git: 7c6fb056cca7 - stable/12 - random(4): Generalize algorithm-independent APIs

From: David E. O'Brien <obrien_at_FreeBSD.org>
Date: Mon, 14 Feb 2022 21:21:06 UTC
The branch stable/12 has been updated by obrien:

URL: https://cgit.FreeBSD.org/src/commit/?id=7c6fb056cca7df876be82da0c03a72ea8644ccca

commit 7c6fb056cca7df876be82da0c03a72ea8644ccca
Author:     Conrad Meyer <cem@FreeBSD.org>
AuthorDate: 2019-06-17 15:09:12 +0000
Commit:     David E. O'Brien <obrien@FreeBSD.org>
CommitDate: 2022-02-14 21:14:31 +0000

    random(4): Generalize algorithm-independent APIs
    
    At a basic level, remove assumptions about the underlying algorithm (such as
    output block size and reseeding requirements) from the algorithm-independent
    logic in randomdev.c.  Chacha20 does not have many of the restrictions that
    AES-ICM does as a PRF (Pseudo-Random Function), because it has a cipher
    block size of 512 bits.  The motivation is that by generalizing the API,
    Chacha is not penalized by the limitations of AES.
    
    In READ_RANDOM_UIO, first attempt to NOWAIT allocate a large enough buffer
    for the entire user request, or the maximal input we'll accept between
    signal checking, whichever is smaller.  The idea is that the implementation
    of any randomdev algorithm is then free to divide up large requests in
    whatever fashion it sees fit.
    
    As part of this, two responsibilities from the "algorithm-generic" randomdev
    code are pushed down into the Fortuna ra_read implementation (and any other
    future or out-of-tree ra_read implementations):
    
      1. If an algorithm needs to rekey every N bytes, it is responsible for
      handling that in ra_read(). (I.e., Fortuna's 1MB rekey interval for AES
      block generation.)
    
      2. If an algorithm uses a block cipher that doesn't tolerate partial-block
      requests (again, e.g., AES), it is also responsible for handling that in
      ra_read().
    
    Several APIs are changed from u_int buffer length to the more canonical
    size_t.  Several APIs are changed from taking a blockcount to a bytecount,
    to permit PRFs like Chacha20 to directly generate quantities of output that
    are not multiples of RANDOM_BLOCKSIZE (AES block size).
    
    The Fortuna algorithm is changed to NOT rekey every 1MiB when in Chacha20
    mode (kern.random.use_chacha20_cipher="1").  This is explicitly supported by
    the math in FS&K ยง9.4 (Ferguson, Schneier, and Kohno; "Cryptography
    Engineering"), as well as by their conclusion: "If we had a block cipher
    with a 256-bit [or greater] block size, then the collisions would not
    have been an issue at all."
    
    For now, continue to break up reads into PAGE_SIZE chunks, as they were
    before.  So, no functional change, mostly.
    
    (cherry picked from commit d0d71d818c28069a8b940b3fb115c2d21a4efba9)
---
 sys/dev/random/fortuna.c           | 129 +++++++++++++++++++++++++------------
 sys/dev/random/hash.c              |  35 ++++++++--
 sys/dev/random/hash.h              |   2 +-
 sys/dev/random/other_algorithm.c   |   8 +--
 sys/dev/random/randomdev.c         | 125 ++++++++++++++++++-----------------
 sys/dev/random/randomdev.h         |   2 +-
 tests/sys/devrandom/uint128_test.c |   3 +-
 7 files changed, 190 insertions(+), 114 deletions(-)

diff --git a/sys/dev/random/fortuna.c b/sys/dev/random/fortuna.c
index b0ab6e88c69e..48620a14c349 100644
--- a/sys/dev/random/fortuna.c
+++ b/sys/dev/random/fortuna.c
@@ -128,7 +128,7 @@ static uint8_t zero_region[RANDOM_ZERO_BLOCKSIZE];
 #endif
 
 static void random_fortuna_pre_read(void);
-static void random_fortuna_read(uint8_t *, u_int);
+static void random_fortuna_read(uint8_t *, size_t);
 static bool random_fortuna_seeded(void);
 static bool random_fortuna_seeded_internal(void);
 static void random_fortuna_process_event(struct harvest_event *);
@@ -305,50 +305,46 @@ random_fortuna_reseed_internal(uint32_t *entropy_data, u_int blockcount)
 	uint128_increment(&fortuna_state.fs_counter);
 }
 
-/*-
- * FS&K - GenerateBlocks()
- * Generate a number of complete blocks of random output.
- */
-static __inline void
-random_fortuna_genblocks(uint8_t *buf, u_int blockcount)
-{
-
-	RANDOM_RESEED_ASSERT_LOCK_OWNED();
-	KASSERT(!uint128_is_zero(fortuna_state.fs_counter), ("FS&K: C != 0"));
-
-	/*
-	 * Fills buf with RANDOM_BLOCKSIZE * blockcount bytes of keystream.
-	 * Increments fs_counter as it goes.
-	 */
-	randomdev_keystream(&fortuna_state.fs_key, &fortuna_state.fs_counter,
-	    buf, blockcount);
-}
-
 /*-
  * FS&K - PseudoRandomData()
- * This generates no more than 2^20 bytes of data, and cleans up its
- * internal state when finished. It is assumed that a whole number of
- * blocks are available for writing; any excess generated will be
- * ignored.
+ *
+ * If Chacha20 is used, output size is unrestricted.  If AES-CTR is used,
+ * output size MUST be <= 1MB and a multiple of RANDOM_BLOCKSIZE.  The
+ * reasoning for this is discussed in FS&K 9.4; the significant distinction
+ * between the two ciphers is that AES has a *block* size of 128 bits while
+ * Chacha has a *block* size of 512 bits.
  */
 static __inline void
-random_fortuna_genrandom(uint8_t *buf, u_int bytecount)
+random_fortuna_genrandom(uint8_t *buf, size_t bytecount)
 {
-	uint8_t temp[RANDOM_BLOCKSIZE * RANDOM_KEYS_PER_BLOCK];
-	u_int blockcount;
+	uint8_t newkey[RANDOM_KEYSIZE];
 
 	RANDOM_RESEED_ASSERT_LOCK_OWNED();
+
 	/*-
-	 * FS&K - assert(n < 2^20 (== 1 MB)
+	 * FS&K - assert(n < 2^20 (== 1 MB)) when 128-bit block cipher is used
 	 *      - r = first-n-bytes(GenerateBlocks(ceil(n/16)))
 	 *      - K = GenerateBlocks(2)
 	 */
-	KASSERT((bytecount <= RANDOM_FORTUNA_MAX_READ), ("invalid single read request to Fortuna of %d bytes", bytecount));
-	blockcount = howmany(bytecount, RANDOM_BLOCKSIZE);
-	random_fortuna_genblocks(buf, blockcount);
-	random_fortuna_genblocks(temp, RANDOM_KEYS_PER_BLOCK);
-	randomdev_encrypt_init(&fortuna_state.fs_key, temp);
-	explicit_bzero(temp, sizeof(temp));
+	KASSERT(random_chachamode || bytecount <= RANDOM_FORTUNA_MAX_READ,
+	    ("%s: invalid large read request: %zu bytes", __func__,
+	     bytecount));
+
+	/*
+	 * This is where FS&K would invoke GenerateBlocks().  GenerateBlocks()
+	 * doesn't make a lot of sense or have much value if we use bytecount
+	 * for the API (which is useful for ciphers that do not require
+	 * block-sized output, like Chacha20).
+	 *
+	 * Just invoke our PRF abstraction directly, which is responsible for
+	 * updating fs_counter ('C').
+	 */
+	randomdev_keystream(&fortuna_state.fs_key, &fortuna_state.fs_counter,
+	    buf, bytecount);
+	randomdev_keystream(&fortuna_state.fs_key, &fortuna_state.fs_counter,
+	    newkey, sizeof(newkey));
+	randomdev_encrypt_init(&fortuna_state.fs_key, newkey);
+	explicit_bzero(newkey, sizeof(newkey));
 }
 
 /*-
@@ -441,18 +437,71 @@ random_fortuna_pre_read(void)
  * FS&K - RandomData() (Part 2)
  * Main read from Fortuna, continued. May be called multiple times after
  * the random_fortuna_pre_read() above.
- * The supplied buf MUST be a multiple of RANDOM_BLOCKSIZE in size.
- * Lots of code presumes this for efficiency, both here and in other
- * routines. You are NOT allowed to break this!
+ *
+ * The supplied buf MAY not be a multiple of RANDOM_BLOCKSIZE in size; it is
+ * the responsibility of the algorithm to accommodate partial block reads, if a
+ * block output mode is used.
  */
 void
-random_fortuna_read(uint8_t *buf, u_int bytecount)
+random_fortuna_read(uint8_t *buf, size_t bytecount)
 {
+	uint8_t remainder_buf[RANDOM_BLOCKSIZE];
+	size_t read_directly_len, read_chunk;
+
+	/*
+	 * The underlying AES generator expects multiples of RANDOM_BLOCKSIZE.
+	 */
+	if (random_chachamode)
+		read_directly_len = bytecount;
+	else
+		read_directly_len = rounddown(bytecount, RANDOM_BLOCKSIZE);
 
-	KASSERT((bytecount % RANDOM_BLOCKSIZE) == 0, ("%s(): bytecount (= %d) must be a multiple of %d", __func__, bytecount, RANDOM_BLOCKSIZE ));
 	RANDOM_RESEED_LOCK();
-	random_fortuna_genrandom(buf, bytecount);
+	KASSERT(!uint128_is_zero(fortuna_state.fs_counter), ("FS&K: C != 0"));
+
+	while (read_directly_len > 0) {
+		/*
+		 * 128-bit block ciphers like AES must be re-keyed at 1MB
+		 * intervals to avoid unacceptable statistical differentiation
+		 * from true random data.
+		 *
+		 * 512-bit block ciphers like Chacha20 do not have this
+		 * problem. (FS&K 9.4)
+		 */
+		if (random_chachamode)
+			read_chunk = read_directly_len;
+		else
+			read_chunk = MIN(read_directly_len,
+			    RANDOM_FORTUNA_MAX_READ);
+
+		/*
+		 * For now, we hold the global Fortuna mutex, so yield
+		 * periodically to provide vague availability to other lock
+		 * users.  PAGE_SIZE is chosen to match existing behavior.
+		 */
+		read_chunk = MIN(read_chunk, PAGE_SIZE);
+
+		random_fortuna_genrandom(buf, read_chunk);
+		buf += read_chunk;
+		read_directly_len -= read_chunk;
+		bytecount -= read_chunk;
+
+		/* Perform the actual yield. */
+		if (read_directly_len != 0) {
+			RANDOM_RESEED_UNLOCK();
+			RANDOM_RESEED_LOCK();
+		}
+	}
+
+	if (bytecount > 0)
+		random_fortuna_genrandom(remainder_buf, sizeof(remainder_buf));
+
 	RANDOM_RESEED_UNLOCK();
+
+	if (bytecount > 0) {
+		memcpy(buf, remainder_buf, bytecount);
+		explicit_bzero(remainder_buf, sizeof(remainder_buf));
+	}
 }
 
 #ifdef _KERNEL
diff --git a/sys/dev/random/hash.c b/sys/dev/random/hash.c
index 113f76e8a041..cd29b74c43a4 100644
--- a/sys/dev/random/hash.c
+++ b/sys/dev/random/hash.c
@@ -125,16 +125,18 @@ randomdev_encrypt_init(union randomdev_key *context, const void *data)
 }
 
 /*
- * Create a psuedorandom output stream of 'blockcount' blocks using a CTR-mode
+ * Create a psuedorandom output stream of 'bytecount' bytes using a CTR-mode
  * cipher or similar.  The 128-bit counter is supplied in the in-out parmeter
- * 'ctr.'  The output stream goes to 'd_out.'  'blockcount' RANDOM_BLOCKSIZE
- * bytes are generated.
+ * 'ctr.'  The output stream goes to 'd_out.'
+ *
+ * If AES is used, 'bytecount' is guaranteed to be a multiple of
+ * RANDOM_BLOCKSIZE.
  */
 void
 randomdev_keystream(union randomdev_key *context, uint128_t *ctr,
-    void *d_out, u_int blockcount)
+    void *d_out, size_t bytecount)
 {
-	u_int i;
+	size_t i, blockcount, read_chunk;
 
 	if (random_chachamode) {
 		uint128_t lectr;
@@ -147,8 +149,20 @@ randomdev_keystream(union randomdev_key *context, uint128_t *ctr,
 		le128enc(&lectr, *ctr);
 
 		chacha_ivsetup(&context->chacha, NULL, (const void *)&lectr);
-		chacha_encrypt_bytes(&context->chacha, NULL, d_out,
-		    RANDOM_BLOCKSIZE * blockcount);
+		while (bytecount > 0) {
+			/*
+			 * We are limited by the chacha_encrypt_bytes API to
+			 * u32 bytes per chunk.
+			 */
+			read_chunk = MIN(bytecount,
+			    rounddown((size_t)UINT32_MAX, CHACHA_BLOCKLEN));
+
+			chacha_encrypt_bytes(&context->chacha, NULL, d_out,
+			    read_chunk);
+
+			d_out = (char *)d_out + read_chunk;
+			bytecount -= read_chunk;
+		}
 
 		/*
 		 * Decode Chacha-updated LE counter to native endian and store
@@ -156,7 +170,14 @@ randomdev_keystream(union randomdev_key *context, uint128_t *ctr,
 		 */
 		chacha_ctrsave(&context->chacha, (void *)&lectr);
 		*ctr = le128dec(&lectr);
+
+		explicit_bzero(&lectr, sizeof(lectr));
 	} else {
+		KASSERT(bytecount % RANDOM_BLOCKSIZE == 0,
+		    ("%s: AES mode invalid bytecount, not a multiple of native "
+		     "block size", __func__));
+
+		blockcount = bytecount / RANDOM_BLOCKSIZE;
 		for (i = 0; i < blockcount; i++) {
 			/*-
 			 * FS&K - r = r|E(K,C)
diff --git a/sys/dev/random/hash.h b/sys/dev/random/hash.h
index e76eaaaf4ccb..ca2f3db56a00 100644
--- a/sys/dev/random/hash.h
+++ b/sys/dev/random/hash.h
@@ -61,7 +61,7 @@ void randomdev_hash_iterate(struct randomdev_hash *, const void *, size_t);
 void randomdev_hash_finish(struct randomdev_hash *, void *);
 
 void randomdev_encrypt_init(union randomdev_key *, const void *);
-void randomdev_keystream(union randomdev_key *context, uint128_t *, void *, u_int);
+void randomdev_keystream(union randomdev_key *context, uint128_t *, void *, size_t);
 void randomdev_getkey(union randomdev_key *, const void **, size_t *);
 
 #endif /* SYS_DEV_RANDOM_HASH_H_INCLUDED */
diff --git a/sys/dev/random/other_algorithm.c b/sys/dev/random/other_algorithm.c
index 57679f53a7da..4ed00c1156ff 100644
--- a/sys/dev/random/other_algorithm.c
+++ b/sys/dev/random/other_algorithm.c
@@ -84,7 +84,7 @@ __FBSDID("$FreeBSD$");
 #endif /* _KERNEL */
 
 static void random_other_pre_read(void);
-static void random_other_read(uint8_t *, u_int);
+static void random_other_read(uint8_t *, size_t);
 static bool random_other_seeded(void);
 static void random_other_process_event(struct harvest_event *);
 static void random_other_init_alg(void *);
@@ -165,10 +165,10 @@ random_other_pre_read(void)
 }
 
 /*
- * void random_other_read(uint8_t *buf, u_int count)
+ * void random_other_read(uint8_t *buf, size_t count)
  *
  * Generate <count> bytes of output into <*buf>.
- * You may use the fact that <count> will be a multiple of
+ * You may NOT use the fact that <count> will be a multiple of
  * RANDOM_BLOCKSIZE for optimization purposes.
  *
  * This function will always be called with your generator
@@ -176,7 +176,7 @@ random_other_pre_read(void)
  * output here, then feel free to KASSERT() or panic().
  */
 static void
-random_other_read(uint8_t *buf, u_int count)
+random_other_read(uint8_t *buf, size_t count)
 {
 
 	RANDOM_RESEED_LOCK();
diff --git a/sys/dev/random/randomdev.c b/sys/dev/random/randomdev.c
index e20669b3c207..8af39deeb34b 100644
--- a/sys/dev/random/randomdev.c
+++ b/sys/dev/random/randomdev.c
@@ -172,17 +172,21 @@ randomdev_wait_until_seeded(bool interruptible)
 int
 READ_RANDOM_UIO(struct uio *uio, bool nonblock)
 {
-	uint8_t *random_buf;
-	int error;
-	ssize_t read_len, total_read, c;
 	/* 16 MiB takes about 0.08 s CPU time on my 2017 AMD Zen CPU */
 #define SIGCHK_PERIOD (16 * 1024 * 1024)
 	const size_t sigchk_period = SIGCHK_PERIOD;
-
 	CTASSERT(SIGCHK_PERIOD % PAGE_SIZE == 0);
 #undef SIGCHK_PERIOD
 
-	random_buf = malloc(PAGE_SIZE, M_ENTROPY, M_WAITOK);
+	uint8_t *random_buf;
+	size_t total_read, read_len;
+	ssize_t bufsize;
+	int error;
+
+
+	KASSERT(uio->uio_rw == UIO_READ, ("%s: bogus write", __func__));
+	KASSERT(uio->uio_resid >= 0, ("%s: bogus negative resid", __func__));
+
 	p_random_alg_context->ra_pre_read();
 	error = 0;
 	/* (Un)Blocking logic */
@@ -193,44 +197,64 @@ READ_RANDOM_UIO(struct uio *uio, bool nonblock)
 			error = randomdev_wait_until_seeded(
 			    SEEDWAIT_INTERRUPTIBLE);
 	}
-	if (error == 0) {
-		read_rate_increment((uio->uio_resid + sizeof(uint32_t))/sizeof(uint32_t));
-		total_read = 0;
-		while (uio->uio_resid && !error) {
-			read_len = uio->uio_resid;
-			/*
-			 * Belt-and-braces.
-			 * Round up the read length to a crypto block size multiple,
-			 * which is what the underlying generator is expecting.
-			 * See the random_buf size requirements in the Fortuna code.
-			 */
-			read_len = roundup(read_len, RANDOM_BLOCKSIZE);
-			/* Work in chunks page-sized or less */
-			read_len = MIN(read_len, PAGE_SIZE);
-			p_random_alg_context->ra_read(random_buf, read_len);
-			c = MIN(uio->uio_resid, read_len);
-			/*
-			 * uiomove() may yield the CPU before each 'c' bytes
-			 * (up to PAGE_SIZE) are copied out.
-			 */
-			error = uiomove(random_buf, c, uio);
-			total_read += c;
-			/*
-			 * Poll for signals every few MBs to avoid very long
-			 * uninterruptible syscalls.
-			 */
-			if (error == 0 && uio->uio_resid != 0 &&
-			    total_read % sigchk_period == 0) {
-				error = tsleep_sbt(&random_alg_context, PCATCH,
-				    "randrd", SBT_1NS, 0, C_HARDCLOCK);
-				/* Squash tsleep timeout condition */
-				if (error == EWOULDBLOCK)
-					error = 0;
-			}
+	if (error != 0)
+		return (error);
+
+	read_rate_increment(howmany(uio->uio_resid + 1, sizeof(uint32_t)));
+	total_read = 0;
+
+	/* Easy to deal with the trivial 0 byte case. */
+	if (__predict_false(uio->uio_resid == 0))
+		return (0);
+
+	/*
+	 * If memory is plentiful, use maximally sized requests to avoid
+	 * per-call algorithm overhead.  But fall back to a single page
+	 * allocation if the full request isn't immediately available.
+	 */
+	bufsize = MIN(sigchk_period, (size_t)uio->uio_resid);
+	random_buf = malloc(bufsize, M_ENTROPY, M_NOWAIT);
+	if (random_buf == NULL) {
+		bufsize = PAGE_SIZE;
+		random_buf = malloc(bufsize, M_ENTROPY, M_WAITOK);
+	}
+
+	error = 0;
+	while (uio->uio_resid > 0 && error == 0) {
+		read_len = MIN((size_t)uio->uio_resid, bufsize);
+
+		p_random_alg_context->ra_read(random_buf, read_len);
+
+		/*
+		 * uiomove() may yield the CPU before each 'read_len' bytes (up
+		 * to bufsize) are copied out.
+		 */
+		error = uiomove(random_buf, read_len, uio);
+		total_read += read_len;
+
+		/*
+		 * Poll for signals every few MBs to avoid very long
+		 * uninterruptible syscalls.
+		 */
+		if (error == 0 && uio->uio_resid != 0 &&
+		    total_read % sigchk_period == 0) {
+			error = tsleep_sbt(&random_alg_context, PCATCH,
+			    "randrd", SBT_1NS, 0, C_HARDCLOCK);
+			/* Squash tsleep timeout condition */
+			if (error == EWOULDBLOCK)
+				error = 0;
 		}
-		if (error == ERESTART || error == EINTR)
-			error = 0;
 	}
+
+	/*
+	 * Short reads due to signal interrupt should not indicate error.
+	 * Instead, the uio will reflect that the read was shorter than
+	 * requested.
+	 */
+	if (error == ERESTART || error == EINTR)
+		error = 0;
+
+	explicit_bzero(random_buf, bufsize);
 	free(random_buf, M_ENTROPY);
 	return (error);
 }
@@ -249,7 +273,6 @@ READ_RANDOM_UIO(struct uio *uio, bool nonblock)
 void
 READ_RANDOM(void *random_buf, u_int len)
 {
-	u_int read_directly_len;
 
 	KASSERT(random_buf != NULL, ("No suitable random buffer in %s", __func__));
 	p_random_alg_context->ra_pre_read();
@@ -278,23 +301,7 @@ READ_RANDOM(void *random_buf, u_int len)
 		(void)randomdev_wait_until_seeded(SEEDWAIT_UNINTERRUPTIBLE);
 	}
 	read_rate_increment(roundup2(len, sizeof(uint32_t)));
-	/*
-	 * The underlying generator expects multiples of
-	 * RANDOM_BLOCKSIZE.
-	 */
-	read_directly_len = rounddown(len, RANDOM_BLOCKSIZE);
-	if (read_directly_len > 0)
-		p_random_alg_context->ra_read(random_buf, read_directly_len);
-	if (read_directly_len < len) {
-		uint8_t remainder_buf[RANDOM_BLOCKSIZE];
-
-		p_random_alg_context->ra_read(remainder_buf,
-		    sizeof(remainder_buf));
-		memcpy((char *)random_buf + read_directly_len, remainder_buf,
-		    len - read_directly_len);
-
-		explicit_bzero(remainder_buf, sizeof(remainder_buf));
-	}
+	p_random_alg_context->ra_read(random_buf, len);
 }
 
 bool
diff --git a/sys/dev/random/randomdev.h b/sys/dev/random/randomdev.h
index 91c93aee0805..3f9b0f3acc74 100644
--- a/sys/dev/random/randomdev.h
+++ b/sys/dev/random/randomdev.h
@@ -68,7 +68,7 @@ struct harvest_event;
 typedef void random_alg_init_t(void *);
 typedef void random_alg_deinit_t(void *);
 typedef void random_alg_pre_read_t(void);
-typedef void random_alg_read_t(uint8_t *, u_int);
+typedef void random_alg_read_t(uint8_t *, size_t);
 typedef bool random_alg_seeded_t(void);
 typedef void random_alg_reseed_t(void);
 typedef void random_alg_eventprocessor_t(struct harvest_event *);
diff --git a/tests/sys/devrandom/uint128_test.c b/tests/sys/devrandom/uint128_test.c
index 0e02b227f668..c621b0cc1a8d 100644
--- a/tests/sys/devrandom/uint128_test.c
+++ b/tests/sys/devrandom/uint128_test.c
@@ -209,8 +209,7 @@ ATF_TC_BODY(uint128_chacha_ctr, tc)
 		vec_u32_tole128(expectedle, tests[i].expected);
 
 		a = le128dec(inputle);
-		randomdev_keystream(&context, &a, trash, sizeof(trash) /
-		    RANDOM_BLOCKSIZE);
+		randomdev_keystream(&context, &a, trash, sizeof(trash));
 		u128_check_equality(le128dec(expectedle), a, tests[i].descr);
 	}