X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/6601e61aa18bf4f09af135ff61fc7f4771d23b06..7ee9d059c4eecf68ae4f8b0fb99ae2471eda79af:/bsd/dev/random/randomdev.c diff --git a/bsd/dev/random/randomdev.c b/bsd/dev/random/randomdev.c index 04e1883a4..c081bd209 100644 --- a/bsd/dev/random/randomdev.c +++ b/bsd/dev/random/randomdev.c @@ -1,25 +1,42 @@ /* - * Copyright (c)1999-2004 Apple Computer, Inc. All rights reserved. + * Copyright (c) 1999-2009 Apple, Inc. All rights reserved. * - * @APPLE_LICENSE_HEADER_START@ + * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * - * The contents of this file constitute Original Code as defined in and - * are subject to the Apple Public Source License Version 1.1 (the - * "License"). You may not use this file except in compliance with the - * License. Please obtain a copy of the License at - * http://www.apple.com/publicsource and read it before using this file. + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. The rights granted to you under the License + * may not be used to create, or enable the creation or redistribution of, + * unlawful or unlicensed copies of an Apple operating system, or to + * circumvent, violate, or enable the circumvention or violation of, any + * terms of an Apple operating system software license agreement. * - * This Original Code and all software distributed under the License are - * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the - * License for the specific language governing rights and limitations - * under the License. + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. * - * @APPLE_LICENSE_HEADER_END@ + * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ */ +/* + WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! + + THIS FILE IS NEEDED TO PASS FIPS ACCEPTANCE FOR THE RANDOM NUMBER GENERATOR. + IF YOU ALTER IT IN ANY WAY, WE WILL NEED TO GO THOUGH FIPS ACCEPTANCE AGAIN, + AN OPERATION THAT IS VERY EXPENSIVE AND TIME CONSUMING. IN OTHER WORDS, + DON'T MESS WITH THIS FILE. + + WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! +*/ + #include #include #include @@ -30,13 +47,20 @@ #include #include #include +#include #include #include #include #include #include -#include + +#include + +#include +#include + +#include "fips_sha1.h" #define RANDOM_MAJOR -1 /* let the kernel pick the device number */ @@ -64,21 +88,34 @@ static struct cdevsw random_cdevsw = 0 /* type */ }; + +/* + WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! + + ANY CODE PROTECTED UNDER "#ifdef __arm__" IS SERIOUSLY SUPPOSED TO BE THERE! + IF YOU REMOVE ARM CODE, RANDOM WILL NOT MEAN ANYTHING FOR iPHONES ALL OVER. + PLEASE DON'T TOUCH __arm__ CODE IN THIS FILE! + + WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! +*/ + + /* Used to detect whether we've already been initialized */ static int gRandomInstalled = 0; static PrngRef gPrngRef; static int gRandomError = 1; -static mutex_t *gYarrowMutex = 0; +static lck_grp_t *gYarrowGrp; +static lck_attr_t *gYarrowAttr; +static lck_grp_attr_t *gYarrowGrpAttr; +static lck_mtx_t *gYarrowMutex = 0; #define RESEED_TICKS 50 /* how long a reseed operation can take */ -enum {kBSizeInBits = 160}; // MUST be a multiple of 32!!! -enum {kBSizeInBytes = kBSizeInBits / 8}; -typedef u_int32_t BlockWord; -enum {kWordSizeInBits = 32}; -enum {kBSize = 5}; +typedef u_int8_t BlockWord; +enum {kBSize = 20}; typedef BlockWord Block[kBSize]; +enum {kBlockSize = sizeof(Block)}; /* define prototypes to keep the compiler happy... */ @@ -97,26 +134,26 @@ u_int32_t CalculateCRC(u_int8_t* buffer, size_t length); void add_blocks(Block a, Block b, BlockWord carry) { - int i = kBSize; - while (--i >= 0) + int i = kBlockSize - 1; + while (i >= 0) { - u_int64_t c = (u_int64_t)carry + - (u_int64_t)a[i] + - (u_int64_t)b[i]; - a[i] = c & ((1LL << kWordSizeInBits) - 1); - carry = c >> kWordSizeInBits; + u_int32_t c = (u_int32_t)carry + + (u_int32_t)a[i] + + (u_int32_t)b[i]; + a[i] = c & 0xff; + carry = c >> 8; + i -= 1; } } -struct sha1_ctxt g_sha1_ctx; -char zeros[(512 - kBSizeInBits) / 8]; -Block g_xkey; -Block g_random_data; -int g_bytes_used; -unsigned char g_SelfTestInitialized = 0; -u_int32_t gLastBlockChecksum; +static char zeros[(512 - kBSize * 8) / 8]; +static Block g_xkey; +static Block g_random_data; +static int g_bytes_used; +static unsigned char g_SelfTestInitialized = 0; +static u_int32_t gLastBlockChecksum; static const u_int32_t g_crc_table[] = { @@ -181,12 +218,16 @@ u_int32_t CalculateCRC(u_int8_t* buffer, size_t length) void random_block(Block b, int addOptional) { + SHA1_CTX sha1_ctx; + int repeatCount = 0; do { + // do one iteration + if (addOptional) { - // do one iteration + // create an xSeed to add. Block xSeed; prngOutput (gPrngRef, (BYTE*) &xSeed, sizeof (xSeed)); @@ -194,17 +235,33 @@ random_block(Block b, int addOptional) add_blocks (g_xkey, xSeed, 0); } + // initialize the value of H + FIPS_SHA1Init(&sha1_ctx); + + // to stay compatible with the FIPS specification, we need to flip the bytes in + // g_xkey to little endian byte order. In our case, this makes exactly no difference + // (random is random), but we need to do it anyway to keep FIPS happy + // compute "G" - SHA1Update (&g_sha1_ctx, (const u_int8_t *) &g_xkey, sizeof (g_xkey)); + FIPS_SHA1Update(&sha1_ctx, g_xkey, kBlockSize); // add zeros to fill the internal SHA-1 buffer - SHA1Update (&g_sha1_ctx, (const u_int8_t *)zeros, sizeof (zeros)); + FIPS_SHA1Update (&sha1_ctx, (const u_int8_t *)zeros, sizeof (zeros)); + + // we have to do a byte order correction here because the sha1 math is being done internally + // as u_int32_t, not a stream of bytes. Since we maintain our data as a byte stream, we need + // to convert - // write the resulting block - memmove(b, g_sha1_ctx.h.b8, sizeof (Block)); + u_int32_t* finger = (u_int32_t*) b; + + unsigned j; + for (j = 0; j < kBlockSize / sizeof (u_int32_t); ++j) + { + *finger++ = OSSwapHostToBigInt32(sha1_ctx.h.b32[j]); + } // calculate the CRC-32 of the block - u_int32_t new_crc = CalculateCRC(g_sha1_ctx.h.b8, sizeof (Block)); + u_int32_t new_crc = CalculateCRC(sha1_ctx.h.b8, sizeof (Block)); // make sure we don't repeat int cmp = new_crc == gLastBlockChecksum; @@ -249,8 +306,6 @@ void PreliminarySetup(void) { prng_error_status perr; - struct timeval tt; - char buffer [16]; /* create a Yarrow object */ perr = prngInitialize(&gPrngRef); @@ -262,6 +317,9 @@ PreliminarySetup(void) /* clear the error flag, reads and write should then work */ gRandomError = 0; + struct timeval tt; + char buffer [16]; + /* get a little non-deterministic data as an initial seed. */ microtime(&tt); @@ -280,18 +338,21 @@ PreliminarySetup(void) } /* turn the data around */ - perr = prngOutput(gPrngRef, (BYTE*)buffer, sizeof (buffer)); + perr = prngOutput(gPrngRef, (BYTE*) buffer, sizeof (buffer)); /* and scramble it some more */ perr = prngForceReseed(gPrngRef, RESEED_TICKS); /* make a mutex to control access */ - gYarrowMutex = mutex_alloc(0); + gYarrowGrpAttr = lck_grp_attr_alloc_init(); + gYarrowGrp = lck_grp_alloc_init("random", gYarrowGrpAttr); + gYarrowAttr = lck_attr_alloc_init(); + gYarrowMutex = lck_mtx_alloc_init(gYarrowGrp, gYarrowAttr); fips_initialize (); } -const Block kKnownAnswer = {0x92b404e5, 0x56588ced, 0x6c1acd4e, 0xbf053f68, 0x9f73a93}; +const Block kKnownAnswer = {0x92, 0xb4, 0x04, 0xe5, 0x56, 0x58, 0x8c, 0xed, 0x6c, 0x1a, 0xcd, 0x4e, 0xbf, 0x05, 0x3f, 0x68, 0x09, 0xf7, 0x3a, 0x93}; void fips_initialize(void) @@ -299,25 +360,18 @@ fips_initialize(void) /* So that we can do the self test, set the seed to zero */ memset(&g_xkey, 0, sizeof(g_xkey)); - /* initialize our SHA1 generator */ - SHA1Init (&g_sha1_ctx); - /* other initializations */ memset (zeros, 0, sizeof (zeros)); g_bytes_used = 0; random_block(g_random_data, FALSE); // check here to see if we got the initial data we were expecting - int i; - for (i = 0; i < kBSize; ++i) + if (memcmp(kKnownAnswer, g_random_data, kBlockSize) != 0) { - if (kKnownAnswer[i] != g_random_data[i]) - { - panic("FIPS random self test failed"); - } + panic("FIPS random self test failed"); } - - // now do the random block again to make sure that userland doesn't get predictable data + + // now do the random block again to make sure that userland doesn't get predicatable data random_block(g_random_data, TRUE); } @@ -428,20 +482,19 @@ random_write (__unused dev_t dev, struct uio *uio, __unused int ioflag) } /* get control of the Yarrow instance, Yarrow is NOT thread safe */ - mutex_lock(gYarrowMutex); + lck_mtx_lock(gYarrowMutex); /* Security server is sending us entropy */ while (uio_resid(uio) > 0 && retCode == 0) { /* get the user's data */ - // LP64todo - fix this! uio_resid may be 64-bit value int bytesToInput = min(uio_resid(uio), sizeof (rdBuffer)); retCode = uiomove(rdBuffer, bytesToInput, uio); if (retCode != 0) goto /*ugh*/ error_exit; /* put it in Yarrow */ - if (prngInput(gPrngRef, (BYTE*)rdBuffer, + if (prngInput(gPrngRef, (BYTE*) rdBuffer, bytesToInput, SYSTEM_SOURCE, bytesToInput * 8) != 0) { retCode = EIO; @@ -458,14 +511,15 @@ random_write (__unused dev_t dev, struct uio *uio, __unused int ioflag) /* retCode should be 0 at this point */ error_exit: /* do this to make sure the mutex unlocks. */ - mutex_unlock(gYarrowMutex); + lck_mtx_unlock(gYarrowMutex); return (retCode); } /* * return data to the caller. Results unpredictable. */ -int random_read(__unused dev_t dev, struct uio *uio, __unused int ioflag) +int +random_read(__unused dev_t dev, struct uio *uio, __unused int ioflag) { int retCode = 0; @@ -473,24 +527,25 @@ int random_read(__unused dev_t dev, struct uio *uio, __unused int ioflag) return (ENOTSUP); /* lock down the mutex */ - mutex_lock(gYarrowMutex); + lck_mtx_lock(gYarrowMutex); + int bytes_remaining = uio_resid(uio); while (bytes_remaining > 0 && retCode == 0) { /* get the user's data */ int bytes_to_read = 0; - int bytes_available = kBSizeInBytes - g_bytes_used; + int bytes_available = kBlockSize - g_bytes_used; if (bytes_available == 0) { random_block(g_random_data, TRUE); g_bytes_used = 0; - bytes_available = kBSizeInBytes; + bytes_available = kBlockSize; } bytes_to_read = min (bytes_remaining, bytes_available); - retCode = uiomove(((u_int8_t*)g_random_data)+ g_bytes_used, bytes_to_read, uio); + retCode = uiomove(((caddr_t)g_random_data)+ g_bytes_used, bytes_to_read, uio); g_bytes_used += bytes_to_read; if (retCode != 0) @@ -502,7 +557,7 @@ int random_read(__unused dev_t dev, struct uio *uio, __unused int ioflag) retCode = 0; error_exit: - mutex_unlock(gYarrowMutex); + lck_mtx_unlock(gYarrowMutex); return retCode; } @@ -514,36 +569,35 @@ read_random(void* buffer, u_int numbytes) PreliminarySetup (); } - mutex_lock(gYarrowMutex); - + lck_mtx_lock(gYarrowMutex); int bytes_read = 0; int bytes_remaining = numbytes; while (bytes_remaining > 0) { - int bytes_to_read = min(bytes_remaining, kBSizeInBytes - g_bytes_used); + int bytes_to_read = min(bytes_remaining, kBlockSize - g_bytes_used); if (bytes_to_read == 0) { random_block(g_random_data, TRUE); g_bytes_used = 0; - bytes_to_read = min(bytes_remaining, kBSizeInBytes); + bytes_to_read = min(bytes_remaining, kBlockSize); } - memmove (buffer, ((u_int8_t*)g_random_data)+ bytes_read, bytes_to_read); + memmove ((u_int8_t*) buffer + bytes_read, ((u_int8_t*)g_random_data)+ g_bytes_used, bytes_to_read); g_bytes_used += bytes_to_read; bytes_read += bytes_to_read; bytes_remaining -= bytes_to_read; } - mutex_unlock(gYarrowMutex); + lck_mtx_unlock(gYarrowMutex); } /* - * Return an unsigned long pseudo-random number. + * Return an u_int32_t pseudo-random number. */ -u_long +u_int32_t RandomULong(void) { - u_long buf; + u_int32_t buf; read_random(&buf, sizeof (buf)); return (buf); }