Merge tag '386.2_4' into dsl-master

386.2_4
gnuton · May 3, 2021 · ca54900 · ca54900
2 parents 5a4a44d + 71bcc40
commit ca54900
Show file tree

Hide file tree

Showing 38 changed files with 951 additions and 325 deletions.
diff --git a/Changelog-NG.txt b/Changelog-NG.txt
@@ -1,6 +1,19 @@
 Asuswrt-Merlin 386/NG Changelog
 ===============================
 
+386.2_4 (30-Apr-2021)
+  - NEW: Added jitterentropy-rngd to non-HND models, in addition
+         to HND models.
+  - UPDATED: OpenVPN to 2.5.2.
+  - UPDATED: jitterentropy-rngd to 1.2.2 (library 3.0.3)
+  - FIXED: Scheduled new FW checks wouldn't display the webui
+           notification icon when the local router had a
+           new release available.
+  - FIXED: OpenVPN server would flip into an error state (being
+           shown as "initializing" on the webui) whenever an
+           inbound client failed to connect to it.
+
+
 386.2_2 (13-Apr-2021)
   - FIXED: IPv6 pings were blocked if sent below the rate limit
            instead of above (issue introduced in 42095)

diff --git a/release/src-rt/version.conf b/release/src-rt/version.conf
@@ -1,5 +1,5 @@
 KERNEL_VER=3.0
 FS_VER=0.4
 SERIALNO=386.2
-EXTENDNO=2
+EXTENDNO=4
 RCNO=0
diff --git a/release/src/router/Makefile b/release/src/router/Makefile
@@ -1465,9 +1465,7 @@ obj-$(RTCONFIG_DNSSEC) += $(if $(RTCONFIG_DNSSEC_OPENSSL),openssl,) $(if $(RTCON
 obj-$(RTCONFIG_SAMBA36X) += libiconv-1.14
 obj-$(RTCONFIG_TELENET) += lanauth
 obj-y += wsdd2
-ifeq ($(HND_ROUTER),y)
 obj-y += jitterentropy-rngd
-endif
 #obj-$(RTCONFIG_BWDPI) += faketc
 
 ifneq ($(HND_ROUTER),y)
@@ -7748,7 +7746,7 @@ libovpn: shared nvram$(BCMEX)$(EX7)
 
 jitterentropy-rngd:
 	@$(SEP)
-	$(MAKE) CFLAGS+="-fPIC" -C $@
+	$(MAKE) CFLAGS+="-fPIC -O0" -C $@
 
 jitterentropy-rngd-install:
 	install -D jitterentropy-rngd/jitterentropy-rngd $(INSTALLDIR)/jitterentropy-rngd/usr/sbin/jitterentropy-rngd

diff --git a/release/src/router/jitterentropy-rngd/CHANGES.md b/release/src/router/jitterentropy-rngd/CHANGES.md
@@ -1,3 +1,10 @@
+1.2.2:
+ * enhancement: Add SP800-90B compliant entropy injection
+ * fix: proper use of the RNDRESEEDCRNG IOCTL which otherwise causes an
+   endless loop due to kernel change 11a0b5e0ec8c13bef06f7414f9e914506140d5cb
+ * enhancement: Catch runtime FIPS health failures
+ * enhancement: use Jitter RNG library 3.0.2
+
 1.2.1:
   * on older GCC versions use -fstack-protector as suggested by Warszawski,
    Diego

diff --git a/release/src/router/jitterentropy-rngd/Makefile b/release/src/router/jitterentropy-rngd/Makefile
@@ -2,7 +2,7 @@
 
 CC ?= $(CROSS_COMPILE)gcc
 STRIP ?= $(CROSS_COMPILE)strip
-CFLAGS ?=-Wextra -Wall -pedantic -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fwrapv --param ssp-buffer-size=4 -fvisibility=hidden -fPIE -Wcast-align -Wmissing-field-initializers -Wshadow -Wswitch-enum -O2
+CFLAGS ?=-Wextra -Wall -pedantic -fwrapv --param ssp-buffer-size=4 -fvisibility=hidden -fPIE -Wcast-align -Wmissing-field-initializers -Wshadow -Wswitch-enum -O0
 LDFLAGS ?=-Wl,-z,relro,-z,now -pie
 
 GCCVERSIONFORMAT := $(shell echo `$(CC) -dumpversion | sed 's/\./\n/g' | wc -l`)

diff --git a/release/src/router/jitterentropy-rngd/jitterentropy-base-user.h b/release/src/router/jitterentropy-rngd/jitterentropy-base-user.h
@@ -132,9 +132,8 @@ static inline void jent_get_nstime(uint64_t *out)
 	struct timespec time;
 	if (clock_gettime(CLOCK_REALTIME, &time) == 0)
 	{
-		tmp = (uint32_t)time.tv_sec;
-		tmp = tmp << 32;
-		tmp = tmp | (uint32_t)time.tv_nsec;
+		tmp = ((uint64_t)time.tv_sec & 0xFFFFFFFF) * 1000000000UL;
+		tmp = tmp + (uint64_t)time.tv_nsec;
 	}
 	*out = tmp;
 # endif /* __MACH__ */

diff --git a/release/src/router/jitterentropy-rngd/jitterentropy-base.c b/release/src/router/jitterentropy-rngd/jitterentropy-base.c
@@ -58,7 +58,7 @@
 #define MINVERSION 0 /* API compatible, ABI may change, functional
 		      * enhancements only, consumer can be left unchanged if
 		      * enhancements are not considered */
-#define PATCHLEVEL 1 /* API / ABI compatible, no functional changes, no
+#define PATCHLEVEL 2 /* API / ABI compatible, no functional changes, no
 		      * enhancements, bug fixes only */
 
 /***************************************************************************
@@ -67,6 +67,10 @@
  * None of the following should be altered
  ***************************************************************************/
 
+#ifdef __OPTIMIZE__
+ #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy.c."
+#endif
+
 /*
  * JENT_POWERUP_TESTLOOPCOUNT needs some loops to identify edge
  * systems. 100 is definitely too little.
@@ -113,30 +117,30 @@ unsigned int jent_version(void)
  *
  * @ec [in] Reference to entropy collector
  */
-static void jent_apt_reset(struct rand_data *ec, unsigned int delta_masked)
+static void jent_apt_reset(struct rand_data *ec, uint64_t current_delta)
 {
 	/* Reset APT counter */
 	ec->apt_count = 0;
-	ec->apt_base = delta_masked;
+	ec->apt_base = current_delta;
 	ec->apt_observations = 0;
 }
 
 /**
  * Insert a new entropy event into APT
  *
  * @ec [in] Reference to entropy collector
- * @delta_masked [in] Masked time delta to process
+ * @current_delta [in] Current time delta
  */
-static void jent_apt_insert(struct rand_data *ec, unsigned int delta_masked)
+static void jent_apt_insert(struct rand_data *ec, uint64_t current_delta)
 {
 	/* Initialize the base reference */
 	if (!ec->apt_base_set) {
-		ec->apt_base = delta_masked;
+		ec->apt_base = current_delta;
 		ec->apt_base_set = 1;
 		return;
 	}
 
-	if (delta_masked == ec->apt_base) {
+	if (current_delta == ec->apt_base) {
 		ec->apt_count++;
 
 		if (ec->apt_count >= JENT_APT_CUTOFF)
@@ -146,7 +150,7 @@ static void jent_apt_insert(struct rand_data *ec, unsigned int delta_masked)
 	ec->apt_observations++;
 
 	if (ec->apt_observations >= JENT_APT_WINDOW_SIZE)
-		jent_apt_reset(ec, delta_masked);
+		jent_apt_reset(ec, current_delta);
 }
 
 /***************************************************************************
@@ -246,7 +250,6 @@ static unsigned int jent_stuck(struct rand_data *ec, uint64_t current_delta)
 {
 	uint64_t delta2 = jent_delta(ec->last_delta, current_delta);
 	uint64_t delta3 = jent_delta(ec->last_delta2, delta2);
-	unsigned int delta_masked = current_delta & JENT_APT_WORD_MASK;
 
 	ec->last_delta = current_delta;
 	ec->last_delta2 = delta2;
@@ -255,7 +258,7 @@ static unsigned int jent_stuck(struct rand_data *ec, uint64_t current_delta)
 	 * Insert the result of the comparison of two back-to-back time
 	 * deltas.
 	 */
-	jent_apt_insert(ec, delta_masked);
+	jent_apt_insert(ec, current_delta);
 
 	if (!current_delta || !delta2 || !delta3) {
 		/* RCT with a stuck bit */
@@ -303,10 +306,14 @@ struct sha_ctx {
 	uint8_t partial[SHA3_MAX_SIZE_BLOCK];
 };
 
+#define aligned(val)	__attribute__((aligned(val)))
+#define ALIGNED_BUFFER(name, size, type)				       \
+	type name[(size + sizeof(type)-1) / sizeof(type)] aligned(sizeof(type));
+
 /* CTX size allows any hash type up to SHA3-224 */
 #define SHA_MAX_CTX_SIZE	368
-#define HASH_CTX_ON_STACK(name)						\
-	uint8_t name ## _ctx_buf[SHA_MAX_CTX_SIZE];			\
+#define HASH_CTX_ON_STACK(name)						       \
+	ALIGNED_BUFFER(name ## _ctx_buf, SHA_MAX_CTX_SIZE, uint64_t)	       \
 	struct sha_ctx *name = (struct sha_ctx *) name ## _ctx_buf
 
 /*
@@ -822,6 +829,15 @@ static inline void jent_notime_unsettick(struct rand_data *ec) { (void)ec; }
 static uint64_t jent_loop_shuffle(struct rand_data *ec,
 				  unsigned int bits, unsigned int min)
 {
+#ifdef JENT_CONF_DISABLE_LOOP_SHUFFLE
+
+	(void)ec;
+	(void)bits;
+
+	return (1<<min);
+
+#else /* JENT_CONF_DISABLE_LOOP_SHUFFLE */
+
 	uint64_t time = 0;
 	uint64_t shuffle = 0;
 	unsigned int i = 0;
@@ -850,6 +866,8 @@ static uint64_t jent_loop_shuffle(struct rand_data *ec,
 	 * RNG loop count.
 	 */
 	return (shuffle + (1<<min));
+
+#endif /* JENT_CONF_DISABLE_LOOP_SHUFFLE */
 }
 
 /**
@@ -872,10 +890,11 @@ static void jent_hash_time(struct rand_data *ec, uint64_t time,
 			   uint64_t loop_cnt, unsigned int stuck)
 {
 	HASH_CTX_ON_STACK(ctx);
+	uint8_t itermediary[SHA3_256_SIZE_DIGEST];
 	uint64_t j = 0;
 #define MAX_HASH_LOOP 3
 #define MIN_HASH_LOOP 0
-	uint64_t lfsr_loop_cnt =
+	uint64_t hash_loop_cnt =
 		jent_loop_shuffle(ec, MAX_HASH_LOOP, MIN_HASH_LOOP);
 
 	sha3_256_init(ctx);
@@ -885,8 +904,14 @@ static void jent_hash_time(struct rand_data *ec, uint64_t time,
 	 * needed during runtime
 	 */
 	if (loop_cnt)
-		lfsr_loop_cnt = loop_cnt;
-	for (j = 0; j < lfsr_loop_cnt; j++) {
+		hash_loop_cnt = loop_cnt;
+
+	/*
+	 * This loop basically slows down the SHA-3 operation depending
+	 * on the hash_loop_cnt. Each iteration of the loop generates the
+	 * same result.
+	 */
+	for (j = 0; j < hash_loop_cnt; j++) {
 		sha3_update(ctx, ec->data, SHA3_256_SIZE_DIGEST);
 		sha3_update(ctx, (uint8_t *)&time, sizeof(uint64_t));
 		sha3_update(ctx, (uint8_t *)&j, sizeof(uint64_t));
@@ -898,13 +923,19 @@ static void jent_hash_time(struct rand_data *ec, uint64_t time,
 		 * requires that any conditioning operation to have an identical
 		 * amount of input data according to section 3.1.5.
 		 */
-		if (stuck)
-			sha3_init(ctx);
+
+		/*
+		 * The sha3_final operations re-initialize the context for the
+		 * next loop iteration.
+		 */
+		if (stuck || (j < hash_loop_cnt - 1))
+			sha3_final(ctx, itermediary);
 		else
 			sha3_final(ctx, ec->data);
 	}
 
 	jent_memset_secure(ctx, SHA_MAX_CTX_SIZE);
+	jent_memset_secure(itermediary, sizeof(itermediary));
 }
 
 /**
@@ -950,7 +981,6 @@ static void jent_memaccess(struct rand_data *ec, uint64_t loop_cnt)
 	 */
 	if (loop_cnt)
 		acc_loop_cnt = loop_cnt;
-
 	for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) {
 		unsigned char *tmpval = ec->mem + ec->memlocation;
 		/*
@@ -983,17 +1013,21 @@ static void jent_memaccess(struct rand_data *ec, uint64_t loop_cnt)
  * 	    and not using its result.
  *
  * @ec [in] Reference to entropy collector
+ * @loop_cnt [in] see jent_hash_time
+ * @ret_current_delta [out] Test interface: return time delta - may be NULL
  *
  * @return: result of stuck test
  */
-static unsigned int jent_measure_jitter(struct rand_data *ec)
+static unsigned int jent_measure_jitter(struct rand_data *ec,
+					uint64_t loop_cnt,
+					uint64_t *ret_current_delta)
 {
 	uint64_t time = 0;
 	uint64_t current_delta = 0;
 	unsigned int stuck;
 
 	/* Invoke one noise source before time measurement to add variations */
-	jent_memaccess(ec, 0);
+	jent_memaccess(ec, loop_cnt);
 
 	/*
 	 * Get time stamp and calculate time delta to previous
@@ -1007,7 +1041,11 @@ static unsigned int jent_measure_jitter(struct rand_data *ec)
 	stuck = jent_stuck(ec, current_delta);
 
 	/* Now call the next noise sources which also injects the data */
-	jent_hash_time(ec, current_delta, 0, stuck);
+	jent_hash_time(ec, current_delta, loop_cnt, stuck);
+
+	/* return the raw entropy value */
+	if (ret_current_delta)
+		*ret_current_delta = current_delta;
 
 	return stuck;
 }
@@ -1023,11 +1061,11 @@ static void jent_random_data(struct rand_data *ec)
 	unsigned int k = 0;
 
 	/* priming of the ->prev_time value */
-	jent_measure_jitter(ec);
+	jent_measure_jitter(ec, 0, NULL);
 
 	while (1) {
 		/* If a stuck measurement is received, repeat measurement */
-		if (jent_measure_jitter(ec))
+		if (jent_measure_jitter(ec, 0, NULL))
 			continue;
 
 		/*
@@ -1138,6 +1176,22 @@ struct rand_data *jent_entropy_collector_alloc(unsigned int osr,
 {
 	struct rand_data *entropy_collector;
 
+	/*
+	 * Requesting disabling and forcing of internal timer
+	 * makes no sense.
+	 */
+	if ((flags & JENT_DISABLE_INTERNAL_TIMER) &&
+	    (flags & JENT_FORCE_INTERNAL_TIMER))
+		return NULL;
+
+	/*
+	 * If the initial test code concludes to force the internal timer
+	 * and the user requests it not to be used, do not allocate
+	 * the Jitter RNG instance.
+	 */
+	if (jent_force_internal_timer && (flags & JENT_DISABLE_INTERNAL_TIMER))
+		return NULL;
+
 	entropy_collector = jent_zalloc(sizeof(struct rand_data));
 	if (NULL == entropy_collector)
 		return NULL;
@@ -1157,16 +1211,18 @@ struct rand_data *jent_entropy_collector_alloc(unsigned int osr,
 	}
 
 	/* verify and set the oversampling rate */
-	if (osr == 0)
-		osr = 1; /* minimum sampling rate is 1 */
+	if (osr < JENT_MIN_OSR)
+		osr = JENT_MIN_OSR;
 	entropy_collector->osr = osr;
 
-	if (jent_fips_enabled())
+	if (jent_fips_enabled() || (flags & JENT_FORCE_FIPS))
 		entropy_collector->fips_enabled = 1;
 
 	/* Use timer-less noise source */
-	if (jent_notime_enable(entropy_collector, flags))
-		goto err;
+	if (!(flags & JENT_DISABLE_INTERNAL_TIMER)) {
+		if (jent_notime_enable(entropy_collector, flags))
+			goto err;
+	}
 
 	/* fill the data pad with non-zero values */
 	if (jent_notime_settick(entropy_collector))
@@ -1350,7 +1406,7 @@ static int jent_time_entropy_init(unsigned int enable_notime)
 	 * than 1 to ensure the entropy estimation
 	 * implied with 1 is preserved
 	 */
-	if ((delta_sum) <= 1) {
+	if ((delta_sum) <= JENT_POWERUP_TESTLOOPCOUNT) {
 		ret = EMINVARVAR;
 		goto out;
 	}
@@ -1360,7 +1416,7 @@ static int jent_time_entropy_init(unsigned int enable_notime)
 	 * least 10% of all checks -- on some platforms, the counter increments
 	 * in multiples of 100, but not always
 	 */
-	if ((JENT_POWERUP_TESTLOOPCOUNT/10 * 9) < count_mod) {
+	if (JENT_STUCK_INIT_THRES(JENT_POWERUP_TESTLOOPCOUNT) < count_mod) {
 		ret = ECOARSETIME;
 		goto out;
 	}
@@ -1369,7 +1425,7 @@ static int jent_time_entropy_init(unsigned int enable_notime)
 	 * If we have more than 90% stuck results, then this Jitter RNG is
 	 * likely to not work well.
 	 */
-	if ((JENT_POWERUP_TESTLOOPCOUNT/10 * 9) < count_stuck)
+	if (JENT_STUCK_INIT_THRES(JENT_POWERUP_TESTLOOPCOUNT) < count_stuck)
 		ret = ESTUCK;
 
 out: