Annotation of sys/dev/rnd.c, Revision 1.1.1.1
1.1 nbrk 1: /* $OpenBSD: rnd.c,v 1.82 2007/06/17 21:22:04 jasper Exp $ */
2:
3: /*
4: * rnd.c -- A strong random number generator
5: *
6: * Copyright (c) 1996, 1997, 2000-2002 Michael Shalayeff.
7: *
8: * Version 1.89, last modified 19-Sep-99
9: *
10: * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999.
11: * All rights reserved.
12: *
13: * Redistribution and use in source and binary forms, with or without
14: * modification, are permitted provided that the following conditions
15: * are met:
16: * 1. Redistributions of source code must retain the above copyright
17: * notice, and the entire permission notice in its entirety,
18: * including the disclaimer of warranties.
19: * 2. Redistributions in binary form must reproduce the above copyright
20: * notice, this list of conditions and the following disclaimer in the
21: * documentation and/or other materials provided with the distribution.
22: * 3. The name of the author may not be used to endorse or promote
23: * products derived from this software without specific prior
24: * written permission.
25: *
26: * ALTERNATIVELY, this product may be distributed under the terms of
27: * the GNU Public License, in which case the provisions of the GPL are
28: * required INSTEAD OF the above restrictions. (This clause is
29: * necessary due to a potential bad interaction between the GPL and
30: * the restrictions contained in a BSD-style copyright.)
31: *
32: * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
33: * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
34: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
35: * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
36: * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
37: * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
38: * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
39: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
40: * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
41: * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
42: * OF THE POSSIBILITY OF SUCH DAMAGE.
43: */
44: /*
45: * (now, with legal B.S. out of the way.....)
46: *
47: * This routine gathers environmental noise from device drivers, etc.,
48: * and returns good random numbers, suitable for cryptographic use.
49: * Besides the obvious cryptographic uses, these numbers are also good
50: * for seeding TCP sequence numbers, and other places where it is
51: * desirable to have numbers which are not only random, but hard to
52: * predict by an attacker.
53: *
54: * Theory of operation
55: * ===================
56: *
57: * Computers are very predictable devices. Hence it is extremely hard
58: * to produce truly random numbers on a computer --- as opposed to
59: * pseudo-random numbers, which can be easily generated by using an
60: * algorithm. Unfortunately, it is very easy for attackers to guess
61: * the sequence of pseudo-random number generators, and for some
62: * applications this is not acceptable. Instead, we must try to
63: * gather "environmental noise" from the computer's environment, which
64: * must be hard for outside attackers to observe and use to
65: * generate random numbers. In a Unix environment, this is best done
66: * from inside the kernel.
67: *
68: * Sources of randomness from the environment include inter-keyboard
69: * timings, inter-interrupt timings from some interrupts, and other
70: * events which are both (a) non-deterministic and (b) hard for an
71: * outside observer to measure. Randomness from these sources is
72: * added to the "entropy pool", which is mixed using a CRC-like function.
73: * This is not cryptographically strong, but it is adequate assuming
74: * the randomness is not chosen maliciously, and it is fast enough that
75: * the overhead of doing it on every interrupt is very reasonable.
76: * As random bytes are mixed into the entropy pool, the routines keep
77: * an *estimate* of how many bits of randomness have been stored into
78: * the random number generator's internal state.
79: *
80: * When random bytes are desired, they are obtained by taking the MD5
81: * hash of the content of the entropy pool. The MD5 hash avoids
82: * exposing the internal state of the entropy pool. It is believed to
83: * be computationally infeasible to derive any useful information
84: * about the input of MD5 from its output. Even if it is possible to
85: * analyze MD5 in some clever way, as long as the amount of data
86: * returned from the generator is less than the inherent entropy in
87: * the pool, the output data is totally unpredictable. For this
88: * reason, the routine decreases its internal estimate of how many
89: * bits of "true randomness" are contained in the entropy pool as it
90: * outputs random numbers.
91: *
92: * If this estimate goes to zero, the routine can still generate
93: * random numbers; however, an attacker may (at least in theory) be
94: * able to infer the future output of the generator from prior
95: * outputs. This requires successful cryptanalysis of MD5, which is
96: * believed to be not feasible, but there is a remote possibility.
97: * Nonetheless, these numbers should be useful for the vast majority
98: * of purposes.
99: *
100: * Exported interfaces ---- output
101: * ===============================
102: *
103: * There are three exported interfaces.
104: * The first one is designed to be used from within the kernel:
105: *
106: * void get_random_bytes(void *buf, int nbytes);
107: *
108: * This interface will return the requested number of random bytes,
109: * and place it in the requested buffer.
110: *
111: * Two other interfaces are two character devices /dev/random and
112: * /dev/urandom. /dev/random is suitable for use when very high
113: * quality randomness is desired (for example, for key generation or
114: * one-time pads), as it will only return a maximum of the number of
115: * bits of randomness (as estimated by the random number generator)
116: * contained in the entropy pool.
117: *
118: * The /dev/urandom device does not have this limit, and will return
119: * as many bytes as were requested. As more and more random bytes
120: * requested without giving time for the entropy pool to recharge,
121: * this will result in random numbers that are merely cryptographically
122: * strong. For many applications, however, this is acceptable.
123: *
124: * Exported interfaces ---- input
125: * ==============================
126: *
127: * The current exported interfaces for gathering environmental noise
128: * from the devices are:
129: *
130: * void add_true_randomness(int data);
131: * void add_timer_randomness(int data);
132: * void add_mouse_randomness(int mouse_data);
133: * void add_net_randomness(int isr);
134: * void add_tty_randomness(int c);
135: * void add_disk_randomness(int n);
136: * void add_audio_randomness(int n);
137: *
138: * add_true_randomness() uses true random number generators present
139: * on some cryptographic and system chipsets. Entropy accounting
140: * is not quitable, no timing is done, supplied 32 bits of pure entropy
141: * are hashed into the pool plain and blindly, increasing the counter.
142: *
143: * add_timer_randomness() uses the random driver itselves timing,
144: * measuring extract_entropy() and rndioctl() execution times.
145: *
146: * add_mouse_randomness() uses the mouse interrupt timing, as well as
147: * the reported position of the mouse from the hardware.
148: *
149: * add_net_randomness() times the finishing time of net input.
150: *
151: * add_tty_randomness() uses the inter-keypress timing, as well as the
152: * character as random inputs into the entropy pool.
153: *
154: * add_disk_randomness() times the finishing time of disk requests as well
155: * as feeding both xfer size & time into the entropy pool.
156: *
157: * add_audio_randomness() times the finishing of audio codec dma
158: * requests for both recording and playback, apparently supplies quite
159: * a lot of entropy. I'd blame it on low resolution audio clock generators.
160: *
161: * All of these routines (except for add_true_randomness() of course)
162: * try to estimate how many bits of randomness are in a particular
163: * randomness source. They do this by keeping track of the first and
164: * second order deltas of the event timings.
165: *
166: * Ensuring unpredictability at system startup
167: * ============================================
168: *
169: * When any operating system starts up, it will go through a sequence
170: * of actions that are fairly predictable by an adversary, especially
171: * if the start-up does not involve interaction with a human operator.
172: * This reduces the actual number of bits of unpredictability in the
173: * entropy pool below the value in entropy_count. In order to
174: * counteract this effect, it helps to carry information in the
175: * entropy pool across shut-downs and start-ups. To do this, put the
176: * following lines in appropriate script which is run during the boot
177: * sequence:
178: *
179: * echo "Initializing random number generator..."
180: * # Carry a random seed from start-up to start-up
181: * # Load and then save 512 bytes, which is the size of the entropy pool
182: * if [ -f /etc/random-seed ]; then
183: * cat /etc/random-seed >/dev/urandom
184: * fi
185: * dd if=/dev/urandom of=/etc/random-seed count=1
186: *
187: * and the following lines in appropriate script which is run when
188: * the system is shutting down:
189: *
190: * # Carry a random seed from shut-down to start-up
191: * # Save 512 bytes, which is the size of the entropy pool
192: * echo "Saving random seed..."
193: * dd if=/dev/urandom of=/etc/random-seed count=1
194: *
195: * For example, on OpenBSD systems, the appropriate scripts are
196: * usually /etc/rc.local and /etc/rc.shutdown, respectively.
197: *
198: * Effectively, these commands cause the contents of the entropy pool
199: * to be saved at shutdown time and reloaded into the entropy pool at
200: * start-up. (The 'dd' in the addition to the bootup script is to
201: * make sure that /etc/random-seed is different for every start-up,
202: * even if the system crashes without executing rc.shutdown) Even with
203: * complete knowledge of the start-up activities, predicting the state
204: * of the entropy pool requires knowledge of the previous history of
205: * the system.
206: *
207: * Configuring the random(4) driver under OpenBSD
208: * ==============================================
209: *
210: * The special files for the random(4) driver should have been created
211: * during the installation process. However, if your system does not have
212: * /dev/random and /dev/[s|u|p|a]random created already, they can be created
213: * by using the MAKEDEV(8) script in /dev:
214: *
215: * /dev/MAKEDEV random
216: *
217: * Check MAKEDEV for information about major and minor numbers.
218: *
219: * Acknowledgements:
220: * =================
221: *
222: * Ideas for constructing this random number generator were derived
223: * from Pretty Good Privacy's random number generator, and from private
224: * discussions with Phil Karn. Colin Plumb provided a faster random
225: * number generator, which speeds up the mixing function of the entropy
226: * pool, taken from PGPfone. Dale Worley has also contributed many
227: * useful ideas and suggestions to improve this driver.
228: *
229: * Any flaws in the design are solely my responsibility, and should
230: * not be attributed to the Phil, Colin, or any of the authors of PGP.
231: *
232: * Further background information on this topic may be obtained from
233: * RFC 1750, "Randomness Recommendations for Security", by Donald
234: * Eastlake, Steve Crocker, and Jeff Schiller.
235: */
236:
237: #undef RNDEBUG
238:
239: #include <sys/param.h>
240: #include <sys/systm.h>
241: #include <sys/conf.h>
242: #include <sys/disk.h>
243: #include <sys/ioctl.h>
244: #include <sys/malloc.h>
245: #include <sys/fcntl.h>
246: #include <sys/vnode.h>
247: #include <sys/sysctl.h>
248: #include <sys/timeout.h>
249: #include <sys/poll.h>
250:
251: #include <crypto/md5.h>
252:
253: #include <dev/rndvar.h>
254: #include <dev/rndioctl.h>
255:
256: #ifdef RNDEBUG
257: int rnd_debug = 0x0000;
258: #define RD_INPUT 0x000f /* input data */
259: #define RD_OUTPUT 0x00f0 /* output data */
260: #define RD_WAIT 0x0100 /* sleep/wakeup for good data */
261: #endif
262:
263: /*
264: * The pool is stirred with a primitive polynomial of degree 128
265: * over GF(2), namely x^128 + x^99 + x^59 + x^31 + x^9 + x^7 + 1.
266: * For a pool of size 64, try x^64+x^62+x^38+x^10+x^6+x+1.
267: */
268: #define POOLBITS (POOLWORDS*32)
269: #define POOLBYTES (POOLWORDS*4)
270: #if POOLWORDS == 2048
271: #define TAP1 1638
272: #define TAP2 1231
273: #define TAP3 819
274: #define TAP4 411
275: #define TAP5 1
276: #elif POOLWORDS == 1024 /* also (819, 616, 410, 207, 2) */
277: #define TAP1 817
278: #define TAP2 615
279: #define TAP3 412
280: #define TAP4 204
281: #define TAP5 1
282: #elif POOLWORDS == 512 /* also (409,307,206,102,2), (409,309,205,103,2) */
283: #define TAP1 411
284: #define TAP2 308
285: #define TAP3 208
286: #define TAP4 104
287: #define TAP5 1
288: #elif POOLWORDS == 256
289: #define TAP1 205
290: #define TAP2 155
291: #define TAP3 101
292: #define TAP4 52
293: #define TAP5 1
294: #elif POOLWORDS == 128 /* also (103, 78, 51, 27, 2) */
295: #define TAP1 103
296: #define TAP2 76
297: #define TAP3 51
298: #define TAP4 25
299: #define TAP5 1
300: #elif POOLWORDS == 64
301: #define TAP1 52
302: #define TAP2 39
303: #define TAP3 26
304: #define TAP4 14
305: #define TAP5 1
306: #elif POOLWORDS == 32
307: #define TAP1 26
308: #define TAP2 20
309: #define TAP3 14
310: #define TAP4 7
311: #define TAP5 1
312: #else
313: #error No primitive polynomial available for chosen POOLWORDS
314: #endif
315:
316: /*
317: * For the purposes of better mixing, we use the CRC-32 polynomial as
318: * well to make a twisted Generalized Feedback Shift Register
319: *
320: * (See M. Matsumoto & Y. Kurita, 1992. Twisted GFSR generators. ACM
321: * Transactions on Modeling and Computer Simulation 2(3):179-194.
322: * Also see M. Matsumoto & Y. Kurita, 1994. Twisted GFSR generators
323: * II. ACM Transactions on Mdeling and Computer Simulation 4:254-266)
324: *
325: * Thanks to Colin Plumb for suggesting this.
326: *
327: * We have not analyzed the resultant polynomial to prove it primitive;
328: * in fact it almost certainly isn't. Nonetheless, the irreducible factors
329: * of a random large-degree polynomial over GF(2) are more than large enough
330: * that periodicity is not a concern.
331: *
332: * The input hash is much less sensitive than the output hash. All
333: * we want from it is to be a good non-cryptographic hash -
334: * i.e. to not produce collisions when fed "random" data of the sort
335: * we expect to see. As long as the pool state differs for different
336: * inputs, we have preserved the input entropy and done a good job.
337: * The fact that an intelligent attacker can construct inputs that
338: * will produce controlled alterations to the pool's state is not
339: * important because we don't consider such inputs to contribute any
340: * randomness. The only property we need with respect to them is that
341: * the attacker can't increase his/her knowledge of the pool's state.
342: * Since all additions are reversible (knowing the final state and the
343: * input, you can reconstruct the initial state), if an attacker has
344: * any uncertainty about the initial state, he/she can only shuffle
345: * that uncertainty about, but never cause any collisions (which would
346: * decrease the uncertainty).
347: *
348: * The chosen system lets the state of the pool be (essentially) the input
349: * modulo the generator polynomial. Now, for random primitive polynomials,
350: * this is a universal class of hash functions, meaning that the chance
351: * of a collision is limited by the attacker's knowledge of the generator
352: * polynomial, so if it is chosen at random, an attacker can never force
353: * a collision. Here, we use a fixed polynomial, but we *can* assume that
354: * ###--> it is unknown to the processes generating the input entropy. <-###
355: * Because of this important property, this is a good, collision-resistant
356: * hash; hash collisions will occur no more often than chance.
357: */
358:
359: /* pIII/333 reported to have some drops w/ these numbers */
360: #define QEVLEN (1024 / sizeof(struct rand_event))
361: #define QEVSLOW (QEVLEN * 3 / 4) /* yet another 0.75 for 60-minutes hour /-; */
362: #define QEVSBITS 10
363:
364: /* There is actually only one of these, globally. */
365: struct random_bucket {
366: u_int add_ptr;
367: u_int entropy_count;
368: u_char input_rotate;
369: u_int32_t pool[POOLWORDS];
370: u_int asleep;
371: u_int tmo;
372: };
373:
374: /* There is one of these per entropy source */
375: struct timer_rand_state {
376: u_int last_time;
377: u_int last_delta;
378: u_int last_delta2;
379: u_int dont_count_entropy : 1;
380: u_int max_entropy : 1;
381: };
382:
383: struct arc4_stream {
384: u_int8_t s[256];
385: u_int cnt;
386: u_int8_t i;
387: u_int8_t j;
388: };
389:
390: struct rand_event {
391: struct timer_rand_state *re_state;
392: u_int re_nbits;
393: u_int re_time;
394: u_int re_val;
395: };
396:
397: struct timeout rnd_timeout, arc4_timeout;
398: struct random_bucket random_state;
399: struct arc4_stream arc4random_state;
400: struct timer_rand_state rnd_states[RND_SRC_NUM];
401: struct rand_event rnd_event_space[QEVLEN];
402: struct rand_event *rnd_event_head = rnd_event_space;
403: struct rand_event *rnd_event_tail = rnd_event_space;
404: struct selinfo rnd_rsel, rnd_wsel;
405:
406: void filt_rndrdetach(struct knote *kn);
407: int filt_rndread(struct knote *kn, long hint);
408:
409: struct filterops rndread_filtops =
410: { 1, NULL, filt_rndrdetach, filt_rndread};
411:
412: void filt_rndwdetach(struct knote *kn);
413: int filt_rndwrite(struct knote *kn, long hint);
414:
415: struct filterops rndwrite_filtops =
416: { 1, NULL, filt_rndwdetach, filt_rndwrite};
417:
418: int rnd_attached;
419: int arc4random_initialized;
420: struct rndstats rndstats;
421:
422: static __inline u_int32_t roll(u_int32_t w, int i)
423: {
424: #ifdef i386
425: __asm ("roll %%cl, %0" : "+r" (w) : "c" (i));
426: #else
427: w = (w << i) | (w >> (32 - i));
428: #endif
429: return w;
430: }
431:
432: /* must be called at a proper spl, returns ptr to the next event */
433: static __inline struct rand_event *
434: rnd_get(void)
435: {
436: struct rand_event *p = rnd_event_tail;
437:
438: if (p == rnd_event_head)
439: return NULL;
440:
441: if (p + 1 >= &rnd_event_space[QEVLEN])
442: rnd_event_tail = rnd_event_space;
443: else
444: rnd_event_tail++;
445:
446: return p;
447: }
448:
449: /* must be called at a proper spl, returns next available item */
450: static __inline struct rand_event *
451: rnd_put(void)
452: {
453: struct rand_event *p = rnd_event_head + 1;
454:
455: if (p >= &rnd_event_space[QEVLEN])
456: p = rnd_event_space;
457:
458: if (p == rnd_event_tail)
459: return NULL;
460:
461: return rnd_event_head = p;
462: }
463:
464: /* must be called at a proper spl, returns number of items in the queue */
465: static __inline int
466: rnd_qlen(void)
467: {
468: int len = rnd_event_head - rnd_event_tail;
469: return (len < 0)? -len : len;
470: }
471:
472: void dequeue_randomness(void *);
473:
474: static void add_entropy_words(const u_int32_t *, u_int n);
475: void extract_entropy(u_int8_t *, int);
476:
477: static u_int8_t arc4_getbyte(void);
478: void arc4_stir(void);
479: void arc4_reinit(void *v);
480: void arc4maybeinit(void);
481:
482: /* Arcfour random stream generator. This code is derived from section
483: * 17.1 of Applied Cryptography, second edition, which describes a
484: * stream cipher allegedly compatible with RSA Labs "RC4" cipher (the
485: * actual description of which is a trade secret). The same algorithm
486: * is used as a stream cipher called "arcfour" in Tatu Ylonen's ssh
487: * package.
488: *
489: * The initialization function here has been modified to not discard
490: * the old state, and its input always includes the time of day in
491: * microseconds. Moreover, bytes from the stream may at any point be
492: * diverted to multiple processes or even kernel functions desiring
493: * random numbers. This increases the strength of the random stream,
494: * but makes it impossible to use this code for encryption, since there
495: * is no way to ever reproduce the same stream of random bytes.
496: *
497: * RC4 is a registered trademark of RSA Laboratories.
498: */
499:
500: static u_int8_t
501: arc4_getbyte(void)
502: {
503: u_int8_t si, sj, ret;
504: int s;
505:
506: s = splhigh();
507: rndstats.arc4_reads++;
508: arc4random_state.cnt++;
509: arc4random_state.i++;
510: si = arc4random_state.s[arc4random_state.i];
511: arc4random_state.j += si;
512: sj = arc4random_state.s[arc4random_state.j];
513: arc4random_state.s[arc4random_state.i] = sj;
514: arc4random_state.s[arc4random_state.j] = si;
515: ret = arc4random_state.s[(si + sj) & 0xff];
516: splx(s);
517: return (ret);
518: }
519:
520: void
521: arc4_stir(void)
522: {
523: u_int8_t buf[256];
524: u_int8_t si;
525: int n, s;
526: int len;
527:
528: nanotime((struct timespec *) buf);
529: len = random_state.entropy_count / 8; /* XXX maybe a half? */
530: if (len > sizeof(buf) - sizeof(struct timeval))
531: len = sizeof(buf) - sizeof(struct timeval);
532: get_random_bytes(buf + sizeof (struct timeval), len);
533: len += sizeof(struct timeval);
534:
535: s = splhigh();
536: arc4random_state.i--;
537: for (n = 0; n < 256; n++) {
538: arc4random_state.i++;
539: si = arc4random_state.s[arc4random_state.i];
540: arc4random_state.j += si + buf[n % len];
541: arc4random_state.s[arc4random_state.i] =
542: arc4random_state.s[arc4random_state.j];
543: arc4random_state.s[arc4random_state.j] = si;
544: }
545: arc4random_state.j = arc4random_state.i;
546: arc4random_state.cnt = 0;
547: rndstats.arc4_stirs += len;
548: rndstats.arc4_nstirs++;
549: splx(s);
550:
551: /*
552: * Throw away the first N words of output, as suggested in the
553: * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
554: * by Fluher, Mantin, and Shamir. (N = 256 in our case.)
555: */
556: for (n = 0; n < 256 * 4; n++)
557: arc4_getbyte();
558: }
559:
560: void
561: arc4maybeinit(void)
562: {
563: extern int hz;
564:
565: if (!arc4random_initialized) {
566: #ifdef DIAGNOSTIC
567: if (!rnd_attached)
568: panic("arc4maybeinit: premature");
569: #endif
570: arc4random_initialized++;
571: arc4_stir();
572: /* 10 minutes, per dm@'s suggestion */
573: timeout_add(&arc4_timeout, 10 * 60 * hz);
574: }
575: }
576:
577: /*
578: * called by timeout to mark arc4 for stirring,
579: * actual stirring happens on any access attempt.
580: */
581: void
582: arc4_reinit(void *v)
583: {
584: arc4random_initialized = 0;
585: }
586:
587: u_int32_t
588: arc4random(void)
589: {
590: arc4maybeinit();
591: return ((arc4_getbyte() << 24) | (arc4_getbyte() << 16)
592: | (arc4_getbyte() << 8) | arc4_getbyte());
593: }
594:
595: void
596: arc4random_bytes(void *buf, size_t n)
597: {
598: u_int8_t *cp = buf;
599: u_int8_t *end = cp + n;
600:
601: arc4maybeinit();
602: while (cp < end)
603: *cp++ = arc4_getbyte();
604: }
605:
606: void
607: randomattach(void)
608: {
609: int i;
610:
611: if (rnd_attached) {
612: #ifdef RNDEBUG
613: printf("random: second attach\n");
614: #endif
615: return;
616: }
617:
618: timeout_set(&rnd_timeout, dequeue_randomness, &random_state);
619: timeout_set(&arc4_timeout, arc4_reinit, NULL);
620:
621: random_state.add_ptr = 0;
622: random_state.entropy_count = 0;
623: rnd_states[RND_SRC_TIMER].dont_count_entropy = 1;
624: rnd_states[RND_SRC_TRUE].dont_count_entropy = 1;
625: rnd_states[RND_SRC_TRUE].max_entropy = 1;
626:
627: bzero(&rndstats, sizeof(rndstats));
628: bzero(&rnd_event_space, sizeof(rnd_event_space));
629:
630: for (i = 0; i < 256; i++)
631: arc4random_state.s[i] = i;
632: arc4_reinit(NULL);
633:
634: rnd_attached = 1;
635: }
636:
637: int
638: randomopen(dev_t dev, int flag, int mode, struct proc *p)
639: {
640: return (minor (dev) < RND_NODEV) ? 0 : ENXIO;
641: }
642:
643: int
644: randomclose(dev_t dev, int flag, int mode, struct proc *p)
645: {
646: return 0;
647: }
648:
649: /*
650: * This function adds a byte into the entropy pool. It does not
651: * update the entropy estimate. The caller must do this if appropriate.
652: *
653: * The pool is stirred with a primitive polynomial of degree 128
654: * over GF(2), namely x^128 + x^99 + x^59 + x^31 + x^9 + x^7 + 1.
655: * For a pool of size 64, try x^64+x^62+x^38+x^10+x^6+x+1.
656: *
657: * We rotate the input word by a changing number of bits, to help
658: * assure that all bits in the entropy get toggled. Otherwise, if we
659: * consistently feed the entropy pool small numbers (like jiffies and
660: * scancodes, for example), the upper bits of the entropy pool don't
661: * get affected. --- TYT, 10/11/95
662: */
663: static void
664: add_entropy_words(const u_int32_t *buf, u_int n)
665: {
666: static const u_int32_t twist_table[8] = {
667: 0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
668: 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278
669: };
670:
671: for (; n--; buf++) {
672: u_int32_t w = roll(*buf, random_state.input_rotate);
673: u_int i = random_state.add_ptr =
674: (random_state.add_ptr - 1) & (POOLWORDS - 1);
675: /*
676: * Normally, we add 7 bits of rotation to the pool.
677: * At the beginning of the pool, add an extra 7 bits
678: * rotation, so that successive passes spread the
679: * input bits across the pool evenly.
680: */
681: random_state.input_rotate =
682: (random_state.input_rotate + (i? 7 : 14)) & 31;
683:
684: /* XOR in the various taps */
685: w ^= random_state.pool[(i+TAP1) & (POOLWORDS-1)] ^
686: random_state.pool[(i+TAP2) & (POOLWORDS-1)] ^
687: random_state.pool[(i+TAP3) & (POOLWORDS-1)] ^
688: random_state.pool[(i+TAP4) & (POOLWORDS-1)] ^
689: random_state.pool[(i+TAP5) & (POOLWORDS-1)] ^
690: random_state.pool[i];
691: random_state.pool[i] = (w >> 3) ^ twist_table[w & 7];
692: }
693: }
694:
695: /*
696: * This function adds entropy to the entropy pool by using timing
697: * delays. It uses the timer_rand_state structure to make an estimate
698: * of how many bits of entropy this call has added to the pool.
699: *
700: * The number "val" is also added to the pool - it should somehow describe
701: * the type of event which just happened. Currently the values of 0-255
702: * are for keyboard scan codes, 256 and upwards - for interrupts.
703: * On the i386, this is assumed to be at most 16 bits, and the high bits
704: * are used for a high-resolution timer.
705: *
706: */
707: void
708: enqueue_randomness(int state, int val)
709: {
710: struct timer_rand_state *p;
711: struct rand_event *rep;
712: struct timespec tv;
713: u_int time, nbits;
714: int s;
715:
716: /* XXX on sparc we get here before randomattach() */
717: if (!rnd_attached)
718: return;
719:
720: #ifdef DIAGNOSTIC
721: if (state < 0 || state >= RND_SRC_NUM)
722: return;
723: #endif
724:
725: p = &rnd_states[state];
726: val += state << 13;
727:
728: nanotime(&tv);
729: time = (tv.tv_nsec >> 10) + (tv.tv_sec << 20);
730: nbits = 0;
731:
732: /*
733: * Calculate the number of bits of randomness that we probably
734: * added. We take into account the first and second order
735: * deltas in order to make our estimate.
736: */
737: if (!p->dont_count_entropy) {
738: int delta, delta2, delta3;
739: delta = time - p->last_time;
740: delta2 = delta - p->last_delta;
741: delta3 = delta2 - p->last_delta2;
742:
743: if (delta < 0) delta = -delta;
744: if (delta2 < 0) delta2 = -delta2;
745: if (delta3 < 0) delta3 = -delta3;
746: if (delta > delta2) delta = delta2;
747: if (delta > delta3) delta = delta3;
748: delta3 = delta >>= 1;
749: /*
750: * delta &= 0xfff;
751: * we don't do it since our time sheet is different from linux
752: */
753:
754: if (delta & 0xffff0000) {
755: nbits = 16;
756: delta >>= 16;
757: }
758: if (delta & 0xff00) {
759: nbits += 8;
760: delta >>= 8;
761: }
762: if (delta & 0xf0) {
763: nbits += 4;
764: delta >>= 4;
765: }
766: if (delta & 0xc) {
767: nbits += 2;
768: delta >>= 2;
769: }
770: if (delta & 2) {
771: nbits += 1;
772: delta >>= 1;
773: }
774: if (delta & 1)
775: nbits++;
776:
777: /*
778: * the logic is to drop low-entropy entries,
779: * in hope for dequeuing to be more randomfull
780: */
781: if (rnd_qlen() > QEVSLOW && nbits < QEVSBITS) {
782: rndstats.rnd_drople++;
783: return;
784: }
785: p->last_time = time;
786: p->last_delta = delta3;
787: p->last_delta2 = delta2;
788: } else if (p->max_entropy)
789: nbits = 8 * sizeof(val) - 1;
790:
791: s = splhigh();
792: if ((rep = rnd_put()) == NULL) {
793: rndstats.rnd_drops++;
794: splx(s);
795: return;
796: }
797:
798: rep->re_state = p;
799: rep->re_nbits = nbits;
800: rep->re_time = tv.tv_nsec ^ (tv.tv_sec << 20);
801: rep->re_val = val;
802:
803: rndstats.rnd_enqs++;
804: rndstats.rnd_ed[nbits]++;
805: rndstats.rnd_sc[state]++;
806: rndstats.rnd_sb[state] += nbits;
807:
808: if (rnd_qlen() > QEVSLOW/2 && !random_state.tmo) {
809: random_state.tmo++;
810: timeout_add(&rnd_timeout, 1);
811: }
812: splx(s);
813: }
814:
815: void
816: dequeue_randomness(void *v)
817: {
818: struct random_bucket *rs = v;
819: struct rand_event *rep;
820: u_int32_t buf[2];
821: u_int nbits;
822: int s;
823:
824: timeout_del(&rnd_timeout);
825: rndstats.rnd_deqs++;
826:
827: s = splhigh();
828: while ((rep = rnd_get())) {
829:
830: buf[0] = rep->re_time;
831: buf[1] = rep->re_val;
832: nbits = rep->re_nbits;
833: splx(s);
834:
835: add_entropy_words(buf, 2);
836:
837: rndstats.rnd_total += nbits;
838: rs->entropy_count += nbits;
839: if (rs->entropy_count > POOLBITS)
840: rs->entropy_count = POOLBITS;
841:
842: if (rs->asleep && rs->entropy_count > 8) {
843: #ifdef RNDEBUG
844: if (rnd_debug & RD_WAIT)
845: printf("rnd: wakeup[%u]{%u}\n",
846: rs->asleep,
847: rs->entropy_count);
848: #endif
849: rs->asleep--;
850: wakeup((void *)&rs->asleep);
851: selwakeup(&rnd_rsel);
852: KNOTE(&rnd_rsel.si_note, 0);
853: }
854:
855: s = splhigh();
856: }
857:
858: rs->tmo = 0;
859: splx(s);
860: }
861:
862: #if POOLWORDS % 16
863: #error extract_entropy() assumes that POOLWORDS is a multiple of 16 words.
864: #endif
865:
866: /*
867: * This function extracts randomness from the entropy pool, and
868: * returns it in a buffer. This function computes how many remaining
869: * bits of entropy are left in the pool, but it does not restrict the
870: * number of bytes that are actually obtained.
871: */
872: void
873: extract_entropy(u_int8_t *buf, int nbytes)
874: {
875: struct random_bucket *rs = &random_state;
876: u_char buffer[16];
877: MD5_CTX tmp;
878: u_int i;
879: int s;
880:
881: add_timer_randomness(nbytes);
882:
883: while (nbytes) {
884: if (nbytes < sizeof(buffer) / 2)
885: i = nbytes;
886: else
887: i = sizeof(buffer) / 2;
888:
889: /* Hash the pool to get the output */
890: MD5Init(&tmp);
891: s = splhigh();
892: MD5Update(&tmp, (u_int8_t*)rs->pool, sizeof(rs->pool));
893: if (rs->entropy_count / 8 > i)
894: rs->entropy_count -= i * 8;
895: else
896: rs->entropy_count = 0;
897: splx(s);
898: MD5Final(buffer, &tmp);
899:
900: /*
901: * In case the hash function has some recognizable
902: * output pattern, we fold it in half.
903: */
904: buffer[0] ^= buffer[15];
905: buffer[1] ^= buffer[14];
906: buffer[2] ^= buffer[13];
907: buffer[3] ^= buffer[12];
908: buffer[4] ^= buffer[11];
909: buffer[5] ^= buffer[10];
910: buffer[6] ^= buffer[ 9];
911: buffer[7] ^= buffer[ 8];
912:
913: /* Copy data to destination buffer */
914: bcopy(buffer, buf, i);
915: nbytes -= i;
916: buf += i;
917:
918: /* Modify pool so next hash will produce different results */
919: add_timer_randomness(nbytes);
920: dequeue_randomness(&random_state);
921: }
922:
923: /* Wipe data from memory */
924: bzero(&tmp, sizeof(tmp));
925: bzero(&buffer, sizeof(buffer));
926: }
927:
928: /*
929: * This function is the exported kernel interface. It returns some
930: * number of good random numbers, suitable for seeding TCP sequence
931: * numbers, etc.
932: */
933: void
934: get_random_bytes(void *buf, size_t nbytes)
935: {
936: extract_entropy((u_int8_t *) buf, nbytes);
937: rndstats.rnd_used += nbytes * 8;
938: }
939:
940: int
941: randomread(dev_t dev, struct uio *uio, int ioflag)
942: {
943: int ret = 0;
944: int i;
945: u_int32_t *buf;
946:
947: if (uio->uio_resid == 0)
948: return 0;
949:
950: MALLOC(buf, u_int32_t *, POOLBYTES, M_TEMP, M_WAITOK);
951:
952: while (!ret && uio->uio_resid > 0) {
953: int n = min(POOLBYTES, uio->uio_resid);
954:
955: switch(minor(dev)) {
956: case RND_RND:
957: ret = EIO; /* no chip -- error */
958: break;
959: case RND_SRND:
960: if (random_state.entropy_count < 16 * 8) {
961: if (ioflag & IO_NDELAY) {
962: ret = EWOULDBLOCK;
963: break;
964: }
965: #ifdef RNDEBUG
966: if (rnd_debug & RD_WAIT)
967: printf("rnd: sleep[%u]\n",
968: random_state.asleep);
969: #endif
970: random_state.asleep++;
971: rndstats.rnd_waits++;
972: ret = tsleep(&random_state.asleep,
973: PWAIT | PCATCH, "rndrd", 0);
974: #ifdef RNDEBUG
975: if (rnd_debug & RD_WAIT)
976: printf("rnd: awakened(%d)\n", ret);
977: #endif
978: if (ret)
979: break;
980: }
981: if (n > random_state.entropy_count / 8)
982: n = random_state.entropy_count / 8;
983: rndstats.rnd_reads++;
984: #ifdef RNDEBUG
985: if (rnd_debug & RD_OUTPUT)
986: printf("rnd: %u possible output\n", n);
987: #endif
988: case RND_URND:
989: get_random_bytes((char *)buf, n);
990: #ifdef RNDEBUG
991: if (rnd_debug & RD_OUTPUT)
992: printf("rnd: %u bytes for output\n", n);
993: #endif
994: break;
995: case RND_PRND:
996: i = (n + 3) / 4;
997: while (i--)
998: buf[i] = random() << 16 | (random() & 0xFFFF);
999: break;
1000: case RND_ARND:
1001: {
1002: u_int8_t *cp = (u_int8_t *) buf;
1003: u_int8_t *end = cp + n;
1004: arc4maybeinit();
1005: while (cp < end)
1006: *cp++ = arc4_getbyte();
1007: break;
1008: }
1009: default:
1010: ret = ENXIO;
1011: }
1012: if (n != 0 && ret == 0)
1013: ret = uiomove((caddr_t)buf, n, uio);
1014: }
1015:
1016: FREE(buf, M_TEMP);
1017: return ret;
1018: }
1019:
1020: int
1021: randompoll(dev_t dev, int events, struct proc *p)
1022: {
1023: int revents;
1024:
1025: revents = events & (POLLOUT | POLLWRNORM); /* always writable */
1026: if (events & (POLLIN | POLLRDNORM)) {
1027: if (minor(dev) == RND_SRND && random_state.entropy_count <= 0)
1028: selrecord(p, &rnd_rsel);
1029: else
1030: revents |= events & (POLLIN | POLLRDNORM);
1031: }
1032:
1033: return (revents);
1034: }
1035:
1036: int
1037: randomkqfilter(dev_t dev, struct knote *kn)
1038: {
1039: struct klist *klist;
1040: int s;
1041:
1042: switch (kn->kn_filter) {
1043: case EVFILT_READ:
1044: klist = &rnd_rsel.si_note;
1045: kn->kn_fop = &rndread_filtops;
1046: break;
1047: case EVFILT_WRITE:
1048: klist = &rnd_wsel.si_note;
1049: kn->kn_fop = &rndwrite_filtops;
1050: break;
1051: default:
1052: return (1);
1053: }
1054: kn->kn_hook = (void *)&random_state;
1055:
1056: s = splhigh();
1057: SLIST_INSERT_HEAD(klist, kn, kn_selnext);
1058: splx(s);
1059:
1060: return (0);
1061: }
1062:
1063: void
1064: filt_rndrdetach(struct knote *kn)
1065: {
1066: int s = splhigh();
1067:
1068: SLIST_REMOVE(&rnd_rsel.si_note, kn, knote, kn_selnext);
1069: splx(s);
1070: }
1071:
1072: int
1073: filt_rndread(struct knote *kn, long hint)
1074: {
1075: struct random_bucket *rs = (struct random_bucket *)kn->kn_hook;
1076:
1077: kn->kn_data = (int)rs->entropy_count;
1078: return rs->entropy_count > 0;
1079: }
1080:
1081: void
1082: filt_rndwdetach(struct knote *kn)
1083: {
1084: int s = splhigh();
1085:
1086: SLIST_REMOVE(&rnd_wsel.si_note, kn, knote, kn_selnext);
1087: splx(s);
1088: }
1089:
1090: int
1091: filt_rndwrite(struct knote *kn, long hint)
1092: {
1093: return (1);
1094: }
1095:
1096: int
1097: randomwrite(dev_t dev, struct uio *uio, int flags)
1098: {
1099: int ret = 0;
1100: u_int32_t *buf;
1101:
1102: if (minor(dev) == RND_RND || minor(dev) == RND_PRND)
1103: return ENXIO;
1104:
1105: if (uio->uio_resid == 0)
1106: return 0;
1107:
1108: MALLOC(buf, u_int32_t *, POOLBYTES, M_TEMP, M_WAITOK);
1109:
1110: while (!ret && uio->uio_resid > 0) {
1111: u_short n = min(POOLBYTES, uio->uio_resid);
1112:
1113: ret = uiomove((caddr_t)buf, n, uio);
1114: if (!ret) {
1115: while (n % sizeof(u_int32_t))
1116: ((u_int8_t *) buf)[n++] = 0;
1117: add_entropy_words(buf, n / 4);
1118: }
1119: }
1120:
1121: if (minor(dev) == RND_ARND && !ret)
1122: arc4random_initialized = 0;
1123:
1124: FREE(buf, M_TEMP);
1125: return ret;
1126: }
1127:
1128: int
1129: randomioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p)
1130: {
1131: int s, ret = 0;
1132: u_int cnt;
1133:
1134: add_timer_randomness((u_long)p ^ (u_long)data ^ cmd);
1135:
1136: switch (cmd) {
1137: case FIOASYNC:
1138: /* rnd has no async flag in softc so this is really a no-op. */
1139: break;
1140:
1141: case FIONBIO:
1142: /* Handled in the upper FS layer. */
1143: break;
1144:
1145: case RNDGETENTCNT:
1146: s = splhigh();
1147: *(u_int *)data = random_state.entropy_count;
1148: splx(s);
1149: break;
1150: case RNDADDTOENTCNT:
1151: if (suser(p, 0) != 0)
1152: ret = EPERM;
1153: else {
1154: cnt = *(u_int *)data;
1155: s = splhigh();
1156: random_state.entropy_count += cnt;
1157: if (random_state.entropy_count > POOLBITS)
1158: random_state.entropy_count = POOLBITS;
1159: splx(s);
1160: }
1161: break;
1162: case RNDZAPENTCNT:
1163: if (suser(p, 0) != 0)
1164: ret = EPERM;
1165: else {
1166: s = splhigh();
1167: random_state.entropy_count = 0;
1168: splx(s);
1169: }
1170: break;
1171: case RNDSTIRARC4:
1172: if (suser(p, 0) != 0)
1173: ret = EPERM;
1174: else if (random_state.entropy_count < 64)
1175: ret = EAGAIN;
1176: else {
1177: s = splhigh();
1178: arc4random_initialized = 0;
1179: splx(s);
1180: }
1181: break;
1182: case RNDCLRSTATS:
1183: if (suser(p, 0) != 0)
1184: ret = EPERM;
1185: else {
1186: s = splhigh();
1187: bzero(&rndstats, sizeof(rndstats));
1188: splx(s);
1189: }
1190: break;
1191: default:
1192: ret = ENOTTY;
1193: }
1194:
1195: add_timer_randomness((u_long)p ^ (u_long)data ^ cmd);
1196: return ret;
1197: }
CVSweb