search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Import 2.1.118
[davej-history.git] / drivers / char / random.c
blob5db97f906d35648fad5a2787828ae626ec8f2bbe
1 /*
2 * random.c -- A strong random number generator
3 *
4 * Version 1.04, last modified 26-Apr-98
5 *
6 * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998. All rights
7 * reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, and the entire permission notice in its entirety,
14 * including the disclaimer of warranties.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. The name of the author may not be used to endorse or promote
19 * products derived from this software without specific prior
20 * written permission.
21 *
22 * ALTERNATIVELY, this product may be distributed under the terms of
23 * the GNU Public License, in which case the provisions of the GPL are
24 * required INSTEAD OF the above restrictions. (This clause is
25 * necessary due to a potential bad interaction between the GPL and
26 * the restrictions contained in a BSD-style copyright.)
27 *
28 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
29 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
30 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
31 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
32 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
33 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
34 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
36 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
37 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
38 * OF THE POSSIBILITY OF SUCH DAMAGE.
39 */
40
41 /*
42 * (now, with legal B.S. out of the way.....)
43 *
44 * This routine gathers environmental noise from device drivers, etc.,
45 * and returns good random numbers, suitable for cryptographic use.
46 * Besides the obvious cryptographic uses, these numbers are also good
47 * for seeding TCP sequence numbers, and other places where it is
48 * desirable to have numbers which are not only random, but hard to
49 * predict by an attacker.
50 *
51 * Theory of operation
52 * ===================
53 *
54 * Computers are very predictable devices. Hence it is extremely hard
55 * to produce truly random numbers on a computer --- as opposed to
56 * pseudo-random numbers, which can easily generated by using a
57 * algorithm. Unfortunately, it is very easy for attackers to guess
58 * the sequence of pseudo-random number generators, and for some
59 * applications this is not acceptable. So instead, we must try to
60 * gather "environmental noise" from the computer's environment, which
61 * must be hard for outside attackers to observe, and use that to
62 * generate random numbers. In a Unix environment, this is best done
63 * from inside the kernel.
64 *
65 * Sources of randomness from the environment include inter-keyboard
66 * timings, inter-interrupt timings from some interrupts, and other
67 * events which are both (a) non-deterministic and (b) hard for an
68 * outside observer to measure. Randomness from these sources are
69 * added to an "entropy pool", which is mixed using a CRC-like function.
70 * This is not cryptographically strong, but it is adequate assuming
71 * the randomness is not chosen maliciously, and it is fast enough that
72 * the overhead of doing it on every interrupt is very reasonable.
73 * As random bytes are mixed into the entropy pool, the routines keep
74 * an *estimate* of how many bits of randomness have been stored into
75 * the random number generator's internal state.
76 *
77 * When random bytes are desired, they are obtained by taking the SHA
78 * hash of the contents of the "entropy pool". The SHA hash avoids
79 * exposing the internal state of the entropy pool. It is believed to
80 * be computationally infeasible to derive any useful information
81 * about the input of SHA from its output. Even if it is possible to
82 * analyze SHA in some clever way, as long as the amount of data
83 * returned from the generator is less than the inherent entropy in
84 * the pool, the output data is totally unpredictable. For this
85 * reason, the routine decreases its internal estimate of how many
86 * bits of "true randomness" are contained in the entropy pool as it
87 * outputs random numbers.
88 *
89 * If this estimate goes to zero, the routine can still generate
90 * random numbers; however, an attacker may (at least in theory) be
91 * able to infer the future output of the generator from prior
92 * outputs. This requires successful cryptanalysis of SHA, which is
93 * not believed to be feasible, but there is a remote possibility.
94 * Nonetheless, these numbers should be useful for the vast majority
95 * of purposes.
96 *
97 * Exported interfaces ---- output
98 * ===============================
99 *
100 * There are three exported interfaces; the first is one designed to
101 * be used from within the kernel:
102 *
103 * void get_random_bytes(void *buf, int nbytes);
104 *
105 * This interface will return the requested number of random bytes,
106 * and place it in the requested buffer.
107 *
108 * The two other interfaces are two character devices /dev/random and
109 * /dev/urandom. /dev/random is suitable for use when very high
110 * quality randomness is desired (for example, for key generation or
111 * one-time pads), as it will only return a maximum of the number of
112 * bits of randomness (as estimated by the random number generator)
113 * contained in the entropy pool.
114 *
115 * The /dev/urandom device does not have this limit, and will return
116 * as many bytes as are requested. As more and more random bytes are
117 * requested without giving time for the entropy pool to recharge,
118 * this will result in random numbers that are merely cryptographically
119 * strong. For many applications, however, this is acceptable.
120 *
121 * Exported interfaces ---- input
122 * ==============================
123 *
124 * The current exported interfaces for gathering environmental noise
125 * from the devices are:
126 *
127 * void add_keyboard_randomness(unsigned char scancode);
128 * void add_mouse_randomness(__u32 mouse_data);
129 * void add_interrupt_randomness(int irq);
130 * void add_blkdev_randomness(int irq);
131 *
132 * add_keyboard_randomness() uses the inter-keypress timing, as well as the
133 * scancode as random inputs into the "entropy pool".
134 *
135 * add_mouse_randomness() uses the mouse interrupt timing, as well as
136 * the reported position of the mouse from the hardware.
137 *
138 * add_interrupt_randomness() uses the inter-interrupt timing as random
139 * inputs to the entropy pool. Note that not all interrupts are good
140 * sources of randomness! For example, the timer interrupts is not a
141 * good choice, because the periodicity of the interrupts is to
142 * regular, and hence predictable to an attacker. Disk interrupts are
143 * a better measure, since the timing of the disk interrupts are more
144 * unpredictable.
145 *
146 * add_blkdev_randomness() times the finishing time of block requests.
147 *
148 * All of these routines try to estimate how many bits of randomness a
149 * particular randomness source. They do this by keeping track of the
150 * first and second order deltas of the event timings.
151 *
152 * Ensuring unpredictability at system startup
153 * ============================================
154 *
155 * When any operating system starts up, it will go through a sequence
156 * of actions that are fairly predictable by an adversary, especially
157 * if the start-up does not involve interaction with a human operator.
158 * This reduces the actual number of bits of unpredictability in the
159 * entropy pool below the value in entropy_count. In order to
160 * counteract this effect, it helps to carry information in the
161 * entropy pool across shut-downs and start-ups. To do this, put the
162 * following lines an appropriate script which is run during the boot
163 * sequence:
164 *
165 * echo "Initializing random number generator..."
166 * random_seed=/var/run/random-seed
167 * # Carry a random seed from start-up to start-up
168 * # Load and then save 512 bytes, which is the size of the entropy pool
169 * if [ -f $random_seed ]; then
170 * cat $random_seed >/dev/urandom
171 * fi
172 * dd if=/dev/urandom of=$random_seed count=1
173 * chmod 600 $random_seed
174 *
175 * and the following lines in an appropriate script which is run as
176 * the system is shutdown:
177 *
178 * # Carry a random seed from shut-down to start-up
179 * # Save 512 bytes, which is the size of the entropy pool
180 * echo "Saving random seed..."
181 * random_seed=/var/run/random-seed
182 * dd if=/dev/urandom of=$random_seed count=1
183 * chmod 600 $random_seed
184 *
185 * For example, on most modern systems using the System V init
186 * scripts, such code fragments would be found in
187 * /etc/rc.d/init.d/random. On older Linux systems, the correct script
188 * location might be in /etc/rcb.d/rc.local or /etc/rc.d/rc.0.
189 *
190 * Effectively, these commands cause the contents of the entropy pool
191 * to be saved at shut-down time and reloaded into the entropy pool at
192 * start-up. (The 'dd' in the addition to the bootup script is to
193 * make sure that /etc/random-seed is different for every start-up,
194 * even if the system crashes without executing rc.0.) Even with
195 * complete knowledge of the start-up activities, predicting the state
196 * of the entropy pool requires knowledge of the previous history of
197 * the system.
198 *
199 * Configuring the /dev/random driver under Linux
200 * ==============================================
201 *
202 * The /dev/random driver under Linux uses minor numbers 8 and 9 of
203 * the /dev/mem major number (#1). So if your system does not have
204 * /dev/random and /dev/urandom created already, they can be created
205 * by using the commands:
206 *
207 * mknod /dev/random c 1 8
208 * mknod /dev/urandom c 1 9
209 *
210 * Acknowledgements:
211 * =================
212 *
213 * Ideas for constructing this random number generator were derived
214 * from Pretty Good Privacy's random number generator, and from private
215 * discussions with Phil Karn. Colin Plumb provided a faster random
216 * number generator, which speed up the mixing function of the entropy
217 * pool, taken from PGPfone. Dale Worley has also contributed many
218 * useful ideas and suggestions to improve this driver.
219 *
220 * Any flaws in the design are solely my responsibility, and should
221 * not be attributed to the Phil, Colin, or any of authors of PGP.
222 *
223 * The code for SHA transform was taken from Peter Gutmann's
224 * implementation, which has been placed in the public domain.
225 * The code for MD5 transform was taken from Colin Plumb's
226 * implementation, which has been placed in the public domain. The
227 * MD5 cryptographic checksum was devised by Ronald Rivest, and is
228 * documented in RFC 1321, "The MD5 Message Digest Algorithm".
229 *
230 * Further background information on this topic may be obtained from
231 * RFC 1750, "Randomness Recommendations for Security", by Donald
232 * Eastlake, Steve Crocker, and Jeff Schiller.
233 */
234
235 #include <linux/utsname.h>
236 #include <linux/config.h>
237 #include <linux/kernel.h>
238 #include <linux/major.h>
239 #include <linux/string.h>
240 #include <linux/fcntl.h>
241 #include <linux/malloc.h>
242 #include <linux/random.h>
243 #include <linux/poll.h>
244 #include <linux/init.h>
245
246 #include <asm/processor.h>
247 #include <asm/uaccess.h>
248 #include <asm/irq.h>
249 #include <asm/io.h>
250
251 /*
252 * Configuration information
253 */
254 #undef RANDOM_BENCHMARK
255 #undef BENCHMARK_NOINT
256 #define ROTATE_PARANOIA
257
258 #define POOLWORDS 128 /* Power of 2 - note that this is 32-bit words */
259 #define POOLBITS (POOLWORDS*32)
260 /*
261 * The pool is stirred with a primitive polynomial of degree POOLWORDS
262 * over GF(2). The taps for various sizes are defined below. They are
263 * chosen to be evenly spaced (minimum RMS distance from evenly spaced;
264 * the numbers in the comments are a scaled squared error sum) except
265 * for the last tap, which is 1 to get the twisting happening as fast
266 * as possible.
267 */
268 #if POOLWORDS == 2048 /* 115 x^2048+x^1638+x^1231+x^819+x^411+x^1+1 */
269 #define TAP1 1638
270 #define TAP2 1231
271 #define TAP3 819
272 #define TAP4 411
273 #define TAP5 1
274 #elif POOLWORDS == 1024 /* 290 x^1024+x^817+x^615+x^412+x^204+x^1+1 */
275 /* Alt: 115 x^1024+x^819+x^616+x^410+x^207+x^2+1 */
276 #define TAP1 817
277 #define TAP2 615
278 #define TAP3 412
279 #define TAP4 204
280 #define TAP5 1
281 #elif POOLWORDS == 512 /* 225 x^512+x^411+x^308+x^208+x^104+x+1 */
282 /* Alt: 95 x^512+x^409+x^307+x^206+x^102+x^2+1
283 * 95 x^512+x^409+x^309+x^205+x^103+x^2+1 */
284 #define TAP1 411
285 #define TAP2 308
286 #define TAP3 208
287 #define TAP4 104
288 #define TAP5 1
289 #elif POOLWORDS == 256 /* 125 x^256+x^205+x^155+x^101+x^52+x+1 */
290 #define TAP1 205
291 #define TAP2 155
292 #define TAP3 101
293 #define TAP4 52
294 #define TAP5 1
295 #elif POOLWORDS == 128 /* 105 x^128+x^103+x^76+x^51+x^25+x+1 */
296 /* Alt: 70 x^128+x^103+x^78+x^51+x^27+x^2+1 */
297 #define TAP1 103
298 #define TAP2 76
299 #define TAP3 51
300 #define TAP4 25
301 #define TAP5 1
302 #elif POOLWORDS == 64 /* 15 x^64+x^52+x^39+x^26+x^14+x+1 */
303 #define TAP1 52
304 #define TAP2 39
305 #define TAP3 26
306 #define TAP4 14
307 #define TAP5 1
308 #elif POOLWORDS == 32 /* 15 x^32+x^26+x^20+x^14+x^7+x^1+1 */
309 #define TAP1 26
310 #define TAP2 20
311 #define TAP3 14
312 #define TAP4 7
313 #define TAP5 1
314 #elif POOLWORDS & (POOLWORDS-1)
315 #error POOLWORDS must be a power of 2
316 #else
317 #error No primitive polynomial available for chosen POOLWORDS
318 #endif
319
320 /*
321 * For the purposes of better mixing, we use the CRC-32 polynomial as
322 * well to make a twisted Generalized Feedback Shift Reigster
323 *
324 * (See M. Matsumoto & Y. Kurita, 1992. Twisted GFSR generators. ACM
325 * Transactions on Modeling and Computer Simulation 2(3):179-194.
326 * Also see M. Matsumoto & Y. Kurita, 1994. Twisted GFSR generators
327 * II. ACM Transactions on Mdeling and Computer Simulation 4:254-266)
328 *
329 * Thanks to Colin Plumb for suggesting this.
330 * We have not analyzed the resultant polynomial to prove it primitive;
331 * in fact it almost certainly isn't. Nonetheless, the irreducible factors
332 * of a random large-degree polynomial over GF(2) are more than large enough
333 * that periodicity is not a concern.
334 *
335 * The input hash is much less sensitive than the output hash. All that
336 * we want of it is that it be a good non-cryptographic hash; i.e. it
337 * not produce collisions when fed "random" data of the sort we expect
338 * to see. As long as the pool state differs for different inputs, we
339 * have preserved the input entropy and done a good job. The fact that an
340 * intelligent attacker can construct inputs that will produce controlled
341 * alterations to the pool's state is not important because we don't
342 * consider such inputs to contribute any randomness.
343 * The only property we need with respect to them is
344 * that the attacker can't increase his/her knowledge of the pool's state.
345 * Since all additions are reversible (knowing the final state and the
346 * input, you can reconstruct the initial state), if an attacker has
347 * any uncertainty about the initial state, he/she can only shuffle that
348 * uncertainty about, but never cause any collisions (which would
349 * decrease the uncertainty).
350 *
351 * The chosen system lets the state of the pool be (essentially) the input
352 * modulo the generator polymnomial. Now, for random primitive polynomials,
353 * this is a universal class of hash functions, meaning that the chance
354 * of a collision is limited by the attacker's knowledge of the generator
355 * polynomail, so if it is chosen at random, an attacker can never force
356 * a collision. Here, we use a fixed polynomial, but we *can* assume that
357 * ###--> it is unknown to the processes generating the input entropy. <-###
358 * Because of this important property, this is a good, collision-resistant
359 * hash; hash collisions will occur no more often than chance.
360 */
361
362 /*
363 * The minimum number of bits to release a "wait on input". Should
364 * probably always be 8, since a /dev/random read can return a single
365 * byte.
366 */
367 #define WAIT_INPUT_BITS 8
368 /*
369 * The limit number of bits under which to release a "wait on
370 * output". Should probably always be the same as WAIT_INPUT_BITS, so
371 * that an output wait releases when and only when a wait on input
372 * would block.
373 */
374 #define WAIT_OUTPUT_BITS WAIT_INPUT_BITS
375
376 /* There is actually only one of these, globally. */
377 struct random_bucket {
378 unsigned add_ptr;
379 unsigned entropy_count;
380 #ifdef ROTATE_PARANOIA
381 int input_rotate;
382 #endif
383 __u32 pool[POOLWORDS];
384 };
385
386 #ifdef RANDOM_BENCHMARK
387 /* For benchmarking only */
388 struct random_benchmark {
389 unsigned long long start_time;
390 int times; /* # of samples */
391 unsigned long min;
392 unsigned long max;
393 unsigned long accum; /* accumulator for average */
394 const char *descr;
395 int unit;
396 unsigned long flags;
397 };
398
399 #define BENCHMARK_INTERVAL 500
400
401 static void initialize_benchmark(struct random_benchmark *bench,
402 const char *descr, int unit);
403 static void begin_benchmark(struct random_benchmark *bench);
404 static void end_benchmark(struct random_benchmark *bench);
405
406 struct random_benchmark timer_benchmark;
407 #endif
408
409 /* There is one of these per entropy source */
410 struct timer_rand_state {
411 __u32 last_time;
412 __s32 last_delta,last_delta2;
413 int dont_count_entropy:1;
414 };
415
416 static struct random_bucket random_state;
417 static struct timer_rand_state keyboard_timer_state;
418 static struct timer_rand_state mouse_timer_state;
419 static struct timer_rand_state extract_timer_state;
420 static struct timer_rand_state *irq_timer_state[NR_IRQS];
421 static struct timer_rand_state *blkdev_timer_state[MAX_BLKDEV];
422 static struct wait_queue *random_read_wait;
423 static struct wait_queue *random_write_wait;
424
425 static ssize_t random_read(struct file * file, char * buf,
426 size_t nbytes, loff_t *ppos);
427 static ssize_t random_read_unlimited(struct file * file, char * buf,
428 size_t nbytes, loff_t *ppos);
429 static unsigned int random_poll(struct file *file, poll_table * wait);
430 static ssize_t random_write(struct file * file, const char * buffer,
431 size_t count, loff_t *ppos);
432 static int random_ioctl(struct inode * inode, struct file * file,
433 unsigned int cmd, unsigned long arg);
434
435 static inline void fast_add_entropy_words(struct random_bucket *r,
436 __u32 x, __u32 y);
437
438 static void add_entropy_words(struct random_bucket *r, __u32 x, __u32 y);
439
440 #ifndef MIN
441 #define MIN(a,b) (((a) < (b)) ? (a) : (b))
442 #endif
443
444 /*
445 * Unfortunately, while the GCC optimizer for the i386 understands how
446 * to optimize a static rotate left of x bits, it doesn't know how to
447 * deal with a variable rotate of x bits. So we use a bit of asm magic.
448 */
449 #if (!defined (__i386__))
450 extern inline __u32 rotate_left(int i, __u32 word)
451 {
452 return (word << i) | (word >> (32 - i));
453
454 }
455 #else
456 extern inline __u32 rotate_left(int i, __u32 word)
457 {
458 __asm__("roll %%cl,%0"
459 :"=r" (word)
460 :"0" (word),"c" (i));
461 return word;
462 }
463 #endif
464
465 /*
466 * More asm magic....
467 *
468 * For entropy estimation, we need to do an integral base 2
469 * logarithm.
470 *
471 * Note the "12bits" suffix - this is used for numbers between
472 * 0 and 4095 only. This allows a few shortcuts.
473 */
474 #if 0 /* Slow but clear version */
475 static inline __u32 int_ln_12bits(__u32 word)
476 {
477 __u32 nbits = 0;
478
479 while (word >>= 1)
480 nbits++;
481 return nbits;
482 }
483 #else /* Faster (more clever) version, courtesy Colin Plumb */
484 static inline __u32 int_ln_12bits(__u32 word)
485 {
486 /* Smear msbit right to make an n-bit mask */
487 word |= word >> 8;
488 word |= word >> 4;
489 word |= word >> 2;
490 word |= word >> 1;
491 /* Remove one bit to make this a logarithm */
492 word >>= 1;
493 /* Count the bits set in the word */
494 word -= (word >> 1) & 0x555;
495 word = (word & 0x333) + ((word >> 2) & 0x333);
496 word += (word >> 4);
497 word += (word >> 8);
498 return word & 15;
499 }
500 #endif
501
502
503 /*
504 * Initialize the random pool with standard stuff.
505 *
506 * NOTE: This is an OS-dependent function.
507 */
508 static void init_std_data(struct random_bucket *r)
509 {
510 __u32 words[2], *p;
511 int i;
512 struct timeval tv;
513
514 do_gettimeofday(&tv);
515 add_entropy_words(r, tv.tv_sec, tv.tv_usec);
516
517 /*
518 * This doesnt lock system.utsname. Howeve we are generating
519 * entropy so a race with a name set here is fine.
520 */
521 p = (__u32 *)&system_utsname;
522 for (i = sizeof(system_utsname) / sizeof(words); i; i--) {
523 memcpy(words, p, sizeof(words));
524 add_entropy_words(r, words[0], words[1]);
525 p += sizeof(words)/sizeof(*words);
526 }
527
528 }
529
530 /* Clear the entropy pool and associated counters. */
531 static void rand_clear_pool(void)
532 {
533 memset(&random_state, 0, sizeof(random_state));
534 init_std_data(&random_state);
535 }
536
537 __initfunc(void rand_initialize(void))
538 {
539 int i;
540
541 rand_clear_pool();
542 for (i = 0; i < NR_IRQS; i++)
543 irq_timer_state[i] = NULL;
544 for (i = 0; i < MAX_BLKDEV; i++)
545 blkdev_timer_state[i] = NULL;
546 memset(&keyboard_timer_state, 0, sizeof(struct timer_rand_state));
547 memset(&mouse_timer_state, 0, sizeof(struct timer_rand_state));
548 memset(&extract_timer_state, 0, sizeof(struct timer_rand_state));
549 #ifdef RANDOM_BENCHMARK
550 initialize_benchmark(&timer_benchmark, "timer", 0);
551 #endif
552 extract_timer_state.dont_count_entropy = 1;
553 random_read_wait = NULL;
554 random_write_wait = NULL;
555 }
556
557 void rand_initialize_irq(int irq)
558 {
559 struct timer_rand_state *state;
560
561 if (irq >= NR_IRQS || irq_timer_state[irq])
562 return;
563
564 /*
565 * If kmalloc returns null, we just won't use that entropy
566 * source.
567 */
568 state = kmalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
569 if (state) {
570 irq_timer_state[irq] = state;
571 memset(state, 0, sizeof(struct timer_rand_state));
572 }
573 }
574
575 void rand_initialize_blkdev(int major, int mode)
576 {
577 struct timer_rand_state *state;
578
579 if (major >= MAX_BLKDEV || blkdev_timer_state[major])
580 return;
581
582 /*
583 * If kmalloc returns null, we just won't use that entropy
584 * source.
585 */
586 state = kmalloc(sizeof(struct timer_rand_state), mode);
587 if (state) {
588 blkdev_timer_state[major] = state;
589 memset(state, 0, sizeof(struct timer_rand_state));
590 }
591 }
592
593 /*
594 * This function adds a byte into the entropy "pool". It does not
595 * update the entropy estimate. The caller must do this if appropriate.
596 *
597 * This function is tuned for speed above most other considerations.
598 *
599 * The pool is stirred with a primitive polynomial of the appropriate degree,
600 * and then twisted. We twist by three bits at a time because it's
601 * cheap to do so and helps slightly in the expected case where the
602 * entropy is concentrated in the low-order bits.
603 */
604 #define MASK(x) ((x) & (POOLWORDS-1)) /* Convenient abreviation */
605 static inline void fast_add_entropy_words(struct random_bucket *r,
606 __u32 x, __u32 y)
607 {
608 static __u32 const twist_table[8] = {
609 0, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
610 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
611 unsigned i, j;
612
613 i = MASK(r->add_ptr - 2); /* i is always even */
614 r->add_ptr = i;
615
616 #ifdef ROTATE_PARANOIA
617 j = r->input_rotate + 14;
618 if (i)
619 j -= 7;
620 r->input_rotate = j & 31;
621
622 x = rotate_left(r->input_rotate, x);
623 y = rotate_left(r->input_rotate, y);
624 #endif
625
626 /*
627 * XOR in the various taps. Even though logically, we compute
628 * x and then compute y, we read in y then x order because most
629 * caches work slightly better with increasing read addresses.
630 * If a tap is even then we can use the fact that i is even to
631 * avoid a masking operation. Every polynomial has at least one
632 * even tap, so j is always used.
633 * (Is there a nicer way to arrange this code?)
634 */
635 #if TAP1 & 1
636 y ^= r->pool[MASK(i+TAP1)]; x ^= r->pool[MASK(i+TAP1+1)];
637 #else
638 j = MASK(i+TAP1); y ^= r->pool[j]; x ^= r->pool[j+1];
639 #endif
640 #if TAP2 & 1
641 y ^= r->pool[MASK(i+TAP2)]; x ^= r->pool[MASK(i+TAP2+1)];
642 #else
643 j = MASK(i+TAP2); y ^= r->pool[j]; x ^= r->pool[j+1];
644 #endif
645 #if TAP3 & 1
646 y ^= r->pool[MASK(i+TAP3)]; x ^= r->pool[MASK(i+TAP3+1)];
647 #else
648 j = MASK(i+TAP3); y ^= r->pool[j]; x ^= r->pool[j+1];
649 #endif
650 #if TAP4 & 1
651 y ^= r->pool[MASK(i+TAP4)]; x ^= r->pool[MASK(i+TAP4+1)];
652 #else
653 j = MASK(i+TAP4); y ^= r->pool[j]; x ^= r->pool[j+1];
654 #endif
655 #if TAP5 == 1
656 /* We need to pretend to write pool[i+1] before computing y */
657 y ^= r->pool[i];
658 x ^= r->pool[i+1];
659 x ^= r->pool[MASK(i+TAP5+1)];
660 y ^= r->pool[i+1] = x = (x >> 3) ^ twist_table[x & 7];
661 r->pool[i] = (y >> 3) ^ twist_table[y & 7];
662 #else
663 # if TAP5 & 1
664 y ^= r->pool[MASK(i+TAP5)]; x ^= r->pool[MASK(i+TAP5+1)];
665 # else
666 j = MASK(i+TAP5); y ^= r->pool[j]; x ^= r->pool[j+1];
667 # endif
668 y ^= r->pool[i];
669 x ^= r->pool[i+1];
670 r->pool[i] = (y >> 3) ^ twist_table[y & 7];
671 r->pool[i+1] = (x >> 3) ^ twist_table[x & 7];
672 #endif
673 }
674
675 /*
676 * For places where we don't need the inlined version
677 */
678 static void add_entropy_words(struct random_bucket *r, __u32 x, __u32 y)
679 {
680 fast_add_entropy_words(r, x, y);
681 }
682
683 /*
684 * This function adds entropy to the entropy "pool" by using timing
685 * delays. It uses the timer_rand_state structure to make an estimate
686 * of how many bits of entropy this call has added to the pool.
687 *
688 * The number "num" is also added to the pool - it should somehow describe
689 * the type of event which just happened. This is currently 0-255 for
690 * keyboard scan codes, and 256 upwards for interrupts.
691 * On the i386, this is assumed to be at most 16 bits, and the high bits
692 * are used for a high-resolution timer.
693 *
694 */
695 static void add_timer_randomness(struct random_bucket *r,
696 struct timer_rand_state *state, unsigned num)
697 {
698 __u32 time;
699 __s32 delta, delta2, delta3;
700
701 #ifdef RANDOM_BENCHMARK
702 begin_benchmark(&timer_benchmark);
703 #endif
704 #if defined (__i386__)
705 if (boot_cpu_data.x86_capability & X86_FEATURE_TSC) {
706 __u32 high;
707 __asm__(".byte 0x0f,0x31"
708 :"=a" (time), "=d" (high));
709 num ^= high;
710 } else {
711 time = jiffies;
712 }
713 #else
714 time = jiffies;
715 #endif
716
717 fast_add_entropy_words(r, (__u32)num, time);
718
719 /*
720 * Calculate number of bits of randomness we probably added.
721 * We take into account the first, second and third-order deltas
722 * in order to make our estimate.
723 */
724 if ((r->entropy_count < POOLBITS) && !state->dont_count_entropy) {
725 delta = time - state->last_time;
726 state->last_time = time;
727
728 delta2 = delta - state->last_delta;
729 state->last_delta = delta;
730
731 delta3 = delta2 - state->last_delta2;
732 state->last_delta2 = delta2;
733
734 if (delta < 0)
735 delta = -delta;
736 if (delta2 < 0)
737 delta2 = -delta2;
738 if (delta3 < 0)
739 delta3 = -delta3;
740 if (delta > delta2)
741 delta = delta2;
742 if (delta > delta3)
743 delta = delta3;
744
745 /*
746 * delta is now minimum absolute delta.
747 * Round down by 1 bit on general principles,
748 * and limit entropy entimate to 12 bits.
749 */
750 delta >>= 1;
751 delta &= (1 << 12) - 1;
752
753 r->entropy_count += int_ln_12bits(delta);
754
755 /* Prevent overflow */
756 if (r->entropy_count > POOLBITS)
757 r->entropy_count = POOLBITS;
758
759 /* Wake up waiting processes, if we have enough entropy. */
760 if (r->entropy_count >= WAIT_INPUT_BITS)
761 wake_up_interruptible(&random_read_wait);
762 }
763
764 #ifdef RANDOM_BENCHMARK
765 end_benchmark(&timer_benchmark);
766 #endif
767 }
768
769 void add_keyboard_randomness(unsigned char scancode)
770 {
771 add_timer_randomness(&random_state, &keyboard_timer_state, scancode);
772 }
773
774 void add_mouse_randomness(__u32 mouse_data)
775 {
776 add_timer_randomness(&random_state, &mouse_timer_state, mouse_data);
777 }
778
779 void add_interrupt_randomness(int irq)
780 {
781 if (irq >= NR_IRQS || irq_timer_state[irq] == 0)
782 return;
783
784 add_timer_randomness(&random_state, irq_timer_state[irq], 0x100+irq);
785 }
786
787 void add_blkdev_randomness(int major)
788 {
789 if (major >= MAX_BLKDEV)
790 return;
791
792 if (blkdev_timer_state[major] == 0) {
793 rand_initialize_blkdev(major, GFP_ATOMIC);
794 if (blkdev_timer_state[major] == 0)
795 return;
796 }
797
798 add_timer_randomness(&random_state, blkdev_timer_state[major],
799 0x200+major);
800 }
801
802 /*
803 * This chunk of code defines a function
804 * void HASH_TRANSFORM(__u32 digest[HASH_BUFFER_SIZE + HASH_EXTRA_SIZE],
805 * __u32 const data[16])
806 *
807 * The function hashes the input data to produce a digest in the first
808 * HASH_BUFFER_SIZE words of the digest[] array, and uses HASH_EXTRA_SIZE
809 * more words for internal purposes. (This buffer is exported so the
810 * caller can wipe it once rather than this code doing it each call,
811 * and tacking it onto the end of the digest[] array is the quick and
812 * dirty way of doing it.)
813 *
814 * It so happens that MD5 and SHA share most of the initial vector
815 * used to initialize the digest[] array before the first call:
816 * 1) 0x67452301
817 * 2) 0xefcdab89
818 * 3) 0x98badcfe
819 * 4) 0x10325476
820 * 5) 0xc3d2e1f0 (SHA only)
821 *
822 * For /dev/random purposes, the length of the data being hashed is
823 * fixed in length (at POOLWORDS words), so appending a bit count in
824 * the usual way is not cryptographically necessary.
825 */
826 #define USE_SHA
827
828 #ifdef USE_SHA
829
830 #define HASH_BUFFER_SIZE 5
831 #define HASH_EXTRA_SIZE 80
832 #define HASH_TRANSFORM SHATransform
833
834 /* Various size/speed tradeoffs are available. Choose 0..3. */
835 #define SHA_CODE_SIZE 0
836
837 /*
838 * SHA transform algorithm, taken from code written by Peter Gutmann,
839 * and placed in the public domain.
840 */
841
842 /* The SHA f()-functions. */
843
844 #define f1(x,y,z) ( z ^ (x & (y^z)) ) /* Rounds 0-19: x ? y : z */
845 #define f2(x,y,z) (x ^ y ^ z) /* Rounds 20-39: XOR */
846 #define f3(x,y,z) ( (x & y) + (z & (x ^ y)) ) /* Rounds 40-59: majority */
847 #define f4(x,y,z) (x ^ y ^ z) /* Rounds 60-79: XOR */
848
849 /* The SHA Mysterious Constants */
850
851 #define K1 0x5A827999L /* Rounds 0-19: sqrt(2) * 2^30 */
852 #define K2 0x6ED9EBA1L /* Rounds 20-39: sqrt(3) * 2^30 */
853 #define K3 0x8F1BBCDCL /* Rounds 40-59: sqrt(5) * 2^30 */
854 #define K4 0xCA62C1D6L /* Rounds 60-79: sqrt(10) * 2^30 */
855
856 #define ROTL(n,X) ( ( ( X ) << n ) | ( ( X ) >> ( 32 - n ) ) )
857
858 #define subRound(a, b, c, d, e, f, k, data) \
859 ( e += ROTL( 5, a ) + f( b, c, d ) + k + data, b = ROTL( 30, b ) )
860
861
862 static void SHATransform(__u32 digest[85], __u32 const data[16])
863 {
864 __u32 A, B, C, D, E; /* Local vars */
865 __u32 TEMP;
866 int i;
867 #define W (digest + HASH_BUFFER_SIZE) /* Expanded data array */
868
869 /*
870 * Do the preliminary expansion of 16 to 80 words. Doing it
871 * out-of-line line this is faster than doing it in-line on
872 * register-starved machines like the x86, and not really any
873 * slower on real processors.
874 */
875 memcpy(W, data, 16*sizeof(__u32));
876 for (i = 0; i < 64; i++) {
877 TEMP = W[i] ^ W[i+2] ^ W[i+8] ^ W[i+13];
878 W[i+16] = ROTL(1, TEMP);
879 }
880
881 /* Set up first buffer and local data buffer */
882 A = digest[ 0 ];
883 B = digest[ 1 ];
884 C = digest[ 2 ];
885 D = digest[ 3 ];
886 E = digest[ 4 ];
887
888 /* Heavy mangling, in 4 sub-rounds of 20 iterations each. */
889 #if SHA_CODE_SIZE == 0
890 /*
891 * Approximately 50% of the speed of the largest version, but
892 * takes up 1/16 the space. Saves about 6k on an i386 kernel.
893 */
894 for (i = 0; i < 80; i++) {
895 if (i < 40) {
896 if (i < 20)
897 TEMP = f1(B, C, D) + K1;
898 else
899 TEMP = f2(B, C, D) + K2;
900 } else {
901 if (i < 60)
902 TEMP = f3(B, C, D) + K3;
903 else
904 TEMP = f4(B, C, D) + K4;
905 }
906 TEMP += ROTL(5, A) + E + W[i];
907 E = D; D = C; C = ROTL(30, B); B = A; A = TEMP;
908 }
909 #elif SHA_CODE_SIZE == 1
910 for (i = 0; i < 20; i++) {
911 TEMP = f1(B, C, D) + K1 + ROTL(5, A) + E + W[i];
912 E = D; D = C; C = ROTL(30, B); B = A; A = TEMP;
913 }
914 for (; i < 40; i++) {
915 TEMP = f2(B, C, D) + K2 + ROTL(5, A) + E + W[i];
916 E = D; D = C; C = ROTL(30, B); B = A; A = TEMP;
917 }
918 for (; i < 60; i++) {
919 TEMP = f3(B, C, D) + K3 + ROTL(5, A) + E + W[i];
920 E = D; D = C; C = ROTL(30, B); B = A; A = TEMP;
921 }
922 for (; i < 80; i++) {
923 TEMP = f4(B, C, D) + K4 + ROTL(5, A) + E + W[i];
924 E = D; D = C; C = ROTL(30, B); B = A; A = TEMP;
925 }
926 #elif SHA_CODE_SIZE == 2
927 for (i = 0; i < 20; i += 5) {
928 subRound( A, B, C, D, E, f1, K1, W[ i ] );
929 subRound( E, A, B, C, D, f1, K1, W[ i+1 ] );
930 subRound( D, E, A, B, C, f1, K1, W[ i+2 ] );
931 subRound( C, D, E, A, B, f1, K1, W[ i+3 ] );
932 subRound( B, C, D, E, A, f1, K1, W[ i+4 ] );
933 }
934 for (; i < 40; i += 5) {
935 subRound( A, B, C, D, E, f2, K2, W[ i ] );
936 subRound( E, A, B, C, D, f2, K2, W[ i+1 ] );
937 subRound( D, E, A, B, C, f2, K2, W[ i+2 ] );
938 subRound( C, D, E, A, B, f2, K2, W[ i+3 ] );
939 subRound( B, C, D, E, A, f2, K2, W[ i+4 ] );
940 }
941 for (; i < 60; i += 5) {
942 subRound( A, B, C, D, E, f3, K3, W[ i ] );
943 subRound( E, A, B, C, D, f3, K3, W[ i+1 ] );
944 subRound( D, E, A, B, C, f3, K3, W[ i+2 ] );
945 subRound( C, D, E, A, B, f3, K3, W[ i+3 ] );
946 subRound( B, C, D, E, A, f3, K3, W[ i+4 ] );
947 }
948 for (; i < 80; i += 5) {
949 subRound( A, B, C, D, E, f4, K4, W[ i ] );
950 subRound( E, A, B, C, D, f4, K4, W[ i+1 ] );
951 subRound( D, E, A, B, C, f4, K4, W[ i+2 ] );
952 subRound( C, D, E, A, B, f4, K4, W[ i+3 ] );
953 subRound( B, C, D, E, A, f4, K4, W[ i+4 ] );
954 }
955 #elif SHA_CODE_SIZE == 3 /* Really large version */
956 subRound( A, B, C, D, E, f1, K1, W[ 0 ] );
957 subRound( E, A, B, C, D, f1, K1, W[ 1 ] );
958 subRound( D, E, A, B, C, f1, K1, W[ 2 ] );
959 subRound( C, D, E, A, B, f1, K1, W[ 3 ] );
960 subRound( B, C, D, E, A, f1, K1, W[ 4 ] );
961 subRound( A, B, C, D, E, f1, K1, W[ 5 ] );
962 subRound( E, A, B, C, D, f1, K1, W[ 6 ] );
963 subRound( D, E, A, B, C, f1, K1, W[ 7 ] );
964 subRound( C, D, E, A, B, f1, K1, W[ 8 ] );
965 subRound( B, C, D, E, A, f1, K1, W[ 9 ] );
966 subRound( A, B, C, D, E, f1, K1, W[ 10 ] );
967 subRound( E, A, B, C, D, f1, K1, W[ 11 ] );
968 subRound( D, E, A, B, C, f1, K1, W[ 12 ] );
969 subRound( C, D, E, A, B, f1, K1, W[ 13 ] );
970 subRound( B, C, D, E, A, f1, K1, W[ 14 ] );
971 subRound( A, B, C, D, E, f1, K1, W[ 15 ] );
972 subRound( E, A, B, C, D, f1, K1, W[ 16 ] );
973 subRound( D, E, A, B, C, f1, K1, W[ 17 ] );
974 subRound( C, D, E, A, B, f1, K1, W[ 18 ] );
975 subRound( B, C, D, E, A, f1, K1, W[ 19 ] );
976
977 subRound( A, B, C, D, E, f2, K2, W[ 20 ] );
978 subRound( E, A, B, C, D, f2, K2, W[ 21 ] );
979 subRound( D, E, A, B, C, f2, K2, W[ 22 ] );
980 subRound( C, D, E, A, B, f2, K2, W[ 23 ] );
981 subRound( B, C, D, E, A, f2, K2, W[ 24 ] );
982 subRound( A, B, C, D, E, f2, K2, W[ 25 ] );
983 subRound( E, A, B, C, D, f2, K2, W[ 26 ] );
984 subRound( D, E, A, B, C, f2, K2, W[ 27 ] );
985 subRound( C, D, E, A, B, f2, K2, W[ 28 ] );
986 subRound( B, C, D, E, A, f2, K2, W[ 29 ] );
987 subRound( A, B, C, D, E, f2, K2, W[ 30 ] );
988 subRound( E, A, B, C, D, f2, K2, W[ 31 ] );
989 subRound( D, E, A, B, C, f2, K2, W[ 32 ] );
990 subRound( C, D, E, A, B, f2, K2, W[ 33 ] );
991 subRound( B, C, D, E, A, f2, K2, W[ 34 ] );
992 subRound( A, B, C, D, E, f2, K2, W[ 35 ] );
993 subRound( E, A, B, C, D, f2, K2, W[ 36 ] );
994 subRound( D, E, A, B, C, f2, K2, W[ 37 ] );
995 subRound( C, D, E, A, B, f2, K2, W[ 38 ] );
996 subRound( B, C, D, E, A, f2, K2, W[ 39 ] );
997
998 subRound( A, B, C, D, E, f3, K3, W[ 40 ] );
999 subRound( E, A, B, C, D, f3, K3, W[ 41 ] );
1000 subRound( D, E, A, B, C, f3, K3, W[ 42 ] );
1001 subRound( C, D, E, A, B, f3, K3, W[ 43 ] );
1002 subRound( B, C, D, E, A, f3, K3, W[ 44 ] );
1003 subRound( A, B, C, D, E, f3, K3, W[ 45 ] );
1004 subRound( E, A, B, C, D, f3, K3, W[ 46 ] );
1005 subRound( D, E, A, B, C, f3, K3, W[ 47 ] );
1006 subRound( C, D, E, A, B, f3, K3, W[ 48 ] );
1007 subRound( B, C, D, E, A, f3, K3, W[ 49 ] );
1008 subRound( A, B, C, D, E, f3, K3, W[ 50 ] );
1009 subRound( E, A, B, C, D, f3, K3, W[ 51 ] );
1010 subRound( D, E, A, B, C, f3, K3, W[ 52 ] );
1011 subRound( C, D, E, A, B, f3, K3, W[ 53 ] );
1012 subRound( B, C, D, E, A, f3, K3, W[ 54 ] );
1013 subRound( A, B, C, D, E, f3, K3, W[ 55 ] );
1014 subRound( E, A, B, C, D, f3, K3, W[ 56 ] );
1015 subRound( D, E, A, B, C, f3, K3, W[ 57 ] );
1016 subRound( C, D, E, A, B, f3, K3, W[ 58 ] );
1017 subRound( B, C, D, E, A, f3, K3, W[ 59 ] );
1018
1019 subRound( A, B, C, D, E, f4, K4, W[ 60 ] );
1020 subRound( E, A, B, C, D, f4, K4, W[ 61 ] );
1021 subRound( D, E, A, B, C, f4, K4, W[ 62 ] );
1022 subRound( C, D, E, A, B, f4, K4, W[ 63 ] );
1023 subRound( B, C, D, E, A, f4, K4, W[ 64 ] );
1024 subRound( A, B, C, D, E, f4, K4, W[ 65 ] );
1025 subRound( E, A, B, C, D, f4, K4, W[ 66 ] );
1026 subRound( D, E, A, B, C, f4, K4, W[ 67 ] );
1027 subRound( C, D, E, A, B, f4, K4, W[ 68 ] );
1028 subRound( B, C, D, E, A, f4, K4, W[ 69 ] );
1029 subRound( A, B, C, D, E, f4, K4, W[ 70 ] );
1030 subRound( E, A, B, C, D, f4, K4, W[ 71 ] );
1031 subRound( D, E, A, B, C, f4, K4, W[ 72 ] );
1032 subRound( C, D, E, A, B, f4, K4, W[ 73 ] );
1033 subRound( B, C, D, E, A, f4, K4, W[ 74 ] );
1034 subRound( A, B, C, D, E, f4, K4, W[ 75 ] );
1035 subRound( E, A, B, C, D, f4, K4, W[ 76 ] );
1036 subRound( D, E, A, B, C, f4, K4, W[ 77 ] );
1037 subRound( C, D, E, A, B, f4, K4, W[ 78 ] );
1038 subRound( B, C, D, E, A, f4, K4, W[ 79 ] );
1039 #else
1040 #error Illegal SHA_CODE_SIZE
1041 #endif
1042
1043 /* Build message digest */
1044 digest[ 0 ] += A;
1045 digest[ 1 ] += B;
1046 digest[ 2 ] += C;
1047 digest[ 3 ] += D;
1048 digest[ 4 ] += E;
1049
1050 /* W is wiped by the caller */
1051 #undef W
1052 }
1053
1054 #undef ROTL
1055 #undef f1
1056 #undef f2
1057 #undef f3
1058 #undef f4
1059 #undef K1
1060 #undef K2
1061 #undef K3
1062 #undef K4
1063 #undef subRound
1064
1065 #else /* !USE_SHA - Use MD5 */
1066
1067 #define HASH_BUFFER_SIZE 4
1068 #define HASH_EXTRA_SIZE 0
1069 #define HASH_TRANSFORM MD5Transform
1070
1071 /*
1072 * MD5 transform algorithm, taken from code written by Colin Plumb,
1073 * and put into the public domain
1074 *
1075 * QUESTION: Replace this with SHA, which as generally received better
1076 * reviews from the cryptographic community?
1077 */
1078
1079 /* The four core functions - F1 is optimized somewhat */
1080
1081 /* #define F1(x, y, z) (x & y | ~x & z) */
1082 #define F1(x, y, z) (z ^ (x & (y ^ z)))
1083 #define F2(x, y, z) F1(z, x, y)
1084 #define F3(x, y, z) (x ^ y ^ z)
1085 #define F4(x, y, z) (y ^ (x | ~z))
1086
1087 /* This is the central step in the MD5 algorithm. */
1088 #define MD5STEP(f, w, x, y, z, data, s) \
1089 ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x )
1090
1091 /*
1092 * The core of the MD5 algorithm, this alters an existing MD5 hash to
1093 * reflect the addition of 16 longwords of new data. MD5Update blocks
1094 * the data and converts bytes into longwords for this routine.
1095 */
1096 static void MD5Transform(__u32 buf[HASH_BUFFER_SIZE], __u32 const in[16])
1097 {
1098 __u32 a, b, c, d;
1099
1100 a = buf[0];
1101 b = buf[1];
1102 c = buf[2];
1103 d = buf[3];
1104
1105 MD5STEP(F1, a, b, c, d, in[ 0]+0xd76aa478, 7);
1106 MD5STEP(F1, d, a, b, c, in[ 1]+0xe8c7b756, 12);
1107 MD5STEP(F1, c, d, a, b, in[ 2]+0x242070db, 17);
1108 MD5STEP(F1, b, c, d, a, in[ 3]+0xc1bdceee, 22);
1109 MD5STEP(F1, a, b, c, d, in[ 4]+0xf57c0faf, 7);
1110 MD5STEP(F1, d, a, b, c, in[ 5]+0x4787c62a, 12);
1111 MD5STEP(F1, c, d, a, b, in[ 6]+0xa8304613, 17);
1112 MD5STEP(F1, b, c, d, a, in[ 7]+0xfd469501, 22);
1113 MD5STEP(F1, a, b, c, d, in[ 8]+0x698098d8, 7);
1114 MD5STEP(F1, d, a, b, c, in[ 9]+0x8b44f7af, 12);
1115 MD5STEP(F1, c, d, a, b, in[10]+0xffff5bb1, 17);
1116 MD5STEP(F1, b, c, d, a, in[11]+0x895cd7be, 22);
1117 MD5STEP(F1, a, b, c, d, in[12]+0x6b901122, 7);
1118 MD5STEP(F1, d, a, b, c, in[13]+0xfd987193, 12);
1119 MD5STEP(F1, c, d, a, b, in[14]+0xa679438e, 17);
1120 MD5STEP(F1, b, c, d, a, in[15]+0x49b40821, 22);
1121
1122 MD5STEP(F2, a, b, c, d, in[ 1]+0xf61e2562, 5);
1123 MD5STEP(F2, d, a, b, c, in[ 6]+0xc040b340, 9);
1124 MD5STEP(F2, c, d, a, b, in[11]+0x265e5a51, 14);
1125 MD5STEP(F2, b, c, d, a, in[ 0]+0xe9b6c7aa, 20);
1126 MD5STEP(F2, a, b, c, d, in[ 5]+0xd62f105d, 5);
1127 MD5STEP(F2, d, a, b, c, in[10]+0x02441453, 9);
1128 MD5STEP(F2, c, d, a, b, in[15]+0xd8a1e681, 14);
1129 MD5STEP(F2, b, c, d, a, in[ 4]+0xe7d3fbc8, 20);
1130 MD5STEP(F2, a, b, c, d, in[ 9]+0x21e1cde6, 5);
1131 MD5STEP(F2, d, a, b, c, in[14]+0xc33707d6, 9);
1132 MD5STEP(F2, c, d, a, b, in[ 3]+0xf4d50d87, 14);
1133 MD5STEP(F2, b, c, d, a, in[ 8]+0x455a14ed, 20);
1134 MD5STEP(F2, a, b, c, d, in[13]+0xa9e3e905, 5);
1135 MD5STEP(F2, d, a, b, c, in[ 2]+0xfcefa3f8, 9);
1136 MD5STEP(F2, c, d, a, b, in[ 7]+0x676f02d9, 14);
1137 MD5STEP(F2, b, c, d, a, in[12]+0x8d2a4c8a, 20);
1138
1139 MD5STEP(F3, a, b, c, d, in[ 5]+0xfffa3942, 4);
1140 MD5STEP(F3, d, a, b, c, in[ 8]+0x8771f681, 11);
1141 MD5STEP(F3, c, d, a, b, in[11]+0x6d9d6122, 16);
1142 MD5STEP(F3, b, c, d, a, in[14]+0xfde5380c, 23);
1143 MD5STEP(F3, a, b, c, d, in[ 1]+0xa4beea44, 4);
1144 MD5STEP(F3, d, a, b, c, in[ 4]+0x4bdecfa9, 11);
1145 MD5STEP(F3, c, d, a, b, in[ 7]+0xf6bb4b60, 16);
1146 MD5STEP(F3, b, c, d, a, in[10]+0xbebfbc70, 23);
1147 MD5STEP(F3, a, b, c, d, in[13]+0x289b7ec6, 4);
1148 MD5STEP(F3, d, a, b, c, in[ 0]+0xeaa127fa, 11);
1149 MD5STEP(F3, c, d, a, b, in[ 3]+0xd4ef3085, 16);
1150 MD5STEP(F3, b, c, d, a, in[ 6]+0x04881d05, 23);
1151 MD5STEP(F3, a, b, c, d, in[ 9]+0xd9d4d039, 4);
1152 MD5STEP(F3, d, a, b, c, in[12]+0xe6db99e5, 11);
1153 MD5STEP(F3, c, d, a, b, in[15]+0x1fa27cf8, 16);
1154 MD5STEP(F3, b, c, d, a, in[ 2]+0xc4ac5665, 23);
1155
1156 MD5STEP(F4, a, b, c, d, in[ 0]+0xf4292244, 6);
1157 MD5STEP(F4, d, a, b, c, in[ 7]+0x432aff97, 10);
1158 MD5STEP(F4, c, d, a, b, in[14]+0xab9423a7, 15);
1159 MD5STEP(F4, b, c, d, a, in[ 5]+0xfc93a039, 21);
1160 MD5STEP(F4, a, b, c, d, in[12]+0x655b59c3, 6);
1161 MD5STEP(F4, d, a, b, c, in[ 3]+0x8f0ccc92, 10);
1162 MD5STEP(F4, c, d, a, b, in[10]+0xffeff47d, 15);
1163 MD5STEP(F4, b, c, d, a, in[ 1]+0x85845dd1, 21);
1164 MD5STEP(F4, a, b, c, d, in[ 8]+0x6fa87e4f, 6);
1165 MD5STEP(F4, d, a, b, c, in[15]+0xfe2ce6e0, 10);
1166 MD5STEP(F4, c, d, a, b, in[ 6]+0xa3014314, 15);
1167 MD5STEP(F4, b, c, d, a, in[13]+0x4e0811a1, 21);
1168 MD5STEP(F4, a, b, c, d, in[ 4]+0xf7537e82, 6);
1169 MD5STEP(F4, d, a, b, c, in[11]+0xbd3af235, 10);
1170 MD5STEP(F4, c, d, a, b, in[ 2]+0x2ad7d2bb, 15);
1171 MD5STEP(F4, b, c, d, a, in[ 9]+0xeb86d391, 21);
1172
1173 buf[0] += a;
1174 buf[1] += b;
1175 buf[2] += c;
1176 buf[3] += d;
1177 }
1178
1179 #undef F1
1180 #undef F2
1181 #undef F3
1182 #undef F4
1183 #undef MD5STEP
1184
1185 #endif /* !USE_SHA */
1186
1187
1188 #if POOLWORDS % 16 != 0
1189 #error extract_entropy() assumes that POOLWORDS is a multiple of 16 words.
1190 #endif
1191 /*
1192 * This function extracts randomness from the "entropy pool", and
1193 * returns it in a buffer. This function computes how many remaining
1194 * bits of entropy are left in the pool, but it does not restrict the
1195 * number of bytes that are actually obtained.
1196 */
1197 static ssize_t extract_entropy(struct random_bucket *r, char * buf,
1198 size_t nbytes, int to_user)
1199 {
1200 ssize_t ret, i;
1201 __u32 tmp[HASH_BUFFER_SIZE + HASH_EXTRA_SIZE];
1202 __u32 x;
1203
1204 add_timer_randomness(r, &extract_timer_state, nbytes);
1205
1206 /* Redundant, but just in case... */
1207 if (r->entropy_count > POOLBITS)
1208 r->entropy_count = POOLBITS;
1209
1210 ret = nbytes;
1211 if (r->entropy_count / 8 >= nbytes)
1212 r->entropy_count -= nbytes*8;
1213 else
1214 r->entropy_count = 0;
1215
1216 if (r->entropy_count < WAIT_OUTPUT_BITS)
1217 wake_up_interruptible(&random_write_wait);
1218
1219 while (nbytes) {
1220 /* Hash the pool to get the output */
1221 tmp[0] = 0x67452301;
1222 tmp[1] = 0xefcdab89;
1223 tmp[2] = 0x98badcfe;
1224 tmp[3] = 0x10325476;
1225 #ifdef USE_SHA
1226 tmp[4] = 0xc3d2e1f0;
1227 #endif
1228 for (i = 0; i < POOLWORDS; i += 16)
1229 HASH_TRANSFORM(tmp, r->pool+i);
1230
1231 /*
1232 * The following code does two separate things that happen
1233 * to both work two words at a time, so are convenient
1234 * to do together.
1235 *
1236 * First, this feeds the output back into the pool so
1237 * that the next call will return different results.
1238 * Any perturbation of the pool's state would do, even
1239 * changing one bit, but this mixes the pool nicely.
1240 *
1241 * Second, this folds the output in half to hide the data
1242 * fed back into the pool from the user and further mask
1243 * any patterns in the hash output. (The exact folding
1244 * pattern is not important; the one used here is quick.)
1245 */
1246 for (i = 0; i < HASH_BUFFER_SIZE/2; i++) {
1247 x = tmp[i + (HASH_BUFFER_SIZE+1)/2];
1248 add_entropy_words(r, tmp[i], x);
1249 tmp[i] ^= x;
1250 }
1251 #if HASH_BUFFER_SIZE & 1 /* There's a middle word to deal with */
1252 x = tmp[HASH_BUFFER_SIZE/2];
1253 add_entropy_words(r, x, (__u32)buf);
1254 x ^= (x >> 16); /* Fold it in half */
1255 ((__u16 *)tmp)[HASH_BUFFER_SIZE-1] = (__u16)x;
1256 #endif
1257
1258 /* Copy data to destination buffer */
1259 i = MIN(nbytes, HASH_BUFFER_SIZE*sizeof(__u32)/2);
1260 if (to_user) {
1261 i -= copy_to_user(buf, (__u8 const *)tmp, i);
1262 if (!i) {
1263 ret = -EFAULT;
1264 break;
1265 }
1266 } else
1267 memcpy(buf, (__u8 const *)tmp, i);
1268 nbytes -= i;
1269 buf += i;
1270 add_timer_randomness(r, &extract_timer_state, nbytes);
1271 if (to_user && current->need_resched)
1272 schedule();
1273 }
1274
1275 /* Wipe data just returned from memory */
1276 memset(tmp, 0, sizeof(tmp));
1277
1278 return ret;
1279 }
1280
1281 /*
1282 * This function is the exported kernel interface. It returns some
1283 * number of good random numbers, suitable for seeding TCP sequence
1284 * numbers, etc.
1285 */
1286 void get_random_bytes(void *buf, int nbytes)
1287 {
1288 extract_entropy(&random_state, (char *) buf, nbytes, 0);
1289 }
1290
1291 static ssize_t
1292 random_read(struct file * file, char * buf, size_t nbytes, loff_t *ppos)
1293 {
1294 struct wait_queue wait = { current, NULL };
1295 ssize_t n, retval = 0, count = 0;
1296
1297 if (nbytes == 0)
1298 return 0;
1299
1300 add_wait_queue(&random_read_wait, &wait);
1301 while (nbytes > 0) {
1302 current->state = TASK_INTERRUPTIBLE;
1303
1304 n = nbytes;
1305 if (n > random_state.entropy_count / 8)
1306 n = random_state.entropy_count / 8;
1307 if (n == 0) {
1308 if (file->f_flags & O_NONBLOCK) {
1309 retval = -EAGAIN;
1310 break;
1311 }
1312 if (signal_pending(current)) {
1313 retval = -ERESTARTSYS;
1314 break;
1315 }
1316 schedule();
1317 continue;
1318 }
1319 n = extract_entropy(&random_state, buf, n, 1);
1320 if (n < 0) {
1321 retval = n;
1322 break;
1323 }
1324 count += n;
1325 buf += n;
1326 nbytes -= n;
1327 break; /* This break makes the device work */
1328 /* like a named pipe */
1329 }
1330 current->state = TASK_RUNNING;
1331 remove_wait_queue(&random_read_wait, &wait);
1332
1333 /*
1334 * If we gave the user some bytes, update the access time.
1335 */
1336 if (count != 0) {
1337 UPDATE_ATIME(file->f_dentry->d_inode);
1338 }
1339
1340 return (count ? count : retval);
1341 }
1342
1343 static ssize_t
1344 random_read_unlimited(struct file * file, char * buf,
1345 size_t nbytes, loff_t *ppos)
1346 {
1347 return extract_entropy(&random_state, buf, nbytes, 1);
1348 }
1349
1350 static unsigned int
1351 random_poll(struct file *file, poll_table * wait)
1352 {
1353 unsigned int mask;
1354
1355 poll_wait(file, &random_read_wait, wait);
1356 poll_wait(file, &random_write_wait, wait);
1357 mask = 0;
1358 if (random_state.entropy_count >= WAIT_INPUT_BITS)
1359 mask |= POLLIN | POLLRDNORM;
1360 if (random_state.entropy_count < WAIT_OUTPUT_BITS)
1361 mask |= POLLOUT | POLLWRNORM;
1362 return mask;
1363 }
1364
1365 static ssize_t
1366 random_write(struct file * file, const char * buffer,
1367 size_t count, loff_t *ppos)
1368 {
1369 int ret = 0;
1370 size_t bytes;
1371 unsigned i;
1372 __u32 buf[16];
1373 const char *p = buffer;
1374 size_t c = count;
1375
1376 while (c > 0) {
1377 bytes = MIN(c, sizeof(buf));
1378
1379 bytes -= copy_from_user(&buf, p, bytes);
1380 if (!bytes) {
1381 ret = -EFAULT;
1382 break;
1383 }
1384 c -= bytes;
1385 p += bytes;
1386
1387 i = (unsigned)((bytes-1) / (2 * sizeof(__u32)));
1388 do {
1389 add_entropy_words(&random_state, buf[2*i], buf[2*i+1]);
1390 } while (i--);
1391 }
1392 if (p == buffer) {
1393 return (ssize_t)ret;
1394 } else {
1395 file->f_dentry->d_inode->i_mtime = CURRENT_TIME;
1396 mark_inode_dirty(file->f_dentry->d_inode);
1397 return (ssize_t)(p - buffer);
1398 }
1399 }
1400
1401 static int
1402 random_ioctl(struct inode * inode, struct file * file,
1403 unsigned int cmd, unsigned long arg)
1404 {
1405 int *p, size, ent_count;
1406 int retval;
1407
1408 switch (cmd) {
1409 case RNDGETENTCNT:
1410 retval = verify_area(VERIFY_WRITE, (void *) arg, sizeof(int));
1411 if (retval)
1412 return(retval);
1413 ent_count = random_state.entropy_count;
1414 put_user(ent_count, (int *) arg);
1415 return 0;
1416 case RNDADDTOENTCNT:
1417 if (!capable(CAP_SYS_ADMIN))
1418 return -EPERM;
1419 retval = verify_area(VERIFY_READ, (void *) arg, sizeof(int));
1420 if (retval)
1421 return(retval);
1422 get_user(ent_count, (int *) arg);
1423 /*
1424 * Add i to entropy_count, limiting the result to be
1425 * between 0 and POOLBITS.
1426 */
1427 if (ent_count < -random_state.entropy_count)
1428 random_state.entropy_count = 0;
1429 else if (ent_count > POOLBITS)
1430 random_state.entropy_count = POOLBITS;
1431 else {
1432 random_state.entropy_count += ent_count;
1433 if (random_state.entropy_count > POOLBITS)
1434 random_state.entropy_count = POOLBITS;
1435 if (random_state.entropy_count < 0)
1436 random_state.entropy_count = 0;
1437 }
1438 /*
1439 * Wake up waiting processes if we have enough
1440 * entropy.
1441 */
1442 if (random_state.entropy_count >= WAIT_INPUT_BITS)
1443 wake_up_interruptible(&random_read_wait);
1444 return 0;
1445 case RNDGETPOOL:
1446 if (!capable(CAP_SYS_ADMIN))
1447 return -EPERM;
1448 p = (int *) arg;
1449 retval = verify_area(VERIFY_WRITE, (void *) p, sizeof(int));
1450 if (retval)
1451 return(retval);
1452 ent_count = random_state.entropy_count;
1453 put_user(ent_count, p++);
1454 retval = verify_area(VERIFY_WRITE, (void *) p, sizeof(int));
1455 if (retval)
1456 return(retval);
1457 get_user(size, p);
1458 put_user(POOLWORDS, p++);
1459 if (size < 0)
1460 return -EINVAL;
1461 if (size > POOLWORDS)
1462 size = POOLWORDS;
1463 if (copy_to_user(p, random_state.pool, size*sizeof(__u32)))
1464 return -EFAULT;
1465 return 0;
1466 case RNDADDENTROPY:
1467 if (!capable(CAP_SYS_ADMIN))
1468 return -EPERM;
1469 p = (int *) arg;
1470 retval = verify_area(VERIFY_READ, (void *) p, 2*sizeof(int));
1471 if (retval)
1472 return(retval);
1473 get_user(ent_count, p++);
1474 if (ent_count < 0)
1475 return -EINVAL;
1476 get_user(size, p++);
1477 retval = verify_area(VERIFY_READ, (void *) p, size);
1478 if (retval)
1479 return retval;
1480 retval = random_write(file, (const char *) p,
1481 size, &file->f_pos);
1482 if (retval < 0)
1483 return retval;
1484 /*
1485 * Add ent_count to entropy_count, limiting the result to be
1486 * between 0 and POOLBITS.
1487 */
1488 if (ent_count > POOLBITS)
1489 random_state.entropy_count = POOLBITS;
1490 else {
1491 random_state.entropy_count += ent_count;
1492 if (random_state.entropy_count > POOLBITS)
1493 random_state.entropy_count = POOLBITS;
1494 if (random_state.entropy_count < 0)
1495 random_state.entropy_count = 0;
1496 }
1497 /*
1498 * Wake up waiting processes if we have enough
1499 * entropy.
1500 */
1501 if (random_state.entropy_count >= WAIT_INPUT_BITS)
1502 wake_up_interruptible(&random_read_wait);
1503 return 0;
1504 case RNDZAPENTCNT:
1505 if (!capable(CAP_SYS_ADMIN))
1506 return -EPERM;
1507 random_state.entropy_count = 0;
1508 return 0;
1509 case RNDCLEARPOOL:
1510 /* Clear the entropy pool and associated counters. */
1511 if (!capable(CAP_SYS_ADMIN))
1512 return -EPERM;
1513 rand_clear_pool();
1514 return 0;
1515 default:
1516 return -EINVAL;
1517 }
1518 }
1519
1520 struct file_operations random_fops = {
1521 NULL, /* random_lseek */
1522 random_read,
1523 random_write,
1524 NULL, /* random_readdir */
1525 random_poll, /* random_poll */
1526 random_ioctl,
1527 NULL, /* random_mmap */
1528 NULL, /* no special open code */
1529 NULL, /* flush */
1530 NULL /* no special release code */
1531 };
1532
1533 struct file_operations urandom_fops = {
1534 NULL, /* unrandom_lseek */
1535 random_read_unlimited,
1536 random_write,
1537 NULL, /* urandom_readdir */
1538 NULL, /* urandom_poll */
1539 random_ioctl,
1540 NULL, /* urandom_mmap */
1541 NULL, /* no special open code */
1542 NULL, /* flush */
1543 NULL /* no special release code */
1544 };
1545
1546 /*
1547 * TCP initial sequence number picking. This uses the random number
1548 * generator to pick an initial secret value. This value is hashed
1549 * along with the TCP endpoint information to provide a unique
1550 * starting point for each pair of TCP endpoints. This defeats
1551 * attacks which rely on guessing the initial TCP sequence number.
1552 * This algorithm was suggested by Steve Bellovin.
1553 *
1554 * Using a very strong hash was taking an appreciable amount of the total
1555 * TCP connection establishment time, so this is a weaker hash,
1556 * compensated for by changing the secret periodically.
1557 */
1558
1559 /* F, G and H are basic MD4 functions: selection, majority, parity */
1560 #define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
1561 #define G(x, y, z) (((x) & (y)) + (((x) ^ (y)) & (z)))
1562 #define H(x, y, z) ((x) ^ (y) ^ (z))
1563
1564 /*
1565 * The generic round function. The application is so specific that
1566 * we don't bother protecting all the arguments with parens, as is generally
1567 * good macro practice, in favor of extra legibility.
1568 * Rotation is separate from addition to prevent recomputation
1569 */
1570 #define ROUND(f, a, b, c, d, x, s) \
1571 (a += f(b, c, d) + x, a = (a << s) | (a >> (32-s)))
1572 #define K1 0
1573 #define K2 013240474631UL
1574 #define K3 015666365641UL
1575
1576 /*
1577 * Basic cut-down MD4 transform. Returns only 32 bits of result.
1578 */
1579 static __u32 halfMD4Transform (__u32 const buf[4], __u32 const in[8])
1580 {
1581 __u32 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
1582
1583 /* Round 1 */
1584 ROUND(F, a, b, c, d, in[0] + K1, 3);
1585 ROUND(F, d, a, b, c, in[1] + K1, 7);
1586 ROUND(F, c, d, a, b, in[2] + K1, 11);
1587 ROUND(F, b, c, d, a, in[3] + K1, 19);
1588 ROUND(F, a, b, c, d, in[4] + K1, 3);
1589 ROUND(F, d, a, b, c, in[5] + K1, 7);
1590 ROUND(F, c, d, a, b, in[6] + K1, 11);
1591 ROUND(F, b, c, d, a, in[7] + K1, 19);
1592
1593 /* Round 2 */
1594 ROUND(G, a, b, c, d, in[1] + K2, 3);
1595 ROUND(G, d, a, b, c, in[3] + K2, 5);
1596 ROUND(G, c, d, a, b, in[5] + K2, 9);
1597 ROUND(G, b, c, d, a, in[7] + K2, 13);
1598 ROUND(G, a, b, c, d, in[0] + K2, 3);
1599 ROUND(G, d, a, b, c, in[2] + K2, 5);
1600 ROUND(G, c, d, a, b, in[4] + K2, 9);
1601 ROUND(G, b, c, d, a, in[6] + K2, 13);
1602
1603 /* Round 3 */
1604 ROUND(H, a, b, c, d, in[3] + K3, 3);
1605 ROUND(H, d, a, b, c, in[7] + K3, 9);
1606 ROUND(H, c, d, a, b, in[2] + K3, 11);
1607 ROUND(H, b, c, d, a, in[6] + K3, 15);
1608 ROUND(H, a, b, c, d, in[1] + K3, 3);
1609 ROUND(H, d, a, b, c, in[5] + K3, 9);
1610 ROUND(H, c, d, a, b, in[0] + K3, 11);
1611 ROUND(H, b, c, d, a, in[4] + K3, 15);
1612
1613 return buf[1] + b; /* "most hashed" word */
1614 /* Alternative: return sum of all words? */
1615 }
1616
1617 #if 0 /* May be needed for IPv6 */
1618
1619 static __u32 twothirdsMD4Transform (__u32 const buf[4], __u32 const in[12])
1620 {
1621 __u32 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
1622
1623 /* Round 1 */
1624 ROUND(F, a, b, c, d, in[ 0] + K1, 3);
1625 ROUND(F, d, a, b, c, in[ 1] + K1, 7);
1626 ROUND(F, c, d, a, b, in[ 2] + K1, 11);
1627 ROUND(F, b, c, d, a, in[ 3] + K1, 19);
1628 ROUND(F, a, b, c, d, in[ 4] + K1, 3);
1629 ROUND(F, d, a, b, c, in[ 5] + K1, 7);
1630 ROUND(F, c, d, a, b, in[ 6] + K1, 11);
1631 ROUND(F, b, c, d, a, in[ 7] + K1, 19);
1632 ROUND(F, a, b, c, d, in[ 8] + K1, 3);
1633 ROUND(F, d, a, b, c, in[ 9] + K1, 7);
1634 ROUND(F, c, d, a, b, in[10] + K1, 11);
1635 ROUND(F, b, c, d, a, in[11] + K1, 19);
1636
1637 /* Round 2 */
1638 ROUND(G, a, b, c, d, in[ 1] + K2, 3);
1639 ROUND(G, d, a, b, c, in[ 3] + K2, 5);
1640 ROUND(G, c, d, a, b, in[ 5] + K2, 9);
1641 ROUND(G, b, c, d, a, in[ 7] + K2, 13);
1642 ROUND(G, a, b, c, d, in[ 9] + K2, 3);
1643 ROUND(G, d, a, b, c, in[11] + K2, 5);
1644 ROUND(G, c, d, a, b, in[ 0] + K2, 9);
1645 ROUND(G, b, c, d, a, in[ 2] + K2, 13);
1646 ROUND(G, a, b, c, d, in[ 4] + K2, 3);
1647 ROUND(G, d, a, b, c, in[ 6] + K2, 5);
1648 ROUND(G, c, d, a, b, in[ 8] + K2, 9);
1649 ROUND(G, b, c, d, a, in[10] + K2, 13);
1650
1651 /* Round 3 */
1652 ROUND(H, a, b, c, d, in[ 3] + K3, 3);
1653 ROUND(H, d, a, b, c, in[ 7] + K3, 9);
1654 ROUND(H, c, d, a, b, in[11] + K3, 11);
1655 ROUND(H, b, c, d, a, in[ 2] + K3, 15);
1656 ROUND(H, a, b, c, d, in[ 6] + K3, 3);
1657 ROUND(H, d, a, b, c, in[10] + K3, 9);
1658 ROUND(H, c, d, a, b, in[ 1] + K3, 11);
1659 ROUND(H, b, c, d, a, in[ 5] + K3, 15);
1660 ROUND(H, a, b, c, d, in[ 9] + K3, 3);
1661 ROUND(H, d, a, b, c, in[ 0] + K3, 9);
1662 ROUND(H, c, d, a, b, in[ 4] + K3, 11);
1663 ROUND(H, b, c, d, a, in[ 8] + K3, 15);
1664
1665 return buf[1] + b; /* "most hashed" word */
1666 /* Alternative: return sum of all words? */
1667 }
1668 #endif
1669
1670 #undef ROUND
1671 #undef F
1672 #undef G
1673 #undef H
1674 #undef K1
1675 #undef K2
1676 #undef K3
1677
1678 /* This should not be decreased so low that ISNs wrap too fast. */
1679 #define REKEY_INTERVAL 300
1680 #define HASH_BITS 24
1681
1682 __u32 secure_tcp_sequence_number(__u32 saddr, __u32 daddr,
1683 __u16 sport, __u16 dport)
1684 {
1685 static __u32 rekey_time = 0;
1686 static __u32 count = 0;
1687 static __u32 secret[12];
1688 struct timeval tv;
1689 __u32 seq;
1690
1691 /*
1692 * Pick a random secret every REKEY_INTERVAL seconds.
1693 */
1694 do_gettimeofday(&tv); /* We need the usecs below... */
1695
1696 if (!rekey_time || (tv.tv_sec - rekey_time) > REKEY_INTERVAL) {
1697 rekey_time = tv.tv_sec;
1698 /* First three words are overwritten below. */
1699 get_random_bytes(&secret+3, sizeof(secret)-12);
1700 count = (tv.tv_sec/REKEY_INTERVAL) << HASH_BITS;
1701 }
1702
1703 /*
1704 * Pick a unique starting offset for each TCP connection endpoints
1705 * (saddr, daddr, sport, dport).
1706 * Note that the words are placed into the first words to be
1707 * mixed in with the halfMD4. This is because the starting
1708 * vector is also a random secret (at secret+8), and further
1709 * hashing fixed data into it isn't going to improve anything,
1710 * so we should get started with the variable data.
1711 */
1712 secret[0]=saddr;
1713 secret[1]=daddr;
1714 secret[2]=(sport << 16) + dport;
1715
1716 seq = (halfMD4Transform(secret+8, secret) &
1717 ((1<<HASH_BITS)-1)) + count;
1718
1719 /*
1720 * As close as possible to RFC 793, which
1721 * suggests using a 250 kHz clock.
1722 * Further reading shows this assumes 2 Mb/s networks.
1723 * For 10 Mb/s Ethernet, a 1 MHz clock is appropriate.
1724 * That's funny, Linux has one built in! Use it!
1725 * (Networks are faster now - should this be increased?)
1726 */
1727 seq += tv.tv_usec + tv.tv_sec*1000000;
1728 #if 0
1729 printk("init_seq(%lx, %lx, %d, %d) = %d\n",
1730 saddr, daddr, sport, dport, seq);
1731 #endif
1732 return seq;
1733 }
1734
1735 #ifdef CONFIG_SYN_COOKIES
1736 /*
1737 * Secure SYN cookie computation. This is the algorithm worked out by
1738 * Dan Bernstein and Eric Schenk.
1739 *
1740 * For linux I implement the 1 minute counter by looking at the jiffies clock.
1741 * The count is passed in as a parameter, so this code doesn't much care.
1742 */
1743
1744 #define COOKIEBITS 24 /* Upper bits store count */
1745 #define COOKIEMASK (((__u32)1 << COOKIEBITS) - 1)
1746
1747 static int syncookie_init = 0;
1748 static __u32 syncookie_secret[2][16-3+HASH_BUFFER_SIZE];
1749
1750 __u32 secure_tcp_syn_cookie(__u32 saddr, __u32 daddr, __u16 sport,
1751 __u16 dport, __u32 sseq, __u32 count, __u32 data)
1752 {
1753 __u32 tmp[16 + HASH_BUFFER_SIZE + HASH_EXTRA_SIZE];
1754 __u32 seq;
1755
1756 /*
1757 * Pick two random secrets the first time we need a cookie.
1758 */
1759 if (syncookie_init == 0) {
1760 get_random_bytes(syncookie_secret, sizeof(syncookie_secret));
1761 syncookie_init = 1;
1762 }
1763
1764 /*
1765 * Compute the secure sequence number.
1766 * The output should be:
1767 * HASH(sec1,saddr,sport,daddr,dport,sec1) + sseq + (count * 2^24)
1768 * + (HASH(sec2,saddr,sport,daddr,dport,count,sec2) % 2^24).
1769 * Where sseq is their sequence number and count increases every
1770 * minute by 1.
1771 * As an extra hack, we add a small "data" value that encodes the
1772 * MSS into the second hash value.
1773 */
1774
1775 memcpy(tmp+3, syncookie_secret[0], sizeof(syncookie_secret[0]));
1776 tmp[0]=saddr;
1777 tmp[1]=daddr;
1778 tmp[2]=(sport << 16) + dport;
1779 HASH_TRANSFORM(tmp+16, tmp);
1780 seq = tmp[17] + sseq + (count << COOKIEBITS);
1781
1782 memcpy(tmp+3, syncookie_secret[1], sizeof(syncookie_secret[1]));
1783 tmp[0]=saddr;
1784 tmp[1]=daddr;
1785 tmp[2]=(sport << 16) + dport;
1786 tmp[3] = count; /* minute counter */
1787 HASH_TRANSFORM(tmp+16, tmp);
1788
1789 /* Add in the second hash and the data */
1790 return seq + ((tmp[17] + data) & COOKIEMASK);
1791 }
1792
1793 /*
1794 * This retrieves the small "data" value from the syncookie.
1795 * If the syncookie is bad, the data returned will be out of
1796 * range. This must be checked by the caller.
1797 *
1798 * The count value used to generate the cookie must be within
1799 * "maxdiff" if the current (passed-in) "count". The return value
1800 * is (__u32)-1 if this test fails.
1801 */
1802 __u32 check_tcp_syn_cookie(__u32 cookie, __u32 saddr, __u32 daddr, __u16 sport,
1803 __u16 dport, __u32 sseq, __u32 count, __u32 maxdiff)
1804 {
1805 __u32 tmp[16 + HASH_BUFFER_SIZE + HASH_EXTRA_SIZE];
1806 __u32 diff;
1807
1808 if (syncookie_init == 0)
1809 return (__u32)-1; /* Well, duh! */
1810
1811 /* Strip away the layers from the cookie */
1812 memcpy(tmp+3, syncookie_secret[0], sizeof(syncookie_secret[0]));
1813 tmp[0]=saddr;
1814 tmp[1]=daddr;
1815 tmp[2]=(sport << 16) + dport;
1816 HASH_TRANSFORM(tmp+16, tmp);
1817 cookie -= tmp[17] + sseq;
1818 /* Cookie is now reduced to (count * 2^24) ^ (hash % 2^24) */
1819
1820 diff = (count - (cookie >> COOKIEBITS)) & ((__u32)-1 >> COOKIEBITS);
1821 if (diff >= maxdiff)
1822 return (__u32)-1;
1823
1824 memcpy(tmp+3, syncookie_secret[1], sizeof(syncookie_secret[1]));
1825 tmp[0] = saddr;
1826 tmp[1] = daddr;
1827 tmp[2] = (sport << 16) + dport;
1828 tmp[3] = count - diff; /* minute counter */
1829 HASH_TRANSFORM(tmp+16, tmp);
1830
1831 return (cookie - tmp[17]) & COOKIEMASK; /* Leaving the data behind */
1832 }
1833 #endif
1834
1835
1836 #ifdef RANDOM_BENCHMARK
1837 /*
1838 * This is so we can do some benchmarking of the random driver, to see
1839 * how much overhead add_timer_randomness really takes. This only
1840 * works on a Pentium, since it depends on the timer clock...
1841 *
1842 * Note: the results of this benchmark as of this writing (5/27/96)
1843 *
1844 * On a Pentium, add_timer_randomness() takes between 150 and 1000
1845 * clock cycles, with an average of around 600 clock cycles. On a 75
1846 * MHz Pentium, this translates to 2 to 13 microseconds, with an
1847 * average time of 8 microseconds. This should be fast enough so we
1848 * can use add_timer_randomness() even with the fastest of interrupts...
1849 */
1850 static inline unsigned long long get_clock_cnt(void)
1851 {
1852 unsigned long low, high;
1853 __asm__(".byte 0x0f,0x31" :"=a" (low), "=d" (high));
1854 return (((unsigned long long) high << 32) | low);
1855 }
1856
1857 __initfunc(static void
1858 initialize_benchmark(struct random_benchmark *bench,
1859 const char *descr, int unit))
1860 {
1861 bench->times = 0;
1862 bench->accum = 0;
1863 bench->max = 0;
1864 bench->min = 1 << 31;
1865 bench->descr = descr;
1866 bench->unit = unit;
1867 }
1868
1869 static void begin_benchmark(struct random_benchmark *bench)
1870 {
1871 #ifdef BENCHMARK_NOINT
1872 save_flags(bench->flags); cli();
1873 #endif
1874 bench->start_time = get_clock_cnt();
1875 }
1876
1877 static void end_benchmark(struct random_benchmark *bench)
1878 {
1879 unsigned long ticks;
1880
1881 ticks = (unsigned long) (get_clock_cnt() - bench->start_time);
1882 #ifdef BENCHMARK_NOINT
1883 restore_flags(bench->flags);
1884 #endif
1885 if (ticks < bench->min)
1886 bench->min = ticks;
1887 if (ticks > bench->max)
1888 bench->max = ticks;
1889 bench->accum += ticks;
1890 bench->times++;
1891 if (bench->times == BENCHMARK_INTERVAL) {
1892 printk("Random benchmark: %s %d: %lu min, %lu avg, "
1893 "%lu max\n", bench->descr, bench->unit, bench->min,
1894 bench->accum / BENCHMARK_INTERVAL, bench->max);
1895 bench->times = 0;
1896 bench->accum = 0;
1897 bench->max = 0;
1898 bench->min = 1 << 31;
1899 }
1900 }
1901 #endif /* RANDOM_BENCHMARK */
Copy of Dave Jones history.git as used by http://archive.org/details/git-history-of-linux