2020-01-18 09:38:21 +01:00
|
|
|
/*
|
|
|
|
* Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
|
2021-08-31 19:32:46 -07:00
|
|
|
* Copyright (c) 2020, Peter Elliott <pelliott@serenityos.org>
|
2020-01-18 09:38:21 +01:00
|
|
|
*
|
2021-04-22 01:24:48 -07:00
|
|
|
* SPDX-License-Identifier: BSD-2-Clause
|
2020-01-18 09:38:21 +01:00
|
|
|
*/
|
|
|
|
|
2020-01-03 12:36:30 +01:00
|
|
|
#pragma once
|
|
|
|
|
2020-06-22 17:10:45 -06:00
|
|
|
#include <AK/Assertions.h>
|
|
|
|
#include <AK/ByteBuffer.h>
|
2020-01-03 12:36:30 +01:00
|
|
|
#include <AK/Types.h>
|
2022-04-02 23:47:47 +01:00
|
|
|
#include <Kernel/Arch/Processor.h>
|
2021-07-18 09:10:27 +02:00
|
|
|
#include <Kernel/Locking/Mutex.h>
|
2020-06-22 17:10:45 -06:00
|
|
|
#include <Kernel/StdLib.h>
|
2020-06-22 20:23:35 -06:00
|
|
|
#include <LibCrypto/Cipher/AES.h>
|
2020-06-23 14:05:26 -06:00
|
|
|
#include <LibCrypto/Cipher/Cipher.h>
|
2020-06-22 20:23:35 -06:00
|
|
|
#include <LibCrypto/Hash/SHA2.h>
|
2020-01-03 12:36:30 +01:00
|
|
|
|
2020-02-16 01:27:42 +01:00
|
|
|
namespace Kernel {
|
|
|
|
|
2020-06-22 17:10:45 -06:00
|
|
|
template<typename CipherT, typename HashT, int KeySize>
|
|
|
|
class FortunaPRNG {
|
2020-06-22 20:23:35 -06:00
|
|
|
public:
|
2020-06-22 17:10:45 -06:00
|
|
|
constexpr static size_t pool_count = 32;
|
|
|
|
constexpr static size_t reseed_threshold = 16;
|
|
|
|
|
|
|
|
using CipherType = CipherT;
|
2021-02-28 02:31:17 +01:00
|
|
|
using BlockType = typename CipherT::BlockType;
|
2020-06-22 17:10:45 -06:00
|
|
|
using HashType = HashT;
|
2021-02-28 02:31:17 +01:00
|
|
|
using DigestType = typename HashT::DigestType;
|
2020-06-22 17:10:45 -06:00
|
|
|
|
2022-01-20 17:47:39 +00:00
|
|
|
// FIXME: Do something other than VERIFY()'ing in case of OOM.
|
2020-06-23 14:05:26 -06:00
|
|
|
FortunaPRNG()
|
2022-01-20 17:47:39 +00:00
|
|
|
: m_counter(ByteBuffer::create_zeroed(BlockType::block_size()).release_value_but_fixme_should_propagate_errors())
|
2020-06-23 14:05:26 -06:00
|
|
|
{
|
|
|
|
}
|
|
|
|
|
2021-08-31 23:28:47 -07:00
|
|
|
bool get_random_bytes(Bytes buffer)
|
2020-06-22 17:10:45 -06:00
|
|
|
{
|
2021-08-22 01:49:22 +02:00
|
|
|
SpinlockLocker lock(m_lock);
|
2021-01-27 13:16:30 -07:00
|
|
|
if (!is_ready())
|
|
|
|
return false;
|
2020-06-22 17:10:45 -06:00
|
|
|
if (m_p0_len >= reseed_threshold) {
|
|
|
|
this->reseed();
|
|
|
|
}
|
|
|
|
|
2021-02-23 20:42:32 +01:00
|
|
|
VERIFY(is_seeded());
|
2020-06-22 17:10:45 -06:00
|
|
|
|
|
|
|
// FIXME: More than 2^20 bytes cannot be generated without refreshing the key.
|
2021-08-31 23:28:47 -07:00
|
|
|
VERIFY(buffer.size() < (1 << 20));
|
2020-06-22 17:10:45 -06:00
|
|
|
|
2020-11-27 20:13:55 +00:00
|
|
|
typename CipherType::CTRMode cipher(m_key, KeySize, Crypto::Cipher::Intent::Encryption);
|
2020-06-22 17:10:45 -06:00
|
|
|
|
2020-08-15 18:38:24 +02:00
|
|
|
auto counter_span = m_counter.bytes();
|
2021-08-31 23:28:47 -07:00
|
|
|
cipher.key_stream(buffer, counter_span, &counter_span);
|
2020-06-22 17:10:45 -06:00
|
|
|
|
|
|
|
// Extract a new key from the prng stream.
|
2020-08-15 18:38:24 +02:00
|
|
|
Bytes key_span = m_key.bytes();
|
2020-08-13 12:53:26 -04:00
|
|
|
cipher.key_stream(key_span, counter_span, &counter_span);
|
2021-01-27 13:16:30 -07:00
|
|
|
return true;
|
2020-06-22 17:10:45 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
template<typename T>
|
2022-10-17 00:06:11 +02:00
|
|
|
void add_random_event(T const& event_data, size_t pool)
|
2020-06-22 17:10:45 -06:00
|
|
|
{
|
|
|
|
pool %= pool_count;
|
|
|
|
if (pool == 0) {
|
|
|
|
m_p0_len++;
|
|
|
|
}
|
2022-04-01 20:58:27 +03:00
|
|
|
m_pools[pool].update(reinterpret_cast<u8 const*>(&event_data), sizeof(T));
|
2020-06-22 17:10:45 -06:00
|
|
|
}
|
|
|
|
|
2020-12-26 01:47:08 -08:00
|
|
|
[[nodiscard]] bool is_seeded() const
|
2020-06-27 11:10:01 -06:00
|
|
|
{
|
|
|
|
return m_reseed_number > 0;
|
|
|
|
}
|
|
|
|
|
2020-12-26 01:47:08 -08:00
|
|
|
[[nodiscard]] bool is_ready() const
|
2020-06-27 11:10:01 -06:00
|
|
|
{
|
2021-02-23 20:42:32 +01:00
|
|
|
VERIFY(m_lock.is_locked());
|
2020-06-27 11:10:01 -06:00
|
|
|
return is_seeded() || m_p0_len >= reseed_threshold;
|
|
|
|
}
|
|
|
|
|
2022-11-09 11:39:58 +01:00
|
|
|
Spinlock<LockRank::None>& get_lock() { return m_lock; }
|
2021-01-27 13:16:30 -07:00
|
|
|
|
2020-06-22 17:10:45 -06:00
|
|
|
private:
|
|
|
|
void reseed()
|
|
|
|
{
|
|
|
|
HashType new_key;
|
|
|
|
new_key.update(m_key);
|
|
|
|
for (size_t i = 0; i < pool_count; ++i) {
|
2021-02-05 20:04:19 +01:00
|
|
|
if (m_reseed_number % (1u << i) == 0) {
|
2020-06-22 17:10:45 -06:00
|
|
|
DigestType digest = m_pools[i].digest();
|
|
|
|
new_key.update(digest.immutable_data(), digest.data_length());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
DigestType digest = new_key.digest();
|
2021-09-06 03:29:52 +04:30
|
|
|
if (m_key.size() == digest.data_length()) {
|
|
|
|
// Avoid reallocating, just overwrite the key.
|
|
|
|
m_key.overwrite(0, digest.immutable_data(), digest.data_length());
|
|
|
|
} else {
|
|
|
|
auto buffer_result = ByteBuffer::copy(digest.immutable_data(), digest.data_length());
|
|
|
|
// If there's no memory left to copy this into, bail out.
|
2022-01-20 17:47:39 +00:00
|
|
|
if (buffer_result.is_error())
|
2021-09-06 03:29:52 +04:30
|
|
|
return;
|
|
|
|
|
|
|
|
m_key = buffer_result.release_value();
|
|
|
|
}
|
2020-06-22 17:10:45 -06:00
|
|
|
|
|
|
|
m_reseed_number++;
|
|
|
|
m_p0_len = 0;
|
|
|
|
}
|
|
|
|
|
2020-06-23 14:05:26 -06:00
|
|
|
ByteBuffer m_counter;
|
2020-06-22 17:10:45 -06:00
|
|
|
size_t m_reseed_number { 0 };
|
|
|
|
size_t m_p0_len { 0 };
|
|
|
|
ByteBuffer m_key;
|
|
|
|
HashType m_pools[pool_count];
|
2022-11-09 11:39:58 +01:00
|
|
|
Spinlock<LockRank::None> m_lock {};
|
2020-06-22 17:10:45 -06:00
|
|
|
};
|
|
|
|
|
2021-12-26 14:31:45 +01:00
|
|
|
class KernelRng : public FortunaPRNG<Crypto::Cipher::AESCipher, Crypto::Hash::SHA256, 256> {
|
2020-06-23 14:05:26 -06:00
|
|
|
|
2020-06-22 20:23:35 -06:00
|
|
|
public:
|
2020-08-24 19:35:19 -06:00
|
|
|
KernelRng();
|
2020-06-22 20:23:35 -06:00
|
|
|
static KernelRng& the();
|
|
|
|
|
2020-06-27 11:10:01 -06:00
|
|
|
void wait_for_entropy();
|
|
|
|
|
|
|
|
void wake_if_ready();
|
|
|
|
|
2020-06-22 20:23:35 -06:00
|
|
|
private:
|
2020-06-27 11:10:01 -06:00
|
|
|
WaitQueue m_seed_queue;
|
2020-06-22 20:23:35 -06:00
|
|
|
};
|
|
|
|
|
2020-06-24 14:07:28 -06:00
|
|
|
class EntropySource {
|
|
|
|
template<typename T>
|
|
|
|
struct Event {
|
|
|
|
u64 timestamp;
|
|
|
|
size_t source;
|
|
|
|
T event_data;
|
|
|
|
};
|
|
|
|
|
|
|
|
public:
|
2021-01-24 18:17:54 +01:00
|
|
|
enum class Static : size_t {
|
|
|
|
Interrupts,
|
|
|
|
MaxHardcodedSourceIndex,
|
|
|
|
};
|
|
|
|
|
2020-06-24 14:07:28 -06:00
|
|
|
EntropySource()
|
|
|
|
: m_source(next_source++)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
2021-01-24 18:17:54 +01:00
|
|
|
EntropySource(Static hardcoded_source)
|
|
|
|
: m_source(static_cast<size_t>(hardcoded_source))
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
2020-06-24 14:07:28 -06:00
|
|
|
template<typename T>
|
2022-10-17 00:06:11 +02:00
|
|
|
void add_random_event(T const& event_data)
|
2020-06-24 14:07:28 -06:00
|
|
|
{
|
2021-01-27 13:16:30 -07:00
|
|
|
auto& kernel_rng = KernelRng::the();
|
2021-08-22 01:49:22 +02:00
|
|
|
SpinlockLocker lock(kernel_rng.get_lock());
|
2020-06-24 14:07:28 -06:00
|
|
|
// We don't lock this because on the off chance a pool is corrupted, entropy isn't lost.
|
2022-04-02 23:47:47 +01:00
|
|
|
Event<T> event = { Processor::read_cpu_counter(), m_source, event_data };
|
2021-12-26 14:31:45 +01:00
|
|
|
kernel_rng.add_random_event(event, m_pool);
|
2020-06-24 14:07:28 -06:00
|
|
|
m_pool++;
|
2021-01-27 13:16:30 -07:00
|
|
|
kernel_rng.wake_if_ready();
|
2020-06-24 14:07:28 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
private:
|
|
|
|
static size_t next_source;
|
|
|
|
size_t m_pool { 0 };
|
|
|
|
size_t m_source;
|
|
|
|
};
|
|
|
|
|
2020-01-03 12:36:30 +01:00
|
|
|
// NOTE: These API's are primarily about expressing intent/needs in the calling code.
|
2020-06-27 11:10:01 -06:00
|
|
|
// The only difference is that get_fast_random is guaranteed not to block.
|
2020-01-03 12:36:30 +01:00
|
|
|
|
2021-08-31 23:28:47 -07:00
|
|
|
void get_fast_random_bytes(Bytes);
|
|
|
|
bool get_good_random_bytes(Bytes bytes, bool allow_wait = true, bool fallback_to_fast = true);
|
2020-01-03 12:36:30 +01:00
|
|
|
|
|
|
|
template<typename T>
|
|
|
|
inline T get_fast_random()
|
|
|
|
{
|
|
|
|
T value;
|
2021-08-31 23:28:47 -07:00
|
|
|
Bytes bytes { reinterpret_cast<u8*>(&value), sizeof(T) };
|
|
|
|
get_fast_random_bytes(bytes);
|
2020-01-03 12:36:30 +01:00
|
|
|
return value;
|
|
|
|
}
|
|
|
|
|
|
|
|
template<typename T>
|
|
|
|
inline T get_good_random()
|
|
|
|
{
|
|
|
|
T value;
|
2021-08-31 23:28:47 -07:00
|
|
|
Bytes bytes { reinterpret_cast<u8*>(&value), sizeof(T) };
|
|
|
|
get_good_random_bytes(bytes);
|
2020-01-03 12:36:30 +01:00
|
|
|
return value;
|
|
|
|
}
|
|
|
|
|
2020-02-16 01:27:42 +01:00
|
|
|
}
|