Annotation of src/usr.bin/ssh/random.c, Revision 1.1
1.1 ! deraadt 1: /* Note: file is included because gmp uses functions that use random in its
! 2: primality testing functions. //ylo */
! 3:
! 4: /*
! 5: * Copyright (c) 1983 Regents of the University of California.
! 6: * All rights reserved.
! 7: *
! 8: * Redistribution and use in source and binary forms, with or without
! 9: * modification, are permitted provided that the following conditions
! 10: * are met:
! 11: * 1. Redistributions of source code must retain the above copyright
! 12: * notice, this list of conditions and the following disclaimer.
! 13: * 2. Redistributions in binary form must reproduce the above copyright
! 14: * notice, this list of conditions and the following disclaimer in the
! 15: * documentation and/or other materials provided with the distribution.
! 16: * 3. All advertising materials mentioning features or use of this software
! 17: * must display the following acknowledgement:
! 18: * This product includes software developed by the University of
! 19: * California, Berkeley and its contributors.
! 20: * 4. Neither the name of the University nor the names of its contributors
! 21: * may be used to endorse or promote products derived from this software
! 22: * without specific prior written permission.
! 23: *
! 24: * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
! 25: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
! 26: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
! 27: * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
! 28: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
! 29: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
! 30: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
! 31: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
! 32: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
! 33: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
! 34: * SUCH DAMAGE.
! 35: */
! 36:
! 37: #if defined(LIBC_SCCS) && !defined(lint)
! 38: static char sccsid[] = "@(#)random.c 5.9 (Berkeley) 2/23/91";
! 39: #endif /* LIBC_SCCS and not lint */
! 40:
! 41: #include <stdio.h>
! 42: #include <stdlib.h>
! 43: #include <sys/types.h>
! 44:
! 45: /*
! 46: * random.c:
! 47: *
! 48: * An improved random number generation package. In addition to the standard
! 49: * rand()/srand() like interface, this package also has a special state info
! 50: * interface. The initstate() routine is called with a seed, an array of
! 51: * bytes, and a count of how many bytes are being passed in; this array is
! 52: * then initialized to contain information for random number generation with
! 53: * that much state information. Good sizes for the amount of state
! 54: * information are 32, 64, 128, and 256 bytes. The state can be switched by
! 55: * calling the setstate() routine with the same array as was initiallized
! 56: * with initstate(). By default, the package runs with 128 bytes of state
! 57: * information and generates far better random numbers than a linear
! 58: * congruential generator. If the amount of state information is less than
! 59: * 32 bytes, a simple linear congruential R.N.G. is used.
! 60: *
! 61: * Internally, the state information is treated as an array of longs; the
! 62: * zeroeth element of the array is the type of R.N.G. being used (small
! 63: * integer); the remainder of the array is the state information for the
! 64: * R.N.G. Thus, 32 bytes of state information will give 7 longs worth of
! 65: * state information, which will allow a degree seven polynomial. (Note:
! 66: * the zeroeth word of state information also has some other information
! 67: * stored in it -- see setstate() for details).
! 68: *
! 69: * The random number generation technique is a linear feedback shift register
! 70: * approach, employing trinomials (since there are fewer terms to sum up that
! 71: * way). In this approach, the least significant bit of all the numbers in
! 72: * the state table will act as a linear feedback shift register, and will
! 73: * have period 2^deg - 1 (where deg is the degree of the polynomial being
! 74: * used, assuming that the polynomial is irreducible and primitive). The
! 75: * higher order bits will have longer periods, since their values are also
! 76: * influenced by pseudo-random carries out of the lower bits. The total
! 77: * period of the generator is approximately deg*(2**deg - 1); thus doubling
! 78: * the amount of state information has a vast influence on the period of the
! 79: * generator. Note: the deg*(2**deg - 1) is an approximation only good for
! 80: * large deg, when the period of the shift register is the dominant factor.
! 81: * With deg equal to seven, the period is actually much longer than the
! 82: * 7*(2**7 - 1) predicted by this formula.
! 83: */
! 84:
! 85: /*
! 86: * For each of the currently supported random number generators, we have a
! 87: * break value on the amount of state information (you need at least this
! 88: * many bytes of state info to support this random number generator), a degree
! 89: * for the polynomial (actually a trinomial) that the R.N.G. is based on, and
! 90: * the separation between the two lower order coefficients of the trinomial.
! 91: */
! 92: #define TYPE_0 0 /* linear congruential */
! 93: #define BREAK_0 8
! 94: #define DEG_0 0
! 95: #define SEP_0 0
! 96:
! 97: #define TYPE_1 1 /* x**7 + x**3 + 1 */
! 98: #define BREAK_1 32
! 99: #define DEG_1 7
! 100: #define SEP_1 3
! 101:
! 102: #define TYPE_2 2 /* x**15 + x + 1 */
! 103: #define BREAK_2 64
! 104: #define DEG_2 15
! 105: #define SEP_2 1
! 106:
! 107: #define TYPE_3 3 /* x**31 + x**3 + 1 */
! 108: #define BREAK_3 128
! 109: #define DEG_3 31
! 110: #define SEP_3 3
! 111:
! 112: #define TYPE_4 4 /* x**63 + x + 1 */
! 113: #define BREAK_4 256
! 114: #define DEG_4 63
! 115: #define SEP_4 1
! 116:
! 117: /*
! 118: * Array versions of the above information to make code run faster --
! 119: * relies on fact that TYPE_i == i.
! 120: */
! 121: #define MAX_TYPES 5 /* max number of types above */
! 122:
! 123: static int degrees[MAX_TYPES] = { DEG_0, DEG_1, DEG_2, DEG_3, DEG_4 };
! 124: static int seps [MAX_TYPES] = { SEP_0, SEP_1, SEP_2, SEP_3, SEP_4 };
! 125:
! 126: /*
! 127: * Initially, everything is set up as if from:
! 128: *
! 129: * initstate(1, &randtbl, 128);
! 130: *
! 131: * Note that this initialization takes advantage of the fact that srandom()
! 132: * advances the front and rear pointers 10*rand_deg times, and hence the
! 133: * rear pointer which starts at 0 will also end up at zero; thus the zeroeth
! 134: * element of the state information, which contains info about the current
! 135: * position of the rear pointer is just
! 136: *
! 137: * MAX_TYPES * (rptr - state) + TYPE_3 == TYPE_3.
! 138: */
! 139:
! 140: static long randtbl[DEG_3 + 1] = {
! 141: TYPE_3,
! 142: 0x9a319039, 0x32d9c024, 0x9b663182, 0x5da1f342, 0xde3b81e0, 0xdf0a6fb5,
! 143: 0xf103bc02, 0x48f340fb, 0x7449e56b, 0xbeb1dbb0, 0xab5c5918, 0x946554fd,
! 144: 0x8c2e680f, 0xeb3d799f, 0xb11ee0b7, 0x2d436b86, 0xda672e2a, 0x1588ca88,
! 145: 0xe369735d, 0x904f35f7, 0xd7158fd6, 0x6fa6f051, 0x616e6b96, 0xac94efdc,
! 146: 0x36413f93, 0xc622c298, 0xf5a42ab8, 0x8a88d77b, 0xf5ad9d0e, 0x8999220b,
! 147: 0x27fb47b9,
! 148: };
! 149:
! 150: /*
! 151: * fptr and rptr are two pointers into the state info, a front and a rear
! 152: * pointer. These two pointers are always rand_sep places aparts, as they
! 153: * cycle cyclically through the state information. (Yes, this does mean we
! 154: * could get away with just one pointer, but the code for random() is more
! 155: * efficient this way). The pointers are left positioned as they would be
! 156: * from the call
! 157: *
! 158: * initstate(1, randtbl, 128);
! 159: *
! 160: * (The position of the rear pointer, rptr, is really 0 (as explained above
! 161: * in the initialization of randtbl) because the state table pointer is set
! 162: * to point to randtbl[1] (as explained below).
! 163: */
! 164: static long *fptr = &randtbl[SEP_3 + 1];
! 165: static long *rptr = &randtbl[1];
! 166:
! 167: /*
! 168: * The following things are the pointer to the state information table, the
! 169: * type of the current generator, the degree of the current polynomial being
! 170: * used, and the separation between the two pointers. Note that for efficiency
! 171: * of random(), we remember the first location of the state information, not
! 172: * the zeroeth. Hence it is valid to access state[-1], which is used to
! 173: * store the type of the R.N.G. Also, we remember the last location, since
! 174: * this is more efficient than indexing every time to find the address of
! 175: * the last element to see if the front and rear pointers have wrapped.
! 176: */
! 177: static long *state = &randtbl[1];
! 178: static int rand_type = TYPE_3;
! 179: static int rand_deg = DEG_3;
! 180: static int rand_sep = SEP_3;
! 181: static long *end_ptr = &randtbl[DEG_3 + 1];
! 182:
! 183: long random();
! 184:
! 185: /*
! 186: * srandom:
! 187: *
! 188: * Initialize the random number generator based on the given seed. If the
! 189: * type is the trivial no-state-information type, just remember the seed.
! 190: * Otherwise, initializes state[] based on the given "seed" via a linear
! 191: * congruential generator. Then, the pointers are set to known locations
! 192: * that are exactly rand_sep places apart. Lastly, it cycles the state
! 193: * information a given number of times to get rid of any initial dependencies
! 194: * introduced by the L.C.R.N.G. Note that the initialization of randtbl[]
! 195: * for default usage relies on values produced by this routine.
! 196: */
! 197: void
! 198: srandom(x)
! 199: u_int x;
! 200: {
! 201: register int i, j;
! 202:
! 203: if (rand_type == TYPE_0)
! 204: state[0] = x;
! 205: else {
! 206: j = 1;
! 207: state[0] = x;
! 208: for (i = 1; i < rand_deg; i++)
! 209: state[i] = 1103515245 * state[i - 1] + 12345;
! 210: fptr = &state[rand_sep];
! 211: rptr = &state[0];
! 212: for (i = 0; i < 10 * rand_deg; i++)
! 213: (void)random();
! 214: }
! 215: }
! 216:
! 217: /*
! 218: * initstate:
! 219: *
! 220: * Initialize the state information in the given array of n bytes for future
! 221: * random number generation. Based on the number of bytes we are given, and
! 222: * the break values for the different R.N.G.'s, we choose the best (largest)
! 223: * one we can and set things up for it. srandom() is then called to
! 224: * initialize the state information.
! 225: *
! 226: * Note that on return from srandom(), we set state[-1] to be the type
! 227: * multiplexed with the current value of the rear pointer; this is so
! 228: * successive calls to initstate() won't lose this information and will be
! 229: * able to restart with setstate().
! 230: *
! 231: * Note: the first thing we do is save the current state, if any, just like
! 232: * setstate() so that it doesn't matter when initstate is called.
! 233: *
! 234: * Returns a pointer to the old state.
! 235: */
! 236: char *
! 237: initstate(seed, arg_state, n)
! 238: u_int seed; /* seed for R.N.G. */
! 239: char *arg_state; /* pointer to state array */
! 240: int n; /* # bytes of state info */
! 241: {
! 242: register char *ostate = (char *)(&state[-1]);
! 243:
! 244: if (rand_type == TYPE_0)
! 245: state[-1] = rand_type;
! 246: else
! 247: state[-1] = MAX_TYPES * (rptr - state) + rand_type;
! 248: if (n < BREAK_0) {
! 249: (void)fprintf(stderr,
! 250: "random: not enough state (%d bytes); ignored.\n", n);
! 251: return(0);
! 252: }
! 253: if (n < BREAK_1) {
! 254: rand_type = TYPE_0;
! 255: rand_deg = DEG_0;
! 256: rand_sep = SEP_0;
! 257: } else if (n < BREAK_2) {
! 258: rand_type = TYPE_1;
! 259: rand_deg = DEG_1;
! 260: rand_sep = SEP_1;
! 261: } else if (n < BREAK_3) {
! 262: rand_type = TYPE_2;
! 263: rand_deg = DEG_2;
! 264: rand_sep = SEP_2;
! 265: } else if (n < BREAK_4) {
! 266: rand_type = TYPE_3;
! 267: rand_deg = DEG_3;
! 268: rand_sep = SEP_3;
! 269: } else {
! 270: rand_type = TYPE_4;
! 271: rand_deg = DEG_4;
! 272: rand_sep = SEP_4;
! 273: }
! 274: state = &(((long *)arg_state)[1]); /* first location */
! 275: end_ptr = &state[rand_deg]; /* must set end_ptr before srandom */
! 276: srandom(seed);
! 277: if (rand_type == TYPE_0)
! 278: state[-1] = rand_type;
! 279: else
! 280: state[-1] = MAX_TYPES*(rptr - state) + rand_type;
! 281: return(ostate);
! 282: }
! 283:
! 284: /*
! 285: * setstate:
! 286: *
! 287: * Restore the state from the given state array.
! 288: *
! 289: * Note: it is important that we also remember the locations of the pointers
! 290: * in the current state information, and restore the locations of the pointers
! 291: * from the old state information. This is done by multiplexing the pointer
! 292: * location into the zeroeth word of the state information.
! 293: *
! 294: * Note that due to the order in which things are done, it is OK to call
! 295: * setstate() with the same state as the current state.
! 296: *
! 297: * Returns a pointer to the old state information.
! 298: */
! 299: char *
! 300: setstate(arg_state)
! 301: char *arg_state;
! 302: {
! 303: register long *new_state = (long *)arg_state;
! 304: register int type = new_state[0] % MAX_TYPES;
! 305: register int rear = new_state[0] / MAX_TYPES;
! 306: char *ostate = (char *)(&state[-1]);
! 307:
! 308: if (rand_type == TYPE_0)
! 309: state[-1] = rand_type;
! 310: else
! 311: state[-1] = MAX_TYPES * (rptr - state) + rand_type;
! 312: switch(type) {
! 313: case TYPE_0:
! 314: case TYPE_1:
! 315: case TYPE_2:
! 316: case TYPE_3:
! 317: case TYPE_4:
! 318: rand_type = type;
! 319: rand_deg = degrees[type];
! 320: rand_sep = seps[type];
! 321: break;
! 322: default:
! 323: (void)fprintf(stderr,
! 324: "random: state info corrupted; not changed.\n");
! 325: }
! 326: state = &new_state[1];
! 327: if (rand_type != TYPE_0) {
! 328: rptr = &state[rear];
! 329: fptr = &state[(rear + rand_sep) % rand_deg];
! 330: }
! 331: end_ptr = &state[rand_deg]; /* set end_ptr too */
! 332: return(ostate);
! 333: }
! 334:
! 335: /*
! 336: * random:
! 337: *
! 338: * If we are using the trivial TYPE_0 R.N.G., just do the old linear
! 339: * congruential bit. Otherwise, we do our fancy trinomial stuff, which is
! 340: * the same in all the other cases due to all the global variables that have
! 341: * been set up. The basic operation is to add the number at the rear pointer
! 342: * into the one at the front pointer. Then both pointers are advanced to
! 343: * the next location cyclically in the table. The value returned is the sum
! 344: * generated, reduced to 31 bits by throwing away the "least random" low bit.
! 345: *
! 346: * Note: the code takes advantage of the fact that both the front and
! 347: * rear pointers can't wrap on the same call by not testing the rear
! 348: * pointer if the front one has wrapped.
! 349: *
! 350: * Returns a 31-bit random number.
! 351: */
! 352: long
! 353: random()
! 354: {
! 355: long i;
! 356:
! 357: if (rand_type == TYPE_0)
! 358: i = state[0] = (state[0] * 1103515245 + 12345) & 0x7fffffff;
! 359: else {
! 360: *fptr += *rptr;
! 361: i = (*fptr >> 1) & 0x7fffffff; /* chucking least random bit */
! 362: if (++fptr >= end_ptr) {
! 363: fptr = state;
! 364: ++rptr;
! 365: } else if (++rptr >= end_ptr)
! 366: rptr = state;
! 367: }
! 368: return(i);
! 369: }
! 370: