Mercurial > dropbear

comparison random.c @ 389:5ff8218bcee9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
propagate from branch 'au.asn.ucc.matt.ltm.dropbear' (head 2af95f00ebd5bb7a28b3817db1218442c935388e) to branch 'au.asn.ucc.matt.dropbear' (head ecd779509ef23a8cdf64888904fc9b31d78aa933)
author Matt Johnston <matt@ucc.asn.au>
date Thu, 11 Jan 2007 03:14:55 +0000
parents 36d21680a9d3
children 08b69964e408 959c66ccf1b5 00703f1df67a
comparison
equal deleted inserted replaced
388:fb54020f78e1 389:5ff8218bcee9
1 /*
2 * Dropbear - a SSH2 server
3 *
4 * Copyright (c) 2002,2003 Matt Johnston
5 * All rights reserved.
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 * SOFTWARE. */
24
25 #include "includes.h"
26 #include "buffer.h"
27 #include "dbutil.h"
28 #include "bignum.h"
29
30 static int donerandinit = 0;
31
32 /* this is used to generate unique output from the same hashpool */
33 static uint32_t counter = 0;
34 /* the max value for the counter, so it won't integer overflow */
35 #define MAX_COUNTER 1<<30
36
37 static unsigned char hashpool[SHA1_HASH_SIZE];
38
39 #define INIT_SEED_SIZE 32 /* 256 bits */
40
41 static void readrand(unsigned char* buf, unsigned int buflen);
42
43 /* The basic setup is we read some data from /dev/(u)random or prngd and hash it
44 * into hashpool. To read data, we hash together current hashpool contents,
45 * and a counter. We feed more data in by hashing the current pool and new
46 * data into the pool.
47 *
48 * It is important to ensure that counter doesn't wrap around before we
49 * feed in new entropy.
50 *
51 */
52
53 static void readrand(unsigned char* buf, unsigned int buflen) {
54
55 static int already_blocked = 0;
56 int readfd;
57 unsigned int readpos;
58 int readlen;
59 #ifdef DROPBEAR_PRNGD_SOCKET
60 struct sockaddr_un egdsock;
61 char egdcmd[2];
62 #endif
63
64 #ifdef DROPBEAR_RANDOM_DEV
65 readfd = open(DROPBEAR_RANDOM_DEV, O_RDONLY);
66 if (readfd < 0) {
67 dropbear_exit("couldn't open random device");
68 }
69 #endif
70
71 #ifdef DROPBEAR_PRNGD_SOCKET
72 memset((void*)&egdsock, 0x0, sizeof(egdsock));
73 egdsock.sun_family = AF_UNIX;
74 strlcpy(egdsock.sun_path, DROPBEAR_PRNGD_SOCKET,
75 sizeof(egdsock.sun_path));
76
77 readfd = socket(PF_UNIX, SOCK_STREAM, 0);
78 if (readfd < 0) {
79 dropbear_exit("couldn't open random device");
80 }
81 /* todo - try various common locations */
82 if (connect(readfd, (struct sockaddr*)&egdsock,
83 sizeof(struct sockaddr_un)) < 0) {
84 dropbear_exit("couldn't open random device");
85 }
86
87 if (buflen > 255)
88 dropbear_exit("can't request more than 255 bytes from egd");
89 egdcmd[0] = 0x02; /* blocking read */
90 egdcmd[1] = (unsigned char)buflen;
91 if (write(readfd, egdcmd, 2) < 0)
92 dropbear_exit("can't send command to egd");
93 #endif
94
95 /* read the actual random data */
96 readpos = 0;
97 do {
98 if (!already_blocked)
99 {
100 int ret;
101 struct timeval timeout;
102 fd_set read_fds;
103
104 timeout.tv_sec = 2; /* two seconds should be enough */
105 timeout.tv_usec = 0;
106
107 FD_ZERO(&read_fds);
108 FD_SET(readfd, &read_fds);
109 ret = select(readfd + 1, &read_fds, NULL, NULL, &timeout);
110 if (ret == 0)
111 {
112 dropbear_log(LOG_INFO, "Warning: Reading the random source seems to have blocked.\nIf you experience problems, you probably need to find a better entropy source.");
113 already_blocked = 1;
114 }
115 }
116 readlen = read(readfd, &buf[readpos], buflen - readpos);
117 if (readlen <= 0) {
118 if (readlen < 0 && errno == EINTR) {
119 continue;
120 }
121 dropbear_exit("error reading random source");
122 }
123 readpos += readlen;
124 } while (readpos < buflen);
125
126 close (readfd);
127 }
128
129 /* initialise the prng from /dev/(u)random or prngd */
130 void seedrandom() {
131
132 unsigned char readbuf[INIT_SEED_SIZE];
133
134 hash_state hs;
135
136 /* initialise so that things won't warn about
137 * hashing an undefined buffer */
138 if (!donerandinit) {
139 m_burn(hashpool, sizeof(hashpool));
140 }
141
142 /* get the seed data */
143 readrand(readbuf, sizeof(readbuf));
144
145 /* hash in the new seed data */
146 sha1_init(&hs);
147 sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
148 sha1_process(&hs, (void*)readbuf, sizeof(readbuf));
149 sha1_done(&hs, hashpool);
150
151 counter = 0;
152 donerandinit = 1;
153 }
154
155 /* hash the current random pool with some unique identifiers
156 * for this process and point-in-time. this is used to separate
157 * the random pools for fork()ed processes. */
158 void reseedrandom() {
159
160 pid_t pid;
161 hash_state hs;
162 struct timeval tv;
163
164 if (!donerandinit) {
165 dropbear_exit("seedrandom not done");
166 }
167
168 pid = getpid();
169 gettimeofday(&tv, NULL);
170
171 sha1_init(&hs);
172 sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
173 sha1_process(&hs, (void*)&pid, sizeof(pid));
174 sha1_process(&hs, (void*)&tv, sizeof(tv));
175 sha1_done(&hs, hashpool);
176 }
177
178 /* return len bytes of pseudo-random data */
179 void genrandom(unsigned char* buf, unsigned int len) {
180
181 hash_state hs;
182 unsigned char hash[SHA1_HASH_SIZE];
183 unsigned int copylen;
184
185 if (!donerandinit) {
186 dropbear_exit("seedrandom not done");
187 }
188
189 while (len > 0) {
190 sha1_init(&hs);
191 sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
192 sha1_process(&hs, (void*)&counter, sizeof(counter));
193 sha1_done(&hs, hash);
194
195 counter++;
196 if (counter > MAX_COUNTER) {
197 seedrandom();
198 }
199
200 copylen = MIN(len, SHA1_HASH_SIZE);
201 memcpy(buf, hash, copylen);
202 len -= copylen;
203 buf += copylen;
204 }
205 m_burn(hash, sizeof(hash));
206 }
207
208 /* Generates a random mp_int.
209 * max is a *mp_int specifying an upper bound.
210 * rand must be an initialised *mp_int for the result.
211 * the result rand satisfies: 0 < rand < max
212 * */
213 void gen_random_mpint(mp_int *max, mp_int *rand) {
214
215 unsigned char *randbuf = NULL;
216 unsigned int len = 0;
217 const char masks[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};
218
219 const int size_bits = mp_count_bits(max);
220
221 len = size_bits / 8;
222 if ((size_bits % 8) != 0) {
223 len += 1;
224 }
225
226 randbuf = (unsigned char*)m_malloc(len);
227 do {
228 genrandom(randbuf, len);
229 /* Mask out the unrequired bits - mp_read_unsigned_bin expects
230 * MSB first.*/
231 randbuf[0] &= masks[size_bits % 8];
232
233 bytes_to_mp(rand, randbuf, len);
234
235 /* keep regenerating until we get one satisfying
236 * 0 < rand < max */
237 } while ( ( (max != NULL) && (mp_cmp(rand, max) != MP_LT) )
238 || (mp_cmp_d(rand, 0) != MP_GT) );
239 m_burn(randbuf, len);
240 m_free(randbuf);
241 }