1c1e80940SXin LI /* $OpenBSD: arc4random.h,v 1.4 2015/01/15 06:57:18 deraadt Exp $ */
2c1e80940SXin LI
3c1e80940SXin LI /*
4c1e80940SXin LI * Copyright (c) 1996, David Mazieres <dm@uun.org>
5c1e80940SXin LI * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
6c1e80940SXin LI * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
7c1e80940SXin LI * Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org>
8c1e80940SXin LI *
9c1e80940SXin LI * Permission to use, copy, modify, and distribute this software for any
10c1e80940SXin LI * purpose with or without fee is hereby granted, provided that the above
11c1e80940SXin LI * copyright notice and this permission notice appear in all copies.
12c1e80940SXin LI *
13c1e80940SXin LI * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
14c1e80940SXin LI * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
15c1e80940SXin LI * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
16c1e80940SXin LI * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
17c1e80940SXin LI * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18c1e80940SXin LI * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19c1e80940SXin LI * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20c1e80940SXin LI */
21c1e80940SXin LI
22c1e80940SXin LI /*
23c1e80940SXin LI * Stub functions for portability.
24c1e80940SXin LI */
25f8e8a06dSConrad Meyer #include <sys/elf.h>
26f8e8a06dSConrad Meyer #include <sys/endian.h>
27c1e80940SXin LI #include <sys/mman.h>
28*c2ca0667SAlex Richardson #if ARC4RANDOM_FXRNG != 0
29f8e8a06dSConrad Meyer #include <sys/time.h> /* for sys/vdso.h only. */
30f8e8a06dSConrad Meyer #include <sys/vdso.h>
31f8e8a06dSConrad Meyer #include <machine/atomic.h>
32*c2ca0667SAlex Richardson #endif
33c1e80940SXin LI
34f8e8a06dSConrad Meyer #include <err.h>
35f8e8a06dSConrad Meyer #include <errno.h>
36c1e80940SXin LI #include <signal.h>
37f8e8a06dSConrad Meyer #include <stdbool.h>
38f8e8a06dSConrad Meyer #include <stdint.h>
39f8e8a06dSConrad Meyer
#if ARC4RANDOM_FXRNG != 0
/*
 * Pointer to the kernel-exported FenestrasX generation page.  It is set by
 * _rs_initialize_fxrng() and stays NULL when the page is unavailable or its
 * version is not one this code understands.
 */
static struct vdso_fxrng_generation_1 *vdso_fxrngp;

/*
 * Userspace compares only a 32-bit truncation of the kernel's 64-bit root
 * seed version, for the convenience of 32-bit platforms.  The truncated
 * counter cannot roll over at the current reseed interval (1 hour at limit)
 * unless new random devices are added dynamically, which also forces a
 * reseed in the FXRNG design.  No dynamic device mechanism exists at this
 * time, and billions of added devices would indicate a different problem.
 *
 * As is, overflowing the 32-bit version takes roughly 456,000 years of
 * runtime.
 *
 * The generation is read with an acquire load.
 */
#define	fxrng_load_acq_generation(x)	atomic_load_acq_32(x)
#endif
56c1e80940SXin LI
/*
 * Lock used by _ARC4_LOCK()/_ARC4_UNLOCK().  Both macros touch the mutex
 * only when __isthreaded is non-zero, so a single-threaded process never
 * calls into the pthread layer.  The return value of the lock and unlock
 * calls is not checked.
 * NOTE(review): presumably this guards the generator state of the file that
 * includes this header -- confirm against the includer.
 */
static pthread_mutex_t arc4random_mtx = PTHREAD_MUTEX_INITIALIZER;

#define	_ARC4_LOCK()						\
	do {							\
		if (__isthreaded) {				\
			_pthread_mutex_lock(&arc4random_mtx);	\
		}						\
	} while (0)

#define	_ARC4_UNLOCK()						\
	do {							\
		if (__isthreaded) {				\
			_pthread_mutex_unlock(&arc4random_mtx);	\
		}						\
	} while (0)
69c1e80940SXin LI
/*
 * Fail closed: terminate the process with SIGKILL.  SIGKILL cannot be
 * caught, blocked or ignored, so no handler can resume execution afterwards.
 * NOTE(review): presumably called by the includer when seeding from
 * getentropy fails, so that output is never produced from an unseeded
 * generator -- confirm against the caller.
 */
static inline void
_getentropy_fail(void)
{
	(void)raise(SIGKILL);
}
75c1e80940SXin LI
/*
 * Look up the kernel's FenestrasX generation page through the ELF auxiliary
 * vector and publish it in vdso_fxrngp.  On any failure vdso_fxrngp is left
 * untouched.  The function body is empty when ARC4RANDOM_FXRNG is 0.
 */
static inline void
_rs_initialize_fxrng(void)
{
#if ARC4RANDOM_FXRNG != 0
	struct vdso_fxrng_generation_1 *page;

	/*
	 * The lookup fails for new userspace on an old or
	 * !RANDOM_FENESTRASX kernel, or on an arch that does not have a
	 * VDSO page.
	 */
	if (_elf_aux_info(AT_FXRNG, &page, sizeof(page)) != 0)
		return;

	/*
	 * Accept only the layout this code was built against; a different
	 * version means old userspace on a newer kernel.
	 */
	if (page->fx_vdso_version == VDSO_FXRNG_VER_1)
		vdso_fxrngp = page;
#endif
}
99f8e8a06dSConrad Meyer
/*
 * Allocate the generator state as one private anonymous mapping holding a
 * struct _rs followed by a struct _rsx, and hand back pointers to the two
 * members through rsp and rsxp.
 *
 * Returns 0 on success.  Returns -1 if mmap() fails or if the mapping cannot
 * be marked INHERIT_ZERO; in the latter case the mapping is released first.
 * rsp and rsxp are written only on success.
 */
static inline int
_rs_allocate(struct _rs **rsp, struct _rsx **rsxp)
{
	struct {
		struct _rs	rs;
		struct _rsx	rsx;
	} *state;

	state = mmap(NULL, sizeof(*state), PROT_READ | PROT_WRITE,
	    MAP_ANON | MAP_PRIVATE, -1, 0);
	if (state == MAP_FAILED)
		return (-1);

	/*
	 * INHERIT_ZERO asks the kernel to give a forked child a zero-filled
	 * copy of this mapping rather than the parent's contents.
	 *
	 * The step is skipped where INHERIT_ZERO is not defined, which allows
	 * bootstrapping arc4random.c on Linux/macOS.
	 * NOTE(review): on such hosts nothing visible here stops a child from
	 * inheriting the parent's state -- confirm that is acceptable for the
	 * bootstrap tools.
	 */
#ifdef INHERIT_ZERO
	if (minherit(state, sizeof(*state), INHERIT_ZERO) == -1) {
		munmap(state, sizeof(*state));
		return (-1);
	}
#endif

	_rs_initialize_fxrng();

	*rsp = &state->rs;
	*rsxp = &state->rsx;
	return (0);
}
125c1e80940SXin LI
/*
 * Despite the name, this does more than detect fork.  The existing callback
 * from _rs_stir_if_needed() is also used to force arc4random(3) to reseed
 * when the fenestrasX root seed version has changed, that is, when the root
 * random(4) has reseeded from pooled entropy.
 *
 * Fork itself is handled through minherit(2) INHERIT_ZERO, which
 * _rs_allocate() sets on the state mapping.
 *
 * When ARC4RANDOM_FXRNG is 0 the generation check is compiled out, so every
 * call that finds rs and rsx allocated clears *rs.
 */
static inline void
_rs_forkdetect(void)
{
	/* Nothing to invalidate until both state pointers are set. */
	if (__predict_false(rs == NULL || rsx == NULL))
		return;
#if ARC4RANDOM_FXRNG != 0
	/*
	 * Leave the state alone when there is no kernel generation page, or
	 * when the generation recorded in rsx still matches the kernel's
	 * FenestrasX seed version.
	 */
	if (vdso_fxrngp == NULL ||
	    __predict_true(fxrng_load_acq_generation(
	    &vdso_fxrngp->fx_generation32) == rsx->rs_seed_generation))
		return;
#endif
	/* Zeroing *rs invalidates rs_buf and forces a "stir" (reseed). */
	memset(rs, 0, sizeof(*rs));
}
149