Subversion Repositories or1k

/*

 * random.c -- A strong random number generator

 *

 * Version 1.89, last modified 19-Sep-99

 *

 * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999.  All

 * rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 * 1. Redistributions of source code must retain the above copyright

 *    notice, and the entire permission notice in its entirety,

 *    including the disclaimer of warranties.

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in the

 *    documentation and/or other materials provided with the distribution.

 * 3. The name of the author may not be used to endorse or promote

 *    products derived from this software without specific prior

 *    written permission.

 *

 * ALTERNATIVELY, this product may be distributed under the terms of

 * the GNU General Public License, in which case the provisions of the GPL are

 * required INSTEAD OF the above restrictions.  (This clause is

 * necessary due to a potential bad interaction between the GPL and

 * the restrictions contained in a BSD-style copyright.)

 *

 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED

 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF

 * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE

 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT

 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR

 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE

 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH

 * DAMAGE.

 */

/*

 * (now, with legal B.S. out of the way.....)

 *

 * This routine gathers environmental noise from device drivers, etc.,

 * and returns good random numbers, suitable for cryptographic use.

 * Besides the obvious cryptographic uses, these numbers are also good

 * for seeding TCP sequence numbers, and other places where it is

 * desirable to have numbers which are not only random, but hard to

 * predict by an attacker.

 *

 * Theory of operation

 * ===================

 *

 * Computers are very predictable devices.  Hence it is extremely hard

 * to produce truly random numbers on a computer --- as opposed to

 * pseudo-random numbers, which can easily generated by using a

 * algorithm.  Unfortunately, it is very easy for attackers to guess

 * the sequence of pseudo-random number generators, and for some

 * applications this is not acceptable.  So instead, we must try to

 * gather "environmental noise" from the computer's environment, which

 * must be hard for outside attackers to observe, and use that to

 * generate random numbers.  In a Unix environment, this is best done

 * from inside the kernel.

 *

 * Sources of randomness from the environment include inter-keyboard

 * timings, inter-interrupt timings from some interrupts, and other

 * events which are both (a) non-deterministic and (b) hard for an

 * outside observer to measure.  Randomness from these sources are

 * added to an "entropy pool", which is mixed using a CRC-like function.

 * This is not cryptographically strong, but it is adequate assuming

 * the randomness is not chosen maliciously, and it is fast enough that

 * the overhead of doing it on every interrupt is very reasonable.

 * As random bytes are mixed into the entropy pool, the routines keep

 * an *estimate* of how many bits of randomness have been stored into

 * the random number generator's internal state.

 *

 * When random bytes are desired, they are obtained by taking the SHA

 * hash of the contents of the "entropy pool".  The SHA hash avoids

 * exposing the internal state of the entropy pool.  It is believed to

 * be computationally infeasible to derive any useful information

 * about the input of SHA from its output.  Even if it is possible to

 * analyze SHA in some clever way, as long as the amount of data

 * returned from the generator is less than the inherent entropy in

 * the pool, the output data is totally unpredictable.  For this

 * reason, the routine decreases its internal estimate of how many

 * bits of "true randomness" are contained in the entropy pool as it

 * outputs random numbers.

 *

 * If this estimate goes to zero, the routine can still generate

 * random numbers; however, an attacker may (at least in theory) be

 * able to infer the future output of the generator from prior

 * outputs.  This requires successful cryptanalysis of SHA, which is

 * not believed to be feasible, but there is a remote possibility.

 * Nonetheless, these numbers should be useful for the vast majority

 * of purposes.

 *

 * Exported interfaces ---- output

 * ===============================

 *

 * There are three exported interfaces; the first is one designed to

 * be used from within the kernel:

 *

 *      void get_random_bytes(void *buf, int nbytes);

 *

 * This interface will return the requested number of random bytes,

 * and place it in the requested buffer.

 *

 * The two other interfaces are two character devices /dev/random and

 * /dev/urandom.  /dev/random is suitable for use when very high

 * quality randomness is desired (for example, for key generation or

 * one-time pads), as it will only return a maximum of the number of

 * bits of randomness (as estimated by the random number generator)

 * contained in the entropy pool.

 *

 * The /dev/urandom device does not have this limit, and will return

 * as many bytes as are requested.  As more and more random bytes are

 * requested without giving time for the entropy pool to recharge,

 * this will result in random numbers that are merely cryptographically

 * strong.  For many applications, however, this is acceptable.

 *

 * Exported interfaces ---- input

 * ==============================

 *

 * The current exported interfaces for gathering environmental noise

 * from the devices are:

 *

 *      void add_keyboard_randomness(unsigned char scancode);

 *      void add_mouse_randomness(__u32 mouse_data);

 *      void add_interrupt_randomness(int irq);

 *      void add_blkdev_randomness(int irq);

 *

 * add_keyboard_randomness() uses the inter-keypress timing, as well as the

 * scancode as random inputs into the "entropy pool".

 *

 * add_mouse_randomness() uses the mouse interrupt timing, as well as

 * the reported position of the mouse from the hardware.

 *

 * add_interrupt_randomness() uses the inter-interrupt timing as random

 * inputs to the entropy pool.  Note that not all interrupts are good

 * sources of randomness!  For example, the timer interrupts is not a

 * good choice, because the periodicity of the interrupts is too

 * regular, and hence predictable to an attacker.  Disk interrupts are

 * a better measure, since the timing of the disk interrupts are more

 * unpredictable.

 *

 * add_blkdev_randomness() times the finishing time of block requests.

 *

 * All of these routines try to estimate how many bits of randomness a

 * particular randomness source.  They do this by keeping track of the

 * first and second order deltas of the event timings.

 *

 * Ensuring unpredictability at system startup

 * ============================================

 *

 * When any operating system starts up, it will go through a sequence

 * of actions that are fairly predictable by an adversary, especially

 * if the start-up does not involve interaction with a human operator.

 * This reduces the actual number of bits of unpredictability in the

 * entropy pool below the value in entropy_count.  In order to

 * counteract this effect, it helps to carry information in the

 * entropy pool across shut-downs and start-ups.  To do this, put the

 * following lines an appropriate script which is run during the boot

 * sequence:

 *

 *      echo "Initializing random number generator..."

 *      random_seed=/var/run/random-seed

 *      # Carry a random seed from start-up to start-up

 *      # Load and then save the whole entropy pool

 *      if [ -f $random_seed ]; then

 *              cat $random_seed >/dev/urandom

 *      else

 *              touch $random_seed

 *      fi

 *      chmod 600 $random_seed

 *      poolfile=/proc/sys/kernel/random/poolsize

 *      [ -r $poolfile ] && bytes=`cat $poolfile` || bytes=512

 *      dd if=/dev/urandom of=$random_seed count=1 bs=$bytes

 *

 * and the following lines in an appropriate script which is run as

 * the system is shutdown:

 *

 *      # Carry a random seed from shut-down to start-up

 *      # Save the whole entropy pool

 *      echo "Saving random seed..."

 *      random_seed=/var/run/random-seed

 *      touch $random_seed

 *      chmod 600 $random_seed

 *      poolfile=/proc/sys/kernel/random/poolsize

 *      [ -r $poolfile ] && bytes=`cat $poolfile` || bytes=512

 *      dd if=/dev/urandom of=$random_seed count=1 bs=$bytes

 *

 * For example, on most modern systems using the System V init

 * scripts, such code fragments would be found in

 * /etc/rc.d/init.d/random.  On older Linux systems, the correct script

 * location might be in /etc/rcb.d/rc.local or /etc/rc.d/rc.0.

 *

 * Effectively, these commands cause the contents of the entropy pool

 * to be saved at shut-down time and reloaded into the entropy pool at

 * start-up.  (The 'dd' in the addition to the bootup script is to

 * make sure that /etc/random-seed is different for every start-up,

 * even if the system crashes without executing rc.0.)  Even with

 * complete knowledge of the start-up activities, predicting the state

 * of the entropy pool requires knowledge of the previous history of

 * the system.

 *

 * Configuring the /dev/random driver under Linux

 * ==============================================

 *

 * The /dev/random driver under Linux uses minor numbers 8 and 9 of

 * the /dev/mem major number (#1).  So if your system does not have

 * /dev/random and /dev/urandom created already, they can be created

 * by using the commands:

 *

 *      mknod /dev/random c 1 8

 *      mknod /dev/urandom c 1 9

 *

 * Acknowledgements:

 * =================

 *

 * Ideas for constructing this random number generator were derived

 * from Pretty Good Privacy's random number generator, and from private

 * discussions with Phil Karn.  Colin Plumb provided a faster random

 * number generator, which speed up the mixing function of the entropy

 * pool, taken from PGPfone.  Dale Worley has also contributed many

 * useful ideas and suggestions to improve this driver.

 *

 * Any flaws in the design are solely my responsibility, and should

 * not be attributed to the Phil, Colin, or any of authors of PGP.

 *

 * The code for SHA transform was taken from Peter Gutmann's

 * implementation, which has been placed in the public domain.

 * The code for MD5 transform was taken from Colin Plumb's

 * implementation, which has been placed in the public domain.

 * The MD5 cryptographic checksum was devised by Ronald Rivest, and is

 * documented in RFC 1321, "The MD5 Message Digest Algorithm".

 *

 * Further background information on this topic may be obtained from

 * RFC 1750, "Randomness Recommendations for Security", by Donald

 * Eastlake, Steve Crocker, and Jeff Schiller.

 */

#include <linux/utsname.h>

#include <linux/config.h>

#include <linux/module.h>

#include <linux/kernel.h>

#include <linux/major.h>

#include <linux/string.h>

#include <linux/fcntl.h>

#include <linux/slab.h>

#include <linux/random.h>

#include <linux/poll.h>

#include <linux/init.h>

#include <linux/interrupt.h>

#include <linux/spinlock.h>

#include <asm/processor.h>

#include <asm/uaccess.h>

#include <asm/irq.h>

#include <asm/io.h>

/*

 * Configuration information

 */

#define DEFAULT_POOL_SIZE 512

#define SECONDARY_POOL_SIZE 128

#define BATCH_ENTROPY_SIZE 256

#define USE_SHA

/*

 * The minimum number of bits of entropy before we wake up a read on

 * /dev/random.  Should always be at least 8, or at least 1 byte.

 */

static int random_read_wakeup_thresh = 8;

/*

 * If the entropy count falls under this number of bits, then we

 * should wake up processes which are selecting or polling on write

 * access to /dev/random.

 */

static int random_write_wakeup_thresh = 128;

/*

 * A pool of size .poolwords is stirred with a primitive polynomial

 * of degree .poolwords over GF(2).  The taps for various sizes are

 * defined below.  They are chosen to be evenly spaced (minimum RMS

 * distance from evenly spaced; the numbers in the comments are a

 * scaled squared error sum) except for the last tap, which is 1 to

 * get the twisting happening as fast as possible.

 */

static struct poolinfo {

        int     poolwords;

        int     tap1, tap2, tap3, tap4, tap5;

} poolinfo_table[] = {

        /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1  -- 115 */

        { 2048, 1638,   1231,   819,    411,    1 },

        /* x^1024 + x^817 + x^615 + x^412 + x^204 + x + 1 -- 290 */

        { 1024, 817,    615,    412,    204,    1 },

#if 0                           /* Alternate polynomial */

        /* x^1024 + x^819 + x^616 + x^410 + x^207 + x^2 + 1 -- 115 */

        { 1024, 819,    616,    410,    207,    2 },

#endif

        /* x^512 + x^411 + x^308 + x^208 + x^104 + x + 1 -- 225 */

        { 512,  411,    308,    208,    104,    1 },

#if 0                           /* Alternates */

        /* x^512 + x^409 + x^307 + x^206 + x^102 + x^2 + 1 -- 95 */

        { 512,  409,    307,    206,    102,    2 },

        /* x^512 + x^409 + x^309 + x^205 + x^103 + x^2 + 1 -- 95 */

        { 512,  409,    309,    205,    103,    2 },

#endif

        /* x^256 + x^205 + x^155 + x^101 + x^52 + x + 1 -- 125 */

        { 256,  205,    155,    101,    52,     1 },

        /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */

        { 128,  103,    76,     51,     25,     1 },

#if 0   /* Alternate polynomial */

        /* x^128 + x^103 + x^78 + x^51 + x^27 + x^2 + 1 -- 70 */

        { 128,  103,    78,     51,     27,     2 },

#endif

        /* x^64 + x^52 + x^39 + x^26 + x^14 + x + 1 -- 15 */

        { 64,   52,     39,     26,     14,     1 },

        /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */

        { 32,   26,     20,     14,     7,      1 },

        { 0,     0,       0,       0,       0,       0 },

};

#define POOLBITS        poolwords*32

#define POOLBYTES       poolwords*4

/*

 * For the purposes of better mixing, we use the CRC-32 polynomial as

 * well to make a twisted Generalized Feedback Shift Reigster

 *

 * (See M. Matsumoto & Y. Kurita, 1992.  Twisted GFSR generators.  ACM

 * Transactions on Modeling and Computer Simulation 2(3):179-194.

 * Also see M. Matsumoto & Y. Kurita, 1994.  Twisted GFSR generators

 * II.  ACM Transactions on Mdeling and Computer Simulation 4:254-266)

 *

 * Thanks to Colin Plumb for suggesting this.

 *

 * We have not analyzed the resultant polynomial to prove it primitive;

 * in fact it almost certainly isn't.  Nonetheless, the irreducible factors

 * of a random large-degree polynomial over GF(2) are more than large enough

 * that periodicity is not a concern.

 *

 * The input hash is much less sensitive than the output hash.  All

 * that we want of it is that it be a good non-cryptographic hash;

 * i.e. it not produce collisions when fed "random" data of the sort

 * we expect to see.  As long as the pool state differs for different

 * inputs, we have preserved the input entropy and done a good job.

 * The fact that an intelligent attacker can construct inputs that

 * will produce controlled alterations to the pool's state is not

 * important because we don't consider such inputs to contribute any

 * randomness.  The only property we need with respect to them is that

 * the attacker can't increase his/her knowledge of the pool's state.

 * Since all additions are reversible (knowing the final state and the

 * input, you can reconstruct the initial state), if an attacker has

 * any uncertainty about the initial state, he/she can only shuffle

 * that uncertainty about, but never cause any collisions (which would

 * decrease the uncertainty).

 *

 * The chosen system lets the state of the pool be (essentially) the input

 * modulo the generator polymnomial.  Now, for random primitive polynomials,

 * this is a universal class of hash functions, meaning that the chance

 * of a collision is limited by the attacker's knowledge of the generator

 * polynomail, so if it is chosen at random, an attacker can never force

 * a collision.  Here, we use a fixed polynomial, but we *can* assume that

 * ###--> it is unknown to the processes generating the input entropy. <-###

 * Because of this important property, this is a good, collision-resistant

 * hash; hash collisions will occur no more often than chance.

 */

/*

 * Linux 2.2 compatibility

 */

#ifndef DECLARE_WAITQUEUE

#define DECLARE_WAITQUEUE(WAIT, PTR)    struct wait_queue WAIT = { PTR, NULL }

#endif

#ifndef DECLARE_WAIT_QUEUE_HEAD

#define DECLARE_WAIT_QUEUE_HEAD(WAIT) struct wait_queue *WAIT

#endif

/*

 * Static global variables

 */

static struct entropy_store *random_state; /* The default global store */

static struct entropy_store *sec_random_state; /* secondary store */

static DECLARE_WAIT_QUEUE_HEAD(random_read_wait);

static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);

/*

 * Forward procedure declarations

 */

#ifdef CONFIG_SYSCTL

static void sysctl_init_random(struct entropy_store *random_state);

#endif

/*****************************************************************

 *

 * Utility functions, with some ASM defined functions for speed

 * purposes

 *

 *****************************************************************/

/*

 * Unfortunately, while the GCC optimizer for the i386 understands how

 * to optimize a static rotate left of x bits, it doesn't know how to

 * deal with a variable rotate of x bits.  So we use a bit of asm magic.

 */

#if (!defined (__i386__))

static inline __u32 rotate_left(int i, __u32 word)

{

        return (word << i) | (word >> (32 - i));

}

#else

static inline __u32 rotate_left(int i, __u32 word)

{

        __asm__("roll %%cl,%0"

                :"=r" (word)

                :"0" (word),"c" (i));

        return word;

}

#endif

/*

 * More asm magic....

 *

 * For entropy estimation, we need to do an integral base 2

 * logarithm.

 *

 * Note the "12bits" suffix - this is used for numbers between

 * 0 and 4095 only.  This allows a few shortcuts.

 */

#if 0   /* Slow but clear version */

static inline __u32 int_ln_12bits(__u32 word)

{

        __u32 nbits = 0;

        while (word >>= 1)

                nbits++;

        return nbits;

}

#else   /* Faster (more clever) version, courtesy Colin Plumb */

static inline __u32 int_ln_12bits(__u32 word)

{

        /* Smear msbit right to make an n-bit mask */

        word |= word >> 8;

        word |= word >> 4;

        word |= word >> 2;

        word |= word >> 1;

        /* Remove one bit to make this a logarithm */

        word >>= 1;

        /* Count the bits set in the word */

        word -= (word >> 1) & 0x555;

        word = (word & 0x333) + ((word >> 2) & 0x333);

        word += (word >> 4);

        word += (word >> 8);

        return word & 15;

}

#endif

#if 0

#define DEBUG_ENT(fmt, arg...) printk(KERN_DEBUG "random: " fmt, ## arg)

#else

#define DEBUG_ENT(fmt, arg...) do {} while (0)

#endif

/**********************************************************************

 *

 * OS independent entropy store.   Here are the functions which handle

 * storing entropy in an entropy pool.

 *

 **********************************************************************/

struct entropy_store {

        unsigned        add_ptr;

        int             entropy_count;

        int             input_rotate;

        int             extract_count;

        struct poolinfo poolinfo;

        __u32           *pool;

};

/*

 * Initialize the entropy store.  The input argument is the size of

 * the random pool.

 *

 * Returns an negative error if there is a problem.

 */

static int create_entropy_store(int size, struct entropy_store **ret_bucket)

{

        struct  entropy_store   *r;

        struct  poolinfo        *p;

        int     poolwords;

        poolwords = (size + 3) / 4; /* Convert bytes->words */

        /* The pool size must be a multiple of 16 32-bit words */

        poolwords = ((poolwords + 15) / 16) * 16;

        for (p = poolinfo_table; p->poolwords; p++) {

                if (poolwords == p->poolwords)

                        break;

        }

        if (p->poolwords == 0)

                return -EINVAL;

        r = kmalloc(sizeof(struct entropy_store), GFP_KERNEL);

        if (!r)

                return -ENOMEM;

        memset (r, 0, sizeof(struct entropy_store));

        r->poolinfo = *p;

        r->pool = kmalloc(POOLBYTES, GFP_KERNEL);

        if (!r->pool) {

                kfree(r);

                return -ENOMEM;

        }

        memset(r->pool, 0, POOLBYTES);

        *ret_bucket = r;

        return 0;

}

/* Clear the entropy pool and associated counters. */

static void clear_entropy_store(struct entropy_store *r)

{

        r->add_ptr = 0;

        r->entropy_count = 0;

        r->input_rotate = 0;

        r->extract_count = 0;

        memset(r->pool, 0, r->poolinfo.POOLBYTES);

}

static void free_entropy_store(struct entropy_store *r)

{

        if (r->pool)

                kfree(r->pool);

        kfree(r);

}

/*

 * This function adds a byte into the entropy "pool".  It does not

 * update the entropy estimate.  The caller should call

 * credit_entropy_store if this is appropriate.

 *

 * The pool is stirred with a primitive polynomial of the appropriate

 * degree, and then twisted.  We twist by three bits at a time because

 * it's cheap to do so and helps slightly in the expected case where

 * the entropy is concentrated in the low-order bits.

 */

static void add_entropy_words(struct entropy_store *r, const __u32 *in,

                              int nwords)

{

        static __u32 const twist_table[8] = {

                         0, 0x3b6e20c8, 0x76dc4190, 0x4db26158,

                0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };

        unsigned i;

        int new_rotate;

        int wordmask = r->poolinfo.poolwords - 1;

        __u32 w;

        while (nwords--) {

                w = rotate_left(r->input_rotate, *in++);

                i = r->add_ptr = (r->add_ptr - 1) & wordmask;

                /*

                 * Normally, we add 7 bits of rotation to the pool.

                 * At the beginning of the pool, add an extra 7 bits

                 * rotation, so that successive passes spread the

                 * input bits across the pool evenly.

                 */

                new_rotate = r->input_rotate + 14;

                if (i)

                        new_rotate = r->input_rotate + 7;

                r->input_rotate = new_rotate & 31;

                /* XOR in the various taps */

                w ^= r->pool[(i + r->poolinfo.tap1) & wordmask];

                w ^= r->pool[(i + r->poolinfo.tap2) & wordmask];

                w ^= r->pool[(i + r->poolinfo.tap3) & wordmask];

                w ^= r->pool[(i + r->poolinfo.tap4) & wordmask];

                w ^= r->pool[(i + r->poolinfo.tap5) & wordmask];

                w ^= r->pool[i];

                r->pool[i] = (w >> 3) ^ twist_table[w & 7];

        }

}

/*

 * Credit (or debit) the entropy store with n bits of entropy

 */

static void credit_entropy_store(struct entropy_store *r, int nbits)

{

        if (r->entropy_count + nbits < 0) {

                DEBUG_ENT("negative entropy/overflow (%d+%d)\n",

                          r->entropy_count, nbits);

                r->entropy_count = 0;

        } else if (r->entropy_count + nbits > r->poolinfo.POOLBITS) {

                r->entropy_count = r->poolinfo.POOLBITS;

        } else {

                r->entropy_count += nbits;

                if (nbits)

                        DEBUG_ENT("%s added %d bits, now %d\n",

                                  r == sec_random_state ? "secondary" :

                                  r == random_state ? "primary" : "unknown",

                                  nbits, r->entropy_count);

        }

}

/**********************************************************************

 *

 * Entropy batch input management

 *

 * We batch entropy to be added to avoid increasing interrupt latency

 *

 **********************************************************************/

static __u32    *batch_entropy_pool;

static int      *batch_entropy_credit;

static int      batch_max;

static int      batch_head, batch_tail;

static struct tq_struct batch_tqueue;

static void batch_entropy_process(void *private_);

/* note: the size must be a power of 2 */

static int __init batch_entropy_init(int size, struct entropy_store *r)

{

        batch_entropy_pool = kmalloc(2*size*sizeof(__u32), GFP_KERNEL);

        if (!batch_entropy_pool)

                return -1;

        batch_entropy_credit =kmalloc(size*sizeof(int), GFP_KERNEL);

        if (!batch_entropy_credit) {

                kfree(batch_entropy_pool);

                return -1;

        }

        batch_head = batch_tail = 0;

        batch_max = size;

        batch_tqueue.routine = batch_entropy_process;

        batch_tqueue.data = r;

        return 0;

}

/*

 * Changes to the entropy data is put into a queue rather than being added to

 * the entropy counts directly.  This is presumably to avoid doing heavy

 * hashing calculations during an interrupt in add_timer_randomness().

 * Instead, the entropy is only added to the pool once per timer tick.

 */

void batch_entropy_store(u32 a, u32 b, int num)

{

        int     new;

        if (!batch_max)

                return;

        batch_entropy_pool[2*batch_head] = a;

        batch_entropy_pool[(2*batch_head) + 1] = b;

        batch_entropy_credit[batch_head] = num;

        new = (batch_head+1) & (batch_max-1);

        if (new != batch_tail) {

                queue_task(&batch_tqueue, &tq_timer);

                batch_head = new;

        } else {

                DEBUG_ENT("batch entropy buffer full\n");

        }

}

/*

 * Flush out the accumulated entropy operations, adding entropy to the passed

 * store (normally random_state).  If that store has enough entropy, alternate

 * between randomizing the data of the primary and secondary stores.

 */

static void batch_entropy_process(void *private_)

{

        struct entropy_store *r = (struct entropy_store *) private_, *p;

        int max_entropy = r->poolinfo.POOLBITS;

        if (!batch_max)

                return;

        p = r;

        while (batch_head != batch_tail) {

                if (r->entropy_count >= max_entropy) {

                        r = (r == sec_random_state) ?   random_state :

                                                        sec_random_state;

                        max_entropy = r->poolinfo.POOLBITS;

                }

                add_entropy_words(r, batch_entropy_pool + 2*batch_tail, 2);

                credit_entropy_store(r, batch_entropy_credit[batch_tail]);

                batch_tail = (batch_tail+1) & (batch_max-1);

        }

        if (p->entropy_count >= random_read_wakeup_thresh)

                wake_up_interruptible(&random_read_wait);

}

/*********************************************************************

 *

 * Entropy input management

 *

 *********************************************************************/

/* There is one of these per entropy source */

struct timer_rand_state {

        __u32           last_time;

        __s32           last_delta,last_delta2;

        int             dont_count_entropy:1;

};

static struct timer_rand_state keyboard_timer_state;

static struct timer_rand_state mouse_timer_state;

static struct timer_rand_state extract_timer_state;

#ifndef CONFIG_ARCH_S390

static struct timer_rand_state *irq_timer_state[NR_IRQS];

#endif

static struct timer_rand_state *blkdev_timer_state[MAX_BLKDEV];

/*

 * This function adds entropy to the entropy "pool" by using timing

 * delays.  It uses the timer_rand_state structure to make an estimate

 * of how many bits of entropy this call has added to the pool.

 *

 * The number "num" is also added to the pool - it should somehow describe

 * the type of event which just happened.  This is currently 0-255 for

 * keyboard scan codes, and 256 upwards for interrupts.

 * On the i386, this is assumed to be at most 16 bits, and the high bits

 * are used for a high-resolution timer.

 *

 */

static void add_timer_randomness(struct timer_rand_state *state, unsigned num)

{

        __u32           time;

        __s32           delta, delta2, delta3;

        int             entropy = 0;

#if defined (__i386__)

        if (cpu_has_tsc) {

                __u32 high;

                rdtsc(time, high);

                num ^= high;

        } else {

                time = jiffies;

        }

#elif defined (__x86_64__)

        __u32 high;

        rdtsc(time, high);

        num ^= high;

#else

        time = jiffies;

#endif

        /*

         * Calculate number of bits of randomness we probably added.

         * We take into account the first, second and third-order deltas

         * in order to make our estimate.

         */

        if (!state->dont_count_entropy) {

                delta = time - state->last_time;

                state->last_time = time;