]>
Commit | Line | Data |
---|---|---|
bbb921da JM |
1 | /* |
2 | * Random number generator | |
d47fa330 | 3 | * Copyright (c) 2010-2011, Jouni Malinen <j@w1.fi> |
bbb921da | 4 | * |
0f3d578e JM |
5 | * This software may be distributed under the terms of the BSD license. |
6 | * See README for more details. | |
bbb921da JM |
7 | * |
8 | * This random number generator is used to provide additional entropy to the | |
9 | * one provided by the operating system (os_get_random()) for session key | |
10 | * generation. The os_get_random() output is expected to be secure and the | |
11 | * implementation here is expected to provide only limited protection against | |
12 | * cases where os_get_random() cannot provide strong randomness. This | |
13 | * implementation shall not be assumed to be secure as the sole source of | |
14 | * randomness. The random_get_bytes() function mixes in randomness from | |
15 | * os_get_random() and as such, calls to os_get_random() can be replaced with | |
16 | * calls to random_get_bytes() without reducing security. | |
17 | * | |
18 | * The design here follows partially the design used in the Linux | |
19 | * drivers/char/random.c, but the implementation here is simpler and not as | |
20 | * strong. This is a compromise to reduce duplicated CPU effort and to avoid | |
21 | * extra code/memory size. As pointed out above, os_get_random() needs to be | |
22 | * guaranteed to be secure for any of the security assumptions to hold. | |
23 | */ | |
24 | ||
25 | #include "utils/includes.h" | |
08704cd8 JM |
26 | #ifdef __linux__ |
27 | #include <fcntl.h> | |
28 | #endif /* __linux__ */ | |
bbb921da JM |
29 | |
30 | #include "utils/common.h" | |
d47fa330 | 31 | #include "utils/eloop.h" |
982bafed | 32 | #include "crypto/crypto.h" |
bbb921da JM |
33 | #include "sha1.h" |
34 | #include "random.h" | |
35 | ||
36 | #define POOL_WORDS 32 | |
37 | #define POOL_WORDS_MASK (POOL_WORDS - 1) | |
38 | #define POOL_TAP1 26 | |
39 | #define POOL_TAP2 20 | |
40 | #define POOL_TAP3 14 | |
41 | #define POOL_TAP4 7 | |
42 | #define POOL_TAP5 1 | |
43 | #define EXTRACT_LEN 16 | |
08704cd8 | 44 | #define MIN_READY_MARK 2 |
bbb921da JM |
45 | |
46 | static u32 pool[POOL_WORDS]; | |
47 | static unsigned int input_rotate = 0; | |
48 | static unsigned int pool_pos = 0; | |
08704cd8 | 49 | static u8 dummy_key[20]; |
b993e77b | 50 | #ifdef __linux__ |
08704cd8 | 51 | static size_t dummy_key_avail = 0; |
d47fa330 | 52 | static int random_fd = -1; |
b993e77b | 53 | #endif /* __linux__ */ |
08704cd8 | 54 | static unsigned int own_pool_ready = 0; |
38e24575 JM |
55 | #define RANDOM_ENTROPY_SIZE 20 |
56 | static char *random_entropy_file = NULL; | |
57 | static int random_entropy_file_read = 0; | |
bbb921da JM |
58 | |
59 | #define MIN_COLLECT_ENTROPY 1000 | |
60 | static unsigned int entropy = 0; | |
08704cd8 | 61 | static unsigned int total_collected = 0; |
bbb921da JM |
62 | |
63 | ||
38e24575 JM |
64 | static void random_write_entropy(void); |
65 | ||
66 | ||
bbb921da JM |
67 | static u32 __ROL32(u32 x, u32 y) |
68 | { | |
69 | return (x << (y & 31)) | (x >> (32 - (y & 31))); | |
70 | } | |
71 | ||
72 | ||
73 | static void random_mix_pool(const void *buf, size_t len) | |
74 | { | |
75 | static const u32 twist[8] = { | |
76 | 0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158, | |
77 | 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 | |
78 | }; | |
79 | const u8 *pos = buf; | |
80 | u32 w; | |
81 | ||
82 | wpa_hexdump_key(MSG_EXCESSIVE, "random_mix_pool", buf, len); | |
83 | ||
84 | while (len--) { | |
85 | w = __ROL32(*pos++, input_rotate & 31); | |
86 | input_rotate += pool_pos ? 7 : 14; | |
87 | pool_pos = (pool_pos - 1) & POOL_WORDS_MASK; | |
88 | w ^= pool[pool_pos]; | |
89 | w ^= pool[(pool_pos + POOL_TAP1) & POOL_WORDS_MASK]; | |
90 | w ^= pool[(pool_pos + POOL_TAP2) & POOL_WORDS_MASK]; | |
91 | w ^= pool[(pool_pos + POOL_TAP3) & POOL_WORDS_MASK]; | |
92 | w ^= pool[(pool_pos + POOL_TAP4) & POOL_WORDS_MASK]; | |
93 | w ^= pool[(pool_pos + POOL_TAP5) & POOL_WORDS_MASK]; | |
94 | pool[pool_pos] = (w >> 3) ^ twist[w & 7]; | |
95 | } | |
96 | } | |
97 | ||
98 | ||
99 | static void random_extract(u8 *out) | |
100 | { | |
101 | unsigned int i; | |
102 | u8 hash[SHA1_MAC_LEN]; | |
103 | u32 *hash_ptr; | |
104 | u32 buf[POOL_WORDS / 2]; | |
105 | ||
106 | /* First, add hash back to pool to make backtracking more difficult. */ | |
107 | hmac_sha1(dummy_key, sizeof(dummy_key), (const u8 *) pool, | |
108 | sizeof(pool), hash); | |
109 | random_mix_pool(hash, sizeof(hash)); | |
110 | /* Hash half the pool to extra data */ | |
111 | for (i = 0; i < POOL_WORDS / 2; i++) | |
112 | buf[i] = pool[(pool_pos - i) & POOL_WORDS_MASK]; | |
113 | hmac_sha1(dummy_key, sizeof(dummy_key), (const u8 *) buf, | |
114 | sizeof(buf), hash); | |
115 | /* | |
116 | * Fold the hash to further reduce any potential output pattern. | |
117 | * Though, compromise this to reduce CPU use for the most common output | |
118 | * length (32) and return 16 bytes from instead of only half. | |
119 | */ | |
120 | hash_ptr = (u32 *) hash; | |
121 | hash_ptr[0] ^= hash_ptr[4]; | |
122 | os_memcpy(out, hash, EXTRACT_LEN); | |
123 | } | |
124 | ||
125 | ||
126 | void random_add_randomness(const void *buf, size_t len) | |
127 | { | |
128 | struct os_time t; | |
129 | static unsigned int count = 0; | |
130 | ||
131 | count++; | |
bbb921da JM |
132 | if (entropy > MIN_COLLECT_ENTROPY && (count & 0x3ff) != 0) { |
133 | /* | |
134 | * No need to add more entropy at this point, so save CPU and | |
135 | * skip the update. | |
136 | */ | |
137 | return; | |
138 | } | |
3208b5a0 JM |
139 | wpa_printf(MSG_EXCESSIVE, "Add randomness: count=%u entropy=%u", |
140 | count, entropy); | |
bbb921da JM |
141 | |
142 | os_get_time(&t); | |
143 | wpa_hexdump_key(MSG_EXCESSIVE, "random pool", | |
144 | (const u8 *) pool, sizeof(pool)); | |
145 | random_mix_pool(&t, sizeof(t)); | |
146 | random_mix_pool(buf, len); | |
147 | wpa_hexdump_key(MSG_EXCESSIVE, "random pool", | |
148 | (const u8 *) pool, sizeof(pool)); | |
149 | entropy++; | |
08704cd8 | 150 | total_collected++; |
bbb921da JM |
151 | } |
152 | ||
153 | ||
154 | int random_get_bytes(void *buf, size_t len) | |
155 | { | |
156 | int ret; | |
157 | u8 *bytes = buf; | |
158 | size_t left; | |
159 | ||
160 | wpa_printf(MSG_MSGDUMP, "Get randomness: len=%u entropy=%u", | |
161 | (unsigned int) len, entropy); | |
162 | ||
163 | /* Start with assumed strong randomness from OS */ | |
164 | ret = os_get_random(buf, len); | |
165 | wpa_hexdump_key(MSG_EXCESSIVE, "random from os_get_random", | |
166 | buf, len); | |
167 | ||
168 | /* Mix in additional entropy extracted from the internal pool */ | |
169 | left = len; | |
170 | while (left) { | |
171 | size_t siz, i; | |
172 | u8 tmp[EXTRACT_LEN]; | |
173 | random_extract(tmp); | |
174 | wpa_hexdump_key(MSG_EXCESSIVE, "random from internal pool", | |
175 | tmp, sizeof(tmp)); | |
176 | siz = left > EXTRACT_LEN ? EXTRACT_LEN : left; | |
177 | for (i = 0; i < siz; i++) | |
178 | *bytes++ ^= tmp[i]; | |
179 | left -= siz; | |
180 | } | |
982bafed JM |
181 | |
182 | #ifdef CONFIG_FIPS | |
183 | /* Mix in additional entropy from the crypto module */ | |
184 | left = len; | |
185 | while (left) { | |
186 | size_t siz, i; | |
187 | u8 tmp[EXTRACT_LEN]; | |
188 | if (crypto_get_random(tmp, sizeof(tmp)) < 0) { | |
189 | wpa_printf(MSG_ERROR, "random: No entropy available " | |
190 | "for generating strong random bytes"); | |
191 | return -1; | |
192 | } | |
193 | wpa_hexdump_key(MSG_EXCESSIVE, "random from crypto module", | |
194 | tmp, sizeof(tmp)); | |
195 | siz = left > EXTRACT_LEN ? EXTRACT_LEN : left; | |
196 | for (i = 0; i < siz; i++) | |
197 | *bytes++ ^= tmp[i]; | |
198 | left -= siz; | |
199 | } | |
200 | #endif /* CONFIG_FIPS */ | |
201 | ||
bbb921da JM |
202 | wpa_hexdump_key(MSG_EXCESSIVE, "mixed random", buf, len); |
203 | ||
204 | if (entropy < len) | |
205 | entropy = 0; | |
206 | else | |
207 | entropy -= len; | |
208 | ||
209 | return ret; | |
210 | } | |
08704cd8 JM |
211 | |
212 | ||
213 | int random_pool_ready(void) | |
214 | { | |
215 | #ifdef __linux__ | |
216 | int fd; | |
217 | ssize_t res; | |
218 | ||
219 | /* | |
220 | * Make sure that there is reasonable entropy available before allowing | |
221 | * some key derivation operations to proceed. | |
222 | */ | |
223 | ||
224 | if (dummy_key_avail == sizeof(dummy_key)) | |
225 | return 1; /* Already initialized - good to continue */ | |
226 | ||
227 | /* | |
228 | * Try to fetch some more data from the kernel high quality | |
229 | * /dev/random. There may not be enough data available at this point, | |
230 | * so use non-blocking read to avoid blocking the application | |
231 | * completely. | |
232 | */ | |
233 | fd = open("/dev/random", O_RDONLY | O_NONBLOCK); | |
234 | if (fd < 0) { | |
08704cd8 | 235 | wpa_printf(MSG_ERROR, "random: Cannot open /dev/random: %s", |
a193231d | 236 | strerror(errno)); |
08704cd8 JM |
237 | return -1; |
238 | } | |
239 | ||
240 | res = read(fd, dummy_key + dummy_key_avail, | |
241 | sizeof(dummy_key) - dummy_key_avail); | |
242 | if (res < 0) { | |
243 | wpa_printf(MSG_ERROR, "random: Cannot read from /dev/random: " | |
244 | "%s", strerror(errno)); | |
245 | res = 0; | |
246 | } | |
247 | wpa_printf(MSG_DEBUG, "random: Got %u/%u bytes from " | |
248 | "/dev/random", (unsigned) res, | |
249 | (unsigned) (sizeof(dummy_key) - dummy_key_avail)); | |
250 | dummy_key_avail += res; | |
251 | close(fd); | |
252 | ||
38e24575 JM |
253 | if (dummy_key_avail == sizeof(dummy_key)) { |
254 | if (own_pool_ready < MIN_READY_MARK) | |
255 | own_pool_ready = MIN_READY_MARK; | |
256 | random_write_entropy(); | |
08704cd8 | 257 | return 1; |
38e24575 | 258 | } |
08704cd8 JM |
259 | |
260 | wpa_printf(MSG_INFO, "random: Only %u/%u bytes of strong " | |
261 | "random data available from /dev/random", | |
262 | (unsigned) dummy_key_avail, (unsigned) sizeof(dummy_key)); | |
263 | ||
264 | if (own_pool_ready >= MIN_READY_MARK || | |
265 | total_collected + 10 * own_pool_ready > MIN_COLLECT_ENTROPY) { | |
266 | wpa_printf(MSG_INFO, "random: Allow operation to proceed " | |
267 | "based on internal entropy"); | |
268 | return 1; | |
269 | } | |
270 | ||
271 | wpa_printf(MSG_INFO, "random: Not enough entropy pool available for " | |
272 | "secure operations"); | |
273 | return 0; | |
274 | #else /* __linux__ */ | |
275 | /* TODO: could do similar checks on non-Linux platforms */ | |
276 | return 1; | |
277 | #endif /* __linux__ */ | |
278 | } | |
279 | ||
280 | ||
281 | void random_mark_pool_ready(void) | |
282 | { | |
283 | own_pool_ready++; | |
284 | wpa_printf(MSG_DEBUG, "random: Mark internal entropy pool to be " | |
285 | "ready (count=%u/%u)", own_pool_ready, MIN_READY_MARK); | |
38e24575 | 286 | random_write_entropy(); |
08704cd8 | 287 | } |
d47fa330 JM |
288 | |
289 | ||
290 | #ifdef __linux__ | |
291 | ||
292 | static void random_close_fd(void) | |
293 | { | |
294 | if (random_fd >= 0) { | |
295 | eloop_unregister_read_sock(random_fd); | |
296 | close(random_fd); | |
297 | random_fd = -1; | |
298 | } | |
299 | } | |
300 | ||
301 | ||
302 | static void random_read_fd(int sock, void *eloop_ctx, void *sock_ctx) | |
303 | { | |
304 | ssize_t res; | |
305 | ||
306 | if (dummy_key_avail == sizeof(dummy_key)) { | |
307 | random_close_fd(); | |
308 | return; | |
309 | } | |
310 | ||
311 | res = read(sock, dummy_key + dummy_key_avail, | |
312 | sizeof(dummy_key) - dummy_key_avail); | |
313 | if (res < 0) { | |
314 | wpa_printf(MSG_ERROR, "random: Cannot read from /dev/random: " | |
315 | "%s", strerror(errno)); | |
316 | return; | |
317 | } | |
318 | ||
319 | wpa_printf(MSG_DEBUG, "random: Got %u/%u bytes from /dev/random", | |
320 | (unsigned) res, | |
321 | (unsigned) (sizeof(dummy_key) - dummy_key_avail)); | |
322 | dummy_key_avail += res; | |
323 | ||
38e24575 | 324 | if (dummy_key_avail == sizeof(dummy_key)) { |
d47fa330 | 325 | random_close_fd(); |
38e24575 JM |
326 | if (own_pool_ready < MIN_READY_MARK) |
327 | own_pool_ready = MIN_READY_MARK; | |
328 | random_write_entropy(); | |
329 | } | |
d47fa330 JM |
330 | } |
331 | ||
332 | #endif /* __linux__ */ | |
333 | ||
334 | ||
38e24575 JM |
335 | static void random_read_entropy(void) |
336 | { | |
337 | char *buf; | |
338 | size_t len; | |
339 | ||
340 | if (!random_entropy_file) | |
341 | return; | |
342 | ||
343 | buf = os_readfile(random_entropy_file, &len); | |
344 | if (buf == NULL) | |
345 | return; /* entropy file not yet available */ | |
346 | ||
347 | if (len != 1 + RANDOM_ENTROPY_SIZE) { | |
348 | wpa_printf(MSG_DEBUG, "random: Invalid entropy file %s", | |
349 | random_entropy_file); | |
350 | os_free(buf); | |
351 | return; | |
352 | } | |
353 | ||
354 | own_pool_ready = (u8) buf[0]; | |
355 | random_add_randomness(buf + 1, RANDOM_ENTROPY_SIZE); | |
356 | random_entropy_file_read = 1; | |
357 | os_free(buf); | |
358 | wpa_printf(MSG_DEBUG, "random: Added entropy from %s " | |
359 | "(own_pool_ready=%u)", | |
360 | random_entropy_file, own_pool_ready); | |
361 | } | |
362 | ||
363 | ||
364 | static void random_write_entropy(void) | |
d47fa330 | 365 | { |
38e24575 JM |
366 | char buf[RANDOM_ENTROPY_SIZE]; |
367 | FILE *f; | |
368 | u8 opr; | |
2e923102 | 369 | int fail = 0; |
38e24575 JM |
370 | |
371 | if (!random_entropy_file) | |
372 | return; | |
373 | ||
15f09614 JM |
374 | if (random_get_bytes(buf, RANDOM_ENTROPY_SIZE) < 0) |
375 | return; | |
38e24575 JM |
376 | |
377 | f = fopen(random_entropy_file, "wb"); | |
378 | if (f == NULL) { | |
9339bd5c PR |
379 | wpa_printf(MSG_ERROR, "random: Could not open entropy file %s " |
380 | "for writing", random_entropy_file); | |
38e24575 JM |
381 | return; |
382 | } | |
383 | ||
384 | opr = own_pool_ready > 0xff ? 0xff : own_pool_ready; | |
2e923102 JM |
385 | if (fwrite(&opr, 1, 1, f) != 1 || |
386 | fwrite(buf, RANDOM_ENTROPY_SIZE, 1, f) != 1) | |
387 | fail = 1; | |
38e24575 | 388 | fclose(f); |
2e923102 | 389 | if (fail) { |
9339bd5c PR |
390 | wpa_printf(MSG_ERROR, "random: Could not write entropy data " |
391 | "to %s", random_entropy_file); | |
2e923102 JM |
392 | return; |
393 | } | |
38e24575 JM |
394 | |
395 | wpa_printf(MSG_DEBUG, "random: Updated entropy file %s " | |
396 | "(own_pool_ready=%u)", | |
397 | random_entropy_file, own_pool_ready); | |
398 | } | |
399 | ||
400 | ||
401 | void random_init(const char *entropy_file) | |
402 | { | |
403 | os_free(random_entropy_file); | |
404 | if (entropy_file) | |
405 | random_entropy_file = os_strdup(entropy_file); | |
406 | else | |
407 | random_entropy_file = NULL; | |
408 | random_read_entropy(); | |
409 | ||
d47fa330 JM |
410 | #ifdef __linux__ |
411 | if (random_fd >= 0) | |
412 | return; | |
413 | ||
414 | random_fd = open("/dev/random", O_RDONLY | O_NONBLOCK); | |
415 | if (random_fd < 0) { | |
d47fa330 | 416 | wpa_printf(MSG_ERROR, "random: Cannot open /dev/random: %s", |
a193231d | 417 | strerror(errno)); |
d47fa330 JM |
418 | return; |
419 | } | |
420 | wpa_printf(MSG_DEBUG, "random: Trying to read entropy from " | |
421 | "/dev/random"); | |
422 | ||
423 | eloop_register_read_sock(random_fd, random_read_fd, NULL, NULL); | |
424 | #endif /* __linux__ */ | |
38e24575 JM |
425 | |
426 | random_write_entropy(); | |
d47fa330 JM |
427 | } |
428 | ||
429 | ||
430 | void random_deinit(void) | |
431 | { | |
432 | #ifdef __linux__ | |
433 | random_close_fd(); | |
434 | #endif /* __linux__ */ | |
38e24575 JM |
435 | random_write_entropy(); |
436 | os_free(random_entropy_file); | |
437 | random_entropy_file = NULL; | |
d47fa330 | 438 | } |