mirror of
https://github.com/opnsense/src.git
synced 2026-03-01 04:40:53 -05:00
13774e8228
read_random() is/was used, mostly without error checking, in a lot of very sensitive places in the kernel -- including seeding the widely used arc4random(9). Most uses, especially arc4random(9), should block until the device is seeded rather than proceeding with a bogus or empty seed. I did not spy any obvious kernel consumers where blocking would be inappropriate (in the sense that lack of entropy would be ok -- I did not investigate locking angle thoroughly). In many instances, arc4random_buf(9) or that family of APIs would be more appropriate anyway; that work was done in r345865. A minor cleanup was made to the implementation of the READ_RANDOM function: instead of using a variable-length array on the stack to temporarily store all full random blocks sufficient to satisfy the requested 'len', only store a single block on the stack. This has some benefit in terms of reducing stack usage, reducing memcpy overhead and reducing devrandom output leakage via the stack. Additionally, the stack block is now safely zeroed if it was used. One caveat of this change is that the kern.arandom sysctl no longer returns zero bytes immediately if the random device is not seeded. This means that FreeBSD-specific userspace applications which attempted to handle an unseeded random device may be broken by this change. If such behavior is needed, it can be replaced by the more portable getrandom(2) GRND_NONBLOCK option. On any typical FreeBSD system, entropy is persisted on read/write media and used to seed the random device very early in boot, and blocking is never a problem. This change primarily impacts the behavior of /dev/random on embedded systems with read-only media that do not configure "nodevice random". We toggle the default from 'charge on blindly with no entropy' to 'block indefinitely.' This default is safer, but may cause frustration. Embedded system designers using FreeBSD have several options. The most obvious is to plan to have a small writable NVRAM or NAND to persist entropy, like larger systems. Early entropy can be fed from any loader, or by writing directly to /dev/random during boot. Some embedded SoCs now provide a fast hardware entropy source; this would also work for quickly seeding Fortuna. A 3rd option would be creating an embedded-specific, more simplistic random module, like that designed by DJB in [1] (this design still requires a small rewritable media for forward secrecy). Finally, the least preferred option might be "nodevice random", although I plan to remove this in a subsequent revision. To help developers emulate the behavior of these embedded systems on ordinary workstations, the tunable kern.random.block_seeded_status was added. When set to 1, it blocks the random device. I attempted to document this change in random.4 and random.9 and ran into a bunch of out-of-date or irrelevant or inaccurate content and ended up rototilling those documents more than I intended to. Sorry. I think they're in a better state now. PR: 230875 Reviewed by: delphij, markm (earlier version) Approved by: secteam(delphij), devrandom(markm) Relnotes: yes Differential Revision: https://reviews.freebsd.org/D19744
132 lines
3.8 KiB
C
132 lines
3.8 KiB
C
/*-
|
|
* Copyright (c) 2015 Mark R V Murray
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer
|
|
* in this position and unchanged.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*
|
|
*/
|
|
|
|
#include <sys/cdefs.h>
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/systm.h>
|
|
#include <sys/kernel.h>
|
|
#include <sys/malloc.h>
|
|
#include <sys/random.h>
|
|
#include <sys/sysctl.h>
|
|
|
|
#if defined(RANDOM_LOADABLE)
|
|
#include <sys/lock.h>
|
|
#include <sys/sx.h>
|
|
#endif
|
|
|
|
#include <dev/random/randomdev.h>
|
|
|
|
/* Set up the sysctl root node for the entropy device */
|
|
SYSCTL_NODE(_kern, OID_AUTO, random, CTLFLAG_RW, 0, "Cryptographically Secure Random Number Generator");
|
|
|
|
MALLOC_DEFINE(M_ENTROPY, "entropy", "Entropy harvesting buffers and data structures");
|
|
|
|
struct sources_head source_list = LIST_HEAD_INITIALIZER(source_list);
|
|
|
|
#if defined(RANDOM_LOADABLE)
|
|
struct random_algorithm *p_random_alg_context = NULL;
|
|
#else /* !defined(RANDOM_LOADABLE) */
|
|
struct random_algorithm *p_random_alg_context = &random_alg_context;
|
|
#endif /* defined(RANDOM_LOADABLE) */
|
|
|
|
#if defined(RANDOM_LOADABLE)
|
|
|
|
static void
|
|
null_read_random(void *dummy __unused, u_int dummy2 __unused)
|
|
{
|
|
panic("%s: no random module is loaded", __func__);
|
|
}
|
|
|
|
struct random_readers {
|
|
int (*read_random_uio)(struct uio *, bool);
|
|
void (*read_random)(void *, u_int);
|
|
} random_reader_context = {
|
|
(int (*)(struct uio *, bool))nullop,
|
|
null_read_random,
|
|
};
|
|
|
|
struct sx randomdev_config_lock;
|
|
|
|
static void
|
|
random_infra_sysinit(void *dummy __unused)
|
|
{
|
|
|
|
RANDOM_CONFIG_INIT_LOCK();
|
|
}
|
|
SYSINIT(random_device_h_init, SI_SUB_RANDOM, SI_ORDER_FIRST, random_infra_sysinit, NULL);
|
|
|
|
void
|
|
random_infra_init(int (*p_random_read_uio)(struct uio *, bool), void (*p_random_read)(void *, u_int))
|
|
{
|
|
|
|
RANDOM_CONFIG_X_LOCK();
|
|
random_reader_context.read_random_uio = p_random_read_uio;
|
|
random_reader_context.read_random = p_random_read;
|
|
RANDOM_CONFIG_X_UNLOCK();
|
|
}
|
|
|
|
void
|
|
random_infra_uninit(void)
|
|
{
|
|
|
|
RANDOM_CONFIG_X_LOCK();
|
|
random_reader_context.read_random_uio = (int (*)(struct uio *, bool))nullop;
|
|
random_reader_context.read_random = null_read_random;
|
|
RANDOM_CONFIG_X_UNLOCK();
|
|
}
|
|
|
|
static void
|
|
random_infra_sysuninit(void *dummy __unused)
|
|
{
|
|
|
|
RANDOM_CONFIG_DEINIT_LOCK();
|
|
}
|
|
SYSUNINIT(random_device_h_init, SI_SUB_RANDOM, SI_ORDER_FIRST, random_infra_sysuninit, NULL);
|
|
|
|
int
|
|
read_random_uio(struct uio *uio, bool nonblock)
|
|
{
|
|
int retval;
|
|
|
|
RANDOM_CONFIG_S_LOCK();
|
|
retval = random_reader_context.read_random_uio(uio, nonblock);
|
|
RANDOM_CONFIG_S_UNLOCK();
|
|
return (retval);
|
|
}
|
|
|
|
void
|
|
read_random(void *buf, u_int len)
|
|
{
|
|
|
|
RANDOM_CONFIG_S_LOCK();
|
|
random_reader_context.read_random(buf, len);
|
|
RANDOM_CONFIG_S_UNLOCK();
|
|
}
|
|
|
|
#endif /* defined(RANDOM_LOADABLE) */
|