[dragonfly.git] / sys / kern / kern_nrandom.c

/*
 * Copyright (c) 2004, 2005, 2006 Robin J Carey. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions, and the following disclaimer,
 *    without modification, immediately at the beginning of the file.
 * 2. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $DragonFly: src/sys/kern/kern_nrandom.c,v 1.7 2008/08/01 04:42:30 dillon Exp $
 */
/*			   --- NOTES ---
 *
 * Note: The word "entropy" is often incorrectly used to describe
 * random data. The word "entropy" originates from the science of
 * Physics. The correct descriptive definition would be something
 * along the lines of "seed", "unpredictable numbers" or
 * "unpredictable data".
 *
 * Note: Some /dev/[u]random implementations save "seed" between
 * boots which represents a security hazard since an adversary
 * could acquire this data (since it is stored in a file). If
 * the unpredictable data used in the above routines is only
 * generated during Kernel operation, then an adversary can only
 * acquire that data through a Kernel security compromise and/or
 * a cryptographic algorithm failure/cryptanalysis.
 *
 * Note: On FreeBSD-4.11, interrupts have to be manually enabled
 * using the rndcontrol(8) command.
 *
 *		--- DESIGN (FreeBSD-4.11 based) ---
 *
 *   The rnddev module automatically initializes itself the first time
 * it is used (client calls any public rnddev_*() interface routine).
 * Both CSPRNGs are initially seeded from the precise nano[up]time() routines.
 * Tests show this method produces good enough results, suitable for intended
 * use. It is necessary for both CSPRNGs to be completely seeded, initially.
 *
 *   After initialization and during Kernel operation the only suitable
 * unpredictable data available is:
 *
 *	(1) Keyboard scan-codes.
 *	(2) Nanouptime acquired by a Keyboard/Read-Event.
 *	(3) Suitable interrupt source; hard-disk/ATA-device.
 *
 *      (X) Mouse-event (xyz-data unsuitable); NOT IMPLEMENTED.
 *
 *   This data is added to both CSPRNGs in real-time as it happens/
 * becomes-available. Additionally, unpredictable (?) data may be
 * acquired from a true-random number generator if such a device is
 * available to the system (not advisable !).
 *   Nanouptime() acquired by a Read-Event is a very important aspect of
 * this design, since it ensures that unpredictable data is added to
 * the CSPRNGs even if there are no other sources.
 *   The nanouptime() Kernel routine is used since time relative to
 * boot is less adversary-known than time itself.
 *
 *   This design has been thoroughly tested with debug logging
 * and the output from both /dev/random and /dev/urandom has
 * been tested with the DIEHARD test-suite; both pass.
 *
 * MODIFICATIONS MADE TO ORIGINAL "kern_random.c":
 *
 * 6th July 2005:
 *
 * o Changed ReadSeed() function to schedule future read-seed-events
 *   by at least one second. Previous implementation used a randomised
 *   scheduling { 0, 1, 2, 3 seconds }.
 * o Changed SEED_NANOUP() function to use a "previous" accumulator
 *   algorithm similar to ReadSeed(). This ensures that there is no
 *   way that an adversary can tell what number is being added to the
 *   CSPRNGs, since the number added to the CSPRNGs at Event-Time is
 *   the sum of nanouptime()@Event and an unknown/secret number.
 * o Changed rnddev_add_interrupt() function to schedule future
 *   interrupt-events by at least one second. Previous implementation
 *   had no scheduling algorithm which allowed an "interrupt storm"
 *   to occur resulting in skewed data entering into the CSPRNGs.
 *
 *
 * 9th July 2005:
 *
 * o Some small cleanups and change all internal functions to be
 *   static/private.
 * o Removed ReadSeed() since its functionality is already performed
 *   by another function { rnddev_add_interrupt_OR_read() } and remove
 *   the silly rndByte accumulator/feedback-thing (since multipying by
 *   rndByte could yield a value of 0).
 * o Made IBAA/L14 public interface become static/private;
 *   Local to this file (not changed to that in the original C modules).
 *
 * 16th July 2005:
 *
 * o SEED_NANOUP() -> NANOUP_EVENT() function rename.
 * o Make NANOUP_EVENT() handle the time-buffering directly so that all
 *   time-stamp-events use this single time-buffer (including keyboard).
 *   This removes dependancy on "time_second" Kernel variable.
 * o Removed second-time-buffer code in rnddev_add_interrupt_OR_read (void).
 * o Rewrote the time-buffering algorithm in NANOUP_EVENT() to use a
 *   randomised time-delay range.
 *
 * 12th Dec 2005:
 *
 * o Updated to (hopefully final) L15 algorithm.
 *
 * 12th June 2006:
 *
 * o Added missing (u_char *) cast in RnddevRead() function.
 * o Changed copyright to 3-clause BSD license and cleaned up the layout
 *   of this file.
 */

#include <sys/types.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/poll.h>
#include <sys/random.h>
#include <sys/systimer.h>
#include <sys/time.h>
#include <sys/proc.h>
#include <sys/lock.h>
#include <sys/sysctl.h>
#include <sys/spinlock.h>
#include <machine/clock.h>

#include <sys/thread2.h>
#include <sys/spinlock2.h>

/*
 * Portability note: The u_char/unsigned char type is used where
 * uint8_t from <stdint.h> or u_int8_t from <sys/types.h> should really
 * be being used. On FreeBSD, it is safe to make the assumption that these
 * different types are equivalent (on all architectures).
 * The FreeBSD <sys/crypto/rc4> module also makes this assumption.
 */

/*------------------------------ IBAA ----------------------------------*/

/*-------------------------- IBAA CSPRNG -------------------------------*/

/*
 * NOTE: The original source code from which this source code (IBAA)
 *       was taken has no copyright/license. The algorithm has no patent
 *       and is freely/publicly available from:
 *
 *           http://www.burtleburtle.net/bob/rand/isaac.html
 */

/*
 * ^ means XOR, & means bitwise AND, a<<b means shift a by b.
 * barrel(a) shifts a 19 bits to the left, and bits wrap around
 * ind(x) is (x AND 255), or (x mod 256)
 */
typedef	u_int32_t	u4;   /* unsigned four bytes, 32 bits */

#define	ALPHA		(8)
#define	SIZE		(1 << ALPHA)
#define MASK		(SIZE - 1)
#define	ind(x)		((x) & (SIZE - 1))
#define	barrel(a)	(((a) << 20) ^ ((a) >> 12))  /* beta=32,shift=20 */
 
static void IBAA
(
	u4 *m,		/* Memory: array of SIZE ALPHA-bit terms */
	u4 *r,		/* Results: the sequence, same size as m */
	u4 *aa,		/* Accumulator: a single value */
	u4 *bb,		/* the previous result */
	u4 *counter	/* counter */
)
{
	u4 a, b, x, y, i;
 
	a = *aa;
	b = *bb + *counter;
	++*counter;
	for (i = 0; i < SIZE; ++i) {
		x = m[i];  
		a = barrel(a) + m[ind(i + (SIZE / 2))];	/* set a */
		m[i] = y = m[ind(x)] + a + b;		/* set m */
		r[i] = b = m[ind(y >> ALPHA)] + x;	/* set r */
	}
	*bb = b; *aa = a;
}

/*-------------------------- IBAA CSPRNG -------------------------------*/


static u4	IBAA_memory[SIZE];
static u4	IBAA_results[SIZE];
static u4	IBAA_aa;
static u4	IBAA_bb;
static u4	IBAA_counter;

static volatile int IBAA_byte_index;


static void	IBAA_Init(void);
static void	IBAA_Call(void);
static void	IBAA_Seed(const u_int32_t val);
static u_char	IBAA_Byte(void);

/*
 * Initialize IBAA. 
 */
static void
IBAA_Init(void)
{
	size_t	i;

	for (i = 0; i < SIZE; ++i) {
		IBAA_memory[i] = i;
	}
	IBAA_aa = IBAA_bb = 0;
	IBAA_counter = 0;
	IBAA_byte_index = sizeof(IBAA_results);	/* force IBAA_Call() */
}

/*
 * PRIVATE: Call IBAA to produce 256 32-bit u4 results.
 */
static void
IBAA_Call (void)
{
	IBAA(IBAA_memory, IBAA_results, &IBAA_aa, &IBAA_bb, &IBAA_counter);
	IBAA_byte_index = 0;
}

/*
 * Add a 32-bit u4 seed value into IBAAs memory.  Mix the low 4 bits 
 * with 4 bits of PNG data to reduce the possibility of a seeding-based
 * attack.
 */
static void
IBAA_Seed (const u_int32_t val)
{
	static int memIndex;
	u4 *iptr;

	iptr = &IBAA_memory[memIndex & MASK];
	*iptr = ((*iptr << 3) | (*iptr >> 29)) + (val ^ (IBAA_Byte() & 15));
	++memIndex;
}

/*
 * Extract a byte from IBAAs 256 32-bit u4 results array. 
 *
 * NOTE: This code is designed to prevent MP races from taking
 * IBAA_byte_index out of bounds.
 */
static u_char
IBAA_Byte(void)
{
	u_char result;
	int index;

	index = IBAA_byte_index;
	if (index == sizeof(IBAA_results)) {
		IBAA_Call();
		index = 0;
	}
	result = ((u_char *)IBAA_results)[index];
	IBAA_byte_index = index + 1;
	return result;
}

/*------------------------------ IBAA ----------------------------------*/


/*------------------------------- L15 ----------------------------------*/

/*
 * IMPORTANT NOTE: LByteType must be exactly 8-bits in size or this software
 * will not function correctly.
 */
typedef unsigned char	LByteType;

#define	L15_STATE_SIZE	256

static LByteType	L15_x, L15_y;
static LByteType	L15_start_x;
static LByteType	L15_state[L15_STATE_SIZE];

/*
 * PRIVATE FUNCS:
 */

static void		L15_Swap(const LByteType pos1, const LByteType pos2);
static void		L15_InitState(void);
static void		L15_KSA(const LByteType * const key,
				const size_t keyLen);
static void		L15_Discard(const LByteType numCalls);

/*
 * PUBLIC INTERFACE:
 */
static void		L15(const LByteType * const key, const size_t keyLen);
static LByteType	L15_Byte(void);
static void		L15_Vector(const LByteType * const key,
				const size_t keyLen);

static __inline void
L15_Swap(const LByteType pos1, const LByteType pos2)
{
	const LByteType	save1 = L15_state[pos1];

	L15_state[pos1] = L15_state[pos2];
	L15_state[pos2] = save1;
}

static void
L15_InitState (void)
{
	size_t i;
	for (i = 0; i < L15_STATE_SIZE; ++i)
		L15_state[i] = i;
}

#define  L_SCHEDULE(xx)						\
								\
for (i = 0; i < L15_STATE_SIZE; ++i) {				\
    L15_Swap(i, (stateIndex += (L15_state[i] + (xx))));		\
}

static void
L15_KSA (const LByteType * const key, const size_t keyLen)
{
	size_t	i, keyIndex;
	LByteType stateIndex = 0;

	L_SCHEDULE(keyLen);
	for (keyIndex = 0; keyIndex < keyLen; ++keyIndex) {
		L_SCHEDULE(key[keyIndex]);
	}
}

static void
L15_Discard(const LByteType numCalls)
{
	LByteType i;
	for (i = 0; i < numCalls; ++i) {
		(void)L15_Byte();
	}
}


/*
 * PUBLIC INTERFACE:
 */
static void
L15(const LByteType * const key, const size_t keyLen)
{
	L15_x = L15_start_x = 0;
	L15_y = L15_STATE_SIZE - 1;
	L15_InitState();
	L15_KSA(key, keyLen);
	L15_Discard(L15_Byte());
}

static LByteType
L15_Byte(void)
{
	LByteType z;

	L15_Swap(L15_state[L15_x], L15_y);
	z = (L15_state [L15_x++] + L15_state[L15_y--]);
	if (L15_x == L15_start_x) {
		--L15_y;
	}
	return (L15_state[z]);
}

static void
L15_Vector (const LByteType * const key, const size_t keyLen)
{
	L15_KSA(key, keyLen);
}

/*------------------------------- L15 ----------------------------------*/

/************************************************************************
 *				KERNEL INTERFACE			*
 ************************************************************************
 *
 * By Robin J Carey and Matthew Dillon.
 */

static int rand_thread_signal = 1;
static void NANOUP_EVENT(void);
static thread_t rand_td;
static struct spinlock rand_spin;

static int nrandevents;
SYSCTL_INT(_kern, OID_AUTO, nrandevents, CTLFLAG_RD, &nrandevents, 0, "");
static int seedenable;
SYSCTL_INT(_kern, OID_AUTO, seedenable, CTLFLAG_RW, &seedenable, 0, "");

/*
 * Called from early boot
 */
void
rand_initialize(void)
{
	struct timespec	now;
	int i;

	spin_init(&rand_spin);

	/* Initialize IBAA. */
	IBAA_Init();

	/* Initialize L15. */
	nanouptime(&now);
	L15((const LByteType *)&now.tv_nsec, sizeof(now.tv_nsec));
	for (i = 0; i < (SIZE / 2); ++i) {
		nanotime(&now);
		IBAA_Seed(now.tv_nsec);
		L15_Vector((const LByteType *)&now.tv_nsec,
			   sizeof(now.tv_nsec));
		nanouptime(&now);
		IBAA_Seed(now.tv_nsec);
		L15_Vector((const LByteType *)&now.tv_nsec,
			   sizeof(now.tv_nsec));
	}

	/*
	 * Warm up the generator to get rid of weak initial states.
	 */
	for (i = 0; i < 10; ++i)
		IBAA_Call();
}

/*
 * Keyboard events
 */
void
add_keyboard_randomness(u_char scancode)
{
	spin_lock_wr(&rand_spin);
	L15_Vector((const LByteType *) &scancode, sizeof (scancode));
	spin_unlock_wr(&rand_spin);
	add_interrupt_randomness(0);
}

/*
 * Interrupt events.  This is SMP safe and allowed to race.
 */
void
add_interrupt_randomness(int intr)
{
	if (rand_thread_signal == 0) {
		rand_thread_signal = 1;
		lwkt_schedule(rand_td);
	}
}

/*
 * True random number source
 */
void
add_true_randomness(int val)
{
	spin_lock_wr(&rand_spin);
	IBAA_Seed(val);
	L15_Vector((const LByteType *) &val, sizeof (val));
	++nrandevents;
	spin_unlock_wr(&rand_spin);
}

int
add_buffer_randomness(const char *buf, int bytes)
{
	int error;
	int i;

	if (seedenable && securelevel <= 0) {
		while (bytes >= sizeof(int)) {
			add_true_randomness(*(const int *)buf);
			buf += sizeof(int);
			bytes -= sizeof(int);
		}
		error = 0;

		/*
		 * Warm up the generator to get rid of weak initial states.
		 */
		for (i = 0; i < 10; ++i)
			IBAA_Call();
	} else {
		error = EPERM;
	}
	return (error);
}

/*
 * Poll (always succeeds)
 */
int
random_poll(cdev_t dev, int events)
{
	int revents = 0;

	if (events & (POLLIN | POLLRDNORM))
		revents |= events & (POLLIN | POLLRDNORM);
	if (events & (POLLOUT | POLLWRNORM))
		revents |= events & (POLLOUT | POLLWRNORM);

	return (revents);
}

/*
 * Heavy weight random number generator.  May return less then the
 * requested number of bytes.
 */
u_int
read_random(void *buf, u_int nbytes)
{
	u_int i;

	spin_lock_wr(&rand_spin);
	for (i = 0; i < nbytes; ++i) 
		((u_char *)buf)[i] = IBAA_Byte();
	spin_unlock_wr(&rand_spin);
	add_interrupt_randomness(0);
	return(i);
}

/*
 * Lightweight random number generator.  Must return requested number of
 * bytes.
 */
u_int
read_random_unlimited(void *buf, u_int nbytes)
{
	u_int i;

	spin_lock_wr(&rand_spin);
	for (i = 0; i < nbytes; ++i)
		((u_char *)buf)[i] = L15_Byte();
	spin_unlock_wr(&rand_spin);
	add_interrupt_randomness(0);
	return (i);
}

/*
 * Random number generator helper thread.  This limits code overhead from
 * high frequency events by delaying the clearing of rand_thread_signal.
 */
static
void
rand_thread_loop(void *dummy)
{
	int count;

	for (;;) {
		NANOUP_EVENT ();
		spin_lock_wr(&rand_spin);
		count = (int)(L15_Byte() * hz / (256 * 10) + hz / 10);
		spin_unlock_wr(&rand_spin);
		tsleep(rand_td, 0, "rwait", count);
		crit_enter();
		lwkt_deschedule_self(rand_td);
		cpu_sfence();
		rand_thread_signal = 0;
		crit_exit();
		lwkt_switch();
	}
}

static
void
rand_thread_init(void)
{
	lwkt_create(rand_thread_loop, NULL, &rand_td, NULL, 0, 0, "random");
}

SYSINIT(rand, SI_SUB_HELPER_THREADS, SI_ORDER_ANY, rand_thread_init, 0);

/*
 * Time-buffered event time-stamping. This is necessary to cutoff higher
 * event frequencies, e.g. an interrupt occuring at 25Hz. In such cases
 * the CPU is being chewed and the timestamps are skewed (minimal variation).
 * Use a nano-second time-delay to limit how many times an Event can occur
 * in one second; <= 5Hz. Note that this doesn't prevent time-stamp skewing.
 * This implementation randmoises the time-delay between events, which adds
 * a layer of security/unpredictability with regard to read-events (a user
 * controlled input).
 *
 * Note: now.tv_nsec should range [ 0 - 1000,000,000 ].
 * Note: "ACCUM" is a security measure (result = capped-unknown + unknown),
 *       and also produces an uncapped (>=32-bit) value.
 */
static void
NANOUP_EVENT(void)
{
	static struct timespec	ACCUM = { 0, 0 };
	static struct timespec	NEXT  = { 0, 0 };
	struct timespec		now;

	nanouptime(&now);
	spin_lock_wr(&rand_spin);
	if ((now.tv_nsec > NEXT.tv_nsec) || (now.tv_sec != NEXT.tv_sec)) {
		/* 
		 * Randomised time-delay: 200e6 - 350e6 ns; 5 - 2.86 Hz. 
		 */
		unsigned long one_mil;
		unsigned long timeDelay;

		one_mil = 1000000UL;	/* 0.001 s */
		timeDelay = (one_mil * 200) + 
			    (((unsigned long)ACCUM.tv_nsec % 151) * one_mil);
		NEXT.tv_nsec = now.tv_nsec + timeDelay;
		NEXT.tv_sec = now.tv_sec;
		ACCUM.tv_nsec += now.tv_nsec;

		/*
		 * The TSC, if present, generally has an even higher
		 * resolution.  Integrate a portion of it into our seed.
		 */
		if (tsc_present)
			ACCUM.tv_nsec ^= rdtsc() & 255;

		IBAA_Seed(ACCUM.tv_nsec);
		L15_Vector((const LByteType *)&ACCUM.tv_nsec,
			   sizeof(ACCUM.tv_nsec));
		++nrandevents;
	}
	spin_unlock_wr(&rand_spin);
}
Commit	Line	Data
c0b252c3 MD	1	/*
	2	* Copyright (c) 2004, 2005, 2006 Robin J Carey. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions, and the following disclaimer,
	9	* without modification, immediately at the beginning of the file.
	10	* 2. The name of the author may not be used to endorse or promote products
	11	* derived from this software without specific prior written permission.
	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
	14	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	15	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	16	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
	17	* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	18	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	19	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	20	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	21	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	22	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	23	* SUCH DAMAGE.
	24	*
1ee4c2e3	25	* $DragonFly: src/sys/kern/kern_nrandom.c,v 1.7 2008/08/01 04:42:30 dillon Exp $
c0b252c3 MD	26	*/
	27	/* --- NOTES ---
	28	*
	29	* Note: The word "entropy" is often incorrectly used to describe
	30	* random data. The word "entropy" originates from the science of
	31	* Physics. The correct descriptive definition would be something
	32	* along the lines of "seed", "unpredictable numbers" or
	33	* "unpredictable data".
	34	*
	35	* Note: Some /dev/[u]random implementations save "seed" between
	36	* boots which represents a security hazard since an adversary
	37	* could acquire this data (since it is stored in a file). If
	38	* the unpredictable data used in the above routines is only
	39	* generated during Kernel operation, then an adversary can only
	40	* acquire that data through a Kernel security compromise and/or
	41	* a cryptographic algorithm failure/cryptanalysis.
	42	*
	43	* Note: On FreeBSD-4.11, interrupts have to be manually enabled
	44	* using the rndcontrol(8) command.
	45	*
	46	* --- DESIGN (FreeBSD-4.11 based) ---
	47	*
	48	* The rnddev module automatically initializes itself the first time
	49	* it is used (client calls any public rnddev_*() interface routine).
	50	* Both CSPRNGs are initially seeded from the precise nano[up]time() routines.
	51	* Tests show this method produces good enough results, suitable for intended
	52	* use. It is necessary for both CSPRNGs to be completely seeded, initially.
	53	*
	54	* After initialization and during Kernel operation the only suitable
	55	* unpredictable data available is:
	56	*
	57	* (1) Keyboard scan-codes.
	58	* (2) Nanouptime acquired by a Keyboard/Read-Event.
	59	* (3) Suitable interrupt source; hard-disk/ATA-device.
	60	*
	61	* (X) Mouse-event (xyz-data unsuitable); NOT IMPLEMENTED.
	62	*
	63	* This data is added to both CSPRNGs in real-time as it happens/
	64	* becomes-available. Additionally, unpredictable (?) data may be
	65	* acquired from a true-random number generator if such a device is
	66	* available to the system (not advisable !).
	67	* Nanouptime() acquired by a Read-Event is a very important aspect of
	68	* this design, since it ensures that unpredictable data is added to
	69	* the CSPRNGs even if there are no other sources.
	70	* The nanouptime() Kernel routine is used since time relative to
	71	* boot is less adversary-known than time itself.
	72	*
	73	* This design has been thoroughly tested with debug logging
	74	* and the output from both /dev/random and /dev/urandom has
	75	* been tested with the DIEHARD test-suite; both pass.
	76	*
	77	* MODIFICATIONS MADE TO ORIGINAL "kern_random.c":
	78	*
	79	* 6th July 2005:
	80	*
	81	* o Changed ReadSeed() function to schedule future read-seed-events
	82	* by at least one second. Previous implementation used a randomised
	83	* scheduling { 0, 1, 2, 3 seconds }.
	84	* o Changed SEED_NANOUP() function to use a "previous" accumulator
	85	* algorithm similar to ReadSeed(). This ensures that there is no
	86	* way that an adversary can tell what number is being added to the
	87	* CSPRNGs, since the number added to the CSPRNGs at Event-Time is
	88	* the sum of nanouptime()@Event and an unknown/secret number.
	89	* o Changed rnddev_add_interrupt() function to schedule future
90	* interrupt-events by at least one second. Previous implementation
91	* had no scheduling algorithm which allowed an "interrupt storm"
92	* to occur resulting in skewed data entering into the CSPRNGs.
93	*
94	*
95	* 9th July 2005:
96	*
97	* o Some small cleanups and change all internal functions to be
98	* static/private.
99	* o Removed ReadSeed() since its functionality is already performed
100	* by another function { rnddev_add_interrupt_OR_read() } and remove
101	* the silly rndByte accumulator/feedback-thing (since multipying by
102	* rndByte could yield a value of 0).
103	* o Made IBAA/L14 public interface become static/private;
104	* Local to this file (not changed to that in the original C modules).
105	*
106	* 16th July 2005:
107	*
108	* o SEED_NANOUP() -> NANOUP_EVENT() function rename.
109	* o Make NANOUP_EVENT() handle the time-buffering directly so that all
110	* time-stamp-events use this single time-buffer (including keyboard).
111	* This removes dependancy on "time_second" Kernel variable.
112	* o Removed second-time-buffer code in rnddev_add_interrupt_OR_read (void).
113	* o Rewrote the time-buffering algorithm in NANOUP_EVENT() to use a
114	* randomised time-delay range.
115	*
116	* 12th Dec 2005:
117	*
118	* o Updated to (hopefully final) L15 algorithm.
119	*
120	* 12th June 2006:
121	*
122	* o Added missing (u_char *) cast in RnddevRead() function.
123	* o Changed copyright to 3-clause BSD license and cleaned up the layout
124	* of this file.
125	*/
126
127	#include <sys/types.h>
128	#include <sys/kernel.h>
129	#include <sys/systm.h>
130	#include <sys/poll.h>
131	#include <sys/random.h>
132	#include <sys/systimer.h>
133	#include <sys/time.h>
134	#include <sys/proc.h>
135	#include <sys/lock.h>
136	#include <sys/sysctl.h>
137	#include <sys/spinlock.h>
138	#include <machine/clock.h>
139
140	#include <sys/thread2.h>
141	#include <sys/spinlock2.h>
142
143	/*
144	* Portability note: The u_char/unsigned char type is used where
145	* uint8_t from <stdint.h> or u_int8_t from <sys/types.h> should really
146	* be being used. On FreeBSD, it is safe to make the assumption that these
147	* different types are equivalent (on all architectures).
148	* The FreeBSD <sys/crypto/rc4> module also makes this assumption.
149	*/
150
151	/------------------------------ IBAA ----------------------------------/
152
153	/-------------------------- IBAA CSPRNG -------------------------------/
154
155	/*
156	* NOTE: The original source code from which this source code (IBAA)
157	* was taken has no copyright/license. The algorithm has no patent
158	* and is freely/publicly available from:
159	*
160	* http://www.burtleburtle.net/bob/rand/isaac.html
161	*/
162
163	/*
164	* ^ means XOR, & means bitwise AND, a<<b means shift a by b.
165	* barrel(a) shifts a 19 bits to the left, and bits wrap around
166	* ind(x) is (x AND 255), or (x mod 256)
167	*/
168	typedef u_int32_t u4; /* unsigned four bytes, 32 bits */
169
170	#define ALPHA (8)
171	#define SIZE (1 << ALPHA)
c26b3d4d	172	#define MASK (SIZE - 1)
c0b252c3	173	#define ind(x) ((x) & (SIZE - 1))
31f10bcb	174	#define barrel(a) (((a) << 20) ^ ((a) >> 12)) /* beta=32,shift=20 */
c0b252c3 MD	175
	176	static void IBAA
	177	(
	178	u4 m, / Memory: array of SIZE ALPHA-bit terms */
	179	u4 r, / Results: the sequence, same size as m */
	180	u4 aa, / Accumulator: a single value */
31f10bcb MD	181	u4 bb, / the previous result */
31f10bcb MD	182	u4 counter / counter */
c0b252c3 MD	183	)
	184	{
	185	u4 a, b, x, y, i;
	186
31f10bcb MD	187	a = *aa;
	188	b = bb + counter;
	189	++*counter;
c0b252c3 MD	190	for (i = 0; i < SIZE; ++i) {
	191	x = m[i];
	192	a = barrel(a) + m[ind(i + (SIZE / 2))]; /* set a */
	193	m[i] = y = m[ind(x)] + a + b; /* set m */
	194	r[i] = b = m[ind(y >> ALPHA)] + x; /* set r */
	195	}
	196	bb = b; aa = a;
	197	}
	198
	199	/-------------------------- IBAA CSPRNG -------------------------------/
	200
	201
	202	static u4 IBAA_memory[SIZE];
	203	static u4 IBAA_results[SIZE];
	204	static u4 IBAA_aa;
	205	static u4 IBAA_bb;
31f10bcb	206	static u4 IBAA_counter;
c0b252c3 MD	207
	208	static volatile int IBAA_byte_index;
	209
	210
	211	static void IBAA_Init(void);
	212	static void IBAA_Call(void);
	213	static void IBAA_Seed(const u_int32_t val);
	214	static u_char IBAA_Byte(void);
	215
	216	/*
	217	* Initialize IBAA.
	218	*/
	219	static void
	220	IBAA_Init(void)
	221	{
	222	size_t i;
	223
	224	for (i = 0; i < SIZE; ++i) {
	225	IBAA_memory[i] = i;
	226	}
	227	IBAA_aa = IBAA_bb = 0;
31f10bcb	228	IBAA_counter = 0;
c0b252c3 MD	229	IBAA_byte_index = sizeof(IBAA_results); /* force IBAA_Call() */
	230	}
	231
	232	/*
	233	* PRIVATE: Call IBAA to produce 256 32-bit u4 results.
	234	*/
	235	static void
	236	IBAA_Call (void)
	237	{
31f10bcb	238	IBAA(IBAA_memory, IBAA_results, &IBAA_aa, &IBAA_bb, &IBAA_counter);
c0b252c3 MD	239	IBAA_byte_index = 0;
	240	}
	241
	242	/*
c26b3d4d MD	243	* Add a 32-bit u4 seed value into IBAAs memory. Mix the low 4 bits
	244	* with 4 bits of PNG data to reduce the possibility of a seeding-based
	245	* attack.
c0b252c3 MD	246	*/
	247	static void
	248	IBAA_Seed (const u_int32_t val)
	249	{
c26b3d4d MD	250	static int memIndex;
c26b3d4d MD	251	u4 *iptr;
c0b252c3	252
c26b3d4d MD	253	iptr = &IBAA_memory[memIndex & MASK];
c26b3d4d MD	254	iptr = ((iptr << 3) \| (*iptr >> 29)) + (val ^ (IBAA_Byte() & 15));
c0b252c3 MD	255	++memIndex;
	256	}
	257
	258	/*
	259	* Extract a byte from IBAAs 256 32-bit u4 results array.
	260	*
	261	* NOTE: This code is designed to prevent MP races from taking
	262	* IBAA_byte_index out of bounds.
	263	*/
	264	static u_char
	265	IBAA_Byte(void)
	266	{
	267	u_char result;
	268	int index;
	269
	270	index = IBAA_byte_index;
	271	if (index == sizeof(IBAA_results)) {
	272	IBAA_Call();
	273	index = 0;
	274	}
	275	result = ((u_char *)IBAA_results)[index];
	276	IBAA_byte_index = index + 1;
	277	return result;
	278	}
	279
	280	/------------------------------ IBAA ----------------------------------/
	281
	282
	283	/------------------------------- L15 ----------------------------------/
	284
	285	/*
	286	* IMPORTANT NOTE: LByteType must be exactly 8-bits in size or this software
	287	* will not function correctly.
	288	*/
	289	typedef unsigned char LByteType;
	290
	291	#define L15_STATE_SIZE 256
	292
	293	static LByteType L15_x, L15_y;
	294	static LByteType L15_start_x;
	295	static LByteType L15_state[L15_STATE_SIZE];
	296
	297	/*
	298	* PRIVATE FUNCS:
	299	*/
	300
	301	static void L15_Swap(const LByteType pos1, const LByteType pos2);
	302	static void L15_InitState(void);
	303	static void L15_KSA(const LByteType * const key,
	304	const size_t keyLen);
	305	static void L15_Discard(const LByteType numCalls);
	306
	307	/*
	308	* PUBLIC INTERFACE:
	309	*/
	310	static void L15(const LByteType * const key, const size_t keyLen);
	311	static LByteType L15_Byte(void);
	312	static void L15_Vector(const LByteType * const key,
	313	const size_t keyLen);
	314
	315	static __inline void
	316	L15_Swap(const LByteType pos1, const LByteType pos2)
	317	{
	318	const LByteType save1 = L15_state[pos1];
319
320	L15_state[pos1] = L15_state[pos2];
321	L15_state[pos2] = save1;
322	}
323
324	static void
325	L15_InitState (void)
326	{
327	size_t i;
328	for (i = 0; i < L15_STATE_SIZE; ++i)
329	L15_state[i] = i;
330	}
331
332	#define L_SCHEDULE(xx) \
333	\
334	for (i = 0; i < L15_STATE_SIZE; ++i) { \
335	L15_Swap(i, (stateIndex += (L15_state[i] + (xx)))); \
336	}
337
338	static void
339	L15_KSA (const LByteType * const key, const size_t keyLen)
340	{
341	size_t i, keyIndex;
342	LByteType stateIndex = 0;
343
344	L_SCHEDULE(keyLen);
345	for (keyIndex = 0; keyIndex < keyLen; ++keyIndex) {
346	L_SCHEDULE(key[keyIndex]);
347	}
348	}
349
350	static void
351	L15_Discard(const LByteType numCalls)
352	{
353	LByteType i;
354	for (i = 0; i < numCalls; ++i) {
355	(void)L15_Byte();
356	}
357	}
358
359
360	/*
361	* PUBLIC INTERFACE:
362	*/
363	static void
364	L15(const LByteType * const key, const size_t keyLen)
365	{
01b40dc2 MD	366	L15_x = L15_start_x = 0;
01b40dc2 MD	367	L15_y = L15_STATE_SIZE - 1;
c0b252c3 MD	368	L15_InitState();
	369	L15_KSA(key, keyLen);
	370	L15_Discard(L15_Byte());
	371	}
	372
	373	static LByteType
	374	L15_Byte(void)
	375	{
	376	LByteType z;
	377
	378	L15_Swap(L15_state[L15_x], L15_y);
	379	z = (L15_state [L15_x++] + L15_state[L15_y--]);
	380	if (L15_x == L15_start_x) {
	381	--L15_y;
	382	}
	383	return (L15_state[z]);
	384	}
	385
	386	static void
	387	L15_Vector (const LByteType * const key, const size_t keyLen)
	388	{
	389	L15_KSA(key, keyLen);
	390	}
	391
	392	/------------------------------- L15 ----------------------------------/
	393
	394	/************************************************************************
	395	* KERNEL INTERFACE *
	396	************************************************************************
	397	*
	398	* By Robin J Carey and Matthew Dillon.
	399	*/
	400
	401	static int rand_thread_signal = 1;
	402	static void NANOUP_EVENT(void);
	403	static thread_t rand_td;
	404	static struct spinlock rand_spin;
	405
	406	static int nrandevents;
	407	SYSCTL_INT(_kern, OID_AUTO, nrandevents, CTLFLAG_RD, &nrandevents, 0, "");
c26b3d4d MD	408	static int seedenable;
c26b3d4d MD	409	SYSCTL_INT(_kern, OID_AUTO, seedenable, CTLFLAG_RW, &seedenable, 0, "");
c0b252c3 MD	410
	411	/*
	412	* Called from early boot
	413	*/
	414	void
	415	rand_initialize(void)
	416	{
	417	struct timespec now;
	418	int i;
	419
	420	spin_init(&rand_spin);
	421
	422	/* Initialize IBAA. */
	423	IBAA_Init();
	424
	425	/* Initialize L15. */
	426	nanouptime(&now);
	427	L15((const LByteType *)&now.tv_nsec, sizeof(now.tv_nsec));
	428	for (i = 0; i < (SIZE / 2); ++i) {
	429	nanotime(&now);
	430	IBAA_Seed(now.tv_nsec);
	431	L15_Vector((const LByteType *)&now.tv_nsec,
	432	sizeof(now.tv_nsec));
	433	nanouptime(&now);
	434	IBAA_Seed(now.tv_nsec);
	435	L15_Vector((const LByteType *)&now.tv_nsec,
	436	sizeof(now.tv_nsec));
	437	}
01b40dc2 MD	438
	439	/*
	440	* Warm up the generator to get rid of weak initial states.
	441	*/
	442	for (i = 0; i < 10; ++i)
	443	IBAA_Call();
c0b252c3 MD	444	}
	445
	446	/*
	447	* Keyboard events
	448	*/
	449	void
	450	add_keyboard_randomness(u_char scancode)
	451	{
	452	spin_lock_wr(&rand_spin);
	453	L15_Vector((const LByteType *) &scancode, sizeof (scancode));
	454	spin_unlock_wr(&rand_spin);
	455	add_interrupt_randomness(0);
	456	}
	457
	458	/*
53d9cb72	459	* Interrupt events. This is SMP safe and allowed to race.
c0b252c3 MD	460	*/
	461	void
	462	add_interrupt_randomness(int intr)
	463	{
	464	if (rand_thread_signal == 0) {
	465	rand_thread_signal = 1;
	466	lwkt_schedule(rand_td);
	467	}
	468	}
	469
	470	/*
	471	* True random number source
	472	*/
	473	void
	474	add_true_randomness(int val)
	475	{
	476	spin_lock_wr(&rand_spin);
	477	IBAA_Seed(val);
	478	L15_Vector((const LByteType *) &val, sizeof (val));
	479	++nrandevents;
	480	spin_unlock_wr(&rand_spin);
	481	}
	482
c26b3d4d MD	483	int
	484	add_buffer_randomness(const char *buf, int bytes)
	485	{
	486	int error;
01b40dc2	487	int i;
c26b3d4d MD	488
	489	if (seedenable && securelevel <= 0) {
	490	while (bytes >= sizeof(int)) {
	491	add_true_randomness((const int )buf);
	492	buf += sizeof(int);
	493	bytes -= sizeof(int);
	494	}
	495	error = 0;
01b40dc2 MD	496
	497	/*
	498	* Warm up the generator to get rid of weak initial states.
	499	*/
	500	for (i = 0; i < 10; ++i)
	501	IBAA_Call();
c26b3d4d MD	502	} else {
	503	error = EPERM;
	504	}
	505	return (error);
	506	}
	507
c0b252c3 MD	508	/*
	509	* Poll (always succeeds)
	510	*/
	511	int
b13267a5	512	random_poll(cdev_t dev, int events)
c0b252c3 MD	513	{
	514	int revents = 0;
	515
	516	if (events & (POLLIN \| POLLRDNORM))
	517	revents \|= events & (POLLIN \| POLLRDNORM);
	518	if (events & (POLLOUT \| POLLWRNORM))
	519	revents \|= events & (POLLOUT \| POLLWRNORM);
	520
	521	return (revents);
	522	}
	523
	524	/*
	525	* Heavy weight random number generator. May return less then the
	526	* requested number of bytes.
	527	*/
	528	u_int
	529	read_random(void *buf, u_int nbytes)
	530	{
	531	u_int i;
	532
	533	spin_lock_wr(&rand_spin);
	534	for (i = 0; i < nbytes; ++i)
	535	((u_char *)buf)[i] = IBAA_Byte();
	536	spin_unlock_wr(&rand_spin);
	537	add_interrupt_randomness(0);
	538	return(i);
	539	}
	540
	541	/*
	542	* Lightweight random number generator. Must return requested number of
	543	* bytes.
	544	*/
	545	u_int
	546	read_random_unlimited(void *buf, u_int nbytes)
	547	{
	548	u_int i;
	549
	550	spin_lock_wr(&rand_spin);
	551	for (i = 0; i < nbytes; ++i)
	552	((u_char *)buf)[i] = L15_Byte();
	553	spin_unlock_wr(&rand_spin);
	554	add_interrupt_randomness(0);
	555	return (i);
	556	}
	557
	558	/*
	559	* Random number generator helper thread. This limits code overhead from
	560	* high frequency events by delaying the clearing of rand_thread_signal.
	561	*/
	562	static
	563	void
	564	rand_thread_loop(void *dummy)
	565	{
	566	int count;
	567
	568	for (;;) {
	569	NANOUP_EVENT ();
	570	spin_lock_wr(&rand_spin);
	571	count = (int)(L15_Byte() * hz / (256 * 10) + hz / 10);
	572	spin_unlock_wr(&rand_spin);
	573	tsleep(rand_td, 0, "rwait", count);
53d9cb72	574	crit_enter();
c0b252c3	575	lwkt_deschedule_self(rand_td);
53d9cb72 MD	576	cpu_sfence();
	577	rand_thread_signal = 0;
	578	crit_exit();
c0b252c3 MD	579	lwkt_switch();
	580	}
	581	}
	582
	583	static
	584	void
	585	rand_thread_init(void)
	586	{
	587	lwkt_create(rand_thread_loop, NULL, &rand_td, NULL, 0, 0, "random");
	588	}
	589
	590	SYSINIT(rand, SI_SUB_HELPER_THREADS, SI_ORDER_ANY, rand_thread_init, 0);
	591
	592	/*
	593	* Time-buffered event time-stamping. This is necessary to cutoff higher
	594	* event frequencies, e.g. an interrupt occuring at 25Hz. In such cases
	595	* the CPU is being chewed and the timestamps are skewed (minimal variation).
	596	* Use a nano-second time-delay to limit how many times an Event can occur
	597	* in one second; <= 5Hz. Note that this doesn't prevent time-stamp skewing.
	598	* This implementation randmoises the time-delay between events, which adds
	599	* a layer of security/unpredictability with regard to read-events (a user
	600	* controlled input).
	601	*
	602	* Note: now.tv_nsec should range [ 0 - 1000,000,000 ].
	603	* Note: "ACCUM" is a security measure (result = capped-unknown + unknown),
	604	* and also produces an uncapped (>=32-bit) value.
	605	*/
	606	static void
	607	NANOUP_EVENT(void)
	608	{
	609	static struct timespec ACCUM = { 0, 0 };
	610	static struct timespec NEXT = { 0, 0 };
	611	struct timespec now;
	612
	613	nanouptime(&now);
	614	spin_lock_wr(&rand_spin);
	615	if ((now.tv_nsec > NEXT.tv_nsec) \|\| (now.tv_sec != NEXT.tv_sec)) {
	616	/*
	617	* Randomised time-delay: 200e6 - 350e6 ns; 5 - 2.86 Hz.
	618	*/
	619	unsigned long one_mil;
	620	unsigned long timeDelay;
	621
	622	one_mil = 1000000UL; /* 0.001 s */
1ee4c2e3 MD	623	timeDelay = (one_mil * 200) +
1ee4c2e3 MD	624	(((unsigned long)ACCUM.tv_nsec % 151) * one_mil);
c0b252c3 MD	625	NEXT.tv_nsec = now.tv_nsec + timeDelay;
	626	NEXT.tv_sec = now.tv_sec;
	627	ACCUM.tv_nsec += now.tv_nsec;
	628
	629	/*
	630	* The TSC, if present, generally has an even higher
	631	* resolution. Integrate a portion of it into our seed.
	632	*/
	633	if (tsc_present)
	634	ACCUM.tv_nsec ^= rdtsc() & 255;
	635
	636	IBAA_Seed(ACCUM.tv_nsec);
	637	L15_Vector((const LByteType *)&ACCUM.tv_nsec,
	638	sizeof(ACCUM.tv_nsec));
	639	++nrandevents;
	640	}
	641	spin_unlock_wr(&rand_spin);
	642	}
	643