OpenCores
URL https://opencores.org/ocsvn/or1k/or1k/trunk

Subversion Repositories or1k

[/] [or1k/] [trunk/] [rc203soc/] [sw/] [uClinux/] [drivers/] [char/] [random.c] - Blame information for rev 1777

Go to most recent revision | Details | Compare with Previous | View Log

Line No. Rev Author Line
1 1626 jcastillo
/*
2
 * random.c -- A strong random number generator
3
 *
4
 * Version 1.00, last modified 26-May-96
5
 *
6
 * Copyright Theodore Ts'o, 1994, 1995, 1996.  All rights reserved.
7
 *
8
 * Redistribution and use in source and binary forms, with or without
9
 * modification, are permitted provided that the following conditions
10
 * are met:
11
 * 1. Redistributions of source code must retain the above copyright
12
 *    notice, and the entire permission notice in its entirety,
13
 *    including the disclaimer of warranties.
14
 * 2. Redistributions in binary form must reproduce the above copyright
15
 *    notice, this list of conditions and the following disclaimer in the
16
 *    documentation and/or other materials provided with the distribution.
17
 * 3. The name of the author may not be used to endorse or promote
18
 *    products derived from this software without specific prior
19
 *    written permission.
20
 *
21
 * ALTERNATIVELY, this product may be distributed under the terms of
22
 * the GNU Public License, in which case the provisions of the GPL are
23
 * required INSTEAD OF the above restrictions.  (This clause is
24
 * necessary due to a potential bad interaction between the GPL and
25
 * the restrictions contained in a BSD-style copyright.)
26
 *
27
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
28
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
30
 * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
31
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
32
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
33
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
35
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
36
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
37
 * OF THE POSSIBILITY OF SUCH DAMAGE.
38
 */
39
 
40
/*
41
 * (now, with legal B.S. out of the way.....)
42
 *
43
 * This routine gathers environmental noise from device drivers, etc.,
44
 * and returns good random numbers, suitable for cryptographic use.
45
 * Besides the obvious cryptographic uses, these numbers are also good
46
 * for seeding TCP sequence numbers, and other places where it is
47
 * desirable to have numbers which are not only random, but hard to
48
 * predict by an attacker.
49
 *
50
 * Theory of operation
51
 * ===================
52
 *
53
 * Computers are very predictable devices.  Hence it is extremely hard
54
 * to produce truly random numbers on a computer --- as opposed to
55
 * pseudo-random numbers, which can easily generated by using a
56
 * algorithm.  Unfortunately, it is very easy for attackers to guess
57
 * the sequence of pseudo-random number generators, and for some
58
 * applications this is not acceptable.  So instead, we must try to
59
 * gather "environmental noise" from the computer's environment, which
60
 * must be hard for outside attackers to observe, and use that to
61
 * generate random numbers.  In a Unix environment, this is best done
62
 * from inside the kernel.
63
 *
64
 * Sources of randomness from the environment include inter-keyboard
65
 * timings, inter-interrupt timings from some interrupts, and other
66
 * events which are both (a) non-deterministic and (b) hard for an
67
 * outside observer to measure.  Randomness from these sources are
68
 * added to an "entropy pool", which is mixed using a CRC-like function.
69
 * This is not cryptographically strong, but it is adequate assuming
70
 * the randomness is not chosen maliciously, and it is fast enough that
71
 * the overhead of doing it on every interrupt is very reasonable.
72
 * As random bytes are mixed into the entropy pool, the routines keep
73
 * an *estimate* of how many bits of randomness have been stored into
74
 * the random number generator's internal state.
75
 *
76
 * When random bytes are desired, they are obtained by taking the MD5
77
 * hash of the contents of the "entropy pool".  The MD5 hash avoids
78
 * exposing the internal state of the entropy pool.  It is believed to
79
 * be computationally infeasible to derive any useful information
80
 * about the input of MD5 from its output.  Even if it is possible to
81
 * analyze MD5 in some clever way, as long as the amount of data
82
 * returned from the generator is less than the inherent entropy in
83
 * the pool, the output data is totally unpredictable.  For this
84
 * reason, the routine decreases its internal estimate of how many
85
 * bits of "true randomness" are contained in the entropy pool as it
86
 * outputs random numbers.
87
 *
88
 * If this estimate goes to zero, the routine can still generate
89
 * random numbers; however, an attacker may (at least in theory) be
90
 * able to infer the future output of the generator from prior
91
 * outputs.  This requires successful cryptanalysis of MD5, which is
92
 * not believed to be feasible, but there is a remote possibility.
93
 * Nonetheless, these numbers should be useful for the vast majority
94
 * of purposes.
95
 *
96
 * Exported interfaces ---- output
97
 * ===============================
98
 *
99
 * There are three exported interfaces; the first is one designed to
100
 * be used from within the kernel:
101
 *
102
 *      void get_random_bytes(void *buf, int nbytes);
103
 *
104
 * This interface will return the requested number of random bytes,
105
 * and place it in the requested buffer.
106
 *
107
 * The two other interfaces are two character devices /dev/random and
108
 * /dev/urandom.  /dev/random is suitable for use when very high
109
 * quality randomness is desired (for example, for key generation or
110
 * one-time pads), as it will only return a maximum of the number of
111
 * bits of randomness (as estimated by the random number generator)
112
 * contained in the entropy pool.
113
 *
114
 * The /dev/urandom device does not have this limit, and will return
115
 * as many bytes as are requested.  As more and more random bytes are
116
 * requested without giving time for the entropy pool to recharge,
117
 * this will result in random numbers that are merely cryptographically
118
 * strong.  For many applications, however, this is acceptable.
119
 *
120
 * Exported interfaces ---- input
121
 * ==============================
122
 *
123
 * The current exported interfaces for gathering environmental noise
124
 * from the devices are:
125
 *
126
 *      void add_keyboard_randomness(unsigned char scancode);
127
 *      void add_mouse_randomness(__u32 mouse_data);
128
 *      void add_interrupt_randomness(int irq);
129
 *      void add_blkdev_randomness(int irq);
130
 *
131
 * add_keyboard_randomness() uses the inter-keypress timing, as well as the
132
 * scancode as random inputs into the "entropy pool".
133
 *
134
 * add_mouse_randomness() uses the mouse interrupt timing, as well as
135
 * the reported position of the mouse from the hardware.
136
 *
137
 * add_interrupt_randomness() uses the inter-interrupt timing as random
138
 * inputs to the entropy pool.  Note that not all interrupts are good
139
 * sources of randomness!  For example, the timer interrupts is not a
140
 * good choice, because the periodicity of the interrupts is to
141
 * regular, and hence predictable to an attacker.  Disk interrupts are
142
 * a better measure, since the timing of the disk interrupts are more
143
 * unpredictable.
144
 *
145
 * add_blkdev_randomness() times the finishing time of block requests.
146
 *
147
 * All of these routines try to estimate how many bits of randomness a
148
 * particular randomness source.  They do this by keeping track of the
149
 * first and second order deltas of the event timings.
150
 *
151
 * Ensuring unpredictability at system startup
152
 * ============================================
153
 *
154
 * When any operating system starts up, it will go through a sequence
155
 * of actions that are fairly predictable by an adversary, especially
156
 * if the start-up does not involve interaction with a human operator.
157
 * This reduces the actual number of bits of unpredictability in the
158
 * entropy pool below the value in entropy_count.  In order to
159
 * counteract this effect, it helps to carry information in the
160
 * entropy pool across shut-downs and start-ups.  To do this, put the
161
 * following lines an appropriate script which is run during the boot
162
 * sequence:
163
 *
164
 *      echo "Initializing random number generator..."
165
 *      # Carry a random seed from start-up to start-up
166
 *      # Load and then save 512 bytes, which is the size of the entropy pool
167
 *      if [ -f /etc/random-seed ]; then
168
 *              cat /etc/random-seed >/dev/urandom
169
 *      fi
170
 *      dd if=/dev/urandom of=/etc/random-seed count=1
171
 *
172
 * and the following lines in an appropriate script which is run as
173
 * the system is shutdown:
174
 *
175
 *      # Carry a random seed from shut-down to start-up
176
 *      # Save 512 bytes, which is the size of the entropy pool
177
 *      echo "Saving random seed..."
178
 *      dd if=/dev/urandom of=/etc/random-seed count=1
179
 *
180
 * For example, on many Linux systems, the appropriate scripts are
181
 * usually /etc/rc.d/rc.local and /etc/rc.d/rc.0, respectively.
182
 *
183
 * Effectively, these commands cause the contents of the entropy pool
184
 * to be saved at shut-down time and reloaded into the entropy pool at
185
 * start-up.  (The 'dd' in the addition to the bootup script is to
186
 * make sure that /etc/random-seed is different for every start-up,
187
 * even if the system crashes without executing rc.0.)  Even with
188
 * complete knowledge of the start-up activities, predicting the state
189
 * of the entropy pool requires knowledge of the previous history of
190
 * the system.
191
 *
192
 * Configuring the /dev/random driver under Linux
193
 * ==============================================
194
 *
195
 * The /dev/random driver under Linux uses minor numbers 8 and 9 of
196
 * the /dev/mem major number (#1).  So if your system does not have
197
 * /dev/random and /dev/urandom created already, they can be created
198
 * by using the commands:
199
 *
200
 *      mknod /dev/random c 1 8
201
 *      mknod /dev/urandom c 1 9
202
 *
203
 * Acknowledgements:
204
 * =================
205
 *
206
 * Ideas for constructing this random number generator were derived
207
 * from the Pretty Good Privacy's random number generator, and from
208
 * private discussions with Phil Karn.  Colin Plumb provided a faster
209
 * random number generator, which speed up the mixing function of the
210
 * entropy pool, taken from PGP 3.0 (under development).  It has since
211
 * been modified by myself to provide better mixing in the case where
212
 * the input values to add_entropy_word() are mostly small numbers.
213
 * Dale Worley has also contributed many useful ideas and suggestions
214
 * to improve this driver.
215
 *
216
 * Any flaws in the design are solely my responsibility, and should
217
 * not be attributed to the Phil, Colin, or any of authors of PGP.
218
 *
219
 * The code for MD5 transform was taken from Colin Plumb's
220
 * implementation, which has been placed in the public domain.  The
221
 * MD5 cryptographic checksum was devised by Ronald Rivest, and is
222
 * documented in RFC 1321, "The MD5 Message Digest Algorithm".
223
 *
224
 * Further background information on this topic may be obtained from
225
 * RFC 1750, "Randomness Recommendations for Security", by Donald
226
 * Eastlake, Steve Crocker, and Jeff Schiller.
227
 */
228
 
229
#include <linux/config.h> /* CONFIG_RST_COOKIES and CONFIG_SYN_COOKIES */
230
#include <linux/utsname.h>
231
#include <linux/kernel.h>
232
#include <linux/major.h>
233
#include <linux/string.h>
234
#include <linux/fcntl.h>
235
#include <linux/malloc.h>
236
#include <linux/random.h>
237
 
238
#include <asm/segment.h>
239
#include <asm/irq.h>
240
#include <asm/io.h>
241
 
242
/*
243
 * Configuration information
244
 */
245
#undef RANDOM_BENCHMARK
246
#undef BENCHMARK_NOINT
247
 
248
/*
249
 * The pool is stirred with a primitive polynomial of degree 128
250
 * over GF(2), namely x^128 + x^99 + x^59 + x^31 + x^9 + x^7 + 1.
251
 * For a pool of size 64, try x^64+x^62+x^38+x^10+x^6+x+1.
252
 */
253
#define POOLWORDS 128    /* Power of 2 - note that this is 32-bit words */
254
#define POOLBITS (POOLWORDS*32)
255
#if POOLWORDS == 128
256
#define TAP1    99     /* The polynomial taps */
257
#define TAP2    59
258
#define TAP3    31
259
#define TAP4    9
260
#define TAP5    7
261
#elif POOLWORDS == 64
262
#define TAP1    62      /* The polynomial taps */
263
#define TAP2    38
264
#define TAP3    10
265
#define TAP4    6
266
#define TAP5    1
267
#else
268
#error No primitive polynomial available for chosen POOLWORDS
269
#endif
270
 
271
/*
272
 * The minimum number of bits to release a "wait on input".  Should
273
 * probably always be 8, since a /dev/random read can return a single
274
 * byte.
275
 */
276
#define WAIT_INPUT_BITS 8
277
/*
278
 * The limit number of bits under which to release a "wait on
279
 * output".  Should probably always be the same as WAIT_INPUT_BITS, so
280
 * that an output wait releases when and only when a wait on input
281
 * would block.
282
 */
283
#define WAIT_OUTPUT_BITS WAIT_INPUT_BITS
284
 
285
/* There is actually only one of these, globally. */
286
struct random_bucket {
287
        unsigned add_ptr;
288
        unsigned entropy_count;
289
        int input_rotate;
290
        __u32 *pool;
291
};
292
 
293
#ifdef RANDOM_BENCHMARK
294
/* For benchmarking only */
295
struct random_benchmark {
296
        unsigned long long      start_time;
297
        int                     times;          /* # of samples */
298
        unsigned long           min;
299
        unsigned long           max;
300
        unsigned long           accum;          /* accumulator for average */
301
        const char              *descr;
302
        int                     unit;
303
        unsigned long           flags;
304
};
305
 
306
#define BENCHMARK_INTERVAL 500
307
 
308
static void initialize_benchmark(struct random_benchmark *bench,
309
                                 const char *descr, int unit);
310
static void begin_benchmark(struct random_benchmark *bench);
311
static void end_benchmark(struct random_benchmark *bench);
312
 
313
struct random_benchmark timer_benchmark;
314
#endif
315
 
316
/* There is one of these per entropy source */
317
struct timer_rand_state {
318
        unsigned long   last_time;
319
        int             last_delta,last_delta2;
320
        int             dont_count_entropy:1;
321
};
322
 
323
static struct random_bucket random_state;
324
static __u32 random_pool[POOLWORDS];
325
static struct timer_rand_state keyboard_timer_state;
326
static struct timer_rand_state mouse_timer_state;
327
static struct timer_rand_state extract_timer_state;
328
static struct timer_rand_state *irq_timer_state[NR_IRQS];
329
static struct timer_rand_state *blkdev_timer_state[MAX_BLKDEV];
330
static struct wait_queue *random_wait;
331
 
332
static int random_read(struct inode * inode, struct file * file,
333
                       char * buf, int nbytes);
334
static int random_read_unlimited(struct inode * inode, struct file * file,
335
                                 char * buf, int nbytes);
336
static int random_select(struct inode *inode, struct file *file,
337
                         int sel_type, select_table * wait);
338
static int random_write(struct inode * inode, struct file * file,
339
                        const char * buffer, int count);
340
static int random_ioctl(struct inode * inode, struct file * file,
341
                        unsigned int cmd, unsigned long arg);
342
 
343
static inline void fast_add_entropy_word(struct random_bucket *r,
344
                                         const __u32 input);
345
 
346
static void add_entropy_word(struct random_bucket *r,
347
                                    const __u32 input);
348
 
349
#ifndef MIN
350
#define MIN(a,b) (((a) < (b)) ? (a) : (b))
351
#endif
352
 
353
/*
354
 * Unfortunately, while the GCC optimizer for the i386 understands how
355
 * to optimize a static rotate left of x bits, it doesn't know how to
356
 * deal with a variable rotate of x bits.  So we use a bit of asm magic.
357
 */
358
#if (!defined (__i386__))
359
extern inline __u32 rotate_left(int i, __u32 word)
360
{
361
        return (word << i) | (word >> (32 - i));
362
 
363
}
364
#else
365
extern inline __u32 rotate_left(int i, __u32 word)
366
{
367
        __asm__("roll %%cl,%0"
368
                :"=r" (word)
369
                :"0" (word),"c" (i));
370
        return word;
371
}
372
#endif
373
 
374
/*
375
 * More asm magic....
376
 *
377
 * For entropy estimation, we need to do an integral base 2
378
 * logarithm.  By default, use an open-coded C version, although we do
379
 * have a version which takes advantage of the Intel's x86's "bsr"
380
 * instruction.
381
 */
382
#if (!defined (__i386__))
383
static inline __u32 int_ln(__u32 word)
384
{
385
        __u32 nbits = 0;
386
 
387
        while (1) {
388
                word >>= 1;
389
                if (!word)
390
                        break;
391
                nbits++;
392
        }
393
        return nbits;
394
}
395
#else
396
static inline __u32 int_ln(__u32 word)
397
{
398
        __asm__("bsrl %1,%0\n\t"
399
                "jnz 1f\n\t"
400
                "movl $0,%0\n"
401
                "1:"
402
                :"=r" (word)
403
                :"r" (word));
404
        return word;
405
}
406
#endif
407
 
408
 
409
/*
410
 * Initialize the random pool with standard stuff.
411
 *
412
 * NOTE: This is an OS-dependent function.
413
 */
414
static void init_std_data(struct random_bucket *r)
415
{
416
        __u32 word, *p;
417
        int i;
418
        struct timeval  tv;
419
 
420
        do_gettimeofday(&tv);
421
        add_entropy_word(r, tv.tv_sec);
422
        add_entropy_word(r, tv.tv_usec);
423
 
424
        for (p = (__u32 *) &system_utsname,
425
             i = sizeof(system_utsname) / sizeof(__u32);
426
             i ; i--, p++) {
427
                memcpy(&word, p, sizeof(__u32));
428
                add_entropy_word(r, word);
429
        }
430
 
431
}
432
 
433
/* Clear the entropy pool and associated counters. */
434
static void rand_clear_pool(void)
435
{
436
        random_state.add_ptr = 0;
437
        random_state.entropy_count = 0;
438
        random_state.pool = random_pool;
439
        random_state.input_rotate = 0;
440
        memset(random_pool, 0, sizeof(random_pool));
441
        init_std_data(&random_state);
442
}
443
 
444
void rand_initialize(void)
445
{
446
        int i;
447
 
448
        rand_clear_pool();
449
        for (i = 0; i < NR_IRQS; i++)
450
                irq_timer_state[i] = NULL;
451
        for (i = 0; i < MAX_BLKDEV; i++)
452
                blkdev_timer_state[i] = NULL;
453
        memset(&keyboard_timer_state, 0, sizeof(struct timer_rand_state));
454
        memset(&mouse_timer_state, 0, sizeof(struct timer_rand_state));
455
        memset(&extract_timer_state, 0, sizeof(struct timer_rand_state));
456
#ifdef RANDOM_BENCHMARK
457
        initialize_benchmark(&timer_benchmark, "timer", 0);
458
#endif
459
        extract_timer_state.dont_count_entropy = 1;
460
        random_wait = NULL;
461
}
462
 
463
void rand_initialize_irq(int irq)
464
{
465
        struct timer_rand_state *state;
466
 
467
        if (irq >= NR_IRQS || irq_timer_state[irq])
468
                return;
469
 
470
        /*
471
         * If kmalloc returns null, we just won't use that entropy
472
         * source.
473
         */
474
        state = kmalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
475
        if (state) {
476
                irq_timer_state[irq] = state;
477
                memset(state, 0, sizeof(struct timer_rand_state));
478
        }
479
}
480
 
481
void rand_initialize_blkdev(int major, int mode)
482
{
483
        struct timer_rand_state *state;
484
 
485
        if (major >= MAX_BLKDEV || blkdev_timer_state[major])
486
                return;
487
 
488
        /*
489
         * If kmalloc returns null, we just won't use that entropy
490
         * source.
491
         */
492
        state = kmalloc(sizeof(struct timer_rand_state), mode);
493
        if (state) {
494
                blkdev_timer_state[major] = state;
495
                memset(state, 0, sizeof(struct timer_rand_state));
496
        }
497
}
498
 
499
/*
500
 * This function adds a byte into the entropy "pool".  It does not
501
 * update the entropy estimate.  The caller must do this if appropriate.
502
 *
503
 * The pool is stirred with a primitive polynomial of degree 128
504
 * over GF(2), namely x^128 + x^99 + x^59 + x^31 + x^9 + x^7 + 1.
505
 * For a pool of size 64, try x^64+x^62+x^38+x^10+x^6+x+1.
506
 *
507
 * We rotate the input word by a changing number of bits, to help
508
 * assure that all bits in the entropy get toggled.  Otherwise, if we
509
 * consistently feed the entropy pool small numbers (like jiffies and
510
 * scancodes, for example), the upper bits of the entropy pool don't
511
 * get affected. --- TYT, 10/11/95
512
 */
513
static inline void fast_add_entropy_word(struct random_bucket *r,
514
                                         const __u32 input)
515
{
516
        unsigned i;
517
        int new_rotate;
518
        __u32 w;
519
 
520
        w = rotate_left(r->input_rotate, input);
521
        i = r->add_ptr = (r->add_ptr - 1) & (POOLWORDS-1);
522
        /*
523
         * Normally, we add 7 bits of rotation to the pool.  At the
524
         * beginning of the pool, add an extra 7 bits rotation, so
525
         * that successive passes spread the input bits across the
526
         * pool evenly.
527
         */
528
        new_rotate = r->input_rotate + 14;
529
        if (i)
530
                new_rotate = r->input_rotate + 7;
531
        r->input_rotate = new_rotate & 31;
532
 
533
        /* XOR in the various taps */
534
        w ^= r->pool[(i+TAP1)&(POOLWORDS-1)];
535
        w ^= r->pool[(i+TAP2)&(POOLWORDS-1)];
536
        w ^= r->pool[(i+TAP3)&(POOLWORDS-1)];
537
        w ^= r->pool[(i+TAP4)&(POOLWORDS-1)];
538
        w ^= r->pool[(i+TAP5)&(POOLWORDS-1)];
539
        w ^= r->pool[i];
540
        /* Rotate w left 1 bit (stolen from SHA) and store */
541
        r->pool[i] = (w << 1) | (w >> 31);
542
}
543
 
544
/*
545
 * For places where we don't need the inlined version
546
 */
547
static void add_entropy_word(struct random_bucket *r,
548
                                    const __u32 input)
549
{
550
        fast_add_entropy_word(r, input);
551
}
552
 
553
/*
554
 * This function adds entropy to the entropy "pool" by using timing
555
 * delays.  It uses the timer_rand_state structure to make an estimate
556
 * of how many bits of entropy this call has added to the pool.
557
 *
558
 * The number "num" is also added to the pool - it should somehow describe
559
 * the type of event which just happened.  This is currently 0-255 for
560
 * keyboard scan codes, and 256 upwards for interrupts.
561
 * On the i386, this is assumed to be at most 16 bits, and the high bits
562
 * are used for a high-resolution timer.
563
 *
564
 */
565
static void add_timer_randomness(struct random_bucket *r,
566
                                 struct timer_rand_state *state, unsigned num)
567
{
568
        int     delta, delta2, delta3;
569
        __u32           time;
570
 
571
#ifdef RANDOM_BENCHMARK
572
        begin_benchmark(&timer_benchmark);
573
#endif
574
#if defined (__i386__)
575
        if (x86_capability & 16) {
576
                unsigned long low, high;
577
                __asm__(".byte 0x0f,0x31"
578
                        :"=a" (low), "=d" (high));
579
                time = (__u32) low;
580
                num ^= (__u32) high;
581
        } else {
582
                time = jiffies;
583
        }
584
#else
585
        time = jiffies;
586
#endif
587
 
588
        fast_add_entropy_word(r, (__u32) num);
589
        fast_add_entropy_word(r, time);
590
 
591
        /*
592
         * Calculate number of bits of randomness we probably
593
         * added.  We take into account the first and second order
594
         * deltas in order to make our estimate.
595
         */
596
        if (!state->dont_count_entropy &&
597
            (r->entropy_count < POOLBITS)) {
598
                delta = time - state->last_time;
599
                state->last_time = time;
600
                if (delta < 0) delta = -delta;
601
 
602
                delta2 = delta - state->last_delta;
603
                state->last_delta = delta;
604
                if (delta2 < 0) delta2 = -delta2;
605
 
606
                delta3 = delta2 - state->last_delta2;
607
                state->last_delta2 = delta2;
608
                if (delta3 < 0) delta3 = -delta3;
609
 
610
                delta = MIN(MIN(delta, delta2), delta3) >> 1;
611
                /* Limit entropy estimate to 12 bits */
612
                delta &= (1 << 12) - 1;
613
 
614
                r->entropy_count += int_ln(delta);
615
 
616
                /* Prevent overflow */
617
                if (r->entropy_count > POOLBITS)
618
                        r->entropy_count = POOLBITS;
619
        }
620
 
621
        /* Wake up waiting processes, if we have enough entropy. */
622
        if (r->entropy_count >= WAIT_INPUT_BITS)
623
                wake_up_interruptible(&random_wait);
624
#ifdef RANDOM_BENCHMARK
625
        end_benchmark(&timer_benchmark);
626
#endif
627
}
628
 
629
void add_keyboard_randomness(unsigned char scancode)
630
{
631
        add_timer_randomness(&random_state, &keyboard_timer_state, scancode);
632
}
633
 
634
void add_mouse_randomness(__u32 mouse_data)
635
{
636
        add_timer_randomness(&random_state, &mouse_timer_state, mouse_data);
637
}
638
 
639
void add_interrupt_randomness(int irq)
640
{
641
        if (irq >= NR_IRQS || irq_timer_state[irq] == 0)
642
                return;
643
 
644
        add_timer_randomness(&random_state, irq_timer_state[irq], 0x100+irq);
645
}
646
 
647
void add_blkdev_randomness(int major)
648
{
649
        if (major >= MAX_BLKDEV)
650
                return;
651
 
652
        if (blkdev_timer_state[major] == 0) {
653
                rand_initialize_blkdev(major, GFP_ATOMIC);
654
                if (blkdev_timer_state[major] == 0)
655
                        return;
656
        }
657
 
658
        add_timer_randomness(&random_state, blkdev_timer_state[major],
659
                             0x200+major);
660
}
661
 
662
#define USE_SHA
663
 
664
#ifdef USE_SHA
665
 
666
#define HASH_BUFFER_SIZE 5
667
#define HASH_TRANSFORM SHATransform
668
 
669
/*
670
 * SHA transform algorithm, taken from code written by Peter Gutman,
671
 * and apparently in the public domain.
672
 */
673
 
674
/* The SHA f()-functions.  */
675
 
676
#define f1(x,y,z)   ( z ^ ( x & ( y ^ z ) ) )           /* Rounds  0-19 */
677
#define f2(x,y,z)   ( x ^ y ^ z )                       /* Rounds 20-39 */
678
#define f3(x,y,z)   ( ( x & y ) | ( z & ( x | y ) ) )   /* Rounds 40-59 */
679
#define f4(x,y,z)   ( x ^ y ^ z )                       /* Rounds 60-79 */
680
 
681
/* The SHA Mysterious Constants */
682
 
683
#define K1  0x5A827999L                                 /* Rounds  0-19 */
684
#define K2  0x6ED9EBA1L                                 /* Rounds 20-39 */
685
#define K3  0x8F1BBCDCL                                 /* Rounds 40-59 */
686
#define K4  0xCA62C1D6L                                 /* Rounds 60-79 */
687
 
688
#define ROTL(n,X)  ( ( ( X ) << n ) | ( ( X ) >> ( 32 - n ) ) )
689
 
690
#define expand(W,i) ( W[ i & 15 ] = \
691
                     ROTL( 1, ( W[ i & 15 ] ^ W[ (i - 14) & 15 ] ^ \
692
                                W[ (i - 8) & 15 ] ^ W[ (i - 3) & 15 ] ) ) )
693
 
694
#define subRound(a, b, c, d, e, f, k, data) \
695
    ( e += ROTL( 5, a ) + f( b, c, d ) + k + data, b = ROTL( 30, b ) )
696
 
697
 
698
void SHATransform(__u32 *digest, __u32 *data)
699
    {
700
    __u32 A, B, C, D, E;     /* Local vars */
701
    __u32 eData[ 16 ];       /* Expanded data */
702
 
703
    /* Set up first buffer and local data buffer */
704
    A = digest[ 0 ];
705
    B = digest[ 1 ];
706
    C = digest[ 2 ];
707
    D = digest[ 3 ];
708
    E = digest[ 4 ];
709
    memcpy( eData, data, 16*sizeof(__u32));
710
 
711
    /* Heavy mangling, in 4 sub-rounds of 20 iterations each. */
712
    subRound( A, B, C, D, E, f1, K1, eData[  0 ] );
713
    subRound( E, A, B, C, D, f1, K1, eData[  1 ] );
714
    subRound( D, E, A, B, C, f1, K1, eData[  2 ] );
715
    subRound( C, D, E, A, B, f1, K1, eData[  3 ] );
716
    subRound( B, C, D, E, A, f1, K1, eData[  4 ] );
717
    subRound( A, B, C, D, E, f1, K1, eData[  5 ] );
718
    subRound( E, A, B, C, D, f1, K1, eData[  6 ] );
719
    subRound( D, E, A, B, C, f1, K1, eData[  7 ] );
720
    subRound( C, D, E, A, B, f1, K1, eData[  8 ] );
721
    subRound( B, C, D, E, A, f1, K1, eData[  9 ] );
722
    subRound( A, B, C, D, E, f1, K1, eData[ 10 ] );
723
    subRound( E, A, B, C, D, f1, K1, eData[ 11 ] );
724
    subRound( D, E, A, B, C, f1, K1, eData[ 12 ] );
725
    subRound( C, D, E, A, B, f1, K1, eData[ 13 ] );
726
    subRound( B, C, D, E, A, f1, K1, eData[ 14 ] );
727
    subRound( A, B, C, D, E, f1, K1, eData[ 15 ] );
728
    subRound( E, A, B, C, D, f1, K1, expand( eData, 16 ) );
729
    subRound( D, E, A, B, C, f1, K1, expand( eData, 17 ) );
730
    subRound( C, D, E, A, B, f1, K1, expand( eData, 18 ) );
731
    subRound( B, C, D, E, A, f1, K1, expand( eData, 19 ) );
732
 
733
    subRound( A, B, C, D, E, f2, K2, expand( eData, 20 ) );
734
    subRound( E, A, B, C, D, f2, K2, expand( eData, 21 ) );
735
    subRound( D, E, A, B, C, f2, K2, expand( eData, 22 ) );
736
    subRound( C, D, E, A, B, f2, K2, expand( eData, 23 ) );
737
    subRound( B, C, D, E, A, f2, K2, expand( eData, 24 ) );
738
    subRound( A, B, C, D, E, f2, K2, expand( eData, 25 ) );
739
    subRound( E, A, B, C, D, f2, K2, expand( eData, 26 ) );
740
    subRound( D, E, A, B, C, f2, K2, expand( eData, 27 ) );
741
    subRound( C, D, E, A, B, f2, K2, expand( eData, 28 ) );
742
    subRound( B, C, D, E, A, f2, K2, expand( eData, 29 ) );
743
    subRound( A, B, C, D, E, f2, K2, expand( eData, 30 ) );
744
    subRound( E, A, B, C, D, f2, K2, expand( eData, 31 ) );
745
    subRound( D, E, A, B, C, f2, K2, expand( eData, 32 ) );
746
    subRound( C, D, E, A, B, f2, K2, expand( eData, 33 ) );
747
    subRound( B, C, D, E, A, f2, K2, expand( eData, 34 ) );
748
    subRound( A, B, C, D, E, f2, K2, expand( eData, 35 ) );
749
    subRound( E, A, B, C, D, f2, K2, expand( eData, 36 ) );
750
    subRound( D, E, A, B, C, f2, K2, expand( eData, 37 ) );
751
    subRound( C, D, E, A, B, f2, K2, expand( eData, 38 ) );
752
    subRound( B, C, D, E, A, f2, K2, expand( eData, 39 ) );
753
 
754
    subRound( A, B, C, D, E, f3, K3, expand( eData, 40 ) );
755
    subRound( E, A, B, C, D, f3, K3, expand( eData, 41 ) );
756
    subRound( D, E, A, B, C, f3, K3, expand( eData, 42 ) );
757
    subRound( C, D, E, A, B, f3, K3, expand( eData, 43 ) );
758
    subRound( B, C, D, E, A, f3, K3, expand( eData, 44 ) );
759
    subRound( A, B, C, D, E, f3, K3, expand( eData, 45 ) );
760
    subRound( E, A, B, C, D, f3, K3, expand( eData, 46 ) );
761
    subRound( D, E, A, B, C, f3, K3, expand( eData, 47 ) );
762
    subRound( C, D, E, A, B, f3, K3, expand( eData, 48 ) );
763
    subRound( B, C, D, E, A, f3, K3, expand( eData, 49 ) );
764
    subRound( A, B, C, D, E, f3, K3, expand( eData, 50 ) );
765
    subRound( E, A, B, C, D, f3, K3, expand( eData, 51 ) );
766
    subRound( D, E, A, B, C, f3, K3, expand( eData, 52 ) );
767
    subRound( C, D, E, A, B, f3, K3, expand( eData, 53 ) );
768
    subRound( B, C, D, E, A, f3, K3, expand( eData, 54 ) );
769
    subRound( A, B, C, D, E, f3, K3, expand( eData, 55 ) );
770
    subRound( E, A, B, C, D, f3, K3, expand( eData, 56 ) );
771
    subRound( D, E, A, B, C, f3, K3, expand( eData, 57 ) );
772
    subRound( C, D, E, A, B, f3, K3, expand( eData, 58 ) );
773
    subRound( B, C, D, E, A, f3, K3, expand( eData, 59 ) );
774
 
775
    subRound( A, B, C, D, E, f4, K4, expand( eData, 60 ) );
776
    subRound( E, A, B, C, D, f4, K4, expand( eData, 61 ) );
777
    subRound( D, E, A, B, C, f4, K4, expand( eData, 62 ) );
778
    subRound( C, D, E, A, B, f4, K4, expand( eData, 63 ) );
779
    subRound( B, C, D, E, A, f4, K4, expand( eData, 64 ) );
780
    subRound( A, B, C, D, E, f4, K4, expand( eData, 65 ) );
781
    subRound( E, A, B, C, D, f4, K4, expand( eData, 66 ) );
782
    subRound( D, E, A, B, C, f4, K4, expand( eData, 67 ) );
783
    subRound( C, D, E, A, B, f4, K4, expand( eData, 68 ) );
784
    subRound( B, C, D, E, A, f4, K4, expand( eData, 69 ) );
785
    subRound( A, B, C, D, E, f4, K4, expand( eData, 70 ) );
786
    subRound( E, A, B, C, D, f4, K4, expand( eData, 71 ) );
787
    subRound( D, E, A, B, C, f4, K4, expand( eData, 72 ) );
788
    subRound( C, D, E, A, B, f4, K4, expand( eData, 73 ) );
789
    subRound( B, C, D, E, A, f4, K4, expand( eData, 74 ) );
790
    subRound( A, B, C, D, E, f4, K4, expand( eData, 75 ) );
791
    subRound( E, A, B, C, D, f4, K4, expand( eData, 76 ) );
792
    subRound( D, E, A, B, C, f4, K4, expand( eData, 77 ) );
793
    subRound( C, D, E, A, B, f4, K4, expand( eData, 78 ) );
794
    subRound( B, C, D, E, A, f4, K4, expand( eData, 79 ) );
795
 
796
    /* Build message digest */
797
    digest[ 0 ] += A;
798
    digest[ 1 ] += B;
799
    digest[ 2 ] += C;
800
    digest[ 3 ] += D;
801
    digest[ 4 ] += E;
802
    }
803
 
804
#else
805
#define HASH_BUFFER_SIZE 4
806
#define HASH_TRANSFORM MD5Transform
807
 
808
/*
809
 * MD5 transform algorithm, taken from code written by Colin Plumb,
810
 * and put into the public domain
811
 *
812
 * QUESTION: Replace this with SHA, which as generally received better
813
 * reviews from the cryptographic community?
814
 */
815
 
816
/* The four core functions - F1 is optimized somewhat */
817
 
818
/* #define F1(x, y, z) (x & y | ~x & z) */
819
#define F1(x, y, z) (z ^ (x & (y ^ z)))
820
#define F2(x, y, z) F1(z, x, y)
821
#define F3(x, y, z) (x ^ y ^ z)
822
#define F4(x, y, z) (y ^ (x | ~z))
823
 
824
/* This is the central step in the MD5 algorithm. */
825
#define MD5STEP(f, w, x, y, z, data, s) \
826
        ( w += f(x, y, z) + data,  w = w<<s | w>>(32-s),  w += x )
827
 
828
/*
829
 * The core of the MD5 algorithm, this alters an existing MD5 hash to
830
 * reflect the addition of 16 longwords of new data.  MD5Update blocks
831
 * the data and converts bytes into longwords for this routine.
832
 */
833
static void MD5Transform(__u32 buf[4],
834
                         __u32 const in[16])
835
{
836
        __u32 a, b, c, d;
837
 
838
        a = buf[0];
839
        b = buf[1];
840
        c = buf[2];
841
        d = buf[3];
842
 
843
        MD5STEP(F1, a, b, c, d, in[ 0]+0xd76aa478,  7);
844
        MD5STEP(F1, d, a, b, c, in[ 1]+0xe8c7b756, 12);
845
        MD5STEP(F1, c, d, a, b, in[ 2]+0x242070db, 17);
846
        MD5STEP(F1, b, c, d, a, in[ 3]+0xc1bdceee, 22);
847
        MD5STEP(F1, a, b, c, d, in[ 4]+0xf57c0faf,  7);
848
        MD5STEP(F1, d, a, b, c, in[ 5]+0x4787c62a, 12);
849
        MD5STEP(F1, c, d, a, b, in[ 6]+0xa8304613, 17);
850
        MD5STEP(F1, b, c, d, a, in[ 7]+0xfd469501, 22);
851
        MD5STEP(F1, a, b, c, d, in[ 8]+0x698098d8,  7);
852
        MD5STEP(F1, d, a, b, c, in[ 9]+0x8b44f7af, 12);
853
        MD5STEP(F1, c, d, a, b, in[10]+0xffff5bb1, 17);
854
        MD5STEP(F1, b, c, d, a, in[11]+0x895cd7be, 22);
855
        MD5STEP(F1, a, b, c, d, in[12]+0x6b901122,  7);
856
        MD5STEP(F1, d, a, b, c, in[13]+0xfd987193, 12);
857
        MD5STEP(F1, c, d, a, b, in[14]+0xa679438e, 17);
858
        MD5STEP(F1, b, c, d, a, in[15]+0x49b40821, 22);
859
 
860
        MD5STEP(F2, a, b, c, d, in[ 1]+0xf61e2562,  5);
861
        MD5STEP(F2, d, a, b, c, in[ 6]+0xc040b340,  9);
862
        MD5STEP(F2, c, d, a, b, in[11]+0x265e5a51, 14);
863
        MD5STEP(F2, b, c, d, a, in[ 0]+0xe9b6c7aa, 20);
864
        MD5STEP(F2, a, b, c, d, in[ 5]+0xd62f105d,  5);
865
        MD5STEP(F2, d, a, b, c, in[10]+0x02441453,  9);
866
        MD5STEP(F2, c, d, a, b, in[15]+0xd8a1e681, 14);
867
        MD5STEP(F2, b, c, d, a, in[ 4]+0xe7d3fbc8, 20);
868
        MD5STEP(F2, a, b, c, d, in[ 9]+0x21e1cde6,  5);
869
        MD5STEP(F2, d, a, b, c, in[14]+0xc33707d6,  9);
870
        MD5STEP(F2, c, d, a, b, in[ 3]+0xf4d50d87, 14);
871
        MD5STEP(F2, b, c, d, a, in[ 8]+0x455a14ed, 20);
872
        MD5STEP(F2, a, b, c, d, in[13]+0xa9e3e905,  5);
873
        MD5STEP(F2, d, a, b, c, in[ 2]+0xfcefa3f8,  9);
874
        MD5STEP(F2, c, d, a, b, in[ 7]+0x676f02d9, 14);
875
        MD5STEP(F2, b, c, d, a, in[12]+0x8d2a4c8a, 20);
876
 
877
        MD5STEP(F3, a, b, c, d, in[ 5]+0xfffa3942,  4);
878
        MD5STEP(F3, d, a, b, c, in[ 8]+0x8771f681, 11);
879
        MD5STEP(F3, c, d, a, b, in[11]+0x6d9d6122, 16);
880
        MD5STEP(F3, b, c, d, a, in[14]+0xfde5380c, 23);
881
        MD5STEP(F3, a, b, c, d, in[ 1]+0xa4beea44,  4);
882
        MD5STEP(F3, d, a, b, c, in[ 4]+0x4bdecfa9, 11);
883
        MD5STEP(F3, c, d, a, b, in[ 7]+0xf6bb4b60, 16);
884
        MD5STEP(F3, b, c, d, a, in[10]+0xbebfbc70, 23);
885
        MD5STEP(F3, a, b, c, d, in[13]+0x289b7ec6,  4);
886
        MD5STEP(F3, d, a, b, c, in[ 0]+0xeaa127fa, 11);
887
        MD5STEP(F3, c, d, a, b, in[ 3]+0xd4ef3085, 16);
888
        MD5STEP(F3, b, c, d, a, in[ 6]+0x04881d05, 23);
889
        MD5STEP(F3, a, b, c, d, in[ 9]+0xd9d4d039,  4);
890
        MD5STEP(F3, d, a, b, c, in[12]+0xe6db99e5, 11);
891
        MD5STEP(F3, c, d, a, b, in[15]+0x1fa27cf8, 16);
892
        MD5STEP(F3, b, c, d, a, in[ 2]+0xc4ac5665, 23);
893
 
894
        MD5STEP(F4, a, b, c, d, in[ 0]+0xf4292244,  6);
895
        MD5STEP(F4, d, a, b, c, in[ 7]+0x432aff97, 10);
896
        MD5STEP(F4, c, d, a, b, in[14]+0xab9423a7, 15);
897
        MD5STEP(F4, b, c, d, a, in[ 5]+0xfc93a039, 21);
898
        MD5STEP(F4, a, b, c, d, in[12]+0x655b59c3,  6);
899
        MD5STEP(F4, d, a, b, c, in[ 3]+0x8f0ccc92, 10);
900
        MD5STEP(F4, c, d, a, b, in[10]+0xffeff47d, 15);
901
        MD5STEP(F4, b, c, d, a, in[ 1]+0x85845dd1, 21);
902
        MD5STEP(F4, a, b, c, d, in[ 8]+0x6fa87e4f,  6);
903
        MD5STEP(F4, d, a, b, c, in[15]+0xfe2ce6e0, 10);
904
        MD5STEP(F4, c, d, a, b, in[ 6]+0xa3014314, 15);
905
        MD5STEP(F4, b, c, d, a, in[13]+0x4e0811a1, 21);
906
        MD5STEP(F4, a, b, c, d, in[ 4]+0xf7537e82,  6);
907
        MD5STEP(F4, d, a, b, c, in[11]+0xbd3af235, 10);
908
        MD5STEP(F4, c, d, a, b, in[ 2]+0x2ad7d2bb, 15);
909
        MD5STEP(F4, b, c, d, a, in[ 9]+0xeb86d391, 21);
910
 
911
        buf[0] += a;
912
        buf[1] += b;
913
        buf[2] += c;
914
        buf[3] += d;
915
}
916
 
917
#undef F1
918
#undef F2
919
#undef F3
920
#undef F4
921
#undef MD5STEP
922
 
923
#endif
924
 
925
 
926
#if POOLWORDS % 16
927
#error extract_entropy() assumes that POOLWORDS is a multiple of 16 words.
928
#endif
929
/*
930
 * This function extracts randomness from the "entropy pool", and
931
 * returns it in a buffer.  This function computes how many remaining
932
 * bits of entropy are left in the pool, but it does not restrict the
933
 * number of bytes that are actually obtained.
934
 */
935
static int extract_entropy(struct random_bucket *r, char * buf,
936
                                  int nbytes, int to_user)
937
{
938
        int ret, i;
939
        __u32 tmp[HASH_BUFFER_SIZE];
940
        char *cp,*dp;
941
 
942
        if (to_user) {
943
                ret = verify_area(VERIFY_WRITE, (void *) buf, nbytes);
944
                if (ret)
945
                        return(ret);
946
        }
947
 
948
        add_timer_randomness(r, &extract_timer_state, nbytes);
949
 
950
        /* Redundant, but just in case... */
951
        if (r->entropy_count > POOLBITS)
952
                r->entropy_count = POOLBITS;
953
 
954
        ret = nbytes;
955
        if (r->entropy_count / 8 >= nbytes)
956
                r->entropy_count -= nbytes*8;
957
        else
958
                r->entropy_count = 0;
959
 
960
        while (nbytes) {
961
                /* Hash the pool to get the output */
962
                tmp[0] = 0x67452301;
963
                tmp[1] = 0xefcdab89;
964
                tmp[2] = 0x98badcfe;
965
                tmp[3] = 0x10325476;
966
#ifdef USE_SHA
967
                tmp[4] = 0xc3d2e1f0;
968
#endif
969
                for (i = 0; i < POOLWORDS; i += 16)
970
                        HASH_TRANSFORM(tmp, r->pool+i);
971
                /* Modify pool so next hash will produce different results */
972
                add_entropy_word(r, tmp[0]);
973
                add_entropy_word(r, tmp[1]);
974
                add_entropy_word(r, tmp[2]);
975
                add_entropy_word(r, tmp[3]);
976
#ifdef USE_SHA
977
                add_entropy_word(r, tmp[4]);
978
#endif
979
                /*
980
                 * Run the hash transform one more time, since we want
981
                 * to add at least minimal obscuring of the inputs to
982
                 * add_entropy_word().
983
                 */
984
                HASH_TRANSFORM(tmp, r->pool);
985
 
986
                /*
987
                 * In case the hash function has some recognizable
988
                 * output pattern, we fold it in half.
989
                 */
990
                cp = (char *) tmp;
991
                dp = cp + (HASH_BUFFER_SIZE*sizeof(__u32)) - 1;
992
                for (i=0; i <  HASH_BUFFER_SIZE*sizeof(__u32)/2; i++) {
993
                        *cp ^= *dp;
994
                        cp++;  dp--;
995
                }
996
 
997
                /* Copy data to destination buffer */
998
                i = MIN(nbytes, HASH_BUFFER_SIZE*sizeof(__u32)/2);
999
                if (to_user)
1000
                        memcpy_tofs(buf, (__u8 const *)tmp, i);
1001
                else
1002
                        memcpy(buf, (__u8 const *)tmp, i);
1003
                nbytes -= i;
1004
                buf += i;
1005
                add_timer_randomness(r, &extract_timer_state, nbytes);
1006
                if (to_user && need_resched)
1007
                {
1008
                        if(current->signal & ~current->blocked)
1009
                        {
1010
                                if(nbytes==0)
1011
                                        ret = -ERESTARTSYS;
1012
                                else
1013
                                        ret -= nbytes;
1014
                                break;
1015
                        }
1016
                        schedule();
1017
                }
1018
        }
1019
 
1020
        /* Wipe data from memory */
1021
        memset(tmp, 0, sizeof(tmp));
1022
 
1023
        return ret;
1024
}
1025
 
1026
/*
1027
 * This function is the exported kernel interface.  It returns some
1028
 * number of good random numbers, suitable for seeding TCP sequence
1029
 * numbers, etc.
1030
 */
1031
void get_random_bytes(void *buf, int nbytes)
1032
{
1033
        extract_entropy(&random_state, (char *) buf, nbytes, 0);
1034
}
1035
 
1036
static int
1037
random_read(struct inode * inode, struct file * file, char * buf, int nbytes)
1038
{
1039
        struct wait_queue       wait = { current, NULL };
1040
        int                     n;
1041
        int                     retval = 0;
1042
        int                     count = 0;
1043
 
1044
        if (nbytes == 0)
1045
                return 0;
1046
 
1047
        add_wait_queue(&random_wait, &wait);
1048
        while (nbytes > 0) {
1049
                current->state = TASK_INTERRUPTIBLE;
1050
 
1051
                n = nbytes;
1052
                if (n > random_state.entropy_count / 8)
1053
                        n = random_state.entropy_count / 8;
1054
                if (n == 0) {
1055
                        if (file->f_flags & O_NONBLOCK) {
1056
                                retval = -EAGAIN;
1057
                                break;
1058
                        }
1059
                        if (current->signal & ~current->blocked) {
1060
                                retval = -ERESTARTSYS;
1061
                                break;
1062
                        }
1063
                        schedule();
1064
                        continue;
1065
                }
1066
                n = extract_entropy(&random_state, buf, n, 1);
1067
                if (n < 0) {
1068
                        if (count == 0)
1069
                                retval = n;
1070
                        break;
1071
                }
1072
                count += n;
1073
                buf += n;
1074
                nbytes -= n;
1075
                break;          /* This break makes the device work */
1076
                                /* like a named pipe */
1077
        }
1078
        current->state = TASK_RUNNING;
1079
        remove_wait_queue(&random_wait, &wait);
1080
 
1081
        /*
1082
         * If we gave the user some bytes and we have an inode pointer,
1083
         * update the access time.
1084
         */
1085
        if (inode && count != 0)
1086
                UPDATE_ATIME(inode);
1087
 
1088
        return (count ? count : retval);
1089
}
1090
 
1091
static int
1092
random_read_unlimited(struct inode * inode, struct file * file,
1093
                      char * buf, int nbytes)
1094
{
1095
        return extract_entropy(&random_state, buf, nbytes, 1);
1096
}
1097
 
1098
static int
1099
random_select(struct inode *inode, struct file *file,
1100
                      int sel_type, select_table * wait)
1101
{
1102
        switch (sel_type) {
1103
        case SEL_IN:
1104
                if (random_state.entropy_count >= 8)
1105
                        return 1;
1106
                select_wait(&random_wait, wait);
1107
                break;
1108
        case SEL_OUT:
1109
                if (random_state.entropy_count < WAIT_OUTPUT_BITS)
1110
                        return 1;
1111
                select_wait(&random_wait, wait);
1112
                break;
1113
        }
1114
        return 0;
1115
}
1116
 
1117
static int
1118
random_write(struct inode * inode, struct file * file,
1119
             const char * buffer, int count)
1120
{
1121
        int i;
1122
        __u32 word, *p;
1123
 
1124
        if (count < 0)
1125
                return -EINVAL;
1126
 
1127
        i = verify_area(VERIFY_READ, (void *) buffer, count);
1128
        if (i)
1129
                return i;
1130
 
1131
        for (i = count, p = (__u32 *)buffer;
1132
             i >= sizeof(__u32);
1133
             i-= sizeof(__u32), p++) {
1134
                memcpy_fromfs(&word, p, sizeof(__u32));
1135
                add_entropy_word(&random_state, word);
1136
        }
1137
        if (i) {
1138
                word = 0;
1139
                memcpy_fromfs(&word, p, i);
1140
                add_entropy_word(&random_state, word);
1141
        }
1142
        if (inode) {
1143
                inode->i_mtime = CURRENT_TIME;
1144
                inode->i_dirt = 1;
1145
        }
1146
        return count;
1147
}
1148
 
1149
static int
1150
random_ioctl(struct inode * inode, struct file * file,
1151
             unsigned int cmd, unsigned long arg)
1152
{
1153
        int *p, size, ent_count;
1154
        int retval;
1155
 
1156
        /*
1157
         * Translate old 1.3.XX values.
1158
         * Remove this code in 2.1.0.
1159
         * <mec@duracef.shout.net>
1160
         */
1161
        switch (cmd) {
1162
        case 0x01080000: cmd = RNDGETENTCNT;   break;
1163
        case 0x01080001: cmd = RNDADDTOENTCNT; break;
1164
        case 0x01080002: cmd = RNDGETPOOL;     break;
1165
        case 0x01080003: cmd = RNDADDENTROPY;  break;
1166
        case 0x01080004: cmd = RNDZAPENTCNT;   break;
1167
        case 0x01080006: cmd = RNDCLEARPOOL;   break;
1168
        }
1169
 
1170
        switch (cmd) {
1171
        case RNDGETENTCNT:
1172
                retval = verify_area(VERIFY_WRITE, (void *) arg, sizeof(int));
1173
                if (retval)
1174
                        return(retval);
1175
                ent_count = random_state.entropy_count;
1176
                put_user(ent_count, (int *) arg);
1177
                return 0;
1178
        case RNDADDTOENTCNT:
1179
                if (!suser())
1180
                        return -EPERM;
1181
                retval = verify_area(VERIFY_READ, (void *) arg, sizeof(int));
1182
                if (retval)
1183
                        return(retval);
1184
                ent_count = get_user((int *) arg);
1185
                /*
1186
                 * Add i to entropy_count, limiting the result to be
1187
                 * between 0 and POOLBITS.
1188
                 */
1189
                if (ent_count < -random_state.entropy_count)
1190
                        random_state.entropy_count = 0;
1191
                else if (ent_count > POOLBITS)
1192
                        random_state.entropy_count = POOLBITS;
1193
                else {
1194
                        random_state.entropy_count += ent_count;
1195
                        if (random_state.entropy_count > POOLBITS)
1196
                                random_state.entropy_count = POOLBITS;
1197
                        if (random_state.entropy_count < 0)
1198
                                random_state.entropy_count = 0;
1199
                }
1200
                /*
1201
                 * Wake up waiting processes if we have enough
1202
                 * entropy.
1203
                 */
1204
                if (random_state.entropy_count >= WAIT_INPUT_BITS)
1205
                        wake_up_interruptible(&random_wait);
1206
                return 0;
1207
        case RNDGETPOOL:
1208
                if (!suser())
1209
                        return -EPERM;
1210
                p = (int *) arg;
1211
                retval = verify_area(VERIFY_WRITE, (void *) p, sizeof(int));
1212
                if (retval)
1213
                        return(retval);
1214
                ent_count = random_state.entropy_count;
1215
                put_user(ent_count, p++);
1216
                retval = verify_area(VERIFY_WRITE, (void *) p, sizeof(int));
1217
                if (retval)
1218
                        return(retval);
1219
                size = get_user(p);
1220
                put_user(POOLWORDS, p++);
1221
                if (size < 0)
1222
                        return -EINVAL;
1223
                if (size > POOLWORDS)
1224
                        size = POOLWORDS;
1225
                retval = verify_area(VERIFY_WRITE, (void *) p,
1226
                                     size * sizeof(__u32));
1227
                if (retval)
1228
                        return retval;
1229
                memcpy_tofs(p, random_state.pool, size*sizeof(__u32));
1230
                return 0;
1231
        case RNDADDENTROPY:
1232
                if (!suser())
1233
                        return -EPERM;
1234
                p = (int *) arg;
1235
                retval = verify_area(VERIFY_READ, (void *) p, 2*sizeof(int));
1236
                if (retval)
1237
                        return(retval);
1238
                ent_count = get_user(p++);
1239
                if (ent_count < 0)
1240
                        return -EINVAL;
1241
                size = get_user(p++);
1242
                retval = random_write(0, file, (const char *) p, size);
1243
                if (retval < 0)
1244
                        return retval;
1245
                /*
1246
                 * Add ent_count to entropy_count, limiting the result to be
1247
                 * between 0 and POOLBITS.
1248
                 */
1249
                if (ent_count > POOLBITS)
1250
                        random_state.entropy_count = POOLBITS;
1251
                else {
1252
                        random_state.entropy_count += ent_count;
1253
                        if (random_state.entropy_count > POOLBITS)
1254
                                random_state.entropy_count = POOLBITS;
1255
                        if (random_state.entropy_count < 0)
1256
                                random_state.entropy_count = 0;
1257
                }
1258
                /*
1259
                 * Wake up waiting processes if we have enough
1260
                 * entropy.
1261
                 */
1262
                if (random_state.entropy_count >= WAIT_INPUT_BITS)
1263
                        wake_up_interruptible(&random_wait);
1264
                return 0;
1265
        case RNDZAPENTCNT:
1266
                if (!suser())
1267
                        return -EPERM;
1268
                random_state.entropy_count = 0;
1269
                return 0;
1270
        case RNDCLEARPOOL:
1271
                /* Clear the entropy pool and associated counters. */
1272
                if (!suser())
1273
                        return -EPERM;
1274
                rand_clear_pool();
1275
                return 0;
1276
        default:
1277
                return -EINVAL;
1278
        }
1279
}
1280
 
1281
struct file_operations random_fops = {
1282
        NULL,           /* random_lseek */
1283
        random_read,
1284
        random_write,
1285
        NULL,           /* random_readdir */
1286
        random_select,  /* random_select */
1287
        random_ioctl,
1288
        NULL,           /* random_mmap */
1289
        NULL,           /* no special open code */
1290
        NULL            /* no special release code */
1291
};
1292
 
1293
struct file_operations urandom_fops = {
1294
        NULL,           /* unrandom_lseek */
1295
        random_read_unlimited,
1296
        random_write,
1297
        NULL,           /* urandom_readdir */
1298
        NULL,           /* urandom_select */
1299
        random_ioctl,
1300
        NULL,           /* urandom_mmap */
1301
        NULL,           /* no special open code */
1302
        NULL            /* no special release code */
1303
};
1304
 
1305
/*
1306
 * TCP initial sequence number picking.  This uses the random number
1307
 * generator to pick an initial secret value.  This value is hashed
1308
 * along with the TCP endpoint information to provide a unique
1309
 * starting point for each pair of TCP endpoints.  This defeats
1310
 * attacks which rely on guessing the initial TCP sequence number.
1311
 * This algorithm was suggested by Steve Bellovin.
1312
 */
1313
__u32 secure_tcp_sequence_number(__u32 saddr, __u32 daddr,
1314
                                 __u16 sport, __u16 dport)
1315
{
1316
        static int      is_init = 0;
1317
        static __u32    secret[16];
1318
        struct timeval  tv;
1319
        __u32           tmp[16];
1320
        __u32           seq;
1321
 
1322
        /*
1323
         * Pick a random secret the first time we open a TCP
1324
         * connection.
1325
         */
1326
        if (is_init == 0) {
1327
                get_random_bytes(&secret, sizeof(secret));
1328
                is_init = 1;
1329
        }
1330
 
1331
        memcpy(tmp, secret, sizeof(tmp));
1332
        /*
1333
         * Pick a unique starting offset for each
1334
         * TCP connection endpoints (saddr, daddr, sport, dport)
1335
         */
1336
        tmp[8]=saddr;
1337
        tmp[9]=daddr;
1338
        tmp[10]=(sport << 16) + dport;
1339
        HASH_TRANSFORM(tmp, tmp);
1340
 
1341
        /*
1342
         *      As close as possible to RFC 793, which
1343
         *      suggests using a 250kHz clock.
1344
         *      Further reading shows this assumes 2MB/s networks.
1345
         *      For 10MB/s ethernet, a 1MHz clock is appropriate.
1346
         *      That's funny, Linux has one built in!  Use it!
1347
         */
1348
        do_gettimeofday(&tv);
1349
        seq = tmp[1] + tv.tv_usec+tv.tv_sec*1000000;
1350
#if 0
1351
        /*
1352
          ugh...we can only use in_ntoa once per printk, splitting
1353
          a single line of info into multiple printk's confuses klogd,
1354
          and Linus says in_ntoa sucks anyway :)
1355
        */
1356
        printk("init_seq(%d.%d.%d.%d:%d, %d.%d.%d.%d:%d) = %d\n",
1357
                NIPQUAD(saddr), sport, NIPQUAD(daddr), dport, seq);
1358
#endif
1359
        return (seq);
1360
}
1361
 
1362
#ifdef CONFIG_RST_COOKIES
1363
/*
1364
 * TCP security probe sequence number picking. Losely based upon
1365
 * secure sequence number algorithm above.
1366
 */
1367
__u32 secure_tcp_probe_number(__u32 saddr, __u32 daddr,
1368
                 __u16 sport, __u16 dport, __u32 sseq, int validate)
1369
{
1370
        static int      is_init = 0;
1371
        static int      valid_secret[2];
1372
        static __u32    secret_timestamp[2];
1373
        static __u32    secret[2][16];
1374
        static int      offset = 0;
1375
        __u32           tmp[16];
1376
        __u32           seq;
1377
 
1378
        /*
1379
         * Pick a random secret the first time we open a TCP
1380
         * connection, and expire secrets older than 5 minutes.
1381
         */
1382
        if (is_init == 0 || jiffies-secret_timestamp[offset] > 600*HZ) {
1383
                if (is_init == 0) valid_secret[0] = valid_secret[1] = 0;
1384
                else offset = (offset+1)%2;
1385
                get_random_bytes(&secret[offset], sizeof(secret[offset]));
1386
                valid_secret[offset] = 1;
1387
                secret_timestamp[offset] = jiffies;
1388
                is_init = 1;
1389
        }
1390
 
1391
        memcpy(tmp, secret[offset], sizeof(tmp));
1392
        /*
1393
         * Pick a unique starting offset for each
1394
         * TCP connection endpoints (saddr, daddr, sport, dport)
1395
         */
1396
        tmp[8]=saddr;
1397
        tmp[9]=daddr;
1398
        tmp[10]=(sport << 16) + dport;
1399
        HASH_TRANSFORM(tmp, tmp);
1400
        seq = tmp[1];
1401
 
1402
        if (!validate) {
1403
                if (seq == sseq) seq++;
1404
#if 0
1405
                printk("init_seq(%d.%d.%d.%d:%d %d.%d.%d.%d:%d, %d) = %d\n",
1406
                        NIPQUAD(saddr), sport, NIPQUAD(daddr), dport, sseq, seq);
1407
#endif
1408
                return (seq);
1409
        } else {
1410
                if (seq == sseq || (seq+1) == sseq) {
1411
                        printk("validated probe(%d.%d.%d.%d:%d, %d.%d.%d.%d:%d, %d)\n",
1412
                                NIPQUAD(saddr), sport, NIPQUAD(daddr), dport, sseq);
1413
                        return 1;
1414
                }
1415
                if (jiffies-secret_timestamp[(offset+1)%2] <= 1200*HZ) {
1416
                        memcpy(tmp, secret[(offset+1)%2], sizeof(tmp));
1417
                        tmp[8]=saddr;
1418
                        tmp[9]=daddr;
1419
                        tmp[10]=(sport << 16) + dport;
1420
                        HASH_TRANSFORM(tmp, tmp);
1421
                        seq = tmp[1];
1422
                        if (seq == sseq || (seq+1) == sseq) {
1423
#ifdef 0
1424
                                printk("validated probe(%d.%d.%d.%d:%d, %d.%d.%d.%d:%d, %d)\n",
1425
                                        NIPQUAD(saddr), sport, NIPQUAD(daddr), dport, sseq);
1426
#endif
1427
                                return 1;
1428
                        }
1429
                }
1430
#ifdef 0
1431
                printk("failed validation on probe(%d.%d.%d.%d:%d, %d.%d.%d.%d:%d, %d)\n",
1432
                        NIPQUAD(saddr), sport, NIPQUAD(daddr), dport, sseq);
1433
#endif
1434
                return 0;
1435
        }
1436
}
1437
#endif
1438
 
1439
#ifdef CONFIG_SYN_COOKIES
1440
/*
1441
 * Secure SYN cookie computation. This is the algorithm worked out by
1442
 * Dan Bernstien and Eric Schenk.
1443
 *
1444
 * For linux I implement the 1 minute counter by looking at the jiffies clock.
1445
 * The count is passed in as a parameter;
1446
 *
1447
 */
1448
__u32 secure_tcp_syn_cookie(__u32 saddr, __u32 daddr,
1449
                 __u16 sport, __u16 dport, __u32 sseq, __u32 count)
1450
{
1451
        static int      is_init = 0;
1452
        static __u32    secret[2][16];
1453
        __u32           tmp[16];
1454
        __u32           seq;
1455
 
1456
        /*
1457
         * Pick two random secret the first time we open a TCP connection.
1458
         */
1459
        if (is_init == 0) {
1460
                get_random_bytes(&secret[0], sizeof(secret[0]));
1461
                get_random_bytes(&secret[1], sizeof(secret[1]));
1462
                is_init = 1;
1463
        }
1464
 
1465
        /*
1466
         * Compute the secure sequence number.
1467
         * The output should be:
1468
         *   MD5(sec1,saddr,sport,daddr,dport,sec1) + their sequence number
1469
         *      + (count * 2^24)
1470
         *      + (MD5(sec2,saddr,sport,daddr,dport,count,sec2) % 2^24).
1471
         * Where count increases every minute by 1.
1472
         */
1473
 
1474
        memcpy(tmp, secret[0], sizeof(tmp));
1475
        tmp[8]=saddr;
1476
        tmp[9]=daddr;
1477
        tmp[10]=(sport << 16) + dport;
1478
        HASH_TRANSFORM(tmp, tmp);
1479
        seq = tmp[1];
1480
 
1481
        memcpy(tmp, secret[1], sizeof(tmp));
1482
        tmp[8]=saddr;
1483
        tmp[9]=daddr;
1484
        tmp[10]=(sport << 16) + dport;
1485
        tmp[11]=count;  /* minute counter */
1486
        HASH_TRANSFORM(tmp, tmp);
1487
 
1488
        seq += sseq + (count << 24) + (tmp[1] & 0x00ffffff);
1489
 
1490
        /* Zap lower 3 bits to leave room for the MSS representation */
1491
        return (seq & 0xfffff8);
1492
}
1493
#endif
1494
 
1495
#ifdef RANDOM_BENCHMARK
1496
/*
1497
 * This is so we can do some benchmarking of the random driver, to see
1498
 * how much overhead add_timer_randomness really takes.  This only
1499
 * works on a Pentium, since it depends on the timer clock...
1500
 *
1501
 * Note: the results of this benchmark as of this writing (5/27/96)
1502
 *
1503
 * On a Pentium, add_timer_randomness() takes between 150 and 1000
1504
 * clock cycles, with an average of around 600 clock cycles.  On a 75
1505
 * MHz Pentium, this translates to 2 to 13 microseconds, with an
1506
 * average time of 8 microseconds.  This should be fast enough so we
1507
 * can use add_timer_randomness() even with the fastest of interrupts...
1508
 */
1509
static inline unsigned long long get_clock_cnt(void)
1510
{
1511
        unsigned long low, high;
1512
        __asm__(".byte 0x0f,0x31" :"=a" (low), "=d" (high));
1513
        return (((unsigned long long) high << 32) | low);
1514
}
1515
 
1516
static void initialize_benchmark(struct random_benchmark *bench,
1517
                                 const char *descr, int unit)
1518
{
1519
        bench->times = 0;
1520
        bench->accum = 0;
1521
        bench->max = 0;
1522
        bench->min = 1 << 31;
1523
        bench->descr = descr;
1524
        bench->unit = unit;
1525
}
1526
 
1527
static void begin_benchmark(struct random_benchmark *bench)
1528
{
1529
#ifdef BENCHMARK_NOINT
1530
        save_flags(bench->flags); cli();
1531
#endif
1532
        bench->start_time = get_clock_cnt();
1533
}
1534
 
1535
static void end_benchmark(struct random_benchmark *bench)
1536
{
1537
        unsigned long ticks;
1538
 
1539
        ticks = (unsigned long) (get_clock_cnt() - bench->start_time);
1540
#ifdef BENCHMARK_NOINT
1541
        restore_flags(bench->flags);
1542
#endif
1543
        if (ticks < bench->min)
1544
                bench->min = ticks;
1545
        if (ticks > bench->max)
1546
                bench->max = ticks;
1547
        bench->accum += ticks;
1548
        bench->times++;
1549
        if (bench->times == BENCHMARK_INTERVAL) {
1550
                printk("Random benchmark: %s %d: %lu min, %lu avg, "
1551
                       "%lu max\n", bench->descr, bench->unit, bench->min,
1552
                       bench->accum / BENCHMARK_INTERVAL, bench->max);
1553
                bench->times = 0;
1554
                bench->accum = 0;
1555
                bench->max = 0;
1556
                bench->min = 1 << 31;
1557
        }
1558
}
1559
#endif /* RANDOM_BENCHMARK */

powered by: WebSVN 2.1.0

© copyright 1999-2024 OpenCores.org, equivalent to Oliscience, all rights reserved. OpenCores®, registered trademark.