kernel - Update random number generator
[dragonfly.git] / sys / kern / kern_nrandom.c
CommitLineData
c0b252c3
MD
1/*
2 * Copyright (c) 2004, 2005, 2006 Robin J Carey. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions, and the following disclaimer,
9 * without modification, immediately at the beginning of the file.
10 * 2. The name of the author may not be used to endorse or promote products
11 * derived from this software without specific prior written permission.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
17 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 *
1ee4c2e3 25 * $DragonFly: src/sys/kern/kern_nrandom.c,v 1.7 2008/08/01 04:42:30 dillon Exp $
c0b252c3
MD
26 */
27/* --- NOTES ---
28 *
29 * Note: The word "entropy" is often incorrectly used to describe
30 * random data. The word "entropy" originates from the science of
31 * Physics. The correct descriptive definition would be something
32 * along the lines of "seed", "unpredictable numbers" or
33 * "unpredictable data".
34 *
35 * Note: Some /dev/[u]random implementations save "seed" between
36 * boots which represents a security hazard since an adversary
37 * could acquire this data (since it is stored in a file). If
38 * the unpredictable data used in the above routines is only
39 * generated during Kernel operation, then an adversary can only
40 * acquire that data through a Kernel security compromise and/or
41 * a cryptographic algorithm failure/cryptanalysis.
42 *
43 * Note: On FreeBSD-4.11, interrupts have to be manually enabled
44 * using the rndcontrol(8) command.
45 *
46 * --- DESIGN (FreeBSD-4.11 based) ---
47 *
48 * The rnddev module automatically initializes itself the first time
49 * it is used (client calls any public rnddev_*() interface routine).
50 * Both CSPRNGs are initially seeded from the precise nano[up]time() routines.
51 * Tests show this method produces good enough results, suitable for intended
52 * use. It is necessary for both CSPRNGs to be completely seeded, initially.
53 *
54 * After initialization and during Kernel operation the only suitable
55 * unpredictable data available is:
56 *
57 * (1) Keyboard scan-codes.
58 * (2) Nanouptime acquired by a Keyboard/Read-Event.
59 * (3) Suitable interrupt source; hard-disk/ATA-device.
60 *
61 * (X) Mouse-event (xyz-data unsuitable); NOT IMPLEMENTED.
62 *
63 * This data is added to both CSPRNGs in real-time as it happens/
64 * becomes-available. Additionally, unpredictable (?) data may be
65 * acquired from a true-random number generator if such a device is
66 * available to the system (not advisable !).
67 * Nanouptime() acquired by a Read-Event is a very important aspect of
68 * this design, since it ensures that unpredictable data is added to
69 * the CSPRNGs even if there are no other sources.
70 * The nanouptime() Kernel routine is used since time relative to
71 * boot is less adversary-known than time itself.
72 *
73 * This design has been thoroughly tested with debug logging
74 * and the output from both /dev/random and /dev/urandom has
75 * been tested with the DIEHARD test-suite; both pass.
76 *
77 * MODIFICATIONS MADE TO ORIGINAL "kern_random.c":
78 *
79 * 6th July 2005:
80 *
81 * o Changed ReadSeed() function to schedule future read-seed-events
82 * by at least one second. Previous implementation used a randomised
83 * scheduling { 0, 1, 2, 3 seconds }.
84 * o Changed SEED_NANOUP() function to use a "previous" accumulator
85 * algorithm similar to ReadSeed(). This ensures that there is no
86 * way that an adversary can tell what number is being added to the
87 * CSPRNGs, since the number added to the CSPRNGs at Event-Time is
88 * the sum of nanouptime()@Event and an unknown/secret number.
89 * o Changed rnddev_add_interrupt() function to schedule future
90 * interrupt-events by at least one second. Previous implementation
91 * had no scheduling algorithm which allowed an "interrupt storm"
92 * to occur resulting in skewed data entering into the CSPRNGs.
93 *
94 *
95 * 9th July 2005:
96 *
97 * o Some small cleanups and change all internal functions to be
98 * static/private.
99 * o Removed ReadSeed() since its functionality is already performed
100 * by another function { rnddev_add_interrupt_OR_read() } and remove
101 * the silly rndByte accumulator/feedback-thing (since multipying by
102 * rndByte could yield a value of 0).
103 * o Made IBAA/L14 public interface become static/private;
104 * Local to this file (not changed to that in the original C modules).
105 *
106 * 16th July 2005:
107 *
108 * o SEED_NANOUP() -> NANOUP_EVENT() function rename.
109 * o Make NANOUP_EVENT() handle the time-buffering directly so that all
110 * time-stamp-events use this single time-buffer (including keyboard).
111 * This removes dependancy on "time_second" Kernel variable.
112 * o Removed second-time-buffer code in rnddev_add_interrupt_OR_read (void).
113 * o Rewrote the time-buffering algorithm in NANOUP_EVENT() to use a
114 * randomised time-delay range.
115 *
116 * 12th Dec 2005:
117 *
118 * o Updated to (hopefully final) L15 algorithm.
119 *
120 * 12th June 2006:
121 *
122 * o Added missing (u_char *) cast in RnddevRead() function.
123 * o Changed copyright to 3-clause BSD license and cleaned up the layout
124 * of this file.
125 */
126
127#include <sys/types.h>
128#include <sys/kernel.h>
129#include <sys/systm.h>
130#include <sys/poll.h>
131#include <sys/random.h>
132#include <sys/systimer.h>
133#include <sys/time.h>
134#include <sys/proc.h>
135#include <sys/lock.h>
136#include <sys/sysctl.h>
137#include <sys/spinlock.h>
138#include <machine/clock.h>
139
140#include <sys/thread2.h>
141#include <sys/spinlock2.h>
142
143/*
144 * Portability note: The u_char/unsigned char type is used where
145 * uint8_t from <stdint.h> or u_int8_t from <sys/types.h> should really
146 * be being used. On FreeBSD, it is safe to make the assumption that these
147 * different types are equivalent (on all architectures).
148 * The FreeBSD <sys/crypto/rc4> module also makes this assumption.
149 */
150
151/*------------------------------ IBAA ----------------------------------*/
152
153/*-------------------------- IBAA CSPRNG -------------------------------*/
154
155/*
156 * NOTE: The original source code from which this source code (IBAA)
157 * was taken has no copyright/license. The algorithm has no patent
158 * and is freely/publicly available from:
159 *
160 * http://www.burtleburtle.net/bob/rand/isaac.html
161 */
162
163/*
164 * ^ means XOR, & means bitwise AND, a<<b means shift a by b.
165 * barrel(a) shifts a 19 bits to the left, and bits wrap around
166 * ind(x) is (x AND 255), or (x mod 256)
167 */
168typedef u_int32_t u4; /* unsigned four bytes, 32 bits */
169
170#define ALPHA (8)
171#define SIZE (1 << ALPHA)
c26b3d4d 172#define MASK (SIZE - 1)
c0b252c3 173#define ind(x) ((x) & (SIZE - 1))
31f10bcb 174#define barrel(a) (((a) << 20) ^ ((a) >> 12)) /* beta=32,shift=20 */
c0b252c3
MD
175
176static void IBAA
177(
178 u4 *m, /* Memory: array of SIZE ALPHA-bit terms */
179 u4 *r, /* Results: the sequence, same size as m */
180 u4 *aa, /* Accumulator: a single value */
31f10bcb
MD
181 u4 *bb, /* the previous result */
182 u4 *counter /* counter */
c0b252c3
MD
183)
184{
185 u4 a, b, x, y, i;
186
31f10bcb
MD
187 a = *aa;
188 b = *bb + *counter;
189 ++*counter;
c0b252c3
MD
190 for (i = 0; i < SIZE; ++i) {
191 x = m[i];
192 a = barrel(a) + m[ind(i + (SIZE / 2))]; /* set a */
193 m[i] = y = m[ind(x)] + a + b; /* set m */
194 r[i] = b = m[ind(y >> ALPHA)] + x; /* set r */
195 }
196 *bb = b; *aa = a;
197}
198
199/*-------------------------- IBAA CSPRNG -------------------------------*/
200
201
202static u4 IBAA_memory[SIZE];
203static u4 IBAA_results[SIZE];
204static u4 IBAA_aa;
205static u4 IBAA_bb;
31f10bcb 206static u4 IBAA_counter;
c0b252c3
MD
207
208static volatile int IBAA_byte_index;
209
210
211static void IBAA_Init(void);
212static void IBAA_Call(void);
213static void IBAA_Seed(const u_int32_t val);
214static u_char IBAA_Byte(void);
215
216/*
217 * Initialize IBAA.
218 */
219static void
220IBAA_Init(void)
221{
222 size_t i;
223
224 for (i = 0; i < SIZE; ++i) {
225 IBAA_memory[i] = i;
226 }
227 IBAA_aa = IBAA_bb = 0;
31f10bcb 228 IBAA_counter = 0;
c0b252c3
MD
229 IBAA_byte_index = sizeof(IBAA_results); /* force IBAA_Call() */
230}
231
232/*
233 * PRIVATE: Call IBAA to produce 256 32-bit u4 results.
234 */
235static void
236IBAA_Call (void)
237{
31f10bcb 238 IBAA(IBAA_memory, IBAA_results, &IBAA_aa, &IBAA_bb, &IBAA_counter);
c0b252c3
MD
239 IBAA_byte_index = 0;
240}
241
242/*
c26b3d4d
MD
243 * Add a 32-bit u4 seed value into IBAAs memory. Mix the low 4 bits
244 * with 4 bits of PNG data to reduce the possibility of a seeding-based
245 * attack.
c0b252c3
MD
246 */
247static void
248IBAA_Seed (const u_int32_t val)
249{
c26b3d4d
MD
250 static int memIndex;
251 u4 *iptr;
c0b252c3 252
c26b3d4d
MD
253 iptr = &IBAA_memory[memIndex & MASK];
254 *iptr = ((*iptr << 3) | (*iptr >> 29)) + (val ^ (IBAA_Byte() & 15));
c0b252c3
MD
255 ++memIndex;
256}
257
258/*
259 * Extract a byte from IBAAs 256 32-bit u4 results array.
260 *
261 * NOTE: This code is designed to prevent MP races from taking
262 * IBAA_byte_index out of bounds.
263 */
264static u_char
265IBAA_Byte(void)
266{
267 u_char result;
268 int index;
269
270 index = IBAA_byte_index;
271 if (index == sizeof(IBAA_results)) {
272 IBAA_Call();
273 index = 0;
274 }
275 result = ((u_char *)IBAA_results)[index];
276 IBAA_byte_index = index + 1;
277 return result;
278}
279
280/*------------------------------ IBAA ----------------------------------*/
281
282
283/*------------------------------- L15 ----------------------------------*/
284
285/*
286 * IMPORTANT NOTE: LByteType must be exactly 8-bits in size or this software
287 * will not function correctly.
288 */
289typedef unsigned char LByteType;
290
291#define L15_STATE_SIZE 256
292
293static LByteType L15_x, L15_y;
294static LByteType L15_start_x;
295static LByteType L15_state[L15_STATE_SIZE];
296
297/*
298 * PRIVATE FUNCS:
299 */
300
301static void L15_Swap(const LByteType pos1, const LByteType pos2);
302static void L15_InitState(void);
303static void L15_KSA(const LByteType * const key,
304 const size_t keyLen);
305static void L15_Discard(const LByteType numCalls);
306
307/*
308 * PUBLIC INTERFACE:
309 */
310static void L15(const LByteType * const key, const size_t keyLen);
311static LByteType L15_Byte(void);
312static void L15_Vector(const LByteType * const key,
313 const size_t keyLen);
314
315static __inline void
316L15_Swap(const LByteType pos1, const LByteType pos2)
317{
318 const LByteType save1 = L15_state[pos1];
319
320 L15_state[pos1] = L15_state[pos2];
321 L15_state[pos2] = save1;
322}
323
324static void
325L15_InitState (void)
326{
327 size_t i;
328 for (i = 0; i < L15_STATE_SIZE; ++i)
329 L15_state[i] = i;
330}
331
332#define L_SCHEDULE(xx) \
333 \
334for (i = 0; i < L15_STATE_SIZE; ++i) { \
335 L15_Swap(i, (stateIndex += (L15_state[i] + (xx)))); \
336}
337
338static void
339L15_KSA (const LByteType * const key, const size_t keyLen)
340{
341 size_t i, keyIndex;
342 LByteType stateIndex = 0;
343
344 L_SCHEDULE(keyLen);
345 for (keyIndex = 0; keyIndex < keyLen; ++keyIndex) {
346 L_SCHEDULE(key[keyIndex]);
347 }
348}
349
350static void
351L15_Discard(const LByteType numCalls)
352{
353 LByteType i;
354 for (i = 0; i < numCalls; ++i) {
355 (void)L15_Byte();
356 }
357}
358
359
360/*
361 * PUBLIC INTERFACE:
362 */
363static void
364L15(const LByteType * const key, const size_t keyLen)
365{
01b40dc2
MD
366 L15_x = L15_start_x = 0;
367 L15_y = L15_STATE_SIZE - 1;
c0b252c3
MD
368 L15_InitState();
369 L15_KSA(key, keyLen);
370 L15_Discard(L15_Byte());
371}
372
373static LByteType
374L15_Byte(void)
375{
376 LByteType z;
377
378 L15_Swap(L15_state[L15_x], L15_y);
379 z = (L15_state [L15_x++] + L15_state[L15_y--]);
380 if (L15_x == L15_start_x) {
381 --L15_y;
382 }
383 return (L15_state[z]);
384}
385
386static void
387L15_Vector (const LByteType * const key, const size_t keyLen)
388{
389 L15_KSA(key, keyLen);
390}
391
392/*------------------------------- L15 ----------------------------------*/
393
394/************************************************************************
395 * KERNEL INTERFACE *
396 ************************************************************************
397 *
398 * By Robin J Carey and Matthew Dillon.
399 */
400
401static int rand_thread_signal = 1;
402static void NANOUP_EVENT(void);
403static thread_t rand_td;
404static struct spinlock rand_spin;
405
406static int nrandevents;
407SYSCTL_INT(_kern, OID_AUTO, nrandevents, CTLFLAG_RD, &nrandevents, 0, "");
c26b3d4d
MD
408static int seedenable;
409SYSCTL_INT(_kern, OID_AUTO, seedenable, CTLFLAG_RW, &seedenable, 0, "");
c0b252c3
MD
410
411/*
412 * Called from early boot
413 */
414void
415rand_initialize(void)
416{
417 struct timespec now;
418 int i;
419
420 spin_init(&rand_spin);
421
422 /* Initialize IBAA. */
423 IBAA_Init();
424
425 /* Initialize L15. */
426 nanouptime(&now);
427 L15((const LByteType *)&now.tv_nsec, sizeof(now.tv_nsec));
428 for (i = 0; i < (SIZE / 2); ++i) {
429 nanotime(&now);
430 IBAA_Seed(now.tv_nsec);
431 L15_Vector((const LByteType *)&now.tv_nsec,
432 sizeof(now.tv_nsec));
433 nanouptime(&now);
434 IBAA_Seed(now.tv_nsec);
435 L15_Vector((const LByteType *)&now.tv_nsec,
436 sizeof(now.tv_nsec));
437 }
01b40dc2
MD
438
439 /*
440 * Warm up the generator to get rid of weak initial states.
441 */
442 for (i = 0; i < 10; ++i)
443 IBAA_Call();
c0b252c3
MD
444}
445
446/*
447 * Keyboard events
448 */
449void
450add_keyboard_randomness(u_char scancode)
451{
452 spin_lock_wr(&rand_spin);
453 L15_Vector((const LByteType *) &scancode, sizeof (scancode));
454 spin_unlock_wr(&rand_spin);
455 add_interrupt_randomness(0);
456}
457
458/*
53d9cb72 459 * Interrupt events. This is SMP safe and allowed to race.
c0b252c3
MD
460 */
461void
462add_interrupt_randomness(int intr)
463{
464 if (rand_thread_signal == 0) {
465 rand_thread_signal = 1;
466 lwkt_schedule(rand_td);
467 }
468}
469
470/*
471 * True random number source
472 */
473void
474add_true_randomness(int val)
475{
476 spin_lock_wr(&rand_spin);
477 IBAA_Seed(val);
478 L15_Vector((const LByteType *) &val, sizeof (val));
479 ++nrandevents;
480 spin_unlock_wr(&rand_spin);
481}
482
c26b3d4d
MD
483int
484add_buffer_randomness(const char *buf, int bytes)
485{
486 int error;
01b40dc2 487 int i;
c26b3d4d
MD
488
489 if (seedenable && securelevel <= 0) {
490 while (bytes >= sizeof(int)) {
491 add_true_randomness(*(const int *)buf);
492 buf += sizeof(int);
493 bytes -= sizeof(int);
494 }
495 error = 0;
01b40dc2
MD
496
497 /*
498 * Warm up the generator to get rid of weak initial states.
499 */
500 for (i = 0; i < 10; ++i)
501 IBAA_Call();
c26b3d4d
MD
502 } else {
503 error = EPERM;
504 }
505 return (error);
506}
507
c0b252c3
MD
508/*
509 * Poll (always succeeds)
510 */
511int
b13267a5 512random_poll(cdev_t dev, int events)
c0b252c3
MD
513{
514 int revents = 0;
515
516 if (events & (POLLIN | POLLRDNORM))
517 revents |= events & (POLLIN | POLLRDNORM);
518 if (events & (POLLOUT | POLLWRNORM))
519 revents |= events & (POLLOUT | POLLWRNORM);
520
521 return (revents);
522}
523
524/*
525 * Heavy weight random number generator. May return less then the
526 * requested number of bytes.
527 */
528u_int
529read_random(void *buf, u_int nbytes)
530{
531 u_int i;
532
533 spin_lock_wr(&rand_spin);
534 for (i = 0; i < nbytes; ++i)
535 ((u_char *)buf)[i] = IBAA_Byte();
536 spin_unlock_wr(&rand_spin);
537 add_interrupt_randomness(0);
538 return(i);
539}
540
541/*
542 * Lightweight random number generator. Must return requested number of
543 * bytes.
544 */
545u_int
546read_random_unlimited(void *buf, u_int nbytes)
547{
548 u_int i;
549
550 spin_lock_wr(&rand_spin);
551 for (i = 0; i < nbytes; ++i)
552 ((u_char *)buf)[i] = L15_Byte();
553 spin_unlock_wr(&rand_spin);
554 add_interrupt_randomness(0);
555 return (i);
556}
557
558/*
559 * Random number generator helper thread. This limits code overhead from
560 * high frequency events by delaying the clearing of rand_thread_signal.
561 */
562static
563void
564rand_thread_loop(void *dummy)
565{
566 int count;
567
568 for (;;) {
569 NANOUP_EVENT ();
570 spin_lock_wr(&rand_spin);
571 count = (int)(L15_Byte() * hz / (256 * 10) + hz / 10);
572 spin_unlock_wr(&rand_spin);
573 tsleep(rand_td, 0, "rwait", count);
53d9cb72 574 crit_enter();
c0b252c3 575 lwkt_deschedule_self(rand_td);
53d9cb72
MD
576 cpu_sfence();
577 rand_thread_signal = 0;
578 crit_exit();
c0b252c3
MD
579 lwkt_switch();
580 }
581}
582
583static
584void
585rand_thread_init(void)
586{
587 lwkt_create(rand_thread_loop, NULL, &rand_td, NULL, 0, 0, "random");
588}
589
590SYSINIT(rand, SI_SUB_HELPER_THREADS, SI_ORDER_ANY, rand_thread_init, 0);
591
592/*
593 * Time-buffered event time-stamping. This is necessary to cutoff higher
594 * event frequencies, e.g. an interrupt occuring at 25Hz. In such cases
595 * the CPU is being chewed and the timestamps are skewed (minimal variation).
596 * Use a nano-second time-delay to limit how many times an Event can occur
597 * in one second; <= 5Hz. Note that this doesn't prevent time-stamp skewing.
598 * This implementation randmoises the time-delay between events, which adds
599 * a layer of security/unpredictability with regard to read-events (a user
600 * controlled input).
601 *
602 * Note: now.tv_nsec should range [ 0 - 1000,000,000 ].
603 * Note: "ACCUM" is a security measure (result = capped-unknown + unknown),
604 * and also produces an uncapped (>=32-bit) value.
605 */
606static void
607NANOUP_EVENT(void)
608{
609 static struct timespec ACCUM = { 0, 0 };
610 static struct timespec NEXT = { 0, 0 };
611 struct timespec now;
612
613 nanouptime(&now);
614 spin_lock_wr(&rand_spin);
615 if ((now.tv_nsec > NEXT.tv_nsec) || (now.tv_sec != NEXT.tv_sec)) {
616 /*
617 * Randomised time-delay: 200e6 - 350e6 ns; 5 - 2.86 Hz.
618 */
619 unsigned long one_mil;
620 unsigned long timeDelay;
621
622 one_mil = 1000000UL; /* 0.001 s */
1ee4c2e3
MD
623 timeDelay = (one_mil * 200) +
624 (((unsigned long)ACCUM.tv_nsec % 151) * one_mil);
c0b252c3
MD
625 NEXT.tv_nsec = now.tv_nsec + timeDelay;
626 NEXT.tv_sec = now.tv_sec;
627 ACCUM.tv_nsec += now.tv_nsec;
628
629 /*
630 * The TSC, if present, generally has an even higher
631 * resolution. Integrate a portion of it into our seed.
632 */
633 if (tsc_present)
634 ACCUM.tv_nsec ^= rdtsc() & 255;
635
636 IBAA_Seed(ACCUM.tv_nsec);
637 L15_Vector((const LByteType *)&ACCUM.tv_nsec,
638 sizeof(ACCUM.tv_nsec));
639 ++nrandevents;
640 }
641 spin_unlock_wr(&rand_spin);
642}
643