1 /* $OpenBSD: rnd.c,v 1.184 2016/09/03 11:40:54 kettenis Exp $ */ 2 3 /* 4 * Copyright (c) 2011 Theo de Raadt. 5 * Copyright (c) 2008 Damien Miller. 6 * Copyright (c) 1996, 1997, 2000-2002 Michael Shalayeff. 7 * Copyright (c) 2013 Markus Friedl. 8 * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. 9 * All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, and the entire permission notice in its entirety, 16 * including the disclaimer of warranties. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 3. The name of the author may not be used to endorse or promote 21 * products derived from this software without specific prior 22 * written permission. 23 * 24 * ALTERNATIVELY, this product may be distributed under the terms of 25 * the GNU Public License, in which case the provisions of the GPL are 26 * required INSTEAD OF the above restrictions. (This clause is 27 * necessary due to a potential bad interaction between the GPL and 28 * the restrictions contained in a BSD-style copyright.) 29 * 30 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 31 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 33 * DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, 34 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 35 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 36 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 37 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 38 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 39 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 40 * OF THE POSSIBILITY OF SUCH DAMAGE. 41 */ 42 43 /* 44 * Computers are very predictable devices. Hence it is extremely hard 45 * to produce truly random numbers on a computer --- as opposed to 46 * pseudo-random numbers, which can be easily generated by using an 47 * algorithm. Unfortunately, it is very easy for attackers to guess 48 * the sequence of pseudo-random number generators, and for some 49 * applications this is not acceptable. Instead, we must try to 50 * gather "environmental noise" from the computer's environment, which 51 * must be hard for outside attackers to observe and use to 52 * generate random numbers. In a Unix environment, this is best done 53 * from inside the kernel. 54 * 55 * Sources of randomness from the environment include inter-keyboard 56 * timings, inter-interrupt timings from some interrupts, and other 57 * events which are both (a) non-deterministic and (b) hard for an 58 * outside observer to measure. Randomness from these sources is 59 * added to the "rnd states" queue; this is used as much of the 60 * source material which is mixed on occasion using a CRC-like function 61 * into the "entropy pool". This is not cryptographically strong, but 62 * it is adequate assuming the randomness is not chosen maliciously, 63 * and it is very fast because the interrupt-time event is only to add 64 * a small random token to the "rnd states" queue. 
65 * 66 * When random bytes are desired, they are obtained by pulling from 67 * the entropy pool and running a SHA512 hash. The SHA512 hash avoids 68 * exposing the internal state of the entropy pool. Even if it is 69 * possible to analyze SHA512 in some clever way, as long as the amount 70 * of data returned from the generator is less than the inherent 71 * entropy in the pool, the output data is totally unpredictable. For 72 * this reason, the routine decreases its internal estimate of how many 73 * bits of "true randomness" are contained in the entropy pool as it 74 * outputs random numbers. 75 * 76 * If this estimate goes to zero, the SHA512 hash will continue to generate 77 * output since there is no true risk because the SHA512 output is not 78 * exported outside this subsystem. It is next used as input to seed a 79 * ChaCha20 stream cipher, which is re-seeded from time to time. This 80 * design provides very high amounts of output data from a potentially 81 * small entropy base, at high enough speeds to encourage use of random 82 * numbers in nearly any situation. Before OpenBSD 5.5, the RC4 stream 83 * cipher (also known as ARC4) was used instead of ChaCha20. 84 * 85 * The output of this single ChaCha20 engine is then shared amongst many 86 * consumers in the kernel and userland via a few interfaces: 87 * arc4random_buf(), arc4random(), arc4random_uniform(), randomread() 88 * for the set of /dev/random nodes, the sysctl kern.arandom, and the 89 * system call getentropy(), which provides seeds for process-context 90 * pseudorandom generators. 91 * 92 * Acknowledgements: 93 * ================= 94 * 95 * Ideas for constructing this random number generator were derived 96 * from Pretty Good Privacy's random number generator, and from private 97 * discussions with Phil Karn. Colin Plumb provided a faster random 98 * number generator, which speeds up the mixing function of the entropy 99 * pool, taken from PGPfone. 
Dale Worley has also contributed many 100 * useful ideas and suggestions to improve this driver. 101 * 102 * Any flaws in the design are solely my responsibility, and should 103 * not be attributed to the Phil, Colin, or any of the authors of PGP. 104 * 105 * Further background information on this topic may be obtained from 106 * RFC 1750, "Randomness Recommendations for Security", by Donald 107 * Eastlake, Steve Crocker, and Jeff Schiller. 108 * 109 * Using a RC4 stream cipher as 2nd stage after the MD5 (now SHA512) output 110 * is the result of work by David Mazieres. 111 */ 112 113 #include <sys/param.h> 114 #include <sys/systm.h> 115 #include <sys/disk.h> 116 #include <sys/event.h> 117 #include <sys/limits.h> 118 #include <sys/time.h> 119 #include <sys/ioctl.h> 120 #include <sys/malloc.h> 121 #include <sys/fcntl.h> 122 #include <sys/timeout.h> 123 #include <sys/mutex.h> 124 #include <sys/task.h> 125 #include <sys/msgbuf.h> 126 #include <sys/mount.h> 127 #include <sys/syscallargs.h> 128 129 #include <crypto/sha2.h> 130 131 #define KEYSTREAM_ONLY 132 #include <crypto/chacha_private.h> 133 134 #include <dev/rndvar.h> 135 136 #include <uvm/uvm_param.h> 137 #include <uvm/uvm_extern.h> 138 139 /* 140 * For the purposes of better mixing, we use the CRC-32 polynomial as 141 * well to make a twisted Generalized Feedback Shift Register 142 * 143 * (See M. Matsumoto & Y. Kurita, 1992. Twisted GFSR generators. ACM 144 * Transactions on Modeling and Computer Simulation 2(3):179-194. 145 * Also see M. Matsumoto & Y. Kurita, 1994. Twisted GFSR generators 146 * II. ACM Transactions on Mdeling and Computer Simulation 4:254-266) 147 * 148 * Thanks to Colin Plumb for suggesting this. 149 * 150 * We have not analyzed the resultant polynomial to prove it primitive; 151 * in fact it almost certainly isn't. Nonetheless, the irreducible factors 152 * of a random large-degree polynomial over GF(2) are more than large enough 153 * that periodicity is not a concern. 
154 * 155 * The input hash is much less sensitive than the output hash. All 156 * we want from it is to be a good non-cryptographic hash - 157 * i.e. to not produce collisions when fed "random" data of the sort 158 * we expect to see. As long as the pool state differs for different 159 * inputs, we have preserved the input entropy and done a good job. 160 * The fact that an intelligent attacker can construct inputs that 161 * will produce controlled alterations to the pool's state is not 162 * important because we don't consider such inputs to contribute any 163 * randomness. The only property we need with respect to them is that 164 * the attacker can't increase his/her knowledge of the pool's state. 165 * Since all additions are reversible (knowing the final state and the 166 * input, you can reconstruct the initial state), if an attacker has 167 * any uncertainty about the initial state, he/she can only shuffle 168 * that uncertainty about, but never cause any collisions (which would 169 * decrease the uncertainty). 170 * 171 * The chosen system lets the state of the pool be (essentially) the input 172 * modulo the generator polynomial. Now, for random primitive polynomials, 173 * this is a universal class of hash functions, meaning that the chance 174 * of a collision is limited by the attacker's knowledge of the generator 175 * polynomial, so if it is chosen at random, an attacker can never force 176 * a collision. Here, we use a fixed polynomial, but we *can* assume that 177 * ###--> it is unknown to the processes generating the input entropy. <-### 178 * Because of this important property, this is a good, collision-resistant 179 * hash; hash collisions will occur no more often than chance. 180 */ 181 182 /* 183 * Stirring polynomials over GF(2) for various pool sizes. Used in 184 * add_entropy_words() below. 
185 * 186 * The polynomial terms are chosen to be evenly spaced (minimum RMS 187 * distance from evenly spaced; except for the last tap, which is 1 to 188 * get the twisting happening as fast as possible. 189 * 190 * The reultant polynomial is: 191 * 2^POOLWORDS + 2^POOL_TAP1 + 2^POOL_TAP2 + 2^POOL_TAP3 + 2^POOL_TAP4 + 1 192 */ 193 #define POOLWORDS 2048 194 #define POOLBYTES (POOLWORDS*4) 195 #define POOLMASK (POOLWORDS - 1) 196 #define POOL_TAP1 1638 197 #define POOL_TAP2 1231 198 #define POOL_TAP3 819 199 #define POOL_TAP4 411 200 201 struct mutex entropylock = MUTEX_INITIALIZER(IPL_HIGH); 202 203 /* 204 * Raw entropy collection from device drivers; at interrupt context or not. 205 * add_*_randomness() provide data which is put into the entropy queue. 206 * Almost completely under the entropylock. 207 */ 208 struct timer_rand_state { /* There is one of these per entropy source */ 209 u_int last_time; 210 u_int last_delta; 211 u_int last_delta2; 212 u_int dont_count_entropy : 1; 213 u_int max_entropy : 1; 214 } rnd_states[RND_SRC_NUM]; 215 216 #define QEVLEN (1024 / sizeof(struct rand_event)) 217 #define QEVSLOW (QEVLEN * 3 / 4) /* yet another 0.75 for 60-minutes hour /-; */ 218 #define QEVSBITS 10 219 220 #define KEYSZ 32 221 #define IVSZ 8 222 #define BLOCKSZ 64 223 #define RSBUFSZ (16*BLOCKSZ) 224 #define EBUFSIZE KEYSZ + IVSZ 225 226 struct rand_event { 227 struct timer_rand_state *re_state; 228 u_int re_time; 229 u_int re_val; 230 } rnd_event_space[QEVLEN]; 231 /* index of next free slot */ 232 u_int rnd_event_idx; 233 234 struct timeout rnd_timeout; 235 236 static u_int32_t entropy_pool[POOLWORDS]; 237 static const u_int32_t entropy_pool0[POOLWORDS] __attribute__((section(".openbsd.randomdata"))); 238 u_int entropy_add_ptr; 239 u_char entropy_input_rotate; 240 241 void dequeue_randomness(void *); 242 void add_entropy_words(const u_int32_t *, u_int); 243 void extract_entropy(u_int8_t *) 244 __attribute__((__bounded__(__minbytes__,1,EBUFSIZE))); 245 246 int 
filt_randomread(struct knote *, long); 247 void filt_randomdetach(struct knote *); 248 int filt_randomwrite(struct knote *, long); 249 250 static void _rs_seed(u_char *, size_t); 251 static void _rs_clearseed(const void *p, size_t s); 252 253 struct filterops randomread_filtops = 254 { 1, NULL, filt_randomdetach, filt_randomread }; 255 struct filterops randomwrite_filtops = 256 { 1, NULL, filt_randomdetach, filt_randomwrite }; 257 258 static __inline struct rand_event * 259 rnd_get(void) 260 { 261 if (rnd_event_idx == 0) 262 return NULL; 263 /* if it wrapped around, start dequeuing at the end */ 264 if (rnd_event_idx > QEVLEN) 265 rnd_event_idx = QEVLEN; 266 267 return &rnd_event_space[--rnd_event_idx]; 268 } 269 270 static __inline struct rand_event * 271 rnd_put(void) 272 { 273 u_int idx = rnd_event_idx++; 274 275 /* allow wrapping. caller will use xor. */ 276 idx = idx % QEVLEN; 277 278 return &rnd_event_space[idx]; 279 } 280 281 static __inline u_int 282 rnd_qlen(void) 283 { 284 return rnd_event_idx; 285 } 286 287 /* 288 * This function adds entropy to the entropy pool by using timing 289 * delays. It uses the timer_rand_state structure to make an estimate 290 * of how many bits of entropy this call has added to the pool. 291 * 292 * The number "val" is also added to the pool - it should somehow describe 293 * the type of event which just happened. Currently the values of 0-255 294 * are for keyboard scan codes, 256 and upwards - for interrupts. 
 */
void
enqueue_randomness(u_int state, u_int val)
{
	int	delta, delta2, delta3;
	struct timer_rand_state *p;
	struct rand_event *rep;
	struct timespec	ts;
	u_int	time, nbits;

#ifdef DIAGNOSTIC
	if (state >= RND_SRC_NUM)
		return;
#endif

	/*
	 * NOTE(review): ts is only filled in once rnd_timeout has been
	 * set up by random_start(); before that the uninitialized stack
	 * contents of ts are used below -- presumably tolerated as extra
	 * noise, but confirm this is intentional.
	 */
	if (timeout_initialized(&rnd_timeout))
		nanotime(&ts);

	p = &rnd_states[state];
	val += state << 13;	/* tag the value with its source number */

	/* compress the timespec into a single 32-bit timestamp word */
	time = (ts.tv_nsec >> 10) + (ts.tv_sec << 20);
	nbits = 0;

	/*
	 * Calculate the number of bits of randomness that we probably
	 * added.  We take into account the first and second order
	 * deltas in order to make our estimate.
	 */
	if (!p->dont_count_entropy) {
		delta = time - p->last_time;
		delta2 = delta - p->last_delta;
		delta3 = delta2 - p->last_delta2;

		if (delta < 0) delta = -delta;
		if (delta2 < 0) delta2 = -delta2;
		if (delta3 < 0) delta3 = -delta3;
		/* use the smallest of the three deltas as the estimate */
		if (delta > delta2) delta = delta2;
		if (delta > delta3) delta = delta3;
		/* halve it; also remember it as next call's last_delta */
		delta3 = delta >>= 1;
		/*
		 * delta &= 0xfff;
		 * we don't do it since our time sheet is different from linux
		 */

		/* nbits = number of significant bits in delta */
		if (delta & 0xffff0000) {
			nbits = 16;
			delta >>= 16;
		}
		if (delta & 0xff00) {
			nbits += 8;
			delta >>= 8;
		}
		if (delta & 0xf0) {
			nbits += 4;
			delta >>= 4;
		}
		if (delta & 0xc) {
			nbits += 2;
			delta >>= 2;
		}
		if (delta & 2) {
			nbits += 1;
			delta >>= 1;
		}
		if (delta & 1)
			nbits++;
	} else if (p->max_entropy)
		nbits = 8 * sizeof(val) - 1;	/* trusted source: near-full credit */

	/* given the multi-order delta logic above, this should never happen */
	if (nbits >= 32)
		return;

	mtx_enter(&entropylock);
	if (!p->dont_count_entropy) {
		p->last_time = time;
		p->last_delta = delta3;
		p->last_delta2 = delta2;
	}

	rep = rnd_put();

	rep->re_state = p;
	/*
	 * Accumulate rather than assign: when the queue wraps, rnd_put()
	 * hands back an already-used slot and the new event is folded
	 * into the old contents instead of replacing them.
	 */
	rep->re_time += ts.tv_nsec ^ (ts.tv_sec << 20);
	rep->re_val += val;

	/* queue is filling up: schedule a drain as soon as possible */
	if (rnd_qlen() > QEVSLOW/2 &&
	    timeout_initialized(&rnd_timeout) &&
	    !timeout_pending(&rnd_timeout))
		timeout_add(&rnd_timeout, 1);

	mtx_leave(&entropylock);
}

/*
 * This function adds words into the entropy pool.  It does not
 * update the entropy estimate.  The caller must do this if appropriate.
 *
 * The pool is stirred with a polynomial of degree POOLWORDS over GF(2);
 * see POOL_TAP[1-4] above
 *
 * Rotate the input word by a changing number of bits, to help assure
 * that all bits in the entropy get toggled.  Otherwise, if the pool
 * is consistently fed small numbers (such as keyboard scan codes)
 * then the upper bits of the entropy pool will frequently remain
 * untouched.
 */
void
add_entropy_words(const u_int32_t *buf, u_int n)
{
	/* derived from IEEE 802.3 CRC-32 */
	static const u_int32_t twist_table[8] = {
		0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
		0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278
	};

	for (; n--; buf++) {
		/* rotate the input left by the current (varying) amount */
		u_int32_t w = (*buf << entropy_input_rotate) |
		    (*buf >> ((32 - entropy_input_rotate) & 31));
		u_int i = entropy_add_ptr =
		    (entropy_add_ptr - 1) & POOLMASK;
		/*
		 * Normally, we add 7 bits of rotation to the pool.
		 * At the beginning of the pool, add an extra 7 bits
		 * rotation, so that successive passes spread the
		 * input bits across the pool evenly.
		 */
		entropy_input_rotate =
		    (entropy_input_rotate + (i ? 7 : 14)) & 31;

		/* XOR pool contents corresponding to polynomial terms */
		w ^= entropy_pool[(i + POOL_TAP1) & POOLMASK] ^
		    entropy_pool[(i + POOL_TAP2) & POOLMASK] ^
		    entropy_pool[(i + POOL_TAP3) & POOLMASK] ^
		    entropy_pool[(i + POOL_TAP4) & POOLMASK] ^
		    entropy_pool[(i + 1) & POOLMASK] ^
		    entropy_pool[i]; /* + 2^POOLWORDS */

		entropy_pool[i] = (w >> 3) ^ twist_table[w & 7];
	}
}

/*
 * Pulls entropy out of the queue and merges it into the pool
 * with the CRC.
 */
/* ARGSUSED */
void
dequeue_randomness(void *v)
{
	struct rand_event *rep;
	u_int32_t buf[2];

	mtx_enter(&entropylock);

	/* a pending timeout would only redo the work we are doing now */
	if (timeout_initialized(&rnd_timeout))
		timeout_del(&rnd_timeout);

	while ((rep = rnd_get())) {
		buf[0] = rep->re_time;
		buf[1] = rep->re_val;
		/* drop the lock while mixing; the CRC stir may take a while */
		mtx_leave(&entropylock);

		add_entropy_words(buf, 2);

		mtx_enter(&entropylock);
	}
	mtx_leave(&entropylock);
}

/*
 * Grabs a chunk from the entropy_pool[] and slams it through SHA512 when
 * requested.
 */
void
extract_entropy(u_int8_t *buf)
{
	static u_int32_t extract_pool[POOLWORDS];
	u_char digest[SHA512_DIGEST_LENGTH];
	SHA2_CTX shactx;

#if SHA512_DIGEST_LENGTH < EBUFSIZE
#error "need more bigger hash output"
#endif

	/*
	 * INTENTIONALLY not protected by entropylock.  Races during
	 * memcpy() result in acceptable input data; races during
	 * SHA512Update() would create nasty data dependencies.  We
	 * do not rely on this as a benefit, but if it happens, cool.
	 */
	memcpy(extract_pool, entropy_pool, sizeof(extract_pool));

	/* Hash the pool to get the output */
	SHA512Init(&shactx);
	SHA512Update(&shactx, (u_int8_t *)extract_pool, sizeof(extract_pool));
	SHA512Final(digest, &shactx);

	/* Copy data to destination buffer */
	memcpy(buf, digest, EBUFSIZE);

	/* Modify pool so next hash will produce different results */
	add_timer_randomness(EBUFSIZE);
	dequeue_randomness(NULL);

	/* Wipe data from memory */
	explicit_bzero(extract_pool, sizeof(extract_pool));
	explicit_bzero(digest, sizeof(digest));
}

/* random keystream by ChaCha */

void	arc4_reinit(void *v);	/* timeout to start reinit */
void	arc4_init(void *);	/* actually do the reinit */

/* Protects the ChaCha state and keystream buffer below. */
struct mutex rndlock = MUTEX_INITIALIZER(IPL_HIGH);
struct timeout arc4_timeout;
struct task arc4_task = TASK_INITIALIZER(arc4_init, NULL);

static int rs_initialized;
static chacha_ctx rs;		/* chacha context for random keystream */
/* keystream blocks (also chacha seed from boot) */
static u_char rs_buf[RSBUFSZ];
/* boot seed material in its own section; wiped by random_start() */
static const u_char rs_buf0[RSBUFSZ]
    __attribute__((section(".openbsd.randomdata")));
static size_t rs_have;		/* valid bytes at end of rs_buf */
static size_t rs_count;		/* bytes till reseed */

/*
 * Fold the current time into the pool and force a reseed on next use,
 * so keystream state saved in a suspend image cannot simply be resumed.
 */
void
suspend_randomness(void)
{
	struct timespec ts;

	getnanotime(&ts);
	add_true_randomness(ts.tv_sec);
	add_true_randomness(ts.tv_nsec);

	dequeue_randomness(NULL);
	rs_count = 0;
	/* overwrite the pool so the suspend image reveals less */
	arc4random_buf(entropy_pool, sizeof(entropy_pool));
}

/*
 * Re-key from the (optional) saved seed plus the current time after a
 * resume, and force a stir on next use.
 */
void
resume_randomness(char *buf, size_t buflen)
{
	struct timespec ts;

	if (buf && buflen)
		_rs_seed(buf, buflen);
	getnanotime(&ts);
	add_true_randomness(ts.tv_sec);
	add_true_randomness(ts.tv_nsec);

	dequeue_randomness(NULL);
	rs_count = 0;
}

static inline void _rs_rekey(u_char *dat, size_t datlen);

static inline
void
_rs_init(u_char *buf, size_t n)
{
	/* load a ChaCha key and IV from the first KEYSZ+IVSZ bytes of buf */
	KASSERT(n >= KEYSZ + IVSZ);
	chacha_keysetup(&rs, buf, KEYSZ * 8);
	chacha_ivsetup(&rs, buf + KEYSZ, NULL);
}

/* Mix seed material into the cipher and restart the reseed countdown. */
static void
_rs_seed(u_char *buf, size_t n)
{
	_rs_rekey(buf, n);

	/* invalidate rs_buf */
	rs_have = 0;
	memset(rs_buf, 0, RSBUFSZ);

	rs_count = 1600000;	/* bytes to produce before the next reseed */
}

/*
 * Reseed the stream cipher from the entropy pool plus the current time.
 */
static void
_rs_stir(int do_lock)
{
	struct timespec ts;
	u_int8_t buf[EBUFSIZE], *p;
	int i;

	/*
	 * Use SHA512 PRNG data and a system timespec; early in the boot
	 * process this is the best we can do -- some architectures do
	 * not collect entropy very well during this time, but may have
	 * clock information which is better than nothing.
	 */
	extract_entropy(buf);

	nanotime(&ts);
	for (p = (u_int8_t *)&ts, i = 0; i < sizeof(ts); i++)
		buf[i] ^= p[i];

	if (do_lock)
		mtx_enter(&rndlock);
	_rs_seed(buf, sizeof(buf));
	if (do_lock)
		mtx_leave(&rndlock);

	explicit_bzero(buf, sizeof(buf));
}

/*
 * Charge len bytes against the reseed budget, stirring when it is
 * exhausted; also performs the very first cipher initialization.
 */
static inline void
_rs_stir_if_needed(size_t len)
{
	if (!rs_initialized) {
		_rs_init(rs_buf, KEYSZ + IVSZ);
		rs_count = 1024 * 1024 * 1024;	/* until main() runs */
		rs_initialized = 1;
	} else if (rs_count <= len)
		_rs_stir(0);
	else
		rs_count -= len;
}

/*
 * Erase a boot seed living in the read-only .openbsd.randomdata
 * section by mapping its physical pages writable at a temporary
 * kernel address and zeroing through that mapping.
 */
static void
_rs_clearseed(const void *p, size_t s)
{
	struct kmem_dyn_mode kd_avoidalias;
	vaddr_t va = trunc_page((vaddr_t)p);
	vsize_t off = (vaddr_t)p - va;
	vaddr_t rwva;
	paddr_t pa[3];
	int i;

	/* the seed may straddle pages, but must fit in nitems(pa)-1 of them */
	KASSERT(s <= (nitems(pa) - 1) * PAGE_SIZE);

	for (i = 0; i < nitems(pa); i++, va += PAGE_SIZE)
		pmap_extract(pmap_kernel(), va, &pa[i]);

	memset(&kd_avoidalias, 0, sizeof kd_avoidalias);
	kd_avoidalias.kd_prefer = pa[0];
	kd_avoidalias.kd_waitok = 1;
	rwva = (vaddr_t)km_alloc(nitems(pa) * PAGE_SIZE, &kv_any, &kp_none,
	    &kd_avoidalias);
	if (!rwva)
		panic("_rs_clearseed");

	va = rwva;
	for (i = 0; i < nitems(pa); i++, va += PAGE_SIZE)
		pmap_kenter_pa(va, pa[i], PROT_READ | PROT_WRITE);
	pmap_update(pmap_kernel());

	explicit_bzero((void *)(rwva + off), s);

	pmap_kremove(rwva, nitems(pa) * PAGE_SIZE);
	km_free((void *)rwva, nitems(pa) * PAGE_SIZE, &kv_any, &kp_none);
}

/*
 * Refill rs_buf with fresh keystream, optionally folding in caller
 * data, then immediately re-key from (and erase) the front of the
 * buffer for backtracking resistance.
 */
static inline void
_rs_rekey(u_char *dat, size_t datlen)
{
	if (!rs_initialized) {
		/* first use ever: bring in the boot-loader seed material */
		memcpy(entropy_pool, entropy_pool0, sizeof entropy_pool);
		memcpy(rs_buf, rs_buf0, sizeof rs_buf);
		rs_initialized = 1;
		/* seeds cannot be cleaned yet, random_start() will do so */
	}

#ifndef KEYSTREAM_ONLY
	memset(rs_buf, 0, RSBUFSZ);
#endif
	/* fill rs_buf with the keystream */
	chacha_encrypt_bytes(&rs, rs_buf, rs_buf, RSBUFSZ);
	/* mix in optional user provided data */
	if (dat) {
		size_t i, m;

		m = MIN(datlen, KEYSZ + IVSZ);
		for (i = 0; i < m; i++)
			rs_buf[i] ^= dat[i];
	}
	/* immediately reinit for backtracking resistance */
	_rs_init(rs_buf, KEYSZ + IVSZ);
	memset(rs_buf, 0, KEYSZ + IVSZ);
	rs_have = RSBUFSZ - KEYSZ - IVSZ;
}

/*
 * Copy n keystream bytes into _buf, erasing each byte of rs_buf as it
 * is consumed (keystream is taken from the tail).  Caller holds rndlock.
 */
static inline void
_rs_random_buf(void *_buf, size_t n)
{
	u_char *buf = (u_char *)_buf;
	size_t m;

	_rs_stir_if_needed(n);
	while (n > 0) {
		if (rs_have > 0) {
			m = MIN(n, rs_have);
			memcpy(buf, rs_buf + RSBUFSZ - rs_have, m);
			memset(rs_buf + RSBUFSZ - rs_have, 0, m);
			buf += m;
			n -= m;
			rs_have -= m;
		}
		if (rs_have == 0)
			_rs_rekey(NULL, 0);
	}
}

/* As above, for exactly one 32-bit word.  Caller holds rndlock. */
static inline void
_rs_random_u32(u_int32_t *val)
{
	_rs_stir_if_needed(sizeof(*val));
	if (rs_have < sizeof(*val))
		_rs_rekey(NULL, 0);
	memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val));
	memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val));
	rs_have -= sizeof(*val);
	return;
}

/* Return one word of randomness from a ChaCha20 generator
*/ 711 u_int32_t 712 arc4random(void) 713 { 714 u_int32_t ret; 715 716 mtx_enter(&rndlock); 717 _rs_random_u32(&ret); 718 mtx_leave(&rndlock); 719 return ret; 720 } 721 722 /* 723 * Fill a buffer of arbitrary length with ChaCha20-derived randomness. 724 */ 725 void 726 arc4random_buf(void *buf, size_t n) 727 { 728 mtx_enter(&rndlock); 729 _rs_random_buf(buf, n); 730 mtx_leave(&rndlock); 731 } 732 733 /* 734 * Calculate a uniformly distributed random number less than upper_bound 735 * avoiding "modulo bias". 736 * 737 * Uniformity is achieved by generating new random numbers until the one 738 * returned is outside the range [0, 2**32 % upper_bound). This 739 * guarantees the selected random number will be inside 740 * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound) 741 * after reduction modulo upper_bound. 742 */ 743 u_int32_t 744 arc4random_uniform(u_int32_t upper_bound) 745 { 746 u_int32_t r, min; 747 748 if (upper_bound < 2) 749 return 0; 750 751 /* 2**32 % x == (2**32 - x) % x */ 752 min = -upper_bound % upper_bound; 753 754 /* 755 * This could theoretically loop forever but each retry has 756 * p > 0.5 (worst case, usually far better) of selecting a 757 * number inside the range we need, so it should rarely need 758 * to re-roll. 759 */ 760 for (;;) { 761 r = arc4random(); 762 if (r >= min) 763 break; 764 } 765 766 return r % upper_bound; 767 } 768 769 /* ARGSUSED */ 770 void 771 arc4_init(void *null) 772 { 773 _rs_stir(1); 774 } 775 776 /* 777 * Called by timeout to mark arc4 for stirring, 778 */ 779 void 780 arc4_reinit(void *v) 781 { 782 task_add(systq, &arc4_task); 783 /* 10 minutes, per dm@'s suggestion */ 784 timeout_add_sec(&arc4_timeout, 10 * 60); 785 } 786 787 /* 788 * Start periodic services inside the random subsystem, which pull 789 * entropy forward, hash it, and re-seed the random stream as needed. 
 */
void
random_start(void)
{
#if !defined(NO_PROPOLICE)
	extern long __guard_local;

	/* the boot loader should have filled .openbsd.randomdata by now */
	if (__guard_local == 0)
		printf("warning: no entropy supplied by boot loader\n");
#endif

	/* the boot seeds have served their purpose; erase them */
	_rs_clearseed(entropy_pool0, sizeof entropy_pool0);
	_rs_clearseed(rs_buf0, sizeof rs_buf0);

	/* these sources are credited specially; see enqueue_randomness() */
	rnd_states[RND_SRC_TIMER].dont_count_entropy = 1;
	rnd_states[RND_SRC_TRUE].dont_count_entropy = 1;
	rnd_states[RND_SRC_TRUE].max_entropy = 1;

	/* Provide some data from this kernel */
	add_entropy_words((u_int32_t *)version,
	    strlen(version) / sizeof(u_int32_t));

	/* Provide some data from this kernel */
	add_entropy_words((u_int32_t *)cfdata,
	    8192 / sizeof(u_int32_t));

	/* Message buffer may contain data from previous boot */
	if (msgbufp->msg_magic == MSG_MAGIC)
		add_entropy_words((u_int32_t *)msgbufp->msg_bufc,
		    msgbufp->msg_bufs / sizeof(u_int32_t));

	rs_initialized = 1;
	dequeue_randomness(NULL);
	arc4_init(NULL);
	/* begin the periodic re-stir cycle */
	timeout_set(&arc4_timeout, arc4_reinit, NULL);
	arc4_reinit(NULL);
	timeout_set(&rnd_timeout, dequeue_randomness, NULL);
}

/* /dev/random open: nothing to set up; all state is global. */
int
randomopen(dev_t dev, int flag, int mode, struct proc *p)
{
	return 0;
}

/* /dev/random close: nothing to tear down. */
int
randomclose(dev_t dev, int flag, int mode, struct proc *p)
{
	return 0;
}

/*
 * Maximum number of bytes to serve directly from the main ChaCha
 * pool.  Larger requests are served from a discrete ChaCha instance keyed
 * from the main pool.
 */
#define ARC4_MAIN_MAX_BYTES	2048

int
randomread(dev_t dev, struct uio *uio, int ioflag)
{
	u_char		lbuf[KEYSZ+IVSZ];
	chacha_ctx	lctx;
	size_t		total = uio->uio_resid;
	u_char		*buf;
	int		myctx = 0, ret = 0;

	if (uio->uio_resid == 0)
		return 0;

	buf = malloc(POOLBYTES, M_TEMP, M_WAITOK);
	/* big reads get a private cipher, keyed once from the main one */
	if (total > ARC4_MAIN_MAX_BYTES) {
		arc4random_buf(lbuf, sizeof(lbuf));
		chacha_keysetup(&lctx, lbuf, KEYSZ * 8);
		chacha_ivsetup(&lctx, lbuf + KEYSZ, NULL);
		explicit_bzero(lbuf, sizeof(lbuf));
		myctx = 1;
	}

	while (ret == 0 && uio->uio_resid > 0) {
		size_t n = ulmin(POOLBYTES, uio->uio_resid);

		if (myctx) {
#ifndef KEYSTREAM_ONLY
			memset(buf, 0, n);
#endif
			chacha_encrypt_bytes(&lctx, buf, buf, n);
		} else
			arc4random_buf(buf, n);
		ret = uiomove(buf, n, uio);
		/* be polite to other threads on long reads */
		if (ret == 0 && uio->uio_resid > 0)
			yield();
	}
	/* wipe the local cipher state and the staging buffer */
	if (myctx)
		explicit_bzero(&lctx, sizeof(lctx));
	explicit_bzero(buf, POOLBYTES);
	free(buf, M_TEMP, POOLBYTES);
	return ret;
}

/*
 * Writes to /dev/random are stirred into the entropy pool (with no
 * entropy credit), after which the stream cipher is re-keyed.
 */
int
randomwrite(dev_t dev, struct uio *uio, int flags)
{
	int ret = 0, newdata = 0;
	u_int32_t *buf;

	if (uio->uio_resid == 0)
		return 0;

	buf = malloc(POOLBYTES, M_TEMP, M_WAITOK);

	while (ret == 0 && uio->uio_resid > 0) {
		size_t n = ulmin(POOLBYTES, uio->uio_resid);

		ret = uiomove(buf, n, uio);
		if (ret != 0)
			break;
		/* zero-pad a partial trailing word before mixing */
		while (n % sizeof(u_int32_t))
			((u_int8_t *)buf)[n++] = 0;
		add_entropy_words(buf, n / 4);
		if (uio->uio_resid > 0)
			yield();
		newdata = 1;
	}

	if (newdata)
		arc4_init(NULL);	/* re-key from the updated pool */

	explicit_bzero(buf, POOLBYTES);
	free(buf, M_TEMP, POOLBYTES);
	return ret;
}

/* Attach a read or write event filter to /dev/random. */
int
randomkqfilter(dev_t dev, struct knote *kn)
{
	switch (kn->kn_filter) {
	case EVFILT_READ:
		kn->kn_fop = &randomread_filtops;
		break;
	case EVFILT_WRITE:
		kn->kn_fop = &randomwrite_filtops;
break; 933 default: 934 return (EINVAL); 935 } 936 937 return (0); 938 } 939 940 void 941 filt_randomdetach(struct knote *kn) 942 { 943 } 944 945 int 946 filt_randomread(struct knote *kn, long hint) 947 { 948 kn->kn_data = ARC4_MAIN_MAX_BYTES; 949 return (1); 950 } 951 952 int 953 filt_randomwrite(struct knote *kn, long hint) 954 { 955 kn->kn_data = POOLBYTES; 956 return (1); 957 } 958 959 int 960 randomioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p) 961 { 962 switch (cmd) { 963 case FIOASYNC: 964 /* No async flag in softc so this is a no-op. */ 965 break; 966 case FIONBIO: 967 /* Handled in the upper FS layer. */ 968 break; 969 default: 970 return ENOTTY; 971 } 972 return 0; 973 } 974 975 int 976 sys_getentropy(struct proc *p, void *v, register_t *retval) 977 { 978 struct sys_getentropy_args /* { 979 syscallarg(void *) buf; 980 syscallarg(size_t) nbyte; 981 } */ *uap = v; 982 char buf[256]; 983 int error; 984 985 if (SCARG(uap, nbyte) > sizeof(buf)) 986 return (EIO); 987 arc4random_buf(buf, SCARG(uap, nbyte)); 988 if ((error = copyout(buf, SCARG(uap, buf), SCARG(uap, nbyte))) != 0) 989 return (error); 990 explicit_bzero(buf, sizeof(buf)); 991 retval[0] = 0; 992 return (0); 993 } 994