--- pgp/src/randpool.c	2018/04/24 16:41:03	1.1
+++ pgp/src/randpool.c	2018/04/24 16:45:30	1.1.1.4
@@ -1,7 +1,7 @@
 /*
  * True random number computation and storage
  *
- * (c) Copyright 1990-1994 by Philip Zimmermann.  All rights reserved.
+ * (c) Copyright 1990-1996 by Philip Zimmermann.  All rights reserved.
  * The author assumes no liability for damages resulting from the use
  * of this software, even if the damage results from defects in this
  * software.  No warranty is expressed or implied.
@@ -21,96 +21,171 @@
  * Written by Colin Plumb.
  */
 #include <stdlib.h>
+#include <string.h>
 
 #include "randpool.h"
 #include "usuals.h"
 #include "md5.h"
+#ifdef MACTC5
+#include "TimeManager.h"
+#endif
 
 /* The pool must be a multiple of the 16-byte (128-bit) MD5 block size */
-#define RANDPOOLBYTES ((RANDPOOLBITS+127 & ~127) >> 3)
-#if RANDPOOLBYTES <= 64
-#error Random pool too small - please increase RANDPOOLBITS in randpool.h
+#define RANDPOOLWORDS ((RANDPOOLBITS+127 & ~127) >> 5)
+#if RANDPOOLWORDS <= 16
+/* #error is not portable, this has the same effect */
+#include "Random pool too small - please increase RANDPOOLBITS in randpool.h"
 #endif
 
-static byte randPool[RANDPOOLBYTES];	/* Random pool */
-static unsigned randPoolGetPos = 0;	/* Current position to get from */
-static unsigned randPoolAddPos = 0;	/* Current position to add to */
-
-static byte randPoolKey[64];
+/* Must be word-aligned, so make it words.  Cast to bytes as needed. */
+static word32 randPool[RANDPOOLWORDS];	/* Random pool */
+static unsigned randPoolGetPos = sizeof(randPool); /* Position to get from */
+static unsigned randPoolAddPos = 0;	/* Position to add to */
 
 static void
 xorbytes(byte *dest, byte const *src, unsigned len)
 {
 	while (len--)
-		*dest++ = *src++;
+		*dest++ ^= *src++;
 }
 
 /*
  * Destroys already-used random numbers.  Ensures no sensitive data
  * remains in memory that can be recovered later.  This is also
- * called to "stir in" newly acquired environmental noise bits.
- * These noise bits are placed in the trueRandKey.
+ * called to "stir in" newly acquired environmental noise bits before
+ * removing any random bytes.
  *
- * The transformation is carried out by "encrypting" the data in CBC
- * mode with MD5 as the block cipher.  This is not invertible, but that
- * is just fine for these purposes.
- *
- * Then, to make doubly certain the stirring operation is strictly one-way,
- * we destroy the key.  This is done by reinitializing it from the pool,
- * copying the first 64 bytes of the pool over the key.  These bytes are
- * not returned by randPoolGetBytes().
+ * The transformation is carried out by "encrypting" the data in CFB
+ * mode with MD5 as the block cipher.  Then, to make certain the stirring
+ * operation is strictly one-way, we destroy the key, getting 64 bytes
+ * from the beginning of the pool and using them to reinitialize the
+ * key.  These bytes are not returned by randPoolGetBytes().
+ *
+ * The stirring operation is done twice, to ensure that each bit in the
+ * pool depends on each bit of entropy XORed in after each call to
+ * randPoolStir().
+ *
+ * To make this useful for pseudo-random (that is, repeatable) operations,
+ * the MD5 transformation is always done with a consistent byte order.
+ * MD5Transform itself works with 32-bit words, not bytes, so the pool,
+ * usually an array of bytes, is transformed into an array of 32-bit words,
+ * taking each group of 4 bytes in big-endian order.  At the end of the
+ * stirring, the transformation is reversed.
  */
 void
 randPoolStir(void)
 {
 	int i;
+	byte *p;
+	word32 t;
+	word32 iv[4];
+	static word32 randPoolKey[16] = {0};
+
+	/* Convert to word32s for stirring operation */
+	p = (byte *)randPool;
+	for (i = 0; i < RANDPOOLWORDS; i++) {
+		t = (word32)((unsigned)p[3]<<8 | p[2]) << 16 |
+		             (unsigned)p[1]<<8 | p[0];
+		randPool[i] = t;
+		p += 4;
+	}
+
+	/* Start IV from last block of randPool */
+	memcpy(iv, randPool+RANDPOOLWORDS-4, sizeof(iv));
+
+	/* First CFB pass */
+	for (i = 0; i < RANDPOOLWORDS; i += 4) {
+		MD5Transform(iv, randPoolKey);
+		iv[0] = randPool[i  ] ^= iv[0];
+		iv[1] = randPool[i+1] ^= iv[1];
+		iv[2] = randPool[i+2] ^= iv[2];
+		iv[3] = randPool[i+3] ^= iv[3];
+	}
+
+	/* Get new key */
+	memcpy(randPoolKey, randPool, sizeof(randPoolKey));
 
-	xorbytes(randPool, randPool+sizeof(randPool)-16, 16);
-	MD5Transform((word32 *)randPool, (word32 *)randPoolKey);
-	for(i = 16; i < sizeof(randPool); i += 16) {
-		xorbytes(randPool+i, randPool+i-16, 16);
-		MD5Transform((word32 *)(randPool+i), (word32 *)randPoolKey);
+	/* Second CFB pass */
+	for (i = 0; i < RANDPOOLWORDS; i += 4) {
+		MD5Transform(iv, randPoolKey);
+		iv[0] = randPool[i  ] ^= iv[0];
+		iv[1] = randPool[i+1] ^= iv[1];
+		iv[2] = randPool[i+2] ^= iv[2];
+		iv[3] = randPool[i+3] ^= iv[3];
 	}
 
+	/* Get new key */
 	memcpy(randPoolKey, randPool, sizeof(randPoolKey));
 
+	/* Wipe iv from memory */
+	memset(iv, 0, sizeof(iv));
+
+	/* Convert randPool back to bytes for further use */
+	p = (byte *)randPool;
+	for (i = 0; i < RANDPOOLWORDS; i++) {
+		t = randPool[i];
+		p[0] = t>>24;
+		p[1] = t>>16;
+		p[2] = t>>8;
+		p[3] = t;
+		p += 4;
+	}
+
+	/* Set up pointers for future addition or removal of random bytes */
 	randPoolAddPos = 0;
 	randPoolGetPos = sizeof(randPoolKey);
+#ifdef MACTC5
+	spinner();
+#endif
 }
 
+/*
+ * Make a deposit of information (entropy) into the pool.  The bits
+ * deposited need not have any particular distribution; the stirring
+ * operation transformes them to uniformly-distributed bits.
+ */
 void
 randPoolAddBytes(byte const *buf, unsigned len)
 {
 	unsigned t;
 
 	while (len > (t = sizeof(randPool) - randPoolAddPos)) {
-		xorbytes(randPool+randPoolAddPos, buf, t);
+		xorbytes((byte *)randPool+randPoolAddPos, buf, t);
 		buf += t;
 		len -= t;
 		randPoolStir();
 	}
 
 	if (len) {
-		xorbytes(randPool+randPoolAddPos, buf, len);
+		xorbytes((byte *)randPool+randPoolAddPos, buf, len);
 		randPoolAddPos += len;
-		randPoolGetPos = sizeof(randPool);
+		randPoolGetPos = sizeof(randPool); /* Force stir on get */
 	}
 }
 
+/*
+ * Withdraw some bits from the pool.  Regardless of the distribution of the
+ * input bits, the bits returned are uniformly distributed, although they
+ * cannot, of course, contain more Shannon entropy than the input bits.
+ */
 void
 randPoolGetBytes(byte *buf, unsigned len)
 {
 	unsigned t;
 
 	while (len > (t = sizeof(randPool) - randPoolGetPos)) {
-		memcpy(buf, randPool+randPoolGetPos, t);
+		memcpy(buf, (byte *)randPool+randPoolGetPos, t);
 		buf += t;
 		len -= t;
 		randPoolStir();
 	}
 
+#ifdef MACTC5
+	spinner();
+#endif
+
 	if (len) {
-		memcpy(buf, randPool+randPoolGetPos, len);
+		memcpy(buf, (byte *)randPool+randPoolGetPos, len);
 		randPoolGetPos += len;
 	}
 }
@@ -121,5 +196,9 @@ randPoolGetByte(void)
 	if (randPoolGetPos == sizeof(randPool))
 		randPoolStir();
 
-	return randPool[randPoolGetPos++];
+#ifdef MACTC5
+	spinner();
+#endif
+
+	return (((byte *)randPool)[randPoolGetPos++]);
 }