1999-01-08 13:02:13 +00:00
|
|
|
/*
|
|
|
|
|
* cryptographic random number generator for PuTTY's ssh client
|
|
|
|
|
*/
|
|
|
|
|
|
2003-01-05 23:30:48 +00:00
|
|
|
#include "putty.h"
|
1999-01-08 13:02:13 +00:00
|
|
|
#include "ssh.h"
|
2010-01-17 16:20:45 +00:00
|
|
|
#include <assert.h>
|
1999-01-08 13:02:13 +00:00
|
|
|
|
2004-11-27 19:56:38 +00:00
|
|
|
/* Collect environmental noise every 5 minutes */
|
|
|
|
|
#define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)
|
|
|
|
|
|
1999-01-08 13:02:13 +00:00
|
|
|
/*
|
|
|
|
|
* `pool' itself is a pool of random data which we actually use: we
|
|
|
|
|
* return bytes from `pool', at position `poolpos', until `poolpos'
|
|
|
|
|
* reaches the end of the pool. At this point we generate more
|
|
|
|
|
* random data, by adding noise, stirring well, and resetting
|
|
|
|
|
* `poolpos' to point to just past the beginning of the pool (not
|
|
|
|
|
* _the_ beginning, since otherwise we'd give away the whole
|
|
|
|
|
* contents of our pool, and attackers would just have to guess the
|
|
|
|
|
* next lot of noise).
|
|
|
|
|
*
|
|
|
|
|
* `incomingb' buffers acquired noise data, until it gets full, at
|
|
|
|
|
* which point the acquired noise is SHA'ed into `incoming' and
|
|
|
|
|
* `incomingb' is cleared. The noise in `incoming' is used as part
|
|
|
|
|
* of the noise for each stirring of the pool, in addition to local
|
|
|
|
|
* time, process listings, and other such stuff.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#define HASHINPUT 64 /* 64 bytes SHA input */
|
|
|
|
|
#define HASHSIZE 20 /* 160 bits SHA output */
|
|
|
|
|
#define POOLSIZE 1200 /* size of random pool */
|
|
|
|
|
|
|
|
|
|
struct RandPool {
|
|
|
|
|
unsigned char pool[POOLSIZE];
|
|
|
|
|
int poolpos;
|
|
|
|
|
|
|
|
|
|
unsigned char incoming[HASHSIZE];
|
|
|
|
|
|
|
|
|
|
unsigned char incomingb[HASHINPUT];
|
|
|
|
|
int incomingpos;
|
2005-01-22 14:51:29 +00:00
|
|
|
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool stir_pending;
|
1999-01-08 13:02:13 +00:00
|
|
|
};
|
|
|
|
|
|
2002-03-06 20:13:22 +00:00
|
|
|
int random_active = 0;
|
2015-10-17 15:26:51 +00:00
|
|
|
|
|
|
|
|
#ifdef FUZZING
|
|
|
|
|
/*
|
|
|
|
|
* Special dummy version of the RNG for use when fuzzing.
|
|
|
|
|
*/
|
|
|
|
|
void random_add_noise(void *noise, int length) { }
|
|
|
|
|
void random_add_heavynoise(void *noise, int length) { }
|
|
|
|
|
void random_ref(void) { }
|
|
|
|
|
void random_unref(void) { }
|
Replace random_byte() with random_read().
This is in preparation for a PRNG revamp which will want to have a
well defined boundary for any given request-for-randomness, so that it
can destroy the evidence afterwards. So no more looping round calling
random_byte() and then stopping when we feel like it: now you say up
front how many random bytes you want, and call random_read() which
gives you that many in one go.
Most of the call sites that had to be fixed are fairly mechanical, and
quite a few ended up more concise afterwards. A few became more
cumbersome, such as mp_random_bits, in which the new API doesn't let
me load the random bytes directly into the target integer without
triggering undefined behaviour, so instead I have to allocate a
separate temporary buffer.
The _most_ interesting call site was in the PKCS#1 v1.5 padding code
in sshrsa.c (used in SSH-1), in which you need a stream of _nonzero_
random bytes. The previous code just looped on random_byte, retrying
if it got a zero. Now I'm doing a much more interesting thing with an
mpint, essentially scaling a binary fraction repeatedly to extract a
number in the range [0,255) and then adding 1 to it.
2019-01-22 19:43:27 +00:00
|
|
|
void random_read(void *out, size_t size)
|
2015-10-17 15:26:51 +00:00
|
|
|
{
|
|
|
|
|
return 0x45; /* Chosen by eight fair coin tosses */
|
Replace random_byte() with random_read().
This is in preparation for a PRNG revamp which will want to have a
well defined boundary for any given request-for-randomness, so that it
can destroy the evidence afterwards. So no more looping round calling
random_byte() and then stopping when we feel like it: now you say up
front how many random bytes you want, and call random_read() which
gives you that many in one go.
Most of the call sites that had to be fixed are fairly mechanical, and
quite a few ended up more concise afterwards. A few became more
cumbersome, such as mp_random_bits, in which the new API doesn't let
me load the random bytes directly into the target integer without
triggering undefined behaviour, so instead I have to allocate a
separate temporary buffer.
The _most_ interesting call site was in the PKCS#1 v1.5 padding code
in sshrsa.c (used in SSH-1), in which you need a stream of _nonzero_
random bytes. The previous code just looped on random_byte, retrying
if it got a zero. Now I'm doing a much more interesting thing with an
mpint, essentially scaling a binary fraction repeatedly to extract a
number in the range [0,255) and then adding 1 to it.
2019-01-22 19:43:27 +00:00
|
|
|
memset(out, 0x45, size); /* Chosen by eight fair coin tosses */
|
2015-10-17 15:26:51 +00:00
|
|
|
}
|
|
|
|
|
void random_get_savedata(void **data, int *len) { }
|
|
|
|
|
#else /* !FUZZING */
|
|
|
|
|
static struct RandPool pool;
|
2004-11-27 19:56:38 +00:00
|
|
|
long next_noise_collection;
|
1999-01-08 13:02:13 +00:00
|
|
|
|
2013-07-19 17:44:58 +00:00
|
|
|
#ifdef RANDOM_DIAGNOSTICS
|
|
|
|
|
int random_diagnostics = 0;
|
|
|
|
|
#endif
|
|
|
|
|
|
2003-01-05 23:30:48 +00:00
|
|
|
static void random_stir(void)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2018-10-26 22:08:58 +00:00
|
|
|
uint32_t block[HASHINPUT / sizeof(uint32_t)];
|
|
|
|
|
uint32_t digest[HASHSIZE / sizeof(uint32_t)];
|
1999-01-08 13:02:13 +00:00
|
|
|
int i, j, k;
|
|
|
|
|
|
2005-01-22 14:51:29 +00:00
|
|
|
/*
|
|
|
|
|
* noise_get_light will call random_add_noise, which may call
|
|
|
|
|
* back to here. Prevent recursive stirs.
|
|
|
|
|
*/
|
|
|
|
|
if (pool.stir_pending)
|
|
|
|
|
return;
|
2018-10-29 19:50:29 +00:00
|
|
|
pool.stir_pending = true;
|
2005-01-22 14:51:29 +00:00
|
|
|
|
1999-01-08 13:02:13 +00:00
|
|
|
noise_get_light(random_add_noise);
|
|
|
|
|
|
2013-07-19 17:44:58 +00:00
|
|
|
#ifdef RANDOM_DIAGNOSTICS
|
|
|
|
|
{
|
|
|
|
|
int p, q;
|
|
|
|
|
printf("random stir starting\npool:\n");
|
|
|
|
|
for (p = 0; p < POOLSIZE; p += HASHSIZE) {
|
|
|
|
|
printf(" ");
|
|
|
|
|
for (q = 0; q < HASHSIZE; q += 4) {
|
2018-10-26 22:08:58 +00:00
|
|
|
printf(" %08x", *(uint32_t *)(pool.pool + p + q));
|
2013-07-19 17:44:58 +00:00
|
|
|
}
|
|
|
|
|
printf("\n");
|
|
|
|
|
}
|
|
|
|
|
printf("incoming:\n ");
|
|
|
|
|
for (q = 0; q < HASHSIZE; q += 4) {
|
2018-10-26 22:08:58 +00:00
|
|
|
printf(" %08x", *(uint32_t *)(pool.incoming + q));
|
2013-07-19 17:44:58 +00:00
|
|
|
}
|
|
|
|
|
printf("\nincomingb:\n ");
|
|
|
|
|
for (q = 0; q < HASHINPUT; q += 4) {
|
2018-10-26 22:08:58 +00:00
|
|
|
printf(" %08x", *(uint32_t *)(pool.incomingb + q));
|
2013-07-19 17:44:58 +00:00
|
|
|
}
|
|
|
|
|
printf("\n");
|
|
|
|
|
random_diagnostics++;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2018-10-26 22:08:58 +00:00
|
|
|
SHATransform((uint32_t *) pool.incoming, (uint32_t *) pool.incomingb);
|
1999-01-08 13:02:13 +00:00
|
|
|
pool.incomingpos = 0;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Chunks of this code are blatantly endianness-dependent, but
|
|
|
|
|
* as it's all random bits anyway, WHO CARES?
|
|
|
|
|
*/
|
|
|
|
|
memcpy(digest, pool.incoming, sizeof(digest));
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Make two passes over the pool.
|
|
|
|
|
*/
|
|
|
|
|
for (i = 0; i < 2; i++) {
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We operate SHA in CFB mode, repeatedly adding the same
|
|
|
|
|
* block of data to the digest. But we're also fiddling
|
|
|
|
|
* with the digest-so-far, so this shouldn't be Bad or
|
|
|
|
|
* anything.
|
|
|
|
|
*/
|
|
|
|
|
memcpy(block, pool.pool, sizeof(block));
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Each pass processes the pool backwards in blocks of
|
|
|
|
|
* HASHSIZE, just so that in general we get the output of
|
|
|
|
|
* SHA before the corresponding input, in the hope that
|
|
|
|
|
* things will be that much less predictable that way
|
|
|
|
|
* round, when we subsequently return bytes ...
|
|
|
|
|
*/
|
2001-05-06 14:35:20 +00:00
|
|
|
for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {
|
1999-01-08 13:02:13 +00:00
|
|
|
/*
|
|
|
|
|
* XOR the bit of the pool we're processing into the
|
|
|
|
|
* digest.
|
|
|
|
|
*/
|
|
|
|
|
|
2019-01-04 07:13:08 +00:00
|
|
|
for (k = 0; k < lenof(digest); k++)
|
2018-10-26 22:08:58 +00:00
|
|
|
digest[k] ^= ((uint32_t *) (pool.pool + j))[k];
|
1999-01-08 13:02:13 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Munge our unrevealed first block of the pool into
|
|
|
|
|
* it.
|
|
|
|
|
*/
|
|
|
|
|
SHATransform(digest, block);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Stick the result back into the pool.
|
|
|
|
|
*/
|
|
|
|
|
|
2019-01-04 07:13:08 +00:00
|
|
|
for (k = 0; k < lenof(digest); k++)
|
2018-10-26 22:08:58 +00:00
|
|
|
((uint32_t *) (pool.pool + j))[k] = digest[k];
|
1999-01-08 13:02:13 +00:00
|
|
|
}
|
2013-07-19 17:44:58 +00:00
|
|
|
|
|
|
|
|
#ifdef RANDOM_DIAGNOSTICS
|
|
|
|
|
if (i == 0) {
|
|
|
|
|
int p, q;
|
|
|
|
|
printf("random stir midpoint\npool:\n");
|
|
|
|
|
for (p = 0; p < POOLSIZE; p += HASHSIZE) {
|
|
|
|
|
printf(" ");
|
|
|
|
|
for (q = 0; q < HASHSIZE; q += 4) {
|
2018-10-26 22:08:58 +00:00
|
|
|
printf(" %08x", *(uint32_t *)(pool.pool + p + q));
|
2013-07-19 17:44:58 +00:00
|
|
|
}
|
|
|
|
|
printf("\n");
|
|
|
|
|
}
|
|
|
|
|
printf("incoming:\n ");
|
|
|
|
|
for (q = 0; q < HASHSIZE; q += 4) {
|
2018-10-26 22:08:58 +00:00
|
|
|
printf(" %08x", *(uint32_t *)(pool.incoming + q));
|
2013-07-19 17:44:58 +00:00
|
|
|
}
|
|
|
|
|
printf("\nincomingb:\n ");
|
|
|
|
|
for (q = 0; q < HASHINPUT; q += 4) {
|
2018-10-26 22:08:58 +00:00
|
|
|
printf(" %08x", *(uint32_t *)(pool.incomingb + q));
|
2013-07-19 17:44:58 +00:00
|
|
|
}
|
|
|
|
|
printf("\n");
|
|
|
|
|
}
|
|
|
|
|
#endif
|
1999-01-08 13:02:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Might as well save this value back into `incoming', just so
|
|
|
|
|
* there'll be some extra bizarreness there.
|
|
|
|
|
*/
|
|
|
|
|
SHATransform(digest, block);
|
1999-08-02 08:35:11 +00:00
|
|
|
memcpy(pool.incoming, digest, sizeof(digest));
|
1999-01-08 13:02:13 +00:00
|
|
|
|
|
|
|
|
pool.poolpos = sizeof(pool.incoming);
|
2005-01-22 14:51:29 +00:00
|
|
|
|
2018-10-29 19:50:29 +00:00
|
|
|
pool.stir_pending = false;
|
2013-07-19 17:44:58 +00:00
|
|
|
|
|
|
|
|
#ifdef RANDOM_DIAGNOSTICS
|
|
|
|
|
{
|
|
|
|
|
int p, q;
|
|
|
|
|
printf("random stir done\npool:\n");
|
|
|
|
|
for (p = 0; p < POOLSIZE; p += HASHSIZE) {
|
|
|
|
|
printf(" ");
|
|
|
|
|
for (q = 0; q < HASHSIZE; q += 4) {
|
2018-10-26 22:08:58 +00:00
|
|
|
printf(" %08x", *(uint32_t *)(pool.pool + p + q));
|
2013-07-19 17:44:58 +00:00
|
|
|
}
|
|
|
|
|
printf("\n");
|
|
|
|
|
}
|
|
|
|
|
printf("incoming:\n ");
|
|
|
|
|
for (q = 0; q < HASHSIZE; q += 4) {
|
2018-10-26 22:08:58 +00:00
|
|
|
printf(" %08x", *(uint32_t *)(pool.incoming + q));
|
2013-07-19 17:44:58 +00:00
|
|
|
}
|
|
|
|
|
printf("\nincomingb:\n ");
|
|
|
|
|
for (q = 0; q < HASHINPUT; q += 4) {
|
2018-10-26 22:08:58 +00:00
|
|
|
printf(" %08x", *(uint32_t *)(pool.incomingb + q));
|
2013-07-19 17:44:58 +00:00
|
|
|
}
|
|
|
|
|
printf("\n");
|
|
|
|
|
random_diagnostics--;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
1999-01-08 13:02:13 +00:00
|
|
|
}
|
|
|
|
|
|
2001-05-06 14:35:20 +00:00
|
|
|
void random_add_noise(void *noise, int length)
|
|
|
|
|
{
|
1999-01-08 13:02:13 +00:00
|
|
|
unsigned char *p = noise;
|
2000-10-19 15:43:08 +00:00
|
|
|
int i;
|
1999-01-08 13:02:13 +00:00
|
|
|
|
2000-10-23 15:20:05 +00:00
|
|
|
if (!random_active)
|
2001-05-06 14:35:20 +00:00
|
|
|
return;
|
2000-10-23 15:20:05 +00:00
|
|
|
|
2000-10-19 15:43:08 +00:00
|
|
|
/*
|
|
|
|
|
* This function processes HASHINPUT bytes into only HASHSIZE
|
|
|
|
|
* bytes, so _if_ we were getting incredibly high entropy
|
|
|
|
|
* sources then we would be throwing away valuable stuff.
|
|
|
|
|
*/
|
|
|
|
|
while (length >= (HASHINPUT - pool.incomingpos)) {
|
|
|
|
|
memcpy(pool.incomingb + pool.incomingpos, p,
|
|
|
|
|
HASHINPUT - pool.incomingpos);
|
|
|
|
|
p += HASHINPUT - pool.incomingpos;
|
|
|
|
|
length -= HASHINPUT - pool.incomingpos;
|
2018-10-26 22:08:58 +00:00
|
|
|
SHATransform((uint32_t *) pool.incoming, (uint32_t *) pool.incomingb);
|
2001-05-06 14:35:20 +00:00
|
|
|
for (i = 0; i < HASHSIZE; i++) {
|
2016-12-28 14:41:40 +00:00
|
|
|
pool.pool[pool.poolpos++] ^= pool.incoming[i];
|
2001-05-06 14:35:20 +00:00
|
|
|
if (pool.poolpos >= POOLSIZE)
|
|
|
|
|
pool.poolpos = 0;
|
|
|
|
|
}
|
|
|
|
|
if (pool.poolpos < HASHSIZE)
|
|
|
|
|
random_stir();
|
2000-10-19 15:43:08 +00:00
|
|
|
|
|
|
|
|
pool.incomingpos = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
memcpy(pool.incomingb + pool.incomingpos, p, length);
|
|
|
|
|
pool.incomingpos += length;
|
|
|
|
|
}
|
|
|
|
|
|
2001-05-06 14:35:20 +00:00
|
|
|
void random_add_heavynoise(void *noise, int length)
|
|
|
|
|
{
|
2000-10-19 15:43:08 +00:00
|
|
|
unsigned char *p = noise;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
while (length >= POOLSIZE) {
|
2001-05-06 14:35:20 +00:00
|
|
|
for (i = 0; i < POOLSIZE; i++)
|
|
|
|
|
pool.pool[i] ^= *p++;
|
2000-10-19 15:43:08 +00:00
|
|
|
random_stir();
|
|
|
|
|
length -= POOLSIZE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < length; i++)
|
2001-05-06 14:35:20 +00:00
|
|
|
pool.pool[i] ^= *p++;
|
2000-10-19 15:43:08 +00:00
|
|
|
random_stir();
|
|
|
|
|
}
|
|
|
|
|
|
2001-05-06 14:35:20 +00:00
|
|
|
static void random_add_heavynoise_bitbybit(void *noise, int length)
|
|
|
|
|
{
|
2000-10-19 15:43:08 +00:00
|
|
|
unsigned char *p = noise;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
while (length >= POOLSIZE - pool.poolpos) {
|
2001-05-06 14:35:20 +00:00
|
|
|
for (i = 0; i < POOLSIZE - pool.poolpos; i++)
|
|
|
|
|
pool.pool[pool.poolpos + i] ^= *p++;
|
1999-01-08 13:02:13 +00:00
|
|
|
random_stir();
|
2000-10-19 15:43:08 +00:00
|
|
|
length -= POOLSIZE - pool.poolpos;
|
2001-05-06 14:35:20 +00:00
|
|
|
pool.poolpos = 0;
|
1999-01-08 13:02:13 +00:00
|
|
|
}
|
|
|
|
|
|
2000-10-19 15:43:08 +00:00
|
|
|
for (i = 0; i < length; i++)
|
2001-05-06 14:35:20 +00:00
|
|
|
pool.pool[i] ^= *p++;
|
2000-10-19 15:43:08 +00:00
|
|
|
pool.poolpos = i;
|
1999-01-08 13:02:13 +00:00
|
|
|
}
|
|
|
|
|
|
2012-09-18 21:42:48 +00:00
|
|
|
static void random_timer(void *ctx, unsigned long now)
|
2004-11-27 19:56:38 +00:00
|
|
|
{
|
2012-09-18 21:42:48 +00:00
|
|
|
if (random_active > 0 && now == next_noise_collection) {
|
2004-11-27 19:56:38 +00:00
|
|
|
noise_regular();
|
|
|
|
|
next_noise_collection =
|
|
|
|
|
schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void random_ref(void)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2004-11-24 19:53:31 +00:00
|
|
|
if (!random_active) {
|
|
|
|
|
memset(&pool, 0, sizeof(pool)); /* just to start with */
|
1999-01-08 13:02:13 +00:00
|
|
|
|
2004-11-24 19:53:31 +00:00
|
|
|
noise_get_heavy(random_add_heavynoise_bitbybit);
|
|
|
|
|
random_stir();
|
2004-11-27 19:56:38 +00:00
|
|
|
|
|
|
|
|
next_noise_collection =
|
|
|
|
|
schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);
|
2004-11-24 19:53:31 +00:00
|
|
|
}
|
2013-10-09 18:38:35 +00:00
|
|
|
random_active++;
|
2004-11-27 19:56:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void random_unref(void)
|
|
|
|
|
{
|
2013-07-19 17:44:42 +00:00
|
|
|
assert(random_active > 0);
|
|
|
|
|
if (random_active == 1) {
|
|
|
|
|
random_save_seed();
|
|
|
|
|
expire_timer_context(&pool);
|
|
|
|
|
}
|
2004-11-27 19:56:38 +00:00
|
|
|
random_active--;
|
1999-01-08 13:02:13 +00:00
|
|
|
}
|
|
|
|
|
|
Replace random_byte() with random_read().
This is in preparation for a PRNG revamp which will want to have a
well defined boundary for any given request-for-randomness, so that it
can destroy the evidence afterwards. So no more looping round calling
random_byte() and then stopping when we feel like it: now you say up
front how many random bytes you want, and call random_read() which
gives you that many in one go.
Most of the call sites that had to be fixed are fairly mechanical, and
quite a few ended up more concise afterwards. A few became more
cumbersome, such as mp_random_bits, in which the new API doesn't let
me load the random bytes directly into the target integer without
triggering undefined behaviour, so instead I have to allocate a
separate temporary buffer.
The _most_ interesting call site was in the PKCS#1 v1.5 padding code
in sshrsa.c (used in SSH-1), in which you need a stream of _nonzero_
random bytes. The previous code just looped on random_byte, retrying
if it got a zero. Now I'm doing a much more interesting thing with an
mpint, essentially scaling a binary fraction repeatedly to extract a
number in the range [0,255) and then adding 1 to it.
2019-01-22 19:43:27 +00:00
|
|
|
void random_read(void *vout, size_t size)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2013-07-19 17:44:20 +00:00
|
|
|
assert(random_active);
|
|
|
|
|
|
Replace random_byte() with random_read().
This is in preparation for a PRNG revamp which will want to have a
well defined boundary for any given request-for-randomness, so that it
can destroy the evidence afterwards. So no more looping round calling
random_byte() and then stopping when we feel like it: now you say up
front how many random bytes you want, and call random_read() which
gives you that many in one go.
Most of the call sites that had to be fixed are fairly mechanical, and
quite a few ended up more concise afterwards. A few became more
cumbersome, such as mp_random_bits, in which the new API doesn't let
me load the random bytes directly into the target integer without
triggering undefined behaviour, so instead I have to allocate a
separate temporary buffer.
The _most_ interesting call site was in the PKCS#1 v1.5 padding code
in sshrsa.c (used in SSH-1), in which you need a stream of _nonzero_
random bytes. The previous code just looped on random_byte, retrying
if it got a zero. Now I'm doing a much more interesting thing with an
mpint, essentially scaling a binary fraction repeatedly to extract a
number in the range [0,255) and then adding 1 to it.
2019-01-22 19:43:27 +00:00
|
|
|
uint8_t *out = (uint8_t *)vout;
|
|
|
|
|
while (size-- > 0) {
|
|
|
|
|
if (pool.poolpos >= POOLSIZE)
|
|
|
|
|
random_stir();
|
1999-01-08 13:02:13 +00:00
|
|
|
|
Replace random_byte() with random_read().
This is in preparation for a PRNG revamp which will want to have a
well defined boundary for any given request-for-randomness, so that it
can destroy the evidence afterwards. So no more looping round calling
random_byte() and then stopping when we feel like it: now you say up
front how many random bytes you want, and call random_read() which
gives you that many in one go.
Most of the call sites that had to be fixed are fairly mechanical, and
quite a few ended up more concise afterwards. A few became more
cumbersome, such as mp_random_bits, in which the new API doesn't let
me load the random bytes directly into the target integer without
triggering undefined behaviour, so instead I have to allocate a
separate temporary buffer.
The _most_ interesting call site was in the PKCS#1 v1.5 padding code
in sshrsa.c (used in SSH-1), in which you need a stream of _nonzero_
random bytes. The previous code just looped on random_byte, retrying
if it got a zero. Now I'm doing a much more interesting thing with an
mpint, essentially scaling a binary fraction repeatedly to extract a
number in the range [0,255) and then adding 1 to it.
2019-01-22 19:43:27 +00:00
|
|
|
*out++ = pool.pool[pool.poolpos++];
|
|
|
|
|
}
|
1999-01-08 13:02:13 +00:00
|
|
|
}
|
|
|
|
|
|
2001-05-06 14:35:20 +00:00
|
|
|
void random_get_savedata(void **data, int *len)
|
|
|
|
|
{
|
2003-03-29 16:14:26 +00:00
|
|
|
void *buf = snewn(POOLSIZE / 2, char);
|
1999-01-08 13:02:13 +00:00
|
|
|
random_stir();
|
2002-11-07 20:01:04 +00:00
|
|
|
memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);
|
2001-05-06 14:35:20 +00:00
|
|
|
*len = POOLSIZE / 2;
|
2002-11-07 20:01:04 +00:00
|
|
|
*data = buf;
|
|
|
|
|
random_stir();
|
1999-01-08 13:02:13 +00:00
|
|
|
}
|
2015-10-17 15:26:51 +00:00
|
|
|
#endif
|