/*
* include/linux/random.h
*
* Include file for the random number generator.
*/
#ifndef _LINUX_RANDOM_H
#define _LINUX_RANDOM_H
#include <linux/types.h>
#include <linux/ioctl.h>
#include <linux/irqnr.h>
/*
 * ioctl()s for the random number generator (/dev/random, /dev/urandom).
 * All use ioctl type 'R'.  The ones marked "Superuser only" alter the
 * kernel's entropy accounting or the pool itself.  The kernel has no way
 * to verify how much entropy a caller really supplies through these
 * calls; it can only restrict who is allowed to make them.
 */

/* Get the entropy count. */
#define RNDGETENTCNT _IOR( 'R', 0x00, int )

/*
 * Add to (or subtract from) the entropy count. (Superuser only.)
 * The argument is a signed delta applied to the kernel's entropy estimate.
 */
#define RNDADDTOENTCNT _IOW( 'R', 0x01, int )

/*
 * Get the contents of the entropy pool. (Superuser only.)
 * NOTE(review): handing out raw pool contents would expose generator
 * state; confirm whether drivers/char/random.c in this tree actually
 * services this request or rejects it.
 */
#define RNDGETPOOL _IOR( 'R', 0x02, int [2] )

/*
 * Write bytes into the entropy pool and add to the entropy count.
 * (Superuser only.)
 * The argument is really a struct rand_pool_info (defined below) followed
 * by its data; the "int [2]" here only encodes the size of that struct's
 * two-int header for the ioctl number.
 */
#define RNDADDENTROPY _IOW( 'R', 0x03, int [2] )

/* Clear entropy count to 0. (Superuser only.) */
#define RNDZAPENTCNT _IO( 'R', 0x04 )

/*
 * Clear the entropy pool and associated counters. (Superuser only.)
 * Note the gap: command 0x05 is not assigned in this header.
 */
#define RNDCLEARPOOL _IO( 'R', 0x06 )
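/*
 * Argument block for RNDADDENTROPY.
 *
 * @entropy_count: entropy the caller credits to the supplied data (the
 *                 kernel cannot check this claim, which is why the ioctl
 *                 is superuser-only); presumably in bits -- TODO confirm
 *                 against drivers/char/random.c.
 * @buf_size:      size of the data that follows in @buf; presumably in
 *                 bytes -- TODO confirm against the driver.
 * @buf:           the data itself, laid out directly after the header.
 *
 * @buf is a C99 flexible array member.  It was a GNU zero-length array
 * (buf[0]); both occupy no storage, so sizeof and the layout seen by
 * userspace are unchanged, but the flexible form is standard C and does
 * not rely on a compiler extension.
 */
struct rand_pool_info {
	int	entropy_count;
	int	buf_size;
	__u32	buf[];
};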
/*
 * State of one instance of the prandom (Tausworthe "random32") generator.
 * Initialise it with prandom_seed_state(), which enforces the generator's
 * seeding requirement s1 > 1, s2 > 7, s3 > 15.  This generator is not
 * used for cryptography.
 */
struct rnd_state {
	__u32 s1;
	__u32 s2;
	__u32 s3;
};
/* Exported functions */
BACKPORT: random: introduce getrandom(2) system call
Almost clean cherry pick of c6e9d6f38894798696f23c8084ca7edbf16ee895,
includes change made by merge 0891ad829d2a0501053703df66029e843e3b8365.
The getrandom(2) system call was requested by the LibreSSL Portable
developers. It is analogous to the getentropy(2) system call in
OpenBSD.
The rationale of this system call is to provide resilience against
file descriptor exhaustion attacks, where the attacker consumes all
available file descriptors, forcing the use of the fallback code where
/dev/[u]random is not available. Since the fallback code is often not
well-tested, it is better to eliminate this potential failure mode
entirely.
The other feature provided by this new system call is the ability to
request randomness from the /dev/urandom entropy pool, but to block
until at least 128 bits of entropy have been accumulated in the
/dev/urandom entropy pool. Historically, the emphasis in the
/dev/urandom development has been to ensure that urandom pool is
initialized as quickly as possible after system boot, and preferably
before the init scripts start execution.
This is because changing /dev/urandom reads to block represents an
interface change that could potentially break userspace which is not
acceptable. In practice, on most x86 desktop and server systems, in
general the entropy pool can be initialized before it is needed (and
in modern kernels, we will printk a warning message if not). However,
on an embedded system, this may not be the case. And so with this new
interface, we can provide the functionality of blocking until the
urandom pool has been initialized. Any userspace program which uses
this new functionality must take care to assure that if it is used
during the boot process, that it will not cause the init scripts or
other portions of the system startup to hang indefinitely.
SYNOPSIS
#include <linux/random.h>
int getrandom(void *buf, size_t buflen, unsigned int flags);
DESCRIPTION
The system call getrandom() fills the buffer pointed to by buf
with up to buflen random bytes which can be used to seed user
space random number generators (i.e., DRBG's) or for other
cryptographic uses. It should not be used for Monte Carlo
simulations or other programs/algorithms which are doing
probabilistic sampling.
If the GRND_RANDOM flags bit is set, then draw from the
/dev/random pool instead of the /dev/urandom pool. The
/dev/random pool is limited based on the entropy that can be
obtained from environmental noise, so if there is insufficient
entropy, the requested number of bytes may not be returned.
If there is no entropy available at all, getrandom(2) will
either block, or return an error with errno set to EAGAIN if
the GRND_NONBLOCK bit is set in flags.
If the GRND_RANDOM bit is not set, then the /dev/urandom pool
will be used. Unlike using read(2) to fetch data from
/dev/urandom, if the urandom pool has not been sufficiently
initialized, getrandom(2) will block (or return -1 with the
errno set to EAGAIN if the GRND_NONBLOCK bit is set in flags).
The getentropy(2) system call in OpenBSD can be emulated using
the following function:
int getentropy(void *buf, size_t buflen)
{
int ret;
if (buflen > 256)
goto failure;
ret = getrandom(buf, buflen, 0);
if (ret < 0)
return ret;
if (ret == buflen)
return 0;
failure:
errno = EIO;
return -1;
}
RETURN VALUE
On success, the number of bytes that were filled in buf is
returned. This may not be all the bytes requested by the
caller via buflen if insufficient entropy was present in the
/dev/random pool, or if the system call was interrupted by a
signal.
On error, -1 is returned, and errno is set appropriately.
ERRORS
EINVAL An invalid flag was passed to getrandom(2)
EFAULT buf is outside the accessible address space.
EAGAIN The requested entropy was not available, and
getrandom(2) would have blocked if the
GRND_NONBLOCK flag was not set.
EINTR While blocked waiting for entropy, the call was
interrupted by a signal handler; see the description
of how interrupted read(2) calls on "slow" devices
are handled with and without the SA_RESTART flag
in the signal(7) man page.
NOTES
For small requests (buflen <= 256) getrandom(2) will not
return EINTR when reading from the urandom pool once the
entropy pool has been initialized, and it will return all of
the bytes that have been requested. This is the recommended
way to use getrandom(2), and is designed for compatibility
with OpenBSD's getentropy() system call.
However, if you are using GRND_RANDOM, then getrandom(2) may
block until the entropy accounting determines that sufficient
environmental noise has been gathered such that getrandom(2)
will be operating as a NRBG instead of a DRBG for those people
who are working in the NIST SP 800-90 regime. Since it may
block for a long time, these guarantees do *not* apply. The
user may want to interrupt a hanging process using a signal,
so blocking until all of the requested bytes are returned
would be unfriendly.
For this reason, the user of getrandom(2) MUST always check
the return value, in case it returns some error, or if fewer
bytes than requested were returned. In the case of
!GRND_RANDOM and small request, the latter should never
happen, but the careful userspace code (and all crypto code
should be careful) should check for this anyway!
Finally, unless you are doing long-term key generation (and
perhaps not even then), you probably shouldn't be using
GRND_RANDOM. The cryptographic algorithms used for
/dev/urandom are quite conservative, and so should be
sufficient for all purposes. The disadvantage of GRND_RANDOM
is that it can block, and the increased complexity required to
deal with partially fulfilled getrandom(2) requests.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Zach Brown <zab@zabbo.net>
Bug: http://b/29621447
Change-Id: I189ba74070dd6d918b0fdf83ff30bb74ec0f7556
(cherry picked from commit 4af712e8df998475736f3e2727701bd31e3751a9)
[flex1911]: backport to 3.4
/*
 * Flags for getrandom(2)
 *
 * GRND_NONBLOCK	Don't block and return EAGAIN instead
 * GRND_RANDOM		Use the /dev/random pool instead of /dev/urandom
 *
 * Without GRND_RANDOM the call draws from the urandom pool but, unlike
 * read(2) on /dev/urandom, blocks until that pool has been initialized
 * (or fails with EAGAIN if GRND_NONBLOCK is set).  With GRND_RANDOM the
 * call may block for a long time and may return fewer bytes than asked
 * for, so callers must always check the return value.  For most uses,
 * including seeding a userspace DRBG, GRND_RANDOM is not needed.
 */
#define GRND_NONBLOCK 0x0001
#define GRND_RANDOM 0x0002
#ifdef __KERNEL__
/*
 * Entropy inputs: each mixes caller-supplied event data (device
 * identity, input events, interrupt timing) into the kernel pool.
 */
extern void add_device_randomness(const void *, unsigned int);
extern void add_input_randomness(unsigned int type, unsigned int code,
				 unsigned int value);
extern void add_interrupt_randomness(int irq, int irq_flags);

/*
 * Fill @buf with @nbytes bytes from the kernel pool.  This is the
 * interface to use for keys and other cryptographic material.  It does
 * not read the architecture hardware RNG directly (see
 * get_random_bytes_arch()); any HW RNG output is only mixed into the
 * pool, so the result does not rest on trusting the CPU vendor alone.
 */
extern void get_random_bytes(void *buf, int nbytes);
random: add new get_random_bytes_arch() function
commit c2557a303ab6712bb6e09447df828c557c710ac9 upstream.
Create a new function, get_random_bytes_arch() which will use the
architecture-specific hardware random number generator if it is
present. Change get_random_bytes() to not use the HW RNG, even if it
is available.
The reason for this is that the hw random number generator is fast (if
it is present), but it requires that we trust the hardware
manufacturer to have not put in a back door. (For example, an
increasing counter encrypted by an AES key known to the NSA.)
It's unlikely that Intel (for example) was paid off by the US
Government to do this, but it's impossible for them to prove otherwise
--- especially since Bull Mountain is documented to use AES as a
whitener. Hence, the output of an evil, trojan-horse version of
RDRAND is statistically indistinguishable from an RDRAND implemented
to the specifications claimed by Intel. Short of using a tunnelling
electron microscope to reverse engineer an Ivy Bridge chip and
disassembling and analyzing the CPU microcode, there's no way for us
to tell for sure.
Since users of get_random_bytes() in the Linux kernel need to be able
to support hardware systems where the HW RNG is not present, most
time-sensitive users of this interface have already created their own
cryptographic RNG interface which uses get_random_bytes() as a seed.
So it's much better to use the HW RNG to improve the existing random
number generator, by mixing in any entropy returned by the HW RNG into
/dev/random's entropy pool, but to always _use_ /dev/random's entropy
pool.
This way we get almost all of the benefits of the HW RNG without any
potential liabilities. The only benefits we forgo is the
speed/performance enhancements --- and generic kernel code can't
depend on get_random_bytes() having the speed of a HW RNG
anyway.
For those places that really want access to the arch-specific HW RNG,
if it is available, we provide get_random_bytes_arch().
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ed Tam <etam@google.com>
/*
 * Like get_random_bytes(), but uses the architecture-specific hardware
 * RNG (e.g. RDRAND) directly when one is present.  Faster, at the cost
 * of trusting the hardware vendor's implementation outright; prefer
 * get_random_bytes() unless that trade-off is deliberate.
 */
extern void get_random_bytes_arch(void *buf, int nbytes);
/* Fill the 16-byte @uuid_out with a random UUID. */
void generate_random_uuid(unsigned char uuid_out[16]);
/*
 * Presumably initialises the per-boot secret behind get_random_int()
 * and get_random_long() -- TODO confirm in drivers/char/random.c.
 */
extern int random_int_secret_init(void);
#ifndef MODULE
/*
 * Character-device operations for /dev/random and /dev/urandom; only
 * visible to built-in code, hence the !MODULE guard.
 */
extern const struct file_operations random_fops, urandom_fops;
#endif
/*
 * Cheap random integers for in-kernel use such as address-space layout
 * randomisation.  Presumably derived from a per-boot secret (see
 * random_int_secret_init()) rather than drawn from the pool -- TODO
 * confirm.  Not a substitute for get_random_bytes() when generating keys.
 */
unsigned int get_random_int(void);
unsigned long get_random_long(void);
/*
 * Pick a random start address for a @len-byte region lying within
 * [@start, @end); exact handling of the bounds is in the implementation
 * -- TODO confirm.
 */
unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len);
/*
 * Non-cryptographic pseudo-random numbers (the Tausworthe "random32"
 * generator).  Fast and fully determined by the seed; never use these
 * for anything security-relevant -- use get_random_bytes() instead.
 */
u32 prandom_u32(void);
void prandom_bytes(void *buf, int nbytes);
void prandom_seed(u32 seed);
void prandom_reseed_late(void);
/*
 * These macros are preserved for backward compatibility and should be
 * removed as soon as a transition is finished.  New code should call
 * prandom_u32() / prandom_seed() directly.
 */
#define random32() prandom_u32()
#define srandom32(seed) prandom_seed(seed)

/*
 * Per-instance variants operating on a caller-owned struct rnd_state
 * (seed it with prandom_seed_state()).  Same non-cryptographic generator
 * as prandom_u32().
 */
u32 prandom_u32_state(struct rnd_state *);
void prandom_bytes_state(struct rnd_state *state, void *buf, int nbytes);
/*
 * __seed - enforce a lower bound on one seed word.
 * @x: candidate seed word.
 * @m: required minimum.
 *
 * Returns @x unchanged when it is already >= @m, otherwise @x + @m, which
 * lies in [@m, 2*@m).  Either way the result is at least @m, which is
 * what the Tausworthe generator's seeding requirement needs (callers pass
 * 2, 8 and 16 for s1, s2, s3).
 */
static inline u32 __seed(u32 x, u32 m)
{
	if (x >= m)
		return x;
	return x + m;
}
/**
 * prandom_seed_state - set seed for prandom_u32_state().
 * @state: pointer to state structure to receive the seed.
 * @seed: arbitrary 64-bit value to use as a seed.
 *
 * Folds the 64-bit seed into a single 32-bit word and loads that word into
 * all three state words, each clamped by __seed() to the minimum the
 * Tausworthe generator requires: s1 > 1, s2 > 7, s3 > 15 (an earlier
 * version used 1, 7 and 15 here, which was off by one).  Because all
 * three words derive from the same 32-bit value the state carries at
 * most 32 bits of variety; this generator is not used for cryptography.
 */
static inline void prandom_seed_state(struct rnd_state *state, u64 seed)
{
	u32 lo = (u32)seed;
	u32 hi = (u32)(seed >> 32);
	/* Same mix as (seed >> 32) ^ (seed << 10) ^ seed, truncated to 32 bits. */
	u32 mixed = hi ^ (lo << 10) ^ lo;

	state->s1 = __seed(mixed, 2);
	state->s2 = __seed(mixed, 8);
	state->s3 = __seed(mixed, 16);
}
#ifdef CONFIG_ARCH_RANDOM
# include <asm/archrandom.h>
#else
/*
 * Fallback when no architecture RNG is configured (!CONFIG_ARCH_RANDOM):
 * reports "nothing available" and leaves *v untouched.  Callers must
 * therefore treat a 0 return as "no data" and fall back to the pool
 * rather than consume *v.
 */
static inline int arch_get_random_long(unsigned long *v)
{
	(void)v;	/* never written: there is no hardware source here */
	return 0;
}
/*
 * Fallback when no architecture RNG is configured (!CONFIG_ARCH_RANDOM):
 * reports "nothing available" and leaves *v untouched, so callers must
 * not use *v when this returns 0.
 */
static inline int arch_get_random_int(unsigned int *v)
{
	(void)v;	/* never written: there is no hardware source here */
	return 0;
}
#endif
#endif /* __KERNEL__ */
#endif /* _LINUX_RANDOM_H */