Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/dev/random/hash.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /*- 2 * Copyright (c) 2000-2015 Mark R V Murray 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer 10 * in this position and unchanged. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 * 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #ifdef _KERNEL 32 #include <sys/param.h> 33 #include <sys/malloc.h> 34 #include <sys/random.h> 35 #include <sys/sysctl.h> 36 #include <sys/systm.h> 37 #else /* !_KERNEL */ 38 #include <sys/param.h> 39 #include <sys/types.h> 40 #include <assert.h> 41 #include <inttypes.h> 42 #include <signal.h> 43 #include <stdbool.h> 44 #include <stdio.h> 45 #include <stdlib.h> 46 #include <string.h> 47 #include <threads.h> 48 #define KASSERT(x, y) assert(x) 49 #define CTASSERT(x) _Static_assert(x, "CTASSERT " #x) 50 #endif /* _KERNEL */ 51 52 #define CHACHA_EMBED 53 #define KEYSTREAM_ONLY 54 #define CHACHA_NONCE0_CTR128 55 #include <crypto/chacha20/chacha.c> 56 #include <crypto/rijndael/rijndael-api-fst.h> 57 #include <crypto/sha2/sha256.h> 58 59 #include <dev/random/hash.h> 60 #ifdef _KERNEL 61 #include <dev/random/randomdev.h> 62 #endif 63 64 /* This code presumes that RANDOM_KEYSIZE is twice as large as RANDOM_BLOCKSIZE */ 65 CTASSERT(RANDOM_KEYSIZE == 2*RANDOM_BLOCKSIZE); 66 67 /* Validate that full Chacha IV is as large as the 128-bit counter */ 68 _Static_assert(CHACHA_STATELEN == RANDOM_BLOCKSIZE, ""); 69 70 /* 71 * Knob to control use of Chacha20-based PRF for Fortuna keystream primitive. 72 * 73 * Benefits include somewhat faster keystream generation compared with 74 * unaccelerated AES-ICM; reseeding is much cheaper than computing AES key 75 * schedules. 76 */ 77 bool random_chachamode __read_frequently = true; 78 #ifdef _KERNEL 79 SYSCTL_BOOL(_kern_random, OID_AUTO, use_chacha20_cipher, CTLFLAG_RDTUN, 80 &random_chachamode, 0, 81 "If non-zero, use the ChaCha20 cipher for randomdev PRF (default). " 82 "If zero, use AES-ICM cipher for randomdev PRF (12.x default)."); 83 #endif 84 85 /* Initialise the hash */ 86 void 87 randomdev_hash_init(struct randomdev_hash *context) 88 { 89 90 SHA256_Init(&context->sha); 91 } 92 93 /* Iterate the hash */ 94 void 95 randomdev_hash_iterate(struct randomdev_hash *context, const void *data, size_t size) 96 { 97 98 SHA256_Update(&context->sha, data, size); 99 } 100 101 /* Conclude by returning the hash in the supplied <*buf> which must be 102 * RANDOM_KEYSIZE bytes long. 103 */ 104 void 105 randomdev_hash_finish(struct randomdev_hash *context, void *buf) 106 { 107 108 SHA256_Final(buf, &context->sha); 109 } 110 111 /* Initialise the encryption routine by setting up the key schedule 112 * from the supplied <*data> which must be RANDOM_KEYSIZE bytes of binary 113 * data. 114 */ 115 void 116 randomdev_encrypt_init(union randomdev_key *context, const void *data) 117 { 118 119 if (random_chachamode) { 120 chacha_keysetup(&context->chacha, data, RANDOM_KEYSIZE * 8); 121 } else { 122 rijndael_cipherInit(&context->cipher, MODE_ECB, NULL); 123 rijndael_makeKey(&context->key, DIR_ENCRYPT, RANDOM_KEYSIZE*8, data); 124 } 125 } 126 127 /* 128 * Create a pseudorandom output stream of 'bytecount' bytes using a CTR-mode 129 * cipher or similar. The 128-bit counter is supplied in the in-out parmeter 130 * 'ctr.' The output stream goes to 'd_out.' 131 * 132 * If AES is used, 'bytecount' is guaranteed to be a multiple of 133 * RANDOM_BLOCKSIZE. 134 */ 135 void 136 randomdev_keystream(union randomdev_key *context, uint128_t *ctr, 137 void *d_out, size_t bytecount) 138 { 139 size_t i, blockcount, read_chunk; 140 141 if (random_chachamode) { 142 uint128_t lectr; 143 144 /* 145 * Chacha always encodes and increments the counter little 146 * endian. So on BE machines, we must provide a swapped 147 * counter to chacha, and swap the output too. 148 */ 149 le128enc(&lectr, *ctr); 150 151 chacha_ivsetup(&context->chacha, NULL, (const void *)&lectr); 152 while (bytecount > 0) { 153 /* 154 * We are limited by the chacha_encrypt_bytes API to 155 * u32 bytes per chunk. 156 */ 157 read_chunk = MIN(bytecount, 158 rounddown((size_t)UINT32_MAX, CHACHA_BLOCKLEN)); 159 160 chacha_encrypt_bytes(&context->chacha, NULL, d_out, 161 read_chunk); 162 163 d_out = (char *)d_out + read_chunk; 164 bytecount -= read_chunk; 165 } 166 167 /* 168 * Decode Chacha-updated LE counter to native endian and store 169 * it back in the caller's in-out parameter. 170 */ 171 chacha_ctrsave(&context->chacha, (void *)&lectr); 172 *ctr = le128dec(&lectr); 173 174 explicit_bzero(&lectr, sizeof(lectr)); 175 } else { 176 KASSERT(bytecount % RANDOM_BLOCKSIZE == 0, 177 ("%s: AES mode invalid bytecount, not a multiple of native " 178 "block size", __func__)); 179 180 blockcount = bytecount / RANDOM_BLOCKSIZE; 181 for (i = 0; i < blockcount; i++) { 182 /*- 183 * FS&K - r = r|E(K,C) 184 * - C = C + 1 185 */ 186 rijndael_blockEncrypt(&context->cipher, &context->key, 187 (void *)ctr, RANDOM_BLOCKSIZE * 8, d_out); 188 d_out = (char *)d_out + RANDOM_BLOCKSIZE; 189 uint128_increment(ctr); 190 } 191 } 192 } 193 194 /* 195 * Fetch a pointer to the relevant key material and its size. 196 * 197 * This API is expected to only be used only for reseeding, where the 198 * endianness does not matter; the goal is to simply incorporate the key 199 * material into the hash iterator that will produce key'. 200 * 201 * Do not expect the buffer pointed to by this API to match the exact 202 * endianness, etc, as the key material that was supplied to 203 * randomdev_encrypt_init(). 204 */ 205 void 206 randomdev_getkey(union randomdev_key *context, const void **keyp, size_t *szp) 207 { 208 209 if (!random_chachamode) { 210 *keyp = &context->key.keyMaterial; 211 *szp = context->key.keyLen / 8; 212 return; 213 } 214 215 /* Chacha20 mode */ 216 *keyp = (const void *)&context->chacha.input[4]; 217 218 /* Sanity check keysize */ 219 if (context->chacha.input[0] == U8TO32_LITTLE(sigma) && 220 context->chacha.input[1] == U8TO32_LITTLE(&sigma[4]) && 221 context->chacha.input[2] == U8TO32_LITTLE(&sigma[8]) && 222 context->chacha.input[3] == U8TO32_LITTLE(&sigma[12])) { 223 *szp = 32; 224 return; 225 } 226 227 #if 0 228 /* 229 * Included for the sake of completeness; as-implemented, Fortuna 230 * doesn't need or use 128-bit Chacha20. 231 */ 232 if (context->chacha->input[0] == U8TO32_LITTLE(tau) && 233 context->chacha->input[1] == U8TO32_LITTLE(&tau[4]) && 234 context->chacha->input[2] == U8TO32_LITTLE(&tau[8]) && 235 context->chacha->input[3] == U8TO32_LITTLE(&tau[12])) { 236 *szp = 16; 237 return; 238 } 239 #endif 240 241 #ifdef _KERNEL 242 panic("%s: Invalid chacha20 keysize: %16D\n", __func__, 243 (void *)context->chacha.input, " "); 244 #else 245 raise(SIGKILL); 246 #endif 247 }
Cache object: c1421af273ce37ae4ba015ab95cc2e2d
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]