/* * Dropbear - a SSH2 server * * Copyright (c) 2002,2003 Matt Johnston * All rights reserved. * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. */ #include "includes.h" #include "buffer.h" #include "dbutil.h" int donerandinit = 0; /* this is used to generate unique output from the same hashpool */ unsigned int counter = 0; #define MAX_COUNTER 1000000/* the max value for the counter, so it won't loop */ unsigned char hashpool[SHA1_HASH_SIZE]; #define INIT_SEED_SIZE 32 /* 256 bits */ static void readrand(unsigned char* buf, unsigned int buflen); /* The basic setup is we read some data from DEV_URANDOM or PRNGD and hash it * into hashpool. To read data, we hash together current hashpool contents, * and a counter. We feed more data in by hashing the current pool and new * data into the pool. * * It is important to ensure that counter doesn't wrap around before we * feed in new entropy. * */ static void readrand(unsigned char* buf, unsigned int buflen) { int readfd; unsigned int readpos; int readlen; #ifdef DROPBEAR_EGD struct sockaddr_un egdsock; char egdcmd[2]; #endif #ifdef DROPBEAR_DEV_URANDOM readfd = open(DEV_URANDOM, O_RDONLY); if (readfd < 0) { dropbear_exit("couldn't open random device"); } #endif #ifdef DROPBEAR_EGD memset((void*)&egdsock, 0x0, sizeof(egdsock)); egdsock.sun_family = AF_UNIX; strlcpy(egdsock.sun_path, DROPBEAR_EGD_SOCKET, sizeof(egdsock.sun_path)); readfd = socket(PF_UNIX, SOCK_STREAM, 0); if (readfd < 0) { dropbear_exit("couldn't open random device"); } /* todo - try various common locations */ if (connect(readfd, (struct sockaddr*)&egdsock, sizeof(struct sockaddr_un)) < 0) { dropbear_exit("couldn't open random device"); } if (buflen > 255) dropbear_exit("can't request more than 255 bytes from egd"); egdcmd[0] = 0x02; /* blocking read */ egdcmd[1] = (unsigned char)buflen; if (write(readfd, egdcmd, 2) < 0) dropbear_exit("can't send command to egd"); #endif /* read the actual random data */ readpos = 0; do { readlen = read(readfd, &buf[readpos], buflen - readpos); if (readlen <= 0) { if (readlen < 0 && errno == EINTR) { continue; } dropbear_exit("error reading random source"); } readpos += readlen; } while (readpos < buflen); close (readfd); } /* initialise the prng from /dev/urandom or prngd */ void seedrandom() { unsigned char readbuf[INIT_SEED_SIZE]; hash_state hs; /* initialise so compilers will be happy about hashing it */ if (!donerandinit) { m_burn(hashpool, sizeof(hashpool)); } /* get the seed data */ readrand(readbuf, sizeof(readbuf)); /* hash in the new seed data */ sha1_init(&hs); sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); sha1_process(&hs, (void*)readbuf, sizeof(readbuf)); sha1_done(&hs, hashpool); counter = 0; donerandinit = 1; } /* return len bytes of pseudo-random data */ void genrandom(unsigned char* buf, unsigned int len) { hash_state hs; unsigned char hash[SHA1_HASH_SIZE]; unsigned int copylen; if (!donerandinit) { dropbear_exit("seedrandom not done"); } while (len > 0) { sha1_init(&hs); sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); sha1_process(&hs, (void*)&counter, sizeof(counter)); sha1_done(&hs, hash); counter++; if (counter > MAX_COUNTER) { seedrandom(); } copylen = MIN(len, SHA1_HASH_SIZE); memcpy(buf, hash, copylen); len -= copylen; buf += copylen; } m_burn(hash, sizeof(hash)); } /* Adds entropy to the PRNG state. As long as the hash is strong, then we * don't need to worry about entropy being added "diluting" the current * state - it should only make it stronger. */ void addrandom(unsigned char* buf, unsigned int len) { hash_state hs; if (!donerandinit) { dropbear_exit("seedrandom not done"); } sha1_init(&hs); sha1_process(&hs, (void*)buf, len); sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); sha1_done(&hs, hashpool); counter = 0; }