FreeBSD/Linux Kernel Cross Reference
sys/dev/random/hash.c
1 /*-
2 * Copyright (c) 2000-2015 Mark R V Murray
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer
10 * in this position and unchanged.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 *
26 */
27
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30
31 #ifdef _KERNEL
32 #include <sys/param.h>
33 #include <sys/malloc.h>
34 #include <sys/random.h>
35 #include <sys/sysctl.h>
36 #include <sys/systm.h>
37 #else /* !_KERNEL */
38 #include <sys/param.h>
39 #include <sys/types.h>
40 #include <assert.h>
41 #include <inttypes.h>
42 #include <signal.h>
43 #include <stdbool.h>
44 #include <stdio.h>
45 #include <stdlib.h>
46 #include <string.h>
47 #include <threads.h>
48 #define KASSERT(x, y) assert(x)
49 #define CTASSERT(x) _Static_assert(x, "CTASSERT " #x)
50 #endif /* _KERNEL */
51
52 #define CHACHA_EMBED
53 #define KEYSTREAM_ONLY
54 #define CHACHA_NONCE0_CTR128
55 #include <crypto/chacha20/chacha.c>
56 #include <crypto/rijndael/rijndael-api-fst.h>
57 #include <crypto/sha2/sha256.h>
58
59 #include <dev/random/hash.h>
60 #ifdef _KERNEL
61 #include <dev/random/randomdev.h>
62 #endif
63
64 /* This code presumes that RANDOM_KEYSIZE is twice as large as RANDOM_BLOCKSIZE */
65 CTASSERT(RANDOM_KEYSIZE == 2*RANDOM_BLOCKSIZE);
66
67 /* Validate that full Chacha IV is as large as the 128-bit counter */
68 _Static_assert(CHACHA_STATELEN == RANDOM_BLOCKSIZE, "");
69
70 /*
71 * Knob to control use of Chacha20-based PRF for Fortuna keystream primitive.
72 *
73 * Benefits include somewhat faster keystream generation compared with
74 * unaccelerated AES-ICM; reseeding is much cheaper than computing AES key
75 * schedules.
76 */
77 bool random_chachamode __read_frequently = true;
78 #ifdef _KERNEL
79 SYSCTL_BOOL(_kern_random, OID_AUTO, use_chacha20_cipher, CTLFLAG_RDTUN,
80 &random_chachamode, 0,
81 "If non-zero, use the ChaCha20 cipher for randomdev PRF (default). "
82 "If zero, use AES-ICM cipher for randomdev PRF (12.x default).");
83 #endif
84
85 /* Initialise the hash */
86 void
87 randomdev_hash_init(struct randomdev_hash *context)
88 {
89
90 SHA256_Init(&context->sha);
91 }
92
93 /* Iterate the hash */
94 void
95 randomdev_hash_iterate(struct randomdev_hash *context, const void *data, size_t size)
96 {
97
98 SHA256_Update(&context->sha, data, size);
99 }
100
101 /* Conclude by returning the hash in the supplied <*buf> which must be
102 * RANDOM_KEYSIZE bytes long.
103 */
104 void
105 randomdev_hash_finish(struct randomdev_hash *context, void *buf)
106 {
107
108 SHA256_Final(buf, &context->sha);
109 }
110
111 /* Initialise the encryption routine by setting up the key schedule
112 * from the supplied <*data> which must be RANDOM_KEYSIZE bytes of binary
113 * data.
114 */
115 void
116 randomdev_encrypt_init(union randomdev_key *context, const void *data)
117 {
118
119 if (random_chachamode) {
120 chacha_keysetup(&context->chacha, data, RANDOM_KEYSIZE * 8);
121 } else {
122 rijndael_cipherInit(&context->cipher, MODE_ECB, NULL);
123 rijndael_makeKey(&context->key, DIR_ENCRYPT, RANDOM_KEYSIZE*8, data);
124 }
125 }
126
127 /*
128 * Create a pseudorandom output stream of 'bytecount' bytes using a CTR-mode
129 * cipher or similar. The 128-bit counter is supplied in the in-out parmeter
130 * 'ctr.' The output stream goes to 'd_out.'
131 *
132 * If AES is used, 'bytecount' is guaranteed to be a multiple of
133 * RANDOM_BLOCKSIZE.
134 */
135 void
136 randomdev_keystream(union randomdev_key *context, uint128_t *ctr,
137 void *d_out, size_t bytecount)
138 {
139 size_t i, blockcount, read_chunk;
140
141 if (random_chachamode) {
142 uint128_t lectr;
143
144 /*
145 * Chacha always encodes and increments the counter little
146 * endian. So on BE machines, we must provide a swapped
147 * counter to chacha, and swap the output too.
148 */
149 le128enc(&lectr, *ctr);
150
151 chacha_ivsetup(&context->chacha, NULL, (const void *)&lectr);
152 while (bytecount > 0) {
153 /*
154 * We are limited by the chacha_encrypt_bytes API to
155 * u32 bytes per chunk.
156 */
157 read_chunk = MIN(bytecount,
158 rounddown((size_t)UINT32_MAX, CHACHA_BLOCKLEN));
159
160 chacha_encrypt_bytes(&context->chacha, NULL, d_out,
161 read_chunk);
162
163 d_out = (char *)d_out + read_chunk;
164 bytecount -= read_chunk;
165 }
166
167 /*
168 * Decode Chacha-updated LE counter to native endian and store
169 * it back in the caller's in-out parameter.
170 */
171 chacha_ctrsave(&context->chacha, (void *)&lectr);
172 *ctr = le128dec(&lectr);
173
174 explicit_bzero(&lectr, sizeof(lectr));
175 } else {
176 KASSERT(bytecount % RANDOM_BLOCKSIZE == 0,
177 ("%s: AES mode invalid bytecount, not a multiple of native "
178 "block size", __func__));
179
180 blockcount = bytecount / RANDOM_BLOCKSIZE;
181 for (i = 0; i < blockcount; i++) {
182 /*-
183 * FS&K - r = r|E(K,C)
184 * - C = C + 1
185 */
186 rijndael_blockEncrypt(&context->cipher, &context->key,
187 (void *)ctr, RANDOM_BLOCKSIZE * 8, d_out);
188 d_out = (char *)d_out + RANDOM_BLOCKSIZE;
189 uint128_increment(ctr);
190 }
191 }
192 }
193
194 /*
195 * Fetch a pointer to the relevant key material and its size.
196 *
197 * This API is expected to only be used only for reseeding, where the
198 * endianness does not matter; the goal is to simply incorporate the key
199 * material into the hash iterator that will produce key'.
200 *
201 * Do not expect the buffer pointed to by this API to match the exact
202 * endianness, etc, as the key material that was supplied to
203 * randomdev_encrypt_init().
204 */
205 void
206 randomdev_getkey(union randomdev_key *context, const void **keyp, size_t *szp)
207 {
208
209 if (!random_chachamode) {
210 *keyp = &context->key.keyMaterial;
211 *szp = context->key.keyLen / 8;
212 return;
213 }
214
215 /* Chacha20 mode */
216 *keyp = (const void *)&context->chacha.input[4];
217
218 /* Sanity check keysize */
219 if (context->chacha.input[0] == U8TO32_LITTLE(sigma) &&
220 context->chacha.input[1] == U8TO32_LITTLE(&sigma[4]) &&
221 context->chacha.input[2] == U8TO32_LITTLE(&sigma[8]) &&
222 context->chacha.input[3] == U8TO32_LITTLE(&sigma[12])) {
223 *szp = 32;
224 return;
225 }
226
227 #if 0
228 /*
229 * Included for the sake of completeness; as-implemented, Fortuna
230 * doesn't need or use 128-bit Chacha20.
231 */
232 if (context->chacha->input[0] == U8TO32_LITTLE(tau) &&
233 context->chacha->input[1] == U8TO32_LITTLE(&tau[4]) &&
234 context->chacha->input[2] == U8TO32_LITTLE(&tau[8]) &&
235 context->chacha->input[3] == U8TO32_LITTLE(&tau[12])) {
236 *szp = 16;
237 return;
238 }
239 #endif
240
241 #ifdef _KERNEL
242 panic("%s: Invalid chacha20 keysize: %16D\n", __func__,
243 (void *)context->chacha.input, " ");
244 #else
245 raise(SIGKILL);
246 #endif
247 }
Cache object: c1421af273ce37ae4ba015ab95cc2e2d
|