linux-stable/include/linux/prandom.h

/* SPDX-License-Identifier: GPL-2.0 */
/*
 * include/linux/prandom.h
 *
 * Include file for the fast pseudo-random 32-bit
 * generation.
 */
#ifndef _LINUX_PRANDOM_H
#define _LINUX_PRANDOM_H

#include <linux/types.h>
#include <linux/percpu.h>

u32 prandom_u32(void);
void prandom_bytes(void *buf, size_t nbytes);
void prandom_seed(u32 seed);
void prandom_reseed_late(void);

#if BITS_PER_LONG == 64
/*
 * The core SipHash round function.  Each line can be executed in
 * parallel given enough CPU resources.
 */
#define PRND_SIPROUND(v0, v1, v2, v3) ( \
	v0 += v1, v1 = rol64(v1, 13),  v2 += v3, v3 = rol64(v3, 16), \
	v1 ^= v0, v0 = rol64(v0, 32),  v3 ^= v2,                     \
	v0 += v3, v3 = rol64(v3, 21),  v2 += v1, v1 = rol64(v1, 17), \
	v3 ^= v0,                      v1 ^= v2, v2 = rol64(v2, 32)  \
)

#define PRND_K0 (0x736f6d6570736575 ^ 0x6c7967656e657261)
#define PRND_K1 (0x646f72616e646f6d ^ 0x7465646279746573)

#elif BITS_PER_LONG == 32
/*
 * On 32-bit machines, we use HSipHash, a reduced-width version of SipHash.
 * This is weaker, but 32-bit machines are not used for high-traffic
 * applications, so there is less output for an attacker to analyze.
 */
#define PRND_SIPROUND(v0, v1, v2, v3) ( \
	v0 += v1, v1 = rol32(v1,  5),  v2 += v3, v3 = rol32(v3,  8), \
	v1 ^= v0, v0 = rol32(v0, 16),  v3 ^= v2,                     \
	v0 += v3, v3 = rol32(v3,  7),  v2 += v1, v1 = rol32(v1, 13), \
	v3 ^= v0,                      v1 ^= v2, v2 = rol32(v2, 16)  \
)
#define PRND_K0 0x6c796765
#define PRND_K1 0x74656462

#else
#error Unsupported BITS_PER_LONG
#endif

struct rnd_state {
	__u32 s1, s2, s3, s4;
};

u32 prandom_u32_state(struct rnd_state *state);
void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes);
void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state);

#define prandom_init_once(pcpu_state)			\
	DO_ONCE(prandom_seed_full_state, (pcpu_state))

/**
 * prandom_u32_max - returns a pseudo-random number in interval [0, ep_ro)
 * @ep_ro: right open interval endpoint
 *
 * Returns a pseudo-random number that is in interval [0, ep_ro). Note
 * that the result depends on PRNG being well distributed in [0, ~0U]
 * u32 space. Here we use maximally equidistributed combined Tausworthe
 * generator, that is, prandom_u32(). This is useful when requesting a
 * random index of an array containing ep_ro elements, for example.
 *
 * Returns: pseudo-random number in interval [0, ep_ro)
 */
static inline u32 prandom_u32_max(u32 ep_ro)
{
	return (u32)(((u64) prandom_u32() * ep_ro) >> 32);
}

/*
 * Handle minimum values for seeds
 */
static inline u32 __seed(u32 x, u32 m)
{
	return (x < m) ? x + m : x;
}

/**
 * prandom_seed_state - set seed for prandom_u32_state().
 * @state: pointer to state structure to receive the seed.
 * @seed: arbitrary 64-bit value to use as a seed.
 */
static inline void prandom_seed_state(struct rnd_state *state, u64 seed)
{
	u32 i = (seed >> 32) ^ (seed << 10) ^ seed;

	state->s1 = __seed(i,   2U);
	state->s2 = __seed(i,   8U);
	state->s3 = __seed(i,  16U);
	state->s4 = __seed(i, 128U);
}

/* Pseudo random number generator from numerical recipes. */
static inline u32 next_pseudo_random32(u32 seed)
{
	return seed * 1664525 + 1013904223;
}

#endif
random32: move the pseudo-random 32-bit definitions to prandom.h The addition of percpu.h to the list of includes in random.h revealed some circular dependencies on arm64 and possibly other platforms. This include was added solely for the pseudo-random definitions, which have nothing to do with the rest of the definitions in this file but are still there for legacy reasons. This patch moves the pseudo-random parts to linux/prandom.h and the percpu.h include with it, which is now guarded by _LINUX_PRANDOM_H and protected against recursive inclusion. A further cleanup step would be to remove this from <linux/random.h> entirely, and make people who use the prandom infrastructure include just the new header file. That's a bit of a churn patch, but grepping for "prandom_" and "next_pseudo_random32" "struct rnd_state" should catch most users. But it turns out that that nice cleanup step is fairly painful, because a _lot_ of code currently seems to depend on the implicit include of <linux/random.h>, which can currently come in a lot of ways, including such fairly core headfers as <linux/net.h>. So the "nice cleanup" part may or may never happen. Fixes: 1c9df907da83 ("random: fix circular include dependency on arm64 after addition of percpu.h") Tested-by: Guenter Roeck <linux@roeck-us.net> Acked-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2020-07-31 05:51:14 +00:00			`/* SPDX-License-Identifier: GPL-2.0 */`
			`/*`
			`* include/linux/prandom.h`
			`*`
			`* Include file for the fast pseudo-random 32-bit`
			`* generation.`
			`*/`
			`#ifndef _LINUX_PRANDOM_H`
			`#define _LINUX_PRANDOM_H`

			`#include <linux/types.h>`
			`#include <linux/percpu.h>`

			`u32 prandom_u32(void);`
			`void prandom_bytes(void *buf, size_t nbytes);`
			`void prandom_seed(u32 seed);`
			`void prandom_reseed_late(void);`

random32: make prandom_u32() output unpredictable Non-cryptographic PRNGs may have great statistical properties, but are usually trivially predictable to someone who knows the algorithm, given a small sample of their output. An LFSR like prandom_u32() is particularly simple, even if the sample is widely scattered bits. It turns out the network stack uses prandom_u32() for some things like random port numbers which it would prefer are not trivially predictable. Predictability led to a practical DNS spoofing attack. Oops. This patch replaces the LFSR with a homebrew cryptographic PRNG based on the SipHash round function, which is in turn seeded with 128 bits of strong random key. (The authors of SipHash have not been consulted about this abuse of their algorithm.) Speed is prioritized over security; attacks are rare, while performance is always wanted. Replacing all callers of prandom_u32() is the quick fix. Whether to reinstate a weaker PRNG for uses which can tolerate it is an open question. Commit f227e3ec3b5c ("random32: update the net random state on interrupt and activity") was an earlier attempt at a solution. This patch replaces it. Reported-by: Amit Klein <aksecurity@gmail.com> Cc: Willy Tarreau <w@1wt.eu> Cc: Eric Dumazet <edumazet@google.com> Cc: "Jason A. Donenfeld" <Jason@zx2c4.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Kees Cook <keescook@chromium.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: tytso@mit.edu Cc: Florian Westphal <fw@strlen.de> Cc: Marc Plumb <lkml.mplumb@gmail.com> Fixes: f227e3ec3b5c ("random32: update the net random state on interrupt and activity") Signed-off-by: George Spelvin <lkml@sdf.org> Link: https://lore.kernel.org/netdev/20200808152628.GA27941@SDF.ORG/ [ willy: partial reversal of f227e3ec3b5c; moved SIPROUND definitions to prandom.h for later use; merged George's prandom_seed() proposal; inlined siprand_u32(); replaced the net_rand_state[] array with 4 members to fix a build issue; cosmetic cleanups to make checkpatch happy; fixed RANDOM32_SELFTEST build ] Signed-off-by: Willy Tarreau <w@1wt.eu> 2020-08-09 06:57:44 +00:00			`#if BITS_PER_LONG == 64`
			`/*`
			`* The core SipHash round function. Each line can be executed in`
			`* parallel given enough CPU resources.`
			`*/`
			`#define PRND_SIPROUND(v0, v1, v2, v3) ( \`
			`v0 += v1, v1 = rol64(v1, 13), v2 += v3, v3 = rol64(v3, 16), \`
			`v1 ^= v0, v0 = rol64(v0, 32), v3 ^= v2, \`
			`v0 += v3, v3 = rol64(v3, 21), v2 += v1, v1 = rol64(v1, 17), \`
			`v3 ^= v0, v1 ^= v2, v2 = rol64(v2, 32) \`
			`)`

			`#define PRND_K0 (0x736f6d6570736575 ^ 0x6c7967656e657261)`
			`#define PRND_K1 (0x646f72616e646f6d ^ 0x7465646279746573)`

			`#elif BITS_PER_LONG == 32`
			`/*`
			`* On 32-bit machines, we use HSipHash, a reduced-width version of SipHash.`
			`* This is weaker, but 32-bit machines are not used for high-traffic`
			`* applications, so there is less output for an attacker to analyze.`
			`*/`
			`#define PRND_SIPROUND(v0, v1, v2, v3) ( \`
			`v0 += v1, v1 = rol32(v1, 5), v2 += v3, v3 = rol32(v3, 8), \`
			`v1 ^= v0, v0 = rol32(v0, 16), v3 ^= v2, \`
			`v0 += v3, v3 = rol32(v3, 7), v2 += v1, v1 = rol32(v1, 13), \`
			`v3 ^= v0, v1 ^= v2, v2 = rol32(v2, 16) \`
			`)`
			`#define PRND_K0 0x6c796765`
			`#define PRND_K1 0x74656462`

			`#else`
			`#error Unsupported BITS_PER_LONG`
			`#endif`

random32: move the pseudo-random 32-bit definitions to prandom.h The addition of percpu.h to the list of includes in random.h revealed some circular dependencies on arm64 and possibly other platforms. This include was added solely for the pseudo-random definitions, which have nothing to do with the rest of the definitions in this file but are still there for legacy reasons. This patch moves the pseudo-random parts to linux/prandom.h and the percpu.h include with it, which is now guarded by _LINUX_PRANDOM_H and protected against recursive inclusion. A further cleanup step would be to remove this from <linux/random.h> entirely, and make people who use the prandom infrastructure include just the new header file. That's a bit of a churn patch, but grepping for "prandom_" and "next_pseudo_random32" "struct rnd_state" should catch most users. But it turns out that that nice cleanup step is fairly painful, because a _lot_ of code currently seems to depend on the implicit include of <linux/random.h>, which can currently come in a lot of ways, including such fairly core headfers as <linux/net.h>. So the "nice cleanup" part may or may never happen. Fixes: 1c9df907da83 ("random: fix circular include dependency on arm64 after addition of percpu.h") Tested-by: Guenter Roeck <linux@roeck-us.net> Acked-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2020-07-31 05:51:14 +00:00			`struct rnd_state {`
			`__u32 s1, s2, s3, s4;`
			`};`

			`u32 prandom_u32_state(struct rnd_state *state);`
			`void prandom_bytes_state(struct rnd_state state, void buf, size_t nbytes);`
			`void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state);`

			`#define prandom_init_once(pcpu_state) \`
			`DO_ONCE(prandom_seed_full_state, (pcpu_state))`

			`/**`
			`* prandom_u32_max - returns a pseudo-random number in interval [0, ep_ro)`
			`* @ep_ro: right open interval endpoint`
			`*`
			`* Returns a pseudo-random number that is in interval [0, ep_ro). Note`
			`* that the result depends on PRNG being well distributed in [0, ~0U]`
			`* u32 space. Here we use maximally equidistributed combined Tausworthe`
			`* generator, that is, prandom_u32(). This is useful when requesting a`
			`* random index of an array containing ep_ro elements, for example.`
			`*`
			`* Returns: pseudo-random number in interval [0, ep_ro)`
			`*/`
			`static inline u32 prandom_u32_max(u32 ep_ro)`
			`{`
			`return (u32)(((u64) prandom_u32() * ep_ro) >> 32);`
			`}`

			`/*`
			`* Handle minimum values for seeds`
			`*/`
			`static inline u32 __seed(u32 x, u32 m)`
			`{`
			`return (x < m) ? x + m : x;`
			`}`

			`/**`
			`* prandom_seed_state - set seed for prandom_u32_state().`
			`* @state: pointer to state structure to receive the seed.`
			`* @seed: arbitrary 64-bit value to use as a seed.`
			`*/`
			`static inline void prandom_seed_state(struct rnd_state *state, u64 seed)`
			`{`
			`u32 i = (seed >> 32) ^ (seed << 10) ^ seed;`

			`state->s1 = __seed(i, 2U);`
			`state->s2 = __seed(i, 8U);`
			`state->s3 = __seed(i, 16U);`
			`state->s4 = __seed(i, 128U);`
			`}`

			`/* Pseudo random number generator from numerical recipes. */`
			`static inline u32 next_pseudo_random32(u32 seed)`
			`{`
			`return seed * 1664525 + 1013904223;`
			`}`

			`#endif`