Mercurial > dropbear
comparison random.c @ 285:1b9e69c058d2
propagate from branch 'au.asn.ucc.matt.ltc.dropbear' (head 20dccfc09627970a312d77fb41dc2970b62689c3)
to branch 'au.asn.ucc.matt.dropbear' (head fdf4a7a3b97ae5046139915de7e40399cceb2c01)
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Wed, 08 Mar 2006 13:23:58 +0000 |
parents | 3be7ae2e8dfa |
children | 79bf1023cf11 7dad470ad4aa |
comparison
equal
deleted
inserted
replaced
281:997e6f7dc01e | 285:1b9e69c058d2 |
---|---|
1 /* | |
2 * Dropbear - a SSH2 server | |
3 * | |
4 * Copyright (c) 2002,2003 Matt Johnston | |
5 * All rights reserved. | |
6 * | |
7 * Permission is hereby granted, free of charge, to any person obtaining a copy | |
8 * of this software and associated documentation files (the "Software"), to deal | |
9 * in the Software without restriction, including without limitation the rights | |
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
11 * copies of the Software, and to permit persons to whom the Software is | |
12 * furnished to do so, subject to the following conditions: | |
13 * | |
14 * The above copyright notice and this permission notice shall be included in | |
15 * all copies or substantial portions of the Software. | |
16 * | |
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | |
23 * SOFTWARE. */ | |
24 | |
25 #include "includes.h" | |
26 #include "buffer.h" | |
27 #include "dbutil.h" | |
28 #include "bignum.h" | |
29 | |
30 static int donerandinit = 0; | |
31 | |
32 /* this is used to generate unique output from the same hashpool */ | |
33 static uint32_t counter = 0; | |
34 #define MAX_COUNTER 1<<31 /* the max value for the counter, so it won't loop */ | |
35 | |
36 static unsigned char hashpool[SHA1_HASH_SIZE]; | |
37 | |
38 #define INIT_SEED_SIZE 32 /* 256 bits */ | |
39 | |
40 static void readrand(unsigned char* buf, unsigned int buflen); | |
41 | |
42 /* The basic setup is we read some data from /dev/(u)random or prngd and hash it | |
43 * into hashpool. To read data, we hash together current hashpool contents, | |
44 * and a counter. We feed more data in by hashing the current pool and new | |
45 * data into the pool. | |
46 * | |
47 * It is important to ensure that counter doesn't wrap around before we | |
48 * feed in new entropy. | |
49 * | |
50 */ | |
51 | |
52 static void readrand(unsigned char* buf, unsigned int buflen) { | |
53 | |
54 static int already_blocked = 0; | |
55 int readfd; | |
56 unsigned int readpos; | |
57 int readlen; | |
58 #ifdef DROPBEAR_PRNGD_SOCKET | |
59 struct sockaddr_un egdsock; | |
60 char egdcmd[2]; | |
61 #endif | |
62 | |
63 #ifdef DROPBEAR_RANDOM_DEV | |
64 readfd = open(DROPBEAR_RANDOM_DEV, O_RDONLY); | |
65 if (readfd < 0) { | |
66 dropbear_exit("couldn't open random device"); | |
67 } | |
68 #endif | |
69 | |
70 #ifdef DROPBEAR_PRNGD_SOCKET | |
71 memset((void*)&egdsock, 0x0, sizeof(egdsock)); | |
72 egdsock.sun_family = AF_UNIX; | |
73 strlcpy(egdsock.sun_path, DROPBEAR_PRNGD_SOCKET, | |
74 sizeof(egdsock.sun_path)); | |
75 | |
76 readfd = socket(PF_UNIX, SOCK_STREAM, 0); | |
77 if (readfd < 0) { | |
78 dropbear_exit("couldn't open random device"); | |
79 } | |
80 /* todo - try various common locations */ | |
81 if (connect(readfd, (struct sockaddr*)&egdsock, | |
82 sizeof(struct sockaddr_un)) < 0) { | |
83 dropbear_exit("couldn't open random device"); | |
84 } | |
85 | |
86 if (buflen > 255) | |
87 dropbear_exit("can't request more than 255 bytes from egd"); | |
88 egdcmd[0] = 0x02; /* blocking read */ | |
89 egdcmd[1] = (unsigned char)buflen; | |
90 if (write(readfd, egdcmd, 2) < 0) | |
91 dropbear_exit("can't send command to egd"); | |
92 #endif | |
93 | |
94 /* read the actual random data */ | |
95 readpos = 0; | |
96 do { | |
97 if (!already_blocked) | |
98 { | |
99 int ret; | |
100 struct timeval timeout; | |
101 fd_set read_fds; | |
102 | |
103 timeout.tv_sec = 2; /* two seconds should be enough */ | |
104 timeout.tv_usec = 0; | |
105 | |
106 FD_ZERO(&read_fds); | |
107 FD_SET(readfd, &read_fds); | |
108 ret = select(readfd + 1, &read_fds, NULL, NULL, &timeout); | |
109 if (ret == 0) | |
110 { | |
111 dropbear_log(LOG_INFO, "Warning: Reading the random source seems to have blocked.\nIf you experience problems, you probably need to find a better entropy source."); | |
112 already_blocked = 1; | |
113 } | |
114 } | |
115 readlen = read(readfd, &buf[readpos], buflen - readpos); | |
116 if (readlen <= 0) { | |
117 if (readlen < 0 && errno == EINTR) { | |
118 continue; | |
119 } | |
120 dropbear_exit("error reading random source"); | |
121 } | |
122 readpos += readlen; | |
123 } while (readpos < buflen); | |
124 | |
125 close (readfd); | |
126 } | |
127 | |
128 /* initialise the prng from /dev/(u)random or prngd */ | |
129 void seedrandom() { | |
130 | |
131 unsigned char readbuf[INIT_SEED_SIZE]; | |
132 | |
133 hash_state hs; | |
134 | |
135 /* initialise so that things won't warn about | |
136 * hashing an undefined buffer */ | |
137 if (!donerandinit) { | |
138 m_burn(hashpool, sizeof(hashpool)); | |
139 } | |
140 | |
141 /* get the seed data */ | |
142 readrand(readbuf, sizeof(readbuf)); | |
143 | |
144 /* hash in the new seed data */ | |
145 sha1_init(&hs); | |
146 sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); | |
147 sha1_process(&hs, (void*)readbuf, sizeof(readbuf)); | |
148 sha1_done(&hs, hashpool); | |
149 | |
150 counter = 0; | |
151 donerandinit = 1; | |
152 } | |
153 | |
154 /* hash the current random pool with some unique identifiers | |
155 * for this process and point-in-time. this is used to separate | |
156 * the random pools for fork()ed processes. */ | |
157 void reseedrandom() { | |
158 | |
159 pid_t pid; | |
160 struct timeval tv; | |
161 | |
162 if (!donerandinit) { | |
163 dropbear_exit("seedrandom not done"); | |
164 } | |
165 | |
166 pid = getpid(); | |
167 gettimeofday(&tv, NULL); | |
168 | |
169 hash_state hs; | |
170 unsigned char hash[SHA1_HASH_SIZE]; | |
171 sha1_init(&hs); | |
172 sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); | |
173 sha1_process(&hs, (void*)&pid, sizeof(pid)); | |
174 sha1_process(&hs, (void*)&tv, sizeof(tv)); | |
175 sha1_done(&hs, hashpool); | |
176 } | |
177 | |
178 /* return len bytes of pseudo-random data */ | |
179 void genrandom(unsigned char* buf, unsigned int len) { | |
180 | |
181 hash_state hs; | |
182 unsigned char hash[SHA1_HASH_SIZE]; | |
183 unsigned int copylen; | |
184 | |
185 if (!donerandinit) { | |
186 dropbear_exit("seedrandom not done"); | |
187 } | |
188 | |
189 while (len > 0) { | |
190 sha1_init(&hs); | |
191 sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); | |
192 sha1_process(&hs, (void*)&counter, sizeof(counter)); | |
193 sha1_done(&hs, hash); | |
194 | |
195 counter++; | |
196 if (counter > MAX_COUNTER) { | |
197 seedrandom(); | |
198 } | |
199 | |
200 copylen = MIN(len, SHA1_HASH_SIZE); | |
201 memcpy(buf, hash, copylen); | |
202 len -= copylen; | |
203 buf += copylen; | |
204 } | |
205 m_burn(hash, sizeof(hash)); | |
206 } | |
207 | |
208 /* Generates a random mp_int. | |
209 * max is a *mp_int specifying an upper bound. | |
210 * rand must be an initialised *mp_int for the result. | |
211 * the result rand satisfies: 0 < rand < max | |
212 * */ | |
213 void gen_random_mpint(mp_int *max, mp_int *rand) { | |
214 | |
215 unsigned char *randbuf = NULL; | |
216 unsigned int len = 0; | |
217 const char masks[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f}; | |
218 | |
219 const int size_bits = mp_count_bits(max); | |
220 | |
221 len = size_bits / 8; | |
222 if ((size_bits % 8) != 0) { | |
223 len += 1; | |
224 } | |
225 | |
226 randbuf = (unsigned char*)m_malloc(len); | |
227 do { | |
228 genrandom(randbuf, len); | |
229 /* Mask out the unrequired bits - mp_read_unsigned_bin expects | |
230 * MSB first.*/ | |
231 randbuf[0] &= masks[size_bits % 8]; | |
232 | |
233 bytes_to_mp(rand, randbuf, len); | |
234 | |
235 /* keep regenerating until we get one satisfying | |
236 * 0 < rand < max */ | |
237 } while ( ( (max != NULL) && (mp_cmp(rand, max) != MP_LT) ) | |
238 || (mp_cmp_d(rand, 0) != MP_GT) ); | |
239 m_burn(randbuf, len); | |
240 m_free(randbuf); | |
241 } |