kris
/
pqcrypto
kopie van https://github.com/henrydcase/pqc.git
1
1
Vork 0
Code Kwesties 1 Publicaties 2 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1131 Commits
9 Branches
73 MiB
 
 
 
Tree: e7b5cfe9f8
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van 'e7b5cfe9f8'
${ noResults }
pqcrypto/3rd/jitterentropy/jitterentropy-noise.c

425 regels
13 KiB
Ruw Blame Geschiedenis 

  1. /* Jitter RNG: Noise Sources

  2.  *

  3.  * Copyright (C) 2021 - 2022, Stephan Mueller <smueller@chronox.de>

  4.  *

  5.  * License: see LICENSE file in root directory

  6.  *

  7.  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED

  8.  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

  9.  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF

  10.  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE

  11.  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

  12.  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT

  13.  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR

  14.  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

  15.  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

  16.  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE

  17.  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH

  18.  * DAMAGE.

  19.  */

  20. 

  21. #include "jitterentropy-noise.h"

  22. #include "jitterentropy-health.h"

  23. #include "jitterentropy-timer.h"

  24. #include "jitterentropy-sha3.h"

  25. 

  26. #define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)]))

  27. 

  28. /***************************************************************************

  29.  * Noise sources

  30.  ***************************************************************************/

  31. 

  32. /**

  33.  * Update of the loop count used for the next round of

  34.  * an entropy collection.

  35.  *

  36.  * @ec [in] entropy collector struct

  37.  * @bits [in] is the number of low bits of the timer to consider

  38.  * @min [in] is the number of bits we shift the timer value to the right at

  39.  *	     the end to make sure we have a guaranteed minimum value

  40.  *

  41.  * @return Newly calculated loop counter

  42.  */

  43. static uint64_t jent_loop_shuffle(struct rand_data *ec,

  44. 				  unsigned int bits, unsigned int min)

  45. {

  46. #ifdef JENT_CONF_DISABLE_LOOP_SHUFFLE

  47. 

  48. 	(void)ec;

  49. 	(void)bits;

  50. 

  51. 	return (UINT64_C(1)<<min);

  52. 

  53. #else /* JENT_CONF_DISABLE_LOOP_SHUFFLE */

  54. 

  55. 	uint64_t time = 0;

  56. 	uint64_t shuffle = 0;

  57. 	uint64_t mask = (UINT64_C(1)<<bits) - 1;

  58. 	unsigned int i = 0;

  59. 

  60. 	/*

  61. 	 * Mix the current state of the random number into the shuffle

  62. 	 * calculation to balance that shuffle a bit more.

  63. 	 */

  64. 	jent_get_nstime_internal(ec, &time);

  65. 

  66. 	/*

  67. 	 * We fold the time value as much as possible to ensure that as many

  68. 	 * bits of the time stamp are included as possible.

  69. 	 */

  70. 	for (i = 0; (((sizeof(time) << 3) + bits - 1) / bits) > i; i++) {

  71. 		shuffle ^= time & mask;

  72. 		time = time >> bits;

  73. 	}

  74. 

  75. 	/*

  76. 	 * We add a lower boundary value to ensure we have a minimum

  77. 	 * RNG loop count.

  78. 	 */

  79. 	return (shuffle + (UINT64_C(1)<<min));

  80. 

  81. #endif /* JENT_CONF_DISABLE_LOOP_SHUFFLE */

  82. }

  83. 

  84. /**

  85.  * CPU Jitter noise source -- this is the noise source based on the CPU

  86.  * 			      execution time jitter

  87.  *

  88.  * This function injects the individual bits of the time value into the

  89.  * entropy pool using a hash.

  90.  *

  91.  * @ec [in] entropy collector struct

  92.  * @time [in] time delta to be injected

  93.  * @loop_cnt [in] if a value not equal to 0 is set, use the given value as

  94.  *		  number of loops to perform the hash operation

  95.  * @stuck [in] Is the time delta identified as stuck?

  96.  *

  97.  * Output:

  98.  * updated hash context

  99.  */

  100. static void jent_hash_time(struct rand_data *ec, uint64_t time,

  101. 			   uint64_t loop_cnt, unsigned int stuck)

  102. {

  103. 	HASH_CTX_ON_STACK(ctx);

  104. 	uint8_t intermediary[SHA3_256_SIZE_DIGEST];

  105. 	uint64_t j = 0;

  106. #define MAX_HASH_LOOP 3

  107. #define MIN_HASH_LOOP 0

  108. 

  109. 	/* Ensure that macros cannot overflow jent_loop_shuffle() */

  110. 	BUILD_BUG_ON((MAX_HASH_LOOP + MIN_HASH_LOOP) > 63);

  111. 	uint64_t hash_loop_cnt =

  112. 		jent_loop_shuffle(ec, MAX_HASH_LOOP, MIN_HASH_LOOP);

  113. 

  114. 	/* Use the memset to shut up valgrind */

  115. 	memset(intermediary, 0, sizeof(intermediary));

  116. 

  117. 	sha3_256_init(&ctx);

  118. 

  119. 	/*

  120. 	 * testing purposes -- allow test app to set the counter, not

  121. 	 * needed during runtime

  122. 	 */

  123. 	if (loop_cnt)

  124. 		hash_loop_cnt = loop_cnt;

  125. 

  126. 	/*

  127. 	 * This loop fills a buffer which is injected into the entropy pool.

  128. 	 * The main reason for this loop is to execute something over which we

  129. 	 * can perform a timing measurement. The injection of the resulting

  130. 	 * data into the pool is performed to ensure the result is used and

  131. 	 * the compiler cannot optimize the loop away in case the result is not

  132. 	 * used at all. Yet that data is considered "additional information"

  133. 	 * considering the terminology from SP800-90A without any entropy.

  134. 	 *

  135. 	 * Note, it does not matter which or how much data you inject, we are

  136. 	 * interested in one Keccack1600 compression operation performed with

  137. 	 * the sha3_final.

  138. 	 */

  139. 	for (j = 0; j < hash_loop_cnt; j++) {

  140. 		sha3_update(&ctx, intermediary, sizeof(intermediary));

  141. 		sha3_update(&ctx, (uint8_t *)&ec->rct_count,

  142. 			    sizeof(ec->rct_count));

  143. 		sha3_update(&ctx, (uint8_t *)&ec->apt_cutoff,

  144. 			    sizeof(ec->apt_cutoff));

  145. 		sha3_update(&ctx, (uint8_t *)&ec->apt_observations,

  146. 			    sizeof(ec->apt_observations));

  147. 		sha3_update(&ctx, (uint8_t *)&ec->apt_count,

  148. 			    sizeof(ec->apt_count));

  149. 		sha3_update(&ctx,(uint8_t *) &ec->apt_base,

  150. 			    sizeof(ec->apt_base));

  151. 		sha3_update(&ctx, (uint8_t *)&j, sizeof(uint64_t));

  152. 		sha3_final(&ctx, intermediary);

  153. 	}

  154. 

  155. 	/*

  156. 	 * Inject the data from the previous loop into the pool. This data is

  157. 	 * not considered to contain any entropy, but it stirs the pool a bit.

  158. 	 */

  159. 	sha3_update(ec->hash_state, intermediary, sizeof(intermediary));

  160. 

  161. 	/*

  162. 	 * Insert the time stamp into the hash context representing the pool.

  163. 	 *

  164. 	 * If the time stamp is stuck, do not finally insert the value into the

  165. 	 * entropy pool. Although this operation should not do any harm even

  166. 	 * when the time stamp has no entropy, SP800-90B requires that any

  167. 	 * conditioning operation to have an identical amount of input data

  168. 	 * according to section 3.1.5.

  169. 	 */

  170. 	if (!stuck)

  171. 		sha3_update(ec->hash_state, (uint8_t *)&time, sizeof(uint64_t));

  172. 

  173. 	jent_memset_secure(&ctx, SHA_MAX_CTX_SIZE);

  174. 	jent_memset_secure(intermediary, sizeof(intermediary));

  175. }

  176. 

  177. #define MAX_ACC_LOOP_BIT 7

  178. #define MIN_ACC_LOOP_BIT 0

  179. #ifdef JENT_RANDOM_MEMACCESS

  180. 

  181. static inline uint32_t uint32rotl(const uint32_t x, int k)

  182. {

  183. 	return (x << k) | (x >> (32 - k));

  184. }

  185. 

  186. static inline uint32_t xoshiro128starstar(uint32_t *s)

  187. {

  188. 	const uint32_t result = uint32rotl(s[1] * 5, 7) * 9;

  189. 	const uint32_t t = s[1] << 9;

  190. 

  191. 	s[2] ^= s[0];

  192. 	s[3] ^= s[1];

  193. 	s[1] ^= s[2];

  194. 	s[0] ^= s[3];

  195. 

  196. 	s[2] ^= t;

  197. 

  198. 	s[3] = uint32rotl(s[3], 11);

  199. 

  200. 	return result;

  201. }

  202. 

  203. static void jent_memaccess(struct rand_data *ec, uint64_t loop_cnt)

  204. {

  205. 	uint64_t i = 0, time = 0;

  206. 	union {

  207. 		uint32_t u[4];

  208. 		uint8_t b[sizeof(uint32_t) * 4];

  209. 	} prngState = { .u = {0x8e93eec0, 0xce65608a, 0xa8d46b46, 0xe83cef69} };

  210. 	uint32_t addressMask;

  211. 

  212. 	/* Ensure that macros cannot overflow jent_loop_shuffle() */

  213. 	BUILD_BUG_ON((MAX_ACC_LOOP_BIT + MIN_ACC_LOOP_BIT) > 63);

  214. 	uint64_t acc_loop_cnt =

  215. 		jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT);

  216. 

  217. 	if (NULL == ec || NULL == ec->mem)

  218. 		return;

  219. 	addressMask = ec->memmask;

  220. 

  221. 	/*

  222. 	 * Mix the current data into prngState

  223. 	 *

  224. 	 * Any time you see a PRNG in a noise source, you should be concerned.

  225. 	 *

  226. 	 * The PRNG doesn’t directly produce the raw noise, it just adjusts the

  227. 	 * location being updated. The timing of the update is part of the raw

  228. 	 * sample. The main thing this process gets you isn’t better

  229. 	 * “per-update” timing, it gets you mostly independent “per-update”

  230. 	 * timing, so we can now benefit from the Central Limit Theorem!

  231. 	 */

  232. 	for (i = 0; i < sizeof(prngState); i++) {

  233. 		jent_get_nstime_internal(ec, &time);

  234. 		prngState.b[i] ^= (uint8_t)(time & 0xff);

  235. 	}

  236. 

  237. 	/*

  238. 	 * testing purposes -- allow test app to set the counter, not

  239. 	 * needed during runtime

  240. 	 */

  241. 	if (loop_cnt)

  242. 		acc_loop_cnt = loop_cnt;

  243. 

  244. 	for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) {

  245. 		/* Take PRNG output to find the memory location to update. */

  246. 		unsigned char *tmpval = ec->mem +

  247. 					(xoshiro128starstar(prngState.u) &

  248. 					 addressMask);

  249. 

  250. 		/*

  251. 		 * memory access: just add 1 to one byte,

  252. 		 * wrap at 255 -- memory access implies read

  253. 		 * from and write to memory location

  254. 		 */

  255. 		*tmpval = (unsigned char)((*tmpval + 1) & 0xff);

  256. 	}

  257. }

  258. 

  259. #else /* JENT_RANDOM_MEMACCESS */

  260. 

  261. /**

  262.  * Memory Access noise source -- this is a noise source based on variations in

  263.  * 				 memory access times

  264.  *

  265.  * This function performs memory accesses which will add to the timing

  266.  * variations due to an unknown amount of CPU wait states that need to be

  267.  * added when accessing memory. The memory size should be larger than the L1

  268.  * caches as outlined in the documentation and the associated testing.

  269.  *

  270.  * The L1 cache has a very high bandwidth, albeit its access rate is  usually

  271.  * slower than accessing CPU registers. Therefore, L1 accesses only add minimal

  272.  * variations as the CPU has hardly to wait. Starting with L2, significant

  273.  * variations are added because L2 typically does not belong to the CPU any more

  274.  * and therefore a wider range of CPU wait states is necessary for accesses.

  275.  * L3 and real memory accesses have even a wider range of wait states. However,

  276.  * to reliably access either L3 or memory, the ec->mem memory must be quite

  277.  * large which is usually not desirable.

  278.  *

  279.  * @ec [in] Reference to the entropy collector with the memory access data -- if

  280.  *	    the reference to the memory block to be accessed is NULL, this noise

  281.  *	    source is disabled

  282.  * @loop_cnt [in] if a value not equal to 0 is set, use the given value as

  283.  *		  number of loops to perform the hash operation

  284.  */

  285. static void jent_memaccess(struct rand_data *ec, uint64_t loop_cnt)

  286. {

  287. 	unsigned int wrap = 0;

  288. 	uint64_t i = 0;

  289. 

  290. 	/* Ensure that macros cannot overflow jent_loop_shuffle() */

  291. 	BUILD_BUG_ON((MAX_ACC_LOOP_BIT + MIN_ACC_LOOP_BIT) > 63);

  292. 	uint64_t acc_loop_cnt =

  293. 		jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT);

  294. 

  295. 	if (NULL == ec || NULL == ec->mem)

  296. 		return;

  297. 	wrap = ec->memblocksize * ec->memblocks;

  298. 

  299. 	/*

  300. 	 * testing purposes -- allow test app to set the counter, not

  301. 	 * needed during runtime

  302. 	 */

  303. 	if (loop_cnt)

  304. 		acc_loop_cnt = loop_cnt;

  305. 	for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) {

  306. 		unsigned char *tmpval = ec->mem + ec->memlocation;

  307. 		/*

  308. 		 * memory access: just add 1 to one byte,

  309. 		 * wrap at 255 -- memory access implies read

  310. 		 * from and write to memory location

  311. 		 */

  312. 		*tmpval = (unsigned char)((*tmpval + 1) & 0xff);

  313. 		/*

  314. 		 * Addition of memblocksize - 1 to pointer

  315. 		 * with wrap around logic to ensure that every

  316. 		 * memory location is hit evenly

  317. 		 */

  318. 		ec->memlocation = ec->memlocation + ec->memblocksize - 1;

  319. 		ec->memlocation = ec->memlocation % wrap;

  320. 	}

  321. }

  322. 

  323. #endif /* JENT_RANDOM_MEMACCESS */

  324. 

  325. /***************************************************************************

  326.  * Start of entropy processing logic

  327.  ***************************************************************************/

  328. 

  329. /**

  330.  * This is the heart of the entropy generation: calculate time deltas and

  331.  * use the CPU jitter in the time deltas. The jitter is injected into the

  332.  * entropy pool.

  333.  *

  334.  * WARNING: ensure that ->prev_time is primed before using the output

  335.  * 	    of this function! This can be done by calling this function

  336.  * 	    and not using its result.

  337.  *

  338.  * @ec [in] Reference to entropy collector

  339.  * @loop_cnt [in] see jent_hash_time

  340.  * @ret_current_delta [out] Test interface: return time delta - may be NULL

  341.  *

  342.  * @return: result of stuck test

  343.  */

  344. unsigned int jent_measure_jitter(struct rand_data *ec,

  345. 				 uint64_t loop_cnt,

  346. 				 uint64_t *ret_current_delta)

  347. {

  348. 	uint64_t time = 0;

  349. 	uint64_t current_delta = 0;

  350. 	unsigned int stuck;

  351. 

  352. 	/* Invoke one noise source before time measurement to add variations */

  353. 	jent_memaccess(ec, loop_cnt);

  354. 

  355. 	/*

  356. 	 * Get time stamp and calculate time delta to previous

  357. 	 * invocation to measure the timing variations

  358. 	 */

  359. 	jent_get_nstime_internal(ec, &time);

  360. 	current_delta = jent_delta(ec->prev_time, time) /

  361. 						ec->jent_common_timer_gcd;

  362. 	ec->prev_time = time;

  363. 

  364. 	/* Check whether we have a stuck measurement. */

  365. 	stuck = jent_stuck(ec, current_delta);

  366. 

  367. 	/* Now call the next noise sources which also injects the data */

  368. 	jent_hash_time(ec, current_delta, loop_cnt, stuck);

  369. 

  370. 	/* return the raw entropy value */

  371. 	if (ret_current_delta)

  372. 		*ret_current_delta = current_delta;

  373. 

  374. 	return stuck;

  375. }

  376. 

  377. /**

  378.  * Generator of one 256 bit random number

  379.  * Function fills rand_data->hash_state

  380.  *

  381.  * @ec [in] Reference to entropy collector

  382.  */

  383. void jent_random_data(struct rand_data *ec)

  384. {

  385. 	unsigned int k = 0, safety_factor = 0;

  386. 

  387. 	if (ec->fips_enabled)

  388. 		safety_factor = ENTROPY_SAFETY_FACTOR;

  389. 

  390. 	/* priming of the ->prev_time value */

  391. 	jent_measure_jitter(ec, 0, NULL);

  392. 

  393. 	while (!jent_health_failure(ec)) {

  394. 		/* If a stuck measurement is received, repeat measurement */

  395. 		if (jent_measure_jitter(ec, 0, NULL))

  396. 			continue;

  397. 

  398. 		/*

  399. 		 * We multiply the loop value with ->osr to obtain the

  400. 		 * oversampling rate requested by the caller

  401. 		 */

  402. 		if (++k >= ((DATA_SIZE_BITS + safety_factor) * ec->osr))

  403. 			break;

  404. 	}

  405. }

  406. 

  407. void jent_read_random_block(struct rand_data *ec, char *dst, size_t dst_len)

  408. {

  409. 	uint8_t jent_block[SHA3_256_SIZE_DIGEST];

  410. 

  411. 	BUILD_BUG_ON(SHA3_256_SIZE_DIGEST != (DATA_SIZE_BITS / 8));

  412. 

  413. 	/* The final operation automatically re-initializes the ->hash_state */

  414. 	sha3_final(ec->hash_state, jent_block);

  415. 	if (dst_len)

  416. 		memcpy(dst, jent_block, dst_len);

  417. 

  418. 	/*

  419. 	 * Stir the new state with the data from the old state - the digest

  420. 	 * of the old data is not considered to have entropy.

  421. 	 */

  422. 	sha3_update(ec->hash_state, jent_block, sizeof(jent_block));

  423. 	jent_memset_secure(jent_block, sizeof(jent_block));

  424. }