fec509a05ddbf645268fe2e537314def7d1b67c8gm/*
fec509a05ddbf645268fe2e537314def7d1b67c8gm * CDDL HEADER START
fec509a05ddbf645268fe2e537314def7d1b67c8gm *
fec509a05ddbf645268fe2e537314def7d1b67c8gm * The contents of this file are subject to the terms of the
fec509a05ddbf645268fe2e537314def7d1b67c8gm * Common Development and Distribution License (the "License").
fec509a05ddbf645268fe2e537314def7d1b67c8gm * You may not use this file except in compliance with the License.
fec509a05ddbf645268fe2e537314def7d1b67c8gm *
fec509a05ddbf645268fe2e537314def7d1b67c8gm * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
fec509a05ddbf645268fe2e537314def7d1b67c8gm * or http://www.opensolaris.org/os/licensing.
fec509a05ddbf645268fe2e537314def7d1b67c8gm * See the License for the specific language governing permissions
fec509a05ddbf645268fe2e537314def7d1b67c8gm * and limitations under the License.
fec509a05ddbf645268fe2e537314def7d1b67c8gm *
fec509a05ddbf645268fe2e537314def7d1b67c8gm * When distributing Covered Code, include this CDDL HEADER in each
fec509a05ddbf645268fe2e537314def7d1b67c8gm * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
fec509a05ddbf645268fe2e537314def7d1b67c8gm * If applicable, add the following below this CDDL HEADER, with the
fec509a05ddbf645268fe2e537314def7d1b67c8gm * fields enclosed by brackets "[]" replaced with your own identifying
fec509a05ddbf645268fe2e537314def7d1b67c8gm * information: Portions Copyright [yyyy] [name of copyright owner]
fec509a05ddbf645268fe2e537314def7d1b67c8gm *
fec509a05ddbf645268fe2e537314def7d1b67c8gm * CDDL HEADER END
fec509a05ddbf645268fe2e537314def7d1b67c8gm */
fec509a05ddbf645268fe2e537314def7d1b67c8gm/*
fec509a05ddbf645268fe2e537314def7d1b67c8gm * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
fec509a05ddbf645268fe2e537314def7d1b67c8gm * Use is subject to license terms.
fec509a05ddbf645268fe2e537314def7d1b67c8gm */
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm#pragma ident "%Z%%M% %I% %E% SMI"
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/types.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/sysmacros.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/modctl.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/conf.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/devops.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/cmn_err.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/kmem.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/stat.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/open.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/file.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/cpuvar.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/disp.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/hsvc.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/machsystm.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/ksynch.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/hypervisor_api.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/n2rng.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/sha1.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/ddi.h> /* near end to get min and max macros right */
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/sunddi.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm
/* n must be a power of 2 */
#define ROUNDUP(k, n) (((k) + (n) - 1) & ~((n) - 1))
/* SHA-1 geometry: one 512-bit input block, five 32-bit words of state. */
#define SHA1BLOCKBITS 512
#define SHA1BLOCKBYTES (SHA1BLOCKBITS / 8)
#define SHA1WORDS 5
/* Size in bytes of the 160-bit quantities (XKEY, XVAL, x_j) handled below. */
#define SHA1BYTES (4 * SHA1WORDS)
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm/*
fec509a05ddbf645268fe2e537314def7d1b67c8gm * Policy. ENTROPY_STARVATION is the maximum number of calls each
fec509a05ddbf645268fe2e537314def7d1b67c8gm * FIPS instance will accept without successfully getting more
fec509a05ddbf645268fe2e537314def7d1b67c8gm * entropy. It needs to be large enough to allow RNG operations to
fec509a05ddbf645268fe2e537314def7d1b67c8gm * not stall because of health checks, etc. But we don't want it too
fec509a05ddbf645268fe2e537314def7d1b67c8gm * large. FIPS 186-2 change 1 (5 October 2001) states that no more
fec509a05ddbf645268fe2e537314def7d1b67c8gm * that 2,000,000 DSA signatures (done using this algorithm) should be
 * done without reseeding. An instance refuses to generate (fips_random()
 * returns EIO) once it has gone more than ENTROPY_STARVATION consecutive
 * calls without fresh entropy, so 64 bits of entropy are stirred in at
 * least once every 10000 operations and 160 bits at least once every
 * 30000, well inside that limit. Normally, we stir in 64 bits of entropy
 * for every number generated.
fec509a05ddbf645268fe2e537314def7d1b67c8gm */
fec509a05ddbf645268fe2e537314def7d1b67c8gm#define ENTROPY_STARVATION 10000ULL
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gmextern int n2rng_herr2kerr(uint64_t);
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm
/*
 * 160-bit add: sum = val1 + (complement_val2 ? ~val2 : val2) + carryin,
 * taken mod 2^160. Each operand is five 32-bit words, word 0 most
 * significant, native byte order within a word. sum may be NULL (only
 * the return value is wanted) and may exactly alias val1 or val2; an
 * offset-but-overlapping sum is not supported.
 *
 * Return value: bit 1 is set if the result is non-zero, bit 0 is the
 * carry out of the top word. Passing carryin = 1 together with
 * complement_val2 = 1 computes val1 - val2 (two's complement). The
 * return value and the subtraction mode are not used by n2rng; they
 * survive from the original use of this code for a mod q reduction.
 */
static int
add160(uint32_t *sum, uint32_t const *val1, uint32_t const *val2,
    const unsigned carryin, const int complement_val2)
{
	uint32_t carry = (carryin != 0);
	uint32_t any_set = 0;
	int w;

	/* Word 0 is the most significant, so walk from the low word up. */
	for (w = 4; w >= 0; --w) {
		uint32_t a = val1[w];
		uint32_t b = complement_val2 ? ~val2[w] : val2[w];
		uint32_t s = a + b + carry;

		/*
		 * Unsigned wrap detection. With a carry-in of 1 the sum
		 * can equal a (when b == 0xffffffff) and still have
		 * wrapped, hence <= rather than <. a was read before
		 * sum[w] is stored, so aliasing sum with val1 is safe.
		 */
		carry = carry ? (s <= a) : (s < a);
		if (sum != NULL) {
			sum[w] = s;
		}
		any_set |= s;
	}

	return ((any_set ? 2 : 0) | (int)carry);
}
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm
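/*
 * One step of the FIPS 186-2 Appendix 3.1 generator (steps 3b-3d):
 * computes a new 160-bit random value into x_j and advances XKEY in
 * *frsp. XSEED_j is the per-call additional input (in this driver,
 * fresh hardware entropy supplied by fips_random()).
 *
 * In principle XKEY should be protected, perhaps by keeping it on a
 * non-pageable page, but it is clobbered with fresh entropy just before
 * use and irreversibly updated (step 3d) just after. The residual risk
 * is an attacker who captures the state while the entropy source is
 * broken and can then predict future values; that needs either root on
 * a live system (no defense) or a crash dump (by which time nothing is
 * being generated).
 *
 * Caller contract: XSEED_j is overwritten with XVAL = XKEY + XSEED_j,
 * which is sensitive, and must be zeroed by the caller. XKEY is
 * read-modify-written here, so the caller holds frsp->mtx (as
 * fips_random() does). Two symbols, XVAL and XSEED_j, name the same
 * buffer so each step matches the notation in FIPS 186-2.
 */
static void
fips_random_inner(fipsrandomstruct_t *frsp, uint32_t *x_j,
    uint32_t *XSEED_j)
{
	int i;
	SHA1_CTX sha1_context;
	/* Alias to preserve terminology from FIPS 186-2 */
#define	XVAL XSEED_j
	/*
	 * K&R section A8.7: if the array has fixed size, the number of
	 * initializers may not exceed the number of members; if there
	 * are fewer, the trailing members are initialized with 0.
	 */
	static const char zero[SHA1BLOCKBYTES - SHA1BYTES] = {0};

	/*
	 * Step 3b: XVAL = (XKEY + XSEED_sub_j) mod 2^b. The mod is
	 * implicit in the 160-bit representation. XVAL and XSEED_j are
	 * the same location; add160() permits exact aliasing.
	 */
	(void) add160(XVAL, frsp->XKEY, XSEED_j, 0, 0);

	/*
	 * Step 3c: x_sub_j = G(t, XVAL), where G is SHA-1's compression
	 * function applied to XVAL zero-filled to one 512-bit block
	 * (FIPS 186-2 Appendix 3.3). Filling to 64 bytes also triggers
	 * SHA1Transform (steps a-e of the spec). The DSA-specific
	 * "mod q" reduction is not applied here: the full 160-bit state
	 * is the output.
	 *
	 * XVAL is hashed as five native-endian 32-bit words (see
	 * add160()); on the big-endian SPARC hardware this driver targets
	 * that presumably matches the FIPS byte ordering -- not verified
	 * here.
	 *
	 * zero is a const char[], but SHA1Update does not declare its
	 * second parameter const, even though it does not modify it, so
	 * we cast to suppress a compiler warning.
	 */
	SHA1Init(&sha1_context);
	SHA1Update(&sha1_context, (unsigned char *)XVAL, SHA1BYTES);
	SHA1Update(&sha1_context, (unsigned char *)zero,
	    SHA1BLOCKBYTES - SHA1BYTES);

	/*
	 * The code below directly accesses the state field of
	 * sha1_context (SHA1_CTX, defined in sha1.h). This has been
	 * deemed acceptable because that typedef is Consolidation
	 * Private and n2rng is in the same consolidation. Copy out to x_j.
	 */
	for (i = 0; i < SHA1WORDS; i++) {
		x_j[i] = sha1_context.state[i];
	}

	/*
	 * Step 3d: XKEY = (1 + XKEY + x_sub_j) mod 2^b, b = 160. The
	 * mod 2^160 is implicit in the representation; the 1 is added
	 * via the carry-in flag.
	 */
	(void) add160(frsp->XKEY, frsp->XKEY, x_j, 1, 0);

	/*
	 * Zeroize the hash context before it goes out of scope: state[]
	 * holds x_j and the context's input buffer may hold a copy of
	 * XVAL; neither should linger on the kernel stack.
	 */
	bzero(&sha1_context, sizeof (sha1_context));
#undef	XVAL
}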
fec509a05ddbf645268fe2e537314def7d1b67c8gm
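/*
 * Fill out[0..nbytes) with FIPS 186-2 generator output, 20 bytes per
 * step, stirring in 64 bits of fresh hardware entropy per step.
 *
 * Returns 0 on success. Returns EIO when the chosen FIPS instance has
 * seen more than ENTROPY_STARVATION consecutive steps without entropy;
 * out may then be partially written and must not be used.
 *
 * Sensitive locals (the XSEED/XVAL buffer and the last output block)
 * are zeroized on every exit path.
 */
int
fips_random(n2rng_t *n2rng, uint8_t *out, size_t nbytes)
{
	fipsrandomstruct_t *frsp;
	union {
		uint32_t as32[SHA1WORDS];
		uint64_t as64[ROUNDUP(SHA1WORDS, 2) >> 1];
	} entropy;
	uint32_t tempout[SHA1WORDS];
	uint8_t *dst = out;
	size_t remaining = nbytes;
	int rv = 0;

	while (remaining > 0) {
		size_t chunk = (remaining < SHA1BYTES) ? remaining : SHA1BYTES;

		/*
		 * XSEED_j for this step is 64 bits of fresh entropy in
		 * words 2-3 and zero elsewhere. fips_random_inner()
		 * overwrites XSEED_j with XVAL (= XKEY + XSEED_j), so the
		 * buffer is cleared before every step rather than once
		 * up front; otherwise words 0, 1 and 4 of the previous
		 * XVAL would be carried over as additional input.
		 */
		bzero(&entropy, sizeof (entropy));

		/*
		 * Since in the new scheme of things, the RNG latency
		 * will be high on reads after the first, we get just
		 * one word of entropy per call. And if it fails, we
		 * just go on, but if the number of successive
		 * failures gets too big, we fail.
		 */
		if (n2rng_getentropy(n2rng, (void *)&entropy.as64[1],
		    sizeof (uint64_t))) {
			/* failure case: a zero word marks "no entropy" */
			entropy.as64[1] = 0;
		}

		/*
		 * A Niagara2 chip is highly parallel, with many strands.
		 * A single FIPS instance would serialize all RNG work, so
		 * there are N2RNG_FIPS_INSTANCES, used round-robin via
		 * n2rng->n_frs.fips_round_robin_j. The counter is bumped
		 * with an atomic op (no global mutex, and faster than
		 * one). The per-instance mutex is taken inside the loop
		 * so one caller reading many blocks cannot stall every
		 * other strand.
		 */
		frsp = &n2rng->n_frs.fipsarray[
		    atomic_inc_32_nv(&n2rng->n_frs.fips_round_robin_j) %
		    N2RNG_FIPS_INSTANCES];

		mutex_enter(&frsp->mtx);

		if (entropy.as64[1] == 0) {
			/*
			 * No entropy this step (or a genuine all-zero
			 * word, probability 2^-64 -- not worth the extra
			 * stores and tests to distinguish).
			 */
			if (++frsp->entropyhunger > ENTROPY_STARVATION) {
				mutex_exit(&frsp->mtx);
				cmn_err(CE_WARN, "n2rng: not generating "
				    "entropy");
				rv = EIO;
				goto done;
			}
		} else {
			frsp->entropyhunger = 0;
		}

		fips_random_inner(frsp, tempout, entropy.as32);
		bcopy(tempout, dst, chunk);

		mutex_exit(&frsp->mtx);

		dst += chunk;
		remaining -= chunk;
	}

done:
	/*
	 * Zeroize sensitive information on every exit path: entropy
	 * holds the last XVAL (all 160 bits, not just the entropy word)
	 * and tempout holds the last output block.
	 */
	bzero(&entropy, sizeof (entropy));
	bzero(tempout, SHA1BYTES);

	return (rv);
}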
fec509a05ddbf645268fe2e537314def7d1b67c8gm
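/*
 * Initializes one FIPS RNG instance: seeds XKEY from the hardware
 * entropy source and initializes the instance mutex. Must be called
 * once for each instance.
 *
 * Returns 0 on success, otherwise the n2rng_getentropy() error. On
 * failure XKEY is cleared and the mutex is NOT initialized, so
 * n2rng_fips_random_fini() (which calls mutex_destroy()) must not be
 * called for an instance whose init failed.
 *
 * All FIPS-approved algorithms operate as cryptographic-quality PRNGs
 * even if there is no entropy source (in fact this is the only one that
 * accepts entropy on the fly). One motivation is that the system keeps
 * delivering cryptographic-quality random numbers even if the entropy
 * source fails later; only the initial seed is mandatory.
 */
int
n2rng_fips_random_init(n2rng_t *n2rng, fipsrandomstruct_t *frsp)
{
	int rv;

	/*
	 * ROUNDUP(SHA1BYTES, 8) is 24 bytes, one 32-bit word more than
	 * the 160-bit XKEY; this assumes fipsrandomstruct_t.XKEY has room
	 * for six words (the entropy interface appears to deal in 64-bit
	 * units) -- confirm against the definition in <sys/n2rng.h>.
	 */
	rv = n2rng_getentropy(n2rng, (void *)frsp->XKEY, ROUNDUP(SHA1BYTES, 8));
	if (rv != 0) {
		/* Don't leave a partially written seed behind. */
		bzero(frsp->XKEY, ROUNDUP(SHA1BYTES, 8));
		return (rv);
	}

	mutex_init(&frsp->mtx, NULL, MUTEX_DRIVER, NULL);

	return (0);
}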
fec509a05ddbf645268fe2e537314def7d1b67c8gm
/*
 * Tears down one FIPS RNG instance: destroys its mutex and wipes the
 * whole structure. Only call for an instance whose
 * n2rng_fips_random_init() succeeded.
 */
void
n2rng_fips_random_fini(fipsrandomstruct_t *frsp)
{
	const size_t len = sizeof (fipsrandomstruct_t);

	/* The lock is torn down before its storage is wiped. */
	mutex_destroy(&frsp->mtx);

	/*
	 * Zeroize XKEY and the rest of the instance so generator state
	 * does not linger in memory. Backtracking resistance only
	 * protects outputs already produced, not a copy of the state
	 * itself, so clear it rather than rely on it.
	 */
	bzero(frsp, len);
}