1999-11-28 17:51:09 +00:00
|
|
|
/*-
|
2017-04-16 09:11:02 +00:00
|
|
|
* Copyright (c) 2017 The FreeBSD Foundation
|
|
|
|
|
* All rights reserved.
|
1999-11-28 17:51:09 +00:00
|
|
|
*
|
2017-04-16 09:11:02 +00:00
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer
|
|
|
|
|
* in this position and unchanged.
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
1999-11-28 17:51:09 +00:00
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
|
2003-06-11 05:37:42 +00:00
|
|
|
#include <sys/cdefs.h>
|
|
|
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
|
|
2000-06-25 10:15:58 +00:00
|
|
|
#include <sys/types.h>
|
2003-08-15 06:34:47 +00:00
|
|
|
#include <sys/param.h>
|
|
|
|
|
#include <sys/kernel.h>
|
1999-11-28 17:51:09 +00:00
|
|
|
#include <sys/libkern.h>
|
2017-04-16 09:11:02 +00:00
|
|
|
#include <sys/linker.h>
|
2003-08-15 06:34:47 +00:00
|
|
|
#include <sys/lock.h>
|
2017-04-16 09:11:02 +00:00
|
|
|
#include <sys/malloc.h>
|
2003-08-15 06:34:47 +00:00
|
|
|
#include <sys/mutex.h>
|
2017-04-16 09:11:02 +00:00
|
|
|
#include <sys/random.h>
|
2016-11-25 13:49:33 +00:00
|
|
|
#include <sys/smp.h>
|
2017-04-16 09:11:02 +00:00
|
|
|
#include <sys/time.h>
|
|
|
|
|
|
|
|
|
|
#include <crypto/chacha20/chacha.h>
|
random(4): Restore availability tradeoff prior to r346250
As discussed in that commit message, it is a dangerous default. But the
safe default causes enough pain on a variety of platforms that for now,
restore the prior default.
Some of this is self-induced pain we should/could do better about; for
example, programmatic CI systems and VM managers should introduce entropy
from the host for individual VM instances. This is considered a future work
item.
On modern x86 and Power9 systems, this may be wholly unnecessary after
D19928 lands (even in the non-ideal case where early /boot/entropy is
unavailable), because they have fast hardware random sources available early
in boot. But D19928 is not yet landed and we have a host of architectures
which do not provide fast random sources.
This change adds several tunables and diagnostic sysctls, documented
thoroughly in UPDATING and sys/dev/random/random_infra.c.
PR: 230875 (reopens)
Reported by: adrian, jhb, imp, and probably others
Reviewed by: delphij, imp (earlier version), markm (earlier version)
Discussed with: adrian
Approved by: secteam(delphij)
Relnotes: yeah
Security: related
Differential Revision: https://reviews.freebsd.org/D19944
2019-04-18 20:48:54 +00:00
|
|
|
#include <crypto/sha2/sha256.h>
|
|
|
|
|
#include <dev/random/randomdev.h>
|
|
|
|
|
#include <machine/cpu.h>
|
2017-04-16 09:11:02 +00:00
|
|
|
|
|
|
|
|
#define CHACHA20_RESEED_BYTES 65536
|
|
|
|
|
#define CHACHA20_RESEED_SECONDS 300
|
|
|
|
|
#define CHACHA20_KEYBYTES 32
|
|
|
|
|
#define CHACHA20_BUFFER_SIZE 64
|
1999-11-28 23:39:49 +00:00
|
|
|
|
2017-04-16 09:11:02 +00:00
|
|
|
CTASSERT(CHACHA20_KEYBYTES*8 >= CHACHA_MINKEYLEN);
|
1999-11-28 17:51:09 +00:00
|
|
|
|
2013-04-19 00:30:52 +00:00
|
|
|
int arc4rand_iniseed_state = ARC4_ENTR_NONE;
|
|
|
|
|
|
2017-04-16 09:11:02 +00:00
|
|
|
MALLOC_DEFINE(M_CHACHA20RANDOM, "chacha20random", "chacha20random structures");
|
2001-08-30 01:15:25 +00:00
|
|
|
|
2017-04-16 09:11:02 +00:00
|
|
|
struct chacha20_s {
|
2016-11-25 17:20:23 +00:00
|
|
|
struct mtx mtx;
|
2017-04-16 09:11:02 +00:00
|
|
|
int numbytes;
|
2016-11-25 13:49:33 +00:00
|
|
|
time_t t_reseed;
|
2017-04-16 09:11:02 +00:00
|
|
|
u_int8_t m_buffer[CHACHA20_BUFFER_SIZE];
|
|
|
|
|
struct chacha_ctx ctx;
|
2016-11-25 17:20:23 +00:00
|
|
|
} __aligned(CACHE_LINE_SIZE);
|
2016-11-25 13:49:33 +00:00
|
|
|
|
2017-04-16 09:11:02 +00:00
|
|
|
static struct chacha20_s *chacha20inst = NULL;
|
2016-11-25 13:49:33 +00:00
|
|
|
|
2017-04-16 09:11:02 +00:00
|
|
|
#define CHACHA20_FOREACH(_chacha20) \
|
|
|
|
|
for (_chacha20 = &chacha20inst[0]; \
|
|
|
|
|
_chacha20 <= &chacha20inst[mp_maxid]; \
|
|
|
|
|
_chacha20++)
|
1999-11-28 17:51:09 +00:00
|
|
|
|
|
|
|
|
/*
|
2017-04-16 09:11:02 +00:00
|
|
|
* Mix up the current context.
|
1999-11-28 17:51:09 +00:00
|
|
|
*/
|
|
|
|
|
static void
|
random(4): Block read_random(9) on initial seeding
read_random() is/was used, mostly without error checking, in a lot of
very sensitive places in the kernel -- including seeding the widely used
arc4random(9).
Most uses, especially arc4random(9), should block until the device is seeded
rather than proceeding with a bogus or empty seed. I did not spy any
obvious kernel consumers where blocking would be inappropriate (in the
sense that lack of entropy would be ok -- I did not investigate locking
angle thoroughly). In many instances, arc4random_buf(9) or that family
of APIs would be more appropriate anyway; that work was done in r345865.
A minor cleanup was made to the implementation of the READ_RANDOM function:
instead of using a variable-length array on the stack to temporarily store
all full random blocks sufficient to satisfy the requested 'len', only store
a single block on the stack. This has some benefit in terms of reducing
stack usage, reducing memcpy overhead and reducing devrandom output leakage
via the stack. Additionally, the stack block is now safely zeroed if it was
used.
One caveat of this change is that the kern.arandom sysctl no longer returns
zero bytes immediately if the random device is not seeded. This means that
FreeBSD-specific userspace applications which attempted to handle an
unseeded random device may be broken by this change. If such behavior is
needed, it can be replaced by the more portable getrandom(2) GRND_NONBLOCK
option.
On any typical FreeBSD system, entropy is persisted on read/write media and
used to seed the random device very early in boot, and blocking is never a
problem.
This change primarily impacts the behavior of /dev/random on embedded
systems with read-only media that do not configure "nodevice random". We
toggle the default from 'charge on blindly with no entropy' to 'block
indefinitely.' This default is safer, but may cause frustration. Embedded
system designers using FreeBSD have several options. The most obvious is to
plan to have a small writable NVRAM or NAND to persist entropy, like larger
systems. Early entropy can be fed from any loader, or by writing directly
to /dev/random during boot. Some embedded SoCs now provide a fast hardware
entropy source; this would also work for quickly seeding Fortuna. A 3rd
option would be creating an embedded-specific, more simplistic random
module, like that designed by DJB in [1] (this design still requires a small
rewritable media for forward secrecy). Finally, the least preferred option
might be "nodevice random", although I plan to remove this in a subsequent
revision.
To help developers emulate the behavior of these embedded systems on
ordinary workstations, the tunable kern.random.block_seeded_status was
added. When set to 1, it blocks the random device.
I attempted to document this change in random.4 and random.9 and ran into a
bunch of out-of-date or irrelevant or inaccurate content and ended up
rototilling those documents more than I intended to. Sorry. I think
they're in a better state now.
PR: 230875
Reviewed by: delphij, markm (earlier version)
Approved by: secteam(delphij), devrandom(markm)
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D19744
2019-04-15 18:40:36 +00:00
|
|
|
chacha20_randomstir(struct chacha20_s *chacha20)
|
1999-11-28 17:51:09 +00:00
|
|
|
{
|
2002-10-11 13:13:08 +00:00
|
|
|
struct timeval tv_now;
|
random(4): Block read_random(9) on initial seeding
read_random() is/was used, mostly without error checking, in a lot of
very sensitive places in the kernel -- including seeding the widely used
arc4random(9).
Most uses, especially arc4random(9), should block until the device is seeded
rather than proceeding with a bogus or empty seed. I did not spy any
obvious kernel consumers where blocking would be inappropriate (in the
sense that lack of entropy would be ok -- I did not investigate locking
angle thoroughly). In many instances, arc4random_buf(9) or that family
of APIs would be more appropriate anyway; that work was done in r345865.
A minor cleanup was made to the implementation of the READ_RANDOM function:
instead of using a variable-length array on the stack to temporarily store
all full random blocks sufficient to satisfy the requested 'len', only store
a single block on the stack. This has some benefit in terms of reducing
stack usage, reducing memcpy overhead and reducing devrandom output leakage
via the stack. Additionally, the stack block is now safely zeroed if it was
used.
One caveat of this change is that the kern.arandom sysctl no longer returns
zero bytes immediately if the random device is not seeded. This means that
FreeBSD-specific userspace applications which attempted to handle an
unseeded random device may be broken by this change. If such behavior is
needed, it can be replaced by the more portable getrandom(2) GRND_NONBLOCK
option.
On any typical FreeBSD system, entropy is persisted on read/write media and
used to seed the random device very early in boot, and blocking is never a
problem.
This change primarily impacts the behavior of /dev/random on embedded
systems with read-only media that do not configure "nodevice random". We
toggle the default from 'charge on blindly with no entropy' to 'block
indefinitely.' This default is safer, but may cause frustration. Embedded
system designers using FreeBSD have several options. The most obvious is to
plan to have a small writable NVRAM or NAND to persist entropy, like larger
systems. Early entropy can be fed from any loader, or by writing directly
to /dev/random during boot. Some embedded SoCs now provide a fast hardware
entropy source; this would also work for quickly seeding Fortuna. A 3rd
option would be creating an embedded-specific, more simplistic random
module, like that designed by DJB in [1] (this design still requires a small
rewritable media for forward secrecy). Finally, the least preferred option
might be "nodevice random", although I plan to remove this in a subsequent
revision.
To help developers emulate the behavior of these embedded systems on
ordinary workstations, the tunable kern.random.block_seeded_status was
added. When set to 1, it blocks the random device.
I attempted to document this change in random.4 and random.9 and ran into a
bunch of out-of-date or irrelevant or inaccurate content and ended up
rototilling those documents more than I intended to. Sorry. I think
they're in a better state now.
PR: 230875
Reviewed by: delphij, markm (earlier version)
Approved by: secteam(delphij), devrandom(markm)
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D19744
2019-04-15 18:40:36 +00:00
|
|
|
u_int8_t key[CHACHA20_KEYBYTES];
|
1999-11-28 17:51:09 +00:00
|
|
|
|
random(4): Restore availability tradeoff prior to r346250
As discussed in that commit message, it is a dangerous default. But the
safe default causes enough pain on a variety of platforms that for now,
restore the prior default.
Some of this is self-induced pain we should/could do better about; for
example, programmatic CI systems and VM managers should introduce entropy
from the host for individual VM instances. This is considered a future work
item.
On modern x86 and Power9 systems, this may be wholly unnecessary after
D19928 lands (even in the non-ideal case where early /boot/entropy is
unavailable), because they have fast hardware random sources available early
in boot. But D19928 is not yet landed and we have a host of architectures
which do not provide fast random sources.
This change adds several tunables and diagnostic sysctls, documented
thoroughly in UPDATING and sys/dev/random/random_infra.c.
PR: 230875 (reopens)
Reported by: adrian, jhb, imp, and probably others
Reviewed by: delphij, imp (earlier version), markm (earlier version)
Discussed with: adrian
Approved by: secteam(delphij)
Relnotes: yeah
Security: related
Differential Revision: https://reviews.freebsd.org/D19944
2019-04-18 20:48:54 +00:00
|
|
|
if (__predict_false(random_bypass_before_seeding && !is_random_seeded())) {
|
|
|
|
|
SHA256_CTX ctx;
|
|
|
|
|
uint64_t cc;
|
|
|
|
|
uint32_t fver;
|
|
|
|
|
|
|
|
|
|
if (!arc4random_bypassed_before_seeding) {
|
|
|
|
|
arc4random_bypassed_before_seeding = true;
|
|
|
|
|
if (!random_bypass_disable_warnings)
|
|
|
|
|
printf("arc4random: WARNING: initial seeding "
|
|
|
|
|
"bypassed the cryptographic random device "
|
|
|
|
|
"because it was not yet seeded and the "
|
|
|
|
|
"knob 'bypass_before_seeding' was "
|
|
|
|
|
"enabled.\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Last ditch effort to inject something in a bad condition. */
|
|
|
|
|
cc = get_cyclecount();
|
|
|
|
|
SHA256_Init(&ctx);
|
|
|
|
|
SHA256_Update(&ctx, key, sizeof(key));
|
|
|
|
|
SHA256_Update(&ctx, &cc, sizeof(cc));
|
|
|
|
|
fver = __FreeBSD_version;
|
|
|
|
|
SHA256_Update(&ctx, &fver, sizeof(fver));
|
|
|
|
|
_Static_assert(sizeof(key) == SHA256_DIGEST_LENGTH,
|
|
|
|
|
"make sure 256 bits is still 256 bits");
|
|
|
|
|
SHA256_Final(key, &ctx);
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* If the loader(8) did not have an entropy stash from the
|
|
|
|
|
* previous shutdown to load, then we will block. The answer is
|
|
|
|
|
* to make sure there is an entropy stash at shutdown time.
|
|
|
|
|
*
|
|
|
|
|
* On the other hand, if the random_bypass_before_seeding knob
|
|
|
|
|
* was set and we landed in this branch, we know this won't
|
|
|
|
|
* block because we know the random device is seeded.
|
|
|
|
|
*/
|
|
|
|
|
read_random(key, CHACHA20_KEYBYTES);
|
|
|
|
|
}
|
2017-04-16 09:11:02 +00:00
|
|
|
getmicrouptime(&tv_now);
|
|
|
|
|
mtx_lock(&chacha20->mtx);
|
|
|
|
|
chacha_keysetup(&chacha20->ctx, key, CHACHA20_KEYBYTES*8);
|
|
|
|
|
chacha_ivsetup(&chacha20->ctx, (u_char *)&tv_now.tv_sec, (u_char *)&tv_now.tv_usec);
|
2001-08-30 01:15:25 +00:00
|
|
|
/* Reset for next reseed cycle. */
|
2017-04-16 09:11:02 +00:00
|
|
|
chacha20->t_reseed = tv_now.tv_sec + CHACHA20_RESEED_SECONDS;
|
|
|
|
|
chacha20->numbytes = 0;
|
|
|
|
|
mtx_unlock(&chacha20->mtx);
|
1999-11-28 23:39:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2017-04-16 09:11:02 +00:00
|
|
|
* Initialize the contexts.
|
1999-11-28 23:39:49 +00:00
|
|
|
*/
|
|
|
|
|
static void
|
2017-04-16 09:11:02 +00:00
|
|
|
chacha20_init(void)
|
1999-11-28 23:39:49 +00:00
|
|
|
{
|
2017-04-16 09:11:02 +00:00
|
|
|
struct chacha20_s *chacha20;
|
|
|
|
|
|
|
|
|
|
chacha20inst = malloc((mp_maxid + 1) * sizeof(struct chacha20_s),
|
|
|
|
|
M_CHACHA20RANDOM, M_NOWAIT | M_ZERO);
|
|
|
|
|
KASSERT(chacha20inst != NULL, ("chacha20_init: memory allocation error"));
|
|
|
|
|
|
|
|
|
|
CHACHA20_FOREACH(chacha20) {
|
|
|
|
|
mtx_init(&chacha20->mtx, "chacha20_mtx", NULL, MTX_DEF);
|
|
|
|
|
chacha20->t_reseed = -1;
|
|
|
|
|
chacha20->numbytes = 0;
|
|
|
|
|
explicit_bzero(chacha20->m_buffer, CHACHA20_BUFFER_SIZE);
|
|
|
|
|
explicit_bzero(&chacha20->ctx, sizeof(chacha20->ctx));
|
2016-11-25 13:49:33 +00:00
|
|
|
}
|
|
|
|
|
}
|
2017-04-16 09:11:02 +00:00
|
|
|
SYSINIT(chacha20, SI_SUB_LOCK, SI_ORDER_ANY, chacha20_init, NULL);
|
2016-11-25 13:49:33 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
2017-04-16 09:11:02 +00:00
|
|
|
chacha20_uninit(void)
|
2016-11-25 13:49:33 +00:00
|
|
|
{
|
2017-04-16 09:11:02 +00:00
|
|
|
struct chacha20_s *chacha20;
|
2016-11-25 13:49:33 +00:00
|
|
|
|
2017-04-16 09:11:02 +00:00
|
|
|
CHACHA20_FOREACH(chacha20)
|
|
|
|
|
mtx_destroy(&chacha20->mtx);
|
|
|
|
|
free(chacha20inst, M_CHACHA20RANDOM);
|
1999-11-28 17:51:09 +00:00
|
|
|
}
|
2017-04-16 09:11:02 +00:00
|
|
|
SYSUNINIT(chacha20, SI_SUB_LOCK, SI_ORDER_ANY, chacha20_uninit, NULL);
|
1999-11-28 17:51:09 +00:00
|
|
|
|
|
|
|
|
|
2003-08-15 06:34:47 +00:00
|
|
|
/*
|
|
|
|
|
* MPSAFE
|
|
|
|
|
*/
|
2002-10-11 13:13:08 +00:00
|
|
|
void
|
|
|
|
|
arc4rand(void *ptr, u_int len, int reseed)
|
1999-11-28 17:51:09 +00:00
|
|
|
{
|
2017-04-16 09:11:02 +00:00
|
|
|
struct chacha20_s *chacha20;
|
2002-10-11 13:13:08 +00:00
|
|
|
struct timeval tv;
|
2017-04-16 09:11:02 +00:00
|
|
|
u_int length;
|
|
|
|
|
u_int8_t *p;
|
1999-11-28 17:51:09 +00:00
|
|
|
|
2019-05-12 06:32:46 +00:00
|
|
|
if (__predict_false(reseed ||
|
|
|
|
|
(arc4rand_iniseed_state == ARC4_ENTR_HAVE &&
|
|
|
|
|
atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_HAVE, ARC4_ENTR_SEED))))
|
2017-04-16 09:11:02 +00:00
|
|
|
CHACHA20_FOREACH(chacha20)
|
|
|
|
|
chacha20_randomstir(chacha20);
|
2016-11-25 13:49:33 +00:00
|
|
|
|
2002-10-11 13:13:08 +00:00
|
|
|
getmicrouptime(&tv);
|
2019-05-12 06:32:46 +00:00
|
|
|
chacha20 = &chacha20inst[curcpu];
|
2017-04-16 09:11:02 +00:00
|
|
|
/* We may get unlucky and be migrated off this CPU, but that is expected to be infrequent */
|
|
|
|
|
if ((chacha20->numbytes > CHACHA20_RESEED_BYTES) || (tv.tv_sec > chacha20->t_reseed))
|
|
|
|
|
chacha20_randomstir(chacha20);
|
2016-11-25 13:49:33 +00:00
|
|
|
|
2002-10-11 13:13:08 +00:00
|
|
|
p = ptr;
|
2019-05-12 06:32:46 +00:00
|
|
|
mtx_lock(&chacha20->mtx);
|
2017-04-16 09:11:02 +00:00
|
|
|
while (len) {
|
|
|
|
|
length = MIN(CHACHA20_BUFFER_SIZE, len);
|
|
|
|
|
chacha_encrypt_bytes(&chacha20->ctx, chacha20->m_buffer, p, length);
|
|
|
|
|
p += length;
|
|
|
|
|
len -= length;
|
|
|
|
|
chacha20->numbytes += length;
|
|
|
|
|
if (chacha20->numbytes > CHACHA20_RESEED_BYTES) {
|
|
|
|
|
mtx_unlock(&chacha20->mtx);
|
|
|
|
|
chacha20_randomstir(chacha20);
|
|
|
|
|
mtx_lock(&chacha20->mtx);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
mtx_unlock(&chacha20->mtx);
|
2002-10-11 13:13:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
uint32_t
|
|
|
|
|
arc4random(void)
|
|
|
|
|
{
|
|
|
|
|
uint32_t ret;
|
1999-11-28 17:51:09 +00:00
|
|
|
|
2017-04-16 09:11:02 +00:00
|
|
|
arc4rand(&ret, sizeof(ret), 0);
|
1999-11-28 17:51:09 +00:00
|
|
|
return ret;
|
|
|
|
|
}
|
2017-04-16 09:11:02 +00:00
|
|
|
|
|
|
|
|
void
|
|
|
|
|
arc4random_buf(void *ptr, size_t len)
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
arc4rand(ptr, len, 0);
|
|
|
|
|
}
|
