]>
git.ipfire.org Git - thirdparty/hostap.git/blob - src/crypto/random.c
2 * Random number generator
3 * Copyright (c) 2010-2011, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
14 * This random number generator is used to provide additional entropy to the
15 * one provided by the operating system (os_get_random()) for session key
16 * generation. The os_get_random() output is expected to be secure and the
17 * implementation here is expected to provide only limited protection against
18 * cases where os_get_random() cannot provide strong randomness. This
19 * implementation shall not be assumed to be secure as the sole source of
20 * randomness. The random_get_bytes() function mixes in randomness from
21 * os_get_random() and as such, calls to os_get_random() can be replaced with
22 * calls to random_get_bytes() without reducing security.
24 * The design here follows partially the design used in the Linux
25 * drivers/char/random.c, but the implementation here is simpler and not as
26 * strong. This is a compromise to reduce duplicated CPU effort and to avoid
27 * extra code/memory size. As pointed out above, os_get_random() needs to be
28 * guaranteed to be secure for any of the security assumptions to hold.
31 #include "utils/includes.h"
34 #endif /* __linux__ */
36 #include "utils/common.h"
37 #include "utils/eloop.h"
42 #define POOL_WORDS_MASK (POOL_WORDS - 1)
48 #define EXTRACT_LEN 16
49 #define MIN_READY_MARK 2
51 static u32 pool
[POOL_WORDS
];
52 static unsigned int input_rotate
= 0;
53 static unsigned int pool_pos
= 0;
54 static u8 dummy_key
[20];
56 static size_t dummy_key_avail
= 0;
57 static int random_fd
= -1;
58 #endif /* __linux__ */
59 static unsigned int own_pool_ready
= 0;
60 #define RANDOM_ENTROPY_SIZE 20
61 static char *random_entropy_file
= NULL
;
62 static int random_entropy_file_read
= 0;
64 #define MIN_COLLECT_ENTROPY 1000
65 static unsigned int entropy
= 0;
66 static unsigned int total_collected
= 0;
69 static void random_write_entropy(void);
72 static u32
__ROL32(u32 x
, u32 y
)
74 return (x
<< (y
& 31)) | (x
>> (32 - (y
& 31)));
78 static void random_mix_pool(const void *buf
, size_t len
)
80 static const u32 twist
[8] = {
81 0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
82 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278
87 wpa_hexdump_key(MSG_EXCESSIVE
, "random_mix_pool", buf
, len
);
90 w
= __ROL32(*pos
++, input_rotate
& 31);
91 input_rotate
+= pool_pos
? 7 : 14;
92 pool_pos
= (pool_pos
- 1) & POOL_WORDS_MASK
;
94 w
^= pool
[(pool_pos
+ POOL_TAP1
) & POOL_WORDS_MASK
];
95 w
^= pool
[(pool_pos
+ POOL_TAP2
) & POOL_WORDS_MASK
];
96 w
^= pool
[(pool_pos
+ POOL_TAP3
) & POOL_WORDS_MASK
];
97 w
^= pool
[(pool_pos
+ POOL_TAP4
) & POOL_WORDS_MASK
];
98 w
^= pool
[(pool_pos
+ POOL_TAP5
) & POOL_WORDS_MASK
];
99 pool
[pool_pos
] = (w
>> 3) ^ twist
[w
& 7];
104 static void random_extract(u8
*out
)
107 u8 hash
[SHA1_MAC_LEN
];
109 u32 buf
[POOL_WORDS
/ 2];
111 /* First, add hash back to pool to make backtracking more difficult. */
112 hmac_sha1(dummy_key
, sizeof(dummy_key
), (const u8
*) pool
,
114 random_mix_pool(hash
, sizeof(hash
));
115 /* Hash half the pool to extra data */
116 for (i
= 0; i
< POOL_WORDS
/ 2; i
++)
117 buf
[i
] = pool
[(pool_pos
- i
) & POOL_WORDS_MASK
];
118 hmac_sha1(dummy_key
, sizeof(dummy_key
), (const u8
*) buf
,
121 * Fold the hash to further reduce any potential output pattern.
122 * Though, compromise this to reduce CPU use for the most common output
123 * length (32) and return 16 bytes from instead of only half.
125 hash_ptr
= (u32
*) hash
;
126 hash_ptr
[0] ^= hash_ptr
[4];
127 os_memcpy(out
, hash
, EXTRACT_LEN
);
131 void random_add_randomness(const void *buf
, size_t len
)
134 static unsigned int count
= 0;
137 wpa_printf(MSG_MSGDUMP
, "Add randomness: count=%u entropy=%u",
139 if (entropy
> MIN_COLLECT_ENTROPY
&& (count
& 0x3ff) != 0) {
141 * No need to add more entropy at this point, so save CPU and
148 wpa_hexdump_key(MSG_EXCESSIVE
, "random pool",
149 (const u8
*) pool
, sizeof(pool
));
150 random_mix_pool(&t
, sizeof(t
));
151 random_mix_pool(buf
, len
);
152 wpa_hexdump_key(MSG_EXCESSIVE
, "random pool",
153 (const u8
*) pool
, sizeof(pool
));
159 int random_get_bytes(void *buf
, size_t len
)
165 wpa_printf(MSG_MSGDUMP
, "Get randomness: len=%u entropy=%u",
166 (unsigned int) len
, entropy
);
168 /* Start with assumed strong randomness from OS */
169 ret
= os_get_random(buf
, len
);
170 wpa_hexdump_key(MSG_EXCESSIVE
, "random from os_get_random",
173 /* Mix in additional entropy extracted from the internal pool */
179 wpa_hexdump_key(MSG_EXCESSIVE
, "random from internal pool",
181 siz
= left
> EXTRACT_LEN
? EXTRACT_LEN
: left
;
182 for (i
= 0; i
< siz
; i
++)
186 wpa_hexdump_key(MSG_EXCESSIVE
, "mixed random", buf
, len
);
197 int random_pool_ready(void)
204 * Make sure that there is reasonable entropy available before allowing
205 * some key derivation operations to proceed.
208 if (dummy_key_avail
== sizeof(dummy_key
))
209 return 1; /* Already initialized - good to continue */
212 * Try to fetch some more data from the kernel high quality
213 * /dev/random. There may not be enough data available at this point,
214 * so use non-blocking read to avoid blocking the application
217 fd
= open("/dev/random", O_RDONLY
| O_NONBLOCK
);
219 #ifndef CONFIG_NO_STDOUT_DEBUG
221 perror("open(/dev/random)");
222 wpa_printf(MSG_ERROR
, "random: Cannot open /dev/random: %s",
224 #endif /* CONFIG_NO_STDOUT_DEBUG */
228 res
= read(fd
, dummy_key
+ dummy_key_avail
,
229 sizeof(dummy_key
) - dummy_key_avail
);
231 wpa_printf(MSG_ERROR
, "random: Cannot read from /dev/random: "
232 "%s", strerror(errno
));
235 wpa_printf(MSG_DEBUG
, "random: Got %u/%u bytes from "
236 "/dev/random", (unsigned) res
,
237 (unsigned) (sizeof(dummy_key
) - dummy_key_avail
));
238 dummy_key_avail
+= res
;
241 if (dummy_key_avail
== sizeof(dummy_key
)) {
242 if (own_pool_ready
< MIN_READY_MARK
)
243 own_pool_ready
= MIN_READY_MARK
;
244 random_write_entropy();
248 wpa_printf(MSG_INFO
, "random: Only %u/%u bytes of strong "
249 "random data available from /dev/random",
250 (unsigned) dummy_key_avail
, (unsigned) sizeof(dummy_key
));
252 if (own_pool_ready
>= MIN_READY_MARK
||
253 total_collected
+ 10 * own_pool_ready
> MIN_COLLECT_ENTROPY
) {
254 wpa_printf(MSG_INFO
, "random: Allow operation to proceed "
255 "based on internal entropy");
259 wpa_printf(MSG_INFO
, "random: Not enough entropy pool available for "
260 "secure operations");
262 #else /* __linux__ */
263 /* TODO: could do similar checks on non-Linux platforms */
265 #endif /* __linux__ */
269 void random_mark_pool_ready(void)
272 wpa_printf(MSG_DEBUG
, "random: Mark internal entropy pool to be "
273 "ready (count=%u/%u)", own_pool_ready
, MIN_READY_MARK
);
274 random_write_entropy();
280 static void random_close_fd(void)
282 if (random_fd
>= 0) {
283 eloop_unregister_read_sock(random_fd
);
290 static void random_read_fd(int sock
, void *eloop_ctx
, void *sock_ctx
)
294 if (dummy_key_avail
== sizeof(dummy_key
)) {
299 res
= read(sock
, dummy_key
+ dummy_key_avail
,
300 sizeof(dummy_key
) - dummy_key_avail
);
302 wpa_printf(MSG_ERROR
, "random: Cannot read from /dev/random: "
303 "%s", strerror(errno
));
307 wpa_printf(MSG_DEBUG
, "random: Got %u/%u bytes from /dev/random",
309 (unsigned) (sizeof(dummy_key
) - dummy_key_avail
));
310 dummy_key_avail
+= res
;
312 if (dummy_key_avail
== sizeof(dummy_key
)) {
314 if (own_pool_ready
< MIN_READY_MARK
)
315 own_pool_ready
= MIN_READY_MARK
;
316 random_write_entropy();
320 #endif /* __linux__ */
323 static void random_read_entropy(void)
328 if (!random_entropy_file
)
331 buf
= os_readfile(random_entropy_file
, &len
);
333 return; /* entropy file not yet available */
335 if (len
!= 1 + RANDOM_ENTROPY_SIZE
) {
336 wpa_printf(MSG_DEBUG
, "random: Invalid entropy file %s",
337 random_entropy_file
);
342 own_pool_ready
= (u8
) buf
[0];
343 random_add_randomness(buf
+ 1, RANDOM_ENTROPY_SIZE
);
344 random_entropy_file_read
= 1;
346 wpa_printf(MSG_DEBUG
, "random: Added entropy from %s "
347 "(own_pool_ready=%u)",
348 random_entropy_file
, own_pool_ready
);
352 static void random_write_entropy(void)
354 char buf
[RANDOM_ENTROPY_SIZE
];
358 if (!random_entropy_file
)
361 random_get_bytes(buf
, RANDOM_ENTROPY_SIZE
);
363 f
= fopen(random_entropy_file
, "wb");
365 wpa_printf(MSG_ERROR
, "random: Could not write %s",
366 random_entropy_file
);
370 opr
= own_pool_ready
> 0xff ? 0xff : own_pool_ready
;
371 fwrite(&opr
, 1, 1, f
);
372 fwrite(buf
, RANDOM_ENTROPY_SIZE
, 1, f
);
375 wpa_printf(MSG_DEBUG
, "random: Updated entropy file %s "
376 "(own_pool_ready=%u)",
377 random_entropy_file
, own_pool_ready
);
381 void random_init(const char *entropy_file
)
383 os_free(random_entropy_file
);
385 random_entropy_file
= os_strdup(entropy_file
);
387 random_entropy_file
= NULL
;
388 random_read_entropy();
394 random_fd
= open("/dev/random", O_RDONLY
| O_NONBLOCK
);
396 #ifndef CONFIG_NO_STDOUT_DEBUG
398 perror("open(/dev/random)");
399 wpa_printf(MSG_ERROR
, "random: Cannot open /dev/random: %s",
401 #endif /* CONFIG_NO_STDOUT_DEBUG */
404 wpa_printf(MSG_DEBUG
, "random: Trying to read entropy from "
407 eloop_register_read_sock(random_fd
, random_read_fd
, NULL
, NULL
);
408 #endif /* __linux__ */
410 random_write_entropy();
414 void random_deinit(void)
418 #endif /* __linux__ */
419 random_write_entropy();
420 os_free(random_entropy_file
);
421 random_entropy_file
= NULL
;