1 /*- 2 * Copyright (c) 2000-2015 Mark R V Murray 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer 10 * in this position and unchanged. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 * 26 */ 27 28 #include <sys/cdefs.h> 29 #ifdef _KERNEL 30 #include <sys/param.h> 31 #include <sys/malloc.h> 32 #include <sys/random.h> 33 #include <sys/sysctl.h> 34 #include <sys/systm.h> 35 #else /* !_KERNEL */ 36 #include <sys/param.h> 37 #include <sys/types.h> 38 #include <assert.h> 39 #include <inttypes.h> 40 #include <signal.h> 41 #include <stdbool.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 #include <threads.h> 46 #define KASSERT(x, y) assert(x) 47 #define CTASSERT(x) _Static_assert(x, "CTASSERT " #x) 48 #endif /* _KERNEL */ 49 50 #define CHACHA_EMBED 51 #define KEYSTREAM_ONLY 52 #define CHACHA_NONCE0_CTR128 53 #include <crypto/chacha20/chacha.c> 54 #include <crypto/rijndael/rijndael-api-fst.h> 55 #include <crypto/sha2/sha256.h> 56 57 #include <dev/random/hash.h> 58 #ifdef _KERNEL 59 #include <dev/random/randomdev.h> 60 #endif 61 62 /* This code presumes that RANDOM_KEYSIZE is twice as large as RANDOM_BLOCKSIZE */ 63 CTASSERT(RANDOM_KEYSIZE == 2*RANDOM_BLOCKSIZE); 64 65 /* Validate that full Chacha IV is as large as the 128-bit counter */ 66 _Static_assert(CHACHA_STATELEN == RANDOM_BLOCKSIZE, ""); 67 68 /* 69 * Knob to control use of Chacha20-based PRF for Fortuna keystream primitive. 70 * 71 * Benefits include somewhat faster keystream generation compared with 72 * unaccelerated AES-ICM; reseeding is much cheaper than computing AES key 73 * schedules. 74 */ 75 bool random_chachamode __read_frequently = true; 76 #ifdef _KERNEL 77 SYSCTL_BOOL(_kern_random, OID_AUTO, use_chacha20_cipher, CTLFLAG_RDTUN, 78 &random_chachamode, 0, 79 "If non-zero, use the ChaCha20 cipher for randomdev PRF (default). " 80 "If zero, use AES-ICM cipher for randomdev PRF (12.x default)."); 81 #endif 82 83 /* Initialise the hash */ 84 void 85 randomdev_hash_init(struct randomdev_hash *context) 86 { 87 88 SHA256_Init(&context->sha); 89 } 90 91 /* Iterate the hash */ 92 void 93 randomdev_hash_iterate(struct randomdev_hash *context, const void *data, size_t size) 94 { 95 96 SHA256_Update(&context->sha, data, size); 97 } 98 99 /* Conclude by returning the hash in the supplied <*buf> which must be 100 * RANDOM_KEYSIZE bytes long. 101 */ 102 void 103 randomdev_hash_finish(struct randomdev_hash *context, void *buf) 104 { 105 106 SHA256_Final(buf, &context->sha); 107 } 108 109 /* Initialise the encryption routine by setting up the key schedule 110 * from the supplied <*data> which must be RANDOM_KEYSIZE bytes of binary 111 * data. 112 */ 113 void 114 randomdev_encrypt_init(union randomdev_key *context, const void *data) 115 { 116 117 if (random_chachamode) { 118 chacha_keysetup(&context->chacha, data, RANDOM_KEYSIZE * 8); 119 } else { 120 rijndael_cipherInit(&context->cipher, MODE_ECB, NULL); 121 rijndael_makeKey(&context->key, DIR_ENCRYPT, RANDOM_KEYSIZE*8, data); 122 } 123 } 124 125 /* 126 * Create a pseudorandom output stream of 'bytecount' bytes using a CTR-mode 127 * cipher or similar. The 128-bit counter is supplied in the in-out parameter 128 * 'ctr.' The output stream goes to 'd_out.' 129 * 130 * If AES is used, 'bytecount' is guaranteed to be a multiple of 131 * RANDOM_BLOCKSIZE. 132 */ 133 void 134 randomdev_keystream(union randomdev_key *context, uint128_t *ctr, 135 void *d_out, size_t bytecount) 136 { 137 size_t i, blockcount, read_chunk; 138 139 if (random_chachamode) { 140 uint128_t lectr; 141 142 /* 143 * Chacha always encodes and increments the counter little 144 * endian. So on BE machines, we must provide a swapped 145 * counter to chacha, and swap the output too. 146 */ 147 le128enc(&lectr, *ctr); 148 149 chacha_ivsetup(&context->chacha, NULL, (const void *)&lectr); 150 while (bytecount > 0) { 151 /* 152 * We are limited by the chacha_encrypt_bytes API to 153 * u32 bytes per chunk. 154 */ 155 read_chunk = MIN(bytecount, 156 rounddown((size_t)UINT32_MAX, CHACHA_BLOCKLEN)); 157 158 chacha_encrypt_bytes(&context->chacha, NULL, d_out, 159 read_chunk); 160 161 d_out = (char *)d_out + read_chunk; 162 bytecount -= read_chunk; 163 } 164 165 /* 166 * Decode Chacha-updated LE counter to native endian and store 167 * it back in the caller's in-out parameter. 168 */ 169 chacha_ctrsave(&context->chacha, (void *)&lectr); 170 *ctr = le128dec(&lectr); 171 172 explicit_bzero(&lectr, sizeof(lectr)); 173 } else { 174 KASSERT(bytecount % RANDOM_BLOCKSIZE == 0, 175 ("%s: AES mode invalid bytecount, not a multiple of native " 176 "block size", __func__)); 177 178 blockcount = bytecount / RANDOM_BLOCKSIZE; 179 for (i = 0; i < blockcount; i++) { 180 /*- 181 * FS&K - r = r|E(K,C) 182 * - C = C + 1 183 */ 184 rijndael_blockEncrypt(&context->cipher, &context->key, 185 (void *)ctr, RANDOM_BLOCKSIZE * 8, d_out); 186 d_out = (char *)d_out + RANDOM_BLOCKSIZE; 187 uint128_increment(ctr); 188 } 189 } 190 } 191 192 /* 193 * Fetch a pointer to the relevant key material and its size. 194 * 195 * This API is expected to only be used only for reseeding, where the 196 * endianness does not matter; the goal is to simply incorporate the key 197 * material into the hash iterator that will produce key'. 198 * 199 * Do not expect the buffer pointed to by this API to match the exact 200 * endianness, etc, as the key material that was supplied to 201 * randomdev_encrypt_init(). 202 */ 203 void 204 randomdev_getkey(union randomdev_key *context, const void **keyp, size_t *szp) 205 { 206 207 if (!random_chachamode) { 208 *keyp = &context->key.keyMaterial; 209 *szp = context->key.keyLen / 8; 210 return; 211 } 212 213 /* Chacha20 mode */ 214 *keyp = (const void *)&context->chacha.input[4]; 215 216 /* Sanity check keysize */ 217 if (context->chacha.input[0] == U8TO32_LITTLE(sigma) && 218 context->chacha.input[1] == U8TO32_LITTLE(&sigma[4]) && 219 context->chacha.input[2] == U8TO32_LITTLE(&sigma[8]) && 220 context->chacha.input[3] == U8TO32_LITTLE(&sigma[12])) { 221 *szp = 32; 222 return; 223 } 224 225 #if 0 226 /* 227 * Included for the sake of completeness; as-implemented, Fortuna 228 * doesn't need or use 128-bit Chacha20. 229 */ 230 if (context->chacha->input[0] == U8TO32_LITTLE(tau) && 231 context->chacha->input[1] == U8TO32_LITTLE(&tau[4]) && 232 context->chacha->input[2] == U8TO32_LITTLE(&tau[8]) && 233 context->chacha->input[3] == U8TO32_LITTLE(&tau[12])) { 234 *szp = 16; 235 return; 236 } 237 #endif 238 239 #ifdef _KERNEL 240 panic("%s: Invalid chacha20 keysize: %16D\n", __func__, 241 (void *)context->chacha.input, " "); 242 #else 243 raise(SIGKILL); 244 #endif 245 } 246