xref: /titanic_44/usr/src/uts/common/crypto/api/kcf_random.c (revision 99653d4ee642c6528e88224f12409a5f23060994)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * This file implements the interfaces that the /dev/random
30  * driver uses for read(2), write(2) and poll(2) on /dev/random or
31  * /dev/urandom. It also implements the kernel API - random_add_entropy(),
32  * random_get_pseudo_bytes() and random_get_bytes().
33  *
34  * We periodically collect random bits from providers which are registered
35  * with the Kernel Cryptographic Framework (kCF) as capable of random
36  * number generation. The random bits are maintained in a cache and
37  * it is used for high quality random numbers (/dev/random) requests.
38  * We pick a provider and call its SPI routine, if the cache does not have
39  * enough bytes to satisfy a request.
40  *
41  * /dev/urandom requests use a software-based generator algorithm that uses the
42  * random bits in the cache as a seed. We create one pseudo-random generator
43  * (for /dev/urandom) per possible CPU on the system, and use it,
44  * kmem-magazine-style, to avoid cache line contention.
45  *
46  * LOCKING HIERARCHY:
47  *	1) rmp->rm_lock protects the per-cpu pseudo-random generators.
48  * 	2) rndpool_lock protects the high-quality randomness pool.
49  *		It may be locked while a rmp->rm_lock is held.
50  *
51  * A history note: The kernel API and the software-based algorithms in this
52  * file used to be part of the /dev/random driver.
53  */
54 
55 #include <sys/types.h>
56 #include <sys/conf.h>
57 #include <sys/sunddi.h>
58 #include <sys/disp.h>
59 #include <sys/modctl.h>
60 #include <sys/ddi.h>
61 #include <sys/crypto/common.h>
62 #include <sys/crypto/api.h>
63 #include <sys/crypto/impl.h>
64 #include <sys/crypto/sched_impl.h>
65 #include <sys/random.h>
66 #include <sys/sha1.h>
67 #include <sys/time.h>
68 #include <sys/sysmacros.h>
69 #include <sys/cpuvar.h>
70 #include <sys/taskq.h>
71 
72 #define	RNDPOOLSIZE		1024	/* Pool size in bytes */
73 #define	MINEXTRACTBYTES		20
74 #define	MAXEXTRACTBYTES		1024
75 #define	PRNG_MAXOBLOCKS		1310720	/* Max output block per prng key */
76 #define	TIMEOUT_INTERVAL	5	/* Periodic mixing interval in secs */
77 
78 typedef enum    extract_type {
79 	NONBLOCK_EXTRACT,
80 	BLOCKING_EXTRACT,
81 	ALWAYS_EXTRACT
82 } extract_type_t;
83 
84 /*
85  * Hash-algo generic definitions. For now, they are SHA1's. We use SHA1
86  * routines directly instead of using k-API because we can't return any
87  * error code in /dev/urandom case and we can get an error using k-API
88  * if a mechanism is disabled.
89  */
90 #define	HASHSIZE		20
91 #define	HASH_CTX		SHA1_CTX
92 #define	HashInit(ctx)		SHA1Init((ctx))
93 #define	HashUpdate(ctx, p, s)	SHA1Update((ctx), (p), (s))
94 #define	HashFinal(d, ctx)	SHA1Final((d), (ctx))
95 
96 /* HMAC-SHA1 */
97 #define	HMAC_KEYSIZE			20
98 #define	HMAC_BLOCK_SIZE			64
99 #define	HMAC_KEYSCHED			sha1keysched_t
100 #define	SET_ENCRYPT_KEY(k, s, ks)	hmac_key((k), (s), (ks))
101 #define	HMAC_ENCRYPT(ks, p, s, d)	hmac_encr((ks), (uint8_t *)(p), s, d)
102 
103 /* HMAC-SHA1 "keyschedule" */
104 typedef struct sha1keysched_s {
105 	SHA1_CTX ictx;
106 	SHA1_CTX octx;
107 } sha1keysched_t;
108 
109 /*
110  * Cache of random bytes implemented as a circular buffer. findex and rindex
111  * track the front and back of the circular buffer.
112  */
113 uint8_t rndpool[RNDPOOLSIZE];
114 static int findex, rindex;
115 static int rnbyte_cnt;		/* Number of bytes in the cache */
116 
117 static kmutex_t rndpool_lock;	/* protects r/w accesses to the cache, */
118 				/* and the global variables */
119 static kcondvar_t rndpool_read_cv; /* serializes poll/read syscalls */
120 static int num_waiters;		/* #threads waiting to read from /dev/random */
121 
122 static struct pollhead rnd_pollhead;
123 static timeout_id_t kcf_rndtimeout_id;
124 static crypto_mech_type_t rngmech_type = CRYPTO_MECH_INVALID;
125 rnd_stats_t rnd_stats;
126 
127 static void rndc_addbytes(uint8_t *, size_t);
128 static void rndc_getbytes(uint8_t *ptr, size_t len);
129 static void rnd_handler(void *);
130 static void rnd_alloc_magazines();
131 static void hmac_key(uint8_t *, size_t, void *);
132 static void hmac_encr(void *, uint8_t *, size_t, uint8_t *);
133 
134 
135 void
136 kcf_rnd_init()
137 {
138 	hrtime_t ts;
139 	time_t now;
140 
141 	mutex_init(&rndpool_lock, NULL, MUTEX_DEFAULT, NULL);
142 	cv_init(&rndpool_read_cv, NULL, CV_DEFAULT, NULL);
143 
144 	/*
145 	 * Add bytes to the cache using
146 	 * . 2 unpredictable times: high resolution time since the boot-time,
147 	 *   and the current time-of-the day.
148 	 * This is used only to make the timeout value in the timer
149 	 * unpredictable.
150 	 */
151 	ts = gethrtime();
152 	rndc_addbytes((uint8_t *)&ts, sizeof (ts));
153 
154 	(void) drv_getparm(TIME, &now);
155 	rndc_addbytes((uint8_t *)&now, sizeof (now));
156 
157 	rnbyte_cnt = 0;
158 	findex = rindex = 0;
159 	num_waiters = 0;
160 	rngmech_type = KCF_MECHID(KCF_MISC_CLASS, 0);
161 
162 	rnd_alloc_magazines();
163 }
164 
165 /*
166  * Return TRUE if at least one provider exists that can
167  * supply random numbers.
168  */
169 boolean_t
170 kcf_rngprov_check(void)
171 {
172 	int rv;
173 	kcf_provider_desc_t *pd;
174 
175 	if ((pd = kcf_get_mech_provider(rngmech_type, NULL, &rv,
176 	    NULL, CRYPTO_FG_RANDOM, B_FALSE, 0)) != NULL) {
177 		KCF_PROV_REFRELE(pd);
178 		return (B_TRUE);
179 	} else
180 		return (B_FALSE);
181 }
182 
183 /*
184  * Pick a software-based provider and submit a request to seed
185  * its random number generator.
186  */
187 static void
188 rngprov_seed(uint8_t *buf, int len, uint_t entropy_est, uint32_t flags)
189 {
190 	kcf_provider_desc_t *pd = NULL;
191 
192 	if (kcf_get_sw_prov(rngmech_type, &pd, B_FALSE) == CRYPTO_SUCCESS) {
193 		(void) KCF_PROV_SEED_RANDOM(pd, pd->pd_sid, buf, len,
194 		    entropy_est, flags, NULL);
195 		KCF_PROV_REFRELE(pd);
196 	}
197 }
198 
199 /* Boot-time tunable for experimentation. */
200 int kcf_limit_hwrng = 1;
201 
202 
203 /*
204  * This routine is called for blocking reads.
205  *
206  * The argument from_user_api indicates whether the caller is
207  * from userland coming via the /dev/random driver.
208  *
209  * The argument is_taskq_thr indicates whether the caller is
210  * the taskq thread dispatched by the timeout handler routine.
211  * In this case, we cycle through all the providers
212  * submitting a request to each provider to generate random numbers.
213  *
214  * For other cases, we pick a provider and submit a request to generate
215  * random numbers. We retry using another provider if we get an error.
216  *
217  * Returns the number of bytes that are written to 'ptr'. Returns -1
218  * if no provider is found. ptr and need are unchanged.
219  */
220 static int
221 rngprov_getbytes(uint8_t *ptr, size_t need, boolean_t from_user_api,
222     boolean_t is_taskq_thr)
223 {
224 	int rv;
225 	int prov_cnt = 0;
226 	int total_bytes = 0;
227 	kcf_provider_desc_t *pd;
228 	kcf_req_params_t params;
229 	kcf_prov_tried_t *list = NULL;
230 
231 	while ((pd = kcf_get_mech_provider(rngmech_type, NULL, &rv,
232 	    list, CRYPTO_FG_RANDOM, B_FALSE, 0)) != NULL) {
233 
234 		prov_cnt++;
235 		/*
236 		 * Typically a hardware RNG is a multi-purpose
237 		 * crypto card and hence we do not want to overload the card
238 		 * just for random numbers. The following check is to prevent
239 		 * a user process from hogging the hardware RNG. Note that we
240 		 * still use the hardware RNG from the periodically run
241 		 * taskq thread.
242 		 */
243 		if (pd->pd_prov_type == CRYPTO_HW_PROVIDER && from_user_api &&
244 		    kcf_limit_hwrng == 1) {
245 			ASSERT(is_taskq_thr == B_FALSE);
246 			goto try_next;
247 		}
248 
249 		KCF_WRAP_RANDOM_OPS_PARAMS(&params, KCF_OP_RANDOM_GENERATE,
250 		    pd->pd_sid, ptr, need, 0, 0);
251 		rv = kcf_submit_request(pd, NULL, NULL, &params, B_FALSE);
252 		ASSERT(rv != CRYPTO_QUEUED);
253 
254 		if (rv == CRYPTO_SUCCESS) {
255 			total_bytes += need;
256 			if (is_taskq_thr)
257 				rndc_addbytes(ptr, need);
258 			else {
259 				KCF_PROV_REFRELE(pd);
260 				break;
261 			}
262 		}
263 
264 		if (is_taskq_thr || rv != CRYPTO_SUCCESS) {
265 try_next:
266 			/* Add pd to the linked list of providers tried. */
267 			if (kcf_insert_triedlist(&list, pd, KM_SLEEP) == NULL) {
268 				KCF_PROV_REFRELE(pd);
269 				break;
270 			}
271 		}
272 
273 	}
274 
275 	if (list != NULL)
276 		kcf_free_triedlist(list);
277 
278 	if (prov_cnt == 0) { /* no provider could be found. */
279 		return (-1);
280 	}
281 
282 	return (total_bytes);
283 }
284 
285 static void
286 notify_done(void *arg, int rv)
287 {
288 	uchar_t *rndbuf = arg;
289 
290 	if (rv == CRYPTO_SUCCESS)
291 		rndc_addbytes(rndbuf, MINEXTRACTBYTES);
292 
293 	bzero(rndbuf, MINEXTRACTBYTES);
294 	kmem_free(rndbuf, MINEXTRACTBYTES);
295 }
296 
297 /*
298  * Cycle through all the providers submitting a request to each provider
299  * to generate random numbers. This is called for the modes - NONBLOCK_EXTRACT
300  * and ALWAYS_EXTRACT.
301  *
302  * Returns the number of bytes that are written to 'ptr'. Returns -1
303  * if no provider is found. ptr and len are unchanged.
304  */
305 static int
306 rngprov_getbytes_nblk(uint8_t *ptr, size_t len, boolean_t from_user_api)
307 {
308 	int rv, blen, total_bytes;
309 	uchar_t *rndbuf;
310 	kcf_provider_desc_t *pd;
311 	kcf_req_params_t params;
312 	crypto_call_req_t req;
313 	kcf_prov_tried_t *list = NULL;
314 	int prov_cnt = 0;
315 
316 	blen = 0;
317 	total_bytes = 0;
318 	req.cr_flag = CRYPTO_SKIP_REQID;
319 	req.cr_callback_func = notify_done;
320 
321 	while ((pd = kcf_get_mech_provider(rngmech_type, NULL, &rv,
322 	    list, CRYPTO_FG_RANDOM, CHECK_RESTRICT(&req), 0)) != NULL) {
323 
324 		prov_cnt ++;
325 		switch (pd->pd_prov_type) {
326 		case CRYPTO_HW_PROVIDER:
327 			/* See comments in rngprov_getbytes() */
328 			if (from_user_api && kcf_limit_hwrng == 1)
329 				goto try_next;
330 
331 			/*
332 			 * We have to allocate a buffer here as we can not
333 			 * assume that the input buffer will remain valid
334 			 * when the callback comes. We use a fixed size buffer
335 			 * to simplify the book keeping.
336 			 */
337 			rndbuf = kmem_alloc(MINEXTRACTBYTES, KM_NOSLEEP);
338 			if (rndbuf == NULL) {
339 				KCF_PROV_REFRELE(pd);
340 				if (list != NULL)
341 					kcf_free_triedlist(list);
342 				return (total_bytes);
343 			}
344 			req.cr_callback_arg = rndbuf;
345 			KCF_WRAP_RANDOM_OPS_PARAMS(&params,
346 			    KCF_OP_RANDOM_GENERATE,
347 			    pd->pd_sid, rndbuf, MINEXTRACTBYTES, 0, 0);
348 			break;
349 
350 		case CRYPTO_SW_PROVIDER:
351 			/*
352 			 * We do not need to allocate a buffer in the software
353 			 * provider case as there is no callback involved. We
354 			 * avoid any extra data copy by directly passing 'ptr'.
355 			 */
356 			KCF_WRAP_RANDOM_OPS_PARAMS(&params,
357 			    KCF_OP_RANDOM_GENERATE,
358 			    pd->pd_sid, ptr, len, 0, 0);
359 			break;
360 		}
361 
362 		rv = kcf_submit_request(pd, NULL, &req, &params, B_FALSE);
363 		if (rv == CRYPTO_SUCCESS) {
364 			switch (pd->pd_prov_type) {
365 			case CRYPTO_HW_PROVIDER:
366 				/*
367 				 * Since we have the input buffer handy,
368 				 * we directly copy to it rather than
369 				 * adding to the pool.
370 				 */
371 				blen = min(MINEXTRACTBYTES, len);
372 				bcopy(rndbuf, ptr, blen);
373 				if (len < MINEXTRACTBYTES)
374 					rndc_addbytes(rndbuf + len,
375 					    MINEXTRACTBYTES - len);
376 				ptr += blen;
377 				len -= blen;
378 				total_bytes += blen;
379 				break;
380 
381 			case CRYPTO_SW_PROVIDER:
382 				total_bytes += len;
383 				len = 0;
384 				break;
385 			}
386 		}
387 
388 		/*
389 		 * We free the buffer in the callback routine
390 		 * for the CRYPTO_QUEUED case.
391 		 */
392 		if (pd->pd_prov_type == CRYPTO_HW_PROVIDER &&
393 		    rv != CRYPTO_QUEUED) {
394 			bzero(rndbuf, MINEXTRACTBYTES);
395 			kmem_free(rndbuf, MINEXTRACTBYTES);
396 		}
397 
398 		if (len == 0) {
399 			KCF_PROV_REFRELE(pd);
400 			break;
401 		}
402 
403 		if (rv != CRYPTO_SUCCESS) {
404 try_next:
405 			/* Add pd to the linked list of providers tried. */
406 			if (kcf_insert_triedlist(&list, pd, KM_NOSLEEP) ==
407 			    NULL) {
408 				KCF_PROV_REFRELE(pd);
409 				break;
410 			}
411 		}
412 	}
413 
414 	if (list != NULL) {
415 		kcf_free_triedlist(list);
416 	}
417 
418 	if (prov_cnt == 0) { /* no provider could be found. */
419 		return (-1);
420 	}
421 
422 	return (total_bytes);
423 }
424 
425 static void
426 rngprov_task(void *arg)
427 {
428 	int len = (int)(uintptr_t)arg;
429 	uchar_t tbuf[MAXEXTRACTBYTES];
430 
431 	ASSERT(len <= MAXEXTRACTBYTES);
432 	if (rngprov_getbytes(tbuf, len, B_FALSE, B_TRUE) == -1) {
433 		cmn_err(CE_WARN, "No randomness provider enabled for "
434 		    "/dev/random. Use cryptoadm(1M) to enable a provider.");
435 	}
436 }
437 
438 /*
439  * Returns "len" random or pseudo-random bytes in *ptr.
440  * Will block if not enough random bytes are available and the
441  * call is blocking.
442  *
443  * Called with rndpool_lock held (allowing caller to do optimistic locking;
444  * releases the lock before return).
445  */
446 static int
447 rnd_get_bytes(uint8_t *ptr, size_t len, extract_type_t how,
448     boolean_t from_user_api)
449 {
450 	int bytes;
451 	size_t got;
452 
453 	ASSERT(mutex_owned(&rndpool_lock));
454 	/*
455 	 * Check if the request can be satisfied from the cache
456 	 * of random bytes.
457 	 */
458 	if (len <= rnbyte_cnt) {
459 		rndc_getbytes(ptr, len);
460 		mutex_exit(&rndpool_lock);
461 		return (0);
462 	}
463 	mutex_exit(&rndpool_lock);
464 
465 	switch (how) {
466 	case BLOCKING_EXTRACT:
467 		if ((got = rngprov_getbytes(ptr, len, from_user_api,
468 		    B_FALSE)) == -1)
469 			break;	/* No provider found */
470 
471 		if (got == len)
472 			return (0);
473 		len -= got;
474 		ptr += got;
475 		break;
476 
477 	case NONBLOCK_EXTRACT:
478 	case ALWAYS_EXTRACT:
479 		if ((got = rngprov_getbytes_nblk(ptr, len,
480 		    from_user_api)) == -1) {
481 			/* No provider found */
482 			if (how == NONBLOCK_EXTRACT) {
483 				return (EAGAIN);
484 			}
485 		} else {
486 			if (got == len)
487 				return (0);
488 			len -= got;
489 			ptr += got;
490 		}
491 		if (how == NONBLOCK_EXTRACT && (rnbyte_cnt < len))
492 			return (EAGAIN);
493 		break;
494 	}
495 
496 	mutex_enter(&rndpool_lock);
497 	while (len > 0) {
498 		if (how == BLOCKING_EXTRACT) {
499 			/* Check if there is enough */
500 			while (rnbyte_cnt < MINEXTRACTBYTES) {
501 				num_waiters++;
502 				if (cv_wait_sig(&rndpool_read_cv,
503 				    &rndpool_lock) == 0) {
504 					num_waiters--;
505 					mutex_exit(&rndpool_lock);
506 					return (EINTR);
507 				}
508 				num_waiters--;
509 			}
510 		}
511 
512 		/* Figure out how many bytes to extract */
513 		bytes = min(len, rnbyte_cnt);
514 		rndc_getbytes(ptr, bytes);
515 
516 		len -= bytes;
517 		ptr += bytes;
518 
519 		if (len > 0 && how == ALWAYS_EXTRACT) {
520 			/*
521 			 * There are not enough bytes, but we can not block.
522 			 * This only happens in the case of /dev/urandom which
523 			 * runs an additional generation algorithm. So, there
524 			 * is no problem.
525 			 */
526 			while (len > 0) {
527 				*ptr = rndpool[findex];
528 				ptr++; len--;
529 				rindex = findex = (findex + 1) &
530 				    (RNDPOOLSIZE - 1);
531 			}
532 			break;
533 		}
534 	}
535 
536 	mutex_exit(&rndpool_lock);
537 	return (0);
538 }
539 
540 int
541 kcf_rnd_get_bytes(uint8_t *ptr, size_t len, boolean_t noblock,
542     boolean_t from_user_api)
543 {
544 	extract_type_t how;
545 	int error;
546 
547 	how = noblock ? NONBLOCK_EXTRACT : BLOCKING_EXTRACT;
548 	mutex_enter(&rndpool_lock);
549 	if ((error = rnd_get_bytes(ptr, len, how, from_user_api)) != 0)
550 		return (error);
551 
552 	BUMP_RND_STATS(rs_rndOut, len);
553 	return (0);
554 }
555 
556 /*
557  * Revisit this if the structs grow or we come up with a better way
558  * of cache-line-padding structures.
559  */
560 #define	RND_CPU_CACHE_SIZE	64
561 #define	RND_CPU_PAD_SIZE	RND_CPU_CACHE_SIZE*5
562 #define	RND_CPU_PAD (RND_CPU_PAD_SIZE - \
563 	(sizeof (kmutex_t) + 3*sizeof (uint8_t *) + sizeof (HMAC_KEYSCHED) + \
564 	sizeof (uint64_t) + 3*sizeof (uint32_t) + sizeof (rnd_stats_t)))
565 
566 /*
567  * Per-CPU random state.  Somewhat like like kmem's magazines, this provides
568  * a per-CPU instance of the pseudo-random generator.  We have it much easier
569  * than kmem, as we can afford to "leak" random bits if a CPU is DR'ed out.
570  *
571  * Note that this usage is preemption-safe; a thread
572  * entering a critical section remembers which generator it locked
573  * and unlocks the same one; should it be preempted and wind up running on
574  * a different CPU, there will be a brief period of increased contention
575  * before it exits the critical section but nothing will melt.
576  */
577 typedef struct rndmag_s
578 {
579 	kmutex_t	rm_lock;
580 	uint8_t 	*rm_buffer;	/* Start of buffer */
581 	uint8_t		*rm_eptr;	/* End of buffer */
582 	uint8_t		*rm_rptr;	/* Current read pointer */
583 	HMAC_KEYSCHED 	rm_ks;		/* seed */
584 	uint64_t 	rm_counter;	/* rotating counter for extracting */
585 	uint32_t	rm_oblocks;	/* time to rekey? */
586 	uint32_t	rm_ofuzz;	/* Rekey backoff state */
587 	uint32_t	rm_olimit;	/* Hard rekey limit */
588 	rnd_stats_t	rm_stats;	/* Per-CPU Statistics */
589 	uint8_t		rm_pad[RND_CPU_PAD];
590 } rndmag_t;
591 
592 /*
593  * Generate random bytes for /dev/urandom by encrypting a
594  * rotating counter with a key created from bytes extracted
595  * from the pool.  A maximum of PRNG_MAXOBLOCKS output blocks
596  * is generated before a new key is obtained.
597  *
598  * Note that callers to this routine are likely to assume it can't fail.
599  *
600  * Called with rmp locked; releases lock.
601  */
602 static int
603 rnd_generate_pseudo_bytes(rndmag_t *rmp, uint8_t *ptr, size_t len)
604 {
605 	size_t bytes = len;
606 	int nblock, size;
607 	uint32_t oblocks;
608 	uint8_t digest[HASHSIZE];
609 
610 	ASSERT(mutex_owned(&rmp->rm_lock));
611 
612 	/* Nothing is being asked */
613 	if (len == 0) {
614 		mutex_exit(&rmp->rm_lock);
615 		return (0);
616 	}
617 
618 	nblock = howmany(len, HASHSIZE);
619 
620 	rmp->rm_oblocks += nblock;
621 	oblocks = rmp->rm_oblocks;
622 
623 	do {
624 		if (oblocks >= rmp->rm_olimit) {
625 			hrtime_t timestamp;
626 			uint8_t key[HMAC_KEYSIZE];
627 
628 			/*
629 			 * Contention-avoiding rekey: see if
630 			 * the pool is locked, and if so, wait a bit.
631 			 * Do an 'exponential back-in' to ensure we don't
632 			 * run too long without rekey.
633 			 */
634 			if (rmp->rm_ofuzz) {
635 				/*
636 				 * Decaying exponential back-in for rekey.
637 				 */
638 				if ((rnbyte_cnt < MINEXTRACTBYTES) ||
639 				    (!mutex_tryenter(&rndpool_lock))) {
640 					rmp->rm_olimit += rmp->rm_ofuzz;
641 					rmp->rm_ofuzz >>= 1;
642 					goto punt;
643 				}
644 			} else {
645 				mutex_enter(&rndpool_lock);
646 			}
647 
648 			/* Get a new chunk of entropy */
649 			(void) rnd_get_bytes(key, HMAC_KEYSIZE,
650 			    ALWAYS_EXTRACT, B_FALSE);
651 
652 			/* Set up key */
653 			SET_ENCRYPT_KEY(key, HMAC_KEYSIZE, &rmp->rm_ks);
654 
655 			/* Get new counter value by encrypting timestamp */
656 			timestamp = gethrtime();
657 			HMAC_ENCRYPT(&rmp->rm_ks, &timestamp,
658 			    sizeof (timestamp), digest);
659 			rmp->rm_olimit = PRNG_MAXOBLOCKS/2;
660 			rmp->rm_ofuzz = PRNG_MAXOBLOCKS/4;
661 			bcopy(digest, &rmp->rm_counter, sizeof (uint64_t));
662 			oblocks = 0;
663 			rmp->rm_oblocks = nblock;
664 		}
665 punt:
666 		/* Hash counter to produce prn stream */
667 		if (bytes >= HASHSIZE) {
668 			size = HASHSIZE;
669 			HMAC_ENCRYPT(&rmp->rm_ks, &rmp->rm_counter,
670 			    sizeof (rmp->rm_counter), ptr);
671 		} else {
672 			size = min(bytes, HASHSIZE);
673 			HMAC_ENCRYPT(&rmp->rm_ks, &rmp->rm_counter,
674 			    sizeof (rmp->rm_counter), digest);
675 			bcopy(digest, ptr, size);
676 		}
677 		ptr += size;
678 		bytes -= size;
679 		rmp->rm_counter++;
680 		oblocks++;
681 		nblock--;
682 	} while (bytes > 0);
683 
684 	mutex_exit(&rmp->rm_lock);
685 	return (0);
686 }
687 
688 /*
689  * Per-CPU Random magazines.
690  */
691 static rndmag_t *rndmag;
692 static uint8_t	*rndbuf;
693 static size_t 	rndmag_total;
694 /*
695  * common/os/cpu.c says that platform support code can shrinkwrap
696  * max_ncpus.  On the off chance that we get loaded very early, we
697  * read it exactly once, to copy it here.
698  */
699 static uint32_t	random_max_ncpus = 0;
700 
701 /*
702  * Boot-time tunables, for experimentation.
703  */
704 size_t	rndmag_threshold = 2560;
705 size_t	rndbuf_len = 5120;
706 size_t	rndmag_size = 1280;
707 
708 
709 int
710 kcf_rnd_get_pseudo_bytes(uint8_t *ptr, size_t len)
711 {
712 	rndmag_t *rmp;
713 	uint8_t *cptr, *eptr;
714 
715 	/*
716 	 * Anyone who asks for zero bytes of randomness should get slapped.
717 	 */
718 	ASSERT(len > 0);
719 
720 	/*
721 	 * Fast path.
722 	 */
723 	for (;;) {
724 		rmp = &rndmag[CPU->cpu_seqid];
725 		mutex_enter(&rmp->rm_lock);
726 
727 		/*
728 		 * Big requests bypass buffer and tail-call the
729 		 * generate routine directly.
730 		 */
731 		if (len > rndmag_threshold) {
732 			BUMP_CPU_RND_STATS(rmp, rs_urndOut, len);
733 			return (rnd_generate_pseudo_bytes(rmp, ptr, len));
734 		}
735 
736 		cptr = rmp->rm_rptr;
737 		eptr = cptr + len;
738 
739 		if (eptr <= rmp->rm_eptr) {
740 			rmp->rm_rptr = eptr;
741 			bcopy(cptr, ptr, len);
742 			BUMP_CPU_RND_STATS(rmp, rs_urndOut, len);
743 			mutex_exit(&rmp->rm_lock);
744 
745 			return (0);
746 		}
747 		/*
748 		 * End fast path.
749 		 */
750 		rmp->rm_rptr = rmp->rm_buffer;
751 		/*
752 		 * Note:  We assume the generate routine always succeeds
753 		 * in this case (because it does at present..)
754 		 * It also always releases rm_lock.
755 		 */
756 		(void) rnd_generate_pseudo_bytes(rmp, rmp->rm_buffer,
757 		    rndbuf_len);
758 	}
759 }
760 
761 /*
762  * We set up (empty) magazines for all of max_ncpus, possibly wasting a
763  * little memory on big systems that don't have the full set installed.
764  * See above;  "empty" means "rptr equal to eptr"; this will trigger the
765  * refill path in rnd_get_pseudo_bytes above on the first call for each CPU.
766  *
767  * TODO: make rndmag_size tunable at run time!
768  */
769 static void
770 rnd_alloc_magazines()
771 {
772 	rndmag_t *rmp;
773 	int i;
774 
775 	rndbuf_len = roundup(rndbuf_len, HASHSIZE);
776 	if (rndmag_size < rndbuf_len)
777 		rndmag_size = rndbuf_len;
778 	rndmag_size = roundup(rndmag_size, RND_CPU_CACHE_SIZE);
779 
780 	random_max_ncpus = max_ncpus;
781 	rndmag_total = rndmag_size * random_max_ncpus;
782 
783 	rndbuf = kmem_alloc(rndmag_total, KM_SLEEP);
784 	rndmag = kmem_zalloc(sizeof (rndmag_t) * random_max_ncpus, KM_SLEEP);
785 
786 	for (i = 0; i < random_max_ncpus; i++) {
787 		uint8_t *buf;
788 
789 		rmp = &rndmag[i];
790 		mutex_init(&rmp->rm_lock, NULL, MUTEX_DRIVER, NULL);
791 
792 		buf = rndbuf + i * rndmag_size;
793 
794 		rmp->rm_buffer = buf;
795 		rmp->rm_eptr = buf + rndbuf_len;
796 		rmp->rm_rptr = buf + rndbuf_len;
797 		rmp->rm_oblocks = 1;
798 	}
799 }
800 
801 void
802 kcf_rnd_schedule_timeout(boolean_t do_mech2id)
803 {
804 	clock_t ut;	/* time in microseconds */
805 
806 	if (do_mech2id)
807 		rngmech_type = crypto_mech2id(SUN_RANDOM);
808 
809 	/*
810 	 * The new timeout value is taken from the buffer of random bytes.
811 	 * We're merely reading the first 32 bits from the buffer here, not
812 	 * consuming any random bytes.
813 	 * The timeout multiplier value is a random value between 0.5 sec and
814 	 * 1.544480 sec (0.5 sec + 0xFF000 microseconds).
815 	 * The new timeout is TIMEOUT_INTERVAL times that multiplier.
816 	 */
817 	ut = 500000 + (clock_t)((((uint32_t)rndpool[findex]) << 12) & 0xFF000);
818 	kcf_rndtimeout_id = timeout(rnd_handler, NULL,
819 	    TIMEOUT_INTERVAL * drv_usectohz(ut));
820 }
821 
822 /*
823  * &rnd_pollhead is passed in *phpp in order to indicate the calling thread
824  * will block. When enough random bytes are available, later, the timeout
825  * handler routine will issue the pollwakeup() calls.
826  */
827 void
828 kcf_rnd_chpoll(int anyyet, short *reventsp, struct pollhead **phpp)
829 {
830 	/*
831 	 * Sampling of rnbyte_cnt is an atomic
832 	 * operation. Hence we do not need any locking.
833 	 */
834 	if (rnbyte_cnt >= MINEXTRACTBYTES) {
835 		*reventsp |= (POLLIN | POLLRDNORM);
836 	} else {
837 		*reventsp = 0;
838 		if (!anyyet)
839 			*phpp = &rnd_pollhead;
840 	}
841 }
842 
843 /*ARGSUSED*/
844 static void
845 rnd_handler(void *arg)
846 {
847 	int len = 0;
848 
849 	if (num_waiters > 0)
850 		len = MAXEXTRACTBYTES;
851 	else if (rnbyte_cnt < RNDPOOLSIZE)
852 		len = MINEXTRACTBYTES;
853 
854 	if (len > 0) {
855 		(void) taskq_dispatch(system_taskq, rngprov_task,
856 		    (void *)(uintptr_t)len, TQ_NOSLEEP);
857 	} else if (!kcf_rngprov_check()) {
858 		cmn_err(CE_WARN, "No randomness provider enabled for "
859 		    "/dev/random. Use cryptoadm(1M) to enable a provider.");
860 	}
861 
862 	mutex_enter(&rndpool_lock);
863 	/*
864 	 * Wake up threads waiting in poll() or for enough accumulated
865 	 * random bytes to read from /dev/random. In case a poll() is
866 	 * concurrent with a read(), the polling process may be woken up
867 	 * indicating that enough randomness is now available for reading,
868 	 * and another process *steals* the bits from the pool, causing the
869 	 * subsequent read() from the first process to block. It is acceptable
870 	 * since the blocking will eventually end, after the timeout
871 	 * has expired enough times to honor the read.
872 	 *
873 	 * Note - Since we hold the rndpool_lock across the pollwakeup() call
874 	 * we MUST NOT grab the rndpool_lock in kcf_rndchpoll().
875 	 */
876 	if (rnbyte_cnt >= MINEXTRACTBYTES)
877 		pollwakeup(&rnd_pollhead, POLLIN | POLLRDNORM);
878 
879 	if (num_waiters > 0)
880 		cv_broadcast(&rndpool_read_cv);
881 	mutex_exit(&rndpool_lock);
882 
883 	kcf_rnd_schedule_timeout(B_FALSE);
884 }
885 
886 /* Hashing functions */
887 
888 static void
889 hmac_key(uint8_t *key, size_t keylen, void *buf)
890 {
891 	uint32_t *ip, *op;
892 	uint32_t ipad[HMAC_BLOCK_SIZE/sizeof (uint32_t)];
893 	uint32_t opad[HMAC_BLOCK_SIZE/sizeof (uint32_t)];
894 	HASH_CTX *icontext, *ocontext;
895 	int i;
896 	int nints;
897 
898 	icontext = buf;
899 	ocontext = (SHA1_CTX *)((uint8_t *)buf + sizeof (HASH_CTX));
900 
901 	bzero((uchar_t *)ipad, HMAC_BLOCK_SIZE);
902 	bzero((uchar_t *)opad, HMAC_BLOCK_SIZE);
903 	bcopy(key, (uchar_t *)ipad, keylen);
904 	bcopy(key, (uchar_t *)opad, keylen);
905 
906 	/*
907 	 * XOR key with ipad (0x36) and opad (0x5c) as defined
908 	 * in RFC 2104.
909 	 */
910 	ip = ipad;
911 	op = opad;
912 	nints = HMAC_BLOCK_SIZE/sizeof (uint32_t);
913 
914 	for (i = 0; i < nints; i++) {
915 		ip[i] ^= 0x36363636;
916 		op[i] ^= 0x5c5c5c5c;
917 	}
918 
919 	/* Perform hash with ipad */
920 	HashInit(icontext);
921 	HashUpdate(icontext, (uchar_t *)ipad, HMAC_BLOCK_SIZE);
922 
923 	/* Perform hash with opad */
924 	HashInit(ocontext);
925 	HashUpdate(ocontext, (uchar_t *)opad, HMAC_BLOCK_SIZE);
926 }
927 
928 static void
929 hmac_encr(void *ctx, uint8_t *ptr, size_t len, uint8_t *digest)
930 {
931 	HASH_CTX *saved_contexts;
932 	HASH_CTX icontext;
933 	HASH_CTX ocontext;
934 
935 	saved_contexts = (HASH_CTX *)ctx;
936 	icontext = saved_contexts[0];
937 	ocontext = saved_contexts[1];
938 
939 	HashUpdate(&icontext, ptr, len);
940 	HashFinal(digest, &icontext);
941 
942 	/*
943 	 * Perform Hash(K XOR OPAD, DIGEST), where DIGEST is the
944 	 * Hash(K XOR IPAD, DATA).
945 	 */
946 	HashUpdate(&ocontext, digest, HASHSIZE);
947 	HashFinal(digest, &ocontext);
948 }
949 
950 
951 static void
952 rndc_addbytes(uint8_t *ptr, size_t len)
953 {
954 	ASSERT(ptr != NULL && len > 0);
955 	ASSERT(rnbyte_cnt <= RNDPOOLSIZE);
956 
957 	mutex_enter(&rndpool_lock);
958 	while ((len > 0) && (rnbyte_cnt < RNDPOOLSIZE)) {
959 		rndpool[rindex] ^= *ptr;
960 		ptr++; len--;
961 		rindex = (rindex + 1) & (RNDPOOLSIZE - 1);
962 		rnbyte_cnt++;
963 	}
964 
965 	/* Handle buffer full case */
966 	while (len > 0) {
967 		rndpool[rindex] ^= *ptr;
968 		ptr++; len--;
969 		findex = rindex = (rindex + 1) & (RNDPOOLSIZE - 1);
970 	}
971 	mutex_exit(&rndpool_lock);
972 }
973 
974 /*
975  * Caller should check len <= rnbyte_cnt under the
976  * rndpool_lock before calling.
977  */
978 static void
979 rndc_getbytes(uint8_t *ptr, size_t len)
980 {
981 	ASSERT(MUTEX_HELD(&rndpool_lock));
982 	ASSERT(len <= rnbyte_cnt && rnbyte_cnt <= RNDPOOLSIZE);
983 
984 	BUMP_RND_STATS(rs_rndcOut, len);
985 
986 	while (len > 0) {
987 		*ptr = rndpool[findex];
988 		ptr++; len--;
989 		findex = (findex + 1) & (RNDPOOLSIZE - 1);
990 		rnbyte_cnt--;
991 	}
992 }
993 
994 /* Random number exported entry points */
995 
996 /*
997  * Mix the supplied bytes into the entropy pool of a kCF
998  * RNG provider.
999  */
1000 int
1001 random_add_pseudo_entropy(uint8_t *ptr, size_t len, uint_t entropy_est)
1002 {
1003 	if (len < 1)
1004 		return (-1);
1005 
1006 	rngprov_seed(ptr, len, entropy_est, 0);
1007 
1008 	return (0);
1009 }
1010 
1011 /*
1012  * Mix the supplied bytes into the entropy pool of a kCF
1013  * RNG provider. Mix immediately.
1014  */
1015 int
1016 random_add_entropy(uint8_t *ptr, size_t len, uint_t entropy_est)
1017 {
1018 	if (len < 1)
1019 		return (-1);
1020 
1021 	rngprov_seed(ptr, len, entropy_est, CRYPTO_SEED_NOW);
1022 
1023 	return (0);
1024 }
1025 
1026 /*
1027  * Get bytes from the /dev/urandom generator. This function
1028  * always succeeds. Returns 0.
1029  */
1030 int
1031 random_get_pseudo_bytes(uint8_t *ptr, size_t len)
1032 {
1033 	ASSERT(!mutex_owned(&rndpool_lock));
1034 
1035 	if (len < 1)
1036 		return (0);
1037 	return (kcf_rnd_get_pseudo_bytes(ptr, len));
1038 }
1039 
1040 /*
1041  * Get bytes from the /dev/random generator. Returns 0
1042  * on success. Returns EAGAIN if there is insufficient entropy.
1043  */
1044 int
1045 random_get_bytes(uint8_t *ptr, size_t len)
1046 {
1047 	ASSERT(!mutex_owned(&rndpool_lock));
1048 
1049 	if (len < 1)
1050 		return (0);
1051 	return (kcf_rnd_get_bytes(ptr, len, B_TRUE, B_FALSE));
1052 }
1053