2 * Dropbear - a SSH2 server
4 * Copyright (c) 2002,2003 Matt Johnston
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
30 static int donerandinit = 0;
32 /* this is used to generate unique output from the same hashpool */
33 static unsigned int counter = 0;
34 #define MAX_COUNTER 1000000/* the max value for the counter, so it won't loop */
36 static unsigned char hashpool[SHA1_HASH_SIZE];
38 #define INIT_SEED_SIZE 32 /* 256 bits */
40 static void readrand(unsigned char* buf, unsigned int buflen);
42 /* The basic setup is we read some data from /dev/(u)random or prngd and hash it
43 * into hashpool. To read data, we hash together current hashpool contents,
44 * and a counter. We feed more data in by hashing the current pool and new
47 * It is important to ensure that counter doesn't wrap around before we
48 * feed in new entropy.
52 static void readrand(unsigned char* buf, unsigned int buflen) {
54 static int already_blocked = 0;
58 #ifdef DROPBEAR_PRNGD_SOCKET
59 struct sockaddr_un egdsock;
63 #ifdef DROPBEAR_RANDOM_DEV
64 readfd = open(DROPBEAR_RANDOM_DEV, O_RDONLY);
66 dropbear_exit("couldn't open random device");
70 #ifdef DROPBEAR_PRNGD_SOCKET
71 memset((void*)&egdsock, 0x0, sizeof(egdsock));
72 egdsock.sun_family = AF_UNIX;
73 strlcpy(egdsock.sun_path, DROPBEAR_PRNGD_SOCKET,
74 sizeof(egdsock.sun_path));
76 readfd = socket(PF_UNIX, SOCK_STREAM, 0);
78 dropbear_exit("couldn't open random device");
80 /* todo - try various common locations */
81 if (connect(readfd, (struct sockaddr*)&egdsock,
82 sizeof(struct sockaddr_un)) < 0) {
83 dropbear_exit("couldn't open random device");
87 dropbear_exit("can't request more than 255 bytes from egd");
88 egdcmd[0] = 0x02; /* blocking read */
89 egdcmd[1] = (unsigned char)buflen;
90 if (write(readfd, egdcmd, 2) < 0)
91 dropbear_exit("can't send command to egd");
94 /* read the actual random data */
100 struct timeval timeout;
103 timeout.tv_sec = 2; /* two seconds should be enough */
107 FD_SET(readfd, &read_fds);
108 ret = select(readfd + 1, &read_fds, NULL, NULL, &timeout);
111 dropbear_log(LOG_INFO, "Warning: Reading the random source seems to have blocked.\nIf you experience problems, you probably need to find a better entropy source.");
115 readlen = read(readfd, &buf[readpos], buflen - readpos);
117 if (readlen < 0 && errno == EINTR) {
120 dropbear_exit("error reading random source");
123 } while (readpos < buflen);
128 /* initialise the prng from /dev/(u)random or prngd */
131 unsigned char readbuf[INIT_SEED_SIZE];
135 /* initialise so compilers will be happy about hashing it */
137 m_burn(hashpool, sizeof(hashpool));
140 /* get the seed data */
141 readrand(readbuf, sizeof(readbuf));
143 /* hash in the new seed data */
145 sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
146 sha1_process(&hs, (void*)readbuf, sizeof(readbuf));
147 sha1_done(&hs, hashpool);
153 /* return len bytes of pseudo-random data */
154 void genrandom(unsigned char* buf, unsigned int len) {
157 unsigned char hash[SHA1_HASH_SIZE];
158 unsigned int copylen;
161 dropbear_exit("seedrandom not done");
166 sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
167 sha1_process(&hs, (void*)&counter, sizeof(counter));
168 sha1_done(&hs, hash);
171 if (counter > MAX_COUNTER) {
175 copylen = MIN(len, SHA1_HASH_SIZE);
176 memcpy(buf, hash, copylen);
180 m_burn(hash, sizeof(hash));
183 /* Generates a random mp_int.
184 * max is a *mp_int specifying an upper bound.
185 * rand must be an initialised *mp_int for the result.
186 * the result rand satisfies: 0 < rand < max
188 void gen_random_mpint(mp_int *max, mp_int *rand) {
190 unsigned char *randbuf = NULL;
191 unsigned int len = 0;
192 const char masks[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};
194 const int size_bits = mp_count_bits(max);
197 if ((size_bits % 8) != 0) {
201 randbuf = (unsigned char*)m_malloc(len);
203 genrandom(randbuf, len);
204 /* Mask out the unrequired bits - mp_read_unsigned_bin expects
206 randbuf[0] &= masks[size_bits % 8];
208 bytes_to_mp(rand, randbuf, len);
210 /* keep regenerating until we get one satisfying
212 } while ( ( (max != NULL) && (mp_cmp(rand, max) != MP_LT) )
213 || (mp_cmp_d(rand, 0) != MP_GT) );
214 m_burn(randbuf, len);