1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * This file implements the interfaces that the /dev/random 28 * driver uses for read(2), write(2) and poll(2) on /dev/random or 29 * /dev/urandom. It also implements the kernel API - random_add_entropy(), 30 * random_add_pseudo_entropy(), random_get_pseudo_bytes() 31 * and random_get_bytes(). 32 * 33 * We periodically collect random bits from providers which are registered 34 * with the Kernel Cryptographic Framework (kCF) as capable of random 35 * number generation. The random bits are maintained in a cache and 36 * it is used for high quality random numbers (/dev/random) requests. 37 * We pick a provider and call its SPI routine, if the cache does not have 38 * enough bytes to satisfy a request. 39 * 40 * /dev/urandom requests use a software-based generator algorithm that uses the 41 * random bits in the cache as a seed. We create one pseudo-random generator 42 * (for /dev/urandom) per possible CPU on the system, and use it, 43 * kmem-magazine-style, to avoid cache line contention. 44 * 45 * LOCKING HIERARCHY: 46 * 1) rmp->rm_mag.rm_lock protects the per-cpu pseudo-random generators. 47 * 2) rndpool_lock protects the high-quality randomness pool. 48 * It may be locked while a rmp->rm_mag.rm_lock is held. 49 * 50 * A history note: The kernel API and the software-based algorithms in this 51 * file used to be part of the /dev/random driver. 52 */ 53 54 #include <sys/types.h> 55 #include <sys/conf.h> 56 #include <sys/sunddi.h> 57 #include <sys/disp.h> 58 #include <sys/modctl.h> 59 #include <sys/ddi.h> 60 #include <sys/crypto/common.h> 61 #include <sys/crypto/api.h> 62 #include <sys/crypto/impl.h> 63 #include <sys/crypto/sched_impl.h> 64 #include <sys/random.h> 65 #include <sys/sha1.h> 66 #include <sys/time.h> 67 #include <sys/sysmacros.h> 68 #include <sys/cpuvar.h> 69 #include <sys/taskq.h> 70 #include <rng/fips_random.h> 71 72 #define RNDPOOLSIZE 1024 /* Pool size in bytes */ 73 #define MINEXTRACTBYTES 20 74 #define MAXEXTRACTBYTES 1024 75 #define PRNG_MAXOBLOCKS 1310720 /* Max output block per prng key */ 76 #define TIMEOUT_INTERVAL 5 /* Periodic mixing interval in secs */ 77 78 typedef enum extract_type { 79 NONBLOCK_EXTRACT, 80 BLOCKING_EXTRACT, 81 ALWAYS_EXTRACT 82 } extract_type_t; 83 84 /* 85 * Hash-algo generic definitions. For now, they are SHA1's. We use SHA1 86 * routines directly instead of using k-API because we can't return any 87 * error code in /dev/urandom case and we can get an error using k-API 88 * if a mechanism is disabled. 89 */ 90 #define HASHSIZE 20 91 #define HASH_CTX SHA1_CTX 92 #define HashInit(ctx) SHA1Init((ctx)) 93 #define HashUpdate(ctx, p, s) SHA1Update((ctx), (p), (s)) 94 #define HashFinal(d, ctx) SHA1Final((d), (ctx)) 95 96 /* HMAC-SHA1 */ 97 #define HMAC_KEYSIZE 20 98 99 /* 100 * Cache of random bytes implemented as a circular buffer. findex and rindex 101 * track the front and back of the circular buffer. 102 */ 103 uint8_t rndpool[RNDPOOLSIZE]; 104 static int findex, rindex; 105 static int rnbyte_cnt; /* Number of bytes in the cache */ 106 107 static kmutex_t rndpool_lock; /* protects r/w accesses to the cache, */ 108 /* and the global variables */ 109 static kcondvar_t rndpool_read_cv; /* serializes poll/read syscalls */ 110 static int num_waiters; /* #threads waiting to read from /dev/random */ 111 112 static struct pollhead rnd_pollhead; 113 /* LINTED E_STATIC_UNUSED */ 114 static timeout_id_t kcf_rndtimeout_id; 115 static crypto_mech_type_t rngmech_type = CRYPTO_MECH_INVALID; 116 rnd_stats_t rnd_stats; 117 static boolean_t rng_prov_found = B_TRUE; 118 static boolean_t rng_ok_to_log = B_TRUE; 119 120 static void rndc_addbytes(uint8_t *, size_t); 121 static void rndc_getbytes(uint8_t *ptr, size_t len); 122 static void rnd_handler(void *); 123 static void rnd_alloc_magazines(); 124 125 void 126 kcf_rnd_init() 127 { 128 hrtime_t ts; 129 time_t now; 130 131 mutex_init(&rndpool_lock, NULL, MUTEX_DEFAULT, NULL); 132 cv_init(&rndpool_read_cv, NULL, CV_DEFAULT, NULL); 133 134 /* 135 * Add bytes to the cache using 136 * . 2 unpredictable times: high resolution time since the boot-time, 137 * and the current time-of-the day. 138 * This is used only to make the timeout value in the timer 139 * unpredictable. 140 */ 141 ts = gethrtime(); 142 rndc_addbytes((uint8_t *)&ts, sizeof (ts)); 143 144 (void) drv_getparm(TIME, &now); 145 rndc_addbytes((uint8_t *)&now, sizeof (now)); 146 147 rnbyte_cnt = 0; 148 findex = rindex = 0; 149 num_waiters = 0; 150 rngmech_type = KCF_MECHID(KCF_MISC_CLASS, 0); 151 152 rnd_alloc_magazines(); 153 } 154 155 /* 156 * Return TRUE if at least one provider exists that can 157 * supply random numbers. 158 */ 159 boolean_t 160 kcf_rngprov_check(void) 161 { 162 int rv; 163 kcf_provider_desc_t *pd; 164 165 if ((pd = kcf_get_mech_provider(rngmech_type, NULL, NULL, &rv, 166 NULL, CRYPTO_FG_RANDOM, B_FALSE, 0)) != NULL) { 167 KCF_PROV_REFRELE(pd); 168 /* 169 * We logged a warning once about no provider being available 170 * and now a provider became available. So, set the flag so 171 * that we can log again if the problem recurs. 172 */ 173 rng_ok_to_log = B_TRUE; 174 rng_prov_found = B_TRUE; 175 return (B_TRUE); 176 } else { 177 rng_prov_found = B_FALSE; 178 return (B_FALSE); 179 } 180 } 181 182 /* 183 * Pick a software-based provider and submit a request to seed 184 * its random number generator. 185 */ 186 static void 187 rngprov_seed(uint8_t *buf, int len, uint_t entropy_est, uint32_t flags) 188 { 189 kcf_provider_desc_t *pd = NULL; 190 191 if (kcf_get_sw_prov(rngmech_type, &pd, NULL, B_FALSE) == 192 CRYPTO_SUCCESS) { 193 (void) KCF_PROV_SEED_RANDOM(pd, pd->pd_sid, buf, len, 194 entropy_est, flags, NULL); 195 KCF_PROV_REFRELE(pd); 196 } 197 } 198 199 /* 200 * This routine is called for blocking reads. 201 * 202 * The argument is_taskq_thr indicates whether the caller is 203 * the taskq thread dispatched by the timeout handler routine. 204 * In this case, we cycle through all the providers 205 * submitting a request to each provider to generate random numbers. 206 * 207 * For other cases, we pick a provider and submit a request to generate 208 * random numbers. We retry using another provider if we get an error. 209 * 210 * Returns the number of bytes that are written to 'ptr'. Returns -1 211 * if no provider is found. ptr and need are unchanged. 212 */ 213 static int 214 rngprov_getbytes(uint8_t *ptr, size_t need, boolean_t is_taskq_thr) 215 { 216 int rv; 217 int prov_cnt = 0; 218 int total_bytes = 0; 219 kcf_provider_desc_t *pd; 220 kcf_req_params_t params; 221 kcf_prov_tried_t *list = NULL; 222 223 while ((pd = kcf_get_mech_provider(rngmech_type, NULL, NULL, &rv, 224 list, CRYPTO_FG_RANDOM, B_FALSE, 0)) != NULL) { 225 226 prov_cnt++; 227 228 KCF_WRAP_RANDOM_OPS_PARAMS(¶ms, KCF_OP_RANDOM_GENERATE, 229 pd->pd_sid, ptr, need, 0, 0); 230 rv = kcf_submit_request(pd, NULL, NULL, ¶ms, B_FALSE); 231 ASSERT(rv != CRYPTO_QUEUED); 232 233 if (rv == CRYPTO_SUCCESS) { 234 total_bytes += need; 235 if (is_taskq_thr) 236 rndc_addbytes(ptr, need); 237 else { 238 KCF_PROV_REFRELE(pd); 239 break; 240 } 241 } 242 243 if (is_taskq_thr || rv != CRYPTO_SUCCESS) { 244 /* Add pd to the linked list of providers tried. */ 245 if (kcf_insert_triedlist(&list, pd, KM_SLEEP) == NULL) { 246 KCF_PROV_REFRELE(pd); 247 break; 248 } 249 } 250 251 } 252 253 if (list != NULL) 254 kcf_free_triedlist(list); 255 256 if (prov_cnt == 0) { /* no provider could be found. */ 257 rng_prov_found = B_FALSE; 258 return (-1); 259 } else { 260 rng_prov_found = B_TRUE; 261 /* See comments in kcf_rngprov_check() */ 262 rng_ok_to_log = B_TRUE; 263 } 264 265 return (total_bytes); 266 } 267 268 static void 269 notify_done(void *arg, int rv) 270 { 271 uchar_t *rndbuf = arg; 272 273 if (rv == CRYPTO_SUCCESS) 274 rndc_addbytes(rndbuf, MINEXTRACTBYTES); 275 276 bzero(rndbuf, MINEXTRACTBYTES); 277 kmem_free(rndbuf, MINEXTRACTBYTES); 278 } 279 280 /* 281 * Cycle through all the providers submitting a request to each provider 282 * to generate random numbers. This is called for the modes - NONBLOCK_EXTRACT 283 * and ALWAYS_EXTRACT. 284 * 285 * Returns the number of bytes that are written to 'ptr'. Returns -1 286 * if no provider is found. ptr and len are unchanged. 287 */ 288 static int 289 rngprov_getbytes_nblk(uint8_t *ptr, size_t len) 290 { 291 int rv, total_bytes; 292 size_t blen; 293 uchar_t *rndbuf; 294 kcf_provider_desc_t *pd; 295 kcf_req_params_t params; 296 crypto_call_req_t req; 297 kcf_prov_tried_t *list = NULL; 298 int prov_cnt = 0; 299 300 blen = 0; 301 total_bytes = 0; 302 req.cr_flag = CRYPTO_SKIP_REQID; 303 req.cr_callback_func = notify_done; 304 305 while ((pd = kcf_get_mech_provider(rngmech_type, NULL, NULL, &rv, 306 list, CRYPTO_FG_RANDOM, CHECK_RESTRICT(&req), 0)) != NULL) { 307 308 prov_cnt ++; 309 switch (pd->pd_prov_type) { 310 case CRYPTO_HW_PROVIDER: 311 /* 312 * We have to allocate a buffer here as we can not 313 * assume that the input buffer will remain valid 314 * when the callback comes. We use a fixed size buffer 315 * to simplify the book keeping. 316 */ 317 rndbuf = kmem_alloc(MINEXTRACTBYTES, KM_NOSLEEP); 318 if (rndbuf == NULL) { 319 KCF_PROV_REFRELE(pd); 320 if (list != NULL) 321 kcf_free_triedlist(list); 322 return (total_bytes); 323 } 324 req.cr_callback_arg = rndbuf; 325 KCF_WRAP_RANDOM_OPS_PARAMS(¶ms, 326 KCF_OP_RANDOM_GENERATE, 327 pd->pd_sid, rndbuf, MINEXTRACTBYTES, 0, 0); 328 break; 329 330 case CRYPTO_SW_PROVIDER: 331 /* 332 * We do not need to allocate a buffer in the software 333 * provider case as there is no callback involved. We 334 * avoid any extra data copy by directly passing 'ptr'. 335 */ 336 KCF_WRAP_RANDOM_OPS_PARAMS(¶ms, 337 KCF_OP_RANDOM_GENERATE, 338 pd->pd_sid, ptr, len, 0, 0); 339 break; 340 } 341 342 rv = kcf_submit_request(pd, NULL, &req, ¶ms, B_FALSE); 343 if (rv == CRYPTO_SUCCESS) { 344 switch (pd->pd_prov_type) { 345 case CRYPTO_HW_PROVIDER: 346 /* 347 * Since we have the input buffer handy, 348 * we directly copy to it rather than 349 * adding to the pool. 350 */ 351 blen = min(MINEXTRACTBYTES, len); 352 bcopy(rndbuf, ptr, blen); 353 if (len < MINEXTRACTBYTES) 354 rndc_addbytes(rndbuf + len, 355 MINEXTRACTBYTES - len); 356 ptr += blen; 357 len -= blen; 358 total_bytes += blen; 359 break; 360 361 case CRYPTO_SW_PROVIDER: 362 total_bytes += len; 363 len = 0; 364 break; 365 } 366 } 367 368 /* 369 * We free the buffer in the callback routine 370 * for the CRYPTO_QUEUED case. 371 */ 372 if (pd->pd_prov_type == CRYPTO_HW_PROVIDER && 373 rv != CRYPTO_QUEUED) { 374 bzero(rndbuf, MINEXTRACTBYTES); 375 kmem_free(rndbuf, MINEXTRACTBYTES); 376 } 377 378 if (len == 0) { 379 KCF_PROV_REFRELE(pd); 380 break; 381 } 382 383 if (rv != CRYPTO_SUCCESS) { 384 /* Add pd to the linked list of providers tried. */ 385 if (kcf_insert_triedlist(&list, pd, KM_NOSLEEP) == 386 NULL) { 387 KCF_PROV_REFRELE(pd); 388 break; 389 } 390 } 391 } 392 393 if (list != NULL) { 394 kcf_free_triedlist(list); 395 } 396 397 if (prov_cnt == 0) { /* no provider could be found. */ 398 rng_prov_found = B_FALSE; 399 return (-1); 400 } else { 401 rng_prov_found = B_TRUE; 402 /* See comments in kcf_rngprov_check() */ 403 rng_ok_to_log = B_TRUE; 404 } 405 406 return (total_bytes); 407 } 408 409 static void 410 rngprov_task(void *arg) 411 { 412 int len = (int)(uintptr_t)arg; 413 uchar_t tbuf[MAXEXTRACTBYTES]; 414 415 ASSERT(len <= MAXEXTRACTBYTES); 416 (void) rngprov_getbytes(tbuf, len, B_TRUE); 417 } 418 419 /* 420 * Returns "len" random or pseudo-random bytes in *ptr. 421 * Will block if not enough random bytes are available and the 422 * call is blocking. 423 * 424 * Called with rndpool_lock held (allowing caller to do optimistic locking; 425 * releases the lock before return). 426 */ 427 static int 428 rnd_get_bytes(uint8_t *ptr, size_t len, extract_type_t how) 429 { 430 size_t bytes; 431 size_t got; 432 433 ASSERT(mutex_owned(&rndpool_lock)); 434 /* 435 * Check if the request can be satisfied from the cache 436 * of random bytes. 437 */ 438 if (len <= rnbyte_cnt) { 439 rndc_getbytes(ptr, len); 440 mutex_exit(&rndpool_lock); 441 return (0); 442 } 443 mutex_exit(&rndpool_lock); 444 445 switch (how) { 446 case BLOCKING_EXTRACT: 447 if ((got = rngprov_getbytes(ptr, len, B_FALSE)) == -1) 448 break; /* No provider found */ 449 450 if (got == len) 451 return (0); 452 len -= got; 453 ptr += got; 454 break; 455 456 case NONBLOCK_EXTRACT: 457 case ALWAYS_EXTRACT: 458 if ((got = rngprov_getbytes_nblk(ptr, len)) == -1) { 459 /* No provider found */ 460 if (how == NONBLOCK_EXTRACT) { 461 return (EAGAIN); 462 } 463 } else { 464 if (got == len) 465 return (0); 466 len -= got; 467 ptr += got; 468 } 469 if (how == NONBLOCK_EXTRACT && (rnbyte_cnt < len)) 470 return (EAGAIN); 471 break; 472 } 473 474 mutex_enter(&rndpool_lock); 475 while (len > 0) { 476 if (how == BLOCKING_EXTRACT) { 477 /* Check if there is enough */ 478 while (rnbyte_cnt < MINEXTRACTBYTES) { 479 num_waiters++; 480 if (cv_wait_sig(&rndpool_read_cv, 481 &rndpool_lock) == 0) { 482 num_waiters--; 483 mutex_exit(&rndpool_lock); 484 return (EINTR); 485 } 486 num_waiters--; 487 } 488 } 489 490 /* Figure out how many bytes to extract */ 491 bytes = min(len, rnbyte_cnt); 492 rndc_getbytes(ptr, bytes); 493 494 len -= bytes; 495 ptr += bytes; 496 497 if (len > 0 && how == ALWAYS_EXTRACT) { 498 /* 499 * There are not enough bytes, but we can not block. 500 * This only happens in the case of /dev/urandom which 501 * runs an additional generation algorithm. So, there 502 * is no problem. 503 */ 504 while (len > 0) { 505 *ptr = rndpool[findex]; 506 ptr++; len--; 507 rindex = findex = (findex + 1) & 508 (RNDPOOLSIZE - 1); 509 } 510 break; 511 } 512 } 513 514 mutex_exit(&rndpool_lock); 515 return (0); 516 } 517 518 int 519 kcf_rnd_get_bytes(uint8_t *ptr, size_t len, boolean_t noblock) 520 { 521 extract_type_t how; 522 int error; 523 524 how = noblock ? NONBLOCK_EXTRACT : BLOCKING_EXTRACT; 525 mutex_enter(&rndpool_lock); 526 if ((error = rnd_get_bytes(ptr, len, how)) != 0) 527 return (error); 528 529 BUMP_RND_STATS(rs_rndOut, len); 530 return (0); 531 } 532 533 /* 534 * Revisit this if the structs grow or we come up with a better way 535 * of cache-line-padding structures. 536 */ 537 #define RND_CPU_CACHE_SIZE 64 538 #define RND_CPU_PAD_SIZE RND_CPU_CACHE_SIZE*6 539 #define RND_CPU_PAD (RND_CPU_PAD_SIZE - \ 540 sizeof (rndmag_t)) 541 /* 542 * Per-CPU random state. Somewhat like like kmem's magazines, this provides 543 * a per-CPU instance of the pseudo-random generator. We have it much easier 544 * than kmem, as we can afford to "leak" random bits if a CPU is DR'ed out. 545 * 546 * Note that this usage is preemption-safe; a thread 547 * entering a critical section remembers which generator it locked 548 * and unlocks the same one; should it be preempted and wind up running on 549 * a different CPU, there will be a brief period of increased contention 550 * before it exits the critical section but nothing will melt. 551 */ 552 typedef struct rndmag_s 553 { 554 kmutex_t rm_lock; 555 uint8_t *rm_buffer; /* Start of buffer */ 556 uint8_t *rm_eptr; /* End of buffer */ 557 uint8_t *rm_rptr; /* Current read pointer */ 558 uint32_t rm_oblocks; /* time to rekey? */ 559 uint32_t rm_ofuzz; /* Rekey backoff state */ 560 uint32_t rm_olimit; /* Hard rekey limit */ 561 rnd_stats_t rm_stats; /* Per-CPU Statistics */ 562 uint32_t rm_key[HASHSIZE/BYTES_IN_WORD]; /* FIPS XKEY */ 563 uint32_t rm_seed[HASHSIZE/BYTES_IN_WORD]; /* seed for rekey */ 564 uint32_t rm_previous[HASHSIZE/BYTES_IN_WORD]; /* prev random */ 565 } rndmag_t; 566 567 typedef struct rndmag_pad_s 568 { 569 rndmag_t rm_mag; 570 uint8_t rm_pad[RND_CPU_PAD]; 571 } rndmag_pad_t; 572 573 /* 574 * Generate random bytes for /dev/urandom by applying the 575 * FIPS 186-2 algorithm with a key created from bytes extracted 576 * from the pool. A maximum of PRNG_MAXOBLOCKS output blocks 577 * is generated before a new key is obtained. 578 * 579 * Note that callers to this routine are likely to assume it can't fail. 580 * 581 * Called with rmp locked; releases lock. 582 */ 583 static int 584 rnd_generate_pseudo_bytes(rndmag_pad_t *rmp, uint8_t *ptr, size_t len) 585 { 586 size_t bytes = len, size; 587 int nblock; 588 uint32_t oblocks; 589 uint32_t tempout[HASHSIZE/BYTES_IN_WORD]; 590 uint32_t seed[HASHSIZE/BYTES_IN_WORD]; 591 int i; 592 hrtime_t timestamp; 593 uint8_t *src, *dst; 594 595 ASSERT(mutex_owned(&rmp->rm_mag.rm_lock)); 596 597 /* Nothing is being asked */ 598 if (len == 0) { 599 mutex_exit(&rmp->rm_mag.rm_lock); 600 return (0); 601 } 602 603 nblock = howmany(len, HASHSIZE); 604 605 rmp->rm_mag.rm_oblocks += nblock; 606 oblocks = rmp->rm_mag.rm_oblocks; 607 608 do { 609 if (oblocks >= rmp->rm_mag.rm_olimit) { 610 611 /* 612 * Contention-avoiding rekey: see if 613 * the pool is locked, and if so, wait a bit. 614 * Do an 'exponential back-in' to ensure we don't 615 * run too long without rekey. 616 */ 617 if (rmp->rm_mag.rm_ofuzz) { 618 /* 619 * Decaying exponential back-in for rekey. 620 */ 621 if ((rnbyte_cnt < MINEXTRACTBYTES) || 622 (!mutex_tryenter(&rndpool_lock))) { 623 rmp->rm_mag.rm_olimit += 624 rmp->rm_mag.rm_ofuzz; 625 rmp->rm_mag.rm_ofuzz >>= 1; 626 goto punt; 627 } 628 } else { 629 mutex_enter(&rndpool_lock); 630 } 631 632 /* Get a new chunk of entropy */ 633 (void) rnd_get_bytes((uint8_t *)rmp->rm_mag.rm_key, 634 HMAC_KEYSIZE, ALWAYS_EXTRACT); 635 636 rmp->rm_mag.rm_olimit = PRNG_MAXOBLOCKS/2; 637 rmp->rm_mag.rm_ofuzz = PRNG_MAXOBLOCKS/4; 638 oblocks = 0; 639 rmp->rm_mag.rm_oblocks = nblock; 640 } 641 punt: 642 timestamp = gethrtime(); 643 644 src = (uint8_t *)×tamp; 645 dst = (uint8_t *)rmp->rm_mag.rm_seed; 646 647 for (i = 0; i < HASHSIZE; i++) { 648 dst[i] ^= src[i % sizeof (timestamp)]; 649 } 650 651 bcopy(rmp->rm_mag.rm_seed, seed, HASHSIZE); 652 653 fips_random_inner(rmp->rm_mag.rm_key, tempout, 654 seed); 655 656 if (bytes >= HASHSIZE) { 657 size = HASHSIZE; 658 } else { 659 size = min(bytes, HASHSIZE); 660 } 661 662 /* 663 * FIPS 140-2: Continuous RNG test - each generation 664 * of an n-bit block shall be compared with the previously 665 * generated block. Test shall fail if any two compared 666 * n-bit blocks are equal. 667 */ 668 for (i = 0; i < HASHSIZE/BYTES_IN_WORD; i++) { 669 if (tempout[i] != rmp->rm_mag.rm_previous[i]) 670 break; 671 } 672 if (i == HASHSIZE/BYTES_IN_WORD) { 673 cmn_err(CE_WARN, "kcf_random: The value of 160-bit " 674 "block random bytes are same as the previous " 675 "one.\n"); 676 /* discard random bytes and return error */ 677 return (EIO); 678 } 679 680 bcopy(tempout, rmp->rm_mag.rm_previous, 681 HASHSIZE); 682 683 bcopy(tempout, ptr, size); 684 ptr += size; 685 bytes -= size; 686 oblocks++; 687 nblock--; 688 } while (bytes > 0); 689 690 /* Zero out sensitive information */ 691 bzero(seed, HASHSIZE); 692 bzero(tempout, HASHSIZE); 693 mutex_exit(&rmp->rm_mag.rm_lock); 694 return (0); 695 } 696 697 /* 698 * Per-CPU Random magazines. 699 */ 700 static rndmag_pad_t *rndmag; 701 static uint8_t *rndbuf; 702 static size_t rndmag_total; 703 /* 704 * common/os/cpu.c says that platform support code can shrinkwrap 705 * max_ncpus. On the off chance that we get loaded very early, we 706 * read it exactly once, to copy it here. 707 */ 708 static uint32_t random_max_ncpus = 0; 709 710 /* 711 * Boot-time tunables, for experimentation. 712 */ 713 size_t rndmag_threshold = 2560; 714 size_t rndbuf_len = 5120; 715 size_t rndmag_size = 1280; 716 717 718 int 719 kcf_rnd_get_pseudo_bytes(uint8_t *ptr, size_t len) 720 { 721 rndmag_pad_t *rmp; 722 uint8_t *cptr, *eptr; 723 724 /* 725 * Anyone who asks for zero bytes of randomness should get slapped. 726 */ 727 ASSERT(len > 0); 728 729 /* 730 * Fast path. 731 */ 732 for (;;) { 733 rmp = &rndmag[CPU->cpu_seqid]; 734 mutex_enter(&rmp->rm_mag.rm_lock); 735 736 /* 737 * Big requests bypass buffer and tail-call the 738 * generate routine directly. 739 */ 740 if (len > rndmag_threshold) { 741 BUMP_CPU_RND_STATS(rmp, rs_urndOut, len); 742 return (rnd_generate_pseudo_bytes(rmp, ptr, len)); 743 } 744 745 cptr = rmp->rm_mag.rm_rptr; 746 eptr = cptr + len; 747 748 if (eptr <= rmp->rm_mag.rm_eptr) { 749 rmp->rm_mag.rm_rptr = eptr; 750 bcopy(cptr, ptr, len); 751 BUMP_CPU_RND_STATS(rmp, rs_urndOut, len); 752 mutex_exit(&rmp->rm_mag.rm_lock); 753 754 return (0); 755 } 756 /* 757 * End fast path. 758 */ 759 rmp->rm_mag.rm_rptr = rmp->rm_mag.rm_buffer; 760 /* 761 * Note: We assume the generate routine always succeeds 762 * in this case (because it does at present..) 763 * It also always releases rm_lock. 764 */ 765 (void) rnd_generate_pseudo_bytes(rmp, rmp->rm_mag.rm_buffer, 766 rndbuf_len); 767 } 768 } 769 770 /* 771 * We set up (empty) magazines for all of max_ncpus, possibly wasting a 772 * little memory on big systems that don't have the full set installed. 773 * See above; "empty" means "rptr equal to eptr"; this will trigger the 774 * refill path in rnd_get_pseudo_bytes above on the first call for each CPU. 775 * 776 * TODO: make rndmag_size tunable at run time! 777 */ 778 static void 779 rnd_alloc_magazines() 780 { 781 rndmag_pad_t *rmp; 782 int i; 783 uint8_t discard_buf[HASHSIZE]; 784 785 rndbuf_len = roundup(rndbuf_len, HASHSIZE); 786 if (rndmag_size < rndbuf_len) 787 rndmag_size = rndbuf_len; 788 rndmag_size = roundup(rndmag_size, RND_CPU_CACHE_SIZE); 789 790 random_max_ncpus = max_ncpus; 791 rndmag_total = rndmag_size * random_max_ncpus; 792 793 rndbuf = kmem_alloc(rndmag_total, KM_SLEEP); 794 rndmag = kmem_zalloc(sizeof (rndmag_pad_t) * random_max_ncpus, 795 KM_SLEEP); 796 797 for (i = 0; i < random_max_ncpus; i++) { 798 uint8_t *buf; 799 800 rmp = &rndmag[i]; 801 mutex_init(&rmp->rm_mag.rm_lock, NULL, MUTEX_DRIVER, NULL); 802 803 buf = rndbuf + i * rndmag_size; 804 805 rmp->rm_mag.rm_buffer = buf; 806 rmp->rm_mag.rm_eptr = buf + rndbuf_len; 807 rmp->rm_mag.rm_rptr = buf + rndbuf_len; 808 rmp->rm_mag.rm_oblocks = 1; 809 810 mutex_enter(&rndpool_lock); 811 /* 812 * FIPS 140-2: the first n-bit (n > 15) block generated 813 * after power-up, initialization, or reset shall not 814 * be used, but shall be saved for comparison. 815 */ 816 (void) rnd_get_bytes(discard_buf, 817 HMAC_KEYSIZE, ALWAYS_EXTRACT); 818 bcopy(discard_buf, rmp->rm_mag.rm_previous, 819 HMAC_KEYSIZE); 820 /* rnd_get_bytes() will call mutex_exit(&rndpool_lock) */ 821 mutex_enter(&rndpool_lock); 822 (void) rnd_get_bytes((uint8_t *)rmp->rm_mag.rm_key, 823 HMAC_KEYSIZE, ALWAYS_EXTRACT); 824 /* rnd_get_bytes() will call mutex_exit(&rndpool_lock) */ 825 mutex_enter(&rndpool_lock); 826 (void) rnd_get_bytes((uint8_t *)rmp->rm_mag.rm_seed, 827 HMAC_KEYSIZE, ALWAYS_EXTRACT); 828 } 829 } 830 831 void 832 kcf_rnd_schedule_timeout(boolean_t do_mech2id) 833 { 834 clock_t ut; /* time in microseconds */ 835 836 if (do_mech2id) 837 rngmech_type = crypto_mech2id(SUN_RANDOM); 838 839 /* 840 * The new timeout value is taken from the buffer of random bytes. 841 * We're merely reading the first 32 bits from the buffer here, not 842 * consuming any random bytes. 843 * The timeout multiplier value is a random value between 0.5 sec and 844 * 1.544480 sec (0.5 sec + 0xFF000 microseconds). 845 * The new timeout is TIMEOUT_INTERVAL times that multiplier. 846 */ 847 ut = 500000 + (clock_t)((((uint32_t)rndpool[findex]) << 12) & 0xFF000); 848 kcf_rndtimeout_id = timeout(rnd_handler, NULL, 849 TIMEOUT_INTERVAL * drv_usectohz(ut)); 850 } 851 852 /* 853 * Called from the driver for a poll on /dev/random 854 * . POLLOUT always succeeds. 855 * . POLLIN and POLLRDNORM will block until a 856 * minimum amount of entropy is available. 857 * 858 * &rnd_pollhead is passed in *phpp in order to indicate the calling thread 859 * will block. When enough random bytes are available, later, the timeout 860 * handler routine will issue the pollwakeup() calls. 861 */ 862 void 863 kcf_rnd_chpoll(short events, int anyyet, short *reventsp, 864 struct pollhead **phpp) 865 { 866 *reventsp = events & POLLOUT; 867 868 if (events & (POLLIN | POLLRDNORM)) { 869 /* 870 * Sampling of rnbyte_cnt is an atomic 871 * operation. Hence we do not need any locking. 872 */ 873 if (rnbyte_cnt >= MINEXTRACTBYTES) 874 *reventsp |= (events & (POLLIN | POLLRDNORM)); 875 } 876 877 if (*reventsp == 0 && !anyyet) 878 *phpp = &rnd_pollhead; 879 } 880 881 /*ARGSUSED*/ 882 static void 883 rnd_handler(void *arg) 884 { 885 int len = 0; 886 887 if (!rng_prov_found && rng_ok_to_log) { 888 cmn_err(CE_WARN, "No randomness provider enabled for " 889 "/dev/random. Use cryptoadm(1M) to enable a provider."); 890 rng_ok_to_log = B_FALSE; 891 } 892 893 if (num_waiters > 0) 894 len = MAXEXTRACTBYTES; 895 else if (rnbyte_cnt < RNDPOOLSIZE) 896 len = MINEXTRACTBYTES; 897 898 if (len > 0) { 899 (void) taskq_dispatch(system_taskq, rngprov_task, 900 (void *)(uintptr_t)len, TQ_NOSLEEP); 901 } 902 903 mutex_enter(&rndpool_lock); 904 /* 905 * Wake up threads waiting in poll() or for enough accumulated 906 * random bytes to read from /dev/random. In case a poll() is 907 * concurrent with a read(), the polling process may be woken up 908 * indicating that enough randomness is now available for reading, 909 * and another process *steals* the bits from the pool, causing the 910 * subsequent read() from the first process to block. It is acceptable 911 * since the blocking will eventually end, after the timeout 912 * has expired enough times to honor the read. 913 * 914 * Note - Since we hold the rndpool_lock across the pollwakeup() call 915 * we MUST NOT grab the rndpool_lock in kcf_rndchpoll(). 916 */ 917 if (rnbyte_cnt >= MINEXTRACTBYTES) 918 pollwakeup(&rnd_pollhead, POLLIN | POLLRDNORM); 919 920 if (num_waiters > 0) 921 cv_broadcast(&rndpool_read_cv); 922 mutex_exit(&rndpool_lock); 923 924 kcf_rnd_schedule_timeout(B_FALSE); 925 } 926 927 static void 928 rndc_addbytes(uint8_t *ptr, size_t len) 929 { 930 ASSERT(ptr != NULL && len > 0); 931 ASSERT(rnbyte_cnt <= RNDPOOLSIZE); 932 933 mutex_enter(&rndpool_lock); 934 while ((len > 0) && (rnbyte_cnt < RNDPOOLSIZE)) { 935 rndpool[rindex] ^= *ptr; 936 ptr++; len--; 937 rindex = (rindex + 1) & (RNDPOOLSIZE - 1); 938 rnbyte_cnt++; 939 } 940 941 /* Handle buffer full case */ 942 while (len > 0) { 943 rndpool[rindex] ^= *ptr; 944 ptr++; len--; 945 findex = rindex = (rindex + 1) & (RNDPOOLSIZE - 1); 946 } 947 mutex_exit(&rndpool_lock); 948 } 949 950 /* 951 * Caller should check len <= rnbyte_cnt under the 952 * rndpool_lock before calling. 953 */ 954 static void 955 rndc_getbytes(uint8_t *ptr, size_t len) 956 { 957 ASSERT(MUTEX_HELD(&rndpool_lock)); 958 ASSERT(len <= rnbyte_cnt && rnbyte_cnt <= RNDPOOLSIZE); 959 960 BUMP_RND_STATS(rs_rndcOut, len); 961 962 while (len > 0) { 963 *ptr = rndpool[findex]; 964 ptr++; len--; 965 findex = (findex + 1) & (RNDPOOLSIZE - 1); 966 rnbyte_cnt--; 967 } 968 } 969 970 /* Random number exported entry points */ 971 972 /* 973 * Mix the supplied bytes into the entropy pool of a kCF 974 * RNG provider. 975 */ 976 int 977 random_add_pseudo_entropy(uint8_t *ptr, size_t len, uint_t entropy_est) 978 { 979 if (len < 1) 980 return (-1); 981 982 rngprov_seed(ptr, len, entropy_est, 0); 983 984 return (0); 985 } 986 987 /* 988 * Mix the supplied bytes into the entropy pool of a kCF 989 * RNG provider. Mix immediately. 990 */ 991 int 992 random_add_entropy(uint8_t *ptr, size_t len, uint_t entropy_est) 993 { 994 if (len < 1) 995 return (-1); 996 997 rngprov_seed(ptr, len, entropy_est, CRYPTO_SEED_NOW); 998 999 return (0); 1000 } 1001 1002 /* 1003 * Get bytes from the /dev/urandom generator. This function 1004 * always succeeds. Returns 0. 1005 */ 1006 int 1007 random_get_pseudo_bytes(uint8_t *ptr, size_t len) 1008 { 1009 ASSERT(!mutex_owned(&rndpool_lock)); 1010 1011 if (len < 1) 1012 return (0); 1013 return (kcf_rnd_get_pseudo_bytes(ptr, len)); 1014 } 1015 1016 /* 1017 * Get bytes from the /dev/random generator. Returns 0 1018 * on success. Returns EAGAIN if there is insufficient entropy. 1019 */ 1020 int 1021 random_get_bytes(uint8_t *ptr, size_t len) 1022 { 1023 ASSERT(!mutex_owned(&rndpool_lock)); 1024 1025 if (len < 1) 1026 return (0); 1027 return (kcf_rnd_get_bytes(ptr, len, B_TRUE)); 1028 } 1029