xref: /freebsd/sys/libkern/arc4random.c (revision 1631382cf2820245cc72965498ff174bb548dd63)
1 /*-
2  * Copyright (c) 2017 The FreeBSD Foundation
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer
9  *    in this position and unchanged.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  *
25  */
26 
27 #include <sys/types.h>
28 #include <sys/param.h>
29 #include <sys/kernel.h>
30 #include <sys/libkern.h>
31 #include <sys/linker.h>
32 #include <sys/lock.h>
33 #include <sys/malloc.h>
34 #include <sys/msan.h>
35 #include <sys/mutex.h>
36 #include <sys/random.h>
37 #include <sys/smp.h>
38 #include <sys/time.h>
39 
40 #include <machine/cpu.h>
41 
42 #include <crypto/chacha20/chacha.h>
43 #include <crypto/sha2/sha256.h>
44 #include <dev/random/randomdev.h>
45 #ifdef RANDOM_FENESTRASX
46 #include <dev/random/fenestrasX/fx_pub.h>
47 #endif
48 
49 #define	CHACHA20_RESEED_BYTES	65536
50 #define	CHACHA20_RESEED_SECONDS	300
51 #define	CHACHA20_KEYBYTES	32
52 #define	CHACHA20_BUFFER_SIZE	64
53 
54 CTASSERT(CHACHA20_KEYBYTES*8 >= CHACHA_MINKEYLEN);
55 
56 #ifndef RANDOM_FENESTRASX
57 int arc4rand_iniseed_state = ARC4_ENTR_NONE;
58 #endif
59 
60 MALLOC_DEFINE(M_CHACHA20RANDOM, "chacha20random", "chacha20random structures");
61 
62 struct chacha20_s {
63 	struct mtx mtx;
64 	int numbytes;
65 	time_t t_reseed;
66 	uint8_t m_buffer[CHACHA20_BUFFER_SIZE];
67 	struct chacha_ctx ctx;
68 #ifdef RANDOM_FENESTRASX
69 	uint64_t seed_version;
70 #endif
71 } __aligned(CACHE_LINE_SIZE);
72 
73 static struct chacha20_s *chacha20inst = NULL;
74 
75 #define CHACHA20_FOREACH(_chacha20) \
76 	for (_chacha20 = &chacha20inst[0]; \
77 	     _chacha20 <= &chacha20inst[mp_maxid]; \
78 	     _chacha20++)
79 
80 /*
81  * Mix up the current context.
82  */
83 static void
84 chacha20_randomstir(struct chacha20_s *chacha20)
85 {
86 	struct timeval tv_now;
87 	uint8_t key[CHACHA20_KEYBYTES];
88 #ifdef RANDOM_FENESTRASX
89 	uint64_t seed_version;
90 
91 #else
92 	if (__predict_false(random_bypass_before_seeding && !is_random_seeded())) {
93 		SHA256_CTX ctx;
94 		uint64_t cc;
95 		uint32_t fver;
96 
97 		if (!arc4random_bypassed_before_seeding) {
98 			arc4random_bypassed_before_seeding = true;
99 			if (!random_bypass_disable_warnings)
100 				printf("arc4random: WARNING: initial seeding "
101 				    "bypassed the cryptographic random device "
102 				    "because it was not yet seeded and the "
103 				    "knob 'bypass_before_seeding' was "
104 				    "enabled.\n");
105 		}
106 
107 		/*
108 		 * "key" is intentionally left uninitialized here, so with KMSAN
109 		 * enabled the arc4random() return value may be marked
110 		 * uninitialized, leading to spurious reports.  Lie to KMSAN to
111 		 * avoid this situation.
112 		 */
113 		kmsan_mark(key, sizeof(key), KMSAN_STATE_INITED);
114 
115 		/* Last ditch effort to inject something in a bad condition. */
116 		cc = get_cyclecount();
117 		SHA256_Init(&ctx);
118 		SHA256_Update(&ctx, key, sizeof(key));
119 		SHA256_Update(&ctx, &cc, sizeof(cc));
120 		fver = __FreeBSD_version;
121 		SHA256_Update(&ctx, &fver, sizeof(fver));
122 		_Static_assert(sizeof(key) == SHA256_DIGEST_LENGTH,
123 		    "make sure 256 bits is still 256 bits");
124 		SHA256_Final(key, &ctx);
125 	} else {
126 #endif
127 #ifdef RANDOM_FENESTRASX
128 		read_random_key(key, CHACHA20_KEYBYTES, &seed_version);
129 #else
130 		/*
131 		* If the loader(8) did not have an entropy stash from the
132 		* previous shutdown to load, then we will block.  The answer is
133 		* to make sure there is an entropy stash at shutdown time.
134 		*
135 		* On the other hand, if the random_bypass_before_seeding knob
136 		* was set and we landed in this branch, we know this won't
137 		* block because we know the random device is seeded.
138 		*/
139 		read_random(key, CHACHA20_KEYBYTES);
140 	}
141 #endif
142 	getmicrouptime(&tv_now);
143 	mtx_lock(&chacha20->mtx);
144 	chacha_keysetup(&chacha20->ctx, key, CHACHA20_KEYBYTES*8);
145 	chacha_ivsetup(&chacha20->ctx, (u_char *)&tv_now.tv_sec, (u_char *)&tv_now.tv_usec);
146 	/* Reset for next reseed cycle. */
147 	chacha20->t_reseed = tv_now.tv_sec + CHACHA20_RESEED_SECONDS;
148 	chacha20->numbytes = 0;
149 #ifdef RANDOM_FENESTRASX
150 	chacha20->seed_version = seed_version;
151 #endif
152 	mtx_unlock(&chacha20->mtx);
153 }
154 
155 /*
156  * Initialize the contexts.
157  */
158 static void
159 chacha20_init(void)
160 {
161 	struct chacha20_s *chacha20;
162 
163 	chacha20inst = malloc((mp_maxid + 1) * sizeof(struct chacha20_s),
164 			M_CHACHA20RANDOM, M_NOWAIT | M_ZERO);
165 	KASSERT(chacha20inst != NULL, ("chacha20_init: memory allocation error"));
166 
167 	CHACHA20_FOREACH(chacha20) {
168 		mtx_init(&chacha20->mtx, "chacha20_mtx", NULL, MTX_DEF);
169 		chacha20->t_reseed = -1;
170 		chacha20->numbytes = 0;
171 		explicit_bzero(chacha20->m_buffer, CHACHA20_BUFFER_SIZE);
172 		explicit_bzero(&chacha20->ctx, sizeof(chacha20->ctx));
173 	}
174 }
175 SYSINIT(chacha20, SI_SUB_LOCK, SI_ORDER_ANY, chacha20_init, NULL);
176 
177 
178 static void
179 chacha20_uninit(void)
180 {
181 	struct chacha20_s *chacha20;
182 
183 	CHACHA20_FOREACH(chacha20)
184 		mtx_destroy(&chacha20->mtx);
185 	free(chacha20inst, M_CHACHA20RANDOM);
186 }
187 SYSUNINIT(chacha20, SI_SUB_LOCK, SI_ORDER_ANY, chacha20_uninit, NULL);
188 
189 
190 /*
191  * MPSAFE
192  */
193 void
194 arc4rand(void *ptr, u_int len, int reseed)
195 {
196 	struct chacha20_s *chacha20;
197 	struct timeval tv;
198 	u_int length;
199 	uint8_t *p;
200 
201 #ifdef RANDOM_FENESTRASX
202 	if (__predict_false(reseed))
203 #else
204 	if (__predict_false(reseed ||
205 	    (arc4rand_iniseed_state == ARC4_ENTR_HAVE &&
206 	    atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_HAVE, ARC4_ENTR_SEED))))
207 #endif
208 		CHACHA20_FOREACH(chacha20)
209 			chacha20_randomstir(chacha20);
210 
211 	getmicrouptime(&tv);
212 	chacha20 = &chacha20inst[curcpu];
213 	/* We may get unlucky and be migrated off this CPU, but that is expected to be infrequent */
214 	if ((chacha20->numbytes > CHACHA20_RESEED_BYTES) || (tv.tv_sec > chacha20->t_reseed))
215 		chacha20_randomstir(chacha20);
216 
217 	mtx_lock(&chacha20->mtx);
218 #ifdef RANDOM_FENESTRASX
219 	if (__predict_false(
220 	    atomic_load_acq_64(&fxrng_root_generation) != chacha20->seed_version
221 	    )) {
222 		mtx_unlock(&chacha20->mtx);
223 		chacha20_randomstir(chacha20);
224 		mtx_lock(&chacha20->mtx);
225 	}
226 #endif
227 
228 	p = ptr;
229 	while (len) {
230 		length = MIN(CHACHA20_BUFFER_SIZE, len);
231 		chacha_encrypt_bytes(&chacha20->ctx, chacha20->m_buffer, p, length);
232 		p += length;
233 		len -= length;
234 		chacha20->numbytes += length;
235 		if (chacha20->numbytes > CHACHA20_RESEED_BYTES) {
236 			mtx_unlock(&chacha20->mtx);
237 			chacha20_randomstir(chacha20);
238 			mtx_lock(&chacha20->mtx);
239 		}
240 	}
241 	mtx_unlock(&chacha20->mtx);
242 }
243 
244 uint32_t
245 arc4random(void)
246 {
247 	uint32_t ret;
248 
249 	arc4rand(&ret, sizeof(ret), 0);
250 	return ret;
251 }
252 
253 void
254 arc4random_buf(void *ptr, size_t len)
255 {
256 
257 	arc4rand(ptr, len, 0);
258 }
259