1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * This file implements the interfaces that the /dev/random 30 * driver uses for read(2), write(2) and poll(2) on /dev/random or 31 * /dev/urandom. It also implements the kernel API - random_add_entropy(), 32 * random_get_pseudo_bytes() and random_get_bytes(). 33 * 34 * We periodically collect random bits from providers which are registered 35 * with the Kernel Cryptographic Framework (kCF) as capable of random 36 * number generation. The random bits are maintained in a cache and 37 * it is used for high quality random numbers (/dev/random) requests. 38 * We pick a provider and call its SPI routine, if the cache does not have 39 * enough bytes to satisfy a request. 40 * 41 * /dev/urandom requests use a software-based generator algorithm that uses the 42 * random bits in the cache as a seed. We create one pseudo-random generator 43 * (for /dev/urandom) per possible CPU on the system, and use it, 44 * kmem-magazine-style, to avoid cache line contention. 45 * 46 * LOCKING HIERARCHY: 47 * 1) rmp->rm_lock protects the per-cpu pseudo-random generators. 48 * 2) rndpool_lock protects the high-quality randomness pool. 49 * It may be locked while a rmp->rm_lock is held. 50 * 51 * A history note: The kernel API and the software-based algorithms in this 52 * file used to be part of the /dev/random driver. 53 */ 54 55 #include <sys/types.h> 56 #include <sys/conf.h> 57 #include <sys/sunddi.h> 58 #include <sys/disp.h> 59 #include <sys/modctl.h> 60 #include <sys/ddi.h> 61 #include <sys/crypto/common.h> 62 #include <sys/crypto/api.h> 63 #include <sys/crypto/impl.h> 64 #include <sys/crypto/sched_impl.h> 65 #include <sys/random.h> 66 #include <sys/sha1.h> 67 #include <sys/time.h> 68 #include <sys/sysmacros.h> 69 #include <sys/cpuvar.h> 70 #include <sys/taskq.h> 71 72 #define RNDPOOLSIZE 1024 /* Pool size in bytes */ 73 #define MINEXTRACTBYTES 20 74 #define MAXEXTRACTBYTES 1024 75 #define PRNG_MAXOBLOCKS 1310720 /* Max output block per prng key */ 76 #define TIMEOUT_INTERVAL 5 /* Periodic mixing interval in secs */ 77 78 typedef enum extract_type { 79 NONBLOCK_EXTRACT, 80 BLOCKING_EXTRACT, 81 ALWAYS_EXTRACT 82 } extract_type_t; 83 84 /* 85 * Hash-algo generic definitions. For now, they are SHA1's. We use SHA1 86 * routines directly instead of using k-API because we can't return any 87 * error code in /dev/urandom case and we can get an error using k-API 88 * if a mechanism is disabled. 89 */ 90 #define HASHSIZE 20 91 #define HASH_CTX SHA1_CTX 92 #define HashInit(ctx) SHA1Init((ctx)) 93 #define HashUpdate(ctx, p, s) SHA1Update((ctx), (p), (s)) 94 #define HashFinal(d, ctx) SHA1Final((d), (ctx)) 95 96 /* HMAC-SHA1 */ 97 #define HMAC_KEYSIZE 20 98 #define HMAC_BLOCK_SIZE 64 99 #define HMAC_KEYSCHED sha1keysched_t 100 #define SET_ENCRYPT_KEY(k, s, ks) hmac_key((k), (s), (ks)) 101 #define HMAC_ENCRYPT(ks, p, s, d) hmac_encr((ks), (uint8_t *)(p), s, d) 102 103 /* HMAC-SHA1 "keyschedule" */ 104 typedef struct sha1keysched_s { 105 SHA1_CTX ictx; 106 SHA1_CTX octx; 107 } sha1keysched_t; 108 109 /* 110 * Cache of random bytes implemented as a circular buffer. findex and rindex 111 * track the front and back of the circular buffer. 112 */ 113 uint8_t rndpool[RNDPOOLSIZE]; 114 static int findex, rindex; 115 static int rnbyte_cnt; /* Number of bytes in the cache */ 116 117 static kmutex_t rndpool_lock; /* protects r/w accesses to the cache, */ 118 /* and the global variables */ 119 static kcondvar_t rndpool_read_cv; /* serializes poll/read syscalls */ 120 static int num_waiters; /* #threads waiting to read from /dev/random */ 121 122 static struct pollhead rnd_pollhead; 123 static timeout_id_t kcf_rndtimeout_id; 124 static crypto_mech_type_t rngmech_type = CRYPTO_MECH_INVALID; 125 rnd_stats_t rnd_stats; 126 127 static void rndc_addbytes(uint8_t *, size_t); 128 static void rndc_getbytes(uint8_t *ptr, size_t len); 129 static void rnd_handler(void *); 130 static void rnd_alloc_magazines(); 131 static void hmac_key(uint8_t *, size_t, void *); 132 static void hmac_encr(void *, uint8_t *, size_t, uint8_t *); 133 134 135 void 136 kcf_rnd_init() 137 { 138 hrtime_t ts; 139 time_t now; 140 141 mutex_init(&rndpool_lock, NULL, MUTEX_DEFAULT, NULL); 142 cv_init(&rndpool_read_cv, NULL, CV_DEFAULT, NULL); 143 144 /* 145 * Add bytes to the cache using 146 * . 2 unpredictable times: high resolution time since the boot-time, 147 * and the current time-of-the day. 148 * This is used only to make the timeout value in the timer 149 * unpredictable. 150 */ 151 ts = gethrtime(); 152 rndc_addbytes((uint8_t *)&ts, sizeof (ts)); 153 154 (void) drv_getparm(TIME, &now); 155 rndc_addbytes((uint8_t *)&now, sizeof (now)); 156 157 rnbyte_cnt = 0; 158 findex = rindex = 0; 159 num_waiters = 0; 160 rngmech_type = KCF_MECHID(KCF_MISC_CLASS, 0); 161 162 rnd_alloc_magazines(); 163 } 164 165 /* 166 * Return TRUE if at least one provider exists that can 167 * supply random numbers. 168 */ 169 boolean_t 170 kcf_rngprov_check(void) 171 { 172 int rv; 173 kcf_provider_desc_t *pd; 174 175 if ((pd = kcf_get_mech_provider(rngmech_type, NULL, &rv, 176 NULL, CRYPTO_FG_RANDOM, B_FALSE, 0)) != NULL) { 177 KCF_PROV_REFRELE(pd); 178 return (B_TRUE); 179 } else 180 return (B_FALSE); 181 } 182 183 /* 184 * Pick a software-based provider and submit a request to seed 185 * its random number generator. 186 */ 187 static void 188 rngprov_seed(uint8_t *buf, int len, uint_t entropy_est, uint32_t flags) 189 { 190 kcf_provider_desc_t *pd = NULL; 191 192 if (kcf_get_sw_prov(rngmech_type, &pd, B_FALSE) == CRYPTO_SUCCESS) { 193 (void) KCF_PROV_SEED_RANDOM(pd, pd->pd_sid, buf, len, 194 entropy_est, flags, NULL); 195 KCF_PROV_REFRELE(pd); 196 } 197 } 198 199 /* Boot-time tunable for experimentation. */ 200 int kcf_limit_hwrng = 1; 201 202 203 /* 204 * This routine is called for blocking reads. 205 * 206 * The argument from_user_api indicates whether the caller is 207 * from userland coming via the /dev/random driver. 208 * 209 * The argument is_taskq_thr indicates whether the caller is 210 * the taskq thread dispatched by the timeout handler routine. 211 * In this case, we cycle through all the providers 212 * submitting a request to each provider to generate random numbers. 213 * 214 * For other cases, we pick a provider and submit a request to generate 215 * random numbers. We retry using another provider if we get an error. 216 * 217 * Returns the number of bytes that are written to 'ptr'. Returns -1 218 * if no provider is found. ptr and need are unchanged. 219 */ 220 static int 221 rngprov_getbytes(uint8_t *ptr, size_t need, boolean_t from_user_api, 222 boolean_t is_taskq_thr) 223 { 224 int rv; 225 int prov_cnt = 0; 226 int total_bytes = 0; 227 kcf_provider_desc_t *pd; 228 kcf_req_params_t params; 229 kcf_prov_tried_t *list = NULL; 230 231 while ((pd = kcf_get_mech_provider(rngmech_type, NULL, &rv, 232 list, CRYPTO_FG_RANDOM, B_FALSE, 0)) != NULL) { 233 234 prov_cnt++; 235 /* 236 * Typically a hardware RNG is a multi-purpose 237 * crypto card and hence we do not want to overload the card 238 * just for random numbers. The following check is to prevent 239 * a user process from hogging the hardware RNG. Note that we 240 * still use the hardware RNG from the periodically run 241 * taskq thread. 242 */ 243 if (pd->pd_prov_type == CRYPTO_HW_PROVIDER && from_user_api && 244 kcf_limit_hwrng == 1) { 245 ASSERT(is_taskq_thr == B_FALSE); 246 goto try_next; 247 } 248 249 KCF_WRAP_RANDOM_OPS_PARAMS(¶ms, KCF_OP_RANDOM_GENERATE, 250 pd->pd_sid, ptr, need, 0, 0); 251 rv = kcf_submit_request(pd, NULL, NULL, ¶ms, B_FALSE); 252 ASSERT(rv != CRYPTO_QUEUED); 253 254 if (rv == CRYPTO_SUCCESS) { 255 total_bytes += need; 256 if (is_taskq_thr) 257 rndc_addbytes(ptr, need); 258 else { 259 KCF_PROV_REFRELE(pd); 260 break; 261 } 262 } 263 264 if (is_taskq_thr || rv != CRYPTO_SUCCESS) { 265 try_next: 266 /* Add pd to the linked list of providers tried. */ 267 if (kcf_insert_triedlist(&list, pd, KM_SLEEP) == NULL) { 268 KCF_PROV_REFRELE(pd); 269 break; 270 } 271 } 272 273 } 274 275 if (list != NULL) 276 kcf_free_triedlist(list); 277 278 if (prov_cnt == 0) { /* no provider could be found. */ 279 return (-1); 280 } 281 282 return (total_bytes); 283 } 284 285 static void 286 notify_done(void *arg, int rv) 287 { 288 uchar_t *rndbuf = arg; 289 290 if (rv == CRYPTO_SUCCESS) 291 rndc_addbytes(rndbuf, MINEXTRACTBYTES); 292 293 bzero(rndbuf, MINEXTRACTBYTES); 294 kmem_free(rndbuf, MINEXTRACTBYTES); 295 } 296 297 /* 298 * Cycle through all the providers submitting a request to each provider 299 * to generate random numbers. This is called for the modes - NONBLOCK_EXTRACT 300 * and ALWAYS_EXTRACT. 301 * 302 * Returns the number of bytes that are written to 'ptr'. Returns -1 303 * if no provider is found. ptr and len are unchanged. 304 */ 305 static int 306 rngprov_getbytes_nblk(uint8_t *ptr, size_t len, boolean_t from_user_api) 307 { 308 int rv, blen, total_bytes; 309 uchar_t *rndbuf; 310 kcf_provider_desc_t *pd; 311 kcf_req_params_t params; 312 crypto_call_req_t req; 313 kcf_prov_tried_t *list = NULL; 314 int prov_cnt = 0; 315 316 blen = 0; 317 total_bytes = 0; 318 req.cr_flag = CRYPTO_SKIP_REQID; 319 req.cr_callback_func = notify_done; 320 321 while ((pd = kcf_get_mech_provider(rngmech_type, NULL, &rv, 322 list, CRYPTO_FG_RANDOM, CHECK_RESTRICT(&req), 0)) != NULL) { 323 324 prov_cnt ++; 325 switch (pd->pd_prov_type) { 326 case CRYPTO_HW_PROVIDER: 327 /* See comments in rngprov_getbytes() */ 328 if (from_user_api && kcf_limit_hwrng == 1) 329 goto try_next; 330 331 /* 332 * We have to allocate a buffer here as we can not 333 * assume that the input buffer will remain valid 334 * when the callback comes. We use a fixed size buffer 335 * to simplify the book keeping. 336 */ 337 rndbuf = kmem_alloc(MINEXTRACTBYTES, KM_NOSLEEP); 338 if (rndbuf == NULL) { 339 KCF_PROV_REFRELE(pd); 340 if (list != NULL) 341 kcf_free_triedlist(list); 342 return (total_bytes); 343 } 344 req.cr_callback_arg = rndbuf; 345 KCF_WRAP_RANDOM_OPS_PARAMS(¶ms, 346 KCF_OP_RANDOM_GENERATE, 347 pd->pd_sid, rndbuf, MINEXTRACTBYTES, 0, 0); 348 break; 349 350 case CRYPTO_SW_PROVIDER: 351 /* 352 * We do not need to allocate a buffer in the software 353 * provider case as there is no callback involved. We 354 * avoid any extra data copy by directly passing 'ptr'. 355 */ 356 KCF_WRAP_RANDOM_OPS_PARAMS(¶ms, 357 KCF_OP_RANDOM_GENERATE, 358 pd->pd_sid, ptr, len, 0, 0); 359 break; 360 } 361 362 rv = kcf_submit_request(pd, NULL, &req, ¶ms, B_FALSE); 363 if (rv == CRYPTO_SUCCESS) { 364 switch (pd->pd_prov_type) { 365 case CRYPTO_HW_PROVIDER: 366 /* 367 * Since we have the input buffer handy, 368 * we directly copy to it rather than 369 * adding to the pool. 370 */ 371 blen = min(MINEXTRACTBYTES, len); 372 bcopy(rndbuf, ptr, blen); 373 if (len < MINEXTRACTBYTES) 374 rndc_addbytes(rndbuf + len, 375 MINEXTRACTBYTES - len); 376 ptr += blen; 377 len -= blen; 378 total_bytes += blen; 379 break; 380 381 case CRYPTO_SW_PROVIDER: 382 total_bytes += len; 383 len = 0; 384 break; 385 } 386 } 387 388 /* 389 * We free the buffer in the callback routine 390 * for the CRYPTO_QUEUED case. 391 */ 392 if (pd->pd_prov_type == CRYPTO_HW_PROVIDER && 393 rv != CRYPTO_QUEUED) { 394 bzero(rndbuf, MINEXTRACTBYTES); 395 kmem_free(rndbuf, MINEXTRACTBYTES); 396 } 397 398 if (len == 0) { 399 KCF_PROV_REFRELE(pd); 400 break; 401 } 402 403 if (rv != CRYPTO_SUCCESS) { 404 try_next: 405 /* Add pd to the linked list of providers tried. */ 406 if (kcf_insert_triedlist(&list, pd, KM_NOSLEEP) == 407 NULL) { 408 KCF_PROV_REFRELE(pd); 409 break; 410 } 411 } 412 } 413 414 if (list != NULL) { 415 kcf_free_triedlist(list); 416 } 417 418 if (prov_cnt == 0) { /* no provider could be found. */ 419 return (-1); 420 } 421 422 return (total_bytes); 423 } 424 425 static void 426 rngprov_task(void *arg) 427 { 428 int len = (int)(uintptr_t)arg; 429 uchar_t tbuf[MAXEXTRACTBYTES]; 430 431 ASSERT(len <= MAXEXTRACTBYTES); 432 if (rngprov_getbytes(tbuf, len, B_FALSE, B_TRUE) == -1) { 433 cmn_err(CE_WARN, "No randomness provider enabled for " 434 "/dev/random. Use cryptoadm(1M) to enable a provider."); 435 } 436 } 437 438 /* 439 * Returns "len" random or pseudo-random bytes in *ptr. 440 * Will block if not enough random bytes are available and the 441 * call is blocking. 442 * 443 * Called with rndpool_lock held (allowing caller to do optimistic locking; 444 * releases the lock before return). 445 */ 446 static int 447 rnd_get_bytes(uint8_t *ptr, size_t len, extract_type_t how, 448 boolean_t from_user_api) 449 { 450 int bytes; 451 size_t got; 452 453 ASSERT(mutex_owned(&rndpool_lock)); 454 /* 455 * Check if the request can be satisfied from the cache 456 * of random bytes. 457 */ 458 if (len <= rnbyte_cnt) { 459 rndc_getbytes(ptr, len); 460 mutex_exit(&rndpool_lock); 461 return (0); 462 } 463 mutex_exit(&rndpool_lock); 464 465 switch (how) { 466 case BLOCKING_EXTRACT: 467 if ((got = rngprov_getbytes(ptr, len, from_user_api, 468 B_FALSE)) == -1) 469 break; /* No provider found */ 470 471 if (got == len) 472 return (0); 473 len -= got; 474 ptr += got; 475 break; 476 477 case NONBLOCK_EXTRACT: 478 case ALWAYS_EXTRACT: 479 if ((got = rngprov_getbytes_nblk(ptr, len, 480 from_user_api)) == -1) { 481 /* No provider found */ 482 if (how == NONBLOCK_EXTRACT) { 483 return (EAGAIN); 484 } 485 } else { 486 if (got == len) 487 return (0); 488 len -= got; 489 ptr += got; 490 } 491 if (how == NONBLOCK_EXTRACT && (rnbyte_cnt < len)) 492 return (EAGAIN); 493 break; 494 } 495 496 mutex_enter(&rndpool_lock); 497 while (len > 0) { 498 if (how == BLOCKING_EXTRACT) { 499 /* Check if there is enough */ 500 while (rnbyte_cnt < MINEXTRACTBYTES) { 501 num_waiters++; 502 if (cv_wait_sig(&rndpool_read_cv, 503 &rndpool_lock) == 0) { 504 num_waiters--; 505 mutex_exit(&rndpool_lock); 506 return (EINTR); 507 } 508 num_waiters--; 509 } 510 } 511 512 /* Figure out how many bytes to extract */ 513 bytes = min(len, rnbyte_cnt); 514 rndc_getbytes(ptr, bytes); 515 516 len -= bytes; 517 ptr += bytes; 518 519 if (len > 0 && how == ALWAYS_EXTRACT) { 520 /* 521 * There are not enough bytes, but we can not block. 522 * This only happens in the case of /dev/urandom which 523 * runs an additional generation algorithm. So, there 524 * is no problem. 525 */ 526 while (len > 0) { 527 *ptr = rndpool[findex]; 528 ptr++; len--; 529 rindex = findex = (findex + 1) & 530 (RNDPOOLSIZE - 1); 531 } 532 break; 533 } 534 } 535 536 mutex_exit(&rndpool_lock); 537 return (0); 538 } 539 540 int 541 kcf_rnd_get_bytes(uint8_t *ptr, size_t len, boolean_t noblock, 542 boolean_t from_user_api) 543 { 544 extract_type_t how; 545 int error; 546 547 how = noblock ? NONBLOCK_EXTRACT : BLOCKING_EXTRACT; 548 mutex_enter(&rndpool_lock); 549 if ((error = rnd_get_bytes(ptr, len, how, from_user_api)) != 0) 550 return (error); 551 552 BUMP_RND_STATS(rs_rndOut, len); 553 return (0); 554 } 555 556 /* 557 * Revisit this if the structs grow or we come up with a better way 558 * of cache-line-padding structures. 559 */ 560 #define RND_CPU_CACHE_SIZE 64 561 #define RND_CPU_PAD_SIZE RND_CPU_CACHE_SIZE*5 562 #define RND_CPU_PAD (RND_CPU_PAD_SIZE - \ 563 (sizeof (kmutex_t) + 3*sizeof (uint8_t *) + sizeof (HMAC_KEYSCHED) + \ 564 sizeof (uint64_t) + 3*sizeof (uint32_t) + sizeof (rnd_stats_t))) 565 566 /* 567 * Per-CPU random state. Somewhat like like kmem's magazines, this provides 568 * a per-CPU instance of the pseudo-random generator. We have it much easier 569 * than kmem, as we can afford to "leak" random bits if a CPU is DR'ed out. 570 * 571 * Note that this usage is preemption-safe; a thread 572 * entering a critical section remembers which generator it locked 573 * and unlocks the same one; should it be preempted and wind up running on 574 * a different CPU, there will be a brief period of increased contention 575 * before it exits the critical section but nothing will melt. 576 */ 577 typedef struct rndmag_s 578 { 579 kmutex_t rm_lock; 580 uint8_t *rm_buffer; /* Start of buffer */ 581 uint8_t *rm_eptr; /* End of buffer */ 582 uint8_t *rm_rptr; /* Current read pointer */ 583 HMAC_KEYSCHED rm_ks; /* seed */ 584 uint64_t rm_counter; /* rotating counter for extracting */ 585 uint32_t rm_oblocks; /* time to rekey? */ 586 uint32_t rm_ofuzz; /* Rekey backoff state */ 587 uint32_t rm_olimit; /* Hard rekey limit */ 588 rnd_stats_t rm_stats; /* Per-CPU Statistics */ 589 uint8_t rm_pad[RND_CPU_PAD]; 590 } rndmag_t; 591 592 /* 593 * Generate random bytes for /dev/urandom by encrypting a 594 * rotating counter with a key created from bytes extracted 595 * from the pool. A maximum of PRNG_MAXOBLOCKS output blocks 596 * is generated before a new key is obtained. 597 * 598 * Note that callers to this routine are likely to assume it can't fail. 599 * 600 * Called with rmp locked; releases lock. 601 */ 602 static int 603 rnd_generate_pseudo_bytes(rndmag_t *rmp, uint8_t *ptr, size_t len) 604 { 605 size_t bytes = len; 606 int nblock, size; 607 uint32_t oblocks; 608 uint8_t digest[HASHSIZE]; 609 610 ASSERT(mutex_owned(&rmp->rm_lock)); 611 612 /* Nothing is being asked */ 613 if (len == 0) { 614 mutex_exit(&rmp->rm_lock); 615 return (0); 616 } 617 618 nblock = howmany(len, HASHSIZE); 619 620 rmp->rm_oblocks += nblock; 621 oblocks = rmp->rm_oblocks; 622 623 do { 624 if (oblocks >= rmp->rm_olimit) { 625 hrtime_t timestamp; 626 uint8_t key[HMAC_KEYSIZE]; 627 628 /* 629 * Contention-avoiding rekey: see if 630 * the pool is locked, and if so, wait a bit. 631 * Do an 'exponential back-in' to ensure we don't 632 * run too long without rekey. 633 */ 634 if (rmp->rm_ofuzz) { 635 /* 636 * Decaying exponential back-in for rekey. 637 */ 638 if ((rnbyte_cnt < MINEXTRACTBYTES) || 639 (!mutex_tryenter(&rndpool_lock))) { 640 rmp->rm_olimit += rmp->rm_ofuzz; 641 rmp->rm_ofuzz >>= 1; 642 goto punt; 643 } 644 } else { 645 mutex_enter(&rndpool_lock); 646 } 647 648 /* Get a new chunk of entropy */ 649 (void) rnd_get_bytes(key, HMAC_KEYSIZE, 650 ALWAYS_EXTRACT, B_FALSE); 651 652 /* Set up key */ 653 SET_ENCRYPT_KEY(key, HMAC_KEYSIZE, &rmp->rm_ks); 654 655 /* Get new counter value by encrypting timestamp */ 656 timestamp = gethrtime(); 657 HMAC_ENCRYPT(&rmp->rm_ks, ×tamp, 658 sizeof (timestamp), digest); 659 rmp->rm_olimit = PRNG_MAXOBLOCKS/2; 660 rmp->rm_ofuzz = PRNG_MAXOBLOCKS/4; 661 bcopy(digest, &rmp->rm_counter, sizeof (uint64_t)); 662 oblocks = 0; 663 rmp->rm_oblocks = nblock; 664 } 665 punt: 666 /* Hash counter to produce prn stream */ 667 if (bytes >= HASHSIZE) { 668 size = HASHSIZE; 669 HMAC_ENCRYPT(&rmp->rm_ks, &rmp->rm_counter, 670 sizeof (rmp->rm_counter), ptr); 671 } else { 672 size = min(bytes, HASHSIZE); 673 HMAC_ENCRYPT(&rmp->rm_ks, &rmp->rm_counter, 674 sizeof (rmp->rm_counter), digest); 675 bcopy(digest, ptr, size); 676 } 677 ptr += size; 678 bytes -= size; 679 rmp->rm_counter++; 680 oblocks++; 681 nblock--; 682 } while (bytes > 0); 683 684 mutex_exit(&rmp->rm_lock); 685 return (0); 686 } 687 688 /* 689 * Per-CPU Random magazines. 690 */ 691 static rndmag_t *rndmag; 692 static uint8_t *rndbuf; 693 static size_t rndmag_total; 694 /* 695 * common/os/cpu.c says that platform support code can shrinkwrap 696 * max_ncpus. On the off chance that we get loaded very early, we 697 * read it exactly once, to copy it here. 698 */ 699 static uint32_t random_max_ncpus = 0; 700 701 /* 702 * Boot-time tunables, for experimentation. 703 */ 704 size_t rndmag_threshold = 2560; 705 size_t rndbuf_len = 5120; 706 size_t rndmag_size = 1280; 707 708 709 int 710 kcf_rnd_get_pseudo_bytes(uint8_t *ptr, size_t len) 711 { 712 rndmag_t *rmp; 713 uint8_t *cptr, *eptr; 714 715 /* 716 * Anyone who asks for zero bytes of randomness should get slapped. 717 */ 718 ASSERT(len > 0); 719 720 /* 721 * Fast path. 722 */ 723 for (;;) { 724 rmp = &rndmag[CPU->cpu_seqid]; 725 mutex_enter(&rmp->rm_lock); 726 727 /* 728 * Big requests bypass buffer and tail-call the 729 * generate routine directly. 730 */ 731 if (len > rndmag_threshold) { 732 BUMP_CPU_RND_STATS(rmp, rs_urndOut, len); 733 return (rnd_generate_pseudo_bytes(rmp, ptr, len)); 734 } 735 736 cptr = rmp->rm_rptr; 737 eptr = cptr + len; 738 739 if (eptr <= rmp->rm_eptr) { 740 rmp->rm_rptr = eptr; 741 bcopy(cptr, ptr, len); 742 BUMP_CPU_RND_STATS(rmp, rs_urndOut, len); 743 mutex_exit(&rmp->rm_lock); 744 745 return (0); 746 } 747 /* 748 * End fast path. 749 */ 750 rmp->rm_rptr = rmp->rm_buffer; 751 /* 752 * Note: We assume the generate routine always succeeds 753 * in this case (because it does at present..) 754 * It also always releases rm_lock. 755 */ 756 (void) rnd_generate_pseudo_bytes(rmp, rmp->rm_buffer, 757 rndbuf_len); 758 } 759 } 760 761 /* 762 * We set up (empty) magazines for all of max_ncpus, possibly wasting a 763 * little memory on big systems that don't have the full set installed. 764 * See above; "empty" means "rptr equal to eptr"; this will trigger the 765 * refill path in rnd_get_pseudo_bytes above on the first call for each CPU. 766 * 767 * TODO: make rndmag_size tunable at run time! 768 */ 769 static void 770 rnd_alloc_magazines() 771 { 772 rndmag_t *rmp; 773 int i; 774 775 rndbuf_len = roundup(rndbuf_len, HASHSIZE); 776 if (rndmag_size < rndbuf_len) 777 rndmag_size = rndbuf_len; 778 rndmag_size = roundup(rndmag_size, RND_CPU_CACHE_SIZE); 779 780 random_max_ncpus = max_ncpus; 781 rndmag_total = rndmag_size * random_max_ncpus; 782 783 rndbuf = kmem_alloc(rndmag_total, KM_SLEEP); 784 rndmag = kmem_zalloc(sizeof (rndmag_t) * random_max_ncpus, KM_SLEEP); 785 786 for (i = 0; i < random_max_ncpus; i++) { 787 uint8_t *buf; 788 789 rmp = &rndmag[i]; 790 mutex_init(&rmp->rm_lock, NULL, MUTEX_DRIVER, NULL); 791 792 buf = rndbuf + i * rndmag_size; 793 794 rmp->rm_buffer = buf; 795 rmp->rm_eptr = buf + rndbuf_len; 796 rmp->rm_rptr = buf + rndbuf_len; 797 rmp->rm_oblocks = 1; 798 } 799 } 800 801 void 802 kcf_rnd_schedule_timeout(boolean_t do_mech2id) 803 { 804 clock_t ut; /* time in microseconds */ 805 806 if (do_mech2id) 807 rngmech_type = crypto_mech2id(SUN_RANDOM); 808 809 /* 810 * The new timeout value is taken from the buffer of random bytes. 811 * We're merely reading the first 32 bits from the buffer here, not 812 * consuming any random bytes. 813 * The timeout multiplier value is a random value between 0.5 sec and 814 * 1.544480 sec (0.5 sec + 0xFF000 microseconds). 815 * The new timeout is TIMEOUT_INTERVAL times that multiplier. 816 */ 817 ut = 500000 + (clock_t)((((uint32_t)rndpool[findex]) << 12) & 0xFF000); 818 kcf_rndtimeout_id = timeout(rnd_handler, NULL, 819 TIMEOUT_INTERVAL * drv_usectohz(ut)); 820 } 821 822 /* 823 * &rnd_pollhead is passed in *phpp in order to indicate the calling thread 824 * will block. When enough random bytes are available, later, the timeout 825 * handler routine will issue the pollwakeup() calls. 826 */ 827 void 828 kcf_rnd_chpoll(int anyyet, short *reventsp, struct pollhead **phpp) 829 { 830 /* 831 * Sampling of rnbyte_cnt is an atomic 832 * operation. Hence we do not need any locking. 833 */ 834 if (rnbyte_cnt >= MINEXTRACTBYTES) { 835 *reventsp |= (POLLIN | POLLRDNORM); 836 } else { 837 *reventsp = 0; 838 if (!anyyet) 839 *phpp = &rnd_pollhead; 840 } 841 } 842 843 /*ARGSUSED*/ 844 static void 845 rnd_handler(void *arg) 846 { 847 int len = 0; 848 849 if (num_waiters > 0) 850 len = MAXEXTRACTBYTES; 851 else if (rnbyte_cnt < RNDPOOLSIZE) 852 len = MINEXTRACTBYTES; 853 854 if (len > 0) { 855 (void) taskq_dispatch(system_taskq, rngprov_task, 856 (void *)(uintptr_t)len, TQ_NOSLEEP); 857 } else if (!kcf_rngprov_check()) { 858 cmn_err(CE_WARN, "No randomness provider enabled for " 859 "/dev/random. Use cryptoadm(1M) to enable a provider."); 860 } 861 862 mutex_enter(&rndpool_lock); 863 /* 864 * Wake up threads waiting in poll() or for enough accumulated 865 * random bytes to read from /dev/random. In case a poll() is 866 * concurrent with a read(), the polling process may be woken up 867 * indicating that enough randomness is now available for reading, 868 * and another process *steals* the bits from the pool, causing the 869 * subsequent read() from the first process to block. It is acceptable 870 * since the blocking will eventually end, after the timeout 871 * has expired enough times to honor the read. 872 * 873 * Note - Since we hold the rndpool_lock across the pollwakeup() call 874 * we MUST NOT grab the rndpool_lock in kcf_rndchpoll(). 875 */ 876 if (rnbyte_cnt >= MINEXTRACTBYTES) 877 pollwakeup(&rnd_pollhead, POLLIN | POLLRDNORM); 878 879 if (num_waiters > 0) 880 cv_broadcast(&rndpool_read_cv); 881 mutex_exit(&rndpool_lock); 882 883 kcf_rnd_schedule_timeout(B_FALSE); 884 } 885 886 /* Hashing functions */ 887 888 static void 889 hmac_key(uint8_t *key, size_t keylen, void *buf) 890 { 891 uint32_t *ip, *op; 892 uint32_t ipad[HMAC_BLOCK_SIZE/sizeof (uint32_t)]; 893 uint32_t opad[HMAC_BLOCK_SIZE/sizeof (uint32_t)]; 894 HASH_CTX *icontext, *ocontext; 895 int i; 896 int nints; 897 898 icontext = buf; 899 ocontext = (SHA1_CTX *)((uint8_t *)buf + sizeof (HASH_CTX)); 900 901 bzero((uchar_t *)ipad, HMAC_BLOCK_SIZE); 902 bzero((uchar_t *)opad, HMAC_BLOCK_SIZE); 903 bcopy(key, (uchar_t *)ipad, keylen); 904 bcopy(key, (uchar_t *)opad, keylen); 905 906 /* 907 * XOR key with ipad (0x36) and opad (0x5c) as defined 908 * in RFC 2104. 909 */ 910 ip = ipad; 911 op = opad; 912 nints = HMAC_BLOCK_SIZE/sizeof (uint32_t); 913 914 for (i = 0; i < nints; i++) { 915 ip[i] ^= 0x36363636; 916 op[i] ^= 0x5c5c5c5c; 917 } 918 919 /* Perform hash with ipad */ 920 HashInit(icontext); 921 HashUpdate(icontext, (uchar_t *)ipad, HMAC_BLOCK_SIZE); 922 923 /* Perform hash with opad */ 924 HashInit(ocontext); 925 HashUpdate(ocontext, (uchar_t *)opad, HMAC_BLOCK_SIZE); 926 } 927 928 static void 929 hmac_encr(void *ctx, uint8_t *ptr, size_t len, uint8_t *digest) 930 { 931 HASH_CTX *saved_contexts; 932 HASH_CTX icontext; 933 HASH_CTX ocontext; 934 935 saved_contexts = (HASH_CTX *)ctx; 936 icontext = saved_contexts[0]; 937 ocontext = saved_contexts[1]; 938 939 HashUpdate(&icontext, ptr, len); 940 HashFinal(digest, &icontext); 941 942 /* 943 * Perform Hash(K XOR OPAD, DIGEST), where DIGEST is the 944 * Hash(K XOR IPAD, DATA). 945 */ 946 HashUpdate(&ocontext, digest, HASHSIZE); 947 HashFinal(digest, &ocontext); 948 } 949 950 951 static void 952 rndc_addbytes(uint8_t *ptr, size_t len) 953 { 954 ASSERT(ptr != NULL && len > 0); 955 ASSERT(rnbyte_cnt <= RNDPOOLSIZE); 956 957 mutex_enter(&rndpool_lock); 958 while ((len > 0) && (rnbyte_cnt < RNDPOOLSIZE)) { 959 rndpool[rindex] ^= *ptr; 960 ptr++; len--; 961 rindex = (rindex + 1) & (RNDPOOLSIZE - 1); 962 rnbyte_cnt++; 963 } 964 965 /* Handle buffer full case */ 966 while (len > 0) { 967 rndpool[rindex] ^= *ptr; 968 ptr++; len--; 969 findex = rindex = (rindex + 1) & (RNDPOOLSIZE - 1); 970 } 971 mutex_exit(&rndpool_lock); 972 } 973 974 /* 975 * Caller should check len <= rnbyte_cnt under the 976 * rndpool_lock before calling. 977 */ 978 static void 979 rndc_getbytes(uint8_t *ptr, size_t len) 980 { 981 ASSERT(MUTEX_HELD(&rndpool_lock)); 982 ASSERT(len <= rnbyte_cnt && rnbyte_cnt <= RNDPOOLSIZE); 983 984 BUMP_RND_STATS(rs_rndcOut, len); 985 986 while (len > 0) { 987 *ptr = rndpool[findex]; 988 ptr++; len--; 989 findex = (findex + 1) & (RNDPOOLSIZE - 1); 990 rnbyte_cnt--; 991 } 992 } 993 994 /* Random number exported entry points */ 995 996 /* 997 * Mix the supplied bytes into the entropy pool of a kCF 998 * RNG provider. 999 */ 1000 int 1001 random_add_pseudo_entropy(uint8_t *ptr, size_t len, uint_t entropy_est) 1002 { 1003 if (len < 1) 1004 return (-1); 1005 1006 rngprov_seed(ptr, len, entropy_est, 0); 1007 1008 return (0); 1009 } 1010 1011 /* 1012 * Mix the supplied bytes into the entropy pool of a kCF 1013 * RNG provider. Mix immediately. 1014 */ 1015 int 1016 random_add_entropy(uint8_t *ptr, size_t len, uint_t entropy_est) 1017 { 1018 if (len < 1) 1019 return (-1); 1020 1021 rngprov_seed(ptr, len, entropy_est, CRYPTO_SEED_NOW); 1022 1023 return (0); 1024 } 1025 1026 /* 1027 * Get bytes from the /dev/urandom generator. This function 1028 * always succeeds. Returns 0. 1029 */ 1030 int 1031 random_get_pseudo_bytes(uint8_t *ptr, size_t len) 1032 { 1033 ASSERT(!mutex_owned(&rndpool_lock)); 1034 1035 if (len < 1) 1036 return (0); 1037 return (kcf_rnd_get_pseudo_bytes(ptr, len)); 1038 } 1039 1040 /* 1041 * Get bytes from the /dev/random generator. Returns 0 1042 * on success. Returns EAGAIN if there is insufficient entropy. 1043 */ 1044 int 1045 random_get_bytes(uint8_t *ptr, size_t len) 1046 { 1047 ASSERT(!mutex_owned(&rndpool_lock)); 1048 1049 if (len < 1) 1050 return (0); 1051 return (kcf_rnd_get_bytes(ptr, len, B_TRUE, B_FALSE)); 1052 } 1053