mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-10 09:58:01 +00:00
320bf8479f
This tears out the entire previous random-pool system in sshrand.c. In its place is a system pretty close to Ferguson and Schneier's 'Fortuna' generator, with the main difference being that I use SHA-256 instead of AES for the generation side of the system (rationale given in comment). The PRNG implementation lives in sshprng.c, and defines a self- contained data type with no state stored outside the object, so you can instantiate however many of them you like. The old sshrand.c still exists, but in place of the previous random pool system, it's just become a client of sshprng.c, whose job is to hold a single global instance of the PRNG type, and manage its reference count, save file, noise-collection timers and similar administrative business. Advantages of this change include: - Fortuna is designed with a more varied threat model in mind than my old home-grown random pool. For example, after any request for random numbers, it automatically re-seeds itself, so that if the state of the PRNG should be leaked, it won't give enough information to find out what past outputs _were_. - The PRNG type can be instantiated with any hash function; the instance used by the main tools is based on SHA-256, an improvement on the old pool's use of SHA-1. - The new PRNG only uses the completely standard interface to the hash function API, instead of having to have privileged access to the internal SHA-1 block transform function. This will make it easier to revamp the hash code in general, and also it means that hardware-accelerated versions of SHA-256 will automatically be used for the PRNG as well as for everything else. - The new PRNG can be _tested_! Because it has an actual (if not quite explicit) specification for exactly what the output numbers _ought_ to be derived from the hashes of, I can (and have) put tests in cryptsuite that ensure the output really is being derived in the way I think it is. The old pool could have been returning any old nonsense and it would have been very hard to tell for sure.
155 lines
4.2 KiB
C
155 lines
4.2 KiB
C
/*
|
|
* Noise generation for PuTTY's cryptographic random number
|
|
* generator.
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
|
|
#include "putty.h"
|
|
#include "ssh.h"
|
|
#include "storage.h"
|
|
|
|
#include <wincrypt.h>
|
|
|
|
DECL_WINDOWS_FUNCTION(static, BOOL, CryptAcquireContextA,
|
|
(HCRYPTPROV *, LPCTSTR, LPCTSTR, DWORD, DWORD));
|
|
DECL_WINDOWS_FUNCTION(static, BOOL, CryptGenRandom,
|
|
(HCRYPTPROV, DWORD, BYTE *));
|
|
DECL_WINDOWS_FUNCTION(static, BOOL, CryptReleaseContext,
|
|
(HCRYPTPROV, DWORD));
|
|
static HMODULE wincrypt_module = NULL;
|
|
|
|
bool win_read_random(void *buf, unsigned wanted)
|
|
{
|
|
bool toret = false;
|
|
HCRYPTPROV crypt_provider;
|
|
|
|
if (!wincrypt_module) {
|
|
wincrypt_module = load_system32_dll("advapi32.dll");
|
|
GET_WINDOWS_FUNCTION(wincrypt_module, CryptAcquireContextA);
|
|
GET_WINDOWS_FUNCTION(wincrypt_module, CryptGenRandom);
|
|
GET_WINDOWS_FUNCTION(wincrypt_module, CryptReleaseContext);
|
|
}
|
|
|
|
if (wincrypt_module && p_CryptAcquireContextA &&
|
|
p_CryptGenRandom && p_CryptReleaseContext &&
|
|
p_CryptAcquireContextA(&crypt_provider, NULL, NULL, PROV_RSA_FULL,
|
|
CRYPT_VERIFYCONTEXT)) {
|
|
toret = p_CryptGenRandom(crypt_provider, wanted, buf);
|
|
p_CryptReleaseContext(crypt_provider, 0);
|
|
}
|
|
|
|
return toret;
|
|
}
|
|
|
|
/*
|
|
* This function is called once, at PuTTY startup.
|
|
*/
|
|
|
|
void noise_get_heavy(void (*func) (void *, int))
|
|
{
|
|
HANDLE srch;
|
|
WIN32_FIND_DATA finddata;
|
|
DWORD pid;
|
|
char winpath[MAX_PATH + 3];
|
|
BYTE buf[32];
|
|
|
|
GetWindowsDirectory(winpath, sizeof(winpath));
|
|
strcat(winpath, "\\*");
|
|
srch = FindFirstFile(winpath, &finddata);
|
|
if (srch != INVALID_HANDLE_VALUE) {
|
|
do {
|
|
func(&finddata, sizeof(finddata));
|
|
} while (FindNextFile(srch, &finddata));
|
|
FindClose(srch);
|
|
}
|
|
|
|
pid = GetCurrentProcessId();
|
|
func(&pid, sizeof(pid));
|
|
|
|
if (win_read_random(buf, sizeof(buf))) {
|
|
func(buf, sizeof(buf));
|
|
smemclr(buf, sizeof(buf));
|
|
}
|
|
|
|
read_random_seed(func);
|
|
}
|
|
|
|
void random_save_seed(void)
|
|
{
|
|
int len;
|
|
void *data;
|
|
|
|
if (random_active) {
|
|
random_get_savedata(&data, &len);
|
|
write_random_seed(data, len);
|
|
sfree(data);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* This function is called on a timer, and it will monitor
|
|
* frequently changing quantities such as the state of physical and
|
|
* virtual memory, the state of the process's message queue, which
|
|
* window is in the foreground, which owns the clipboard, etc.
|
|
*/
|
|
void noise_regular(void)
|
|
{
|
|
HWND w;
|
|
DWORD z;
|
|
POINT pt;
|
|
MEMORYSTATUS memstat;
|
|
FILETIME times[4];
|
|
|
|
w = GetForegroundWindow();
|
|
random_add_noise(NOISE_SOURCE_FGWINDOW, &w, sizeof(w));
|
|
w = GetCapture();
|
|
random_add_noise(NOISE_SOURCE_CAPTURE, &w, sizeof(w));
|
|
w = GetClipboardOwner();
|
|
random_add_noise(NOISE_SOURCE_CLIPBOARD, &w, sizeof(w));
|
|
z = GetQueueStatus(QS_ALLEVENTS);
|
|
random_add_noise(NOISE_SOURCE_QUEUE, &z, sizeof(z));
|
|
|
|
GetCursorPos(&pt);
|
|
random_add_noise(NOISE_SOURCE_CURSORPOS, &pt, sizeof(pt));
|
|
|
|
GlobalMemoryStatus(&memstat);
|
|
random_add_noise(NOISE_SOURCE_MEMINFO, &memstat, sizeof(memstat));
|
|
|
|
GetThreadTimes(GetCurrentThread(), times, times + 1, times + 2,
|
|
times + 3);
|
|
random_add_noise(NOISE_SOURCE_THREADTIME, ×, sizeof(times));
|
|
GetProcessTimes(GetCurrentProcess(), times, times + 1, times + 2,
|
|
times + 3);
|
|
random_add_noise(NOISE_SOURCE_PROCTIME, ×, sizeof(times));
|
|
}
|
|
|
|
/*
|
|
* This function is called on every keypress or mouse move, and
|
|
* will add the current Windows time and performance monitor
|
|
* counter to the noise pool. It gets the scan code or mouse
|
|
* position passed in.
|
|
*/
|
|
void noise_ultralight(NoiseSourceId id, unsigned long data)
|
|
{
|
|
DWORD wintime;
|
|
LARGE_INTEGER perftime;
|
|
|
|
random_add_noise(id, &data, sizeof(DWORD));
|
|
|
|
wintime = GetTickCount();
|
|
random_add_noise(NOISE_SOURCE_TIME, &wintime, sizeof(DWORD));
|
|
|
|
if (QueryPerformanceCounter(&perftime))
|
|
random_add_noise(NOISE_SOURCE_PERFCOUNT, &perftime, sizeof(perftime));
|
|
}
|
|
|
|
uint64_t prng_reseed_time_ms(void)
|
|
{
|
|
FILETIME ft;
|
|
GetSystemTimeAsFileTime(&ft);
|
|
uint64_t value = ft.dwHighDateTime;
|
|
value = (value << 32) + ft.dwLowDateTime;
|
|
return value / 10000; /* 1 millisecond / 100ns */
|
|
}
|