n2rng_provider.c revision fec509a05ddbf645268fe2e537314def7d1b67c8
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include <sys/sysmacros.h>
#include <sys/machsystm.h>
#include <sys/hypervisor_api.h>
/* n must be a power of 2 */
#define SHA1BLOCKBITS 512
#define SHA1WORDS 5
/*
* Policy. ENTROPY_STARVATION is the maximum number of calls each
* FIPS instance will accept without successfully getting more
* entropy. It needs to be large enough to allow RNG operations to
* not stall because of health checks, etc. But we don't want it too
* large. FIPS 186-2 change 1 (5 October 2001) states that no more
* that 2,000,000 DSA signatures (done using this algorithm) should be
* done without reseeding. We make sure we add 64 bits of entropy at
* most every 10000 operations, hence we will have stirred in 160 bits
* of entropy at most once every 30000 operations. Normally, we stir
* in 64 bits of entropy for every number generated.
*/
#define ENTROPY_STARVATION 10000ULL
extern int n2rng_herr2kerr(uint64_t);
/*
* Adds val1 and val2 and stores result into sum. The various input
* pointers can be exactly aliased. (They cannot be offset and
* overlapping, but no one would ever do that.) Values are big endian
* by words and native byte order within words. The return value's
* 2-bit is 0 if the result is zero, it's 1 bit is carry out. (This
* is reused code. The return code is not used by n2rng.) Thus,
* calling with both carryin and complement_val2 ones does a
* subtraction. A null sum pointer parameter is allowed. The
* subtraction features were required when this code was orginally
* written so it could do a mod q operation.
*/
static int
const unsigned carryin, const int complement_val2)
{
int i;
for (i = 4; i >= 0; --i) {
if (carry) {
} else {
}
if (sum) {
sum[i] = partialsum;
}
non_zero |= partialsum;
}
}
/*
* Computes a new random value, which is stored in x_j; updates XKEY
* in the *rs. XSEED_j is additional input. In principle, we should
* protect XKEY, perhaps by putting it on a non-pagable page, but we
* aways clobber XKEY with fresh entropy just before we use it. And
* step 3d irreversibly updates it just after we use it. The only
* risk is that if an attacker captured the state while the entropy
* generator was broken, the attacker could predict future values.
* There are two cases: 1. The attack gets root access to a live
* system. But there is no defense against that. 2. The attacker
* gets access to a crash dump. But by then no values are being
* generated.
*
* Note that XSEEDj is overwritten with sensitive stuff, and must be
* zeroed by the caller. We use two separate symbols (XVAL and
* XSEEDj) to make each step match the notation in FIPS 186-2.
*/
static void
{
int i;
/* Alias to preserve terminology from FIPS 186-2 */
/*
* K&R section A8.7: If the array has fixed size, the number
* of initializers may not exceed the number of members in the
* array; if there are fewer, the trailing members are
* initialized with 0.
*/
/*
* Step 3b: XVAL = (XKEY + XSEED_sub_j) mod 2^b. The mod is
* implicit in the 160 bit representation. Note that XVAL and
* XSEED_j are actually the same location.
*/
/*
* Step 3c: x_sub_j = G(t, XVAL) mod q.
*/
/*
* Filling to 64 bytes is requried by FIPS 186-2 Appendix 3.3.
* It also triggers SHA1Transform (the steps a-e of the spec).
*
* zero is a const char[], but SHA1update does not declare its
* second parameter const, even though it does not modify it,
* so we cast to suppress a compiler warning.
*/
/*
* The code below directly accesses the state field of
* sha1_context, which is of type SHA1_CTX, defined in sha1.h.
* This has been deemed acceptable, because that typedef is
* Consolidation Private, and n2rng is in the same
* consolidation.
*/
/* copy out to x_j */
for (i = 0; i < 5; i++) {
}
/*
* Step 3d: XKEY = (1 + XKEY + x_sub_j) mod 2^b. b=160. The
* mod 2^160 is implicit in the 160 bit representation. The
* one is added via the carry-in flag.
*/
}
int
{
int i;
union {
} entropy = {0};
/*
* Since in the new scheme of things, the RNG latency
* will be high on reads after the first, we get just
* one word of entropy per call. And if it fails, we
* just go on, but if the number of successive
* failures gets too big, we fail.
*/
sizeof (uint64_t))) {
/* failure case */
}
/*
* The idea here is that a Niagara2 chip is highly
* parallel, with many strands. If we have just one
* instance of the FIPS data, then only one FIPS
* computation can happen at a time, serializeing all
* the RNG stuff. So we make N2RNG_FIPS_INSTANCES,
* and use them round-robin, with the counter being
* n2rng->n_frs.fips_round_robin_j. We increment the
* counter with an atomic op, avoiding having to have
* a global muxtex. The atomic ops are also
* significantly faster than mutexes. The mutex is
* put inside the loop, otherwise one thread reading
* many blocks could stall all other strands.
*/
/*
* If we did not get any entropy, entropyword
* is zero. We get a false positive with
* probablitity 2^-64. It's not worth a few
* extra stores and tests eliminate the false
* positive.
*/
"entropy");
return (EIO);
}
} else {
frsp->entropyhunger = 0;
}
/* nbytes - i is bytes to go */
}
/* Zeroize sensitive information */
return (0);
}
/*
* Initializes one FIPS RNG instance. Must be called once for each
* instance.
*/
int
{
/*
* All FIPS-approved algorithms will operate as cryptograpic
* quality PRNGs even if there is no entropy source. (In
* fact, this the only one that accepts entropy on the fly.)
* One motivation for this is that they system keeps on
* delivering cryptographic quality random numbers, even if
* the entropy source fails.
*/
int rv;
if (rv) {
return (rv);
}
return (0);
}
void
{
/*
* Zeroise fips data. Not really necessary, since the
* algorithm has backtracking resistance, but do it anyway.
*/
}