minix/drivers/random/random.c

/*
random.c

Random number generator.

The random number generator collects data from the kernel and compressed
that data into a seed for a psuedo random number generator.
*/

#include <minix/drivers.h>
#include "kernel/const.h"
#include "assert.h"

#include "random.h"
#include <sys/sha2.h>
#include "aes/rijndael.h"

#define N_DERIV	16
#define NR_POOLS 32
#define MIN_SAMPLES	256	/* Number of samples needed in pool 0 for a
				 * re-seed.
				 */

static unsigned long deriv[TOTAL_SOURCES][N_DERIV];
static int pool_ind[TOTAL_SOURCES];
static SHA256_CTX pool_ctx[NR_POOLS];
static unsigned samples= 0;
static int got_seeded= 0;
static u8_t random_key[2*AES_BLOCKSIZE];
static u32_t count_lo, count_hi;
static u32_t reseed_count;

static void add_sample(int source, unsigned long sample);
static void data_block(rd_keyinstance *keyp, void *data);
static void reseed(void);

void random_init()
{
	int i, j;

	assert(&deriv[TOTAL_SOURCES-1][N_DERIV-1] ==
		&deriv[0][0] + TOTAL_SOURCES*N_DERIV -1);

	for (i= 0; i<TOTAL_SOURCES; i++)
	{
		for (j= 0; j<N_DERIV; j++)
			deriv[i][j]= 0;
		pool_ind[i]= 0;
	}
	for (i= 0; i<NR_POOLS; i++)
		SHA256_Init(&pool_ctx[i]);
	count_lo= 0;
	count_hi= 0;
	reseed_count= 0;
}

int random_isseeded()
{
	if (got_seeded)
		return 1;
	return 0;
}

void random_update(source, buf, count)
int source;
rand_t *buf;
int count;
{
	int i;

#if 0
	printf("random_update: got %d samples for source %d\n", count, source);
#endif
	if (source < 0 || source >= TOTAL_SOURCES)
		panic("random_update: bad source: %d", source);
	for (i= 0; i<count; i++)
		add_sample(source, buf[i]);
	reseed();
}

void random_getbytes(buf, size)
void *buf;
size_t size;
{
	int n, r;
	u8_t *cp;
	rd_keyinstance key;
	u8_t output[AES_BLOCKSIZE];

	r= rijndael_makekey(&key, sizeof(random_key), random_key);
	assert(r == 0);

	cp= buf;
	while (size > 0)
	{
		n= AES_BLOCKSIZE;
		if (n > size)
		{
			n= size;
			data_block(&key, output);
			memcpy(cp, output, n);
		}
		else
			data_block(&key, cp);
		cp += n;
		size -= n;
	}

	/* Generate new key */
	assert(sizeof(random_key) == 2*AES_BLOCKSIZE);
	data_block(&key, random_key);
	data_block(&key, random_key+AES_BLOCKSIZE);
}

void random_putbytes(buf, size)
void *buf;
size_t size;
{
	/* Add bits to pool zero */
	SHA256_Update(&pool_ctx[0], buf, size);

	/* Assume that these bits are truely random. Increment samples
	 * with the number of bits.
	 */
	samples += size*8;

	reseed();
}

static void add_sample(source, sample)
int source;
unsigned long sample;
{
	int i, pool_nr;
	unsigned long d, v, di, min;

	/* Delete bad sample. Compute the Nth derivative. Delete the sample
	 * if any derivative is too small.
	 */
	min= (unsigned long)-1;
	v= sample;
	for (i= 0; i<N_DERIV; i++)
	{
		di= deriv[source][i];

		/* Compute the difference */
		if (v >= di)
			d= v-di;
		else
			d= di-v;
		deriv[source][i]= v;
		v= d;
		if (v <min)
			min= v;
	}
	if (min < 2)
	{
#if 0
		printf("ignoring sample '%u' from source %d\n",
			sample, source);
#endif
		return;
	}
#if 0
	printf("accepting sample '%u' from source %d\n", sample, source);
#endif

	pool_nr= pool_ind[source];
	assert(pool_nr >= 0 && pool_nr < NR_POOLS);

	SHA256_Update(&pool_ctx[pool_nr], (unsigned char *)&sample,
		sizeof(sample));
	if (pool_nr == 0)
		samples++;
	pool_nr++;
	if (pool_nr >= NR_POOLS)
		pool_nr= 0;
	pool_ind[source]= pool_nr;
}

static void data_block(keyp, data)
rd_keyinstance *keyp;
void *data;
{
	int r;
	u8_t input[AES_BLOCKSIZE];

	memset(input, '\0', sizeof(input));

	/* Do we want the output of the random numbers to be portable 
	 * across platforms (for example for RSA signatures)? At the moment
	 * we don't do anything special. Encrypt the counter with the AES
	 * key.
	 */
	assert(sizeof(count_lo)+sizeof(count_hi) <= AES_BLOCKSIZE);
	memcpy(input, &count_lo, sizeof(count_lo));
	memcpy(input+sizeof(count_lo), &count_hi, sizeof(count_hi));
	r= rijndael_ecb_encrypt(keyp, input, data, AES_BLOCKSIZE, NULL);
	assert(r == AES_BLOCKSIZE);

	count_lo++;
	if (count_lo == 0)
		count_hi++;
}

static void reseed()
{
	int i;
	SHA256_CTX ctx;
	u8_t digest[SHA256_DIGEST_LENGTH];

	if (samples < MIN_SAMPLES)
		return;

	reseed_count++;
	SHA256_Init(&ctx);
	if (got_seeded)
		SHA256_Update(&ctx, random_key, sizeof(random_key));
	SHA256_Final(digest, &pool_ctx[0]);
	SHA256_Update(&ctx, digest, sizeof(digest));
	SHA256_Init(&pool_ctx[0]);
	for (i= 1; i<NR_POOLS; i++)
	{
		if ((reseed_count & (1UL << (i-1))) != 0)
			break;
		SHA256_Final(digest, &pool_ctx[i]);
		SHA256_Update(&ctx, digest, sizeof(digest));
		SHA256_Init(&pool_ctx[i]);
	}
	SHA256_Final(digest, &ctx);
	assert(sizeof(random_key) == sizeof(digest));
	memcpy(random_key, &digest, sizeof(random_key));
	samples= 0;

	got_seeded= 1;
}
Random number generator 2005-07-18 17:40:24 +02:00			`/*`
			`random.c`

			`Random number generator.`

			`The random number generator collects data from the kernel and compressed`
			`that data into a seed for a psuedo random number generator.`
			`*/`

Convert drivers/ and servers/ over to bsdmake -Move libdriver to lib/ -Install all boot image services on filesystem to aid restartability 2010-03-22 22:25:22 +01:00			`#include <minix/drivers.h>`
Convert kernel over to bsdmake 2010-04-02 00:22:33 +02:00			`#include "kernel/const.h"`
Random number generator 2005-07-18 17:40:24 +02:00			`#include "assert.h"`

			`#include "random.h"`
Build NetBSD libc library in world in ELF mode. 3 sets of libraries are built now: . ack: all libraries that ack can compile (/usr/lib/i386/) . clang+elf: all libraries with minix headers (/usr/lib/) . clang+elf: all libraries with netbsd headers (/usr/netbsd/) Once everything can be compiled with netbsd libraries and headers, the /usr/netbsd hierarchy will be obsolete and its libraries compiled with netbsd headers will be installed in /usr/lib, and its headers in /usr/include. (i.e. minix libc and current minix headers set will be gone.) To use the NetBSD libc system (libraries + headers) before it is the default libc, see: http://wiki.minix3.org/en/DevelopersGuide/UsingNetBSDCode This wiki page also documents the maintenance of the patch files of minix-specific changes to imported NetBSD code. Changes in this commit: . libsys: Add NBSD compilation and create a safe NBSD-based libc. . Port rest of libraries (except libddekit) to new header system. . Enable compilation of libddekit with new headers. . Enable kernel compilation with new headers. . Enable drivers compilation with new headers. . Port legacy commands to new headers and libc. . Port servers to new headers. . Add <sys/sigcontext.h> in compat library. . Remove dependency file in tree. . Enable compilation of common/lib/libc/atomic in libsys . Do not generate RCSID strings in libc. . Temporarily disable zoneinfo as they are incompatible with NetBSD format . obj-nbsd for .gitignore . Procfs: use only integer arithmetic. (Antoine Leca) . Increase ramdisk size to create NBSD-based images. . Remove INCSYMLINKS handling hack. . Add nbsd_include/sys/exec_elf.h . Enable ELF compilation with NBSD libc. . Add 'make nbsdsrc' in tools to download reference NetBSD sources. . Automate minix-port.patch creation. . Avoid using fstavfs() as it is extremely slow and unneeded. . Set err() as PRIVATE to avoid name clash with libc. . [NBSD] servers/vm: remove compilation warnings. . u32 is not a long in NBSD headers. . UPDATING info on netbsd hierarchy . commands fixes for netbsd libc 2011-04-27 15:00:52 +02:00			`#include <sys/sha2.h>`
Random number generator 2005-07-18 17:40:24 +02:00			`#include "aes/rijndael.h"`

			`#define N_DERIV 16`
			`#define NR_POOLS 32`
			`#define MIN_SAMPLES 256 /* Number of samples needed in pool 0 for a`
			`* re-seed.`
			`*/`

retire PUBLIC, PRIVATE and FORWARD 2012-03-25 20:25:53 +02:00			`static unsigned long deriv[TOTAL_SOURCES][N_DERIV];`
			`static int pool_ind[TOTAL_SOURCES];`
			`static SHA256_CTX pool_ctx[NR_POOLS];`
			`static unsigned samples= 0;`
			`static int got_seeded= 0;`
			`static u8_t random_key[2*AES_BLOCKSIZE];`
			`static u32_t count_lo, count_hi;`
			`static u32_t reseed_count;`

			`static void add_sample(int source, unsigned long sample);`
			`static void data_block(rd_keyinstance keyp, void data);`
			`static void reseed(void);`

			`void random_init()`
Random number generator 2005-07-18 17:40:24 +02:00			`{`
			`int i, j;`

moved type and constants for random data to include file; added consistency check in random; added source of randomness internal to random using timing; only retrieve random bins that are full. 2009-04-02 17:24:44 +02:00			`assert(&deriv[TOTAL_SOURCES-1][N_DERIV-1] ==`
			`&deriv[0][0] + TOTAL_SOURCES*N_DERIV -1);`
Random number generator 2005-07-18 17:40:24 +02:00
moved type and constants for random data to include file; added consistency check in random; added source of randomness internal to random using timing; only retrieve random bins that are full. 2009-04-02 17:24:44 +02:00			`for (i= 0; i<TOTAL_SOURCES; i++)`
Random number generator 2005-07-18 17:40:24 +02:00			`{`
			`for (j= 0; j<N_DERIV; j++)`
			`deriv[i][j]= 0;`
			`pool_ind[i]= 0;`
			`}`
			`for (i= 0; i<NR_POOLS; i++)`
			`SHA256_Init(&pool_ctx[i]);`
			`count_lo= 0;`
			`count_hi= 0;`
			`reseed_count= 0;`
			`}`

retire PUBLIC, PRIVATE and FORWARD 2012-03-25 20:25:53 +02:00			`int random_isseeded()`
Random number generator 2005-07-18 17:40:24 +02:00			`{`
			`if (got_seeded)`
Small update to random number generator 2005-07-19 14:16:55 +02:00			`return 1;`
			`return 0;`
Random number generator 2005-07-18 17:40:24 +02:00			`}`

retire PUBLIC, PRIVATE and FORWARD 2012-03-25 20:25:53 +02:00			`void random_update(source, buf, count)`
Random number generator 2005-07-18 17:40:24 +02:00			`int source;`
moved type and constants for random data to include file; added consistency check in random; added source of randomness internal to random using timing; only retrieve random bins that are full. 2009-04-02 17:24:44 +02:00			`rand_t *buf;`
Random number generator 2005-07-18 17:40:24 +02:00			`int count;`
			`{`
			`int i;`

			`#if 0`
			`printf("random_update: got %d samples for source %d\n", count, source);`
			`#endif`
moved type and constants for random data to include file; added consistency check in random; added source of randomness internal to random using timing; only retrieve random bins that are full. 2009-04-02 17:24:44 +02:00			`if (source < 0 \|\| source >= TOTAL_SOURCES)`
panic() cleanup. this change - makes panic() variadic, doing full printf() formatting - no more NO_NUM, and no more separate printf() statements needed to print extra info (or something in hex) before panicing - unifies panic() - same panic() name and usage for everyone - vm, kernel and rest have different names/syntax currently in order to implement their own luxuries, but no longer - throws out the 1st argument, to make source less noisy. the panic() in syslib retrieves the server name from the kernel so it should be clear enough who is panicing; e.g. panic("sigaction failed: %d", errno); looks like: at_wini(73130): panic: sigaction failed: 0 syslib:panic.c: stacktrace: 0x74dc 0x2025 0x100a - throws out report() - printf() is more convenient and powerful - harmonizes/fixes the use of panic() - there were a few places that used printf-style formatting (didn't work) and newlines (messes up the formatting) in panic() - throws out a few per-server panic() functions - cleans up a tie-in of tty with panic() merging printf() and panic() statements to be done incrementally. 2010-03-05 16:05:11 +01:00			`panic("random_update: bad source: %d", source);`
Random number generator 2005-07-18 17:40:24 +02:00			`for (i= 0; i<count; i++)`
			`add_sample(source, buf[i]);`
Small update to random number generator 2005-07-19 14:16:55 +02:00			`reseed();`
Random number generator 2005-07-18 17:40:24 +02:00			`}`

retire PUBLIC, PRIVATE and FORWARD 2012-03-25 20:25:53 +02:00			`void random_getbytes(buf, size)`
Random number generator 2005-07-18 17:40:24 +02:00			`void *buf;`
			`size_t size;`
			`{`
			`int n, r;`
			`u8_t *cp;`
			`rd_keyinstance key;`
			`u8_t output[AES_BLOCKSIZE];`

			`r= rijndael_makekey(&key, sizeof(random_key), random_key);`
			`assert(r == 0);`

			`cp= buf;`
			`while (size > 0)`
			`{`
			`n= AES_BLOCKSIZE;`
			`if (n > size)`
			`{`
			`n= size;`
			`data_block(&key, output);`
			`memcpy(cp, output, n);`
			`}`
			`else`
			`data_block(&key, cp);`
			`cp += n;`
			`size -= n;`
			`}`

			`/* Generate new key */`
			`assert(sizeof(random_key) == 2*AES_BLOCKSIZE);`
			`data_block(&key, random_key);`
			`data_block(&key, random_key+AES_BLOCKSIZE);`
			`}`

retire PUBLIC, PRIVATE and FORWARD 2012-03-25 20:25:53 +02:00			`void random_putbytes(buf, size)`
Random number generator 2005-07-18 17:40:24 +02:00			`void *buf;`
			`size_t size;`
			`{`
			`/* Add bits to pool zero */`
			`SHA256_Update(&pool_ctx[0], buf, size);`

			`/* Assume that these bits are truely random. Increment samples`
			`* with the number of bits.`
			`*/`
			`samples += size*8;`
Small update to random number generator 2005-07-19 14:16:55 +02:00
			`reseed();`
Random number generator 2005-07-18 17:40:24 +02:00			`}`

retire PUBLIC, PRIVATE and FORWARD 2012-03-25 20:25:53 +02:00			`static void add_sample(source, sample)`
Random number generator 2005-07-18 17:40:24 +02:00			`int source;`
			`unsigned long sample;`
			`{`
			`int i, pool_nr;`
			`unsigned long d, v, di, min;`

			`/* Delete bad sample. Compute the Nth derivative. Delete the sample`
			`* if any derivative is too small.`
			`*/`
			`min= (unsigned long)-1;`
			`v= sample;`
			`for (i= 0; i<N_DERIV; i++)`
			`{`
			`di= deriv[source][i];`

			`/* Compute the difference */`
			`if (v >= di)`
			`d= v-di;`
			`else`
			`d= di-v;`
			`deriv[source][i]= v;`
			`v= d;`
			`if (v <min)`
			`min= v;`
			`}`
			`if (min < 2)`
			`{`
			`#if 0`
			`printf("ignoring sample '%u' from source %d\n",`
			`sample, source);`
			`#endif`
			`return;`
			`}`
			`#if 0`
			`printf("accepting sample '%u' from source %d\n", sample, source);`
			`#endif`

			`pool_nr= pool_ind[source];`
			`assert(pool_nr >= 0 && pool_nr < NR_POOLS);`

			`SHA256_Update(&pool_ctx[pool_nr], (unsigned char *)&sample,`
			`sizeof(sample));`
			`if (pool_nr == 0)`
			`samples++;`
			`pool_nr++;`
			`if (pool_nr >= NR_POOLS)`
			`pool_nr= 0;`
			`pool_ind[source]= pool_nr;`
			`}`

retire PUBLIC, PRIVATE and FORWARD 2012-03-25 20:25:53 +02:00			`static void data_block(keyp, data)`
Random number generator 2005-07-18 17:40:24 +02:00			`rd_keyinstance *keyp;`
			`void *data;`
			`{`
			`int r;`
			`u8_t input[AES_BLOCKSIZE];`

			`memset(input, '\0', sizeof(input));`

			`/* Do we want the output of the random numbers to be portable`
			`* across platforms (for example for RSA signatures)? At the moment`
			`* we don't do anything special. Encrypt the counter with the AES`
			`* key.`
			`*/`
			`assert(sizeof(count_lo)+sizeof(count_hi) <= AES_BLOCKSIZE);`
			`memcpy(input, &count_lo, sizeof(count_lo));`
			`memcpy(input+sizeof(count_lo), &count_hi, sizeof(count_hi));`
			`r= rijndael_ecb_encrypt(keyp, input, data, AES_BLOCKSIZE, NULL);`
			`assert(r == AES_BLOCKSIZE);`

			`count_lo++;`
			`if (count_lo == 0)`
			`count_hi++;`
			`}`
Small update to random number generator 2005-07-19 14:16:55 +02:00
retire PUBLIC, PRIVATE and FORWARD 2012-03-25 20:25:53 +02:00			`static void reseed()`
Small update to random number generator 2005-07-19 14:16:55 +02:00			`{`
			`int i;`
			`SHA256_CTX ctx;`
			`u8_t digest[SHA256_DIGEST_LENGTH];`

			`if (samples < MIN_SAMPLES)`
			`return;`

			`reseed_count++;`
			`SHA256_Init(&ctx);`
			`if (got_seeded)`
			`SHA256_Update(&ctx, random_key, sizeof(random_key));`
			`SHA256_Final(digest, &pool_ctx[0]);`
			`SHA256_Update(&ctx, digest, sizeof(digest));`
			`SHA256_Init(&pool_ctx[0]);`
			`for (i= 1; i<NR_POOLS; i++)`
			`{`
			`if ((reseed_count & (1UL << (i-1))) != 0)`
			`break;`
			`SHA256_Final(digest, &pool_ctx[i]);`
			`SHA256_Update(&ctx, digest, sizeof(digest));`
			`SHA256_Init(&pool_ctx[i]);`
			`}`
			`SHA256_Final(digest, &ctx);`
			`assert(sizeof(random_key) == sizeof(digest));`
			`memcpy(random_key, &digest, sizeof(random_key));`
			`samples= 0;`

			`got_seeded= 1;`
			`}`