pool backwards in blocks of
135 * HASHSIZE, just so that in general we get the output of
136 * SHA before the corresponding input, in the hope that
137 * things will be that much less predictable that way
138 * round, when we subsequently return bytes ...
140 for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {
142 * XOR the bit of the pool we're processing into the
146 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
147 digest[k] ^= ((word32 *) (pool.pool + j))[k];
150 * Munge our unrevealed first block of the pool into
153 SHATransform(digest, block);
156 * Stick the result back into the pool.
159 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
160 ((word32 *) (pool.pool + j))[k] = digest[k];
163 #ifdef RANDOM_DIAGNOSTICS
166 printf("random stir midpoint\npool:\n");
167 for (p = 0; p < POOLSIZE; p += HASHSIZE) {
169 for (q = 0; q < HASHSIZE; q += 4) {
170 printf(" %08x", *(word32 *)(pool.pool + p + q));
174 printf("incoming:\n ");
175 for (q = 0; q < HASHSIZE; q += 4) {
176 printf(" %08x", *(word32 *)(pool.incoming + q));
178 printf("\nincomingb:\n ");
179 for (q = 0; q < HASHINPUT; q += 4) {
180 printf(" %08x", *(word32 *)(pool.incomingb + q));
188 * Might as well save this value back into `incoming', just so
189 * there'll be some extra bizarreness there.
191 SHATransform(digest, block);
192 memcpy(pool.incoming, digest, sizeof(digest));
194 pool.poolpos = sizeof(pool.incoming);
196 pool.stir_pending = FALSE;
198 #ifdef RANDOM_DIAGNOSTICS
201 printf("random stir done\npool:\n");
202 for (p = 0; p < POOLSIZE; p += HASHSIZE) {
204 for (q = 0; q < HASHSIZE; q += 4) {
205 printf(" %08x", *(word32 *)(pool.pool + p + q));
209 printf("incoming:\n ");
210 for (q = 0; q < HASHSIZE; q += 4) {
211 printf(" %08x", *(word32 *)(pool.incoming + q));
213 printf("\nincomingb:\n ");
214 for (q = 0; q < HASHINPUT; q += 4) {
215 printf(" %08x", *(word32 *)(pool.incomingb + q));
218 random_diagnostics--;
223 void random_add_noise(void *noise, int length)
225 unsigned char *p = noise;
232 * This function processes HASHINPUT bytes into only HASHSIZE
233 * bytes, so _if_ we were getting incredibly high entropy
234 * sources then we would be throwing away valuable stuff.
236 while (length >= (HASHINPUT - pool.incomingpos)) {
237 memcpy(pool.incomingb + pool.incomingpos, p,
238 HASHINPUT - pool.incomingpos);
239 p += HASHINPUT - pool.incomingpos;
240 length -= HASHINPUT - pool.incomingpos;
241 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
242 for (i = 0; i < HASHSIZE; i++) {
243 pool.pool[pool.poolpos++] ^= pool.incomingb[i];
244 if (pool.poolpos >= POOLSIZE)
247 if (pool.poolpos < HASHSIZE)
250 pool.incomingpos = 0;
253 memcpy(pool.incomingb + pool.incomingpos, p, length);
254 pool.incomingpos += length;
257 void random_add_heavynoise(void *noise, int length)
259 unsigned char *p = noise;
262 while (length >= POOLSIZE) {
263 for (i = 0; i < POOLSIZE; i++)
264 pool.pool[i] ^= *p++;
269 for (i = 0; i < length; i++)
270 pool.pool[i] ^= *p++;
274 static void random_add_heavynoise_bitbybit(void *noise, int length)
276 unsigned char *p = noise;
279 while (length >= POOLSIZE - pool.poolpos) {
280 for (i = 0; i < POOLSIZE - pool.poolpos; i++)
281 pool.pool[pool.poolpos + i] ^= *p++;
283 length -= POOLSIZE - pool.poolpos;
287 for (i = 0; i < length; i++)
288 pool.pool[i] ^= *p++;
292 static void random_timer(void *ctx, unsigned long now)
294 if (random_active > 0 && now == next_noise_collection) {
296 next_noise_collection =
297 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
301 void random_ref(void)
303 if (!random_active) {
304 memset(&pool, 0, sizeof(pool)); /* just to start with */
306 noise_get_heavy(random_add_heavynoise_bitbybit);
309 next_noise_collection =
310 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
315 void random_unref(void)
317 assert(random_active > 0);
318 if (random_active == 1) {
320 expire_timer_context(&pool);
325 int random_byte(void)
327 assert(random_active);
329 if (pool.poolpos >= POOLSIZE)
332 return pool.pool[pool.poolpos++];
335 void random_get_savedata(void **data, int *len)
337 void *buf = snewn(POOLSIZE / 2, char);
339 memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);