Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
3afd44cf08
NetBSD/sys/kern/subr_cprng.c
tls 3afd44cf08 First step of random number subsystem rework described in 
<20111022023242.BA26F14A158@mail.netbsd.org>.  This change includes
the following:

	An initial cleanup and minor reorganization of the entropy pool
	code in sys/dev/rnd.c and sys/dev/rndpool.c.  Several bugs are
	fixed.  Some effort is made to accumulate entropy more quickly at
	boot time.

	A generic interface, "rndsink", is added, for stream generators to
	request that they be re-keyed with good quality entropy from the pool
	as soon as it is available.

	The arc4random()/arc4randbytes() implementation in libkern is
	adjusted to use the rndsink interface for rekeying, which helps
	address the problem of low-quality keys at boot time.

	An implementation of the FIPS 140-2 statistical tests for random
	number generator quality is provided (libkern/rngtest.c).  This
	is based on Greg Rose's implementation from Qualcomm.

	A new random stream generator, nist_ctr_drbg, is provided.  It is
	based on an implementation of the NIST SP800-90 CTR_DRBG by
	Henric Jungheim.  This generator users AES in a modified counter
	mode to generate a backtracking-resistant random stream.

	An abstraction layer, "cprng", is provided for in-kernel consumers
	of randomness.  The arc4random/arc4randbytes API is deprecated for
	in-kernel use.  It is replaced by "cprng_strong".  The current
	cprng_fast implementation wraps the existing arc4random
	implementation.  The current cprng_strong implementation wraps the
	new CTR_DRBG implementation.  Both interfaces are rekeyed from
	the entropy pool automatically at intervals justifiable from best
	current cryptographic practice.

	In some quick tests, cprng_fast() is about the same speed as
	the old arc4randbytes(), and cprng_strong() is about 20% faster
	than rnd_extract_data().  Performance is expected to improve.

	The AES code in src/crypto/rijndael is no longer an optional
	kernel component, as it is required by cprng_strong, which is
	not an optional kernel component.

	The entropy pool output is subjected to the rngtest tests at
	startup time; if it fails, the system will reboot.  There is
	approximately a 3/10000 chance of a false positive from these
	tests.  Entropy pool _input_ from hardware random numbers is
	subjected to the rngtest tests at attach time, as well as the
	FIPS continuous-output test, to detect bad or stuck hardware
	RNGs; if any are detected, they are detached, but the system
	continues to run.

	A problem with rndctl(8) is fixed -- datastructures with
	pointers in arrays are no longer passed to userspace (this
	was not a security problem, but rather a major issue for
	compat32).  A new kernel will require a new rndctl.

	The sysctl kern.arandom() and kern.urandom() nodes are hooked
	up to the new generators, but the /dev/*random pseudodevices
	are not, yet.

	Manual pages for the new kernel interfaces are forthcoming.
2011-11-19 22:51:18 +00:00

306 lines
7.5 KiB
C
Raw Blame History

/* $NetBSD: subr_cprng.c,v 1.1 2011/11/19 22:51:25 tls Exp $ */
/*-
* Copyright (c) 2011 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Thor Lancelot Simon.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/kmem.h>
#include <sys/mutex.h>
#include <sys/rngtest.h>
#include <sys/rnd.h>
#include <machine/cpu_counter.h>
#include <sys/cprng.h>
__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.1 2011/11/19 22:51:25 tls Exp $");
void
cprng_init(void)
{
nist_ctr_initialize();
}
static inline uint32_t
cprng_counter(void)
{
struct timeval tv;
#if defined(__HAVE_CPU_COUNTER)
if (cpu_hascounter())
return cpu_counter32();
#endif
if (__predict_false(cold)) {
/* microtime unsafe if clock not running yet */
return 0;
}
microtime(&tv);
return (tv.tv_sec * 1000000 + tv.tv_usec);
}
static void
cprng_strong_reseed(void *const arg)
{
cprng_strong_t *c = arg;
uint8_t key[NIST_BLOCK_KEYLEN_BYTES];
uint32_t cc = cprng_counter();
mutex_enter(&c->mtx);
if (c->reseed.len != sizeof(key)) {
panic("cprng_strong_reseed: bad entropy length %d "
" (expected %d)", (int)c->reseed.len, (int)sizeof(key));
}
if (nist_ctr_drbg_reseed(&c->drbg, c->reseed.data, c->reseed.len,
&cc, sizeof(cc))) {
panic("cprng %s: nist_ctr_drbg_reseed failed.", c->name);
}
c->reseed_pending = 0;
if (c->flags & CPRNG_USE_CV) {
cv_broadcast(&c->cv);
}
mutex_exit(&c->mtx);
}
cprng_strong_t *
cprng_strong_create(const char *const name, int ipl, int flags)
{
cprng_strong_t *c;
uint8_t key[NIST_BLOCK_KEYLEN_BYTES];
int r, getmore = 0;;
uint32_t cc;
c = kmem_alloc(sizeof(*c), KM_NOSLEEP);
if (c == NULL) {
return NULL;
}
c->flags = flags;
strlcpy(c->name, name, sizeof(c->name));
c->reseed_pending = 0;
c->reseed.cb = cprng_strong_reseed;
c->reseed.arg = c;
strlcpy(c->reseed.name, name, sizeof(c->reseed.name));
mutex_init(&c->mtx, MUTEX_DEFAULT, ipl);
if (c->flags & CPRNG_USE_CV) {
cv_init(&c->cv, name);
}
r = rnd_extract_data(key, sizeof(key), RND_EXTRACT_GOOD);
if (r != sizeof(key)) {
if (c->flags & CPRNG_INIT_ANY) {
printf("cprng %s: WARNING insufficient "
"entropy at creation.\n", name);
rnd_extract_data(key + r, sizeof(key - r),
RND_EXTRACT_ANY);
} else {
return NULL;
}
getmore++;
}
if (nist_ctr_drbg_instantiate(&c->drbg, key, sizeof(key),
&cc, sizeof(cc), name, strlen(name))) {
panic("cprng %s: instantiation failed.", name);
}
if (getmore) {
int wr = 0;
/* Ask for more. */
c->reseed_pending = 1;
c->reseed.len = sizeof(key);
rndsink_attach(&c->reseed);
if (c->flags & CPRNG_USE_CV) {
mutex_enter(&c->mtx);
do {
wr = cv_wait_sig(&c->cv, &c->mtx);
if (__predict_true(wr == 0)) {
break;
}
if (wr == ERESTART) {
continue;
} else {
cv_destroy(&c->cv);
mutex_exit(&c->mtx);
mutex_destroy(&c->mtx);
kmem_free(c, sizeof(c));
return NULL;
}
} while (1);
mutex_exit(&c->mtx);
}
}
return c;
}
size_t
cprng_strong(cprng_strong_t *const c, void *const p, size_t len)
{
uint32_t cc = cprng_counter();
if (len > CPRNG_MAX_LEN) { /* XXX should we loop? */
len = CPRNG_MAX_LEN; /* let the caller loop if desired */
}
mutex_enter(&c->mtx);
again:
if (nist_ctr_drbg_generate(&c->drbg, p, len, &cc, sizeof(cc))) {
/* A generator failure really means we hit the hard limit. */
if (c->flags & CPRNG_REKEY_ANY) {
uint8_t key[NIST_BLOCK_KEYLEN_BYTES];
printf("cprng %s: WARNING pseudorandom rekeying.\n",
c->name);
rnd_extract_data(key, sizeof(key), RND_EXTRACT_ANY);
cc = cprng_counter();
if (nist_ctr_drbg_reseed(&c->drbg, key, sizeof(key),
&cc, sizeof(cc))) {
panic("cprng %s: nist_ctr_drbg_reseed "
"failed.", c->name);
}
if (c->flags & CPRNG_USE_CV) {
cv_broadcast(&c->cv); /* XXX unnecessary? */
}
} else {
if (c->flags & CPRNG_USE_CV) {
int wr;
do {
wr = cv_wait_sig(&c->cv, &c->mtx);
if (wr == EINTR) {
mutex_exit(&c->mtx);
return 0;
}
} while (nist_ctr_drbg_generate(&c->drbg, p,
len, &cc,
sizeof(cc)));
} else {
mutex_exit(&c->mtx);
return 0;
}
}
}
#ifdef DIAGNOSTIC
/*
* If the generator has just been keyed, perform
* the statistical RNG test.
*/
if (__predict_false(c->drbg.reseed_counter == 1)) {
rngtest_t rt;
strncpy(rt.rt_name, c->name, sizeof(rt.rt_name));
if (nist_ctr_drbg_generate(&c->drbg, rt.rt_b,
sizeof(rt.rt_b), NULL, 0)) {
panic("cprng %s: nist_ctr_drbg_generate failed!",
c->name);
}
if (rngtest(&rt)) {
printf("cprng %s: failed statistical RNG test.\n",
c->name);
c->drbg.reseed_counter =
NIST_CTR_DRBG_RESEED_INTERVAL + 1;
}
memset(&rt, 0, sizeof(rt));
}
#endif
if (__predict_false(c->drbg.reseed_counter >
(NIST_CTR_DRBG_RESEED_INTERVAL / 2))) {
if (!(c->reseed_pending)) {
c->reseed_pending = 1;
c->reseed.len = NIST_BLOCK_KEYLEN_BYTES;
rndsink_attach(&c->reseed);
}
if (__predict_false(c->drbg.reseed_counter >
NIST_CTR_DRBG_RESEED_INTERVAL)) {
goto again; /* statistical test failure */
}
}
mutex_exit(&c->mtx);
return len;
}
void
cprng_strong_destroy(cprng_strong_t *c)
{
KASSERT(!mutex_owned(&c->mtx));
if (c->flags & CPRNG_USE_CV) {
KASSERT(!cv_has_waiters(&c->cv));
cv_destroy(&c->cv);
}
mutex_destroy(&c->mtx);
if (c->reseed_pending) {
rndsink_detach(&c->reseed);
}
nist_ctr_drbg_destroy(&c->drbg);
memset(c, 0, sizeof(*c));
kmem_free(c, sizeof(*c));
}
int
cprng_strong_getflags(cprng_strong_t *const c)
{
KASSERT(mutex_owned(&c->mtx));
return c->flags;
}
void
cprng_strong_setflags(cprng_strong_t *const c, int flags)
{
KASSERT(mutex_owned(&c->mtx));
if (flags & CPRNG_USE_CV) {
if (!(c->flags & CPRNG_USE_CV)) {
cv_init(&c->cv, (const char *)c->name);
}
} else {
if (c->flags & CPRNG_USE_CV) {
KASSERT(!cv_has_waiters(&c->cv));
cv_destroy(&c->cv);
}
}
if (flags & CPRNG_REKEY_ANY) {
if (!(c->flags & CPRNG_REKEY_ANY)) {
if (c->flags & CPRNG_USE_CV) {
cv_broadcast(&c->cv);
}
}
}
c->flags = flags;
}
Reference in New Issue View Git Blame Copy Permalink