| blob | 13b98e913332a4b8be46f8ca4aa5148ed307ae66 |
1 /*
2 * Copyright (c) 2004, 2005, 2006 Robin J Carey. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions, and the following disclaimer,
9 * without modification, immediately at the beginning of the file.
10 * 2. The name of the author may not be used to endorse or promote products
11 * derived from this software without specific prior written permission.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
17 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 *
25 * $DragonFly: src/sys/kern/kern_nrandom.c,v 1.7 2008/08/01 04:42:30 dillon Exp $
26 */
27 /* --- NOTES ---
28 *
29 * Note: The word "entropy" is often incorrectly used to describe
30 * random data. The word "entropy" originates from the science of
31 * Physics. The correct descriptive definition would be something
32 * along the lines of "seed", "unpredictable numbers" or
33 * "unpredictable data".
34 *
35 * Note: Some /dev/[u]random implementations save "seed" between
36 * boots which represents a security hazard since an adversary
37 * could acquire this data (since it is stored in a file). If
38 * the unpredictable data used in the above routines is only
39 * generated during Kernel operation, then an adversary can only
40 * acquire that data through a Kernel security compromise and/or
41 * a cryptographic algorithm failure/cryptanalysis.
42 *
43 * Note: On FreeBSD-4.11, interrupts have to be manually enabled
44 * using the rndcontrol(8) command.
45 *
46 * --- DESIGN (FreeBSD-4.11 based) ---
47 *
48 * The rnddev module automatically initializes itself the first time
49 * it is used (client calls any public rnddev_*() interface routine).
50 * Both CSPRNGs are initially seeded from the precise nano[up]time() routines.
51 * Tests show this method produces good enough results, suitable for intended
52 * use. It is necessary for both CSPRNGs to be completely seeded, initially.
53 *
54 * After initialization and during Kernel operation the only suitable
55 * unpredictable data available is:
56 *
57 * (1) Keyboard scan-codes.
58 * (2) Nanouptime acquired by a Keyboard/Read-Event.
59 * (3) Suitable interrupt source; hard-disk/ATA-device.
60 *
61 * (X) Mouse-event (xyz-data unsuitable); NOT IMPLEMENTED.
62 *
63 * This data is added to both CSPRNGs in real-time as it happens/
64 * becomes-available. Additionally, unpredictable (?) data may be
65 * acquired from a true-random number generator if such a device is
66 * available to the system (not advisable !).
67 * Nanouptime() acquired by a Read-Event is a very important aspect of
68 * this design, since it ensures that unpredictable data is added to
69 * the CSPRNGs even if there are no other sources.
70 * The nanouptime() Kernel routine is used since time relative to
71 * boot is less adversary-known than time itself.
72 *
73 * This design has been thoroughly tested with debug logging
74 * and the output from both /dev/random and /dev/urandom has
75 * been tested with the DIEHARD test-suite; both pass.
76 *
77 * MODIFICATIONS MADE TO ORIGINAL "kern_random.c":
78 *
79 * 6th July 2005:
80 *
81 * o Changed ReadSeed() function to schedule future read-seed-events
82 * by at least one second. Previous implementation used a randomised
83 * scheduling { 0, 1, 2, 3 seconds }.
84 * o Changed SEED_NANOUP() function to use a "previous" accumulator
85 * algorithm similar to ReadSeed(). This ensures that there is no
86 * way that an adversary can tell what number is being added to the
87 * CSPRNGs, since the number added to the CSPRNGs at Event-Time is
88 * the sum of nanouptime()@Event and an unknown/secret number.
89 * o Changed rnddev_add_interrupt() function to schedule future
90 * interrupt-events by at least one second. Previous implementation
91 * had no scheduling algorithm which allowed an "interrupt storm"
92 * to occur resulting in skewed data entering into the CSPRNGs.
93 *
94 *
95 * 9th July 2005:
96 *
97 * o Some small cleanups and change all internal functions to be
98 * static/private.
99 * o Removed ReadSeed() since its functionality is already performed
100 * by another function { rnddev_add_interrupt_OR_read() } and remove
101 * the silly rndByte accumulator/feedback-thing (since multipying by
102 * rndByte could yield a value of 0).
103 * o Made IBAA/L14 public interface become static/private;
104 * Local to this file (not changed to that in the original C modules).
105 *
106 * 16th July 2005:
107 *
108 * o SEED_NANOUP() -> NANOUP_EVENT() function rename.
109 * o Make NANOUP_EVENT() handle the time-buffering directly so that all
110 * time-stamp-events use this single time-buffer (including keyboard).
111 * This removes dependancy on "time_second" Kernel variable.
112 * o Removed second-time-buffer code in rnddev_add_interrupt_OR_read (void).
113 * o Rewrote the time-buffering algorithm in NANOUP_EVENT() to use a
114 * randomised time-delay range.
115 *
116 * 12th Dec 2005:
117 *
118 * o Updated to (hopefully final) L15 algorithm.
119 *
120 * 12th June 2006:
121 *
122 * o Added missing (u_char *) cast in RnddevRead() function.
123 * o Changed copyright to 3-clause BSD license and cleaned up the layout
124 * of this file.
125 */
127 #include <sys/types.h>
128 #include <sys/kernel.h>
129 #include <sys/systm.h>
130 #include <sys/poll.h>
131 #include <sys/event.h>
132 #include <sys/random.h>
133 #include <sys/systimer.h>
134 #include <sys/time.h>
135 #include <sys/proc.h>
136 #include <sys/lock.h>
137 #include <sys/sysctl.h>
138 #include <sys/spinlock.h>
139 #include <machine/clock.h>
141 #include <sys/thread2.h>
142 #include <sys/spinlock2.h>
143 #include <sys/mplock2.h>
145 /*
146 * Portability note: The u_char/unsigned char type is used where
147 * uint8_t from <stdint.h> or u_int8_t from <sys/types.h> should really
148 * be being used. On FreeBSD, it is safe to make the assumption that these
149 * different types are equivalent (on all architectures).
150 * The FreeBSD <sys/crypto/rc4> module also makes this assumption.
151 */
153 /*------------------------------ IBAA ----------------------------------*/
155 /*-------------------------- IBAA CSPRNG -------------------------------*/
157 /*
158 * NOTE: The original source code from which this source code (IBAA)
159 * was taken has no copyright/license. The algorithm has no patent
160 * and is freely/publicly available from:
161 *
162 * http://www.burtleburtle.net/bob/rand/isaac.html
163 */
165 /*
166 * ^ means XOR, & means bitwise AND, a<<b means shift a by b.
167 * barrel(a) shifts a 19 bits to the left, and bits wrap around
168 * ind(x) is (x AND 255), or (x mod 256)
169 */
172 #define ALPHA (8)
173 #define SIZE (1 << ALPHA)
174 #define MASK (SIZE - 1)
175 #define ind(x) ((x) & (SIZE - 1))
178 static void IBAA
179 (
185 )
186 {
197 }
199 }
201 /*-------------------------- IBAA CSPRNG -------------------------------*/
218 /*
219 * Initialize IBAA.
220 */
221 static void
223 {
228 }
232 }
234 /*
235 * PRIVATE: Call IBAA to produce 256 32-bit u4 results.
236 */
237 static void
239 {
242 }
244 /*
245 * Add a 32-bit u4 seed value into IBAAs memory. Mix the low 4 bits
246 * with 4 bits of PNG data to reduce the possibility of a seeding-based
247 * attack.
248 */
249 static void
251 {
258 }
260 /*
261 * Extract a byte from IBAAs 256 32-bit u4 results array.
262 *
263 * NOTE: This code is designed to prevent MP races from taking
264 * IBAA_byte_index out of bounds.
265 */
266 static u_char
268 {
269 u_char result;
276 }
280 }
282 /*------------------------------ IBAA ----------------------------------*/
285 /*------------------------------- L15 ----------------------------------*/
287 /*
288 * IMPORTANT NOTE: LByteType must be exactly 8-bits in size or this software
289 * will not function correctly.
290 */
293 #define L15_STATE_SIZE 256
299 /*
300 * PRIVATE FUNCS:
301 */
309 /*
310 * PUBLIC INTERFACE:
311 */
319 {
324 }
326 static void
328 {
332 }
334 #define L_SCHEDULE(xx) \
335 \
336 for (i = 0; i < L15_STATE_SIZE; ++i) { \
337 L15_Swap(i, (stateIndex += (L15_state[i] + (xx)))); \
338 }
340 static void
342 {
349 }
350 }
352 static void
354 {
355 LByteType i;
358 }
359 }
362 /*
363 * PUBLIC INTERFACE:
364 */
365 static void
367 {
373 }
375 static LByteType
377 {
378 LByteType z;
384 }
386 }
388 static void
390 {
392 }
394 /*------------------------------- L15 ----------------------------------*/
396 /************************************************************************
397 * KERNEL INTERFACE *
398 ************************************************************************
399 *
400 * By Robin J Carey and Matthew Dillon.
401 */
413 /*
414 * Called from early boot
415 */
416 void
418 {
424 /* Initialize IBAA. */
427 /* Initialize L15. */
439 }
441 /*
442 * Warm up the generator to get rid of weak initial states.
443 */
446 }
448 /*
449 * Keyboard events
450 */
451 void
453 {
458 }
460 /*
461 * Interrupt events. This is SMP safe and allowed to race.
462 */
463 void
465 {
469 }
470 }
472 /*
473 * True random number source
474 */
475 void
477 {
483 }
485 int
487 {
496 }
499 /*
500 * Warm up the generator to get rid of weak initial states.
501 */
506 }
508 }
510 /*
511 * Poll (always succeeds)
512 */
513 int
515 {
524 }
526 /*
527 * Kqueue filter (always succeeds)
528 */
529 int
531 {
533 }
535 /*
536 * Heavy weight random number generator. May return less then the
537 * requested number of bytes.
538 */
539 u_int
541 {
542 u_int i;
550 }
552 /*
553 * Lightweight random number generator. Must return requested number of
554 * bytes.
555 */
556 u_int
558 {
559 u_int i;
567 }
569 /*
570 * Random number generator helper thread. This limits code overhead from
571 * high frequency events by delaying the clearing of rand_thread_signal.
572 *
573 * MPSAFE thread
574 */
575 static
576 void
578 {
593 }
594 }
596 static
597 void
599 {
601 }
605 /*
606 * Time-buffered event time-stamping. This is necessary to cutoff higher
607 * event frequencies, e.g. an interrupt occuring at 25Hz. In such cases
608 * the CPU is being chewed and the timestamps are skewed (minimal variation).
609 * Use a nano-second time-delay to limit how many times an Event can occur
610 * in one second; <= 5Hz. Note that this doesn't prevent time-stamp skewing.
611 * This implementation randmoises the time-delay between events, which adds
612 * a layer of security/unpredictability with regard to read-events (a user
613 * controlled input).
614 *
615 * Note: now.tv_nsec should range [ 0 - 1000,000,000 ].
616 * Note: "ACCUM" is a security measure (result = capped-unknown + unknown),
617 * and also produces an uncapped (>=32-bit) value.
618 */
619 static void
621 {
629 /*
630 * Randomised time-delay: 200e6 - 350e6 ns; 5 - 2.86 Hz.
631 */
642 /*
643 * The TSC, if present, generally has an even higher
644 * resolution. Integrate a portion of it into our seed.
645 */
653 }
655 }