/*	$OpenBSD: arc4random.h,v 1.4 2015/01/15 06:57:18 deraadt Exp $	*/

/*
 * Copyright (c) 1996, David Mazieres <dm@uun.org>
 * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
 * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
 * Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 *
 * $FreeBSD$
 */

/*
 * Stub functions for portability.
 *
 * This header supplies the platform glue for the arc4random state: the
 * lock macros, the failure handler, allocation of the state pages, and the
 * check that forces a reseed.  It references rs, rsx, struct _rs and
 * struct _rsx, none of which are declared here, so it is meant to be
 * included by a file that already defines them.
 */
#include <sys/elf.h>
#include <sys/endian.h>
#include <sys/mman.h>
#include <sys/time.h>	/* for sys/vdso.h only. */
#include <sys/vdso.h>
#include <machine/atomic.h>

#include <err.h>
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>

/*
 * The kernel root seed version is a 64-bit counter, but we truncate it to a
 * 32-bit value in userspace for the convenience of 32-bit platforms.  32-bit
 * rollover is not possible with the current reseed interval (1 hour at limit)
 * without dynamic addition of new random devices (which also force a reseed in
 * the FXRNG design).  We don't have any dynamic device mechanism at this
 * time, and anyway something else is very wrong if billions of new devices are
 * being added.
 *
 * As is, it takes roughly 456,000 years of runtime to overflow the 32-bit
 * version.
 */
/* Acquire-load of the 32-bit generation word exported by the kernel. */
#define	fxrng_load_acq_generation(x)	atomic_load_acq_32(x)
/*
 * Kernel-exported generation record, or NULL.  Only _rs_initialize_fxrng()
 * assigns it, and only after the aux-vector lookup succeeded and the version
 * field matched VDSO_FXRNG_VER_1; otherwise it keeps its static NULL value
 * and the generation check in _rs_forkdetect() is skipped.
 */
static struct vdso_fxrng_generation_1 *vdso_fxrngp;

/* Mutex taken by _ARC4_LOCK() / _ARC4_UNLOCK() below. */
static pthread_mutex_t	arc4random_mtx = PTHREAD_MUTEX_INITIALIZER;
/*
 * Lock and unlock arc4random_mtx.  Both macros test __isthreaded first and
 * do nothing when it is zero, so the mutex is only touched in threaded
 * processes.
 */
#define	_ARC4_LOCK()						\
	do {							\
		if (__isthreaded)				\
			_pthread_mutex_lock(&arc4random_mtx);	\
	} while (0)

#define	_ARC4_UNLOCK()						\
	do {							\
		if (__isthreaded)				\
			_pthread_mutex_unlock(&arc4random_mtx);	\
	} while (0)

/*
 * Fail closed: raise SIGKILL, which cannot be caught, blocked or ignored,
 * so the process terminates instead of continuing with unseeded state.
 * NOTE(review): the call site is not in this header; presumably the including
 * file invokes this when getentropy(2) fails -- confirm there.
 */
static inline void
_getentropy_fail(void)
{
	raise(SIGKILL);
}

/*
 * Look up the kernel's FenestrasX generation record through the ELF aux
 * vector (AT_FXRNG) and publish it in vdso_fxrngp.  On lookup failure or an
 * unexpected fx_vdso_version the function returns without assigning, leaving
 * vdso_fxrngp NULL; that is treated as "feature absent", not as an error.
 */
static inline void
_rs_initialize_fxrng(void)
{
	struct vdso_fxrng_generation_1 *fxrngp;
	int error;

	error = _elf_aux_info(AT_FXRNG, &fxrngp, sizeof(fxrngp));
	if (error != 0) {
		/*
		 * New userspace on an old or !RANDOM_FENESTRASX kernel; or an
		 * arch that does not have a VDSO page.
		 */
		return;
	}

	/*
	 * Old userspace on newer kernel.  Any version other than
	 * VDSO_FXRNG_VER_1 is rejected, so a layout this code does not
	 * understand is never dereferenced later.
	 */
	if (fxrngp->fx_vdso_version != VDSO_FXRNG_VER_1)
		return;

	vdso_fxrngp = fxrngp;
}

/*
 * Allocate the generator state as one anonymous, private, read/write mapping
 * holding a struct _rs followed by a struct _rsx, and hand back pointers to
 * both halves through rsp and rsxp.
 *
 * Returns 0 on success.  Returns -1 if mmap(2) fails, or if minherit(2)
 * fails (the mapping is unmapped first); *rsp and *rsxp are not written in
 * either failure case.
 */
static inline int
_rs_allocate(struct _rs **rsp, struct _rsx **rsxp)
{
	struct {
		struct _rs rs;
		struct _rsx rsx;
	} *p;

	if ((p = mmap(NULL, sizeof(*p), PROT_READ|PROT_WRITE,
	    MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
		return (-1);
	/* Allow bootstrapping arc4random.c on Linux/macOS */
	/*
	 * INHERIT_ZERO makes the kernel hand a forked child a zero-filled copy
	 * of this mapping, so parent and child do not continue from the same
	 * keystream.
	 * NOTE(review): when INHERIT_ZERO is not defined this call is compiled
	 * out and nothing else in this header resets the state after fork(2);
	 * confirm the bootstrap build does not depend on parent and child
	 * producing different output.
	 */
#ifdef INHERIT_ZERO
	if (minherit(p, sizeof(*p), INHERIT_ZERO) == -1) {
		munmap(p, sizeof(*p));
		return (-1);
	}
#endif

	/* Best effort: leaves vdso_fxrngp NULL if the kernel has no FXRNG. */
	_rs_initialize_fxrng();

	*rsp = &p->rs;
	*rsxp = &p->rsx;
	return (0);
}

/*
 * This isn't only detecting fork.  We're also using the existing callback from
 * _rs_stir_if_needed() to force arc4random(3) to reseed if the fenestrasX root
 * seed version has changed.  (That is, the root random(4) has reseeded from
 * pooled entropy.)
 *
 * The function returns early, without touching any state, when rs or rsx is
 * NULL, when vdso_fxrngp is NULL, or when the recorded generation equals the
 * kernel's current one.  It never writes rsx->rs_seed_generation itself.
 * NOTE(review): presumably the stir path in the including file records the
 * new generation after reseeding; otherwise every call would zero rs again --
 * confirm there.
 */
static inline void
_rs_forkdetect(void)
{
	/*
	 * Detect fork (minherit(2) INHERIT_ZERO).
	 * The test itself only covers rs/rsx still being NULL; the zeroing of
	 * the state in a forked child is done by the kernel through the
	 * INHERIT_ZERO setting applied in _rs_allocate(), not by code here.
	 */
	if (__predict_false(rs == NULL || rsx == NULL))
		return;
	/* If present, detect kernel FenestrasX seed version change. */
	if (vdso_fxrngp == NULL)
		return;
	/*
	 * Acquire-load the kernel's 32-bit generation and compare it with the
	 * value stored in rsx; a match is the expected common case.
	 */
	if (__predict_true(rsx->rs_seed_generation ==
	    fxrng_load_acq_generation(&vdso_fxrngp->fx_generation32)))
		return;

	/*
	 * Invalidate rs_buf to force "stir" (reseed).
	 * The whole struct _rs is cleared, not just one field.  Its layout is
	 * declared by the including file; presumably the zeroed fields are
	 * what the stir check reads -- confirm there.
	 */
	memset(rs, 0, sizeof(*rs));
}