Module Name: src Committed By: tls Date: Sat Aug 9 06:19:50 UTC 2014
Modified Files: src/sys/conf [tls-earlyentropy]: files src/sys/kern [tls-earlyentropy]: subr_cprng.c src/sys/rump/librump/rumpkern [tls-earlyentropy]: Makefile.rumpkern src/sys/sys [tls-earlyentropy]: cprng.h rnd.h src/usr.sbin/npf/npftest/libnpftest [tls-earlyentropy]: npf_test_subr.c Added Files: src/sys/crypto/cprng_fast [tls-earlyentropy]: cprng_fast.c cprng_fast.h files.cprng_fast Removed Files: src/sys/crypto/ccrand [tls-earlyentropy]: ccrand.h ccrand2.c ccrand32.c ccrand64.c ccrand_bytes.c ccrand_gen16.c ccrand_reseed.c ccrand_seed.c ccrand_seed32.c ccrand_seed64.c ccrand_use.c ccrand_var.h ccrand_words.c ccrandn.c files.ccrand Log Message: Replace "ccrand" ChaCha implementation of cprng_fast with Taylor's smaller and somewhat simpler one. Fix rump builds so we can build a distribution. To generate a diff of this commit: cvs rdiff -u -r1.1090.2.1 -r1.1090.2.2 src/sys/conf/files cvs rdiff -u -r1.1.2.1 -r0 src/sys/crypto/ccrand/ccrand.h \ src/sys/crypto/ccrand/ccrand2.c src/sys/crypto/ccrand/ccrand32.c \ src/sys/crypto/ccrand/ccrand64.c src/sys/crypto/ccrand/ccrand_bytes.c \ src/sys/crypto/ccrand/ccrand_gen16.c \ src/sys/crypto/ccrand/ccrand_reseed.c src/sys/crypto/ccrand/ccrand_seed.c \ src/sys/crypto/ccrand/ccrand_seed32.c \ src/sys/crypto/ccrand/ccrand_seed64.c src/sys/crypto/ccrand/ccrand_use.c \ src/sys/crypto/ccrand/ccrand_var.h src/sys/crypto/ccrand/ccrand_words.c \ src/sys/crypto/ccrand/ccrandn.c src/sys/crypto/ccrand/files.ccrand cvs rdiff -u -r0 -r1.1.2.1 src/sys/crypto/cprng_fast/cprng_fast.c \ src/sys/crypto/cprng_fast/cprng_fast.h \ src/sys/crypto/cprng_fast/files.cprng_fast cvs rdiff -u -r1.23.2.1 -r1.23.2.2 src/sys/kern/subr_cprng.c cvs rdiff -u -r1.143 -r1.143.2.1 \ src/sys/rump/librump/rumpkern/Makefile.rumpkern cvs rdiff -u -r1.9.2.1 -r1.9.2.2 src/sys/sys/cprng.h cvs rdiff -u -r1.40.2.2 -r1.40.2.3 src/sys/sys/rnd.h cvs rdiff -u -r1.9 -r1.9.2.1 \ src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/conf/files diff -u src/sys/conf/files:1.1090.2.1 src/sys/conf/files:1.1090.2.2 --- src/sys/conf/files:1.1090.2.1 Thu Jul 17 14:03:33 2014 +++ src/sys/conf/files Sat Aug 9 06:19:50 2014 @@ -1,4 +1,4 @@ -# $NetBSD: files,v 1.1090.2.1 2014/07/17 14:03:33 tls Exp $ +# $NetBSD: files,v 1.1090.2.2 2014/08/09 06:19:50 tls Exp $ # @(#)files.newconf 7.5 (Berkeley) 5/10/93 version 20100430 @@ -160,13 +160,15 @@ include "crypto/cast128/files.cast128" include "crypto/rijndael/files.rijndael" include "crypto/skipjack/files.skipjack" include "crypto/camellia/files.camellia" -include "crypto/ccrand/files.ccrand" # General-purpose crypto processing framework. include "opencrypto/files.opencrypto" # NIST SP800.90 CTR DRBG include "crypto/nist_ctr_drbg/files.nist_ctr_drbg" +# ChaCha-based fast PRNG +include "crypto/cprng_fast/files.cprng_fast" + # # Kernel history/tracing. Old UVMHIST depends upon this. # Index: src/sys/kern/subr_cprng.c diff -u src/sys/kern/subr_cprng.c:1.23.2.1 src/sys/kern/subr_cprng.c:1.23.2.2 --- src/sys/kern/subr_cprng.c:1.23.2.1 Thu Jul 17 14:03:33 2014 +++ src/sys/kern/subr_cprng.c Sat Aug 9 06:19:50 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_cprng.c,v 1.23.2.1 2014/07/17 14:03:33 tls Exp $ */ +/* $NetBSD: subr_cprng.c,v 1.23.2.2 2014/08/09 06:19:50 tls Exp $ */ /*- * Copyright (c) 2011-2013 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.23.2.1 2014/07/17 14:03:33 tls Exp $"); +__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.23.2.2 2014/08/09 06:19:50 tls Exp $"); #include <sys/param.h> #include <sys/types.h> @@ -55,22 +55,11 @@ __KERNEL_RCSID(0, "$NetBSD: subr_cprng.c #endif #include <crypto/nist_ctr_drbg/nist_ctr_drbg.h> -#include <crypto/ccrand/ccrand.h> #if defined(__HAVE_CPU_COUNTER) #include <machine/cpu_counter.h> #endif -#define CPRNGF_MAXBYTES (512 * 1024 * 1024) -#define CPRNGF_HARDMAX (1 * 1024 * 1024 * 1024) -#define CPRNGF_RESEED_SECONDS 600 - -typedef struct { - ccrand_t ccrand; - int numbytes; - time_t nextreseed; -} cprng_fast_ctx_t; - static int sysctl_kern_urnd(SYSCTLFN_PROTO); static int sysctl_kern_arnd(SYSCTLFN_PROTO); @@ -78,19 +67,12 @@ static void cprng_strong_generate(struct static void cprng_strong_reseed(struct cprng_strong *); static void cprng_strong_reseed_from(struct cprng_strong *, const void *, size_t, bool); -static void cprng_fast_randrekey(cprng_fast_ctx_t *); -void *cprng_fast_rekey_softintr = NULL; - #if DEBUG static void cprng_strong_rngtest(struct cprng_strong *); -static void cprng_fast_rngtest(void); #endif static rndsink_callback_t cprng_strong_rndsink_callback; -percpu_t *percpu_cprng_fast_ctx; -static int cprng_fast_initialized; - void cprng_init(void) { @@ -134,6 +116,7 @@ struct cprng_strong { char cs_name[16]; int cs_flags; kmutex_t cs_lock; + percpu_t *cs_percpu; kcondvar_t cs_cv; struct selinfo cs_selq; struct rndsink *cs_rndsink; @@ -501,25 +484,6 @@ cprng_strong_rngtest(struct cprng_strong explicit_memset(rt, 0, sizeof(*rt)); /* paranoia */ kmem_intr_free(rt, sizeof(*rt)); } - -static void cprng_fast_rngtest(void) -{ - rngtest_t *const rt = kmem_intr_alloc(sizeof(*rt), KM_NOSLEEP); - if (rt == NULL) - /* XXX Warn? */ - return; - - (void)snprintf(rt->rt_name, sizeof(rt->rt_name), - "cpu%d", curcpu()->ci_index); - cprng_fast(rt->rt_b, sizeof(rt->rt_b)); - - if (rngtest(rt)) { - printf("cprng_fast for %s: failed statistical RNG test\n", - rt->rt_name); - } - explicit_memset(rt, 0, sizeof(*rt)); - kmem_intr_free(rt, sizeof(*rt)); -} #endif /* @@ -605,128 +569,3 @@ sysctl_kern_arnd(SYSCTLFN_ARGS) return error; } } - -static void -cprng_fast_randrekey(cprng_fast_ctx_t *ctx) -{ - uint8_t key[16]; - int s; - - int have_initial = rnd_initial_entropy; - - cprng_strong(kern_cprng, key, sizeof(key), FASYNC); - s = splhigh(); - ccrand_reseed(&ctx->ccrand, (uint32_t *)key, - sizeof(key) / sizeof(uint32_t)); - splx(s); - explicit_memset(key, 0, sizeof(key)); - /* - * Reset for next reseed cycle. - */ - ctx->nextreseed = time_uptime + - (have_initial ? CPRNGF_RESEED_SECONDS : 0); - ctx->numbytes = 0; - -#if DEBUG - cprng_fast_rngtest(); -#endif -} - -static void -cprng_fast_init_ctx(void *v, - void *arg __unused, - struct cpu_info * ci __unused) -{ - cprng_fast_ctx_t *ctx = v; - cprng_fast_randrekey(ctx); -} - -static void -cprng_fast_rekey_one(void *arg __unused) -{ - cprng_fast_ctx_t *ctx = percpu_getref(percpu_cprng_fast_ctx); - - cprng_fast_randrekey(ctx); - percpu_putref(percpu_cprng_fast_ctx); -} - -/* - * Because we key the cprng_fast instances from the kernel_cprng, - * and we try not to initialize the kernel_cprng until there is at - * least some chance there's entropy available for it, this must - * be called somewhat later than cprng_init() and is thus a separate - * function. - */ -void -cprng_fast_init(void) -{ - percpu_cprng_fast_ctx = percpu_alloc(sizeof(cprng_fast_ctx_t)); - - percpu_foreach(percpu_cprng_fast_ctx, cprng_fast_init_ctx, NULL); - cprng_fast_rekey_softintr = - softint_establish(SOFTINT_CLOCK|SOFTINT_MPSAFE, - cprng_fast_rekey_one, NULL); - cprng_fast_initialized++; -} - -static inline void -cprng_fast_checkrekey(cprng_fast_ctx_t *ctx) -{ - extern void *cprng_fast_rekey_softintr; - - if (__predict_false((ctx->numbytes > CPRNGF_MAXBYTES) || - (time_uptime > ctx->nextreseed))) { - /* Schedule a deferred reseed */ - softint_schedule(cprng_fast_rekey_softintr); - } -} - -uint32_t -cprng_fast32(void) -{ - cprng_fast_ctx_t *ctx = percpu_getref(percpu_cprng_fast_ctx); - int s; - uint32_t ret; - - cprng_fast_checkrekey(ctx); - - s = splhigh(); - ret = ccrand32(&ctx->ccrand); - splx(s); - ctx->numbytes+= sizeof(ret); - percpu_putref(percpu_cprng_fast_ctx); - return ret; -} - -uint64_t -cprng_fast64(void) -{ - cprng_fast_ctx_t *ctx = percpu_getref(percpu_cprng_fast_ctx); - int s; - uint64_t ret; - - cprng_fast_checkrekey(ctx); - - s = splhigh(); - ret = ccrand64(&ctx->ccrand); - splx(s); - ctx->numbytes += sizeof(ret); - percpu_putref(percpu_cprng_fast_ctx); - return ret; -} - -size_t -cprng_fast(void *p, size_t len) -{ - cprng_fast_ctx_t *ctx = percpu_getref(percpu_cprng_fast_ctx); - int s; - - cprng_fast_checkrekey(ctx); - - s = splhigh(); - ccrand_bytes(&ctx->ccrand, p, len); - splx(s); - ctx->numbytes += len; - percpu_putref(percpu_cprng_fast_ctx); - return len; -} Index: src/sys/rump/librump/rumpkern/Makefile.rumpkern diff -u src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.143 src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.143.2.1 --- src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.143 Fri Apr 4 18:20:28 2014 +++ src/sys/rump/librump/rumpkern/Makefile.rumpkern Sat Aug 9 06:19:50 2014 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.rumpkern,v 1.143 2014/04/04 18:20:28 njoly Exp $ +# $NetBSD: Makefile.rumpkern,v 1.143.2.1 2014/08/09 06:19:50 tls Exp $ # .include "${RUMPTOP}/Makefile.rump" @@ -15,6 +15,7 @@ LIB= rump ${RUMPTOP}/../dev \ ${RUMPTOP}/../crypto/nist_ctr_drbg \ ${RUMPTOP}/../crypto/rijndael \ + ${RUMPTOP}/../crypto/cprng_fast \ ${RUMPTOP}/../secmodel \ ${RUMPTOP}/../secmodel/suser \ ${RUMPTOP}/../compat/common @@ -149,7 +150,8 @@ SRCS+= clock_subr.c SRCS+= nist_ctr_drbg.c SRCS+= rijndael-alg-fst.c SRCS+= rijndael-api-fst.c -SRCS+= rijndael.c +SRCS+= rijndael.c +SRCS+= cprng_fast.c # compat SRCS+= kern_select_50.c Index: src/sys/sys/cprng.h diff -u src/sys/sys/cprng.h:1.9.2.1 src/sys/sys/cprng.h:1.9.2.2 --- src/sys/sys/cprng.h:1.9.2.1 Thu Jul 17 14:03:33 2014 +++ src/sys/sys/cprng.h Sat Aug 9 06:19:50 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: cprng.h,v 1.9.2.1 2014/07/17 14:03:33 tls Exp $ */ +/* $NetBSD: cprng.h,v 1.9.2.2 2014/08/09 06:19:50 tls Exp $ */ /*- * Copyright (c) 2011-2013 The NetBSD Foundation, Inc. @@ -41,23 +41,16 @@ #include <sys/rnd.h> /* XXX users bogusly transitively need this */ #include <crypto/nist_ctr_drbg/nist_ctr_drbg.h> -#include <sys/percpu.h> -#include <sys/intr.h> +#include <crypto/cprng_fast/cprng_fast.h> /* * NIST SP800-90 says 2^19 bytes per request for the CTR_DRBG. */ #define CPRNG_MAX_LEN 524288 -size_t cprng_fast(void *, size_t); - -uint32_t cprng_fast32(void); -uint64_t cprng_fast64(void); - typedef struct cprng_strong cprng_strong_t; void cprng_init(void); -void cprng_fast_init(void); #define CPRNG_INIT_ANY 0x00000001 #define CPRNG_REKEY_ANY 0x00000002 Index: src/sys/sys/rnd.h diff -u src/sys/sys/rnd.h:1.40.2.2 src/sys/sys/rnd.h:1.40.2.3 --- src/sys/sys/rnd.h:1.40.2.2 Thu Jul 17 14:03:33 2014 +++ src/sys/sys/rnd.h Sat Aug 9 06:19:50 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: rnd.h,v 1.40.2.2 2014/07/17 14:03:33 tls Exp $ */ +/* $NetBSD: rnd.h,v 1.40.2.3 2014/08/09 06:19:50 tls Exp $ */ /*- * Copyright (c) 1997 The NetBSD Foundation, Inc. @@ -227,6 +227,8 @@ extern int rnd_initial_entropy; extern int rnd_ready; extern int rnd_printing; /* XXX recursion through printf */ +extern int rnd_blockonce; + #endif /* _KERNEL */ #define RND_MAXSTATCOUNT 10 /* 10 sources at once max */ Index: src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c diff -u src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c:1.9 src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c:1.9.2.1 --- src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c:1.9 Thu Feb 13 03:34:40 2014 +++ src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c Sat Aug 9 06:19:50 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_test_subr.c,v 1.9 2014/02/13 03:34:40 rmind Exp $ */ +/* $NetBSD: npf_test_subr.c,v 1.9.2.1 2014/08/09 06:19:50 tls Exp $ */ /* * NPF initialisation and handler routines. @@ -138,10 +138,10 @@ npf_inet_ntop(int af, const void *src, c } /* - * Need to override for cprng_fast32() -- we need deterministic PRNG. + * Need to override cprng_fast32() -- we need deterministic PRNG. */ uint32_t -_arc4random(void) +cprng_fast32(void) { return (uint32_t)(_random_func ? _random_func() : random()); } Added files: Index: src/sys/crypto/cprng_fast/cprng_fast.c diff -u /dev/null src/sys/crypto/cprng_fast/cprng_fast.c:1.1.2.1 --- /dev/null Sat Aug 9 06:19:50 2014 +++ src/sys/crypto/cprng_fast/cprng_fast.c Sat Aug 9 06:19:50 2014 @@ -0,0 +1,496 @@ +/* $NetBSD: cprng_fast.c,v 1.1.2.1 2014/08/09 06:19:50 tls Exp $ */ + +/*- + * Copyright (c) 2014 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +__KERNEL_RCSID(0, "$NetBSD: cprng_fast.c,v 1.1.2.1 2014/08/09 06:19:50 tls Exp $"); + +#include <sys/types.h> +#include <sys/bitops.h> +#include <sys/param.h> +#include <sys/cpu.h> +#include <sys/intr.h> +#include <sys/percpu.h> +#include <sys/cprng.h> + + +/* ChaCha core */ + +#define crypto_core_OUTPUTWORDS 16 +#define crypto_core_INPUTWORDS 4 +#define crypto_core_KEYWORDS 8 +#define crypto_core_CONSTWORDS 4 + +#define crypto_core_ROUNDS 8 + +static uint32_t +rotate(uint32_t u, unsigned c) +{ + + return (u << c) | (u >> (32 - c)); +} + +#define QUARTERROUND(a, b, c, d) do { \ + (a) += (b); (d) ^= (a); (d) = rotate((d), 16); \ + (c) += (d); (b) ^= (c); (b) = rotate((b), 12); \ + (a) += (b); (d) ^= (a); (d) = rotate((d), 8); \ + (c) += (d); (b) ^= (c); (b) = rotate((b), 7); \ +} while (0) + +static void +crypto_core(uint32_t *out, const uint32_t *in, const uint32_t *k, + const uint32_t *c) +{ + uint32_t x0,x1,x2,x3,x4,x5,x6,x7,x8,x9,x10,x11,x12,x13,x14,x15; + int i; + + x0 = c[0]; + x1 = c[1]; + x2 = c[2]; + x3 = c[3]; + x4 = k[0]; + x5 = k[1]; + x6 = k[2]; + x7 = k[3]; + x8 = k[4]; + x9 = k[5]; + x10 = k[6]; + x11 = k[7]; + x12 = in[0]; + x13 = in[1]; + x14 = in[2]; + x15 = in[3]; + + for (i = crypto_core_ROUNDS; i > 0; i -= 2) { + QUARTERROUND( x0, x4, x8,x12); + QUARTERROUND( x1, x5, x9,x13); + QUARTERROUND( x2, x6,x10,x14); + QUARTERROUND( x3, x7,x11,x15); + QUARTERROUND( x0, x5,x10,x15); + QUARTERROUND( x1, x6,x11,x12); + QUARTERROUND( x2, x7, x8,x13); + QUARTERROUND( x3, x4, x9,x14); + } + + out[0] = x0 + c[0]; + out[1] = x1 + c[1]; + out[2] = x2 + c[2]; + out[3] = x3 + c[3]; + out[4] = x4 + k[0]; + out[5] = x5 + k[1]; + out[6] = x6 + k[2]; + out[7] = x7 + k[3]; + out[8] = x8 + k[4]; + out[9] = x9 + k[5]; + out[10] = x10 + k[6]; + out[11] = x11 + k[7]; + out[12] = x12 + in[0]; + out[13] = x13 + in[1]; + out[14] = x14 + in[2]; + out[15] = x15 + in[3]; +} + +/* `expand 32-byte k' */ +static const uint32_t crypto_core_constant32[4] = { + 0x61707865U, 0x3320646eU, 0x79622d32U, 0x6b206574U, +}; + +/* + * Test vector for ChaCha20 from + * <http://tools.ietf.org/html/draft-strombergson-chacha-test-vectors-00>, + * test vectors for ChaCha12 and ChaCha8 generated by the same + * crypto_core code with crypto_core_ROUNDS varied. + */ + +#define check(E) do \ +{ \ + if (!(E)) \ + panic("crypto self-test failed: %s", #E); \ +} while (0) + +static void +crypto_core_selftest(void) +{ + const uint32_t zero32[8] = {0}; + const uint8_t sigma[] = "expand 32-byte k"; + uint32_t block[16]; + unsigned i; + +#if crypto_core_ROUNDS == 8 + static const uint8_t out[64] = { + 0x3e,0x00,0xef,0x2f,0x89,0x5f,0x40,0xd6, + 0x7f,0x5b,0xb8,0xe8,0x1f,0x09,0xa5,0xa1, + 0x2c,0x84,0x0e,0xc3,0xce,0x9a,0x7f,0x3b, + 0x18,0x1b,0xe1,0x88,0xef,0x71,0x1a,0x1e, + 0x98,0x4c,0xe1,0x72,0xb9,0x21,0x6f,0x41, + 0x9f,0x44,0x53,0x67,0x45,0x6d,0x56,0x19, + 0x31,0x4a,0x42,0xa3,0xda,0x86,0xb0,0x01, + 0x38,0x7b,0xfd,0xb8,0x0e,0x0c,0xfe,0x42, + }; +#elif crypto_core_ROUNDS == 12 + static const uint8_t out[64] = { + 0x9b,0xf4,0x9a,0x6a,0x07,0x55,0xf9,0x53, + 0x81,0x1f,0xce,0x12,0x5f,0x26,0x83,0xd5, + 0x04,0x29,0xc3,0xbb,0x49,0xe0,0x74,0x14, + 0x7e,0x00,0x89,0xa5,0x2e,0xae,0x15,0x5f, + 0x05,0x64,0xf8,0x79,0xd2,0x7a,0xe3,0xc0, + 0x2c,0xe8,0x28,0x34,0xac,0xfa,0x8c,0x79, + 0x3a,0x62,0x9f,0x2c,0xa0,0xde,0x69,0x19, + 0x61,0x0b,0xe8,0x2f,0x41,0x13,0x26,0xbe, + }; +#elif crypto_core_ROUNDS == 20 + static const uint8_t out[64] = { + 0x76,0xb8,0xe0,0xad,0xa0,0xf1,0x3d,0x90, + 0x40,0x5d,0x6a,0xe5,0x53,0x86,0xbd,0x28, + 0xbd,0xd2,0x19,0xb8,0xa0,0x8d,0xed,0x1a, + 0xa8,0x36,0xef,0xcc,0x8b,0x77,0x0d,0xc7, + 0xda,0x41,0x59,0x7c,0x51,0x57,0x48,0x8d, + 0x77,0x24,0xe0,0x3f,0xb8,0xd8,0x4a,0x37, + 0x6a,0x43,0xb8,0xf4,0x15,0x18,0xa1,0x1c, + 0xc3,0x87,0xb6,0x69,0xb2,0xee,0x65,0x86, + }; +#else +#error crypto_core_ROUNDS must be 8, 12, or 20. +#endif + + check(crypto_core_constant32[0] == le32dec(&sigma[0])); + check(crypto_core_constant32[1] == le32dec(&sigma[4])); + check(crypto_core_constant32[2] == le32dec(&sigma[8])); + check(crypto_core_constant32[3] == le32dec(&sigma[12])); + + crypto_core(block, zero32, zero32, crypto_core_constant32); + for (i = 0; i < 16; i++) + check(block[i] == le32dec(&out[i*4])); +} + +#undef check + +#define CPRNG_FAST_SEED_BYTES (crypto_core_KEYWORDS * sizeof(uint32_t)) + +struct cprng_fast { + uint32_t buffer[crypto_core_OUTPUTWORDS]; + uint32_t key[crypto_core_KEYWORDS]; + uint32_t nonce[crypto_core_INPUTWORDS]; + bool have_initial; +}; + +__CTASSERT(sizeof ((struct cprng_fast *)0)->key == CPRNG_FAST_SEED_BYTES); + +static void cprng_fast_schedule_reseed(struct cprng_fast *); +static void cprng_fast_intr(void *); + +static void cprng_fast_seed(struct cprng_fast *, const void *); +static void cprng_fast_buf(struct cprng_fast *, void *, unsigned); + +static void cprng_fast_buf_short(void *, size_t); +static void cprng_fast_buf_long(void *, size_t); + +static percpu_t *cprng_fast_percpu __read_mostly; +static void *cprng_fast_softint __read_mostly; + +extern int rnd_initial_entropy; + +void +cprng_fast_init(void) +{ + struct cpu_info *ci; + CPU_INFO_ITERATOR cii; + + crypto_core_selftest(); + cprng_fast_percpu = percpu_alloc(sizeof(struct cprng_fast)); + for (CPU_INFO_FOREACH(cii, ci)) { + struct cprng_fast *cprng; + uint8_t seed[CPRNG_FAST_SEED_BYTES]; + + percpu_traverse_enter(); + cprng = percpu_getptr_remote(cprng_fast_percpu, ci); + cprng_strong(kern_cprng, seed, sizeof(seed), FASYNC); + /* Can't do anything about it if not full entropy. */ + cprng_fast_seed(cprng, seed); + explicit_memset(seed, 0, sizeof(seed)); + percpu_traverse_exit(); + } + cprng_fast_softint = softint_establish(SOFTINT_SERIAL|SOFTINT_MPSAFE, + &cprng_fast_intr, NULL); +} + +static inline int +cprng_fast_get(struct cprng_fast **cprngp) +{ + + *cprngp = percpu_getref(cprng_fast_percpu); + return splvm(); +} + +static inline void +cprng_fast_put(struct cprng_fast *cprng, int s) +{ + + KASSERT((cprng == percpu_getref(cprng_fast_percpu)) && + (percpu_putref(cprng_fast_percpu), true)); + splx(s); + percpu_putref(cprng_fast_percpu); +} + +static inline void +cprng_fast_schedule_reseed(struct cprng_fast *cprng __unused) +{ + + softint_schedule(cprng_fast_softint); +} + +static void +cprng_fast_intr(void *cookie __unused) +{ + struct cprng_fast *cprng; + uint8_t seed[CPRNG_FAST_SEED_BYTES]; + + cprng_strong(kern_cprng, seed, sizeof(seed), FASYNC); + + cprng = percpu_getref(cprng_fast_percpu); + cprng_fast_seed(cprng, seed); + percpu_putref(cprng_fast_percpu); + + explicit_memset(seed, 0, sizeof(seed)); +} + +/* CPRNG algorithm */ + +/* + * The state consists of a key, the current nonce, and a 64-byte buffer + * of output. Since we fill the buffer only when we need output, and + * eat a 32-bit word at a time, one 32-bit word of the buffer would be + * wasted. Instead, we repurpose it to count the number of entries in + * the buffer remaining, counting from high to low in order to allow + * comparison to zero to detect when we need to refill it. + */ +#define CPRNG_FAST_BUFIDX (crypto_core_OUTPUTWORDS - 1) + +static inline void +cprng_fast_seed(struct cprng_fast *cprng, const void *seed) +{ + + (void)memset(cprng->buffer, 0, sizeof cprng->buffer); + (void)memcpy(cprng->key, seed, sizeof cprng->key); + (void)memset(cprng->nonce, 0, sizeof cprng->nonce); + + if (__predict_true(rnd_initial_entropy)) { + cprng->have_initial = true; + } else { + cprng->have_initial = false; + } +} + +static inline uint32_t +cprng_fast_word(struct cprng_fast *cprng) +{ + uint32_t v; + + if (__predict_true(0 < cprng->buffer[CPRNG_FAST_BUFIDX])) { + v = cprng->buffer[--cprng->buffer[CPRNG_FAST_BUFIDX]]; + } else { + /* If we don't have enough words, refill the buffer. */ + crypto_core(cprng->buffer, cprng->nonce, cprng->key, + crypto_core_constant32); + if (__predict_false(++cprng->nonce[0] == 0)) { + cprng->nonce[1]++; + cprng_fast_schedule_reseed(cprng); + } else { + if (__predict_false(false == cprng->have_initial)) { + if (rnd_initial_entropy) { + cprng_fast_schedule_reseed(cprng); + } + } + } + v = cprng->buffer[CPRNG_FAST_BUFIDX]; + cprng->buffer[CPRNG_FAST_BUFIDX] = CPRNG_FAST_BUFIDX; + } + + return v; +} + +static inline void +cprng_fast_buf(struct cprng_fast *cprng, void *buf, unsigned n) +{ + uint8_t *p = buf; + uint32_t v; + unsigned r; + + while (n) { + r = MIN(n, 4); + n -= r; + v = cprng_fast_word(cprng); + while (r--) { + *p++ = (v & 0xff); + v >>= 8; + } + } +} + +/* + * crypto_onetimestream: Expand a short unpredictable one-time seed + * into a long unpredictable output. + */ +static void +crypto_onetimestream(const uint32_t seed[crypto_core_KEYWORDS], void *buf, + size_t n) +{ + uint32_t block[crypto_core_OUTPUTWORDS]; + uint32_t nonce[crypto_core_INPUTWORDS] = {0}; + uint8_t *p8; + uint32_t *p32; + size_t ni, nb, nf; + + /* + * Guarantee we can generate up to n bytes. We have + * 2^(32*INPUTWORDS) possible inputs yielding output of + * 4*OUTPUTWORDS*2^(32*INPUTWORDS) bytes. It suffices to + * require that sizeof n > (1/CHAR_BIT) log_2 n be less than + * (1/CHAR_BIT) log_2 of the total output stream length. We + * have + * + * log_2 (4 o 2^(32 i)) = log_2 (4 o) + log_2 2^(32 i) + * = 2 + log_2 o + 32 i. + */ + __CTASSERT(CHAR_BIT*sizeof n <= + (2 + ilog2(crypto_core_OUTPUTWORDS) + 32*crypto_core_INPUTWORDS)); + + p8 = buf; + p32 = (uint32_t *)roundup2((uintptr_t)p8, sizeof(uint32_t)); + ni = (uint8_t *)p32 - p8; + if (n < ni) + ni = n; + nb = (n - ni) / sizeof block; + nf = (n - ni) % sizeof block; + + KASSERT(((uintptr_t)p32 & 3) == 0); + KASSERT(ni <= n); + KASSERT(nb <= (n / sizeof block)); + KASSERT(nf <= n); + KASSERT(n == (ni + (nb * sizeof block) + nf)); + KASSERT(ni < sizeof(uint32_t)); + KASSERT(nf < sizeof block); + + if (ni) { + crypto_core(block, nonce, seed, crypto_core_constant32); + nonce[0]++; + (void)memcpy(p8, block, ni); + } + while (nb--) { + crypto_core(p32, nonce, seed, crypto_core_constant32); + if (++nonce[0] == 0) + nonce[1]++; + p32 += crypto_core_OUTPUTWORDS; + } + if (nf) { + crypto_core(block, nonce, seed, crypto_core_constant32); + if (++nonce[0] == 0) + nonce[1]++; + (void)memcpy(p32, block, nf); + } + + if (ni | nf) + (void)explicit_memset(block, 0, sizeof block); +} + +/* Public API */ + +uint32_t +cprng_fast32(void) +{ + struct cprng_fast *cprng; + uint32_t v; + int s; + + s = cprng_fast_get(&cprng); + v = cprng_fast_word(cprng); + cprng_fast_put(cprng, s); + + return v; +} + +uint64_t +cprng_fast64(void) +{ + struct cprng_fast *cprng; + uint32_t hi, lo; + int s; + + s = cprng_fast_get(&cprng); + hi = cprng_fast_word(cprng); + lo = cprng_fast_word(cprng); + cprng_fast_put(cprng, s); + + return ((uint64_t)hi << 32) | lo; +} + +static void +cprng_fast_buf_short(void *buf, size_t len) +{ + struct cprng_fast *cprng; + int s; + + s = cprng_fast_get(&cprng); + cprng_fast_buf(cprng, buf, len); + cprng_fast_put(cprng, s); +} + +static __noinline void +cprng_fast_buf_long(void *buf, size_t len) +{ + uint32_t seed[crypto_core_KEYWORDS]; + struct cprng_fast *cprng; + int s; + + s = cprng_fast_get(&cprng); + cprng_fast_buf(cprng, seed, sizeof seed); + cprng_fast_put(cprng, s); + + crypto_onetimestream(seed, buf, len); + + (void)explicit_memset(seed, 0, sizeof seed); +} + +size_t +cprng_fast(void *buf, size_t len) +{ + + /* + * We don't want to hog the CPU, so we use the short version, + * to generate output without preemption, only if we can do it + * with at most one crypto_core. + */ + if (len <= (sizeof(uint32_t) * crypto_core_OUTPUTWORDS)) + cprng_fast_buf_short(buf, len); + else + cprng_fast_buf_long(buf, len); + + return len; +} Index: src/sys/crypto/cprng_fast/cprng_fast.h diff -u /dev/null src/sys/crypto/cprng_fast/cprng_fast.h:1.1.2.1 --- /dev/null Sat Aug 9 06:19:50 2014 +++ src/sys/crypto/cprng_fast/cprng_fast.h Sat Aug 9 06:19:50 2014 @@ -0,0 +1,9 @@ +#ifndef _SYS_CPRNG_FAST_H_ +#define _SYS_CPRNG_FAST_H_ + +size_t cprng_fast(void *, size_t); +uint32_t cprng_fast32(void); +uint64_t cprng_fast64(void); +void cprng_fast_init(void); + +#endif /* _SYS_CPRNG_FAST_H_ */ Index: src/sys/crypto/cprng_fast/files.cprng_fast diff -u /dev/null src/sys/crypto/cprng_fast/files.cprng_fast:1.1.2.1 --- /dev/null Sat Aug 9 06:19:50 2014 +++ src/sys/crypto/cprng_fast/files.cprng_fast Sat Aug 9 06:19:50 2014 @@ -0,0 +1,3 @@ +# $NetBSD: files.cprng_fast,v 1.1.2.1 2014/08/09 06:19:50 tls Exp $ + +file crypto/cprng_fast/cprng_fast.c