root/drivers/char/random.c

/* [previous][next][first][last][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. rand_initialize
  2. rand_initialize_irq
  3. rand_initialize_blkdev
  4. add_entropy_word
  5. add_timer_randomness
  6. add_keyboard_randomness
  7. add_mouse_randomness
  8. add_interrupt_randomness
  9. add_blkdev_randomness
  10. MD5Transform
  11. extract_entropy
  12. get_random_bytes
  13. read_random
  14. read_random_unlimited
  15. write_random
  16. random_ioctl

   1 /*
   2  * random.c -- A strong random number generator
   3  *
   4  * Version 0.94, last modified 11-Oct-95
   5  * 
   6  * Copyright Theodore Ts'o, 1994, 1995.  All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  * 1. Redistributions of source code must retain the above copyright
  12  *    notice, and the entire permission notice in its entirety,
  13  *    including the disclaimer of warranties.
  14  * 2. Redistributions in binary form must reproduce the above copyright
  15  *    notice, this list of conditions and the following disclaimer in the
  16  *    documentation and/or other materials provided with the distribution.
  17  * 3. The name of the author may not be used to endorse or promote
  18  *    products derived from this software without specific prior
  19  *    written permission.
  20  * 
  21  * ALTERNATIVELY, this product may be distributed under the terms of
  22  * the GNU Public License, in which case the provisions of the GPL are
  23  * required INSTEAD OF the above restrictions.  (This clause is
  24  * necessary due to a potential bad interaction between the GPL and
  25  * the restrictions contained in a BSD-style copyright.)
  26  * 
  27  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
  28  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  29  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  30  * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
  31  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  32  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  33  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  34  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  35  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  36  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  37  * OF THE POSSIBILITY OF SUCH DAMAGE.
  38  */
  39 
  40 /*
  41  * (now, with legal B.S. out of the way.....) 
  42  * 
  43  * This routine gathers environmental noise from device drivers, etc.,
  44  * and returns good random numbers, suitable for cryptographic use.
  45  * Besides the obvious cryptographic uses, these numbers are also good
  46  * for seeding TCP sequence numbers, and other places where it is
  47  * desireable to have numbers which are not only random, but hard to
  48  * predict by an attacker.
  49  *
  50  * Theory of operation
  51  * ===================
  52  * 
  53  * Computers are very predictable devices.  Hence it is extremely hard
  54  * to produce truely random numbers on a computer --- as opposed to
  55  * pseudo-random numbers, which can easily generated by using a
  56  * algorithm.  Unfortunately, it is very easy for attackers to guess
  57  * the sequence of pseudo-random number generators, and for some
  58  * applications this is not acceptable.  So instead, we must try to
  59  * gather "environmental noise" from the computer's environment, which
  60  * must be hard for outside attackers to observe, and use that to
  61  * generate random numbers.  In a Unix environment, this is best done
  62  * from inside the kernel.
  63  * 
  64  * Sources of randomness from the environment include inter-keyboard
  65  * timings, inter-interrupt timings from some interrupts, and other
  66  * events which are both (a) non-deterministic and (b) hard for an
  67  * outside observer to measure.  Randomness from these sources are
  68  * added to an "entropy pool", which is mixed using a CRC-like function.
  69  * This is not cryptographically strong, but it is adequate assuming
  70  * the randomness is not chosen maliciously, and it is fast enough that
  71  * the overhead of doing it on every interrupt is very reasonable.
  72  * As random bytes are mixed into the entropy pool, the routines keep
  73  * an *estimate* of how many bits of randomness have been stored into
  74  * the random number generator's internal state.
  75  * 
  76  * When random bytes are desired, they are obtained by taking the MD5
  77  * hash of the contents of the "entropy pool".  The MD5 hash avoids
  78  * exposing the internal state of the entropy pool.  It is believed to
  79  * be computationally infeasible to derive any useful information
  80  * about the input of MD5 from its output.  Even if it is possible to
  81  * analyze MD5 in some clever way, as long as the amount of data
  82  * returned from the generator is less than the inherent entropy in
  83  * the pool, the output data is totally unpredictable.  For this
  84  * reason, the routine decreases its internal estimate of how many
  85  * bits of "true randomness" are contained in the entropy pool as it
  86  * outputs random numbers.
  87  * 
  88  * If this estimate goes to zero, the routine can still generate
  89  * random numbers; however, an attacker may (at least in theory) be
  90  * able to infer the future output of the generator from prior
  91  * outputs.  This requires successful cryptanalysis of MD5, which is
  92  * not believed to be feasible, but there is a remote possiblility.
  93  * Nonetheless, these numbers should be useful for the vast majority
  94  * of purposes.
  95  * 
  96  * Exported interfaces ---- output
  97  * ===============================
  98  * 
  99  * There are three exported interfaces; the first is one designed to
 100  * be used from within the kernel:
 101  *
 102  *      void get_random_bytes(void *buf, int nbytes);
 103  *
 104  * This interface will return the requested number of random bytes,
 105  * and place it in the requested buffer.
 106  * 
 107  * The two other interfaces are two character devices /dev/random and
 108  * /dev/urandom.  /dev/random is suitable for use when very high
 109  * quality randomness is desired (for example, for key generation or
 110  * one-time pads), as it will only return a maximum of the number of
 111  * bits of randomness (as estimated by the random number generator)
 112  * contained in the entropy pool.
 113  * 
 114  * The /dev/urandom device does not have this limit, and will return
 115  * as many bytes as are requested.  As more and more random bytes are
 116  * requested without giving time for the entropy pool to recharge,
 117  * this will result in random numbers that are merely cryptographically
 118  * strong.  For many applications, however, this is acceptable.
 119  *
 120  * Exported interfaces ---- input
 121  * ==============================
 122  * 
 123  * The current exported interfaces for gathering environmental noise
 124  * from the devices are:
 125  * 
 126  *      void add_keyboard_randomness(unsigned char scancode);
 127  *      void add_mouse_randomness(__u32 mouse_data);
 128  *      void add_interrupt_randomness(int irq);
 129  *      void add_blkdev_randomness(int irq);
 130  * 
 131  * add_keyboard_randomness() uses the inter-keypress timing, as well as the
 132  * scancode as random inputs into the "entropy pool".
 133  * 
 134  * add_mouse_randomness() uses the mouse interrupt timing, as well as
 135  * the reported position of the mouse from the hardware.
 136  *
 137  * add_interrupt_randomness() uses the inter-interrupt timing as random
 138  * inputs to the entropy pool.  Note that not all interrupts are good
 139  * sources of randomness!  For example, the timer interrupts is not a
 140  * good choice, because the periodicity of the interrupts is to
 141  * regular, and hence predictable to an attacker.  Disk interrupts are
 142  * a better measure, since the timing of the disk interrupts are more
 143  * unpredictable.
 144  * 
 145  * add_blkdev_randomness() times the finishing time of block requests.
 146  * 
 147  * All of these routines try to estimate how many bits of randomness a
 148  * particular randomness source.  They do this by keeping track of the
 149  * first and second order deltas of the event timings.
 150  *
 151  * Acknowledgements:
 152  * =================
 153  *
 154  * Ideas for constructing this random number generator were derived
 155  * from the Pretty Good Privacy's random number generator, and from
 156  * private discussions with Phil Karn.  Colin Plumb provided a faster
 157  * random number generator, which speed up the mixing function of the
 158  * entropy pool, taken from PGP 3.0 (under development).  It has since
 159  * been modified by myself to provide better mixing in the case where
 160  * the input values to add_entropy_word() are mostly small numbers.
 161  * 
 162  * Any flaws in the design are solely my responsibility, and should
 163  * not be attributed to the Phil, Colin, or any of authors of PGP.
 164  * 
 165  * The code for MD5 transform was taken from Colin Plumb's
 166  * implementation, which has been placed in the public domain.  The
 167  * MD5 cryptographic checksum was devised by Ronald Rivest, and is
 168  * documented in RFC 1321, "The MD5 Message Digest Algorithm".
 169  * 
 170  * Further background information on this topic may be obtained from
 171  * RFC 1750, "Randomness Recommendations for Security", by Donald
 172  * Eastlake, Steve Crocker, and Jeff Schiller.
 173  */
 174 
 175 #include <linux/sched.h>
 176 #include <linux/kernel.h>
 177 #include <linux/major.h>
 178 #include <linux/string.h>
 179 #include <linux/fcntl.h>
 180 #include <linux/malloc.h>
 181 #include <linux/random.h>
 182 
 183 #include <asm/segment.h>
 184 #include <asm/irq.h>
 185 #include <asm/io.h>
 186 
 187 /*
 188  * The pool is stirred with a primitive polynomial of degree 128
 189  * over GF(2), namely x^128 + x^119 + x^72 + x^64 + x^14 + x^8 + 1.
 190  * For a pool of size 64, try x^64+x^62+x^38+x^10+x^6+x+1.
 191  */
 192 #define POOLWORDS 128    /* Power of 2 - note that this is 32-bit words */
 193 #define POOLBITS (POOLWORDS*32)
 194 #if POOLWORDS == 128
 195 #define TAP1    119     /* The polynomial taps */
 196 #define TAP2    72
 197 #define TAP3    64
 198 #define TAP4    14
 199 #define TAP5    8
 200 #elif POOLWORDS == 64
 201 #define TAP1    62      /* The polynomial taps */
 202 #define TAP2    38
 203 #define TAP3    10
 204 #define TAP4    6
 205 #define TAP5    1
 206 #else
 207 #error No primitive polynomial available for chosen POOLWORDS
 208 #endif
 209 
 210 /* There is actually only one of these, globally. */
 211 struct random_bucket {
 212         unsigned add_ptr;
 213         unsigned entropy_count;
 214         int input_rotate;
 215         __u32 *pool;
 216 };
 217 
 218 /* There is one of these per entropy source */
 219 struct timer_rand_state {
 220         unsigned long   last_time;
 221         int             last_delta;
 222         int             nbits;
 223 };
 224 
 225 static struct random_bucket random_state;
 226 static __u32 random_pool[POOLWORDS];
 227 static struct timer_rand_state keyboard_timer_state;
 228 static struct timer_rand_state mouse_timer_state;
 229 static struct timer_rand_state extract_timer_state;
 230 static struct timer_rand_state *irq_timer_state[NR_IRQS];
 231 static struct timer_rand_state *blkdev_timer_state[MAX_BLKDEV];
 232 static struct wait_queue *random_wait;
 233 
 234 #ifndef MIN
 235 #define MIN(a,b) (((a) < (b)) ? (a) : (b))
 236 #endif
 237         
 238 void rand_initialize(void)
     /* [previous][next][first][last][top][bottom][index][help] */
 239 {
 240         random_state.add_ptr = 0;
 241         random_state.entropy_count = 0;
 242         random_state.pool = random_pool;
 243         memset(irq_timer_state, 0, sizeof(irq_timer_state));
 244         memset(blkdev_timer_state, 0, sizeof(blkdev_timer_state));
 245         random_wait = NULL;}
 246 
 247 void rand_initialize_irq(int irq)
     /* [previous][next][first][last][top][bottom][index][help] */
 248 {
 249         if (irq >= NR_IRQS || irq_timer_state[irq])
 250                 return;
 251 
 252         /*
 253          * If kamlloc returns null, we just won't use that entropy
 254          * source.
 255          */
 256         irq_timer_state[irq] = kmalloc(sizeof(struct timer_rand_state), 
 257                                        GFP_KERNEL);
 258 }
 259 
 260 void rand_initialize_blkdev(int major)
     /* [previous][next][first][last][top][bottom][index][help] */
 261 {
 262         if (major >= MAX_BLKDEV || blkdev_timer_state[major])
 263                 return;
 264 
 265         /*
 266          * If kamlloc returns null, we just won't use that entropy
 267          * source.
 268          */
 269         blkdev_timer_state[major] = kmalloc(sizeof(struct timer_rand_state), 
 270                                             GFP_KERNEL);
 271 }
 272 
 273 /*
 274  * This function adds a byte into the entropy "pool".  It does not
 275  * update the entropy estimate.  The caller must do this if appropriate.
 276  *
 277  * The pool is stirred with a primitive polynomial of degree 128
 278  * over GF(2), namely x^128 + x^119 + x^72 + x^64 + x^14 + x^8 + 1.
 279  * For a pool of size 64, try x^64+x^62+x^38+x^10+x^6+x+1.
 280  * 
 281  * We rotate the input word by a changing number of bits, to help
 282  * assure that all bits in the entropy get toggled.  Otherwise, if we
 283  * consistently feed the entropy pool small numbers (like jiffies and
 284  * scancodes, for example), the upper bits of the entropy pool don't
 285  * get affected. --- TYT, 10/11/95
 286  */
 287 static inline void add_entropy_word(struct random_bucket *r,
     /* [previous][next][first][last][top][bottom][index][help] */
 288                                     const __u32 input)
 289 {
 290         unsigned i;
 291         __u32 w;
 292 
 293         w = (input << r->input_rotate) | (input >> (32 - r->input_rotate));
 294         i = r->add_ptr = (r->add_ptr - 1) & (POOLWORDS-1);
 295         if (i)
 296                 r->input_rotate = (r->input_rotate + 7) & 31;
 297         else
 298                 /*
 299                  * At the beginning of the pool, add an extra 7 bits
 300                  * rotation, so that successive passes spread the
 301                  * input bits across the pool evenly.
 302                  */
 303                 r->input_rotate = (r->input_rotate + 14) & 31;
 304 
 305         /* XOR in the various taps */
 306         w ^= r->pool[(i+TAP1)&(POOLWORDS-1)];
 307         w ^= r->pool[(i+TAP2)&(POOLWORDS-1)];
 308         w ^= r->pool[(i+TAP3)&(POOLWORDS-1)];
 309         w ^= r->pool[(i+TAP4)&(POOLWORDS-1)];
 310         w ^= r->pool[(i+TAP5)&(POOLWORDS-1)];
 311         w ^= r->pool[i];
 312         /* Rotate w left 1 bit (stolen from SHA) and store */
 313         r->pool[i] = (w << 1) | (w >> 31);
 314 }
 315 
 316 /*
 317  * This function adds entropy to the entropy "pool" by using timing
 318  * delays.  It uses the timer_rand_state structure to make an estimate
 319  * of how many bits of entropy this call has added to the pool.
 320  *
 321  * The number "num" is also added to the pool - it should somehow describe
 322  * the type of event which just happened.  This is currently 0-255 for
 323  * keyboard scan codes, and 256 upwards for interrupts.
 324  * On the i386, this is assumed to be at most 16 bits, and the high bits
 325  * are used for a high-resolution timer.
 326  *
 327  * TODO: Read the time stamp register on the Pentium.
 328  */
 329 static void add_timer_randomness(struct random_bucket *r,
     /* [previous][next][first][last][top][bottom][index][help] */
 330                                  struct timer_rand_state *state, unsigned num)
 331 {
 332         int     delta, delta2;
 333         unsigned        nbits;
 334         __u32           time;
 335 
 336 #if defined (__i386__)
 337         if (x86_capability & 16) {
 338                 unsigned long low, high;
 339                 __asm__(".byte 0x0f,0x31"
 340                         :"=a" (low), "=d" (high));
 341                 time = (__u32) low;
 342                 num ^= (__u32) high;
 343         } else {
 344 #if 0
 345                 /*
 346                  * On a 386, read the high resolution timer.  We assume that
 347                  * this gives us 2 bits of randomness.
 348                  *
 349                  * This is turned off for now because of the speed hit
 350                  * it entails.
 351                  */ 
 352                 outb_p(0x00, 0x43);     /* latch the count ASAP */
 353                 num |= inb_p(0x40) << 16;
 354                 num |= inb(0x40) << 24;
 355                 r->entropy_count += 2;
 356 #endif
 357                 
 358                 time = jiffies;
 359         }
 360 #else
 361         time = jiffies;
 362 #endif
 363 
 364         add_entropy_word(r, (__u32) num);
 365         add_entropy_word(r, time);
 366 
 367         /*
 368          * Calculate number of bits of randomness we probably
 369          * added.  We take into account the first and second order
 370          * deltas in order to make our estimate.
 371          */
 372         delta = time - state->last_time;
 373         state->last_time = time;
 374 
 375         delta2 = delta - state->last_delta;
 376         state->last_delta = delta;
 377 
 378         if (delta < 0) delta = -delta;
 379         if (delta2 < 0) delta2 = -delta2;
 380         delta = MIN(delta, delta2) >> 1;
 381         for (nbits = 0; delta; nbits++)
 382                 delta >>= 1;
 383 
 384         r->entropy_count += nbits;
 385         
 386         /* Prevent overflow */
 387         if (r->entropy_count > POOLBITS)
 388                 r->entropy_count = POOLBITS;
 389         
 390         wake_up_interruptible(&random_wait);    
 391 }
 392 
 393 void add_keyboard_randomness(unsigned char scancode)
     /* [previous][next][first][last][top][bottom][index][help] */
 394 {
 395         add_timer_randomness(&random_state, &keyboard_timer_state, scancode);
 396 }
 397 
 398 void add_mouse_randomness(__u32 mouse_data)
     /* [previous][next][first][last][top][bottom][index][help] */
 399 {
 400         add_timer_randomness(&random_state, &mouse_timer_state, mouse_data);
 401 }
 402 
 403 void add_interrupt_randomness(int irq)
     /* [previous][next][first][last][top][bottom][index][help] */
 404 {
 405         if (irq >= NR_IRQS || irq_timer_state[irq] == 0)
 406                 return;
 407 
 408         add_timer_randomness(&random_state, irq_timer_state[irq], 0x100+irq);
 409 }
 410 
 411 void add_blkdev_randomness(int major)
     /* [previous][next][first][last][top][bottom][index][help] */
 412 {
 413         if (major >= MAX_BLKDEV || blkdev_timer_state[major] == 0)
 414                 return;
 415 
 416         add_timer_randomness(&random_state, blkdev_timer_state[major],
 417                              0x200+major);
 418 }
 419 
 420 /*
 421  * MD5 transform algorithm, taken from code written by Colin Plumb,
 422  * and put into the public domain
 423  *
 424  * QUESTION: Replace this with SHA, which as generally received better
 425  * reviews from the cryptographic community?
 426  */
 427 
 428 /* The four core functions - F1 is optimized somewhat */
 429 
 430 /* #define F1(x, y, z) (x & y | ~x & z) */
 431 #define F1(x, y, z) (z ^ (x & (y ^ z)))
 432 #define F2(x, y, z) F1(z, x, y)
 433 #define F3(x, y, z) (x ^ y ^ z)
 434 #define F4(x, y, z) (y ^ (x | ~z))
 435 
 436 /* This is the central step in the MD5 algorithm. */
 437 #define MD5STEP(f, w, x, y, z, data, s) \
 438         ( w += f(x, y, z) + data,  w = w<<s | w>>(32-s),  w += x )
 439 
 440 /*
 441  * The core of the MD5 algorithm, this alters an existing MD5 hash to
 442  * reflect the addition of 16 longwords of new data.  MD5Update blocks
 443  * the data and converts bytes into longwords for this routine.
 444  */
 445 static void MD5Transform(__u32 buf[4],
     /* [previous][next][first][last][top][bottom][index][help] */
 446                          __u32 const in[16])
 447 {
 448         __u32 a, b, c, d;
 449 
 450         a = buf[0];
 451         b = buf[1];
 452         c = buf[2];
 453         d = buf[3];
 454 
 455         MD5STEP(F1, a, b, c, d, in[ 0]+0xd76aa478,  7);
 456         MD5STEP(F1, d, a, b, c, in[ 1]+0xe8c7b756, 12);
 457         MD5STEP(F1, c, d, a, b, in[ 2]+0x242070db, 17);
 458         MD5STEP(F1, b, c, d, a, in[ 3]+0xc1bdceee, 22);
 459         MD5STEP(F1, a, b, c, d, in[ 4]+0xf57c0faf,  7);
 460         MD5STEP(F1, d, a, b, c, in[ 5]+0x4787c62a, 12);
 461         MD5STEP(F1, c, d, a, b, in[ 6]+0xa8304613, 17);
 462         MD5STEP(F1, b, c, d, a, in[ 7]+0xfd469501, 22);
 463         MD5STEP(F1, a, b, c, d, in[ 8]+0x698098d8,  7);
 464         MD5STEP(F1, d, a, b, c, in[ 9]+0x8b44f7af, 12);
 465         MD5STEP(F1, c, d, a, b, in[10]+0xffff5bb1, 17);
 466         MD5STEP(F1, b, c, d, a, in[11]+0x895cd7be, 22);
 467         MD5STEP(F1, a, b, c, d, in[12]+0x6b901122,  7);
 468         MD5STEP(F1, d, a, b, c, in[13]+0xfd987193, 12);
 469         MD5STEP(F1, c, d, a, b, in[14]+0xa679438e, 17);
 470         MD5STEP(F1, b, c, d, a, in[15]+0x49b40821, 22);
 471 
 472         MD5STEP(F2, a, b, c, d, in[ 1]+0xf61e2562,  5);
 473         MD5STEP(F2, d, a, b, c, in[ 6]+0xc040b340,  9);
 474         MD5STEP(F2, c, d, a, b, in[11]+0x265e5a51, 14);
 475         MD5STEP(F2, b, c, d, a, in[ 0]+0xe9b6c7aa, 20);
 476         MD5STEP(F2, a, b, c, d, in[ 5]+0xd62f105d,  5);
 477         MD5STEP(F2, d, a, b, c, in[10]+0x02441453,  9);
 478         MD5STEP(F2, c, d, a, b, in[15]+0xd8a1e681, 14);
 479         MD5STEP(F2, b, c, d, a, in[ 4]+0xe7d3fbc8, 20);
 480         MD5STEP(F2, a, b, c, d, in[ 9]+0x21e1cde6,  5);
 481         MD5STEP(F2, d, a, b, c, in[14]+0xc33707d6,  9);
 482         MD5STEP(F2, c, d, a, b, in[ 3]+0xf4d50d87, 14);
 483         MD5STEP(F2, b, c, d, a, in[ 8]+0x455a14ed, 20);
 484         MD5STEP(F2, a, b, c, d, in[13]+0xa9e3e905,  5);
 485         MD5STEP(F2, d, a, b, c, in[ 2]+0xfcefa3f8,  9);
 486         MD5STEP(F2, c, d, a, b, in[ 7]+0x676f02d9, 14);
 487         MD5STEP(F2, b, c, d, a, in[12]+0x8d2a4c8a, 20);
 488 
 489         MD5STEP(F3, a, b, c, d, in[ 5]+0xfffa3942,  4);
 490         MD5STEP(F3, d, a, b, c, in[ 8]+0x8771f681, 11);
 491         MD5STEP(F3, c, d, a, b, in[11]+0x6d9d6122, 16);
 492         MD5STEP(F3, b, c, d, a, in[14]+0xfde5380c, 23);
 493         MD5STEP(F3, a, b, c, d, in[ 1]+0xa4beea44,  4);
 494         MD5STEP(F3, d, a, b, c, in[ 4]+0x4bdecfa9, 11);
 495         MD5STEP(F3, c, d, a, b, in[ 7]+0xf6bb4b60, 16);
 496         MD5STEP(F3, b, c, d, a, in[10]+0xbebfbc70, 23);
 497         MD5STEP(F3, a, b, c, d, in[13]+0x289b7ec6,  4);
 498         MD5STEP(F3, d, a, b, c, in[ 0]+0xeaa127fa, 11);
 499         MD5STEP(F3, c, d, a, b, in[ 3]+0xd4ef3085, 16);
 500         MD5STEP(F3, b, c, d, a, in[ 6]+0x04881d05, 23);
 501         MD5STEP(F3, a, b, c, d, in[ 9]+0xd9d4d039,  4);
 502         MD5STEP(F3, d, a, b, c, in[12]+0xe6db99e5, 11);
 503         MD5STEP(F3, c, d, a, b, in[15]+0x1fa27cf8, 16);
 504         MD5STEP(F3, b, c, d, a, in[ 2]+0xc4ac5665, 23);
 505 
 506         MD5STEP(F4, a, b, c, d, in[ 0]+0xf4292244,  6);
 507         MD5STEP(F4, d, a, b, c, in[ 7]+0x432aff97, 10);
 508         MD5STEP(F4, c, d, a, b, in[14]+0xab9423a7, 15);
 509         MD5STEP(F4, b, c, d, a, in[ 5]+0xfc93a039, 21);
 510         MD5STEP(F4, a, b, c, d, in[12]+0x655b59c3,  6);
 511         MD5STEP(F4, d, a, b, c, in[ 3]+0x8f0ccc92, 10);
 512         MD5STEP(F4, c, d, a, b, in[10]+0xffeff47d, 15);
 513         MD5STEP(F4, b, c, d, a, in[ 1]+0x85845dd1, 21);
 514         MD5STEP(F4, a, b, c, d, in[ 8]+0x6fa87e4f,  6);
 515         MD5STEP(F4, d, a, b, c, in[15]+0xfe2ce6e0, 10);
 516         MD5STEP(F4, c, d, a, b, in[ 6]+0xa3014314, 15);
 517         MD5STEP(F4, b, c, d, a, in[13]+0x4e0811a1, 21);
 518         MD5STEP(F4, a, b, c, d, in[ 4]+0xf7537e82,  6);
 519         MD5STEP(F4, d, a, b, c, in[11]+0xbd3af235, 10);
 520         MD5STEP(F4, c, d, a, b, in[ 2]+0x2ad7d2bb, 15);
 521         MD5STEP(F4, b, c, d, a, in[ 9]+0xeb86d391, 21);
 522 
 523         buf[0] += a;
 524         buf[1] += b;
 525         buf[2] += c;
 526         buf[3] += d;
 527 }
 528 
 529 #undef F1
 530 #undef F2
 531 #undef F3
 532 #undef F4
 533 #undef MD5STEP
 534 
 535 
 536 #if POOLWORDS % 16
 537 #error extract_entropy() assumes that POOLWORDS is a multiple of 16 words.
 538 #endif
 539 /*
 540  * This function extracts randomness from the "entropy pool", and
 541  * returns it in a buffer.  This function computes how many remaining
 542  * bits of entropy are left in the pool, but it does not restrict the
 543  * number of bytes that are actually obtained.
 544  */
 545 static inline int extract_entropy(struct random_bucket *r, char * buf,
     /* [previous][next][first][last][top][bottom][index][help] */
 546                                   int nbytes, int to_user)
 547 {
 548         int ret, i;
 549         __u32 tmp[4];
 550         
 551         add_timer_randomness(r, &extract_timer_state, nbytes);
 552         
 553         /* Redundant, but just in case... */
 554         if (r->entropy_count > POOLBITS) 
 555                 r->entropy_count = POOLBITS;
 556         /* Why is this here?  Left in from Ted Ts'o.  Perhaps to limit time. */
 557         if (nbytes > 32768)
 558                 nbytes = 32768;
 559 
 560         ret = nbytes;
 561         if (r->entropy_count / 8 >= nbytes)
 562                 r->entropy_count -= nbytes*8;
 563         else
 564                 r->entropy_count = 0;
 565 
 566         while (nbytes) {
 567                 /* Hash the pool to get the output */
 568                 tmp[0] = 0x67452301;
 569                 tmp[1] = 0xefcdab89;
 570                 tmp[2] = 0x98badcfe;
 571                 tmp[3] = 0x10325476;
 572                 for (i = 0; i < POOLWORDS; i += 16)
 573                         MD5Transform(tmp, r->pool+i);
 574                 /* Modify pool so next hash will produce different results */
 575                 add_entropy_word(r, tmp[0]);
 576                 add_entropy_word(r, tmp[1]);
 577                 add_entropy_word(r, tmp[2]);
 578                 add_entropy_word(r, tmp[3]);
 579                 /*
 580                  * Run the MD5 Transform one more time, since we want
 581                  * to add at least minimal obscuring of the inputs to
 582                  * add_entropy_word().  --- TYT
 583                  */
 584                 MD5Transform(tmp, r->pool);
 585                 
 586                 /* Copy data to destination buffer */
 587                 i = MIN(nbytes, 16);
 588                 if (to_user)
 589                         memcpy_tofs(buf, (__u8 const *)tmp, i);
 590                 else
 591                         memcpy(buf, (__u8 const *)tmp, i);
 592                 nbytes -= i;
 593                 buf += i;
 594         }
 595 
 596         /* Wipe data from memory */
 597         memset(tmp, 0, sizeof(tmp));
 598         
 599         return ret;
 600 }
 601 
 602 /*
 603  * This function is the exported kernel interface.  It returns some
 604  * number of good random numbers, suitable for seeding TCP sequence
 605  * numbers, etc.
 606  */
 607 void get_random_bytes(void *buf, int nbytes)
     /* [previous][next][first][last][top][bottom][index][help] */
 608 {
 609         extract_entropy(&random_state, (char *) buf, nbytes, 0);
 610 }
 611 
 612 int read_random(struct inode * inode, struct file * file,
     /* [previous][next][first][last][top][bottom][index][help] */
 613                 char * buf, int nbytes)
 614 {
 615         if (nbytes > random_state.entropy_count / 8)
 616                 nbytes = random_state.entropy_count / 8;
 617         
 618         return extract_entropy(&random_state, buf, nbytes, 1);
 619 }
 620 
 621 int read_random_unlimited(struct inode * inode, struct file * file,
     /* [previous][next][first][last][top][bottom][index][help] */
 622                           char * buf, int nbytes)
 623 {
 624         return extract_entropy(&random_state, buf, nbytes, 1);
 625 }
 626 
 627 int write_random(struct inode * inode, struct file * file,
     /* [previous][next][first][last][top][bottom][index][help] */
 628                  const char * buffer, int count)
 629 {
 630         int i;
 631         __u32 word, *p;
 632 
 633         for (i = count, p = (__u32 *)buffer;
 634              i >= sizeof(__u32);
 635              i-= sizeof(__u32), p++) {
 636                 memcpy_fromfs(&word, p, sizeof(__u32));
 637                 add_entropy_word(&random_state, word);
 638         }
 639         if (i) {
 640                 word = 0;
 641                 memcpy_fromfs(&word, p, i);
 642                 add_entropy_word(&random_state, word);
 643         }
 644         inode->i_mtime = CURRENT_TIME;
 645         return count;
 646 }
 647 
 648 int random_ioctl(struct inode * inode, struct file * file,
     /* [previous][next][first][last][top][bottom][index][help] */
 649                         unsigned int cmd, unsigned long arg)
 650 {
 651         int *p, max_size;
 652         
 653         switch (cmd) {
 654         case RNDGETENTCNT:
 655                 put_user(random_state.entropy_count, (int *) arg);
 656                 return 0;
 657         case RNDADDTOENTCNT:
 658                 if (!suser())
 659                         return -EPERM;
 660                 random_state.entropy_count += get_user((int *) arg);
 661                 if (random_state.entropy_count > POOLBITS)
 662                         random_state.entropy_count = POOLBITS;
 663                 return 0;
 664         case RNDGETPOOL:
 665                 if (!suser())
 666                         return -EPERM;
 667                 p = (int *) arg;
 668                 put_user(random_state.entropy_count, p);
 669                 max_size = get_user(++p);
 670                 put_user(POOLWORDS, p);
 671                 if (max_size < 0)
 672                         return -EINVAL;
 673                 if (max_size > POOLWORDS)
 674                         max_size = POOLWORDS;
 675                 memcpy_tofs(++p, random_state.pool,
 676                             max_size*sizeof(__u32));
 677                 return 0;
 678         default:
 679                 return -EINVAL;
 680         }
 681 }

/* [previous][next][first][last][top][bottom][index][help] */