forked from includeos/IncludeOS
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathrng.cpp
More file actions
177 lines (158 loc) · 5.96 KB
/
Copy pathrng.cpp
File metadata and controls
177 lines (158 loc) · 5.96 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
// This file is a part of the IncludeOS unikernel - www.includeos.org
//
// Copyright 2016 Oslo and Akershus University College of Applied Sciences
// and Alfred Bratterud
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <kernel/rng.hpp>
#include <kernel/cpuid.hpp>
#include <kernel/os.hpp>
#include <kernel/rdrand.hpp>
#include <algorithm>
#include <cstring>
#include <smp>
struct alignas(SMP_ALIGN) rng_state
{
uint64_t state[25];
};
static SMP::Array<rng_state> rng;
static inline uint64_t rotate_left(uint64_t input, size_t rot) {
return (input << rot) | (input >> (64-rot));
}
static void keccak_1600_p(uint64_t A[25]) {
static const uint64_t RC[24] = {
0x0000000000000001, 0x0000000000008082, 0x800000000000808A,
0x8000000080008000, 0x000000000000808B, 0x0000000080000001,
0x8000000080008081, 0x8000000000008009, 0x000000000000008A,
0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
0x000000008000808B, 0x800000000000008B, 0x8000000000008089,
0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
0x000000000000800A, 0x800000008000000A, 0x8000000080008081,
0x8000000000008080, 0x0000000080000001, 0x8000000080008008
};
for(size_t i = 0; i != 24; ++i)
{
const uint64_t C0 = A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20];
const uint64_t C1 = A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21];
const uint64_t C2 = A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22];
const uint64_t C3 = A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23];
const uint64_t C4 = A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24];
const uint64_t D0 = rotate_left(C0, 1) ^ C3;
const uint64_t D1 = rotate_left(C1, 1) ^ C4;
const uint64_t D2 = rotate_left(C2, 1) ^ C0;
const uint64_t D3 = rotate_left(C3, 1) ^ C1;
const uint64_t D4 = rotate_left(C4, 1) ^ C2;
const uint64_t B00 = A[ 0] ^ D1;
const uint64_t B10 = rotate_left(A[ 1] ^ D2, 1);
const uint64_t B20 = rotate_left(A[ 2] ^ D3, 62);
const uint64_t B05 = rotate_left(A[ 3] ^ D4, 28);
const uint64_t B15 = rotate_left(A[ 4] ^ D0, 27);
const uint64_t B16 = rotate_left(A[ 5] ^ D1, 36);
const uint64_t B01 = rotate_left(A[ 6] ^ D2, 44);
const uint64_t B11 = rotate_left(A[ 7] ^ D3, 6);
const uint64_t B21 = rotate_left(A[ 8] ^ D4, 55);
const uint64_t B06 = rotate_left(A[ 9] ^ D0, 20);
const uint64_t B07 = rotate_left(A[10] ^ D1, 3);
const uint64_t B17 = rotate_left(A[11] ^ D2, 10);
const uint64_t B02 = rotate_left(A[12] ^ D3, 43);
const uint64_t B12 = rotate_left(A[13] ^ D4, 25);
const uint64_t B22 = rotate_left(A[14] ^ D0, 39);
const uint64_t B23 = rotate_left(A[15] ^ D1, 41);
const uint64_t B08 = rotate_left(A[16] ^ D2, 45);
const uint64_t B18 = rotate_left(A[17] ^ D3, 15);
const uint64_t B03 = rotate_left(A[18] ^ D4, 21);
const uint64_t B13 = rotate_left(A[19] ^ D0, 8);
const uint64_t B14 = rotate_left(A[20] ^ D1, 18);
const uint64_t B24 = rotate_left(A[21] ^ D2, 2);
const uint64_t B09 = rotate_left(A[22] ^ D3, 61);
const uint64_t B19 = rotate_left(A[23] ^ D4, 56);
const uint64_t B04 = rotate_left(A[24] ^ D0, 14);
A[ 0] = B00 ^ (~B01 & B02);
A[ 1] = B01 ^ (~B02 & B03);
A[ 2] = B02 ^ (~B03 & B04);
A[ 3] = B03 ^ (~B04 & B00);
A[ 4] = B04 ^ (~B00 & B01);
A[ 5] = B05 ^ (~B06 & B07);
A[ 6] = B06 ^ (~B07 & B08);
A[ 7] = B07 ^ (~B08 & B09);
A[ 8] = B08 ^ (~B09 & B05);
A[ 9] = B09 ^ (~B05 & B06);
A[10] = B10 ^ (~B11 & B12);
A[11] = B11 ^ (~B12 & B13);
A[12] = B12 ^ (~B13 & B14);
A[13] = B13 ^ (~B14 & B10);
A[14] = B14 ^ (~B10 & B11);
A[15] = B15 ^ (~B16 & B17);
A[16] = B16 ^ (~B17 & B18);
A[17] = B17 ^ (~B18 & B19);
A[18] = B18 ^ (~B19 & B15);
A[19] = B19 ^ (~B15 & B16);
A[20] = B20 ^ (~B21 & B22);
A[21] = B21 ^ (~B22 & B23);
A[22] = B22 ^ (~B23 & B24);
A[23] = B23 ^ (~B24 & B20);
A[24] = B24 ^ (~B20 & B21);
A[0] ^= RC[i];
}
}
#define SHAKE_128_RATE (1600-256)/8
static inline void xor_bytes(const uint8_t* in, uint8_t* out, size_t bytes)
{
for(size_t i = 0; i != bytes; ++i)
out[i] ^= in[i];
}
void rng_absorb(const void* input, size_t bytes)
{
size_t absorbed = 0;
while(absorbed < bytes)
{
size_t absorbing = std::min<size_t>(bytes - absorbed, SHAKE_128_RATE);
xor_bytes(static_cast<const uint8_t*>(input) + absorbed,
reinterpret_cast<uint8_t*>(PER_CPU(rng).state),
absorbing);
keccak_1600_p(PER_CPU(rng).state);
absorbed += absorbing;
}
}
void rng_extract(void* output, size_t bytes)
{
size_t copied = 0;
while(copied < bytes)
{
size_t copying = std::min<size_t>(bytes - copied, SHAKE_128_RATE);
memcpy(static_cast<uint8_t*>(output) + copied, PER_CPU(rng).state, copying);
keccak_1600_p(PER_CPU(rng).state);
copied += copying;
}
}
void RNG::init()
{
// initialize random seed based on cycles since start
if (CPUID::has_feature(CPUID::Feature::RDRAND)) {
uint32_t rdrand_output[32];
for (size_t i = 0; i != 32; ++i) {
while (!rdrand32(&rdrand_output[i])) {}
}
rng_absorb(rdrand_output, sizeof(rdrand_output));
}
else {
// this is horrible, better solution needed here
for (size_t i = 0; i != 32; ++i) {
uint64_t clock = OS::cycles_since_boot();
// maybe additionally call something which will take
// variable time depending in some way on the processor
// state (clflush?) or a HAVEGE-like approach.
rng_absorb(&clock, sizeof(clock));
}
}
}