1 /* SPDX-License-Identifier: GPL-2.0 */
3 * include/linux/prandom.h
5 * Include file for the fast pseudo-random 32-bit
8 #ifndef _LINUX_PRANDOM_H
9 #define _LINUX_PRANDOM_H
11 #include <linux/types.h>
12 #include <linux/percpu.h>
14 u32 prandom_u32(void);
15 void prandom_bytes(void *buf, size_t nbytes);
16 void prandom_seed(u32 seed);
17 void prandom_reseed_late(void);
19 DECLARE_PER_CPU(unsigned long, net_rand_noise);
21 #define PRANDOM_ADD_NOISE(a, b, c, d) \
22 prandom_u32_add_noise((unsigned long)(a), (unsigned long)(b), \
23 (unsigned long)(c), (unsigned long)(d))
25 #if BITS_PER_LONG == 64
27 * The core SipHash round function. Each line can be executed in
28 * parallel given enough CPU resources.
30 #define PRND_SIPROUND(v0, v1, v2, v3) ( \
31 v0 += v1, v1 = rol64(v1, 13), v2 += v3, v3 = rol64(v3, 16), \
32 v1 ^= v0, v0 = rol64(v0, 32), v3 ^= v2, \
33 v0 += v3, v3 = rol64(v3, 21), v2 += v1, v1 = rol64(v1, 17), \
34 v3 ^= v0, v1 ^= v2, v2 = rol64(v2, 32) \
37 #define PRND_K0 (0x736f6d6570736575 ^ 0x6c7967656e657261)
38 #define PRND_K1 (0x646f72616e646f6d ^ 0x7465646279746573)
40 #elif BITS_PER_LONG == 32
42 * On 32-bit machines, we use HSipHash, a reduced-width version of SipHash.
43 * This is weaker, but 32-bit machines are not used for high-traffic
44 * applications, so there is less output for an attacker to analyze.
46 #define PRND_SIPROUND(v0, v1, v2, v3) ( \
47 v0 += v1, v1 = rol32(v1, 5), v2 += v3, v3 = rol32(v3, 8), \
48 v1 ^= v0, v0 = rol32(v0, 16), v3 ^= v2, \
49 v0 += v3, v3 = rol32(v3, 7), v2 += v1, v1 = rol32(v1, 13), \
50 v3 ^= v0, v1 ^= v2, v2 = rol32(v2, 16) \
52 #define PRND_K0 0x6c796765
53 #define PRND_K1 0x74656462
56 #error Unsupported BITS_PER_LONG
59 static inline void prandom_u32_add_noise(unsigned long a, unsigned long b,
60 unsigned long c, unsigned long d)
63 * This is not used cryptographically; it's just
64 * a convenient 4-word hash function. (3 xor, 2 add, 2 rol)
66 a ^= raw_cpu_read(net_rand_noise);
67 PRND_SIPROUND(a, b, c, d);
68 raw_cpu_write(net_rand_noise, d);
75 u32 prandom_u32_state(struct rnd_state *state);
76 void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes);
77 void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state);
79 #define prandom_init_once(pcpu_state) \
80 DO_ONCE(prandom_seed_full_state, (pcpu_state))
83 * prandom_u32_max - returns a pseudo-random number in interval [0, ep_ro)
84 * @ep_ro: right open interval endpoint
86 * Returns a pseudo-random number that is in interval [0, ep_ro). Note
87 * that the result depends on PRNG being well distributed in [0, ~0U]
88 * u32 space. Here we use maximally equidistributed combined Tausworthe
89 * generator, that is, prandom_u32(). This is useful when requesting a
90 * random index of an array containing ep_ro elements, for example.
92 * Returns: pseudo-random number in interval [0, ep_ro)
94 static inline u32 prandom_u32_max(u32 ep_ro)
96 return (u32)(((u64) prandom_u32() * ep_ro) >> 32);
100 * Handle minimum values for seeds
102 static inline u32 __seed(u32 x, u32 m)
104 return (x < m) ? x + m : x;
108 * prandom_seed_state - set seed for prandom_u32_state().
109 * @state: pointer to state structure to receive the seed.
110 * @seed: arbitrary 64-bit value to use as a seed.
112 static inline void prandom_seed_state(struct rnd_state *state, u64 seed)
114 u32 i = ((seed >> 32) ^ (seed << 10) ^ seed) & 0xffffffffUL;
116 state->s1 = __seed(i, 2U);
117 state->s2 = __seed(i, 8U);
118 state->s3 = __seed(i, 16U);
119 state->s4 = __seed(i, 128U);
120 PRANDOM_ADD_NOISE(state, i, 0, 0);
123 /* Pseudo random number generator from numerical recipes. */
124 static inline u32 next_pseudo_random32(u32 seed)
126 return seed * 1664525 + 1013904223;