2 * cryptographic random number generator for PuTTY's ssh client
7 void noise_get_heavy(void (*func) (void *, int));
8 void noise_get_light(void (*func) (void *, int));
11 * `pool' itself is a pool of random data which we actually use: we
12 * return bytes from `pool', at position `poolpos', until `poolpos'
13 * reaches the end of the pool. At this point we generate more
14 * random data, by adding noise, stirring well, and resetting
15 * `poolpos' to point to just past the beginning of the pool (not
16 * _the_ beginning, since otherwise we'd give away the whole
17 * contents of our pool, and attackers would just have to guess the
20 * `incomingb' buffers acquired noise data, until it gets full, at
21 * which point the acquired noise is SHA'ed into `incoming' and
22 * `incomingb' is cleared. The noise in `incoming' is used as part
23 * of the noise for each stirring of the pool, in addition to local
24 * time, process listings, and other such stuff.
27 #define HASHINPUT 64 /* 64 bytes SHA input */
28 #define HASHSIZE 20 /* 160 bits SHA output */
29 #define POOLSIZE 1200 /* size of random pool */
32 unsigned char pool[POOLSIZE];
35 unsigned char incoming[HASHSIZE];
37 unsigned char incomingb[HASHINPUT];
41 static struct RandPool pool;
42 static int random_active = 0;
44 void random_stir(void) {
45 word32 block[HASHINPUT/sizeof(word32)];
46 word32 digest[HASHSIZE/sizeof(word32)];
49 noise_get_light(random_add_noise);
51 SHATransform((word32 *)pool.incoming, (word32 *)pool.incomingb);
55 * Chunks of this code are blatantly endianness-dependent, but
56 * as it's all random bits anyway, WHO CARES?
58 memcpy(digest, pool.incoming, sizeof(digest));
61 * Make two passes over the pool.
63 for (i = 0; i < 2; i++) {
66 * We operate SHA in CFB mode, repeatedly adding the same
67 * block of data to the digest. But we're also fiddling
68 * with the digest-so-far, so this shouldn't be Bad or
71 memcpy(block, pool.pool, sizeof(block));
74 * Each pass processes the pool backwards in blocks of
75 * HASHSIZE, just so that in general we get the output of
76 * SHA before the corresponding input, in the hope that
77 * things will be that much less predictable that way
78 * round, when we subsequently return bytes ...
80 for (j = POOLSIZE; (j -= HASHSIZE) >= 0 ;) {
82 * XOR the bit of the pool we're processing into the
86 for (k = 0; k < sizeof(digest)/sizeof(*digest); k++)
87 digest[k] ^= ((word32 *)(pool.pool+j))[k];
90 * Munge our unrevealed first block of the pool into
93 SHATransform(digest, block);
96 * Stick the result back into the pool.
99 for (k = 0; k < sizeof(digest)/sizeof(*digest); k++)
100 ((word32 *)(pool.pool+j))[k] = digest[k];
105 * Might as well save this value back into `incoming', just so
106 * there'll be some extra bizarreness there.
108 SHATransform(digest, block);
109 memcpy(pool.incoming, digest, sizeof(digest));
111 pool.poolpos = sizeof(pool.incoming);
114 void random_add_noise(void *noise, int length) {
115 unsigned char *p = noise;
122 * This function processes HASHINPUT bytes into only HASHSIZE
123 * bytes, so _if_ we were getting incredibly high entropy
124 * sources then we would be throwing away valuable stuff.
126 while (length >= (HASHINPUT - pool.incomingpos)) {
127 memcpy(pool.incomingb + pool.incomingpos, p,
128 HASHINPUT - pool.incomingpos);
129 p += HASHINPUT - pool.incomingpos;
130 length -= HASHINPUT - pool.incomingpos;
131 SHATransform((word32 *)pool.incoming, (word32 *)pool.incomingb);
132 for (i = 0; i < HASHSIZE; i++) {
133 pool.pool[pool.poolpos++] ^= pool.incomingb[i];
134 if (pool.poolpos >= POOLSIZE)
137 if (pool.poolpos < HASHSIZE)
140 pool.incomingpos = 0;
143 memcpy(pool.incomingb + pool.incomingpos, p, length);
144 pool.incomingpos += length;
147 void random_add_heavynoise(void *noise, int length) {
148 unsigned char *p = noise;
151 while (length >= POOLSIZE) {
152 for (i = 0; i < POOLSIZE; i++)
153 pool.pool[i] ^= *p++;
158 for (i = 0; i < length; i++)
159 pool.pool[i] ^= *p++;
163 static void random_add_heavynoise_bitbybit(void *noise, int length) {
164 unsigned char *p = noise;
167 while (length >= POOLSIZE - pool.poolpos) {
168 for (i = 0; i < POOLSIZE - pool.poolpos; i++)
169 pool.pool[pool.poolpos + i] ^= *p++;
171 length -= POOLSIZE - pool.poolpos;
175 for (i = 0; i < length; i++)
176 pool.pool[i] ^= *p++;
180 void random_init(void) {
181 memset(&pool, 0, sizeof(pool)); /* just to start with */
185 noise_get_heavy(random_add_heavynoise_bitbybit);
189 int random_byte(void) {
190 if (pool.poolpos >= POOLSIZE)
193 return pool.pool[pool.poolpos++];
196 void random_get_savedata(void **data, int *len) {
198 *data = pool.pool+pool.poolpos;