Startseite Erkunden Hilfe
Anmelden
HSD
/
putty
Mirror von https://git.tartarus.org/simon/putty.git
Beobachten 1
Favorit hinzufügen 0
Fork 0
Dateien
Branch: ben-mac-port
Branches Tags
putty
/
sshrand.c

sshrand.c 4.6 KB
Permalink Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170 
  1. /*
    2. 

  2.  * cryptographic random number generator for PuTTY's ssh client
    3. 

  3.  */
    4. 

  4. 

  5. #include "ssh.h"
    6. 

  6. 

  7. void noise_get_heavy(void (*func) (void *, int));
    8. 

  8. void noise_get_light(void (*func) (void *, int));
    9. 

  9. 

  10. /*
    11. 

  11.  * `pool' itself is a pool of random data which we actually use: we
    12. 

  12.  * return bytes from `pool', at position `poolpos', until `poolpos'
    13. 

  13.  * reaches the end of the pool. At this point we generate more
    14. 

  14.  * random data, by adding noise, stirring well, and resetting
    15. 

  15.  * `poolpos' to point to just past the beginning of the pool (not
    16. 

  16.  * _the_ beginning, since otherwise we'd give away the whole
    17. 

  17.  * contents of our pool, and attackers would just have to guess the
    18. 

  18.  * next lot of noise).
    19. 

  19.  *
    20. 

  20.  * `incomingb' buffers acquired noise data, until it gets full, at
    21. 

  21.  * which point the acquired noise is SHA'ed into `incoming' and
    22. 

  22.  * `incomingb' is cleared. The noise in `incoming' is used as part
    23. 

  23.  * of the noise for each stirring of the pool, in addition to local
    24. 

  24.  * time, process listings, and other such stuff.
    25. 

  25.  */
    26. 

  26. 

  27. #define HASHINPUT 64		       /* 64 bytes SHA input */
    28. 

  28. #define HASHSIZE 20		       /* 160 bits SHA output */
    29. 

  29. #define POOLSIZE 1200		       /* size of random pool */
    30. 

  30. 

  31. struct RandPool {
    32. 

  32.     unsigned char pool[POOLSIZE];
    33. 

  33.     int poolpos;
    34. 

  34. 

  35.     unsigned char incoming[HASHSIZE];
    36. 

  36. 

  37.     unsigned char incomingb[HASHINPUT];
    38. 

  38.     int incomingpos;
    39. 

  39. };
    40. 

  40. 

  41. static struct RandPool pool;
    42. 

  42. 

  43. void random_add_noise(void *noise, int length) {
    44. 

  44.     unsigned char *p = noise;
    45. 

  45. 

  46.     while (length >= (HASHINPUT - pool.incomingpos)) {
    47. 

  47. 	memcpy(pool.incomingb + pool.incomingpos, p,
    48. 

  48. 	       HASHINPUT - pool.incomingpos);
    49. 

  49. 	p += HASHINPUT - pool.incomingpos;
    50. 

  50. 	length -= HASHINPUT - pool.incomingpos;
    51. 

  51. 	SHATransform((word32 *)pool.incoming, (word32 *)pool.incomingb);
    52. 

  52. 	pool.incomingpos = 0;
    53. 

  53.     }
    54. 

  54. 

  55.     memcpy(pool.incomingb + pool.incomingpos, p, length);
    56. 

  56.     pool.incomingpos += length;
    57. 

  57. }
    58. 

  58. 

  59. void random_stir(void) {
    60. 

  60.     word32 block[HASHINPUT/sizeof(word32)];
    61. 

  61.     word32 digest[HASHSIZE/sizeof(word32)];
    62. 

  62.     int i, j, k;
    63. 

  63. 

  64.     noise_get_light(random_add_noise);
    65. 

  65. 

  66.     SHATransform((word32 *)pool.incoming, (word32 *)pool.incomingb);
    67. 

  67.     pool.incomingpos = 0;
    68. 

  68. 

  69.     /*
    70. 

  70.      * Chunks of this code are blatantly endianness-dependent, but
    71. 

  71.      * as it's all random bits anyway, WHO CARES?
    72. 

  72.      */
    73. 

  73.     memcpy(digest, pool.incoming, sizeof(digest));
    74. 

  74. 

  75.     /*
    76. 

  76.      * Make two passes over the pool.
    77. 

  77.      */
    78. 

  78.     for (i = 0; i < 2; i++) {
    79. 

  79. 

  80. 	/*
    81. 

  81. 	 * We operate SHA in CFB mode, repeatedly adding the same
    82. 

  82. 	 * block of data to the digest. But we're also fiddling
    83. 

  83. 	 * with the digest-so-far, so this shouldn't be Bad or
    84. 

  84. 	 * anything.
    85. 

  85. 	 */
    86. 

  86. 	memcpy(block, pool.pool, sizeof(block));
    87. 

  87. 

  88. 	/*
    89. 

  89. 	 * Each pass processes the pool backwards in blocks of
    90. 

  90. 	 * HASHSIZE, just so that in general we get the output of
    91. 

  91. 	 * SHA before the corresponding input, in the hope that
    92. 

  92. 	 * things will be that much less predictable that way
    93. 

  93. 	 * round, when we subsequently return bytes ...
    94. 

  94. 	 */
    95. 

  95. 	for (j = POOLSIZE; (j -= HASHSIZE) >= 0 ;) {
    96. 

  96. 	    /*
    97. 

  97. 	     * XOR the bit of the pool we're processing into the
    98. 

  98. 	     * digest.
    99. 

  99. 	     */
    100. 

  100. 

  101. 	    for (k = 0; k < sizeof(digest)/sizeof(*digest); k++)
    102. 

  102. 		digest[k] ^= ((word32 *)(pool.pool+j))[k];
    103. 

  103. 

  104. 	    /*
    105. 

  105. 	     * Munge our unrevealed first block of the pool into
    106. 

  106. 	     * it.
    107. 

  107. 	     */
    108. 

  108. 	    SHATransform(digest, block);
    109. 

  109. 

  110. 	    /*
    111. 

  111. 	     * Stick the result back into the pool.
    112. 

  112. 	     */
    113. 

  113. 

  114. 	    for (k = 0; k < sizeof(digest)/sizeof(*digest); k++)
    115. 

  115. 		((word32 *)(pool.pool+j))[k] = digest[k];
    116. 

  116. 	}
    117. 

  117.     }
    118. 

  118. 

  119.     /*
    120. 

  120.      * Might as well save this value back into `incoming', just so
    121. 

  121.      * there'll be some extra bizarreness there.
    122. 

  122.      */
    123. 

  123.     SHATransform(digest, block);
    124. 

  124.     memcpy(pool.incoming, digest, sizeof(digest));
    125. 

  125. 

  126.     pool.poolpos = sizeof(pool.incoming);
    127. 

  127. }
    128. 

  128. 

  129. static void random_add_heavynoise(void *noise, int length) {
    130. 

  130.     unsigned char *p = noise;
    131. 

  131. 

  132.     while (length >= (POOLSIZE - pool.poolpos)) {
    133. 

  133. 	memcpy(pool.pool + pool.poolpos, p, POOLSIZE - pool.poolpos);
    134. 

  134. 	p += POOLSIZE - pool.poolpos;
    135. 

  135. 	length -= POOLSIZE - pool.poolpos;
    136. 

  136. 	random_stir();
    137. 

  137. 	pool.poolpos = 0;
    138. 

  138.     }
    139. 

  139. 

  140.     memcpy(pool.pool + pool.poolpos, p, length);
    141. 

  141.     pool.poolpos += length;
    142. 

  142. }
    143. 

  143. 

  144. void random_init(void) {
    145. 

  145.     memset(&pool, 0, sizeof(pool));    /* just to start with */
    146. 

  146. 

  147.     /*
    148. 

  148.      * For noise_get_heavy, we temporarily use `poolpos' as the
    149. 

  149.      * pointer for addition of noise, rather than extraction of
    150. 

  150.      * random numbers.
    151. 

  151.      */
    152. 

  152.     pool.poolpos = 0;
    153. 

  153.     noise_get_heavy(random_add_heavynoise);
    154. 

  154. 

  155.     random_stir();
    156. 

  156. }
    157. 

  157. 

  158. int random_byte(void) {
    159. 

  159.     if (pool.poolpos >= POOLSIZE)
    160. 

  160. 	random_stir();
    161. 

  161. 

  162.     return pool.pool[pool.poolpos++];
    163. 

  163. }
    164. 

  164. 

  165. void random_get_savedata(void **data, int *len) {
    166. 

  166.     random_stir();
    167. 

  167.     *data = pool.pool+pool.poolpos;
    168. 

  168.     *len = POOLSIZE/2;
    169. 

  169. }
    170. 

  170.