projects / openwrt / staging / jow.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
urandom-seed: use seedrng for seeding the random number generator
[openwrt/staging/jow.git] / package / system / urandom-seed / seedrng.c
1 // SPDX-License-Identifier: (GPL-2.0 OR MIT OR Apache-2.0)
2 /*
3 * Copyright (C) 2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
4 */
5
6 #include <linux/random.h>
7 #include <sys/random.h>
8 #include <sys/ioctl.h>
9 #include <sys/file.h>
10 #include <sys/stat.h>
11 #include <sys/types.h>
12 #include <fcntl.h>
13 #include <poll.h>
14 #include <unistd.h>
15 #include <time.h>
16 #include <errno.h>
17 #include <endian.h>
18 #include <stdbool.h>
19 #include <stdint.h>
20 #include <string.h>
21 #include <stdio.h>
22 #include <stdlib.h>
23
24 #define SEED_DIR "/etc/seedrng"
25 #define CREDITABLE_SEED SEED_DIR "/seed.credit"
26 #define NON_CREDITABLE_SEED SEED_DIR "/seed.no-credit"
27 #define LOCK_FILE "/tmp/run/seedrng.lock"
28
29 enum blake2s_lengths {
30 BLAKE2S_BLOCK_LEN = 64,
31 BLAKE2S_HASH_LEN = 32,
32 BLAKE2S_KEY_LEN = 32
33 };
34
35 enum seedrng_lengths {
36 MAX_SEED_LEN = 512,
37 MIN_SEED_LEN = BLAKE2S_HASH_LEN
38 };
39
40 struct blake2s_state {
41 uint32_t h[8];
42 uint32_t t[2];
43 uint32_t f[2];
44 uint8_t buf[BLAKE2S_BLOCK_LEN];
45 unsigned int buflen;
46 unsigned int outlen;
47 };
48
49 #define le32_to_cpup(a) le32toh(*(a))
50 #define cpu_to_le32(a) htole32(a)
51 #ifndef ARRAY_SIZE
52 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
53 #endif
54 #ifndef DIV_ROUND_UP
55 #define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
56 #endif
57
58 static inline void cpu_to_le32_array(uint32_t *buf, unsigned int words)
59 {
60 while (words--) {
61 *buf = cpu_to_le32(*buf);
62 ++buf;
63 }
64 }
65
66 static inline void le32_to_cpu_array(uint32_t *buf, unsigned int words)
67 {
68 while (words--) {
69 *buf = le32_to_cpup(buf);
70 ++buf;
71 }
72 }
73
74 static inline uint32_t ror32(uint32_t word, unsigned int shift)
75 {
76 return (word >> (shift & 31)) | (word << ((-shift) & 31));
77 }
78
79 static const uint32_t blake2s_iv[8] = {
80 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL,
81 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL
82 };
83
84 static const uint8_t blake2s_sigma[10][16] = {
85 { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
86 { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
87 { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
88 { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
89 { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
90 { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
91 { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
92 { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
93 { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
94 { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
95 };
96
97 static void blake2s_set_lastblock(struct blake2s_state *state)
98 {
99 state->f[0] = -1;
100 }
101
102 static void blake2s_increment_counter(struct blake2s_state *state, const uint32_t inc)
103 {
104 state->t[0] += inc;
105 state->t[1] += (state->t[0] < inc);
106 }
107
108 static void blake2s_init_param(struct blake2s_state *state, const uint32_t param)
109 {
110 int i;
111
112 memset(state, 0, sizeof(*state));
113 for (i = 0; i < 8; ++i)
114 state->h[i] = blake2s_iv[i];
115 state->h[0] ^= param;
116 }
117
118 static void blake2s_init(struct blake2s_state *state, const size_t outlen)
119 {
120 blake2s_init_param(state, 0x01010000 | outlen);
121 state->outlen = outlen;
122 }
123
124 static void blake2s_compress(struct blake2s_state *state, const uint8_t *block, size_t nblocks, const uint32_t inc)
125 {
126 uint32_t m[16];
127 uint32_t v[16];
128 int i;
129
130 while (nblocks > 0) {
131 blake2s_increment_counter(state, inc);
132 memcpy(m, block, BLAKE2S_BLOCK_LEN);
133 le32_to_cpu_array(m, ARRAY_SIZE(m));
134 memcpy(v, state->h, 32);
135 v[ 8] = blake2s_iv[0];
136 v[ 9] = blake2s_iv[1];
137 v[10] = blake2s_iv[2];
138 v[11] = blake2s_iv[3];
139 v[12] = blake2s_iv[4] ^ state->t[0];
140 v[13] = blake2s_iv[5] ^ state->t[1];
141 v[14] = blake2s_iv[6] ^ state->f[0];
142 v[15] = blake2s_iv[7] ^ state->f[1];
143
144 #define G(r, i, a, b, c, d) do { \
145 a += b + m[blake2s_sigma[r][2 * i + 0]]; \
146 d = ror32(d ^ a, 16); \
147 c += d; \
148 b = ror32(b ^ c, 12); \
149 a += b + m[blake2s_sigma[r][2 * i + 1]]; \
150 d = ror32(d ^ a, 8); \
151 c += d; \
152 b = ror32(b ^ c, 7); \
153 } while (0)
154
155 #define ROUND(r) do { \
156 G(r, 0, v[0], v[ 4], v[ 8], v[12]); \
157 G(r, 1, v[1], v[ 5], v[ 9], v[13]); \
158 G(r, 2, v[2], v[ 6], v[10], v[14]); \
159 G(r, 3, v[3], v[ 7], v[11], v[15]); \
160 G(r, 4, v[0], v[ 5], v[10], v[15]); \
161 G(r, 5, v[1], v[ 6], v[11], v[12]); \
162 G(r, 6, v[2], v[ 7], v[ 8], v[13]); \
163 G(r, 7, v[3], v[ 4], v[ 9], v[14]); \
164 } while (0)
165 ROUND(0);
166 ROUND(1);
167 ROUND(2);
168 ROUND(3);
169 ROUND(4);
170 ROUND(5);
171 ROUND(6);
172 ROUND(7);
173 ROUND(8);
174 ROUND(9);
175
176 #undef G
177 #undef ROUND
178
179 for (i = 0; i < 8; ++i)
180 state->h[i] ^= v[i] ^ v[i + 8];
181
182 block += BLAKE2S_BLOCK_LEN;
183 --nblocks;
184 }
185 }
186
187 static void blake2s_update(struct blake2s_state *state, const void *inp, size_t inlen)
188 {
189 const size_t fill = BLAKE2S_BLOCK_LEN - state->buflen;
190 const uint8_t *in = inp;
191
192 if (!inlen)
193 return;
194 if (inlen > fill) {
195 memcpy(state->buf + state->buflen, in, fill);
196 blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_LEN);
197 state->buflen = 0;
198 in += fill;
199 inlen -= fill;
200 }
201 if (inlen > BLAKE2S_BLOCK_LEN) {
202 const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_LEN);
203 blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_LEN);
204 in += BLAKE2S_BLOCK_LEN * (nblocks - 1);
205 inlen -= BLAKE2S_BLOCK_LEN * (nblocks - 1);
206 }
207 memcpy(state->buf + state->buflen, in, inlen);
208 state->buflen += inlen;
209 }
210
211 static void blake2s_final(struct blake2s_state *state, uint8_t *out)
212 {
213 blake2s_set_lastblock(state);
214 memset(state->buf + state->buflen, 0, BLAKE2S_BLOCK_LEN - state->buflen);
215 blake2s_compress(state, state->buf, 1, state->buflen);
216 cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
217 memcpy(out, state->h, state->outlen);
218 }
219
220 static size_t determine_optimal_seed_len(void)
221 {
222 size_t ret = 0;
223 char poolsize_str[11] = { 0 };
224 int fd = open("/proc/sys/kernel/random/poolsize", O_RDONLY);
225
226 if (fd < 0 || read(fd, poolsize_str, sizeof(poolsize_str) - 1) < 0) {
227 fprintf(stderr, "WARNING: Unable to determine pool size, falling back to %u bits: %s\n", MIN_SEED_LEN * 8, strerror(errno));
228 ret = MIN_SEED_LEN;
229 } else
230 ret = DIV_ROUND_UP(strtoul(poolsize_str, NULL, 10), 8);
231 if (fd >= 0)
232 close(fd);
233 if (ret < MIN_SEED_LEN)
234 ret = MIN_SEED_LEN;
235 else if (ret > MAX_SEED_LEN)
236 ret = MAX_SEED_LEN;
237 return ret;
238 }
239
240 static int read_new_seed(uint8_t *seed, size_t len, bool *is_creditable)
241 {
242 ssize_t ret;
243 int urandom_fd;
244
245 *is_creditable = false;
246 ret = getrandom(seed, len, GRND_NONBLOCK);
247 if (ret == (ssize_t)len) {
248 *is_creditable = true;
249 return 0;
250 } else if (ret < 0 && errno == ENOSYS) {
251 struct pollfd random_fd = {
252 .fd = open("/dev/random", O_RDONLY),
253 .events = POLLIN
254 };
255 if (random_fd.fd < 0)
256 return -errno;
257 *is_creditable = poll(&random_fd, 1, 0) == 1;
258 close(random_fd.fd);
259 } else if (getrandom(seed, len, GRND_INSECURE) == (ssize_t)len)
260 return 0;
261 urandom_fd = open("/dev/urandom", O_RDONLY);
262 if (urandom_fd < 0)
263 return -errno;
264 ret = read(urandom_fd, seed, len);
265 if (ret == (ssize_t)len)
266 ret = 0;
267 else
268 ret = -errno ? -errno : -EIO;
269 close(urandom_fd);
270 return ret;
271 }
272
273 static int seed_rng(uint8_t *seed, size_t len, bool credit)
274 {
275 struct {
276 int entropy_count;
277 int buf_size;
278 uint8_t buffer[MAX_SEED_LEN];
279 } req = {
280 .entropy_count = credit ? len * 8 : 0,
281 .buf_size = len
282 };
283 int random_fd, ret;
284
285 if (len > sizeof(req.buffer))
286 return -EFBIG;
287 memcpy(req.buffer, seed, len);
288
289 random_fd = open("/dev/random", O_RDWR);
290 if (random_fd < 0)
291 return -errno;
292 ret = ioctl(random_fd, RNDADDENTROPY, &req);
293 if (ret)
294 ret = -errno ? -errno : -EIO;
295 close(random_fd);
296 return ret;
297 }
298
299 static int seed_from_file_if_exists(const char *filename, bool credit, struct blake2s_state *hash)
300 {
301 uint8_t seed[MAX_SEED_LEN];
302 ssize_t seed_len;
303 int fd, dfd, ret = 0;
304
305 fd = open(filename, O_RDONLY);
306 if (fd < 0 && errno == ENOENT)
307 return 0;
308 else if (fd < 0) {
309 ret = -errno;
310 fprintf(stderr, "ERROR: Unable to open seed file: %s\n", strerror(errno));
311 return ret;
312 }
313 dfd = open(SEED_DIR, O_DIRECTORY | O_RDONLY);
314 if (dfd < 0) {
315 ret = -errno;
316 close(fd);
317 fprintf(stderr, "ERROR: Unable to open seed directory: %s\n", strerror(errno));
318 return ret;
319 }
320 seed_len = read(fd, seed, sizeof(seed));
321 if (seed_len < 0) {
322 ret = -errno;
323 fprintf(stderr, "ERROR: Unable to read seed file: %s\n", strerror(errno));
324 }
325 close(fd);
326 if (ret) {
327 close(dfd);
328 return ret;
329 }
330 if ((unlink(filename) < 0 || fsync(dfd) < 0) && seed_len) {
331 ret = -errno;
332 fprintf(stderr, "ERROR: Unable to remove seed after reading, so not seeding: %s\n", strerror(errno));
333 }
334 close(dfd);
335 if (ret)
336 return ret;
337 if (!seed_len)
338 return 0;
339
340 blake2s_update(hash, &seed_len, sizeof(seed_len));
341 blake2s_update(hash, seed, seed_len);
342
343 fprintf(stdout, "Seeding %zd bits %s crediting\n", seed_len * 8, credit ? "and" : "without");
344 ret = seed_rng(seed, seed_len, credit);
345 if (ret < 0)
346 fprintf(stderr, "ERROR: Unable to seed: %s\n", strerror(-ret));
347 return ret;
348 }
349
350 static bool skip_credit(void)
351 {
352 const char *skip = getenv("SEEDRNG_SKIP_CREDIT");
353 return skip && (!strcmp(skip, "1") || !strcasecmp(skip, "true") ||
354 !strcasecmp(skip, "yes") || !strcasecmp(skip, "y"));
355 }
356
357 int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
358 {
359 static const char seedrng_prefix[] = "SeedRNG v1 Old+New Prefix";
360 static const char seedrng_failure[] = "SeedRNG v1 No New Seed Failure";
361 int ret, fd = -1, lock, program_ret = 0;
362 uint8_t new_seed[MAX_SEED_LEN];
363 size_t new_seed_len;
364 bool new_seed_creditable;
365 struct timespec realtime = { 0 }, boottime = { 0 };
366 struct blake2s_state hash;
367
368 umask(0077);
369 if (getuid()) {
370 fprintf(stderr, "ERROR: This program requires root\n");
371 return 1;
372 }
373
374 blake2s_init(&hash, BLAKE2S_HASH_LEN);
375 blake2s_update(&hash, seedrng_prefix, strlen(seedrng_prefix));
376 clock_gettime(CLOCK_REALTIME, &realtime);
377 clock_gettime(CLOCK_BOOTTIME, &boottime);
378 blake2s_update(&hash, &realtime, sizeof(realtime));
379 blake2s_update(&hash, &boottime, sizeof(boottime));
380
381 if (mkdir(SEED_DIR, 0700) < 0 && errno != EEXIST) {
382 fprintf(stderr, "ERROR: Unable to create \"%s\" directory: %s\n", SEED_DIR, strerror(errno));
383 return 1;
384 }
385
386 lock = open(LOCK_FILE, O_WRONLY | O_CREAT, 0000);
387 if (lock < 0 || flock(lock, LOCK_EX) < 0) {
388 fprintf(stderr, "ERROR: Unable to open lock file: %s\n", strerror(errno));
389 program_ret = 1;
390 goto out;
391 }
392
393 ret = seed_from_file_if_exists(NON_CREDITABLE_SEED, false, &hash);
394 if (ret < 0)
395 program_ret |= 1 << 1;
396 ret = seed_from_file_if_exists(CREDITABLE_SEED, !skip_credit(), &hash);
397 if (ret < 0)
398 program_ret |= 1 << 2;
399
400 new_seed_len = determine_optimal_seed_len();
401 ret = read_new_seed(new_seed, new_seed_len, &new_seed_creditable);
402 if (ret < 0) {
403 fprintf(stderr, "ERROR: Unable to read new seed: %s\n", strerror(-ret));
404 new_seed_len = BLAKE2S_HASH_LEN;
405 strncpy((char *)new_seed, seedrng_failure, new_seed_len);
406 program_ret |= 1 << 3;
407 }
408 blake2s_update(&hash, &new_seed_len, sizeof(new_seed_len));
409 blake2s_update(&hash, new_seed, new_seed_len);
410 blake2s_final(&hash, new_seed + new_seed_len - BLAKE2S_HASH_LEN);
411
412 fprintf(stdout, "Saving %zu bits of %s seed for next boot\n", new_seed_len * 8, new_seed_creditable ? "creditable" : "non-creditable");
413 fd = open(NON_CREDITABLE_SEED, O_WRONLY | O_CREAT | O_TRUNC, 0400);
414 if (fd < 0) {
415 fprintf(stderr, "ERROR: Unable to open seed file for writing: %s\n", strerror(errno));
416 program_ret |= 1 << 4;
417 goto out;
418 }
419 if (write(fd, new_seed, new_seed_len) != (ssize_t)new_seed_len || fsync(fd) < 0) {
420 fprintf(stderr, "ERROR: Unable to write seed file: %s\n", strerror(errno));
421 program_ret |= 1 << 5;
422 goto out;
423 }
424 if (new_seed_creditable && rename(NON_CREDITABLE_SEED, CREDITABLE_SEED) < 0) {
425 fprintf(stderr, "WARNING: Unable to make new seed creditable: %s\n", strerror(errno));
426 program_ret |= 1 << 6;
427 }
428 out:
429 if (fd >= 0)
430 close(fd);
431 if (lock >= 0)
432 close(lock);
433 return program_ret;
434 }
Staging tree of Jo-Philipp Wich