FreeBSD kernel libkern code
arc4random.c
Go to the documentation of this file.
1/*-
2 * Copyright (c) 2017 The FreeBSD Foundation
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer
9 * in this position and unchanged.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 *
25 */
26
27#include <sys/cdefs.h>
28__FBSDID("$FreeBSD$");
29
30#include <sys/types.h>
31#include <sys/param.h>
32#include <sys/kernel.h>
33#include <sys/libkern.h>
34#include <sys/linker.h>
35#include <sys/lock.h>
36#include <sys/malloc.h>
37#include <sys/msan.h>
38#include <sys/mutex.h>
39#include <sys/random.h>
40#include <sys/smp.h>
41#include <sys/time.h>
42
43#include <machine/cpu.h>
44
45#include <crypto/chacha20/chacha.h>
46#include <crypto/sha2/sha256.h>
47#include <dev/random/randomdev.h>
48#ifdef RANDOM_FENESTRASX
49#include <dev/random/fenestrasX/fx_pub.h>
50#endif
51
52#define CHACHA20_RESEED_BYTES 65536
53#define CHACHA20_RESEED_SECONDS 300
54#define CHACHA20_KEYBYTES 32
55#define CHACHA20_BUFFER_SIZE 64
56
57CTASSERT(CHACHA20_KEYBYTES*8 >= CHACHA_MINKEYLEN);
58
59#ifndef RANDOM_FENESTRASX
60int arc4rand_iniseed_state = ARC4_ENTR_NONE;
61#endif
62
63MALLOC_DEFINE(M_CHACHA20RANDOM, "chacha20random", "chacha20random structures");
64
65struct chacha20_s {
66 struct mtx mtx;
67 int numbytes;
68 time_t t_reseed;
69 uint8_t m_buffer[CHACHA20_BUFFER_SIZE];
70 struct chacha_ctx ctx;
71#ifdef RANDOM_FENESTRASX
72 uint64_t seed_version;
73#endif
74} __aligned(CACHE_LINE_SIZE);
75
76static struct chacha20_s *chacha20inst = NULL;
77
78#define CHACHA20_FOREACH(_chacha20) \
79 for (_chacha20 = &chacha20inst[0]; \
80 _chacha20 <= &chacha20inst[mp_maxid]; \
81 _chacha20++)
82
83/*
84 * Mix up the current context.
85 */
86static void
87chacha20_randomstir(struct chacha20_s *chacha20)
88{
89 struct timeval tv_now;
90 uint8_t key[CHACHA20_KEYBYTES];
91#ifdef RANDOM_FENESTRASX
92 uint64_t seed_version;
93
94#else
95 if (__predict_false(random_bypass_before_seeding && !is_random_seeded())) {
96 SHA256_CTX ctx;
97 uint64_t cc;
98 uint32_t fver;
99
100 if (!arc4random_bypassed_before_seeding) {
101 arc4random_bypassed_before_seeding = true;
102 if (!random_bypass_disable_warnings)
103 printf("arc4random: WARNING: initial seeding "
104 "bypassed the cryptographic random device "
105 "because it was not yet seeded and the "
106 "knob 'bypass_before_seeding' was "
107 "enabled.\n");
108 }
109
110 /*
111 * "key" is intentionally left uninitialized here, so with KMSAN
112 * enabled the arc4random() return value may be marked
113 * uninitialized, leading to spurious reports. Lie to KMSAN to
114 * avoid this situation.
115 */
116 kmsan_mark(key, sizeof(key), KMSAN_STATE_INITED);
117
118 /* Last ditch effort to inject something in a bad condition. */
119 cc = get_cyclecount();
120 SHA256_Init(&ctx);
121 SHA256_Update(&ctx, key, sizeof(key));
122 SHA256_Update(&ctx, &cc, sizeof(cc));
123 fver = __FreeBSD_version;
124 SHA256_Update(&ctx, &fver, sizeof(fver));
125 _Static_assert(sizeof(key) == SHA256_DIGEST_LENGTH,
126 "make sure 256 bits is still 256 bits");
127 SHA256_Final(key, &ctx);
128 } else {
129#endif
130#ifdef RANDOM_FENESTRASX
131 read_random_key(key, CHACHA20_KEYBYTES, &seed_version);
132#else
133 /*
134 * If the loader(8) did not have an entropy stash from the
135 * previous shutdown to load, then we will block. The answer is
136 * to make sure there is an entropy stash at shutdown time.
137 *
138 * On the other hand, if the random_bypass_before_seeding knob
139 * was set and we landed in this branch, we know this won't
140 * block because we know the random device is seeded.
141 */
142 read_random(key, CHACHA20_KEYBYTES);
143 }
144#endif
145 getmicrouptime(&tv_now);
146 mtx_lock(&chacha20->mtx);
147 chacha_keysetup(&chacha20->ctx, key, CHACHA20_KEYBYTES*8);
148 chacha_ivsetup(&chacha20->ctx, (u_char *)&tv_now.tv_sec, (u_char *)&tv_now.tv_usec);
149 /* Reset for next reseed cycle. */
150 chacha20->t_reseed = tv_now.tv_sec + CHACHA20_RESEED_SECONDS;
151 chacha20->numbytes = 0;
152#ifdef RANDOM_FENESTRASX
153 chacha20->seed_version = seed_version;
154#endif
155 mtx_unlock(&chacha20->mtx);
156}
157
158/*
159 * Initialize the contexts.
160 */
161static void
162chacha20_init(void)
163{
164 struct chacha20_s *chacha20;
165
166 chacha20inst = malloc((mp_maxid + 1) * sizeof(struct chacha20_s),
167 M_CHACHA20RANDOM, M_NOWAIT | M_ZERO);
168 KASSERT(chacha20inst != NULL, ("chacha20_init: memory allocation error"));
169
170 CHACHA20_FOREACH(chacha20) {
171 mtx_init(&chacha20->mtx, "chacha20_mtx", NULL, MTX_DEF);
172 chacha20->t_reseed = -1;
173 chacha20->numbytes = 0;
174 explicit_bzero(chacha20->m_buffer, CHACHA20_BUFFER_SIZE);
175 explicit_bzero(&chacha20->ctx, sizeof(chacha20->ctx));
176 }
177}
178SYSINIT(chacha20, SI_SUB_LOCK, SI_ORDER_ANY, chacha20_init, NULL);
179
180
181static void
182chacha20_uninit(void)
183{
184 struct chacha20_s *chacha20;
185
186 CHACHA20_FOREACH(chacha20)
187 mtx_destroy(&chacha20->mtx);
188 free(chacha20inst, M_CHACHA20RANDOM);
189}
190SYSUNINIT(chacha20, SI_SUB_LOCK, SI_ORDER_ANY, chacha20_uninit, NULL);
191
192
193/*
194 * MPSAFE
195 */
196void
197arc4rand(void *ptr, u_int len, int reseed)
198{
199 struct chacha20_s *chacha20;
200 struct timeval tv;
201 u_int length;
202 uint8_t *p;
203
204#ifdef RANDOM_FENESTRASX
205 if (__predict_false(reseed))
206#else
207 if (__predict_false(reseed ||
208 (arc4rand_iniseed_state == ARC4_ENTR_HAVE &&
209 atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_HAVE, ARC4_ENTR_SEED))))
210#endif
211 CHACHA20_FOREACH(chacha20)
212 chacha20_randomstir(chacha20);
213
214 getmicrouptime(&tv);
215 chacha20 = &chacha20inst[curcpu];
216 /* We may get unlucky and be migrated off this CPU, but that is expected to be infrequent */
217 if ((chacha20->numbytes > CHACHA20_RESEED_BYTES) || (tv.tv_sec > chacha20->t_reseed))
218 chacha20_randomstir(chacha20);
219
220 mtx_lock(&chacha20->mtx);
221#ifdef RANDOM_FENESTRASX
222 if (__predict_false(
223 atomic_load_acq_64(&fxrng_root_generation) != chacha20->seed_version
224 )) {
225 mtx_unlock(&chacha20->mtx);
226 chacha20_randomstir(chacha20);
227 mtx_lock(&chacha20->mtx);
228 }
229#endif
230
231 p = ptr;
232 while (len) {
233 length = MIN(CHACHA20_BUFFER_SIZE, len);
234 chacha_encrypt_bytes(&chacha20->ctx, chacha20->m_buffer, p, length);
235 p += length;
236 len -= length;
237 chacha20->numbytes += length;
238 if (chacha20->numbytes > CHACHA20_RESEED_BYTES) {
239 mtx_unlock(&chacha20->mtx);
240 chacha20_randomstir(chacha20);
241 mtx_lock(&chacha20->mtx);
242 }
243 }
244 mtx_unlock(&chacha20->mtx);
245}
246
247uint32_t
248arc4random(void)
249{
250 uint32_t ret;
251
252 arc4rand(&ret, sizeof(ret), 0);
253 return ret;
254}
255
256void
257arc4random_buf(void *ptr, size_t len)
258{
259
260 arc4rand(ptr, len, 0);
261}
arc4random
uint32_t arc4random(void)
Definition: arc4random.c:248
SYSINIT
SYSINIT(chacha20, SI_SUB_LOCK, SI_ORDER_ANY, chacha20_init, NULL)
MALLOC_DEFINE
MALLOC_DEFINE(M_CHACHA20RANDOM, "chacha20random", "chacha20random structures")
ctx
struct chacha_ctx ctx
Definition: arc4random.c:4
CHACHA20_KEYBYTES
#define CHACHA20_KEYBYTES
Definition: arc4random.c:54
chacha20inst
static struct chacha20_s * chacha20inst
Definition: arc4random.c:76
CHACHA20_BUFFER_SIZE
#define CHACHA20_BUFFER_SIZE
Definition: arc4random.c:55
__FBSDID
__FBSDID("$FreeBSD$")
CTASSERT
CTASSERT(CHACHA20_KEYBYTES *8 >=CHACHA_MINKEYLEN)
CHACHA20_RESEED_BYTES
#define CHACHA20_RESEED_BYTES
Definition: arc4random.c:52
CHACHA20_FOREACH
#define CHACHA20_FOREACH(_chacha20)
Definition: arc4random.c:78
chacha20_randomstir
static void chacha20_randomstir(struct chacha20_s *chacha20)
Definition: arc4random.c:87
arc4rand
void arc4rand(void *ptr, u_int len, int reseed)
Definition: arc4random.c:197
chacha20_init
static void chacha20_init(void)
Definition: arc4random.c:162
SYSUNINIT
SYSUNINIT(chacha20, SI_SUB_LOCK, SI_ORDER_ANY, chacha20_uninit, NULL)
__aligned
struct chacha20_s __aligned(CACHE_LINE_SIZE)
arc4rand_iniseed_state
int arc4rand_iniseed_state
Definition: arc4random.c:60
arc4random_buf
void arc4random_buf(void *ptr, size_t len)
Definition: arc4random.c:257
CHACHA20_RESEED_SECONDS
#define CHACHA20_RESEED_SECONDS
Definition: arc4random.c:53
chacha20_uninit
static void chacha20_uninit(void)
Definition: arc4random.c:182
explicit_bzero
void explicit_bzero(void *buf, size_t len)
Definition: explicit_bzero.c:24
chacha20_s
Definition: arc4random.c:65
chacha20_s::mtx
struct mtx mtx
Definition: arc4random.c:66
chacha20_s::t_reseed
time_t t_reseed
Definition: arc4random.c:68
chacha20_s::numbytes
int numbytes
Definition: arc4random.c:67
chacha20_s::ctx
struct chacha_ctx ctx
Definition: arc4random.c:70
chacha20_s::m_buffer
uint8_t m_buffer[CHACHA20_BUFFER_SIZE]
Definition: arc4random.c:69