Add entropy pool and strong random number generator

Entropy pool gathers environmental noise from device drivers, user-space, etc., and returns good random numbers, suitable for cryptographic use. Based on entropy pool design from *BSDs and uses BLAKE2Xs algorithm for CSPRNG output.

Patch also adds /dev/urandom support for using entropy pool RNG and new 'getrandom' system call for getting randomness without file-descriptor usage (thus avoiding file-descriptor exhaustion attacks). The 'getrandom' interface is similar as 'getentropy' and 'getrandom' available on OpenBSD and Linux respectively.

include/nuttx/board.h

@@ -646,4 +646,20 @@ void board_crashdump(uintptr_t currentsp, FAR void *tcb,
                      int lineno);
 #endif
 
+/****************************************************************************
+ * Name: board_initrngseed
+ *
+ * Description:
+ *   If CONFIG_BOARD_INITRNGSEED is selected then board_init_rngseed is
+ *   called at up_randompool_initialize() to feed initial random seed
+ *   to RNG. Implemenation of this functions should feed at least
+ *   MIN_SEED_NEW_ENTROPY_WORDS 32-bit random words to entropy-pool using
+ *   up_rngaddentropy() or up_rngaddint().
+ *
+ ****************************************************************************/
+
+#ifdef CONFIG_BOARD_INITRNGSEED
+void board_init_rngseed(void);
+#endif
+
 #endif /* __INCLUDE_NUTTX_BOARD_H */

include/nuttx/crypto/blake2s.h

@@ -0,0 +1,197 @@
+/****************************************************************************
+ * include/nuttx/crypto/blake2s.h
+ *
+ * This code is based on public-domain/CC0 BLAKE2 reference implementation
+ * by Samual Neves, at https://github.com/BLAKE2/BLAKE2/tree/master/ref
+ * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>
+ *
+ * Copyright (C) 2017 Haltian Ltd. All rights reserved.
+ * Authors: Jussi Kivilinna <jussi.kivilinna@haltian.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ * 3. Neither the name NuttX nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ ****************************************************************************/
+
+#ifndef __INCLUDE_NUTTX_CRYPTO_BLAKE2S_H
+#define __INCLUDE_NUTTX_CRYPTO_BLAKE2S_H
+
+/****************************************************************************
+ * Included Files
+ ****************************************************************************/
+
+#include <nuttx/config.h>
+
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/****************************************************************************
+ * Pre-processor Definitions
+ ****************************************************************************/
+
+/****************************************************************************
+ * Public Types
+ ****************************************************************************/
+
+enum blake2s_constant
+{
+  BLAKE2S_BLOCKBYTES = 64,
+  BLAKE2S_OUTBYTES = 32,
+  BLAKE2S_KEYBYTES = 32,
+  BLAKE2S_SALTBYTES = 8,
+  BLAKE2S_PERSONALBYTES = 8
+};
+
+typedef struct blake2s_state__
+{
+  uint32_t h[8];
+  uint32_t t[2];
+  uint32_t f[2];
+  size_t buflen;
+  size_t outlen;
+  uint8_t buf[BLAKE2S_BLOCKBYTES];
+} blake2s_state;
+
+typedef struct blake2s_param__
+{
+  uint8_t digest_length;                        /* 1 */
+  uint8_t key_length;                           /* 2 */
+  uint8_t fanout;                               /* 3 */
+  uint8_t depth;                                /* 4 */
+  uint8_t leaf_length[4];                       /* 8 */
+  uint8_t node_offset[4];                       /* 12 */
+  uint8_t xof_length[2];                        /* 14 */
+  uint8_t node_depth;                           /* 15 */
+  uint8_t inner_length;                         /* 16 */
+  /* uint8_t  reserved[0]; */
+  uint8_t salt[BLAKE2S_SALTBYTES];              /* 24 */
+  uint8_t personal[BLAKE2S_PERSONALBYTES];      /* 32 */
+} blake2s_param;
+
+#ifdef __GNUC__ > 3
+#define BLAKE2_UNALIGNED 1
+typedef uint32_t uint32_alias_t __attribute__((may_alias, aligned(1)));
+typedef uint16_t uint16_alias_t __attribute__((may_alias, aligned(1)));
+#endif
+
+/****************************************************************************
+ * Public Function Prototypes
+ ****************************************************************************/
+
+/* Streaming API */
+
+int blake2s_init(FAR blake2s_state *S, size_t outlen);
+int blake2s_init_key(FAR blake2s_state *S, size_t outlen, FAR const void *key,
+                     size_t keylen);
+int blake2s_init_param(FAR blake2s_state *S, FAR const blake2s_param *P);
+int blake2s_update(FAR blake2s_state *S, FAR const void *in, size_t inlen);
+int blake2s_final(FAR blake2s_state *S, FAR void *out, size_t outlen);
+
+/* Simple API */
+
+int blake2s(FAR void *out, size_t outlen, FAR const void *in, size_t inlen,
+            FAR const void *key, size_t keylen);
+
+/****************************************************************************
+ * Public Inline Functions
+ ****************************************************************************/
+
+static inline uint32_t blake2_load32(FAR const void *src)
+{
+#if defined(BLAKE2_UNALIGNED) && !defined(CONFIG_ENDIAN_BIG)
+  return *(FAR uint32_alias_t *)src;
+#elif !defined(CONFIG_ENDIAN_BIG)
+  FAR const uint8_t *p = (FAR const uint8_t *)src;
+  return ((uint32_t)(p[0]) << 24) |
+         ((uint32_t)(p[1]) << 16) |
+         ((uint32_t)(p[2]) << 8) |
+         ((uint32_t)(p[3]) << 0);
+#else
+  FAR const uint8_t *p = (FAR const uint8_t *)src;
+  return ((uint32_t)(p[0]) << 0) |
+         ((uint32_t)(p[1]) << 8) |
+         ((uint32_t)(p[2]) << 16) |
+         ((uint32_t)(p[3]) << 24);
+#endif
+}
+
+static inline uint16_t blake2_load16(FAR const void *src)
+{
+#if defined(BLAKE2_UNALIGNED) && !defined(CONFIG_ENDIAN_BIG)
+  return *(FAR uint16_alias_t *)src;
+#elif !defined(CONFIG_ENDIAN_BIG)
+  const uint8_t *p = (FAR const uint8_t *)src;
+  return ((uint16_t)(p[0]) << 8) | ((uint16_t)(p[1]) << 0);
+#else
+  const uint8_t *p = (FAR const uint8_t *)src;
+  return ((uint16_t)(p[0]) << 0) | ((uint16_t)(p[1]) << 8);
+#endif
+}
+
+static inline void blake2_store16(FAR void *dst, uint16_t w)
+{
+#if defined(BLAKE2_UNALIGNED) && !defined(CONFIG_ENDIAN_BIG)
+  *(FAR uint16_alias_t *)dst = w;
+#elif !defined(CONFIG_ENDIAN_BIG)
+  FAR uint8_t *p = (FAR uint8_t *)dst;
+  p[1] = (uint8_t)w; w >>= 8;
+  p[0] = (uint8_t)w;
+#else
+  FAR uint8_t *p = (FAR uint8_t *)dst;
+  p[0] = (uint8_t)w; w >>= 8;
+  p[1] = (uint8_t)w;
+#endif
+}
+
+static inline void blake2_store32(FAR void *dst, uint32_t w)
+{
+#if defined(BLAKE2_UNALIGNED) && !defined(CONFIG_ENDIAN_BIG)
+  *(FAR uint32_alias_t *)dst = w;
+#elif !defined(CONFIG_ENDIAN_BIG)
+  FAR uint8_t *p = (FAR uint8_t *) dst;
+  p[0] = (uint8_t)(w >> 24);
+  p[1] = (uint8_t)(w >> 16);
+  p[2] = (uint8_t)(w >> 8);
+  p[3] = (uint8_t)(w >> 0);
+#else
+  FAR uint8_t *p = (FAR uint8_t *) dst;
+  p[0] = (uint8_t)(w >> 0);
+  p[1] = (uint8_t)(w >> 8);
+  p[2] = (uint8_t)(w >> 16);
+  p[3] = (uint8_t)(w >> 24);
+#endif
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __INCLUDE_NUTTX_CRYPTO_BLAKE2S_H */

include/nuttx/random.h

@@ -0,0 +1,171 @@
+/****************************************************************************
+ * include/nuttx/random.h
+ *
+ *   Copyright (C) 2015-2017 Haltian Ltd. All rights reserved.
+ *   Authors: Juha Niskanen <juha.niskanen@haltian.com>
+ *            Jussi Kivilinna <jussi.kivilinna@haltian.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ * 3. Neither the name NuttX nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ ****************************************************************************/
+
+#ifndef __INCLUDE_NUTTX_RANDOM_H
+#define __INCLUDE_NUTTX_RANDOM_H
+
+/****************************************************************************
+ * Included Files
+ ****************************************************************************/
+
+#include <nuttx/config.h>
+#include <stddef.h>
+
+#include <sys/random.h> /* getrandom() */
+
+/****************************************************************************
+ * Pre-processor Definitions
+ ****************************************************************************/
+
+/* Size of entropy pool in 32-bit integers, must be power of two */
+
+#define ENTROPY_POOL_SIZE        128
+
+#define add_irq_randomness(x)    up_rngaddint(RND_SRC_IRQ, (x))
+#define add_sensor_randomness(x) up_rngaddint(RND_SRC_SENSOR, (x))
+#define add_time_randomness(x)   up_rngaddint(RND_SRC_TIME, (x))
+#define add_hw_randomness(x)     up_rngaddint(RND_SRC_HW, (x))
+#define add_sw_randomness(x)     up_rngaddint(RND_SRC_SW, (x))
+#define add_ui_randomness(x)     up_rngaddint(RND_SRC_UI, (x))
+
+/* Allow above macros to always exist in source without ifdefs */
+
+#ifndef CONFIG_CRYPTO_RANDOM_POOL
+#  define up_rngaddint(k, x)            ((void)(k),(void)(x))
+#  define up_rngaddentropy(k, buf, n)   ((void)(k),(void)(buf),(void)(x))
+#endif
+
+/****************************************************************************
+ * Public Type Definitions
+ ****************************************************************************/
+
+/* Entropy pool structure */
+
+struct entropy_pool_s
+{
+  volatile uint32_t pool[ENTROPY_POOL_SIZE];
+};
+
+/* Randomness sources */
+
+enum rnd_source_t
+{
+  RND_SRC_TIME = 0,
+  RND_SRC_IRQ,
+  RND_SRC_SENSOR,
+  RND_SRC_HW,      /* unique per HW UID or coming from factory line. */
+  RND_SRC_SW,      /* unique per SW version. */
+  RND_SRC_UI       /* buttons etc. user-visible interface elements. */
+};
+
+/****************************************************************************
+ * Public Data
+ ****************************************************************************/
+
+#ifdef CONFIG_BOARD_ENTROPY_POOL
+/* Entropy pool structure can be provided by board source. Use for this is,
+ * for example, allocate entropy pool from special area of RAM which content
+ * is kept over system reset. */
+
+extern struct entropy_pool_s board_entropy_pool;
+#endif
+
+/****************************************************************************
+ * Public Function Prototypes
+ ****************************************************************************/
+
+#ifdef CONFIG_CRYPTO_RANDOM_POOL
+
+/****************************************************************************
+ * Function: up_rngaddint
+ *
+ * Description:
+ *   Add one integer to entropy pool, contributing a specific kind
+ *   of entropy to pool.
+ *
+ * Parameters:
+ *   kindof  - Enumeration constant telling where val came from
+ *   val     - Integer to be added
+ *
+ * Returned Value:
+ *   None
+ *
+ ****************************************************************************/
+
+void up_rngaddint(enum rnd_source_t kindof, int val);
+
+/****************************************************************************
+ * Function: up_rngaddentropy
+ *
+ * Description:
+ *   Add buffer of integers to entropy pool.
+ *
+ * Parameters:
+ *   kindof  - Enumeration constant telling where val came from
+ *   buf     - Buffer of integers to be added
+ *   n       - Number of elements in buf
+ *
+ * Returned Value:
+ *   None
+ *
+ ****************************************************************************/
+
+void up_rngaddentropy(enum rnd_source_t kindof, FAR const uint32_t *buf,
+                      size_t n);
+
+/****************************************************************************
+ * Function: up_rngreseed
+ *
+ * Description:
+ *   Force reseeding random number generator from entropy pool
+ *
+ ****************************************************************************/
+
+void up_rngreseed(void);
+
+/****************************************************************************
+ * Function: up_randompool_initialize
+ *
+ * Description:
+ *   Initialize entropy pool and random number generator
+ *
+ ****************************************************************************/
+
+void up_randompool_initialize(void);
+
+#endif /* CONFIG_CRYPTO_RANDOM_POOL */
+
+#endif /* __INCLUDE_NUTTX_RANDOM_H */

include/string.h

@@ -93,6 +93,8 @@ FAR void  *memcpy(FAR void *dest, FAR const void *src, size_t n);
 FAR void  *memmove(FAR void *dest, FAR const void *src, size_t count);
 FAR void  *memset(FAR void *s, int c, size_t n);
 
+void explicit_bzero(FAR void *s, size_t n);
+
 #undef EXTERN
 #if defined(__cplusplus)
 }

include/sys/random.h

@@ -0,0 +1,77 @@
+/****************************************************************************
+ * include/sys/random.h
+ *
+ *   Copyright (C) 2015-2017 Haltian Ltd. All rights reserved.
+ *   Authors: Juha Niskanen <juha.niskanen@haltian.com>
+ *            Jussi Kivilinna <jussi.kivilinna@haltian.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ * 3. Neither the name NuttX nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ ****************************************************************************/
+
+#ifndef __INCLUDE_SYS_RANDOM_H
+#define __INCLUDE_SYS_RANDOM_H
+
+/****************************************************************************
+ * Included Files
+ ****************************************************************************/
+
+#include <nuttx/config.h>
+#include <stddef.h>
+
+/****************************************************************************
+ * Public Function Prototypes
+ ****************************************************************************/
+
+#ifdef CONFIG_CRYPTO_RANDOM_POOL
+
+/****************************************************************************
+ * Function: getrandom
+ *
+ * Description:
+ *   Fill a buffer of arbitrary length with randomness. This is the
+ *   preferred interface for getting random numbers. The traditional
+ *   /dev/random approach is susceptible for things like the attacker
+ *   exhausting file descriptors on purpose.
+ *
+ *   Note that this function cannot fail, other than by asserting.
+ *
+ * Parameters:
+ *   bytes  - Buffer for returned random bytes
+ *   nbytes - Number of bytes requested.
+ *
+ * Returned Value:
+ *   None
+ *
+ ****************************************************************************/
+
+void getrandom(FAR void *bytes, size_t nbytes);
+
+#endif /* CONFIG_CRYPTO_RANDOM_POOL */
+
+#endif /* __INCLUDE_SYS_RANDOM_H */

include/sys/syscall.h

@@ -524,10 +524,19 @@
 /* The following is defined only if CONFIG_TASK_NAME_SIZE > 0 */
 
 #if CONFIG_TASK_NAME_SIZE > 0
-#  define SYS_prctl                    (SYS_nnetsocket+0)
-#  define SYS_maxsyscall               (SYS_nnetsocket+1)
+#  define SYS_prctl                    (SYS_nnetsocket+1)
 #else
-#  define SYS_maxsyscall               SYS_nnetsocket
+#  define SYS_prctl                    SYS_nnetsocket
+#endif
+
+/* The following is defined only if entropy pool random number generator
+ * is enabled. */
+
+#ifdef CONFIG_CRYPTO_RANDOM_POOL
+#  define SYS_getrandom                (SYS_prctl+1)
+#  define SYS_maxsyscall               (SYS_prctl+2)
+#else
+#  define SYS_maxsyscall               SYS_prctl
 #endif
 
 /* Note that the reported number of system calls does *NOT* include the