2 * cryptographic random number generator for PuTTY's ssh client
8 /* Collect environmental noise every 5 minutes */
9 #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)
11 void noise_get_heavy(void (*func) (void *, int));
12 void noise_get_light(void (*func) (void *, int));
15 * `pool' itself is a pool of random data which we actually use: we
16 * return bytes from `pool', at position `poolpos', until `poolpos'
17 * reaches the end of the pool. At this point we generate more
18 * random data, by adding noise, stirring well, and resetting
19 * `poolpos' to point to just past the beginning of the pool (not
20 * _the_ beginning, since otherwise we'd give away the whole
21 * contents of our pool, and attackers would just have to guess the
24 * `incomingb' buffers acquired noise data, until it gets full, at
25 * which point the acquired noise is SHA'ed into `incoming' and
26 * `incomingb' is cleared. The noise in `incoming' is used as part
27 * of the noise for each stirring of the pool, in addition to local
28 * time, process listings, and other such stuff.
31 #define HASHINPUT 64 /* 64 bytes SHA input */
32 #define HASHSIZE 20 /* 160 bits SHA output */
33 #define POOLSIZE 1200 /* size of random pool */
36 unsigned char pool[POOLSIZE];
39 unsigned char incoming[HASHSIZE];
41 unsigned char incomingb[HASHINPUT];
47 static struct RandPool pool;
48 int random_active = 0;
49 long next_noise_collection;
51 static void random_stir(void)
53 word32 block[HASHINPUT / sizeof(word32)];
54 word32 digest[HASHSIZE / sizeof(word32)];
58 * noise_get_light will call random_add_noise, which may call
59 * back to here. Prevent recursive stirs.
61 if (pool.stir_pending)
63 pool.stir_pending = TRUE;
65 noise_get_light(random_add_noise);
67 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
71 * Chunks of this code are blatantly endianness-dependent, but
72 * as it's all random bits anyway, WHO CARES?
74 memcpy(digest, pool.incoming, sizeof(digest));
77 * Make two passes over the pool.
79 for (i = 0; i < 2; i++) {
82 * We operate SHA in CFB mode, repeatedly adding the same
83 * block of data to the digest. But we're also fiddling
84 * with the digest-so-far, so this shouldn't be Bad or
87 memcpy(block, pool.pool, sizeof(block));
90 * Each pass processes the pool backwards in blocks of
91 * HASHSIZE, just so that in general we get the output of
92 * SHA before the corresponding input, in the hope that
93 * things will be that much less predictable that way
94 * round, when we subsequently return bytes ...
96 for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {
98 * XOR the bit of the pool we're processing into the
102 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
103 digest[k] ^= ((word32 *) (pool.pool + j))[k];
106 * Munge our unrevealed first block of the pool into
109 SHATransform(digest, block);
112 * Stick the result back into the pool.
115 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)
116 ((word32 *) (pool.pool + j))[k] = digest[k];
121 * Might as well save this value back into `incoming', just so
122 * there'll be some extra bizarreness there.
124 SHATransform(digest, block);
125 memcpy(pool.incoming, digest, sizeof(digest));
127 pool.poolpos = sizeof(pool.incoming);
129 pool.stir_pending = FALSE;
132 void random_add_noise(void *noise, int length)
134 unsigned char *p = noise;
141 * This function processes HASHINPUT bytes into only HASHSIZE
142 * bytes, so _if_ we were getting incredibly high entropy
143 * sources then we would be throwing away valuable stuff.
145 while (length >= (HASHINPUT - pool.incomingpos)) {
146 memcpy(pool.incomingb + pool.incomingpos, p,
147 HASHINPUT - pool.incomingpos);
148 p += HASHINPUT - pool.incomingpos;
149 length -= HASHINPUT - pool.incomingpos;
150 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);
151 for (i = 0; i < HASHSIZE; i++) {
152 pool.pool[pool.poolpos++] ^= pool.incomingb[i];
153 if (pool.poolpos >= POOLSIZE)
156 if (pool.poolpos < HASHSIZE)
159 pool.incomingpos = 0;
162 memcpy(pool.incomingb + pool.incomingpos, p, length);
163 pool.incomingpos += length;
166 void random_add_heavynoise(void *noise, int length)
168 unsigned char *p = noise;
171 while (length >= POOLSIZE) {
172 for (i = 0; i < POOLSIZE; i++)
173 pool.pool[i] ^= *p++;
178 for (i = 0; i < length; i++)
179 pool.pool[i] ^= *p++;
183 static void random_add_heavynoise_bitbybit(void *noise, int length)
185 unsigned char *p = noise;
188 while (length >= POOLSIZE - pool.poolpos) {
189 for (i = 0; i < POOLSIZE - pool.poolpos; i++)
190 pool.pool[pool.poolpos + i] ^= *p++;
192 length -= POOLSIZE - pool.poolpos;
196 for (i = 0; i < length; i++)
197 pool.pool[i] ^= *p++;
201 static void random_timer(void *ctx, long now)
203 if (random_active > 0 && now - next_noise_collection >= 0) {
205 next_noise_collection =
206 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
210 void random_ref(void)
212 if (!random_active) {
213 memset(&pool, 0, sizeof(pool)); /* just to start with */
215 noise_get_heavy(random_add_heavynoise_bitbybit);
218 next_noise_collection =
219 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
225 void random_unref(void)
230 int random_byte(void)
232 if (pool.poolpos >= POOLSIZE)
235 return pool.pool[pool.poolpos++];
238 void random_get_savedata(void **data, int *len)
240 void *buf = snewn(POOLSIZE / 2, char);
242 memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);