xref: /titanic_51/usr/src/uts/common/crypto/api/kcf_random.c (revision 7380b00ccf9fc5638da98d756925bc6d6c002a42)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This file implements the interfaces that the /dev/random
28  * driver uses for read(2), write(2) and poll(2) on /dev/random or
29  * /dev/urandom. It also implements the kernel API - random_add_entropy(),
30  * random_add_pseudo_entropy(), random_get_pseudo_bytes()
31  * and random_get_bytes().
32  *
33  * We periodically collect random bits from providers which are registered
34  * with the Kernel Cryptographic Framework (kCF) as capable of random
35  * number generation. The random bits are maintained in a cache and
36  * it is used for high quality random numbers (/dev/random) requests.
37  * We pick a provider and call its SPI routine, if the cache does not have
38  * enough bytes to satisfy a request.
39  *
40  * /dev/urandom requests use a software-based generator algorithm that uses the
41  * random bits in the cache as a seed. We create one pseudo-random generator
42  * (for /dev/urandom) per possible CPU on the system, and use it,
43  * kmem-magazine-style, to avoid cache line contention.
44  *
45  * LOCKING HIERARCHY:
46  *	1) rmp->rm_mag.rm_lock protects the per-cpu pseudo-random generators.
47  * 	2) rndpool_lock protects the high-quality randomness pool.
48  *		It may be locked while a rmp->rm_mag.rm_lock is held.
49  *
50  * A history note: The kernel API and the software-based algorithms in this
51  * file used to be part of the /dev/random driver.
52  */
53 
54 #include <sys/types.h>
55 #include <sys/conf.h>
56 #include <sys/sunddi.h>
57 #include <sys/disp.h>
58 #include <sys/modctl.h>
59 #include <sys/ddi.h>
60 #include <sys/crypto/common.h>
61 #include <sys/crypto/api.h>
62 #include <sys/crypto/impl.h>
63 #include <sys/crypto/sched_impl.h>
64 #include <sys/random.h>
65 #include <sys/sha1.h>
66 #include <sys/time.h>
67 #include <sys/sysmacros.h>
68 #include <sys/cpuvar.h>
69 #include <sys/taskq.h>
70 #include <rng/fips_random.h>
71 
72 #define	RNDPOOLSIZE		1024	/* Pool size in bytes */
73 #define	MINEXTRACTBYTES		20
74 #define	MAXEXTRACTBYTES		1024
75 #define	PRNG_MAXOBLOCKS		1310720	/* Max output block per prng key */
76 #define	TIMEOUT_INTERVAL	5	/* Periodic mixing interval in secs */
77 
78 typedef enum    extract_type {
79 	NONBLOCK_EXTRACT,
80 	BLOCKING_EXTRACT,
81 	ALWAYS_EXTRACT
82 } extract_type_t;
83 
84 /*
85  * Hash-algo generic definitions. For now, they are SHA1's. We use SHA1
86  * routines directly instead of using k-API because we can't return any
87  * error code in /dev/urandom case and we can get an error using k-API
88  * if a mechanism is disabled.
89  */
90 #define	HASHSIZE		20
91 #define	HASH_CTX		SHA1_CTX
92 #define	HashInit(ctx)		SHA1Init((ctx))
93 #define	HashUpdate(ctx, p, s)	SHA1Update((ctx), (p), (s))
94 #define	HashFinal(d, ctx)	SHA1Final((d), (ctx))
95 
96 /* HMAC-SHA1 */
97 #define	HMAC_KEYSIZE			20
98 
99 /*
100  * Cache of random bytes implemented as a circular buffer. findex and rindex
101  * track the front and back of the circular buffer.
102  */
103 uint8_t rndpool[RNDPOOLSIZE];
104 static int findex, rindex;
105 static int rnbyte_cnt;		/* Number of bytes in the cache */
106 
107 static kmutex_t rndpool_lock;	/* protects r/w accesses to the cache, */
108 				/* and the global variables */
109 static kcondvar_t rndpool_read_cv; /* serializes poll/read syscalls */
110 static int num_waiters;		/* #threads waiting to read from /dev/random */
111 
112 static struct pollhead rnd_pollhead;
113 /* LINTED E_STATIC_UNUSED */
114 static timeout_id_t kcf_rndtimeout_id;
115 static crypto_mech_type_t rngmech_type = CRYPTO_MECH_INVALID;
116 rnd_stats_t rnd_stats;
117 static boolean_t rng_prov_found = B_TRUE;
118 static boolean_t rng_ok_to_log = B_TRUE;
119 
120 static void rndc_addbytes(uint8_t *, size_t);
121 static void rndc_getbytes(uint8_t *ptr, size_t len);
122 static void rnd_handler(void *);
123 static void rnd_alloc_magazines();
124 
125 void
126 kcf_rnd_init()
127 {
128 	hrtime_t ts;
129 	time_t now;
130 
131 	mutex_init(&rndpool_lock, NULL, MUTEX_DEFAULT, NULL);
132 	cv_init(&rndpool_read_cv, NULL, CV_DEFAULT, NULL);
133 
134 	/*
135 	 * Add bytes to the cache using
136 	 * . 2 unpredictable times: high resolution time since the boot-time,
137 	 *   and the current time-of-the day.
138 	 * This is used only to make the timeout value in the timer
139 	 * unpredictable.
140 	 */
141 	ts = gethrtime();
142 	rndc_addbytes((uint8_t *)&ts, sizeof (ts));
143 
144 	(void) drv_getparm(TIME, &now);
145 	rndc_addbytes((uint8_t *)&now, sizeof (now));
146 
147 	rnbyte_cnt = 0;
148 	findex = rindex = 0;
149 	num_waiters = 0;
150 	rngmech_type = KCF_MECHID(KCF_MISC_CLASS, 0);
151 
152 	rnd_alloc_magazines();
153 }
154 
155 /*
156  * Return TRUE if at least one provider exists that can
157  * supply random numbers.
158  */
159 boolean_t
160 kcf_rngprov_check(void)
161 {
162 	int rv;
163 	kcf_provider_desc_t *pd;
164 
165 	if ((pd = kcf_get_mech_provider(rngmech_type, NULL, NULL, &rv,
166 	    NULL, CRYPTO_FG_RANDOM, B_FALSE, 0)) != NULL) {
167 		KCF_PROV_REFRELE(pd);
168 		/*
169 		 * We logged a warning once about no provider being available
170 		 * and now a provider became available. So, set the flag so
171 		 * that we can log again if the problem recurs.
172 		 */
173 		rng_ok_to_log = B_TRUE;
174 		rng_prov_found = B_TRUE;
175 		return (B_TRUE);
176 	} else {
177 		rng_prov_found = B_FALSE;
178 		return (B_FALSE);
179 	}
180 }
181 
182 /*
183  * Pick a software-based provider and submit a request to seed
184  * its random number generator.
185  */
186 static void
187 rngprov_seed(uint8_t *buf, int len, uint_t entropy_est, uint32_t flags)
188 {
189 	kcf_provider_desc_t *pd = NULL;
190 
191 	if (kcf_get_sw_prov(rngmech_type, &pd, NULL, B_FALSE) ==
192 	    CRYPTO_SUCCESS) {
193 		(void) KCF_PROV_SEED_RANDOM(pd, pd->pd_sid, buf, len,
194 		    entropy_est, flags, NULL);
195 		KCF_PROV_REFRELE(pd);
196 	}
197 }
198 
199 /*
200  * This routine is called for blocking reads.
201  *
202  * The argument is_taskq_thr indicates whether the caller is
203  * the taskq thread dispatched by the timeout handler routine.
204  * In this case, we cycle through all the providers
205  * submitting a request to each provider to generate random numbers.
206  *
207  * For other cases, we pick a provider and submit a request to generate
208  * random numbers. We retry using another provider if we get an error.
209  *
210  * Returns the number of bytes that are written to 'ptr'. Returns -1
211  * if no provider is found. ptr and need are unchanged.
212  */
213 static int
214 rngprov_getbytes(uint8_t *ptr, size_t need, boolean_t is_taskq_thr)
215 {
216 	int rv;
217 	int prov_cnt = 0;
218 	int total_bytes = 0;
219 	kcf_provider_desc_t *pd;
220 	kcf_req_params_t params;
221 	kcf_prov_tried_t *list = NULL;
222 
223 	while ((pd = kcf_get_mech_provider(rngmech_type, NULL, NULL, &rv,
224 	    list, CRYPTO_FG_RANDOM, B_FALSE, 0)) != NULL) {
225 
226 		prov_cnt++;
227 
228 		KCF_WRAP_RANDOM_OPS_PARAMS(&params, KCF_OP_RANDOM_GENERATE,
229 		    pd->pd_sid, ptr, need, 0, 0);
230 		rv = kcf_submit_request(pd, NULL, NULL, &params, B_FALSE);
231 		ASSERT(rv != CRYPTO_QUEUED);
232 
233 		if (rv == CRYPTO_SUCCESS) {
234 			total_bytes += need;
235 			if (is_taskq_thr)
236 				rndc_addbytes(ptr, need);
237 			else {
238 				KCF_PROV_REFRELE(pd);
239 				break;
240 			}
241 		}
242 
243 		if (is_taskq_thr || rv != CRYPTO_SUCCESS) {
244 			/* Add pd to the linked list of providers tried. */
245 			if (kcf_insert_triedlist(&list, pd, KM_SLEEP) == NULL) {
246 				KCF_PROV_REFRELE(pd);
247 				break;
248 			}
249 		}
250 
251 	}
252 
253 	if (list != NULL)
254 		kcf_free_triedlist(list);
255 
256 	if (prov_cnt == 0) { /* no provider could be found. */
257 		rng_prov_found = B_FALSE;
258 		return (-1);
259 	} else {
260 		rng_prov_found = B_TRUE;
261 		/* See comments in kcf_rngprov_check() */
262 		rng_ok_to_log = B_TRUE;
263 	}
264 
265 	return (total_bytes);
266 }
267 
268 static void
269 notify_done(void *arg, int rv)
270 {
271 	uchar_t *rndbuf = arg;
272 
273 	if (rv == CRYPTO_SUCCESS)
274 		rndc_addbytes(rndbuf, MINEXTRACTBYTES);
275 
276 	bzero(rndbuf, MINEXTRACTBYTES);
277 	kmem_free(rndbuf, MINEXTRACTBYTES);
278 }
279 
280 /*
281  * Cycle through all the providers submitting a request to each provider
282  * to generate random numbers. This is called for the modes - NONBLOCK_EXTRACT
283  * and ALWAYS_EXTRACT.
284  *
285  * Returns the number of bytes that are written to 'ptr'. Returns -1
286  * if no provider is found. ptr and len are unchanged.
287  */
288 static int
289 rngprov_getbytes_nblk(uint8_t *ptr, size_t len)
290 {
291 	int rv, total_bytes;
292 	size_t blen;
293 	uchar_t *rndbuf;
294 	kcf_provider_desc_t *pd;
295 	kcf_req_params_t params;
296 	crypto_call_req_t req;
297 	kcf_prov_tried_t *list = NULL;
298 	int prov_cnt = 0;
299 
300 	blen = 0;
301 	total_bytes = 0;
302 	req.cr_flag = CRYPTO_SKIP_REQID;
303 	req.cr_callback_func = notify_done;
304 
305 	while ((pd = kcf_get_mech_provider(rngmech_type, NULL, NULL, &rv,
306 	    list, CRYPTO_FG_RANDOM, CHECK_RESTRICT(&req), 0)) != NULL) {
307 
308 		prov_cnt ++;
309 		switch (pd->pd_prov_type) {
310 		case CRYPTO_HW_PROVIDER:
311 			/*
312 			 * We have to allocate a buffer here as we can not
313 			 * assume that the input buffer will remain valid
314 			 * when the callback comes. We use a fixed size buffer
315 			 * to simplify the book keeping.
316 			 */
317 			rndbuf = kmem_alloc(MINEXTRACTBYTES, KM_NOSLEEP);
318 			if (rndbuf == NULL) {
319 				KCF_PROV_REFRELE(pd);
320 				if (list != NULL)
321 					kcf_free_triedlist(list);
322 				return (total_bytes);
323 			}
324 			req.cr_callback_arg = rndbuf;
325 			KCF_WRAP_RANDOM_OPS_PARAMS(&params,
326 			    KCF_OP_RANDOM_GENERATE,
327 			    pd->pd_sid, rndbuf, MINEXTRACTBYTES, 0, 0);
328 			break;
329 
330 		case CRYPTO_SW_PROVIDER:
331 			/*
332 			 * We do not need to allocate a buffer in the software
333 			 * provider case as there is no callback involved. We
334 			 * avoid any extra data copy by directly passing 'ptr'.
335 			 */
336 			KCF_WRAP_RANDOM_OPS_PARAMS(&params,
337 			    KCF_OP_RANDOM_GENERATE,
338 			    pd->pd_sid, ptr, len, 0, 0);
339 			break;
340 		}
341 
342 		rv = kcf_submit_request(pd, NULL, &req, &params, B_FALSE);
343 		if (rv == CRYPTO_SUCCESS) {
344 			switch (pd->pd_prov_type) {
345 			case CRYPTO_HW_PROVIDER:
346 				/*
347 				 * Since we have the input buffer handy,
348 				 * we directly copy to it rather than
349 				 * adding to the pool.
350 				 */
351 				blen = min(MINEXTRACTBYTES, len);
352 				bcopy(rndbuf, ptr, blen);
353 				if (len < MINEXTRACTBYTES)
354 					rndc_addbytes(rndbuf + len,
355 					    MINEXTRACTBYTES - len);
356 				ptr += blen;
357 				len -= blen;
358 				total_bytes += blen;
359 				break;
360 
361 			case CRYPTO_SW_PROVIDER:
362 				total_bytes += len;
363 				len = 0;
364 				break;
365 			}
366 		}
367 
368 		/*
369 		 * We free the buffer in the callback routine
370 		 * for the CRYPTO_QUEUED case.
371 		 */
372 		if (pd->pd_prov_type == CRYPTO_HW_PROVIDER &&
373 		    rv != CRYPTO_QUEUED) {
374 			bzero(rndbuf, MINEXTRACTBYTES);
375 			kmem_free(rndbuf, MINEXTRACTBYTES);
376 		}
377 
378 		if (len == 0) {
379 			KCF_PROV_REFRELE(pd);
380 			break;
381 		}
382 
383 		if (rv != CRYPTO_SUCCESS) {
384 			/* Add pd to the linked list of providers tried. */
385 			if (kcf_insert_triedlist(&list, pd, KM_NOSLEEP) ==
386 			    NULL) {
387 				KCF_PROV_REFRELE(pd);
388 				break;
389 			}
390 		}
391 	}
392 
393 	if (list != NULL) {
394 		kcf_free_triedlist(list);
395 	}
396 
397 	if (prov_cnt == 0) { /* no provider could be found. */
398 		rng_prov_found = B_FALSE;
399 		return (-1);
400 	} else {
401 		rng_prov_found = B_TRUE;
402 		/* See comments in kcf_rngprov_check() */
403 		rng_ok_to_log = B_TRUE;
404 	}
405 
406 	return (total_bytes);
407 }
408 
409 static void
410 rngprov_task(void *arg)
411 {
412 	int len = (int)(uintptr_t)arg;
413 	uchar_t tbuf[MAXEXTRACTBYTES];
414 
415 	ASSERT(len <= MAXEXTRACTBYTES);
416 	(void) rngprov_getbytes(tbuf, len, B_TRUE);
417 }
418 
419 /*
420  * Returns "len" random or pseudo-random bytes in *ptr.
421  * Will block if not enough random bytes are available and the
422  * call is blocking.
423  *
424  * Called with rndpool_lock held (allowing caller to do optimistic locking;
425  * releases the lock before return).
426  */
427 static int
428 rnd_get_bytes(uint8_t *ptr, size_t len, extract_type_t how)
429 {
430 	size_t bytes;
431 	size_t got;
432 
433 	ASSERT(mutex_owned(&rndpool_lock));
434 	/*
435 	 * Check if the request can be satisfied from the cache
436 	 * of random bytes.
437 	 */
438 	if (len <= rnbyte_cnt) {
439 		rndc_getbytes(ptr, len);
440 		mutex_exit(&rndpool_lock);
441 		return (0);
442 	}
443 	mutex_exit(&rndpool_lock);
444 
445 	switch (how) {
446 	case BLOCKING_EXTRACT:
447 		if ((got = rngprov_getbytes(ptr, len, B_FALSE)) == -1)
448 			break;	/* No provider found */
449 
450 		if (got == len)
451 			return (0);
452 		len -= got;
453 		ptr += got;
454 		break;
455 
456 	case NONBLOCK_EXTRACT:
457 	case ALWAYS_EXTRACT:
458 		if ((got = rngprov_getbytes_nblk(ptr, len)) == -1) {
459 			/* No provider found */
460 			if (how == NONBLOCK_EXTRACT) {
461 				return (EAGAIN);
462 			}
463 		} else {
464 			if (got == len)
465 				return (0);
466 			len -= got;
467 			ptr += got;
468 		}
469 		if (how == NONBLOCK_EXTRACT && (rnbyte_cnt < len))
470 			return (EAGAIN);
471 		break;
472 	}
473 
474 	mutex_enter(&rndpool_lock);
475 	while (len > 0) {
476 		if (how == BLOCKING_EXTRACT) {
477 			/* Check if there is enough */
478 			while (rnbyte_cnt < MINEXTRACTBYTES) {
479 				num_waiters++;
480 				if (cv_wait_sig(&rndpool_read_cv,
481 				    &rndpool_lock) == 0) {
482 					num_waiters--;
483 					mutex_exit(&rndpool_lock);
484 					return (EINTR);
485 				}
486 				num_waiters--;
487 			}
488 		}
489 
490 		/* Figure out how many bytes to extract */
491 		bytes = min(len, rnbyte_cnt);
492 		rndc_getbytes(ptr, bytes);
493 
494 		len -= bytes;
495 		ptr += bytes;
496 
497 		if (len > 0 && how == ALWAYS_EXTRACT) {
498 			/*
499 			 * There are not enough bytes, but we can not block.
500 			 * This only happens in the case of /dev/urandom which
501 			 * runs an additional generation algorithm. So, there
502 			 * is no problem.
503 			 */
504 			while (len > 0) {
505 				*ptr = rndpool[findex];
506 				ptr++; len--;
507 				rindex = findex = (findex + 1) &
508 				    (RNDPOOLSIZE - 1);
509 			}
510 			break;
511 		}
512 	}
513 
514 	mutex_exit(&rndpool_lock);
515 	return (0);
516 }
517 
518 int
519 kcf_rnd_get_bytes(uint8_t *ptr, size_t len, boolean_t noblock)
520 {
521 	extract_type_t how;
522 	int error;
523 
524 	how = noblock ? NONBLOCK_EXTRACT : BLOCKING_EXTRACT;
525 	mutex_enter(&rndpool_lock);
526 	if ((error = rnd_get_bytes(ptr, len, how)) != 0)
527 		return (error);
528 
529 	BUMP_RND_STATS(rs_rndOut, len);
530 	return (0);
531 }
532 
533 /*
534  * Revisit this if the structs grow or we come up with a better way
535  * of cache-line-padding structures.
536  */
537 #define	RND_CPU_CACHE_SIZE	64
538 #define	RND_CPU_PAD_SIZE	RND_CPU_CACHE_SIZE*6
539 #define	RND_CPU_PAD (RND_CPU_PAD_SIZE - \
540 	sizeof (rndmag_t))
541 /*
542  * Per-CPU random state.  Somewhat like like kmem's magazines, this provides
543  * a per-CPU instance of the pseudo-random generator.  We have it much easier
544  * than kmem, as we can afford to "leak" random bits if a CPU is DR'ed out.
545  *
546  * Note that this usage is preemption-safe; a thread
547  * entering a critical section remembers which generator it locked
548  * and unlocks the same one; should it be preempted and wind up running on
549  * a different CPU, there will be a brief period of increased contention
550  * before it exits the critical section but nothing will melt.
551  */
552 typedef struct rndmag_s
553 {
554 	kmutex_t	rm_lock;
555 	uint8_t		*rm_buffer;	/* Start of buffer */
556 	uint8_t		*rm_eptr;	/* End of buffer */
557 	uint8_t		*rm_rptr;	/* Current read pointer */
558 	uint32_t	rm_oblocks;	/* time to rekey? */
559 	uint32_t	rm_ofuzz;	/* Rekey backoff state */
560 	uint32_t	rm_olimit;	/* Hard rekey limit */
561 	rnd_stats_t	rm_stats;	/* Per-CPU Statistics */
562 	uint32_t	rm_key[HASHSIZE/BYTES_IN_WORD];	/* FIPS XKEY */
563 	uint32_t	rm_seed[HASHSIZE/BYTES_IN_WORD]; /* seed for rekey */
564 	uint32_t	rm_previous[HASHSIZE/BYTES_IN_WORD]; /* prev random */
565 } rndmag_t;
566 
567 typedef struct rndmag_pad_s
568 {
569 	rndmag_t	rm_mag;
570 	uint8_t		rm_pad[RND_CPU_PAD];
571 } rndmag_pad_t;
572 
573 /*
574  * Generate random bytes for /dev/urandom by applying the
575  * FIPS 186-2 algorithm with a key created from bytes extracted
576  * from the pool.  A maximum of PRNG_MAXOBLOCKS output blocks
577  * is generated before a new key is obtained.
578  *
579  * Note that callers to this routine are likely to assume it can't fail.
580  *
581  * Called with rmp locked; releases lock.
582  */
583 static int
584 rnd_generate_pseudo_bytes(rndmag_pad_t *rmp, uint8_t *ptr, size_t len)
585 {
586 	size_t bytes = len, size;
587 	int nblock;
588 	uint32_t oblocks;
589 	uint32_t tempout[HASHSIZE/BYTES_IN_WORD];
590 	uint32_t seed[HASHSIZE/BYTES_IN_WORD];
591 	int i;
592 	hrtime_t timestamp;
593 	uint8_t *src, *dst;
594 
595 	ASSERT(mutex_owned(&rmp->rm_mag.rm_lock));
596 
597 	/* Nothing is being asked */
598 	if (len == 0) {
599 		mutex_exit(&rmp->rm_mag.rm_lock);
600 		return (0);
601 	}
602 
603 	nblock = howmany(len, HASHSIZE);
604 
605 	rmp->rm_mag.rm_oblocks += nblock;
606 	oblocks = rmp->rm_mag.rm_oblocks;
607 
608 	do {
609 		if (oblocks >= rmp->rm_mag.rm_olimit) {
610 
611 			/*
612 			 * Contention-avoiding rekey: see if
613 			 * the pool is locked, and if so, wait a bit.
614 			 * Do an 'exponential back-in' to ensure we don't
615 			 * run too long without rekey.
616 			 */
617 			if (rmp->rm_mag.rm_ofuzz) {
618 				/*
619 				 * Decaying exponential back-in for rekey.
620 				 */
621 				if ((rnbyte_cnt < MINEXTRACTBYTES) ||
622 				    (!mutex_tryenter(&rndpool_lock))) {
623 					rmp->rm_mag.rm_olimit +=
624 					    rmp->rm_mag.rm_ofuzz;
625 					rmp->rm_mag.rm_ofuzz >>= 1;
626 					goto punt;
627 				}
628 			} else {
629 				mutex_enter(&rndpool_lock);
630 			}
631 
632 			/* Get a new chunk of entropy */
633 			(void) rnd_get_bytes((uint8_t *)rmp->rm_mag.rm_key,
634 			    HMAC_KEYSIZE, ALWAYS_EXTRACT);
635 
636 			rmp->rm_mag.rm_olimit = PRNG_MAXOBLOCKS/2;
637 			rmp->rm_mag.rm_ofuzz = PRNG_MAXOBLOCKS/4;
638 			oblocks = 0;
639 			rmp->rm_mag.rm_oblocks = nblock;
640 		}
641 punt:
642 		timestamp = gethrtime();
643 
644 		src = (uint8_t *)&timestamp;
645 		dst = (uint8_t *)rmp->rm_mag.rm_seed;
646 
647 		for (i = 0; i < HASHSIZE; i++) {
648 			dst[i] ^= src[i % sizeof (timestamp)];
649 		}
650 
651 		bcopy(rmp->rm_mag.rm_seed, seed, HASHSIZE);
652 
653 		fips_random_inner(rmp->rm_mag.rm_key, tempout,
654 		    seed);
655 
656 		if (bytes >= HASHSIZE) {
657 			size = HASHSIZE;
658 		} else {
659 			size = min(bytes, HASHSIZE);
660 		}
661 
662 		/*
663 		 * FIPS 140-2: Continuous RNG test - each generation
664 		 * of an n-bit block shall be compared with the previously
665 		 * generated block. Test shall fail if any two compared
666 		 * n-bit blocks are equal.
667 		 */
668 		for (i = 0; i < HASHSIZE/BYTES_IN_WORD; i++) {
669 			if (tempout[i] != rmp->rm_mag.rm_previous[i])
670 				break;
671 		}
672 		if (i == HASHSIZE/BYTES_IN_WORD) {
673 			cmn_err(CE_WARN, "kcf_random: The value of 160-bit "
674 			    "block random bytes are same as the previous "
675 			    "one.\n");
676 			/* discard random bytes and return error */
677 			return (EIO);
678 		}
679 
680 		bcopy(tempout, rmp->rm_mag.rm_previous,
681 		    HASHSIZE);
682 
683 		bcopy(tempout, ptr, size);
684 		ptr += size;
685 		bytes -= size;
686 		oblocks++;
687 		nblock--;
688 	} while (bytes > 0);
689 
690 	/* Zero out sensitive information */
691 	bzero(seed, HASHSIZE);
692 	bzero(tempout, HASHSIZE);
693 	mutex_exit(&rmp->rm_mag.rm_lock);
694 	return (0);
695 }
696 
697 /*
698  * Per-CPU Random magazines.
699  */
700 static rndmag_pad_t *rndmag;
701 static uint8_t	*rndbuf;
702 static size_t 	rndmag_total;
703 /*
704  * common/os/cpu.c says that platform support code can shrinkwrap
705  * max_ncpus.  On the off chance that we get loaded very early, we
706  * read it exactly once, to copy it here.
707  */
708 static uint32_t	random_max_ncpus = 0;
709 
710 /*
711  * Boot-time tunables, for experimentation.
712  */
713 size_t	rndmag_threshold = 2560;
714 size_t	rndbuf_len = 5120;
715 size_t	rndmag_size = 1280;
716 
717 
718 int
719 kcf_rnd_get_pseudo_bytes(uint8_t *ptr, size_t len)
720 {
721 	rndmag_pad_t *rmp;
722 	uint8_t *cptr, *eptr;
723 
724 	/*
725 	 * Anyone who asks for zero bytes of randomness should get slapped.
726 	 */
727 	ASSERT(len > 0);
728 
729 	/*
730 	 * Fast path.
731 	 */
732 	for (;;) {
733 		rmp = &rndmag[CPU->cpu_seqid];
734 		mutex_enter(&rmp->rm_mag.rm_lock);
735 
736 		/*
737 		 * Big requests bypass buffer and tail-call the
738 		 * generate routine directly.
739 		 */
740 		if (len > rndmag_threshold) {
741 			BUMP_CPU_RND_STATS(rmp, rs_urndOut, len);
742 			return (rnd_generate_pseudo_bytes(rmp, ptr, len));
743 		}
744 
745 		cptr = rmp->rm_mag.rm_rptr;
746 		eptr = cptr + len;
747 
748 		if (eptr <= rmp->rm_mag.rm_eptr) {
749 			rmp->rm_mag.rm_rptr = eptr;
750 			bcopy(cptr, ptr, len);
751 			BUMP_CPU_RND_STATS(rmp, rs_urndOut, len);
752 			mutex_exit(&rmp->rm_mag.rm_lock);
753 
754 			return (0);
755 		}
756 		/*
757 		 * End fast path.
758 		 */
759 		rmp->rm_mag.rm_rptr = rmp->rm_mag.rm_buffer;
760 		/*
761 		 * Note:  We assume the generate routine always succeeds
762 		 * in this case (because it does at present..)
763 		 * It also always releases rm_lock.
764 		 */
765 		(void) rnd_generate_pseudo_bytes(rmp, rmp->rm_mag.rm_buffer,
766 		    rndbuf_len);
767 	}
768 }
769 
770 /*
771  * We set up (empty) magazines for all of max_ncpus, possibly wasting a
772  * little memory on big systems that don't have the full set installed.
773  * See above;  "empty" means "rptr equal to eptr"; this will trigger the
774  * refill path in rnd_get_pseudo_bytes above on the first call for each CPU.
775  *
776  * TODO: make rndmag_size tunable at run time!
777  */
778 static void
779 rnd_alloc_magazines()
780 {
781 	rndmag_pad_t *rmp;
782 	int i;
783 	uint8_t discard_buf[HASHSIZE];
784 
785 	rndbuf_len = roundup(rndbuf_len, HASHSIZE);
786 	if (rndmag_size < rndbuf_len)
787 		rndmag_size = rndbuf_len;
788 	rndmag_size = roundup(rndmag_size, RND_CPU_CACHE_SIZE);
789 
790 	random_max_ncpus = max_ncpus;
791 	rndmag_total = rndmag_size * random_max_ncpus;
792 
793 	rndbuf = kmem_alloc(rndmag_total, KM_SLEEP);
794 	rndmag = kmem_zalloc(sizeof (rndmag_pad_t) * random_max_ncpus,
795 	    KM_SLEEP);
796 
797 	for (i = 0; i < random_max_ncpus; i++) {
798 		uint8_t *buf;
799 
800 		rmp = &rndmag[i];
801 		mutex_init(&rmp->rm_mag.rm_lock, NULL, MUTEX_DRIVER, NULL);
802 
803 		buf = rndbuf + i * rndmag_size;
804 
805 		rmp->rm_mag.rm_buffer = buf;
806 		rmp->rm_mag.rm_eptr = buf + rndbuf_len;
807 		rmp->rm_mag.rm_rptr = buf + rndbuf_len;
808 		rmp->rm_mag.rm_oblocks = 1;
809 
810 		mutex_enter(&rndpool_lock);
811 		/*
812 		 * FIPS 140-2: the first n-bit (n > 15) block generated
813 		 * after power-up, initialization, or reset shall not
814 		 * be used, but shall be saved for comparison.
815 		 */
816 		(void) rnd_get_bytes(discard_buf,
817 		    HMAC_KEYSIZE, ALWAYS_EXTRACT);
818 		bcopy(discard_buf, rmp->rm_mag.rm_previous,
819 		    HMAC_KEYSIZE);
820 		/* rnd_get_bytes() will call mutex_exit(&rndpool_lock) */
821 		mutex_enter(&rndpool_lock);
822 		(void) rnd_get_bytes((uint8_t *)rmp->rm_mag.rm_key,
823 		    HMAC_KEYSIZE, ALWAYS_EXTRACT);
824 		/* rnd_get_bytes() will call mutex_exit(&rndpool_lock) */
825 		mutex_enter(&rndpool_lock);
826 		(void) rnd_get_bytes((uint8_t *)rmp->rm_mag.rm_seed,
827 		    HMAC_KEYSIZE, ALWAYS_EXTRACT);
828 	}
829 }
830 
831 void
832 kcf_rnd_schedule_timeout(boolean_t do_mech2id)
833 {
834 	clock_t ut;	/* time in microseconds */
835 
836 	if (do_mech2id)
837 		rngmech_type = crypto_mech2id(SUN_RANDOM);
838 
839 	/*
840 	 * The new timeout value is taken from the buffer of random bytes.
841 	 * We're merely reading the first 32 bits from the buffer here, not
842 	 * consuming any random bytes.
843 	 * The timeout multiplier value is a random value between 0.5 sec and
844 	 * 1.544480 sec (0.5 sec + 0xFF000 microseconds).
845 	 * The new timeout is TIMEOUT_INTERVAL times that multiplier.
846 	 */
847 	ut = 500000 + (clock_t)((((uint32_t)rndpool[findex]) << 12) & 0xFF000);
848 	kcf_rndtimeout_id = timeout(rnd_handler, NULL,
849 	    TIMEOUT_INTERVAL * drv_usectohz(ut));
850 }
851 
852 /*
853  * Called from the driver for a poll on /dev/random
854  * . POLLOUT always succeeds.
855  * . POLLIN and POLLRDNORM will block until a
856  *   minimum amount of entropy is available.
857  *
858  * &rnd_pollhead is passed in *phpp in order to indicate the calling thread
859  * will block. When enough random bytes are available, later, the timeout
860  * handler routine will issue the pollwakeup() calls.
861  */
862 void
863 kcf_rnd_chpoll(short events, int anyyet, short *reventsp,
864     struct pollhead **phpp)
865 {
866 	*reventsp = events & POLLOUT;
867 
868 	if (events & (POLLIN | POLLRDNORM)) {
869 		/*
870 		 * Sampling of rnbyte_cnt is an atomic
871 		 * operation. Hence we do not need any locking.
872 		 */
873 		if (rnbyte_cnt >= MINEXTRACTBYTES)
874 			*reventsp |= (events & (POLLIN | POLLRDNORM));
875 	}
876 
877 	if (*reventsp == 0 && !anyyet)
878 		*phpp = &rnd_pollhead;
879 }
880 
881 /*ARGSUSED*/
882 static void
883 rnd_handler(void *arg)
884 {
885 	int len = 0;
886 
887 	if (!rng_prov_found && rng_ok_to_log) {
888 		cmn_err(CE_WARN, "No randomness provider enabled for "
889 		    "/dev/random. Use cryptoadm(1M) to enable a provider.");
890 		rng_ok_to_log = B_FALSE;
891 	}
892 
893 	if (num_waiters > 0)
894 		len = MAXEXTRACTBYTES;
895 	else if (rnbyte_cnt < RNDPOOLSIZE)
896 		len = MINEXTRACTBYTES;
897 
898 	if (len > 0) {
899 		(void) taskq_dispatch(system_taskq, rngprov_task,
900 		    (void *)(uintptr_t)len, TQ_NOSLEEP);
901 	}
902 
903 	mutex_enter(&rndpool_lock);
904 	/*
905 	 * Wake up threads waiting in poll() or for enough accumulated
906 	 * random bytes to read from /dev/random. In case a poll() is
907 	 * concurrent with a read(), the polling process may be woken up
908 	 * indicating that enough randomness is now available for reading,
909 	 * and another process *steals* the bits from the pool, causing the
910 	 * subsequent read() from the first process to block. It is acceptable
911 	 * since the blocking will eventually end, after the timeout
912 	 * has expired enough times to honor the read.
913 	 *
914 	 * Note - Since we hold the rndpool_lock across the pollwakeup() call
915 	 * we MUST NOT grab the rndpool_lock in kcf_rndchpoll().
916 	 */
917 	if (rnbyte_cnt >= MINEXTRACTBYTES)
918 		pollwakeup(&rnd_pollhead, POLLIN | POLLRDNORM);
919 
920 	if (num_waiters > 0)
921 		cv_broadcast(&rndpool_read_cv);
922 	mutex_exit(&rndpool_lock);
923 
924 	kcf_rnd_schedule_timeout(B_FALSE);
925 }
926 
927 static void
928 rndc_addbytes(uint8_t *ptr, size_t len)
929 {
930 	ASSERT(ptr != NULL && len > 0);
931 	ASSERT(rnbyte_cnt <= RNDPOOLSIZE);
932 
933 	mutex_enter(&rndpool_lock);
934 	while ((len > 0) && (rnbyte_cnt < RNDPOOLSIZE)) {
935 		rndpool[rindex] ^= *ptr;
936 		ptr++; len--;
937 		rindex = (rindex + 1) & (RNDPOOLSIZE - 1);
938 		rnbyte_cnt++;
939 	}
940 
941 	/* Handle buffer full case */
942 	while (len > 0) {
943 		rndpool[rindex] ^= *ptr;
944 		ptr++; len--;
945 		findex = rindex = (rindex + 1) & (RNDPOOLSIZE - 1);
946 	}
947 	mutex_exit(&rndpool_lock);
948 }
949 
950 /*
951  * Caller should check len <= rnbyte_cnt under the
952  * rndpool_lock before calling.
953  */
954 static void
955 rndc_getbytes(uint8_t *ptr, size_t len)
956 {
957 	ASSERT(MUTEX_HELD(&rndpool_lock));
958 	ASSERT(len <= rnbyte_cnt && rnbyte_cnt <= RNDPOOLSIZE);
959 
960 	BUMP_RND_STATS(rs_rndcOut, len);
961 
962 	while (len > 0) {
963 		*ptr = rndpool[findex];
964 		ptr++; len--;
965 		findex = (findex + 1) & (RNDPOOLSIZE - 1);
966 		rnbyte_cnt--;
967 	}
968 }
969 
970 /* Random number exported entry points */
971 
972 /*
973  * Mix the supplied bytes into the entropy pool of a kCF
974  * RNG provider.
975  */
976 int
977 random_add_pseudo_entropy(uint8_t *ptr, size_t len, uint_t entropy_est)
978 {
979 	if (len < 1)
980 		return (-1);
981 
982 	rngprov_seed(ptr, len, entropy_est, 0);
983 
984 	return (0);
985 }
986 
987 /*
988  * Mix the supplied bytes into the entropy pool of a kCF
989  * RNG provider. Mix immediately.
990  */
991 int
992 random_add_entropy(uint8_t *ptr, size_t len, uint_t entropy_est)
993 {
994 	if (len < 1)
995 		return (-1);
996 
997 	rngprov_seed(ptr, len, entropy_est, CRYPTO_SEED_NOW);
998 
999 	return (0);
1000 }
1001 
1002 /*
1003  * Get bytes from the /dev/urandom generator. This function
1004  * always succeeds. Returns 0.
1005  */
1006 int
1007 random_get_pseudo_bytes(uint8_t *ptr, size_t len)
1008 {
1009 	ASSERT(!mutex_owned(&rndpool_lock));
1010 
1011 	if (len < 1)
1012 		return (0);
1013 	return (kcf_rnd_get_pseudo_bytes(ptr, len));
1014 }
1015 
1016 /*
1017  * Get bytes from the /dev/random generator. Returns 0
1018  * on success. Returns EAGAIN if there is insufficient entropy.
1019  */
1020 int
1021 random_get_bytes(uint8_t *ptr, size_t len)
1022 {
1023 	ASSERT(!mutex_owned(&rndpool_lock));
1024 
1025 	if (len < 1)
1026 		return (0);
1027 	return (kcf_rnd_get_bytes(ptr, len, B_TRUE));
1028 }
1029