1 /**
2 * \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * The HAVEGE RNG was designed by Andre Seznec in 2002.
9 *
10 * http://www.irisa.fr/caps/projects/hipsor/publi.php
11 *
12 * Contact: seznec(at)irisa_dot_fr - orocheco(at)irisa_dot_fr
13 */
14
15 #include "common.h"
16
17 #if defined(MBEDTLS_HAVEGE_C)
18
19 #include "mbedtls/havege.h"
20 #include "mbedtls/timing.h"
21 #include "mbedtls/platform_util.h"
22
23 #include <stdint.h>
24 #include <string.h>
25
26 /* ------------------------------------------------------------------------
27 * On average, one iteration accesses two 8-word blocks in the havege WALK
28 * table, and generates 16 words in the RES array.
29 *
30 * The data read in the WALK table is updated and permuted after each use.
31 * The result of the hardware clock counter read is used for this update.
32 *
33 * 25 conditional tests are present. The conditional tests are grouped in
34 * two nested groups of 12 conditional tests and 1 test that controls the
35 * permutation; on average, there should be 6 tests executed and 3 of them
36 * should be mispredicted.
37 * ------------------------------------------------------------------------
38 */
39
40 #define SWAP(X, Y) { uint32_t *T = (X); (X) = (Y); (Y) = T; }
41
42 #define TST1_ENTER if (PTEST & 1) { PTEST ^= 3; PTEST >>= 1;
43 #define TST2_ENTER if (PTEST & 1) { PTEST ^= 3; PTEST >>= 1;
44
45 #define TST1_LEAVE U1++; }
46 #define TST2_LEAVE U2++; }
47
48 #define ONE_ITERATION \
49 \
50 PTEST = PT1 >> 20; \
51 \
52 TST1_ENTER TST1_ENTER TST1_ENTER TST1_ENTER \
53 TST1_ENTER TST1_ENTER TST1_ENTER TST1_ENTER \
54 TST1_ENTER TST1_ENTER TST1_ENTER TST1_ENTER \
55 \
56 TST1_LEAVE TST1_LEAVE TST1_LEAVE TST1_LEAVE \
57 TST1_LEAVE TST1_LEAVE TST1_LEAVE TST1_LEAVE \
58 TST1_LEAVE TST1_LEAVE TST1_LEAVE TST1_LEAVE \
59 \
60 PTX = (PT1 >> 18) & 7; \
61 PT1 &= 0x1FFF; \
62 PT2 &= 0x1FFF; \
63 CLK = (uint32_t) mbedtls_timing_hardclock(); \
64 \
65 i = 0; \
66 A = &WALK[PT1]; RES[i++] ^= *A; \
67 B = &WALK[PT2]; RES[i++] ^= *B; \
68 C = &WALK[PT1 ^ 1]; RES[i++] ^= *C; \
69 D = &WALK[PT2 ^ 4]; RES[i++] ^= *D; \
70 \
71 IN = (*A >> (1)) ^ (*A << (31)) ^ CLK; \
72 *A = (*B >> (2)) ^ (*B << (30)) ^ CLK; \
73 *B = IN ^ U1; \
74 *C = (*C >> (3)) ^ (*C << (29)) ^ CLK; \
75 *D = (*D >> (4)) ^ (*D << (28)) ^ CLK; \
76 \
77 A = &WALK[PT1 ^ 2]; RES[i++] ^= *A; \
78 B = &WALK[PT2 ^ 2]; RES[i++] ^= *B; \
79 C = &WALK[PT1 ^ 3]; RES[i++] ^= *C; \
80 D = &WALK[PT2 ^ 6]; RES[i++] ^= *D; \
81 \
82 if (PTEST & 1) SWAP(A, C); \
83 \
84 IN = (*A >> (5)) ^ (*A << (27)) ^ CLK; \
85 *A = (*B >> (6)) ^ (*B << (26)) ^ CLK; \
86 *B = IN; CLK = (uint32_t) mbedtls_timing_hardclock(); \
87 *C = (*C >> (7)) ^ (*C << (25)) ^ CLK; \
88 *D = (*D >> (8)) ^ (*D << (24)) ^ CLK; \
89 \
90 A = &WALK[PT1 ^ 4]; \
91 B = &WALK[PT2 ^ 1]; \
92 \
93 PTEST = PT2 >> 1; \
94 \
95 PT2 = (RES[(i - 8) ^ PTY] ^ WALK[PT2 ^ PTY ^ 7]); \
96 PT2 = ((PT2 & 0x1FFF) & (~8)) ^ ((PT1 ^ 8) & 0x8); \
97 PTY = (PT2 >> 10) & 7; \
98 \
99 TST2_ENTER TST2_ENTER TST2_ENTER TST2_ENTER \
100 TST2_ENTER TST2_ENTER TST2_ENTER TST2_ENTER \
101 TST2_ENTER TST2_ENTER TST2_ENTER TST2_ENTER \
102 \
103 TST2_LEAVE TST2_LEAVE TST2_LEAVE TST2_LEAVE \
104 TST2_LEAVE TST2_LEAVE TST2_LEAVE TST2_LEAVE \
105 TST2_LEAVE TST2_LEAVE TST2_LEAVE TST2_LEAVE \
106 \
107 C = &WALK[PT1 ^ 5]; \
108 D = &WALK[PT2 ^ 5]; \
109 \
110 RES[i++] ^= *A; \
111 RES[i++] ^= *B; \
112 RES[i++] ^= *C; \
113 RES[i++] ^= *D; \
114 \
115 IN = (*A >> (9)) ^ (*A << (23)) ^ CLK; \
116 *A = (*B >> (10)) ^ (*B << (22)) ^ CLK; \
117 *B = IN ^ U2; \
118 *C = (*C >> (11)) ^ (*C << (21)) ^ CLK; \
119 *D = (*D >> (12)) ^ (*D << (20)) ^ CLK; \
120 \
121 A = &WALK[PT1 ^ 6]; RES[i++] ^= *A; \
122 B = &WALK[PT2 ^ 3]; RES[i++] ^= *B; \
123 C = &WALK[PT1 ^ 7]; RES[i++] ^= *C; \
124 D = &WALK[PT2 ^ 7]; RES[i++] ^= *D; \
125 \
126 IN = (*A >> (13)) ^ (*A << (19)) ^ CLK; \
127 *A = (*B >> (14)) ^ (*B << (18)) ^ CLK; \
128 *B = IN; \
129 *C = (*C >> (15)) ^ (*C << (17)) ^ CLK; \
130 *D = (*D >> (16)) ^ (*D << (16)) ^ CLK; \
131 \
132 PT1 = (RES[(i - 8) ^ PTX] ^ \
133 WALK[PT1 ^ PTX ^ 7]) & (~1); \
134 PT1 ^= (PT2 ^ 0x10) & 0x10; \
135 \
136 for (n++, i = 0; i < 16; i++) \
137 hs->pool[n % MBEDTLS_HAVEGE_COLLECT_SIZE] ^= RES[i];
138
139 /*
140 * Entropy gathering function
141 */
havege_fill(mbedtls_havege_state * hs)142 static void havege_fill(mbedtls_havege_state *hs)
143 {
144 size_t n = 0;
145 size_t i;
146 uint32_t U1, U2, *A, *B, *C, *D;
147 uint32_t PT1, PT2, *WALK, RES[16];
148 uint32_t PTX, PTY, CLK, PTEST, IN;
149
150 WALK = hs->WALK;
151 PT1 = hs->PT1;
152 PT2 = hs->PT2;
153
154 PTX = U1 = 0;
155 PTY = U2 = 0;
156
157 (void) PTX;
158
159 memset(RES, 0, sizeof(RES));
160
161 while (n < MBEDTLS_HAVEGE_COLLECT_SIZE * 4) {
162 ONE_ITERATION
163 ONE_ITERATION
164 ONE_ITERATION
165 ONE_ITERATION
166 }
167
168 hs->PT1 = PT1;
169 hs->PT2 = PT2;
170
171 hs->offset[0] = 0;
172 hs->offset[1] = MBEDTLS_HAVEGE_COLLECT_SIZE / 2;
173 }
174
175 /*
176 * HAVEGE initialization
177 */
mbedtls_havege_init(mbedtls_havege_state * hs)178 void mbedtls_havege_init(mbedtls_havege_state *hs)
179 {
180 memset(hs, 0, sizeof(mbedtls_havege_state));
181
182 havege_fill(hs);
183 }
184
mbedtls_havege_free(mbedtls_havege_state * hs)185 void mbedtls_havege_free(mbedtls_havege_state *hs)
186 {
187 if (hs == NULL) {
188 return;
189 }
190
191 mbedtls_platform_zeroize(hs, sizeof(mbedtls_havege_state));
192 }
193
194 /*
195 * HAVEGE rand function
196 */
mbedtls_havege_random(void * p_rng,unsigned char * buf,size_t len)197 int mbedtls_havege_random(void *p_rng, unsigned char *buf, size_t len)
198 {
199 uint32_t val;
200 size_t use_len;
201 mbedtls_havege_state *hs = (mbedtls_havege_state *) p_rng;
202 unsigned char *p = buf;
203
204 while (len > 0) {
205 use_len = len;
206 if (use_len > sizeof(val)) {
207 use_len = sizeof(val);
208 }
209
210 if (hs->offset[1] >= MBEDTLS_HAVEGE_COLLECT_SIZE) {
211 havege_fill(hs);
212 }
213
214 val = hs->pool[hs->offset[0]++];
215 val ^= hs->pool[hs->offset[1]++];
216
217 memcpy(p, &val, use_len);
218
219 len -= use_len;
220 p += use_len;
221 }
222
223 return 0;
224 }
225
226 #endif /* MBEDTLS_HAVEGE_C */
227