/src/libgcrypt/random/rndhw.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* rndhw.c - Access to the external random daemon |
2 | | * Copyright (C) 2007 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2012 Dmitry Kasatkin |
4 | | * |
5 | | * This file is part of Libgcrypt. |
6 | | * |
7 | | * Libgcrypt is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU Lesser General Public License as |
9 | | * published by the Free Software Foundation; either version 2.1 of |
10 | | * the License, or (at your option) any later version. |
11 | | * |
12 | | * Libgcrypt is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU Lesser General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU Lesser General Public |
18 | | * License along with this program; if not, see <http://www.gnu.org/licenses/>. |
19 | | */ |
20 | | |
21 | | #include <config.h> |
22 | | #include <stdio.h> |
23 | | #include <stdlib.h> |
24 | | |
25 | | #include "types.h" |
26 | | #include "g10lib.h" |
27 | | #include "rand-internal.h" |
28 | | |
29 | | #undef USE_PADLOCK |
30 | | #ifdef ENABLE_PADLOCK_SUPPORT |
31 | | # ifdef HAVE_GCC_ATTRIBUTE_ALIGNED |
32 | | # if (defined (__i386__) && SIZEOF_UNSIGNED_LONG == 4) || defined(__x86_64__) |
33 | | # define USE_PADLOCK 1 |
34 | | # endif |
35 | | # endif |
36 | | #endif /*ENABLE_PADLOCK_SUPPORT*/ |
37 | | |
38 | | #undef USE_DRNG |
39 | | #ifdef ENABLE_DRNG_SUPPORT |
40 | | # ifdef HAVE_GCC_ATTRIBUTE_ALIGNED |
41 | | # if (defined (__i386__) && SIZEOF_UNSIGNED_LONG == 4) || defined(__x86_64__) |
42 | | # define USE_DRNG 1 |
43 | | # endif |
44 | | # endif |
45 | | #endif /*ENABLE_RDRAND_SUPPORT*/ |
46 | | |
47 | | typedef void (*add_fn_t)(const void*, size_t, enum random_origins); |
48 | | |
49 | | /* Keep track on whether the RNG has problems. */ |
50 | | static volatile int rng_failed; |
51 | | |
52 | | |
53 | | #ifdef USE_PADLOCK |
54 | | static size_t |
55 | | poll_padlock (void (*add)(const void*, size_t, enum random_origins), |
56 | | enum random_origins origin, int fast) |
57 | 0 | { |
58 | 0 | volatile char buffer[64+8] __attribute__ ((aligned (8))); |
59 | 0 | volatile char *p; |
60 | 0 | unsigned int nbytes, status; |
61 | | |
62 | | /* Peter Gutmann's cryptlib tests again whether the RNG is enabled |
63 | | but we don't do so. We would have to do this also for our AES |
64 | | implementation and that is definitely too time consuming. There |
65 | | would be a race condition anyway. Thus we assume that the OS |
66 | | does not change the Padlock initialization while a user process |
67 | | is running. */ |
68 | 0 | p = buffer; |
69 | 0 | nbytes = 0; |
70 | 0 | while (nbytes < 64) |
71 | 0 | { |
72 | 0 | #if defined(__x86_64__) && SIZEOF_VOID_P == 8 |
73 | 0 | asm volatile |
74 | 0 | ("movq %1, %%rdi\n\t" /* Set buffer. */ |
75 | 0 | "xorq %%rdx, %%rdx\n\t" /* Request up to 8 bytes. */ |
76 | 0 | ".byte 0x0f, 0xa7, 0xc0\n\t" /* XSTORE RNG. */ |
77 | 0 | : "=a" (status) |
78 | 0 | : "g" (p) |
79 | 0 | : "%rdx", "%rdi", "cc", "memory" |
80 | 0 | ); |
81 | | #else |
82 | | asm volatile |
83 | | ("movl %1, %%edi\n\t" /* Set buffer. */ |
84 | | "xorl %%edx, %%edx\n\t" /* Request up to 8 bytes. */ |
85 | | ".byte 0x0f, 0xa7, 0xc0\n\t" /* XSTORE RNG. */ |
86 | | : "=a" (status) |
87 | | : "g" (p) |
88 | | : "%edx", "%edi", "cc", "memory" |
89 | | ); |
90 | | #endif |
91 | 0 | if ((status & (1<<6)) /* RNG still enabled. */ |
92 | 0 | && !(status & (1<<13)) /* von Neumann corrector is enabled. */ |
93 | 0 | && !(status & (1<<14)) /* String filter is disabled. */ |
94 | 0 | && !(status & 0x1c00) /* BIAS voltage at default. */ |
95 | 0 | && (!(status & 0x1f) || (status & 0x1f) == 8) /* Sanity check. */ |
96 | 0 | ) |
97 | 0 | { |
98 | 0 | nbytes += (status & 0x1f); |
99 | 0 | if (fast) |
100 | 0 | break; /* Don't get into the loop with the fast flag set. */ |
101 | 0 | p += (status & 0x1f); |
102 | 0 | } |
103 | 0 | else |
104 | 0 | { |
105 | | /* If there was an error we need to break the loop and |
106 | | record that there is something wrong with the padlock |
107 | | RNG. */ |
108 | 0 | rng_failed = 1; |
109 | 0 | break; |
110 | 0 | } |
111 | 0 | } |
112 | |
|
113 | 0 | if (nbytes) |
114 | 0 | { |
115 | 0 | (*add) ((void*)buffer, nbytes, origin); |
116 | 0 | wipememory (buffer, nbytes); |
117 | 0 | } |
118 | 0 | return nbytes; |
119 | 0 | } |
120 | | #endif /*USE_PADLOCK*/ |
121 | | |
122 | | |
123 | | #ifdef USE_DRNG |
124 | 2.06M | # define RDRAND_RETRY_LOOPS 10 |
125 | | # define RDRAND_INT ".byte 0x0f,0xc7,0xf0" |
126 | | # if defined(__x86_64__) && SIZEOF_UNSIGNED_LONG == 8 |
127 | | # define RDRAND_LONG ".byte 0x48,0x0f,0xc7,0xf0" |
128 | | # else |
129 | | # define RDRAND_LONG RDRAND_INT |
130 | | # endif |
131 | | static inline int |
132 | | rdrand_long (volatile unsigned long *v) |
133 | 2.06M | { |
134 | 2.06M | int ok; |
135 | 2.06M | asm volatile ("1: " RDRAND_LONG "\n\t" |
136 | 2.06M | "jc 2f\n\t" |
137 | 2.06M | "decl %0\n\t" |
138 | 2.06M | "jnz 1b\n\t" |
139 | 2.06M | "2:" |
140 | 2.06M | : "=r" (ok), "=a" (*v) |
141 | 2.06M | : "0" (RDRAND_RETRY_LOOPS) |
142 | 2.06M | : "cc", "memory"); |
143 | 2.06M | return ok; |
144 | 2.06M | } |
145 | | |
146 | | |
147 | | static inline int |
148 | | rdrand_nlong (volatile unsigned long *v, int count) |
149 | 258k | { |
150 | 2.32M | while (count--) |
151 | 2.06M | if (!rdrand_long(v++)) |
152 | 0 | return 0; |
153 | 258k | return 1; |
154 | 258k | } |
155 | | |
156 | | |
157 | | static size_t |
158 | | poll_drng (add_fn_t add, enum random_origins origin, int fast) |
159 | 258k | { |
160 | 258k | volatile unsigned long buffer[8] __attribute__ ((aligned (8))); |
161 | 258k | unsigned int nbytes = sizeof (buffer); |
162 | | |
163 | 258k | (void)fast; |
164 | | |
165 | 258k | if (!rdrand_nlong (buffer, DIM(buffer))) |
166 | 0 | return 0; |
167 | 258k | (*add)((void *)buffer, nbytes, origin); |
168 | 258k | return nbytes; |
169 | 258k | } |
170 | | #endif /*USE_DRNG*/ |
171 | | |
172 | | |
173 | | int |
174 | | _gcry_rndhw_failed_p (void) |
175 | 0 | { |
176 | 0 | return rng_failed; |
177 | 0 | } |
178 | | |
179 | | |
180 | | /* Try to read random from a hardware RNG if a fast one is |
181 | | available. */ |
182 | | void |
183 | | _gcry_rndhw_poll_fast (void (*add)(const void*, size_t, enum random_origins), |
184 | | enum random_origins origin) |
185 | 258k | { |
186 | 258k | (void)add; |
187 | 258k | (void)origin; |
188 | | |
189 | 258k | #ifdef USE_DRNG |
190 | 258k | if ((_gcry_get_hw_features () & HWF_INTEL_RDRAND)) |
191 | 258k | poll_drng (add, origin, 1); |
192 | 258k | #endif |
193 | 258k | #ifdef USE_PADLOCK |
194 | 258k | if ((_gcry_get_hw_features () & HWF_PADLOCK_RNG)) |
195 | 0 | poll_padlock (add, origin, 1); |
196 | 258k | #endif |
197 | 258k | } |
198 | | |
199 | | |
200 | | /* Read 64 bytes from a hardware RNG and return the number of bytes |
201 | | actually read. However hardware source is let account only |
202 | | for up to 50% (or 25% for RDRAND) of the requested bytes. */ |
203 | | size_t |
204 | | _gcry_rndhw_poll_slow (void (*add)(const void*, size_t, enum random_origins), |
205 | | enum random_origins origin, size_t req_length) |
206 | 0 | { |
207 | 0 | size_t nbytes = 0; |
208 | |
|
209 | 0 | (void)add; |
210 | 0 | (void)origin; |
211 | |
|
212 | 0 | req_length /= 2; /* Up to 50%. */ |
213 | |
|
214 | 0 | #ifdef USE_DRNG |
215 | 0 | if ((_gcry_get_hw_features () & HWF_INTEL_RDRAND)) |
216 | 0 | { |
217 | 0 | req_length /= 2; /* Up to 25%. */ |
218 | 0 | nbytes += poll_drng (add, origin, 0); |
219 | 0 | } |
220 | 0 | #endif |
221 | 0 | #ifdef USE_PADLOCK |
222 | 0 | if ((_gcry_get_hw_features () & HWF_PADLOCK_RNG)) |
223 | 0 | nbytes += poll_padlock (add, origin, 0); |
224 | 0 | #endif |
225 | |
|
226 | 0 | if (nbytes > req_length) |
227 | 0 | nbytes = req_length; |
228 | |
|
229 | 0 | return nbytes; |
230 | 0 | } |