1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/sysmacros.h> 30 #include <sys/modctl.h> 31 #include <sys/conf.h> 32 #include <sys/devops.h> 33 #include <sys/cmn_err.h> 34 #include <sys/kmem.h> 35 #include <sys/stat.h> 36 #include <sys/open.h> 37 #include <sys/file.h> 38 #include <sys/cpuvar.h> 39 #include <sys/disp.h> 40 #include <sys/hsvc.h> 41 #include <sys/machsystm.h> 42 #include <sys/ksynch.h> 43 #include <sys/hypervisor_api.h> 44 #include <sys/n2rng.h> 45 #include <sys/sha1.h> 46 #include <sys/ddi.h> /* near end to get min and max macros right */ 47 #include <sys/sunddi.h> 48 49 /* n must be a power of 2 */ 50 #define ROUNDUP(k, n) (((k) + (n) - 1) & ~((n) - 1)) 51 #define SHA1BLOCKBITS 512 52 #define SHA1BLOCKBYTES (SHA1BLOCKBITS / 8) 53 #define SHA1WORDS 5 54 #define SHA1BYTES (4 * SHA1WORDS) 55 56 57 /* 58 * Policy. ENTROPY_STARVATION is the maximum number of calls each 59 * FIPS instance will accept without successfully getting more 60 * entropy. It needs to be large enough to allow RNG operations to 61 * not stall because of health checks, etc. But we don't want it too 62 * large. FIPS 186-2 change 1 (5 October 2001) states that no more 63 * that 2,000,000 DSA signatures (done using this algorithm) should be 64 * done without reseeding. We make sure we add 64 bits of entropy at 65 * most every 10000 operations, hence we will have stirred in 160 bits 66 * of entropy at most once every 30000 operations. Normally, we stir 67 * in 64 bits of entropy for every number generated. 68 */ 69 #define ENTROPY_STARVATION 10000ULL 70 71 extern int n2rng_herr2kerr(uint64_t); 72 73 74 /* 75 * Adds val1 and val2 and stores result into sum. The various input 76 * pointers can be exactly aliased. (They cannot be offset and 77 * overlapping, but no one would ever do that.) Values are big endian 78 * by words and native byte order within words. The return value's 79 * 2-bit is 0 if the result is zero, it's 1 bit is carry out. (This 80 * is reused code. The return code is not used by n2rng.) Thus, 81 * calling with both carryin and complement_val2 ones does a 82 * subtraction. A null sum pointer parameter is allowed. The 83 * subtraction features were required when this code was orginally 84 * written so it could do a mod q operation. 85 */ 86 static int 87 add160(uint32_t *sum, uint32_t const *val1, uint32_t const *val2, 88 const unsigned carryin, const int complement_val2) 89 { 90 int i; 91 uint32_t partialsum; 92 uint32_t carry = (carryin > 0); 93 uint32_t non_zero = 0; 94 95 for (i = 4; i >= 0; --i) { 96 partialsum = val1[i] + (complement_val2 ? ~val2[i] : val2[i]) + 97 carry; 98 if (carry) { 99 carry = (partialsum <= val1[i]); 100 } else { 101 carry = (partialsum < val1[i]); 102 } 103 if (sum) { 104 sum[i] = partialsum; 105 } 106 non_zero |= partialsum; 107 } 108 109 return (((non_zero != 0) * 2) | carry); 110 } 111 112 113 114 /* 115 * Computes a new random value, which is stored in x_j; updates XKEY 116 * in the *rs. XSEED_j is additional input. In principle, we should 117 * protect XKEY, perhaps by putting it on a non-pagable page, but we 118 * aways clobber XKEY with fresh entropy just before we use it. And 119 * step 3d irreversibly updates it just after we use it. The only 120 * risk is that if an attacker captured the state while the entropy 121 * generator was broken, the attacker could predict future values. 122 * There are two cases: 1. The attack gets root access to a live 123 * system. But there is no defense against that. 2. The attacker 124 * gets access to a crash dump. But by then no values are being 125 * generated. 126 * 127 * Note that XSEEDj is overwritten with sensitive stuff, and must be 128 * zeroed by the caller. We use two separate symbols (XVAL and 129 * XSEEDj) to make each step match the notation in FIPS 186-2. 130 */ 131 static void 132 fips_random_inner(fipsrandomstruct_t *frsp, uint32_t *x_j, 133 uint32_t *XSEED_j) 134 { 135 int i; 136 SHA1_CTX sha1_context; 137 /* Alias to preserve terminology from FIPS 186-2 */ 138 #define XVAL XSEED_j 139 /* 140 * K&R section A8.7: If the array has fixed size, the number 141 * of initializers may not exceed the number of members in the 142 * array; if there are fewer, the trailing members are 143 * initialized with 0. 144 */ 145 static const char zero[SHA1BLOCKBYTES - SHA1BYTES] = {0}; 146 147 /* 148 * Step 3b: XVAL = (XKEY + XSEED_sub_j) mod 2^b. The mod is 149 * implicit in the 160 bit representation. Note that XVAL and 150 * XSEED_j are actually the same location. 151 */ 152 (void) add160(XVAL, frsp->XKEY, XSEED_j, 0, 0); 153 /* 154 * Step 3c: x_sub_j = G(t, XVAL) mod q. 155 */ 156 SHA1Init(&sha1_context); 157 SHA1Update(&sha1_context, (unsigned char *)XVAL, SHA1BYTES); 158 /* 159 * Filling to 64 bytes is requried by FIPS 186-2 Appendix 3.3. 160 * It also triggers SHA1Transform (the steps a-e of the spec). 161 * 162 * zero is a const char[], but SHA1update does not declare its 163 * second parameter const, even though it does not modify it, 164 * so we cast to suppress a compiler warning. 165 */ 166 SHA1Update(&sha1_context, (unsigned char *)zero, 167 SHA1BLOCKBYTES - SHA1BYTES); 168 /* 169 * The code below directly accesses the state field of 170 * sha1_context, which is of type SHA1_CTX, defined in sha1.h. 171 * This has been deemed acceptable, because that typedef is 172 * Consolidation Private, and n2rng is in the same 173 * consolidation. 174 */ 175 /* copy out to x_j */ 176 for (i = 0; i < 5; i++) { 177 x_j[i] = sha1_context.state[i]; 178 } 179 /* 180 * Step 3d: XKEY = (1 + XKEY + x_sub_j) mod 2^b. b=160. The 181 * mod 2^160 is implicit in the 160 bit representation. The 182 * one is added via the carry-in flag. 183 */ 184 (void) add160(frsp->XKEY, frsp->XKEY, x_j, 1, 0); 185 #undef XVAL 186 } 187 188 int 189 fips_random(n2rng_t *n2rng, uint8_t *out, size_t nbytes) 190 { 191 int i; 192 fipsrandomstruct_t *frsp; 193 union { 194 uint32_t as32[SHA1WORDS]; 195 uint64_t as64[ROUNDUP(SHA1WORDS, 2) >> 1]; 196 } entropy = {0}; 197 uint32_t tempout[SHA1WORDS]; 198 199 200 for (i = 0; i < nbytes; i += SHA1BYTES) { 201 /* 202 * Since in the new scheme of things, the RNG latency 203 * will be high on reads after the first, we get just 204 * one word of entropy per call. And if it fails, we 205 * just go on, but if the number of successive 206 * failures gets too big, we fail. 207 */ 208 if (n2rng_getentropy(n2rng, (void *)&entropy.as64[1], 209 sizeof (uint64_t))) { 210 /* failure case */ 211 entropy.as64[1] = 0; 212 } 213 214 /* 215 * The idea here is that a Niagara2 chip is highly 216 * parallel, with many strands. If we have just one 217 * instance of the FIPS data, then only one FIPS 218 * computation can happen at a time, serializeing all 219 * the RNG stuff. So we make N2RNG_FIPS_INSTANCES, 220 * and use them round-robin, with the counter being 221 * n2rng->n_frs.fips_round_robin_j. We increment the 222 * counter with an atomic op, avoiding having to have 223 * a global muxtex. The atomic ops are also 224 * significantly faster than mutexes. The mutex is 225 * put inside the loop, otherwise one thread reading 226 * many blocks could stall all other strands. 227 */ 228 frsp = &n2rng->n_frs.fipsarray[ 229 atomic_inc_32_nv(&n2rng->n_frs.fips_round_robin_j) % 230 N2RNG_FIPS_INSTANCES]; 231 232 mutex_enter(&frsp->mtx); 233 234 if (entropy.as64[1] == 0) { 235 /* 236 * If we did not get any entropy, entropyword 237 * is zero. We get a false positive with 238 * probablitity 2^-64. It's not worth a few 239 * extra stores and tests eliminate the false 240 * positive. 241 */ 242 if (++frsp->entropyhunger > ENTROPY_STARVATION) { 243 mutex_exit(&frsp->mtx); 244 cmn_err(CE_WARN, "n2rng: not generating " 245 "entropy"); 246 return (EIO); 247 } 248 } else { 249 frsp->entropyhunger = 0; 250 } 251 252 /* nbytes - i is bytes to go */ 253 fips_random_inner(frsp, tempout, entropy.as32); 254 bcopy(tempout, &out[i], min(nbytes - i, SHA1BYTES)); 255 256 mutex_exit(&frsp->mtx); 257 } 258 259 /* Zeroize sensitive information */ 260 261 entropy.as64[1] = 0; 262 bzero(tempout, SHA1BYTES); 263 264 return (0); 265 } 266 267 /* 268 * Initializes one FIPS RNG instance. Must be called once for each 269 * instance. 270 */ 271 int 272 n2rng_fips_random_init(n2rng_t *n2rng, fipsrandomstruct_t *frsp) 273 { 274 /* 275 * All FIPS-approved algorithms will operate as cryptograpic 276 * quality PRNGs even if there is no entropy source. (In 277 * fact, this the only one that accepts entropy on the fly.) 278 * One motivation for this is that they system keeps on 279 * delivering cryptographic quality random numbers, even if 280 * the entropy source fails. 281 */ 282 283 int rv; 284 285 rv = n2rng_getentropy(n2rng, (void *)frsp->XKEY, ROUNDUP(SHA1BYTES, 8)); 286 if (rv) { 287 return (rv); 288 } 289 290 mutex_init(&frsp->mtx, NULL, MUTEX_DRIVER, NULL); 291 292 return (0); 293 } 294 295 void 296 n2rng_fips_random_fini(fipsrandomstruct_t *frsp) 297 { 298 mutex_destroy(&frsp->mtx); 299 /* 300 * Zeroise fips data. Not really necessary, since the 301 * algorithm has backtracking resistance, but do it anyway. 302 */ 303 bzero(frsp, sizeof (fipsrandomstruct_t)); 304 } 305