diff options
| author | Simon Tatham <anakin@pobox.com> | 2019-01-23 01:42:41 +0300 |
|---|---|---|
| committer | Simon Tatham <anakin@pobox.com> | 2019-01-24 01:36:17 +0300 |
| commit | 320bf8479ff5bcbad239db4f9f4aa63656b0675e (patch) | |
| tree | 5a9ba420cd2366b4b758afb49043f85ffb87e542 /defs.h | |
| parent | 5087792440a04c87767c9bf9a966c1832ac58643 (diff) | |
Replace PuTTY's PRNG with a Fortuna-like system.
This tears out the entire previous random-pool system in sshrand.c. In
its place is a system pretty close to Ferguson and Schneier's
'Fortuna' generator, with the main difference being that I use SHA-256
instead of AES for the generation side of the system (rationale given
in comment).
The PRNG implementation lives in sshprng.c, and defines a self-
contained data type with no state stored outside the object, so you
can instantiate however many of them you like. The old sshrand.c still
exists, but in place of the previous random pool system, it's just
become a client of sshprng.c, whose job is to hold a single global
instance of the PRNG type, and manage its reference count, save file,
noise-collection timers and similar administrative business.
Advantages of this change include:
- Fortuna is designed with a more varied threat model in mind than my
old home-grown random pool. For example, after any request for
random numbers, it automatically re-seeds itself, so that if the
state of the PRNG should be leaked, it won't give enough
information to find out what past outputs _were_.
- The PRNG type can be instantiated with any hash function; the
instance used by the main tools is based on SHA-256, an improvement
on the old pool's use of SHA-1.
- The new PRNG only uses the completely standard interface to the
hash function API, instead of having to have privileged access to
the internal SHA-1 block transform function. This will make it
easier to revamp the hash code in general, and also it means that
hardware-accelerated versions of SHA-256 will automatically be used
for the PRNG as well as for everything else.
- The new PRNG can be _tested_! Because it has an actual (if not
quite explicit) specification for exactly what the output numbers
_ought_ to be derived from the hashes of, I can (and have) put
tests in cryptsuite that ensure the output really is being derived
in the way I think it is. The old pool could have been returning
any old nonsense and it would have been very hard to tell for sure.
Diffstat (limited to 'defs.h')
| -rw-r--r-- | defs.h | 1 |
1 files changed, 1 insertions, 0 deletions
@@ -90,6 +90,7 @@ typedef struct PortFwdManager PortFwdManager; typedef struct PortFwdRecord PortFwdRecord; typedef struct ConnectionLayer ConnectionLayer; +typedef struct prng prng; typedef struct ssh_hashalg ssh_hashalg; typedef struct ssh_hash ssh_hash; typedef struct ssh_kex ssh_kex; |