Mercurial > dropbear

comparison random.c @ 285:1b9e69c058d2

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
propagate from branch 'au.asn.ucc.matt.ltc.dropbear' (head 20dccfc09627970a312d77fb41dc2970b62689c3) to branch 'au.asn.ucc.matt.dropbear' (head fdf4a7a3b97ae5046139915de7e40399cceb2c01)
author Matt Johnston <matt@ucc.asn.au>
date Wed, 08 Mar 2006 13:23:58 +0000
parents 3be7ae2e8dfa
children 79bf1023cf11 7dad470ad4aa
comparison
equal deleted inserted replaced
281:997e6f7dc01e 285:1b9e69c058d2
1 /*
2 * Dropbear - a SSH2 server
3 *
4 * Copyright (c) 2002,2003 Matt Johnston
5 * All rights reserved.
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 * SOFTWARE. */
24
25 #include "includes.h"
26 #include "buffer.h"
27 #include "dbutil.h"
28 #include "bignum.h"
29
30 static int donerandinit = 0;
31
32 /* this is used to generate unique output from the same hashpool */
33 static uint32_t counter = 0;
34 #define MAX_COUNTER 1<<31 /* the max value for the counter, so it won't loop */
35
36 static unsigned char hashpool[SHA1_HASH_SIZE];
37
38 #define INIT_SEED_SIZE 32 /* 256 bits */
39
40 static void readrand(unsigned char* buf, unsigned int buflen);
41
42 /* The basic setup is we read some data from /dev/(u)random or prngd and hash it
43 * into hashpool. To read data, we hash together current hashpool contents,
44 * and a counter. We feed more data in by hashing the current pool and new
45 * data into the pool.
46 *
47 * It is important to ensure that counter doesn't wrap around before we
48 * feed in new entropy.
49 *
50 */
51
52 static void readrand(unsigned char* buf, unsigned int buflen) {
53
54 static int already_blocked = 0;
55 int readfd;
56 unsigned int readpos;
57 int readlen;
58 #ifdef DROPBEAR_PRNGD_SOCKET
59 struct sockaddr_un egdsock;
60 char egdcmd[2];
61 #endif
62
63 #ifdef DROPBEAR_RANDOM_DEV
64 readfd = open(DROPBEAR_RANDOM_DEV, O_RDONLY);
65 if (readfd < 0) {
66 dropbear_exit("couldn't open random device");
67 }
68 #endif
69
70 #ifdef DROPBEAR_PRNGD_SOCKET
71 memset((void*)&egdsock, 0x0, sizeof(egdsock));
72 egdsock.sun_family = AF_UNIX;
73 strlcpy(egdsock.sun_path, DROPBEAR_PRNGD_SOCKET,
74 sizeof(egdsock.sun_path));
75
76 readfd = socket(PF_UNIX, SOCK_STREAM, 0);
77 if (readfd < 0) {
78 dropbear_exit("couldn't open random device");
79 }
80 /* todo - try various common locations */
81 if (connect(readfd, (struct sockaddr*)&egdsock,
82 sizeof(struct sockaddr_un)) < 0) {
83 dropbear_exit("couldn't open random device");
84 }
85
86 if (buflen > 255)
87 dropbear_exit("can't request more than 255 bytes from egd");
88 egdcmd[0] = 0x02; /* blocking read */
89 egdcmd[1] = (unsigned char)buflen;
90 if (write(readfd, egdcmd, 2) < 0)
91 dropbear_exit("can't send command to egd");
92 #endif
93
94 /* read the actual random data */
95 readpos = 0;
96 do {
97 if (!already_blocked)
98 {
99 int ret;
100 struct timeval timeout;
101 fd_set read_fds;
102
103 timeout.tv_sec = 2; /* two seconds should be enough */
104 timeout.tv_usec = 0;
105
106 FD_ZERO(&read_fds);
107 FD_SET(readfd, &read_fds);
108 ret = select(readfd + 1, &read_fds, NULL, NULL, &timeout);
109 if (ret == 0)
110 {
111 dropbear_log(LOG_INFO, "Warning: Reading the random source seems to have blocked.\nIf you experience problems, you probably need to find a better entropy source.");
112 already_blocked = 1;
113 }
114 }
115 readlen = read(readfd, &buf[readpos], buflen - readpos);
116 if (readlen <= 0) {
117 if (readlen < 0 && errno == EINTR) {
118 continue;
119 }
120 dropbear_exit("error reading random source");
121 }
122 readpos += readlen;
123 } while (readpos < buflen);
124
125 close (readfd);
126 }
127
128 /* initialise the prng from /dev/(u)random or prngd */
129 void seedrandom() {
130
131 unsigned char readbuf[INIT_SEED_SIZE];
132
133 hash_state hs;
134
135 /* initialise so that things won't warn about
136 * hashing an undefined buffer */
137 if (!donerandinit) {
138 m_burn(hashpool, sizeof(hashpool));
139 }
140
141 /* get the seed data */
142 readrand(readbuf, sizeof(readbuf));
143
144 /* hash in the new seed data */
145 sha1_init(&hs);
146 sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
147 sha1_process(&hs, (void*)readbuf, sizeof(readbuf));
148 sha1_done(&hs, hashpool);
149
150 counter = 0;
151 donerandinit = 1;
152 }
153
154 /* hash the current random pool with some unique identifiers
155 * for this process and point-in-time. this is used to separate
156 * the random pools for fork()ed processes. */
157 void reseedrandom() {
158
159 pid_t pid;
160 struct timeval tv;
161
162 if (!donerandinit) {
163 dropbear_exit("seedrandom not done");
164 }
165
166 pid = getpid();
167 gettimeofday(&tv, NULL);
168
169 hash_state hs;
170 unsigned char hash[SHA1_HASH_SIZE];
171 sha1_init(&hs);
172 sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
173 sha1_process(&hs, (void*)&pid, sizeof(pid));
174 sha1_process(&hs, (void*)&tv, sizeof(tv));
175 sha1_done(&hs, hashpool);
176 }
177
178 /* return len bytes of pseudo-random data */
179 void genrandom(unsigned char* buf, unsigned int len) {
180
181 hash_state hs;
182 unsigned char hash[SHA1_HASH_SIZE];
183 unsigned int copylen;
184
185 if (!donerandinit) {
186 dropbear_exit("seedrandom not done");
187 }
188
189 while (len > 0) {
190 sha1_init(&hs);
191 sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
192 sha1_process(&hs, (void*)&counter, sizeof(counter));
193 sha1_done(&hs, hash);
194
195 counter++;
196 if (counter > MAX_COUNTER) {
197 seedrandom();
198 }
199
200 copylen = MIN(len, SHA1_HASH_SIZE);
201 memcpy(buf, hash, copylen);
202 len -= copylen;
203 buf += copylen;
204 }
205 m_burn(hash, sizeof(hash));
206 }
207
208 /* Generates a random mp_int.
209 * max is a *mp_int specifying an upper bound.
210 * rand must be an initialised *mp_int for the result.
211 * the result rand satisfies: 0 < rand < max
212 * */
213 void gen_random_mpint(mp_int *max, mp_int *rand) {
214
215 unsigned char *randbuf = NULL;
216 unsigned int len = 0;
217 const char masks[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};
218
219 const int size_bits = mp_count_bits(max);
220
221 len = size_bits / 8;
222 if ((size_bits % 8) != 0) {
223 len += 1;
224 }
225
226 randbuf = (unsigned char*)m_malloc(len);
227 do {
228 genrandom(randbuf, len);
229 /* Mask out the unrequired bits - mp_read_unsigned_bin expects
230 * MSB first.*/
231 randbuf[0] &= masks[size_bits % 8];
232
233 bytes_to_mp(rand, randbuf, len);
234
235 /* keep regenerating until we get one satisfying
236 * 0 < rand < max */
237 } while ( ( (max != NULL) && (mp_cmp(rand, max) != MP_LT) )
238 || (mp_cmp_d(rand, 0) != MP_GT) );
239 m_burn(randbuf, len);
240 m_free(randbuf);
241 }