/*
* Copyright (c) 1993-1995 Colin Plumb. All rights reserved.
* For licensing and other legal details, see the file legal.c.
*
* Get environmental noise.
*/
#include "first.h"
|
|
|
|
#include <time.h> /* For time measurement code */
|
|
|
|
|
|
|
|
#ifndef MSDOS
|
|
|
|
#ifdef __MSDOS
|
|
|
|
#define MSDOS 1
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
#ifndef MSDOS
|
|
|
|
#ifdef __MSDOS__
|
|
|
|
#define MSDOS 1
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
#ifndef UNIX
|
|
|
|
#ifdef unix
|
|
|
|
#define UNIX 1
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
#ifndef UNIX
|
|
|
|
#ifdef __unix
|
|
|
|
#define UNIX 1
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
#ifndef UNIX
|
|
|
|
#ifdef __unix__
|
|
|
|
#define UNIX 1
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef MSDOS
|
|
|
|
|
|
|
|
#if __BORLANDC__
|
|
|
|
#define far __far /* Borland C++ 3.1's <dos.h> kacks in ANSI mode. Ugh! */
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <dos.h> /* for enable() and disable() */
|
|
|
|
#include <conio.h> /* for inp() and outp() */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This code gets as much information as possible out of 8253/8254 timer 0,
|
|
|
|
* which ticks every .84 microseconds. There are three cases:
|
|
|
|
* 1) Original 8253. 15 bits available, as the low bit is unused.
|
|
|
|
* 2) 8254, in mode 3. The 16th bit is available from the status register.
|
|
|
|
* 3) 8254, in mode 2. All 16 bits of the counters are available.
|
|
|
|
* (This is not documented anywhere, but I've seen it!)
|
|
|
|
*
|
|
|
|
* This code repeatedly tries to latch the status (ignored by an 8253) and
|
|
|
|
* sees if it looks like xx1101x0. If not, it's definitely not an 8254.
|
|
|
|
* Repeat this a few times to make sure it is an 8254.
|
|
|
|
*/
|
|
|
|
/*
 * Probe whether timer 0 is an 8254 (which honours the read-back command)
 * rather than an original 8253 (which ignores it).
 *
 * Each round writes the status-latch read-back command (0xe2) to port 0x43
 * and reads port 0x40, twice over.  An 8254 answers with its status byte,
 * which is expected to match the pattern xx1101x0 (mask 0x3d, value 0x34).
 * An 8253 ignores the command and hands back the counter's low and then
 * high byte instead, which will almost never match that pattern on both
 * reads.  Five rounds are made so a lucky counter value cannot masquerade
 * as a status byte.
 *
 * Interrupts are held off around each pair of port accesses, presumably so
 * that an interrupt handler cannot touch the timer between the latch and
 * our read (the original gives no reason; this is an assumption).
 *
 * Returns 1 if every probe looked like an 8254 status byte, 0 otherwise.
 */
static int
has8254(void)
{
	int round = 5;

	while (round-- > 0) {
		int first, second;

		_disable();
		outp(0x43, 0xe2);	/* Read-back: latch status of timer 0 */
		first = inp(0x40);	/* 8254: status byte; 8253: count low byte */
		outp(0x43, 0xe2);	/* Latch status again */
		second = inp(0x40);	/* 8254: status byte; 8253: count high byte */
		_enable();

		/* Either read not matching xx1101x0 means no status latch: 8253. */
		if ((first & 0x3d) != 0x34)
			return 0;
		if ((second & 0x3d) != 0x34)
			return 0;
	}
	return 1;	/* Consistent status reads on all rounds: 8254 */
}
|
|
|
|
|
|
|
|
/* TODO: It might be better to capture this data in a keyboard ISR */
|
|
|
|
/*
 * Read timer 0 of an 8254 as a 16-bit value.
 *
 * A single read-back command (0xc2) latches both the status byte and the
 * count of timer 0.  The latched bytes then come out of port 0x40 in a
 * fixed order: status first, then the count's low byte, then its high
 * byte.  Interrupts are held off for all three reads so the latched set is
 * consumed as a unit; the order of the reads must not be changed.
 *
 * The code treats bit 1 of the status byte as "timer is in mode 3", the
 * usual PC setting, where the counter's low bit carries no information.
 * In that case the count is shifted down one bit and the status byte's top
 * bit (assumed to be the timer's OUT level; not established here) is
 * moved into bit 15 so that 16 informative bits are still returned.  In
 * mode 2 (seen on some motherboards) all 16 count bits are used as-is.
 *
 * The counter is free-running and wraps, so callers must difference
 * successive readings modulo 2^16 rather than treat them as absolute.
 */
static unsigned
read8254(void)
{
	unsigned sts, lo, hi, value;

	_disable();
	outp(0x43, 0xc2);	/* Read-back: latch status + count, timer 0 */
	sts = inp(0x40);	/* status byte comes out first */
	lo = inp(0x40);		/* then the count's low byte */
	hi = inp(0x40);		/* then the count's high byte */
	_enable();

	value = lo | (hi << 8);

	/* Mode 3 (status bit 1 set): drop the unused low bit, borrow bit 7. */
	if (sts & 2)
		value = (value >> 1) | ((sts & 0x80) << 8);

	return value;
}
|
|
|
|
|
|
|
|
/*
 * Read timer 0 of an original 8253 as a 15-bit value.
 *
 * The counter-latch command (0x00 to port 0x43) freezes a copy of the
 * count; the low and then the high byte are read from port 0x40, with
 * interrupts held off so nothing intervenes between the two reads.
 *
 * On an 8253 the counter's low bit is unused (see the comment above
 * has8254), so the 16-bit count is shifted down one place before being
 * returned.  Like read8254(), this is a free-running, wrapping counter:
 * only differences between readings are meaningful.
 */
static unsigned
read8253(void)
{
	unsigned lo, hi;

	_disable();
	outp(0x43, 0x00);	/* Counter-latch command for timer 0 */
	lo = inp(0x40) & 0xff;
	hi = inp(0x40) & 0xff;
	_enable();

	/* Low bit carries nothing on an 8253: return the upper 15 bits. */
	return (lo | (hi << 8)) >> 1;
}
|
|
|
|
#endif /* MSDOS */
|
|
|
|
|
|
|
|
#ifdef UNIX
|
|
|
|
/*
|
|
|
|
* This code uses five different timers, if available, in decreasing
|
|
|
|
* priority order:
|
|
|
|
* - gethrtime(), assumed unavailable unless USE_GETHRTIME=1
|
|
|
|
* - clock_gettime(), auto-detected unless overridden with USE_CLOCK_GETTIME
|
|
|
|
* - gettimeofday(), assumed available unless USE_GETTIMEOFDAY=0
|
|
|
|
* - getitimer(), auto-detected unless overridden with USE_GETITIMER
|
|
|
|
* - ftime(), assumed available unless USE_FTIME=0
|
|
|
|
*
|
|
|
|
* These are all accessed through the gettime(), timetype, and tickdiff()
|
|
|
|
* macros. The MINTICK constant is something to avoid the gettimeofday()
|
|
|
|
* glitch wherein it increments the return value even if no tick has occurred.
|
|
|
|
* When measuring the tick interval, if the difference between two successive
|
|
|
|
* times is not at least MINTICK ticks, it is ignored.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <sys/times.h> /* for times() */
|
|
|
|
#include <stdlib.h> /* For qsort() */
|
|
|
|
|
|
|
|
#if !USE_GETHRTIME
|
|
|
|
#ifndef USE_CLOCK_GETTIME /* Detect using CLOCK_REALTIME from <time.h> */
|
|
|
|
#ifdef CLOCK_REALTIMExxx /* Stupid libc... */
|
|
|
|
#define USE_CLOCK_GETTIME 1
|
|
|
|
#else
|
|
|
|
#define USE_CLOCK_GETTIME 0
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#if !USE_CLOCK_GETTIME
|
|
|
|
#include <sys/time.h> /* For gettimeofday(), getitimer(), or ftime() */
|
|
|
|
|
|
|
|
#ifndef USE_GETTIMEOFDAY
|
|
|
|
#define USE_GETTIMEOFDAY 1 /* No way to tell, so assume it's there */
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#if !USE_GETTIMEOFDAY
|
|
|
|
#ifndef USE_GETITIMER /* Detect using ITIMER_REAL from <sys/time.h> */
|
|
|
|
#define USE_GETITIMER defined(ITIMER_REAL)
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#if !USE_GETITIMER
|
|
|
|
#ifndef USE_FTIME
|
|
|
|
#define USE_FTIME 1
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#endif /* !USE_GETITIMER */
|
|
|
|
#endif /* !USE_GETTIMEOFDAY */
|
|
|
|
#endif /* !USE_CLOCK_GETTIME */
|
|
|
|
#endif /* !USE_GETHRTIME */
|
|
|
|
|
|
|
|
#if USE_GETHRTIME
|
|
|
|
|
|
|
|
#define CHOICE_GETHRTIME 1
|
|
|
|
#include <sys/time.h>
|
|
|
|
typedef hrtime_t timetype;
|
|
|
|
#define gettime(s) (*(s) = gethrtime())
|
|
|
|
#define tickdiff(s,t) ((s)-(t))
|
|
|
|
#define MINTICK 0
|
|
|
|
|
|
|
|
#elif USE_CLOCK_GETTIME
|
|
|
|
|
|
|
|
#define CHOICE_CLOCK_GETTIME 1
|
|
|
|
typedef struct timespec timetype;
|
|
|
|
#define gettime(s) (void)clock_gettime(CLOCK_REALTIME, s)
|
|
|
|
#define tickdiff(s,t) (((s).tv_sec-(t).tv_sec)*1000000000 + \
|
|
|
|
(s).tv_nsec - (t).tv_nsec)
|
|
|
|
|
|
|
|
#elif USE_GETTIMEOFDAY
|
|
|
|
|
|
|
|
#define CHOICE_GETTIMEOFDAY 1
|
|
|
|
typedef struct timeval timetype;
|
|
|
|
#define gettime(s) (void)gettimeofday(s, (struct timezone *)0)
|
|
|
|
#define tickdiff(s,t) (((s).tv_sec-(t).tv_sec)*1000000+(s).tv_usec-(t).tv_usec)
|
|
|
|
#define MINTICK 1
|
|
|
|
|
|
|
|
#elif USE_GETITIMER
|
|
|
|
|
|
|
|
#define CHOICE_GETITIMER 1
|
|
|
|
#include <signal.h> /* For signal(), SIGALRM, SIG_IGN */
|
|
|
|
typedef struct itimerval timetype;
|
|
|
|
#define gettime(s) (void)getitimer(ITIMER_REAL, s)
|
|
|
|
#define tickdiff(s,t) (((t).it_value.tv_sec-(s).it_value.tv_sec)*1000000 + \
|
|
|
|
(t).it_value.tv_usec - (s).it_value.tv_usec)
|
|
|
|
#define MINTICK 1
|
|
|
|
|
|
|
|
#elif USE_FTIME /* Use ftime() */
|
|
|
|
|
|
|
|
#define CHOICE_FTIME 1
|
|
|
|
#include <sys/timeb.h>
|
|
|
|
typedef struct timeb timetype;
|
|
|
|
#define gettime(s) (void)ftime(s)
|
|
|
|
#define tickdiff(s,t) (((s).time-(t).time)*1000 + (s).millitm - (t).millitm)
|
|
|
|
#define MINTICK 0
|
|
|
|
|
|
|
|
#else
|
|
|
|
|
|
|
|
#error No clock available - please define one.
|
|
|
|
|
|
|
|
#endif /* End of complex choice of clock conditional */
|
|
|
|
|
|
|
|
#if CHOICE_CLOCK_GETTIME
|
|
|
|
|
|
|
|
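/*
 * Report the resolution of CLOCK_REALTIME, in nanoseconds, as the unit
 * that noise() divides clock differences by to count ticks.
 *
 * The value is taken from the tv_nsec field of clock_getres().  It is
 * never allowed to be 0, because noise() divides by it: a failed
 * clock_getres() call (which would leave res uninitialised) or a
 * resolution reported as a whole number of seconds (tv_nsec == 0) must
 * not become a division by zero.
 *
 *  - If the call fails, 1 is returned, i.e. differences are counted in
 *    raw nanoseconds.  That overstates ticks on a coarse clock, so it is
 *    not conservative; it is merely the only defined choice when the
 *    resolution is unknown, and it keeps noise() from faulting.
 *  - If the resolution is a second or more, 1000000000 is returned
 *    (one-second ticks), the largest unit an unsigned can hold; clamping
 *    to a coarser unit under-counts ticks, which is the safe direction.
 */
static unsigned
noiseTickSize(void)
{
	struct timespec res;

	if (clock_getres(CLOCK_REALTIME, &res) != 0)
		return 1;		/* Resolution unknown: count nanoseconds */
	if (res.tv_sec > 0)
		return 1000000000u;	/* Coarser than 1 s: count seconds */
	if (res.tv_nsec <= 0)
		return 1;		/* Bogus resolution: avoid a /0 in noise() */
	return (unsigned)res.tv_nsec;
}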
|
|
|
|
|
|
|
|
#else /* Normal clock resolution estimation */
|
|
|
|
|
|
|
|
#if NOISEDEBUG
|
|
|
|
#include <stdio.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#define N 15 /* Number of deltas to try (at least 5, preferably odd) */
|
|
|
|
|
|
|
|
/* Function needed for qsort() */
|
|
|
|
/*
 * qsort() comparator for the unsigned tick deltas gathered by
 * noiseTickSize(): orders them ascending.  The two values are compared
 * rather than subtracted, since the difference of two unsigneds carries
 * no sign.
 */
static int
noiseCompare(void const *p1, void const *p2)
{
	unsigned a = *(unsigned const *)p1;
	unsigned b = *(unsigned const *)p2;

	if (a < b)
		return -1;
	return a > b;	/* 1 if greater, 0 if equal */
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Find the resolution of the high-resolution clock by sampling successive
|
|
|
|
* values until a tick boundary, at which point the delta is entered into
|
|
|
|
* a table. An average near the median of the table is taken and returned
|
|
|
|
* as the system tick size to eliminate outliers due to descheduling (high)
|
|
|
|
* or tv0 not being the "zero" time in a given tick (low).
|
|
|
|
*
|
|
|
|
* Some trickery is needed to defeat the habit systems have of always
|
|
|
|
* incrementing the microseconds field from gettimeofday() results so that
|
|
|
|
* no two calls return the same value. Thus, a "tick boundary" is assumed
|
|
|
|
* when successive calls return a difference of more than MINTICK ticks.
|
|
|
|
* (For gettimeofday(), this is set to 2 us.) This catches cases where at
|
|
|
|
* most one other task reads the clock between successive reads by this task.
|
|
|
|
* More tasks in between are rare enough that they'll get cut off by the
|
|
|
|
* median filter.
|
|
|
|
*
|
|
|
|
* When a tick boundary is found, the *first* time read during the previous
|
|
|
|
* tick (tv0) is subtracted from the new time to get microseconds per tick.
|
|
|
|
*
|
|
|
|
* Suns have a 1 us timer, and as of SunOS 4.1, they return that timer, but
|
|
|
|
* there is ~50 us of system-call overhead to get it, so this overestimates
|
|
|
|
* the tick size considerably. On SunOS 5.x/Solaris, the overhead has been
|
|
|
|
* cut to about 2.5 us, so the measured time alternates between 2 and 3 us.
|
|
|
|
* Some better algorithms will be required for future machines that really
|
|
|
|
* do achieve 1 us granularity.
|
|
|
|
*
|
|
|
|
* Current best idea: discard all this hair and use Ueli Maurer's entropy
|
|
|
|
* estimation scheme. Assign each input event (delta) a sequence number.
|
|
|
|
* 16 bits should be more than adequate. Make a table of the last time
|
|
|
|
* (by sequence number) each possibe input event occurred. For practical
|
|
|
|
* implementation, hash the event to a fixed-size code and consider two
|
|
|
|
* events identical if they have the same hash code. This will only ever
|
|
|
|
* underestimate entropy. Then use the number of bits in the difference
|
|
|
|
* between the current sequence number and the previous one as the entropy
|
|
|
|
* estimate.
|
|
|
|
*
|
|
|
|
* If it's desirable to use longer contexts, Maurer's original technique
|
|
|
|
* just groups events into non-overlapping pairs and uses the technique on
|
|
|
|
* the pairs. If you want to increment the entropy numbers on each keystroke
|
|
|
|
* for user-interface niceness, you can do the operation each time, but you
|
|
|
|
* have to halve the sequence number difference before starting, and then you
|
|
|
|
* have to halve the number of bits of entropy computed because you're adding
|
|
|
|
* them twice.
|
|
|
|
*
|
|
|
|
* You can put the even and odd events into separate tables to close Maurer's
|
|
|
|
* model exactly, or you can just dump them into the same table, which will
|
|
|
|
* be more conservative.
|
|
|
|
*/
|
|
|
|
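/*
 * Measure the clock's tick size, in tickdiff() units, by watching for
 * tick boundaries; the long comment above explains the approach.
 *
 * tv1 is the most recent reading and tv0 the first reading taken inside
 * the current tick.  A boundary is declared when two successive readings
 * differ by more than MINTICK.  The delta recorded for the table is
 * tv2 - tv0, the span of the whole previous tick, exactly as the comment
 * above describes.  (The previous code recorded tv2 - tv1 and left tv0 as
 * a dead store.  With the gettimeofday() habit of bumping the result on
 * every call, tv2 - tv1 is short by the number of reads made inside the
 * tick, so the tick size came out too small and noise() then reported
 * too many ticks, i.e. over-credited entropy.)
 *
 * Returns the mean of the middle five of the N sorted deltas, rounded up.
 * Every recorded delta is at least 1, so the result is never 0 and is
 * safe to divide by.  If 4096 successive readings never cross a boundary
 * the clock is taken to be finer than we can measure and
 * MINTICK + !MINTICK (which is 1 for either MINTICK setting) is returned.
 */
static unsigned
noiseTickSize(void)
{
	unsigned deltas[N];
	unsigned filled = 0;	/* entries of deltas[] in use */
	unsigned quiet = 0;	/* consecutive reads without a boundary */
	timetype tv0, tv1, tv2;

	gettime(&tv0);
	tv1 = tv0;
	while (filled < N) {
		gettime(&tv2);
		if ((unsigned)tickdiff(tv2, tv1) > MINTICK) {
			/* Crossed a tick: record the span of the whole previous one. */
			deltas[filled++] = (unsigned)tickdiff(tv2, tv0);
			tv0 = tv2;
			quiet = 0;
		} else if (++quiet >= 4096) {
			/* Always getting <= MINTICK units: can't resolve the tick */
			return MINTICK + !MINTICK;
		}
		tv1 = tv2;
	}

	/* Median-ish filter: average the middle five sorted values, rounding up */
	qsort(deltas, N, sizeof(deltas[0]), noiseCompare);
	{
		unsigned mid = N / 2;
		unsigned avg = (deltas[mid - 2] + deltas[mid - 1] + deltas[mid]
				+ deltas[mid + 1] + deltas[mid + 2] + 4) / 5;
#if NOISEDEBUG
		fprintf(stderr, "Tick size is %u\n", avg);
#endif
		return avg;
	}
}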
|
|
|
|
|
|
|
|
#endif /* Clock resolution measurement condition */
|
|
|
|
|
|
|
|
#endif /* UNIX */
|
|
|
|
|
|
|
|
#include "usuals.h"
|
|
|
|
#include "randpool.h"
|
|
|
|
#include "noise.h"
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Add as much environmentally-derived random noise as possible
|
|
|
|
* to the randPool. Typically, this involves reading the most
|
|
|
|
* accurate system clocks available.
|
|
|
|
*
|
|
|
|
* Returns the number of ticks that have passed since the last call,
|
|
|
|
* for entropy estimation purposes.
|
|
|
|
*/
|
|
|
|
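/*
 * Add as much environmentally-derived random noise as possible
 * to the randPool.  Typically, this involves reading the most
 * accurate system clocks available and stirring their raw bytes in.
 *
 * Returns the number of clock ticks that have passed since the last
 * call, for the caller's entropy estimation.  Since callers credit
 * entropy in proportion to this value, it is clamped to 0 where the raw
 * difference would be meaningless and large:
 *  - on the very first call: the static prevt values start at zero, so
 *    the raw difference would be the time since the epoch (UNIX, VMS) or
 *    an arbitrary 15/16-bit counter value (MSDOS);
 *  - on UNIX, when the new reading is earlier than the previous one:
 *    CLOCK_REALTIME, gettimeofday() and ftime() report wall-clock time,
 *    which the administrator or NTP can step backwards, and the
 *    getitimer() start-up path below leaves prevt with a zero it_value so
 *    the following difference is negative too.  A negative tickdiff()
 *    cast to word32 would otherwise read as billions of ticks.
 * Under-reporting ticks only makes the entropy estimate more
 * conservative; over-reporting would let the pool be trusted too early.
 */
word32
noise(void)
{
	word32 delta;
	static int primed = 0;	/* nonzero once a previous reading exists */

#if defined(MSDOS)
	static unsigned deltamask = 0;	/* 0xffff for an 8254, 0x7fff for an 8253 */
	static unsigned prevt;
	unsigned t;
	time_t tnow;
	clock_t cnow;

	/* Probe the timer chip once; bit 15 of the mask remembers the answer. */
	if (deltamask == 0)
		deltamask = has8254() ? 0xffff : 0x7fff;
	t = (deltamask & 0x8000) ? read8254() : read8253();
	randPoolAddBytes((byte const *)&t, sizeof(t));
	/*
	 * The counter is free-running, so the difference is only known
	 * modulo its period (2^16 or 2^15 units); calls further apart than
	 * that alias.  The coarser clocks below go into the pool but are
	 * not counted as ticks.
	 */
	delta = deltamask & (t - prevt);
	prevt = t;

	/* Add more-significant time components. */
	cnow = clock();
	randPoolAddBytes((byte *)&cnow, sizeof(cnow));
	tnow = time((time_t *)0);
	randPoolAddBytes((byte *)&tnow, sizeof(tnow));
	/* END OF DOS */
#elif defined(VMS)
	word32 t[2];		/* little-endian 64-bit timer */
	word32 d1;		/* MSW of difference */
	static word32 prevt[2];

	SYS$GETTIM(t);		/* VMS hardware clock increments by 100000 per tick */
	randPoolAddBytes((byte const *)t, sizeof(t));
	/*
	 * 64-bit difference: LSW in delta, MSW in d1.  A borrow out of the
	 * low word (t[0] < prevt[0]) must be *subtracted* from the high
	 * word; the previous code added it, which made d1 too large by 2
	 * whenever the low word wrapped and so inflated the tick count.
	 */
	d1 = t[1] - prevt[1] - (t[0] < prevt[0]);
	prevt[1] = t[1];
	delta = t[0] - prevt[0];
	prevt[0] = t[0];

	/* Now, divide the 64-bit value by 100000 = 2^5 * 5^5 = 32 * 3125 */
	/* Divide value, MSW in d1 and LSW in delta, by 32 */
	delta >>= 5;
	delta |= d1 << (32-5);
	d1 >>= 5;
	/*
	 * Divide by 3125.  This fits into 16 bits, so the following
	 * code is possible.  2^32 = 3125 * 1374389 + 1671.
	 *
	 * Since we only want a 32-bit result, reduce the input mod
	 * 3125 * 2^32 before starting.  This amounts to reducing the most
	 * significant word mod 3125 and leaving the least-significant
	 * word alone.
	 *
	 * Then, using / for mathematical (real, not integer) division, we
	 * want floor((d1 * 2^32 + d0) / 3125), written with [ ] for floor:
	 *   [ (d1 * 2^32 + d0) / 3125 ]
	 * = [ (d1 * (3125 * 1374389 + 1671) + d0) / 3125 ]
	 * = [ d1 * 1374389 + (d1 * 1671 + d0) / 3125 ]
	 * = d1 * 1374389 + [ (d1 * 1671 + d0) / 3125 ]
	 * = d1 * 1374389 + [ d0 / 3125 ] + [ (d1 * 1671 + d0 % 3125) / 3125 ]
	 *
	 * The C / operator on integers performs [ a / b ], and since
	 * d1 < 3125 after the reduction, d1 * 1671 + d0 % 3125 < 3125 * 1672
	 * = 5225000 < 2^32, so every term fits in 32 bits.
	 */
	d1 %= 3125;	/* Ignore overflow past 32 bits */
	delta = delta/3125 + d1*1374389 + (delta%3125 + d1*1671) / 3125;
	/* END OF VMS */
#elif defined(UNIX)
	timetype t;
	static unsigned ticksize = 0;	/* measured once, on first use */
	static timetype prevt;

	gettime(&t);
#if CHOICE_GETITIMER
	/* If itimer isn't started, start it */
	if (t.it_value.tv_sec == 0 && t.it_value.tv_usec == 0) {
		/*
		 * Start the timer, assuming the program will not run for
		 * more than 11 days, 13 hours, 46 minutes and 40 seconds.
		 * Note this installs SIG_IGN for SIGALRM, discarding any
		 * handler the program had set.
		 */
		t.it_value.tv_sec = 1000000;
		t.it_interval.tv_sec = 1000000;
		t.it_interval.tv_usec = 0;
		signal(SIGALRM, SIG_IGN);	/* just in case.. */
		setitimer(ITIMER_REAL, &t, NULL);
		t.it_value.tv_sec = 0;
	}
	randPoolAddBytes((byte const *)&t.it_value, sizeof(t.it_value));
#else
	randPoolAddBytes((byte const *)&t, sizeof(t));
#endif

	if (!ticksize)
		ticksize = noiseTickSize();
	/*
	 * tickdiff() is signed for every clock choice.  A reading earlier
	 * than the previous one (wall clock stepped back, or the itimer
	 * start-up case above) would go negative and, after the word32
	 * cast, count as a huge number of ticks; report none instead.
	 */
	if (tickdiff(t, prevt) < 0)
		delta = 0;
	else
		delta = (word32)(tickdiff(t, prevt) / ticksize);
	prevt = t;
	/* END OF UNIX */
#else
#error Unknown OS - define UNIX or MSDOS or add code for high-resolution timers
#endif

	/* No previous reading on the first call: nothing has elapsed yet. */
	if (!primed) {
		primed = 1;
		delta = 0;
	}
	return delta;
}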
|