NetBSD/sys/kern/subr_cprng.c

360 lines
11 KiB
C

/* $NetBSD: subr_cprng.c,v 1.44 2023/08/05 11:21:24 riastradh Exp $ */
/*-
* Copyright (c) 2019 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Taylor R. Campbell.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
* cprng_strong
*
* Per-CPU NIST Hash_DRBG, reseeded automatically from the entropy
* pool when we transition to full entropy, never blocking. This
* is slightly different from the old cprng_strong API, but the
* only users of the old one fell into three categories:
*
* 1. never-blocking, oughta-be-per-CPU (kern_cprng, sysctl_prng)
* 2. never-blocking, used per-CPU anyway (/dev/urandom short reads)
* 3. /dev/random
*
* This code serves the first two categories without having extra
* logic for /dev/random.
*
* kern_cprng - available at IPL_SOFTSERIAL or lower
* user_cprng - available only at IPL_NONE in thread context
*
* The name kern_cprng is for hysterical raisins. The name
* user_cprng serves only to contrast with kern_cprng.
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.44 2023/08/05 11:21:24 riastradh Exp $");
#include <sys/param.h>
#include <sys/types.h>
#include <sys/cprng.h>
#include <sys/cpu.h>
#include <sys/entropy.h>
#include <sys/errno.h>
#include <sys/evcnt.h>
#include <sys/intr.h>
#include <sys/kmem.h>
#include <sys/percpu.h>
#include <sys/sysctl.h>
#include <sys/systm.h>
#include <crypto/nist_hash_drbg/nist_hash_drbg.h>
/*
* struct cprng_strong
*/
struct cprng_strong {
struct percpu *cs_percpu; /* struct cprng_cpu */
ipl_cookie_t cs_iplcookie;
};
/*
* struct cprng_cpu
*
* Per-CPU state for a cprng_strong. The DRBG and evcnt are
* allocated separately because percpu(9) sometimes moves per-CPU
* objects around without zeroing them.
*/
struct cprng_cpu {
struct nist_hash_drbg *cc_drbg;
struct {
struct evcnt reseed;
} *cc_evcnt;
unsigned cc_epoch;
};
static int sysctl_kern_urandom(SYSCTLFN_ARGS);
static int sysctl_kern_arandom(SYSCTLFN_ARGS);
static void cprng_init_cpu(void *, void *, struct cpu_info *);
static void cprng_fini_cpu(void *, void *, struct cpu_info *);
/* Well-known CPRNG instances */
struct cprng_strong *kern_cprng __read_mostly; /* IPL_SOFTSERIAL */
struct cprng_strong *user_cprng __read_mostly; /* IPL_NONE */
static struct sysctllog *cprng_sysctllog __read_mostly;
void
cprng_init(void)
{
if (__predict_false(nist_hash_drbg_initialize() != 0))
panic("NIST Hash_DRBG failed self-test");
/*
* Create CPRNG instances at two IPLs: IPL_SOFTSERIAL for
* kernel use that may occur inside soft interrupt handlers,
* and IPL_NONE for userland use which need not block
* interrupts.
*/
kern_cprng = cprng_strong_create("kern", IPL_SOFTSERIAL, 0);
user_cprng = cprng_strong_create("user", IPL_NONE, 0);
/* Create kern.urandom and kern.arandom sysctl nodes. */
sysctl_createv(&cprng_sysctllog, 0, NULL, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READONLY, CTLTYPE_INT, "urandom",
SYSCTL_DESCR("Independent uniform random 32-bit integer"),
sysctl_kern_urandom, 0, NULL, 0, CTL_KERN, KERN_URND, CTL_EOL);
sysctl_createv(&cprng_sysctllog, 0, NULL, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READONLY, CTLTYPE_INT /*lie*/, "arandom",
SYSCTL_DESCR("Independent uniform random bytes, up to 256 bytes"),
sysctl_kern_arandom, 0, NULL, 0, CTL_KERN, KERN_ARND, CTL_EOL);
}
/*
* sysctl kern.urandom
*
* Independent uniform random 32-bit integer. Read-only.
*/
static int
sysctl_kern_urandom(SYSCTLFN_ARGS)
{
struct sysctlnode node = *rnode;
int v;
int error;
/* Generate an int's worth of data. */
cprng_strong(user_cprng, &v, sizeof v, 0);
/* Do the sysctl dance. */
node.sysctl_data = &v;
error = sysctl_lookup(SYSCTLFN_CALL(&node));
/* Clear the buffer before returning the sysctl error. */
explicit_memset(&v, 0, sizeof v);
return error;
}
/*
* sysctl kern.arandom
*
* Independent uniform random bytes, up to 256 bytes. Read-only.
*/
static int
sysctl_kern_arandom(SYSCTLFN_ARGS)
{
struct sysctlnode node = *rnode;
uint8_t buf[256];
int error;
/*
* Clamp to a reasonably small size. 256 bytes is kind of
* arbitrary; 32 would be more reasonable, but we used 256 in
* the past, so let's not break compatibility.
*/
if (*oldlenp > 256) /* size_t, so never negative */
*oldlenp = 256;
/* Generate data. */
cprng_strong(user_cprng, buf, *oldlenp, 0);
/* Do the sysctl dance. */
node.sysctl_data = buf;
node.sysctl_size = *oldlenp;
error = sysctl_lookup(SYSCTLFN_CALL(&node));
/* Clear the buffer before returning the sysctl error. */
explicit_memset(buf, 0, sizeof buf);
return error;
}
struct cprng_strong *
cprng_strong_create(const char *name, int ipl, int flags)
{
struct cprng_strong *cprng;
cprng = kmem_alloc(sizeof(*cprng), KM_SLEEP);
cprng->cs_iplcookie = makeiplcookie(ipl);
cprng->cs_percpu = percpu_create(sizeof(struct cprng_cpu),
cprng_init_cpu, cprng_fini_cpu, __UNCONST(name));
return cprng;
}
void
cprng_strong_destroy(struct cprng_strong *cprng)
{
percpu_free(cprng->cs_percpu, sizeof(struct cprng_cpu));
kmem_free(cprng, sizeof(*cprng));
}
static void
cprng_init_cpu(void *ptr, void *cookie, struct cpu_info *ci)
{
struct cprng_cpu *cc = ptr;
const char *name = cookie;
const char *cpuname;
uint8_t zero[NIST_HASH_DRBG_SEEDLEN_BYTES] = {0};
char namebuf[64]; /* XXX size? */
/*
* Format the name as, e.g., kern/8 if we're on cpu8. This
* doesn't get displayed anywhere; it just ensures that if
* there were a bug causing us to use the same otherwise secure
* seed on multiple CPUs, we would still get independent output
* from the NIST Hash_DRBG.
*/
snprintf(namebuf, sizeof namebuf, "%s/%u", name, cpu_index(ci));
/*
* Allocate the struct nist_hash_drbg and struct evcnt
* separately, since percpu(9) may move objects around in
* memory without zeroing.
*/
cc->cc_drbg = kmem_zalloc(sizeof(*cc->cc_drbg), KM_SLEEP);
cc->cc_evcnt = kmem_alloc(sizeof(*cc->cc_evcnt), KM_SLEEP);
/*
* Initialize the DRBG with no seed. We do this in order to
* defer reading from the entropy pool as long as possible.
*/
if (__predict_false(nist_hash_drbg_instantiate(cc->cc_drbg,
zero, sizeof zero, NULL, 0, namebuf, strlen(namebuf))))
panic("nist_hash_drbg_instantiate");
/* Attach the event counters. */
/* XXX ci_cpuname may not be initialized early enough. */
cpuname = ci->ci_cpuname[0] == '\0' ? "cpu0" : ci->ci_cpuname;
evcnt_attach_dynamic(&cc->cc_evcnt->reseed, EVCNT_TYPE_MISC, NULL,
cpuname, "cprng_strong reseed");
/* Set the epoch uninitialized so we reseed on first use. */
cc->cc_epoch = 0;
}
static void
cprng_fini_cpu(void *ptr, void *cookie, struct cpu_info *ci)
{
struct cprng_cpu *cc = ptr;
evcnt_detach(&cc->cc_evcnt->reseed);
if (__predict_false(nist_hash_drbg_destroy(cc->cc_drbg)))
panic("nist_hash_drbg_destroy");
kmem_free(cc->cc_evcnt, sizeof(*cc->cc_evcnt));
kmem_free(cc->cc_drbg, sizeof(*cc->cc_drbg));
}
static void
cprng_strong_reseed(struct cprng_strong *cprng, unsigned epoch,
struct cprng_cpu **ccp, int *sp)
{
uint8_t seed[NIST_HASH_DRBG_SEEDLEN_BYTES];
/*
* Drop everything to extract a fresh seed from the entropy
* pool. entropy_extract may sleep on an adaptive lock, which
* invalidates our percpu(9) reference.
*
* This may race with reseeding in another thread, which is no
* big deal -- worst case, we rewind the entropy epoch here and
* cause the next caller to reseed again, and in the end we
* just reseed a couple more times than necessary.
*/
splx(*sp);
percpu_putref(cprng->cs_percpu);
entropy_extract(seed, sizeof seed, 0);
*ccp = percpu_getref(cprng->cs_percpu);
*sp = splraiseipl(cprng->cs_iplcookie);
(*ccp)->cc_evcnt->reseed.ev_count++;
if (__predict_false(nist_hash_drbg_reseed((*ccp)->cc_drbg,
seed, sizeof seed, NULL, 0)))
panic("nist_hash_drbg_reseed");
explicit_memset(seed, 0, sizeof seed);
(*ccp)->cc_epoch = epoch;
}
size_t
cprng_strong(struct cprng_strong *cprng, void *buf, size_t len, int flags)
{
struct cprng_cpu *cc;
unsigned epoch;
int s;
/* Not allowed in hard interrupt context. */
KASSERT(!cpu_intr_p());
/*
* Verify maximum request length. Caller should really limit
* their requests to 32 bytes to avoid spending much time with
* preemption disabled -- use the 32 bytes to seed a private
* DRBG instance if you need more data.
*/
KASSERT(len <= CPRNG_MAX_LEN);
/* Verify legacy API use. */
KASSERT(flags == 0);
/* Acquire per-CPU state and block interrupts. */
cc = percpu_getref(cprng->cs_percpu);
s = splraiseipl(cprng->cs_iplcookie);
/* If the entropy epoch has changed, (re)seed. */
epoch = entropy_epoch();
if (__predict_false(epoch != cc->cc_epoch))
cprng_strong_reseed(cprng, epoch, &cc, &s);
/* Generate data. Failure here means it's time to reseed. */
if (__predict_false(nist_hash_drbg_generate(cc->cc_drbg, buf, len,
NULL, 0))) {
cprng_strong_reseed(cprng, epoch, &cc, &s);
if (__predict_false(nist_hash_drbg_generate(cc->cc_drbg,
buf, len, NULL, 0)))
panic("nist_hash_drbg_generate");
}
/* Release state and interrupts. */
splx(s);
percpu_putref(cprng->cs_percpu);
/* Return the number of bytes generated, for hysterical raisins. */
return len;
}
uint32_t
cprng_strong32(void)
{
uint32_t r;
cprng_strong(kern_cprng, &r, sizeof(r), 0);
return r;
}
uint64_t
cprng_strong64(void)
{
uint64_t r;
cprng_strong(kern_cprng, &r, sizeof(r), 0);
return r;
}