PuTTY snapshot 50877924 (Label random-noise sources with an enum of ids - 2019-01-24)

Source commit: a264c72abc7e7c95475f54170939cfb6e07b90a5

source/putty/import.c

@@ -988,7 +988,7 @@ static bool openssh_pem_write(
      */
     if (passphrase) {
 	unsigned char keybuf[32];
-        int origlen, outlen, pad, i;
+        int origlen, outlen, pad;
 
         /*
          * Padding on OpenSSH keys is deterministic. The number of
@@ -1015,7 +1015,7 @@ static bool openssh_pem_write(
 	/*
 	 * Invent an iv, and derive the encryption key.
 	 */
-	for (i = 0; i < 8; i++) iv[i] = random_byte();
+        random_read(iv, 8);
 
         openssh_pem_derivekey(ptrlen_from_asciz(passphrase), iv, keybuf);
 
@@ -1498,7 +1498,7 @@ static bool openssh_new_write(
     const Filename *filename, ssh2_userkey *key, const char *passphrase)
 {
     strbuf *pubblob, *privblob, *cblob;
-    int padvalue, i;
+    int padvalue;
     unsigned checkint;
     bool ret = false;
     unsigned char bcrypt_salt[16];
@@ -1530,8 +1530,7 @@ static bool openssh_new_write(
     } else {
         strbuf *substr;
 
-        for (i = 0; i < (int)sizeof(bcrypt_salt); i++)
-            bcrypt_salt[i] = random_byte();
+        random_read(bcrypt_salt, sizeof(bcrypt_salt));
         put_stringz(cblob, "aes256-ctr");
         put_stringz(cblob, "bcrypt");
         substr = strbuf_new();
@@ -1551,9 +1550,9 @@ static bool openssh_new_write(
         strbuf *cpblob = strbuf_new();
 
         /* checkint. */
-        checkint = 0;
-        for (i = 0; i < 4; i++)
-            checkint = (checkint << 8) + random_byte();
+        uint8_t checkint_buf[4];
+        random_read(checkint_buf, 4);
+        checkint = GET_32BIT_MSB_FIRST(checkint_buf);
         put_uint32(cpblob, checkint);
         put_uint32(cpblob, checkint);
 
@@ -2279,8 +2278,9 @@ static bool sshcom_write(
     /* Pad encrypted blob to a multiple of cipher block size. */
     if (passphrase) {
 	int padding = -(outblob->len - (lenpos+4)) & 7;
-	while (padding--)
-	    put_byte(outblob, random_byte());
+        uint8_t padding_buf[8];
+        random_read(padding_buf, padding);
+        put_data(outblob, padding_buf, padding);
     }
     ciphertext = outblob->s + lenpos + 4;
     cipherlen = outblob->len - (lenpos + 4);

source/putty/mpint.c

@@ -2302,21 +2302,20 @@ mp_int *monty_modsqrt(ModsqrtContext *sc, mp_int *x, unsigned *success)
     return toret;
 }
 
-mp_int *mp_random_bits_fn(size_t bits, int (*gen_byte)(void))
+mp_int *mp_random_bits_fn(size_t bits, random_read_fn_t random_read)
 {
     size_t bytes = (bits + 7) / 8;
-    size_t words = (bits + BIGNUM_INT_BITS - 1) / BIGNUM_INT_BITS;
-    mp_int *x = mp_make_sized(words);
-    for (size_t i = 0; i < bytes; i++) {
-        BignumInt byte = gen_byte();
-        unsigned mask = (1 << size_t_min(8, bits-i*8)) - 1;
-        x->w[i / BIGNUM_INT_BYTES] |=
-            (byte & mask) << (8*(i % BIGNUM_INT_BYTES));
-    }
-    return x;
+    uint8_t *randbuf = snewn(bytes, uint8_t);
+    random_read(randbuf, bytes);
+    if (bytes)
+        randbuf[0] &= (2 << ((bits-1) & 7)) - 1;
+    mp_int *toret = mp_from_bytes_be(make_ptrlen(randbuf, bytes));
+    smemclr(randbuf, bytes);
+    sfree(randbuf);
+    return toret;
 }
 
-mp_int *mp_random_in_range_fn(mp_int *lo, mp_int *hi, int (*gen_byte)(void))
+mp_int *mp_random_in_range_fn(mp_int *lo, mp_int *hi, random_read_fn_t rf)
 {
     mp_int *n_outcomes = mp_sub(hi, lo);
 
@@ -2329,8 +2328,7 @@ mp_int *mp_random_in_range_fn(mp_int *lo, mp_int *hi, int (*gen_byte)(void))
      * is acceptable on the grounds that you'd have to examine so many
      * outputs to even detect it.
      */
-    mp_int *unreduced = mp_random_bits_fn(
-        mp_max_bits(n_outcomes) + 128, gen_byte);
+    mp_int *unreduced = mp_random_bits_fn(mp_max_bits(n_outcomes) + 128, rf);
     mp_int *reduced = mp_mod(unreduced, n_outcomes);
     mp_add_into(reduced, reduced, lo);
     mp_free(unreduced);

source/putty/mpint.h

@@ -364,9 +364,9 @@ mp_int *mp_rshift_fixed(mp_int *x, size_t shift);
 /*
  * Generate a random mp_int.
  *
- * The _function_ definitions here will expect to be given a gen_byte
+ * The _function_ definitions here will expect to be given a gen_data
  * function that provides random data. Normally you'd use this using
- * random_byte() from random.c, and the macro wrappers automate that.
+ * random_read() from random.c, and the macro wrappers automate that.
  *
  * (This is a bit of a dodge to avoid mpint.c having a link-time
  * dependency on random.c, so that programs can link against one but
@@ -376,10 +376,11 @@ mp_int *mp_rshift_fixed(mp_int *x, size_t shift);
  * mp_random_bits[_fn] returns an integer 0 <= n < 2^bits.
  * mp_random_in_range[_fn](lo,hi) returns an integer lo <= n < hi.
  */
-mp_int *mp_random_bits_fn(size_t bits, int (*gen_byte)(void));
+typedef void (*random_read_fn_t)(void *, size_t);
+mp_int *mp_random_bits_fn(size_t bits, random_read_fn_t randfn);
 mp_int *mp_random_in_range_fn(
-    mp_int *lo_inclusive, mp_int *hi_exclusive, int (*gen_byte)(void));
-#define mp_random_bits(bits) mp_random_bits_fn(bits, random_byte)
-#define mp_random_in_range(lo, hi) mp_random_in_range_fn(lo, hi, random_byte)
+    mp_int *lo_inclusive, mp_int *hi_exclusive, random_read_fn_t randfn);
+#define mp_random_bits(bits) mp_random_bits_fn(bits, random_read)
+#define mp_random_in_range(lo, hi) mp_random_in_range_fn(lo, hi, random_read)
 
 #endif /* PUTTY_MPINT_H */

source/putty/putty.h

@@ -1456,10 +1456,30 @@ FontSpec *fontspec_deserialise(BinarySource *src);
 /*
  * Exports from noise.c.
  */
+typedef enum NoiseSourceId {
+    NOISE_SOURCE_TIME,
+    NOISE_SOURCE_IOID,
+    NOISE_SOURCE_IOLEN,
+    NOISE_SOURCE_KEY,
+    NOISE_SOURCE_MOUSEBUTTON,
+    NOISE_SOURCE_MOUSEPOS,
+    NOISE_SOURCE_MEMINFO,
+    NOISE_SOURCE_STAT,
+    NOISE_SOURCE_RUSAGE,
+    NOISE_SOURCE_FGWINDOW,
+    NOISE_SOURCE_CAPTURE,
+    NOISE_SOURCE_CLIPBOARD,
+    NOISE_SOURCE_QUEUE,
+    NOISE_SOURCE_CURSORPOS,
+    NOISE_SOURCE_THREADTIME,
+    NOISE_SOURCE_PROCTIME,
+    NOISE_SOURCE_PERFCOUNT,
+    NOISE_MAX_SOURCES
+} NoiseSourceId;
 void noise_get_heavy(void (*func) (void *, int));
 void noise_get_light(void (*func) (void *, int));
 void noise_regular(void);
-void noise_ultralight(unsigned long data);
+void noise_ultralight(NoiseSourceId id, unsigned long data);
 void random_save_seed(void);
 void random_destroy_seed(void);
 
@@ -1673,8 +1693,8 @@ void luni_send(Ldisc *, const wchar_t * widebuf, int len, bool interactive);
  * Exports from sshrand.c.
  */
 
-void random_add_noise(void *noise, int length);
-int random_byte(void);
+void random_add_noise(NoiseSourceId source, const void *noise, int length);
+void random_read(void *buf, size_t size);
 void random_get_savedata(void **data, int *len);
 extern int random_active;
 /* The random number subsystem is activated if at least one other entity

source/putty/ssh.h

@@ -892,7 +892,7 @@ void SHATransform(uint32_t *digest, uint32_t *data);
 #   undef COMPILER_SUPPORTS_SHA_NI
 #endif
 
-int random_byte(void);
+void random_read(void *out, size_t size);
 void random_add_noise(void *noise, int length);
 void random_add_heavynoise(void *noise, int length);
 

source/putty/ssh1bpp.c

@@ -295,7 +295,7 @@ static PktOut *ssh1_bpp_new_pktout(int pkt_type)
 
 static void ssh1_bpp_format_packet(struct ssh1_bpp_state *s, PktOut *pkt)
 {
-    int pad, biglen, i, pktoffs;
+    int pad, biglen, pktoffs;
     uint32_t crc;
     int len;
 
@@ -329,8 +329,7 @@ static void ssh1_bpp_format_packet(struct ssh1_bpp_state *s, PktOut *pkt)
     pktoffs = 8 - pad;
     biglen = len + pad;         /* len(padding+type+data+CRC) */
 
-    for (i = pktoffs; i < 4+8; i++)
-        pkt->data[i] = random_byte();
+    random_read(pkt->data + pktoffs, 4+8 - pktoffs);
     crc = crc32_ssh1(
         make_ptrlen(pkt->data + pktoffs + 4, biglen - 4)); /* all ex len */
     PUT_32BIT(pkt->data + pktoffs + 4 + biglen - 4, crc);

source/putty/ssh1login.c

@@ -201,8 +201,7 @@ static void ssh1_login_process_queue(PacketProtocolLayer *ppl)
     ssh1_compute_session_id(s->session_id, s->cookie,
                             &s->hostkey, &s->servkey);
 
-    for (i = 0; i < 32; i++)
-        s->session_key[i] = random_byte();
+    random_read(s->session_key, 32);
 
     /*
      * Verify that the `bits' and `bytes' parameters match.
@@ -986,10 +985,8 @@ static void ssh1_login_process_queue(PacketProtocolLayer *ppl)
                         put_stringz(pkt, s->cur_prompt->prompts[0]->result);
                         pq_push(s->ppl.out_pq, pkt);
                     } else {
-                        int j;
                         strbuf *random_data = strbuf_new();
-                        for (j = 0; j < i; j++)
-                            put_byte(random_data, random_byte());
+                        random_read(strbuf_append(random_data, i), i);
 
                         pkt = ssh_bpp_new_pktout(s->ppl.bpp, SSH1_MSG_IGNORE);
                         put_stringsb(pkt, random_data);
@@ -1009,9 +1006,8 @@ static void ssh1_login_process_queue(PacketProtocolLayer *ppl)
                 ppl_logevent("Sending length-padded password");
                 pkt = ssh_bpp_new_pktout(s->ppl.bpp, s->pwpkt_type);
                 put_asciz(padded_pw, s->cur_prompt->prompts[0]->result);
-                do {
-                    put_byte(padded_pw, random_byte());
-                } while (padded_pw->len % 64 != 0);
+                size_t pad = 63 & -padded_pw->len;
+                random_read(strbuf_append(padded_pw, pad), pad);
                 put_stringsb(pkt, padded_pw);
                 pq_push(s->ppl.out_pq, pkt);
             } else {

source/putty/ssh2bpp.c

@@ -726,7 +726,8 @@ static void ssh2_bpp_format_packet_inner(struct ssh2_bpp_state *s, PktOut *pkt)
     maclen = s->out.mac ? ssh2_mac_alg(s->out.mac)->len : 0;
     origlen = pkt->length;
     for (i = 0; i < padding; i++)
-        put_byte(pkt, random_byte());
+        put_byte(pkt, 0);              /* make space for random padding */
+    random_read(pkt->data + origlen, padding);
     pkt->data[4] = padding;
     PUT_32BIT(pkt->data, origlen + padding - 4);
 
@@ -820,8 +821,10 @@ static void ssh2_bpp_format_packet(struct ssh2_bpp_state *s, PktOut *pkt)
 
             ignore_pkt = ssh2_bpp_new_pktout(SSH2_MSG_IGNORE);
             put_uint32(ignore_pkt, length);
-            while (length-- > 0)
-                put_byte(ignore_pkt, random_byte());
+            size_t origlen = ignore_pkt->length;
+            for (size_t i = 0; i < length; i++)
+                put_byte(ignore_pkt, 0);  /* make space for random padding */
+            random_read(ignore_pkt->data + origlen, length);
             ssh2_bpp_format_packet_inner(s, ignore_pkt);
             bufchain_add(s->bpp.out_raw, ignore_pkt->data, ignore_pkt->length);
             ssh_free_pktout(ignore_pkt);

source/putty/ssh2kex-client.c

@@ -556,17 +556,12 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted)
         {
             int klen = ssh_rsakex_klen(s->rsa_kex_key);
             int nbits = klen - (2*s->kex_alg->hash->hlen*8 + 49);
-            int i, byte = 0;
             strbuf *buf, *outstr;
 
+            mp_int *tmp = mp_random_bits(nbits - 1);
             s->K = mp_power_2(nbits - 1);
-
-            for (i = 0; i < nbits; i++) {
-                if ((i & 7) == 0) {
-                    byte = random_byte();
-                }
-                mp_set_bit(s->K, i, (byte >> (i & 7)) & 1);
-            }
+            mp_add_into(s->K, s->K, tmp);
+            mp_free(tmp);
 
             /*
              * Encode this as an mpint.

source/putty/ssh2transport.c

@@ -1048,11 +1048,7 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
      */
     s->client_kexinit->len = 0;
     put_byte(s->outgoing_kexinit, SSH2_MSG_KEXINIT);
-    {
-        int i;
-        for (i = 0; i < 16; i++)
-            put_byte(s->outgoing_kexinit, (unsigned char) random_byte());
-    }
+    random_read(strbuf_append(s->outgoing_kexinit, 16), 16);
     ssh2_write_kexinit_lists(
         BinarySink_UPCAST(s->outgoing_kexinit), s->kexlists,
         s->conf, s->ppl.remote_bugs,

source/putty/sshecc.c

@@ -1269,8 +1269,8 @@ static void ssh_ecdhkex_w_setup(ecdh_key *dh)
 static void ssh_ecdhkex_m_setup(ecdh_key *dh)
 {
     strbuf *bytes = strbuf_new();
-    for (size_t i = 0; i < dh->curve->fieldBytes; ++i)
-        put_byte(bytes, random_byte());
+    random_read(strbuf_append(bytes, dh->curve->fieldBytes),
+                dh->curve->fieldBytes);
 
     bytes->u[0] &= 0xF8;
     bytes->u[bytes->len-1] &= 0x7F;

source/putty/sshpubk.c

@@ -333,12 +333,10 @@ bool rsa_ssh1_savekey(const Filename *filename, RSAKey *key,
      * Two bytes, then the same two bytes repeated.
      */
     {
-        unsigned char b0 = random_byte();
-        unsigned char b1 = random_byte();
-        put_byte(buf, b0);
-        put_byte(buf, b1);
-        put_byte(buf, b0);
-        put_byte(buf, b1);
+        uint8_t bytes[2];
+        random_read(bytes, 2);
+        put_data(buf, bytes, 2);
+        put_data(buf, bytes, 2);
     }
 
     /*

source/putty/sshrand.c

@@ -52,9 +52,10 @@ void random_add_noise(void *noise, int length) { }
 void random_add_heavynoise(void *noise, int length) { }
 void random_ref(void) { }
 void random_unref(void) { }
-int random_byte(void)
+void random_read(void *out, size_t size)
 {
     return 0x45; /* Chosen by eight fair coin tosses */
+    memset(out, 0x45, size); /* Chosen by eight fair coin tosses */
 }
 void random_get_savedata(void **data, int *len) { }
 #else /* !FUZZING */
@@ -319,14 +320,17 @@ void random_unref(void)
     random_active--;
 }
 
-int random_byte(void)
+void random_read(void *vout, size_t size)
 {
     assert(random_active);
 
-    if (pool.poolpos >= POOLSIZE)
-	random_stir();
+    uint8_t *out = (uint8_t *)vout;
+    while (size-- > 0) {
+        if (pool.poolpos >= POOLSIZE)
+            random_stir();
 
-    return pool.pool[pool.poolpos++];
+        *out++ = pool.pool[pool.poolpos++];
+    }
 }
 
 void random_get_savedata(void **data, int *len)

source/putty/sshrsa.c

@@ -56,11 +56,37 @@ bool rsa_ssh1_encrypt(unsigned char *data, int length, RSAKey *key)
     data[0] = 0;
     data[1] = 2;
 
+    size_t npad = key->bytes - length - 3;
+    /*
+     * Generate a sequence of nonzero padding bytes. We do this in a
+     * reasonably uniform way and without having to loop round
+     * retrying the random number generation, by first generating an
+     * integer in [0,2^n) for an appropriately large n; then we
+     * repeatedly multiply by 255 to give an integer in [0,255*2^n),
+     * extract the top 8 bits to give an integer in [0,255), and mask
+     * those bits off before multiplying up again for the next digit.
+     * This gives us a sequence of numbers in [0,255), and of course
+     * adding 1 to each of them gives numbers in [1,256) as we wanted.
+     *
+     * (You could imagine this being a sort of fixed-point operation:
+     * given a uniformly random binary _fraction_, multiplying it by k
+     * and subtracting off the integer part will yield you a sequence
+     * of integers each in [0,k). I'm just doing that scaled up by a
+     * power of 2 to avoid the fractions.)
+     */
+    size_t random_bits = (npad + 16) * 8;
+    mp_int *randval = mp_new(random_bits + 8);
+    mp_int *tmp = mp_random_bits(random_bits);
+    mp_copy_into(randval, tmp);
+    mp_free(tmp);
     for (i = 2; i < key->bytes - length - 1; i++) {
-	do {
-	    data[i] = random_byte();
-	} while (data[i] == 0);
+        mp_mul_integer_into(randval, randval, 255);
+        uint8_t byte = mp_get_byte(randval, random_bits / 8);
+        assert(byte != 255);
+        data[i] = byte + 1;
+        mp_reduce_mod_2to(randval, random_bits);
     }
+    mp_free(randval);
     data[key->bytes - length - 1] = 0;
 
     b1 = mp_from_bytes_be(make_ptrlen(data, key->bytes));
@@ -804,8 +830,7 @@ strbuf *ssh_rsakex_encrypt(RSAKey *rsa, const ssh_hashalg *h, ptrlen in)
     /* Leading byte zero. */
     out[0] = 0;
     /* At position 1, the seed: HLEN bytes of random data. */
-    for (i = 0; i < HLEN; i++)
-        out[i + 1] = random_byte();
+    random_read(out + 1, HLEN);
     /* At position 1+HLEN, the data block DB, consisting of: */
     /* The hash of the label (we only support an empty label here) */
     {

source/putty/windows/winhandl.c

@@ -689,7 +689,7 @@ void handle_got_event(HANDLE event)
 	    h->u.o.sentdata(h, -h->u.o.writeerr);
 	} else {
 	    bufchain_consume(&h->u.o.queued_data, h->u.o.lenwritten);
-            noise_ultralight(h->u.o.lenwritten);
+            noise_ultralight(NOISE_SOURCE_IOLEN, h->u.o.lenwritten);
 	    h->u.o.sentdata(h, bufchain_size(&h->u.o.queued_data));
 	    handle_try_output(&h->u.o);
 	}

source/putty/windows/winnet.c

@@ -1387,7 +1387,7 @@ void try_send(NetSocket *s)
 	    bufchain_prefix(&s->output_data, &data, &len);
 	}
 	nsent = p_send(s->s, data, len, urgentflag);
-	noise_ultralight(nsent);
+	noise_ultralight(NOISE_SOURCE_IOLEN, nsent);
 	if (nsent <= 0) {
 	    err = (nsent < 0 ? p_WSAGetLastError() : 0);
 	    if ((err < WSABASEERR && nsent < 0) || err == WSAEWOULDBLOCK) {
@@ -1538,7 +1538,7 @@ void select_result(WPARAM wParam, LPARAM lParam)
 	return;
     }
 
-    noise_ultralight(lParam);
+    noise_ultralight(NOISE_SOURCE_IOID, wParam);
 
     switch (WSAGETSELECTEVENT(lParam)) {
       case FD_CONNECT:
@@ -1582,7 +1582,7 @@ void select_result(WPARAM wParam, LPARAM lParam)
 	    atmark = true;
 
 	ret = p_recv(s->s, buf, sizeof(buf), 0);
-	noise_ultralight(ret);
+	noise_ultralight(NOISE_SOURCE_IOLEN, ret);
 	if (ret < 0) {
 	    err = p_WSAGetLastError();
 	    if (err == WSAEWOULDBLOCK) {
@@ -1605,7 +1605,7 @@ void select_result(WPARAM wParam, LPARAM lParam)
 	 * end with type==2 (urgent data).
 	 */
 	ret = p_recv(s->s, buf, sizeof(buf), MSG_OOB);
-	noise_ultralight(ret);
+	noise_ultralight(NOISE_SOURCE_IOLEN, ret);
 	if (ret <= 0) {
             int err = p_WSAGetLastError();
 	    plug_closing(s->plug, winsock_error_string(err), err, 0);

source/putty/windows/winnoise.c

@@ -122,26 +122,26 @@ void noise_regular(void)
     FILETIME times[4];
 
     w = GetForegroundWindow();
-    random_add_noise(&w, sizeof(w));
+    random_add_noise(NOISE_SOURCE_FGWINDOW, &w, sizeof(w));
     w = GetCapture();
-    random_add_noise(&w, sizeof(w));
+    random_add_noise(NOISE_SOURCE_CAPTURE, &w, sizeof(w));
     w = GetClipboardOwner();
-    random_add_noise(&w, sizeof(w));
+    random_add_noise(NOISE_SOURCE_CLIPBOARD, &w, sizeof(w));
     z = GetQueueStatus(QS_ALLEVENTS);
-    random_add_noise(&z, sizeof(z));
+    random_add_noise(NOISE_SOURCE_QUEUE, &z, sizeof(z));
 
     GetCursorPos(&pt);
-    random_add_noise(&pt, sizeof(pt));
+    random_add_noise(NOISE_SOURCE_CURSORPOS, &pt, sizeof(pt));
 
     GlobalMemoryStatus(&memstat);
-    random_add_noise(&memstat, sizeof(memstat));
+    random_add_noise(NOISE_SOURCE_MEMINFO, &memstat, sizeof(memstat));
 
     GetThreadTimes(GetCurrentThread(), times, times + 1, times + 2,
 		   times + 3);
-    random_add_noise(&times, sizeof(times));
+    random_add_noise(NOISE_SOURCE_THREADTIME, &times, sizeof(times));
     GetProcessTimes(GetCurrentProcess(), times, times + 1, times + 2,
 		    times + 3);
-    random_add_noise(&times, sizeof(times));
+    random_add_noise(NOISE_SOURCE_PROCTIME, &times, sizeof(times));
 }
 
 /*
@@ -150,16 +150,16 @@ void noise_regular(void)
  * counter to the noise pool. It gets the scan code or mouse
  * position passed in.
  */
-void noise_ultralight(unsigned long data)
+void noise_ultralight(NoiseSourceId id, unsigned long data)
 {
     DWORD wintime;
     LARGE_INTEGER perftime;
 
-    random_add_noise(&data, sizeof(DWORD));
+    random_add_noise(id, &data, sizeof(DWORD));
 
     wintime = GetTickCount();
-    random_add_noise(&wintime, sizeof(DWORD));
+    random_add_noise(NOISE_SOURCE_TIME, &wintime, sizeof(DWORD));
 
     if (QueryPerformanceCounter(&perftime))
-	random_add_noise(&perftime, sizeof(perftime));
+	random_add_noise(NOISE_SOURCE_PERFCOUNT, &perftime, sizeof(perftime));
 }

source/putty/x11fwd.c

@@ -93,8 +93,7 @@ struct X11FakeAuth *x11_invent_fake_auth(tree234 *authtree, int authtype)
         auth->xa1_firstblock = NULL;
 
         while (1) {
-            for (i = 0; i < auth->datalen; i++)
-                auth->data[i] = random_byte();
+            random_read(auth->data, auth->datalen);
             if (add234(authtree, auth) == auth)
                 break;
         }
@@ -111,8 +110,10 @@ struct X11FakeAuth *x11_invent_fake_auth(tree234 *authtree, int authtype)
         memset(auth->xa1_firstblock, 0, 8);
 
         while (1) {
-            for (i = 0; i < auth->datalen; i++)
-                auth->data[i] = (i == 8 ? 0 : random_byte());
+            random_read(auth->data, 15);
+            auth->data[15] = auth->data[8];
+            auth->data[8] = 0;
+
             memcpy(auth->xa1_firstblock, auth->data, 8);
             des_encrypt_xdmauth(auth->data + 9, auth->xa1_firstblock, 8);
             if (add234(authtree, auth) == auth)