
Replace random_byte() with random_read().

This is in preparation for a PRNG revamp which will want to have a
well defined boundary for any given request-for-randomness, so that it
can destroy the evidence afterwards. So no more looping round calling
random_byte() and then stopping when we feel like it: now you say up
front how many random bytes you want, and call random_read() which
gives you that many in one go.

Most of the call sites that had to be fixed are fairly mechanical, and
quite a few ended up more concise afterwards. A few became more
cumbersome, such as mp_random_bits, in which the new API doesn't let
me load the random bytes directly into the target integer without
triggering undefined behaviour, so instead I have to allocate a
separate temporary buffer.

The _most_ interesting call site was in the PKCS#1 v1.5 padding code
in sshrsa.c (used in SSH-1), in which you need a stream of _nonzero_
random bytes. The previous code just looped on random_byte, retrying
if it got a zero. Now I'm doing a much more interesting thing with an
mpint, essentially scaling a binary fraction repeatedly to extract a
number in the range [0,255) and then adding 1 to it.
This commit is contained in:
Simon Tatham
2019-01-22 19:43:27 +00:00
parent 76aa3f6f7a
commit 628e794832
21 changed files with 108 additions and 101 deletions


@ -988,7 +988,7 @@ static bool openssh_pem_write(
*/
if (passphrase) {
unsigned char keybuf[32];
int origlen, outlen, pad, i;
int origlen, outlen, pad;
/*
* Padding on OpenSSH keys is deterministic. The number of
@ -1015,7 +1015,7 @@ static bool openssh_pem_write(
/*
* Invent an iv, and derive the encryption key.
*/
for (i = 0; i < 8; i++) iv[i] = random_byte();
random_read(iv, 8);
openssh_pem_derivekey(ptrlen_from_asciz(passphrase), iv, keybuf);
@ -1498,7 +1498,7 @@ static bool openssh_new_write(
const Filename *filename, ssh2_userkey *key, const char *passphrase)
{
strbuf *pubblob, *privblob, *cblob;
int padvalue, i;
int padvalue;
unsigned checkint;
bool ret = false;
unsigned char bcrypt_salt[16];
@ -1530,8 +1530,7 @@ static bool openssh_new_write(
} else {
strbuf *substr;
for (i = 0; i < (int)sizeof(bcrypt_salt); i++)
bcrypt_salt[i] = random_byte();
random_read(bcrypt_salt, sizeof(bcrypt_salt));
put_stringz(cblob, "aes256-ctr");
put_stringz(cblob, "bcrypt");
substr = strbuf_new();
@ -1551,9 +1550,9 @@ static bool openssh_new_write(
strbuf *cpblob = strbuf_new();
/* checkint. */
checkint = 0;
for (i = 0; i < 4; i++)
checkint = (checkint << 8) + random_byte();
uint8_t checkint_buf[4];
random_read(checkint_buf, 4);
checkint = GET_32BIT_MSB_FIRST(checkint_buf);
put_uint32(cpblob, checkint);
put_uint32(cpblob, checkint);
@ -2279,8 +2278,9 @@ static bool sshcom_write(
/* Pad encrypted blob to a multiple of cipher block size. */
if (passphrase) {
int padding = -(outblob->len - (lenpos+4)) & 7;
while (padding--)
put_byte(outblob, random_byte());
uint8_t padding_buf[8];
random_read(padding_buf, padding);
put_data(outblob, padding_buf, padding);
}
ciphertext = outblob->s + lenpos + 4;
cipherlen = outblob->len - (lenpos + 4);
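Review bot: In the sshcom_write hunk, `random_read(padding_buf, padding)` is now reached even when `padding` is 0, whereas the old `while (padding--)` loop simply ran zero times; random_read's definition is not part of this diff, so confirm it accepts a zero-length request, or guard the call with `if (padding)`. The fixed `uint8_t padding_buf[8]` is only in bounds because `padding` is derived with `& 7`, which is worth stating next to the declaration, e.g. `uint8_t padding_buf[8]; /* padding is (-len) & 7, so at most 7 bytes */`, so a later change to the block size does not silently overflow it. The same hard-coded length appears in the openssh_pem_write hunk as `random_read(iv, 8)`, while the bcrypt_salt hunk uses `sizeof(bcrypt_salt)`; if `iv` (declared outside the hunk) is sized exactly for the IV, `sizeof(iv)` would keep the request tied to the buffer, and if it is larger, a named constant shared with the code that later writes the IV would document the 8. sshcom_write begins and ends outside this hunk.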