2005-04-16 15:20:36 -07:00
|
|
|
/*
|
|
|
|
* include/linux/random.h
|
|
|
|
*
|
|
|
|
* Include file for the random number generator.
|
|
|
|
*/
|
|
|
|
#ifndef _LINUX_RANDOM_H
|
|
|
|
#define _LINUX_RANDOM_H
|
|
|
|
|
2012-10-13 10:46:48 +01:00
|
|
|
#include <uapi/linux/random.h>
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
|
2012-07-04 11:16:01 -04:00
|
|
|
extern void add_device_randomness(const void *, unsigned int);
|
2005-04-16 15:20:36 -07:00
|
|
|
extern void add_input_randomness(unsigned int type, unsigned int code,
|
|
|
|
unsigned int value);
|
2012-07-02 07:52:16 -04:00
|
|
|
extern void add_interrupt_randomness(int irq, int irq_flags);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
extern void get_random_bytes(void *buf, int nbytes);
|
random: add new get_random_bytes_arch() function
Create a new function, get_random_bytes_arch() which will use the
architecture-specific hardware random number generator if it is
present. Change get_random_bytes() to not use the HW RNG, even if it
is avaiable.
The reason for this is that the hw random number generator is fast (if
it is present), but it requires that we trust the hardware
manufacturer to have not put in a back door. (For example, an
increasing counter encrypted by an AES key known to the NSA.)
It's unlikely that Intel (for example) was paid off by the US
Government to do this, but it's impossible for them to prove otherwise
--- especially since Bull Mountain is documented to use AES as a
whitener. Hence, the output of an evil, trojan-horse version of
RDRAND is statistically indistinguishable from an RDRAND implemented
to the specifications claimed by Intel. Short of using a tunnelling
electronic microscope to reverse engineer an Ivy Bridge chip and
disassembling and analyzing the CPU microcode, there's no way for us
to tell for sure.
Since users of get_random_bytes() in the Linux kernel need to be able
to support hardware systems where the HW RNG is not present, most
time-sensitive users of this interface have already created their own
cryptographic RNG interface which uses get_random_bytes() as a seed.
So it's much better to use the HW RNG to improve the existing random
number generator, by mixing in any entropy returned by the HW RNG into
/dev/random's entropy pool, but to always _use_ /dev/random's entropy
pool.
This way we get almost of the benefits of the HW RNG without any
potential liabilities. The only benefits we forgo is the
speed/performance enhancements --- and generic kernel code can't
depend on depend on get_random_bytes() having the speed of a HW RNG
anyway.
For those places that really want access to the arch-specific HW RNG,
if it is available, we provide get_random_bytes_arch().
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org
2012-07-05 10:35:23 -04:00
|
|
|
extern void get_random_bytes_arch(void *buf, int nbytes);
|
2005-04-16 15:20:36 -07:00
|
|
|
void generate_random_uuid(unsigned char uuid_out[16]);
|
2013-09-10 10:52:35 -04:00
|
|
|
extern int random_int_secret_init(void);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
#ifndef MODULE
|
2007-02-12 00:55:28 -08:00
|
|
|
extern const struct file_operations random_fops, urandom_fops;
|
2005-04-16 15:20:36 -07:00
|
|
|
#endif
|
|
|
|
|
|
|
|
unsigned int get_random_int(void);
|
|
|
|
unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len);
|
|
|
|
|
2012-12-17 16:04:23 -08:00
|
|
|
u32 prandom_u32(void);
|
2012-12-17 16:04:25 -08:00
|
|
|
void prandom_bytes(void *buf, int nbytes);
|
2012-12-17 16:04:23 -08:00
|
|
|
void prandom_seed(u32 seed);
|
2013-11-11 12:20:34 +01:00
|
|
|
void prandom_reseed_late(void);
|
2006-10-17 00:09:42 -07:00
|
|
|
|
2012-12-17 16:04:23 -08:00
|
|
|
u32 prandom_u32_state(struct rnd_state *);
|
2012-12-17 16:04:25 -08:00
|
|
|
void prandom_bytes_state(struct rnd_state *state, void *buf, int nbytes);
|
2010-05-26 14:44:13 -07:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Handle minimum values for seeds
|
|
|
|
*/
|
|
|
|
static inline u32 __seed(u32 x, u32 m)
|
|
|
|
{
|
|
|
|
return (x < m) ? x + m : x;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2012-12-17 16:04:23 -08:00
|
|
|
* prandom_seed_state - set seed for prandom_u32_state().
|
2010-05-26 14:44:13 -07:00
|
|
|
* @state: pointer to state structure to receive the seed.
|
|
|
|
* @seed: arbitrary 64-bit value to use as a seed.
|
|
|
|
*/
|
2012-12-17 16:04:23 -08:00
|
|
|
static inline void prandom_seed_state(struct rnd_state *state, u64 seed)
|
2010-05-26 14:44:13 -07:00
|
|
|
{
|
|
|
|
u32 i = (seed >> 32) ^ (seed << 10) ^ seed;
|
|
|
|
|
random32: fix off-by-one in seeding requirement
For properly initialising the Tausworthe generator [1], we have
a strict seeding requirement, that is, s1 > 1, s2 > 7, s3 > 15.
Commit 697f8d0348 ("random32: seeding improvement") introduced
a __seed() function that imposes boundary checks proposed by the
errata paper [2] to properly ensure above conditions.
However, we're off by one, as the function is implemented as:
"return (x < m) ? x + m : x;", and called with __seed(X, 1),
__seed(X, 7), __seed(X, 15). Thus, an unwanted seed of 1, 7, 15
would be possible, whereas the lower boundary should actually
be of at least 2, 8, 16, just as GSL does. Fix this, as otherwise
an initialization with an unwanted seed could have the effect
that Tausworthe's PRNG properties cannot not be ensured.
Note that this PRNG is *not* used for cryptography in the kernel.
[1] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme.ps
[2] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme2.ps
Joint work with Hannes Frederic Sowa.
Fixes: 697f8d0348a6 ("random32: seeding improvement")
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-11-11 12:20:32 +01:00
|
|
|
state->s1 = __seed(i, 2);
|
|
|
|
state->s2 = __seed(i, 8);
|
|
|
|
state->s3 = __seed(i, 16);
|
2010-05-26 14:44:13 -07:00
|
|
|
}
|
|
|
|
|
2011-07-31 13:54:50 -07:00
|
|
|
#ifdef CONFIG_ARCH_RANDOM
|
|
|
|
# include <asm/archrandom.h>
|
|
|
|
#else
|
|
|
|
static inline int arch_get_random_long(unsigned long *v)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
static inline int arch_get_random_int(unsigned int *v)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2013-01-22 09:49:50 +00:00
|
|
|
/* Pseudo random number generator from numerical recipes. */
|
|
|
|
static inline u32 next_pseudo_random32(u32 seed)
|
|
|
|
{
|
|
|
|
return seed * 1664525 + 1013904223;
|
|
|
|
}
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
#endif /* _LINUX_RANDOM_H */
|