diff options
Diffstat (limited to 'dbrandom.c')
-rw-r--r-- | dbrandom.c | 312 |
1 files changed, 312 insertions, 0 deletions
diff --git a/dbrandom.c b/dbrandom.c new file mode 100644 index 0000000..e2f55c2 --- /dev/null +++ b/dbrandom.c @@ -0,0 +1,312 @@ +/* + * Dropbear - a SSH2 server + * + * Copyright (c) 2002,2003 Matt Johnston + * All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. */ + +#include "includes.h" +#include "buffer.h" +#include "dbutil.h" +#include "bignum.h" +#include "dbrandom.h" + + +/* this is used to generate unique output from the same hashpool */ +static uint32_t counter = 0; +/* the max value for the counter, so it won't integer overflow */ +#define MAX_COUNTER 1<<30 + +static unsigned char hashpool[SHA1_HASH_SIZE] = {0}; +static int donerandinit = 0; + +#define INIT_SEED_SIZE 32 /* 256 bits */ + +/* The basic setup is we read some data from /dev/(u)random or prngd and hash it + * into hashpool. To read data, we hash together current hashpool contents, + * and a counter. We feed more data in by hashing the current pool and new + * data into the pool. + * + * It is important to ensure that counter doesn't wrap around before we + * feed in new entropy. + * + */ + +/* Pass len=0 to hash an entire file */ +static int +process_file(hash_state *hs, const char *filename, + unsigned int len, int prngd) +{ + static int already_blocked = 0; + int readfd; + unsigned int readcount; + int ret = DROPBEAR_FAILURE; + +#ifdef DROPBEAR_PRNGD_SOCKET + if (prngd) + { + readfd = connect_unix(filename); + } + else +#endif + { + readfd = open(filename, O_RDONLY); + } + + if (readfd < 0) { + goto out; + } + + readcount = 0; + while (len == 0 || readcount < len) + { + int readlen, wantread; + unsigned char readbuf[4096]; + if (!already_blocked && !prngd) + { + int res; + struct timeval timeout; + fd_set read_fds; + + timeout.tv_sec = 2; + timeout.tv_usec = 0; + + FD_ZERO(&read_fds); + FD_SET(readfd, &read_fds); + res = select(readfd + 1, &read_fds, NULL, NULL, &timeout); + if (res == 0) + { + dropbear_log(LOG_WARNING, "Warning: Reading the randomness source '%s' seems to have blocked.\nYou may need to find a better entropy source.", filename); + already_blocked = 1; + } + } + + if (len == 0) + { + wantread = sizeof(readbuf); + } + else + { + wantread = MIN(sizeof(readbuf), len-readcount); + } + +#ifdef DROPBEAR_PRNGD_SOCKET + if (prngd) + { + char egdcmd[2]; + egdcmd[0] = 0x02; /* blocking read */ + egdcmd[1] = (unsigned char)wantread; + if (write(readfd, egdcmd, 2) < 0) + { + dropbear_exit("Can't send command to egd"); + } + } +#endif + + readlen = read(readfd, readbuf, wantread); + if (readlen <= 0) { + if (readlen < 0 && errno == EINTR) { + continue; + } + if (readlen == 0 && len == 0) + { + /* whole file was read as requested */ + break; + } + goto out; + } + sha1_process(hs, readbuf, readlen); + readcount += readlen; + } + ret = DROPBEAR_SUCCESS; +out: + close(readfd); + return ret; +} + +void addrandom(char * buf, unsigned int len) +{ + hash_state hs; + + /* hash in the new seed data */ + sha1_init(&hs); + /* existing state (zeroes on startup) */ + sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); + + /* new */ + sha1_process(&hs, buf, len); + sha1_done(&hs, hashpool); +} + +static void write_urandom() +{ +#ifndef DROPBEAR_PRNGD_SOCKET + /* This is opportunistic, don't worry about failure */ + unsigned char buf[INIT_SEED_SIZE]; + FILE *f = fopen(DROPBEAR_URANDOM_DEV, "w"); + if (!f) { + return; + } + genrandom(buf, sizeof(buf)); + fwrite(buf, sizeof(buf), 1, f); + fclose(f); +#endif +} + +/* Initialise the prng from /dev/urandom or prngd. This function can + * be called multiple times */ +void seedrandom() { + + hash_state hs; + + pid_t pid; + struct timeval tv; + clock_t clockval; + + /* hash in the new seed data */ + sha1_init(&hs); + /* existing state */ + sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); + +#ifdef DROPBEAR_PRNGD_SOCKET + if (process_file(&hs, DROPBEAR_PRNGD_SOCKET, INIT_SEED_SIZE, 1) + != DROPBEAR_SUCCESS) { + dropbear_exit("Failure reading random device %s", + DROPBEAR_PRNGD_SOCKET); + } +#else + /* non-blocking random source (probably /dev/urandom) */ + if (process_file(&hs, DROPBEAR_URANDOM_DEV, INIT_SEED_SIZE, 0) + != DROPBEAR_SUCCESS) { + dropbear_exit("Failure reading random device %s", + DROPBEAR_URANDOM_DEV); + } +#endif + + /* A few other sources to fall back on. + * Add more here for other platforms */ +#ifdef __linux__ + /* Seems to be a reasonable source of entropy from timers. Possibly hard + * for even local attackers to reproduce */ + process_file(&hs, "/proc/timer_list", 0, 0); + /* Might help on systems with wireless */ + process_file(&hs, "/proc/interrupts", 0, 0); + + process_file(&hs, "/proc/loadavg", 0, 0); + process_file(&hs, "/proc/sys/kernel/random/entropy_avail", 0, 0); + + /* Mostly network visible but useful in some situations. + * Limit size to avoid slowdowns on systems with lots of routes */ + process_file(&hs, "/proc/net/netstat", 4096, 0); + process_file(&hs, "/proc/net/dev", 4096, 0); + process_file(&hs, "/proc/net/tcp", 4096, 0); + /* Also includes interface lo */ + process_file(&hs, "/proc/net/rt_cache", 4096, 0); + process_file(&hs, "/proc/vmstat", 0, 0); +#endif + + pid = getpid(); + sha1_process(&hs, (void*)&pid, sizeof(pid)); + + /* gettimeofday() doesn't completely fill out struct timeval on + OS X (10.8.3), avoid valgrind warnings by clearing it first */ + memset(&tv, 0x0, sizeof(tv)); + gettimeofday(&tv, NULL); + sha1_process(&hs, (void*)&tv, sizeof(tv)); + + clockval = clock(); + sha1_process(&hs, (void*)&clockval, sizeof(clockval)); + + /* When a private key is read by the client or server it will + * be added to the hashpool - see runopts.c */ + + sha1_done(&hs, hashpool); + + counter = 0; + donerandinit = 1; + + /* Feed it all back into /dev/urandom - this might help if Dropbear + * is running from inetd and gets new state each time */ + write_urandom(); +} + +/* return len bytes of pseudo-random data */ +void genrandom(unsigned char* buf, unsigned int len) { + + hash_state hs; + unsigned char hash[SHA1_HASH_SIZE]; + unsigned int copylen; + + if (!donerandinit) { + dropbear_exit("seedrandom not done"); + } + + while (len > 0) { + sha1_init(&hs); + sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); + sha1_process(&hs, (void*)&counter, sizeof(counter)); + sha1_done(&hs, hash); + + counter++; + if (counter > MAX_COUNTER) { + seedrandom(); + } + + copylen = MIN(len, SHA1_HASH_SIZE); + memcpy(buf, hash, copylen); + len -= copylen; + buf += copylen; + } + m_burn(hash, sizeof(hash)); +} + +/* Generates a random mp_int. + * max is a *mp_int specifying an upper bound. + * rand must be an initialised *mp_int for the result. + * the result rand satisfies: 0 < rand < max + * */ +void gen_random_mpint(mp_int *max, mp_int *rand) { + + unsigned char *randbuf = NULL; + unsigned int len = 0; + const unsigned char masks[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f}; + + const int size_bits = mp_count_bits(max); + + len = size_bits / 8; + if ((size_bits % 8) != 0) { + len += 1; + } + + randbuf = (unsigned char*)m_malloc(len); + do { + genrandom(randbuf, len); + /* Mask out the unrequired bits - mp_read_unsigned_bin expects + * MSB first.*/ + randbuf[0] &= masks[size_bits % 8]; + + bytes_to_mp(rand, randbuf, len); + + /* keep regenerating until we get one satisfying + * 0 < rand < max */ + } while (mp_cmp(rand, max) != MP_LT); + m_burn(randbuf, len); + m_free(randbuf); +} |