blob: aca977e838cb74bf88e8bf9d319d62440edb2d5d [file] [log] [blame]
/* random-csprng.c - CSPRNG style random number generator (libgcrypt classic)
* Copyright (C) 1998, 2000, 2001, 2002, 2003, 2004, 2005, 2006,
* 2007, 2008 Free Software Foundation, Inc.
*
* This file is part of Libgcrypt.
*
* Libgcrypt is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
/*
This random number generator is modelled after the one described in
Peter Gutmann's 1998 Usenix Security Symposium paper: "Software
Generation of Practically Strong Random Numbers". See also chapter
6 in his book "Cryptographic Security Architecture", New York,
2004, ISBN 0-387-95387-6.
Note that the acronym CSPRNG stands for "Continuously Seeded
PseudoRandom Number Generator" as used in Peter's implementation of
the paper and not only for "Cryptographically Secure PseudoRandom
Number Generator".
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
#ifdef HAVE_GETHRTIME
#include <sys/times.h>
#endif
#ifdef HAVE_GETTIMEOFDAY
#include <sys/time.h>
#endif
#ifdef HAVE_GETRUSAGE
#include <sys/resource.h>
#endif
#ifdef __MINGW32__
#include <process.h>
#endif
#include "g10lib.h"
#include "../cipher/rmd.h"
#include "random.h"
#include "rand-internal.h"
#include "cipher.h" /* Required for the rmd160_hash_buffer() prototype. */
#include "ath.h"
#ifndef RAND_MAX /* For SunOS. */
#define RAND_MAX 32767
#endif
/* Check whether we can lock the seed file read write. */
#if defined(HAVE_FCNTL) && defined(HAVE_FTRUNCATE) && !defined(HAVE_W32_SYSTEM)
#define LOCK_SEED_FILE 1
#else
#define LOCK_SEED_FILE 0
#endif
/* Define the constant we use for transforming the pool at read-out. */
#if SIZEOF_UNSIGNED_LONG == 8
#define ADD_VALUE 0xa5a5a5a5a5a5a5a5
#elif SIZEOF_UNSIGNED_LONG == 4
#define ADD_VALUE 0xa5a5a5a5
#else
#error weird size for an unsigned long
#endif
/* Contstants pertaining to the hash pool. */
#define BLOCKLEN 64 /* Hash this amount of bytes... */
#define DIGESTLEN 20 /* ... into a digest of this length (rmd160). */
/* POOLBLOCKS is the number of digests which make up the pool. */
#define POOLBLOCKS 30
/* POOLSIZE must be a multiple of the digest length to make the AND
operations faster, the size should also be a multiple of unsigned
long. */
#define POOLSIZE (POOLBLOCKS*DIGESTLEN)
#if (POOLSIZE % SIZEOF_UNSIGNED_LONG)
#error Please make sure that poolsize is a multiple of unsigned long
#endif
#define POOLWORDS (POOLSIZE / SIZEOF_UNSIGNED_LONG)
/* RNDPOOL is the pool we use to collect the entropy and to stir it
up. Its allocated size is POOLSIZE+BLOCKLEN. Note that this is
also an indication on whether the module has been fully
initialized. */
static unsigned char *rndpool;
/* KEYPOOL is used as a scratch copy to read out random from RNDPOOL.
Its allocated size is also POOLSIZE+BLOCKLEN. */
static unsigned char *keypool;
/* This is the offset into RNDPOOL where the next random bytes are to
be mixed in. */
static size_t pool_writepos;
/* When reading data out of KEYPOOL, we start the read at different
positions. This variable keeps track on where to read next. */
static size_t pool_readpos;
/* This flag is set to true as soon as the pool has been completely
filled the first time. This may happen either by rereading a seed
file or by adding enough entropy. */
static int pool_filled;
/* This counter is used to track whether the initial seeding has been
done with enough bytes from a reliable entropy source. */
static size_t pool_filled_counter;
/* If random of level GCRY_VERY_STRONG_RANDOM has been requested we
have stricter requirements on what kind of entropy is in the pool.
In particular POOL_FILLED is not sufficient. Thus we add some
extra seeding and set this flag to true if the extra seeding has
been done. */
static int did_initial_extra_seeding;
/* This variable is used to estimated the amount of fresh entropy
available in RNDPOOL. */
static int pool_balance;
/* After a mixing operation this variable will be set to true and
cleared if new entropy has been added or a remix is required for
otehr reasons. */
static int just_mixed;
/* The name of the seed file or NULL if no seed file has been defined.
The seed file needs to be regsitered at initialiation time. We
keep a malloced copy here. */
static char *seed_file_name;
/* If a seed file has been registered and maybe updated on exit this
flag set. */
static int allow_seed_file_update;
/* Option flag set at initialiation time to force allocation of the
pool in secure memory. */
static int secure_alloc;
/* This function pointer is set to the actual entropy gathering
function during initailization. After initialization it is
guaranteed to point to function. (On systems without a random
gatherer module a dummy function is used).*/
static int (*slow_gather_fnc)(void (*)(const void*, size_t,
enum random_origins),
enum random_origins, size_t, int);
/* This function is set to the actual fast entropy gathering fucntion
during initialization. If it is NULL, no such function is
available. */
static void (*fast_gather_fnc)(void (*)(const void*, size_t,
enum random_origins),
enum random_origins);
/* Option flag useful for debugging and the test suite. If set
requests for very strong random are degraded to strong random. Not
used by regular applications. */
static int quick_test;
/* On systems without entropy gathering modules, this flag is set to
indicate that the random generator is not working properly. A
warning message is issued as well. This is useful only for
debugging and during development. */
static int faked_rng;
/* This is the lock we use to protect all pool operations. */
static ath_mutex_t pool_lock = ATH_MUTEX_INITIALIZER;
/* This is a helper for assert calls. These calls are used to assert
that functions are called in a locked state. It is not meant to be
thread-safe but as a method to get aware of missing locks in the
test suite. */
static int pool_is_locked;
/* This is the lock we use to protect the buffer used by the nonce
generation. */
static ath_mutex_t nonce_buffer_lock = ATH_MUTEX_INITIALIZER;
/* We keep some counters in this structure for the sake of the
_gcry_random_dump_stats () function. */
static struct
{
unsigned long mixrnd;
unsigned long mixkey;
unsigned long slowpolls;
unsigned long fastpolls;
unsigned long getbytes1;
unsigned long ngetbytes1;
unsigned long getbytes2;
unsigned long ngetbytes2;
unsigned long addbytes;
unsigned long naddbytes;
} rndstats;
/* --- Stuff pertaining to the random daemon support. --- */
#ifdef USE_RANDOM_DAEMON
/* If ALLOW_DAEMON is true, the module will try to use the random
daemon first. If the daemon has failed, this variable is set to
back to false and the code continues as normal. Note, we don't
test this flag in a locked state because a wrong value does not
harm and the trhead will find out itself that the daemon does not
work and set it (again) to false. */
static int allow_daemon;
/* During initialization, the user may set a non-default socket name
for accessing the random daemon. If this value is NULL, the
default name will be used. */
static char *daemon_socket_name;
#endif /*USE_RANDOM_DAEMON*/
/* --- Prototypes --- */
static void read_pool (byte *buffer, size_t length, int level );
static void add_randomness (const void *buffer, size_t length,
enum random_origins origin);
static void random_poll (void);
static void do_fast_random_poll (void);
static int (*getfnc_gather_random (void))(void (*)(const void*, size_t,
enum random_origins),
enum random_origins, size_t, int);
static void (*getfnc_fast_random_poll (void))(void (*)(const void*, size_t,
enum random_origins),
enum random_origins);
static void read_random_source (enum random_origins origin,
size_t length, int level);
static int gather_faked (void (*add)(const void*, size_t, enum random_origins),
enum random_origins, size_t length, int level );
/* --- Functions --- */
/* Basic initialization which is required to initialize mutexes and
such. It does not run a full initialization so that the filling of
the random pool can be delayed until it is actually needed. We
assume that this function is used before any concurrent access
happens. */
static void
initialize_basics(void)
{
static int initialized;
int err;
if (!initialized)
{
initialized = 1;
err = ath_mutex_init (&pool_lock);
if (err)
log_fatal ("failed to create the pool lock: %s\n", strerror (err) );
err = ath_mutex_init (&nonce_buffer_lock);
if (err)
log_fatal ("failed to create the nonce buffer lock: %s\n",
strerror (err) );
#ifdef USE_RANDOM_DAEMON
_gcry_daemon_initialize_basics ();
#endif /*USE_RANDOM_DAEMON*/
/* Make sure that we are still using the values we have
traditionally used for the random levels. */
gcry_assert (GCRY_WEAK_RANDOM == 0
&& GCRY_STRONG_RANDOM == 1
&& GCRY_VERY_STRONG_RANDOM == 2);
}
}
/* Take the pool lock. */
static void
lock_pool (void)
{
int err;
err = ath_mutex_lock (&pool_lock);
if (err)
log_fatal ("failed to acquire the pool lock: %s\n", strerror (err));
pool_is_locked = 1;
}
/* Release the pool lock. */
static void
unlock_pool (void)
{
int err;
pool_is_locked = 0;
err = ath_mutex_unlock (&pool_lock);
if (err)
log_fatal ("failed to release the pool lock: %s\n", strerror (err));
}
/* Full initialization of this module. */
static void
initialize(void)
{
/* Although the basic initialization should have happened already,
we call it here to make sure that all prerequisites are met. */
initialize_basics ();
/* Now we can look the pool and complete the initialization if
necessary. */
lock_pool ();
if (!rndpool)
{
/* The data buffer is allocated somewhat larger, so that we can
use this extra space (which is allocated in secure memory) as
a temporary hash buffer */
rndpool = (secure_alloc
? gcry_xcalloc_secure (1, POOLSIZE + BLOCKLEN)
: gcry_xcalloc (1, POOLSIZE + BLOCKLEN));
keypool = (secure_alloc
? gcry_xcalloc_secure (1, POOLSIZE + BLOCKLEN)
: gcry_xcalloc (1, POOLSIZE + BLOCKLEN));
/* Setup the slow entropy gathering function. The code requires
that this function exists. */
slow_gather_fnc = getfnc_gather_random ();
if (!slow_gather_fnc)
{
faked_rng = 1;
slow_gather_fnc = gather_faked;
}
/* Setup the fast entropy gathering function. */
fast_gather_fnc = getfnc_fast_random_poll ();
}
unlock_pool ();
}
/* Initialize this random subsystem. If FULL is false, this function
merely calls the initialize and does not do anything more. Doing
this is not really required but when running in a threaded
environment we might get a race condition otherwise. */
void
_gcry_rngcsprng_initialize (int full)
{
if (!full)
initialize_basics ();
else
initialize ();
}
void
_gcry_rngcsprng_dump_stats (void)
{
/* In theory we would need to lock the stats here. However this
function is usually called during cleanup and then we _might_ run
into problems. */
log_info ("random usage: poolsize=%d mixed=%lu polls=%lu/%lu added=%lu/%lu\n"
" outmix=%lu getlvl1=%lu/%lu getlvl2=%lu/%lu%s\n",
POOLSIZE, rndstats.mixrnd, rndstats.slowpolls, rndstats.fastpolls,
rndstats.naddbytes, rndstats.addbytes,
rndstats.mixkey, rndstats.ngetbytes1, rndstats.getbytes1,
rndstats.ngetbytes2, rndstats.getbytes2,
_gcry_rndhw_failed_p()? " (hwrng failed)":"");
}
/* This function should be called during initialization and before
intialization of this module to place the random pools into secure
memory. */
void
_gcry_rngcsprng_secure_alloc (void)
{
secure_alloc = 1;
}
/* This may be called before full initialization to degrade the
quality of the RNG for the sake of a faster running test suite. */
void
_gcry_rngcsprng_enable_quick_gen (void)
{
quick_test = 1;
}
void
_gcry_rngcsprng_set_daemon_socket (const char *socketname)
{
#ifdef USE_RANDOM_DAEMON
if (daemon_socket_name)
BUG ();
daemon_socket_name = gcry_xstrdup (socketname);
#else /*!USE_RANDOM_DAEMON*/
(void)socketname;
#endif /*!USE_RANDOM_DAEMON*/
}
/* With ONOFF set to 1, enable the use of the daemon. With ONOFF set
to 0, disable the use of the daemon. With ONOF set to -1, return
whether the daemon has been enabled. */
int
_gcry_rngcsprng_use_daemon (int onoff)
{
#ifdef USE_RANDOM_DAEMON
int last;
/* This is not really thread safe. However it is expected that this
function is being called during initialization and at that point
we are for other reasons not really thread safe. We do not want
to lock it because we might eventually decide that this function
may even be called prior to gcry_check_version. */
last = allow_daemon;
if (onoff != -1)
allow_daemon = onoff;
return last;
#else /*!USE_RANDOM_DAEMON*/
(void)onoff;
return 0;
#endif /*!USE_RANDOM_DAEMON*/
}
/* This function returns true if no real RNG is available or the
quality of the RNG has been degraded for test purposes. */
int
_gcry_rngcsprng_is_faked (void)
{
/* We need to initialize due to the runtime determination of
available entropy gather modules. */
initialize();
return (faked_rng || quick_test);
}
/* Add BUFLEN bytes from BUF to the internal random pool. QUALITY
should be in the range of 0..100 to indicate the goodness of the
entropy added, or -1 for goodness not known. */
gcry_error_t
_gcry_rngcsprng_add_bytes (const void *buf, size_t buflen, int quality)
{
size_t nbytes;
const char *bufptr;
if (quality == -1)
quality = 35;
else if (quality > 100)
quality = 100;
else if (quality < 0)
quality = 0;
if (!buf)
return gpg_error (GPG_ERR_INV_ARG);
if (!buflen || quality < 10)
return 0; /* Take a shortcut. */
/* Because we don't increment the entropy estimation with FASTPOLL,
we don't need to take lock that estimation while adding from an
external source. This limited entropy estimation also means that
we can't take QUALITY into account. */
initialize_basics ();
bufptr = buf;
while (buflen)
{
nbytes = buflen > POOLSIZE? POOLSIZE : buflen;
lock_pool ();
if (rndpool)
add_randomness (bufptr, nbytes, RANDOM_ORIGIN_EXTERNAL);
unlock_pool ();
bufptr += nbytes;
buflen -= nbytes;
}
return 0;
}
/* Public function to fill the buffer with LENGTH bytes of
cryptographically strong random bytes. Level GCRY_WEAK_RANDOM is
not very strong, GCRY_STRONG_RANDOM is strong enough for most
usage, GCRY_VERY_STRONG_RANDOM is good for key generation stuff but
may be very slow. */
void
_gcry_rngcsprng_randomize (void *buffer, size_t length,
enum gcry_random_level level)
{
unsigned char *p;
/* Make sure we are initialized. */
initialize ();
/* Handle our hack used for regression tests of Libgcrypt. */
if ( quick_test && level > GCRY_STRONG_RANDOM )
level = GCRY_STRONG_RANDOM;
/* Make sure the level is okay. */
level &= 3;
#ifdef USE_RANDOM_DAEMON
if (allow_daemon
&& !_gcry_daemon_randomize (daemon_socket_name, buffer, length, level))
return; /* The daemon succeeded. */
allow_daemon = 0; /* Daemon failed - switch off. */
#endif /*USE_RANDOM_DAEMON*/
/* Acquire the pool lock. */
lock_pool ();
/* Update the statistics. */
if (level >= GCRY_VERY_STRONG_RANDOM)
{
rndstats.getbytes2 += length;
rndstats.ngetbytes2++;
}
else
{
rndstats.getbytes1 += length;
rndstats.ngetbytes1++;
}
/* Read the random into the provided buffer. */
for (p = buffer; length > 0;)
{
size_t n;
n = length > POOLSIZE? POOLSIZE : length;
read_pool (p, n, level);
length -= n;
p += n;
}
/* Release the pool lock. */
unlock_pool ();
}
/*
Mix the pool:
|........blocks*20byte........|20byte|..44byte..|
<..44byte..> <20byte>
| |
| +------+
+---------------------------|----------+
v v
|........blocks*20byte........|20byte|..44byte..|
<.....64bytes.....>
|
+----------------------------------+
Hash
v
|.............................|20byte|..44byte..|
<20byte><20byte><..44byte..>
| |
| +---------------------+
+-----------------------------+ |
v v
|.............................|20byte|..44byte..|
<.....64byte......>
|
+-------------------------+
Hash
v
|.............................|20byte|..44byte..|
<20byte><20byte><..44byte..>
and so on until we did this for all blocks.
To better protect against implementation errors in this code, we
xor a digest of the entire pool into the pool before mixing.
Note: this function must only be called with a locked pool.
*/
static void
mix_pool(unsigned char *pool)
{
static unsigned char failsafe_digest[DIGESTLEN];
static int failsafe_digest_valid;
unsigned char *hashbuf = pool + POOLSIZE;
unsigned char *p, *pend;
int i, n;
RMD160_CONTEXT md;
#if DIGESTLEN != 20
#error must have a digest length of 20 for ripe-md-160
#endif
gcry_assert (pool_is_locked);
_gcry_rmd160_init( &md );
/* Loop over the pool. */
pend = pool + POOLSIZE;
memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN );
memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
_gcry_rmd160_mixblock( &md, hashbuf);
memcpy(pool, hashbuf, 20 );
if (failsafe_digest_valid && pool == rndpool)
{
for (i=0; i < 20; i++)
pool[i] ^= failsafe_digest[i];
}
p = pool;
for (n=1; n < POOLBLOCKS; n++)
{
memcpy (hashbuf, p, DIGESTLEN);
p += DIGESTLEN;
if (p+DIGESTLEN+BLOCKLEN < pend)
memcpy (hashbuf+DIGESTLEN, p+DIGESTLEN, BLOCKLEN-DIGESTLEN);
else
{
unsigned char *pp = p + DIGESTLEN;
for (i=DIGESTLEN; i < BLOCKLEN; i++ )
{
if ( pp >= pend )
pp = pool;
hashbuf[i] = *pp++;
}
}
_gcry_rmd160_mixblock ( &md, hashbuf);
memcpy(p, hashbuf, 20 );
}
/* Our hash implementation does only leave small parts (64 bytes)
of the pool on the stack, so it is okay not to require secure
memory here. Before we use this pool, it will be copied to the
help buffer anyway. */
if ( pool == rndpool)
{
_gcry_rmd160_hash_buffer (failsafe_digest, pool, POOLSIZE);
failsafe_digest_valid = 1;
}
_gcry_burn_stack (384); /* for the rmd160_mixblock(), rmd160_hash_buffer */
}
void
_gcry_rngcsprng_set_seed_file (const char *name)
{
if (seed_file_name)
BUG ();
seed_file_name = gcry_xstrdup (name);
}
/* Lock an open file identified by file descriptor FD and wait a
reasonable time to succeed. With FOR_WRITE set to true a write
lock will be taken. FNAME is used only for diagnostics. Returns 0
on success or -1 on error. */
static int
lock_seed_file (int fd, const char *fname, int for_write)
{
#if LOCK_SEED_FILE
struct flock lck;
struct timeval tv;
int backoff=0;
/* We take a lock on the entire file. */
memset (&lck, 0, sizeof lck);
lck.l_type = for_write? F_WRLCK : F_RDLCK;
lck.l_whence = SEEK_SET;
while (fcntl (fd, F_SETLK, &lck) == -1)
{
if (errno != EAGAIN && errno != EACCES)
{
log_info (_("can't lock `%s': %s\n"), fname, strerror (errno));
return -1;
}
if (backoff > 2) /* Show the first message after ~2.25 seconds. */
log_info( _("waiting for lock on `%s'...\n"), fname);
tv.tv_sec = backoff;
tv.tv_usec = 250000;
select (0, NULL, NULL, NULL, &tv);
if (backoff < 10)
backoff++ ;
}
#endif /*LOCK_SEED_FILE*/
return 0;
}
/* Read in a seed from the random_seed file and return true if this
was successful.
Note: Multiple instances of applications sharing the same random
seed file can be started in parallel, in which case they will read
out the same pool and then race for updating it (the last update
overwrites earlier updates). They will differentiate only by the
weak entropy that is added in read_seed_file based on the PID and
clock, and up to 16 bytes of weak random non-blockingly. The
consequence is that the output of these different instances is
correlated to some extent. In the perfect scenario, the attacker
can control (or at least guess) the PID and clock of the
application, and drain the system's entropy pool to reduce the "up
to 16 bytes" above to 0. Then the dependencies of the inital
states of the pools are completely known. */
static int
read_seed_file (void)
{
int fd;
struct stat sb;
unsigned char buffer[POOLSIZE];
int n;
gcry_assert (pool_is_locked);
if (!seed_file_name)
return 0;
#ifdef HAVE_DOSISH_SYSTEM
fd = open( seed_file_name, O_RDONLY | O_BINARY );
#else
fd = open( seed_file_name, O_RDONLY );
#endif
if( fd == -1 && errno == ENOENT)
{
allow_seed_file_update = 1;
return 0;
}
if (fd == -1 )
{
log_info(_("can't open `%s': %s\n"), seed_file_name, strerror(errno) );
return 0;
}
if (lock_seed_file (fd, seed_file_name, 0))
{
close (fd);
return 0;
}
if (fstat( fd, &sb ) )
{
log_info(_("can't stat `%s': %s\n"), seed_file_name, strerror(errno) );
close(fd);
return 0;
}
if (!S_ISREG(sb.st_mode) )
{
log_info(_("`%s' is not a regular file - ignored\n"), seed_file_name );
close(fd);
return 0;
}
if (!sb.st_size )
{
log_info(_("note: random_seed file is empty\n") );
close(fd);
allow_seed_file_update = 1;
return 0;
}
if (sb.st_size != POOLSIZE )
{
log_info(_("warning: invalid size of random_seed file - not used\n") );
close(fd);
return 0;
}
do
{
n = read( fd, buffer, POOLSIZE );
}
while (n == -1 && errno == EINTR );
if (n != POOLSIZE)
{
log_fatal(_("can't read `%s': %s\n"), seed_file_name,strerror(errno) );
close(fd);/*NOTREACHED*/
return 0;
}
close(fd);
add_randomness( buffer, POOLSIZE, RANDOM_ORIGIN_INIT );
/* add some minor entropy to the pool now (this will also force a mixing) */
{
pid_t x = getpid();
add_randomness( &x, sizeof(x), RANDOM_ORIGIN_INIT );
}
{
time_t x = time(NULL);
add_randomness( &x, sizeof(x), RANDOM_ORIGIN_INIT );
}
{
clock_t x = clock();
add_randomness( &x, sizeof(x), RANDOM_ORIGIN_INIT );
}
/* And read a few bytes from our entropy source. By using a level
* of 0 this will not block and might not return anything with some
* entropy drivers, however the rndlinux driver will use
* /dev/urandom and return some stuff - Do not read too much as we
* want to be friendly to the scare system entropy resource. */
read_random_source ( RANDOM_ORIGIN_INIT, 16, GCRY_WEAK_RANDOM );
allow_seed_file_update = 1;
return 1;
}
void
_gcry_rngcsprng_update_seed_file (void)
{
unsigned long *sp, *dp;
int fd, i;
/* We do only a basic initialization so that we can lock the pool.
This is required to cope with the case that this function is
called by some cleanup code at a point where the RNG has never
been initialized. */
initialize_basics ();
lock_pool ();
if ( !seed_file_name || !rndpool || !pool_filled )
{
unlock_pool ();
return;
}
if ( !allow_seed_file_update )
{
unlock_pool ();
log_info(_("note: random_seed file not updated\n"));
return;
}
/* At this point we know that there is something in the pool and
thus we can conclude that the pool has been fully initialized. */
/* Copy the entropy pool to a scratch pool and mix both of them. */
for (i=0,dp=(unsigned long*)keypool, sp=(unsigned long*)rndpool;
i < POOLWORDS; i++, dp++, sp++ )
{
*dp = *sp + ADD_VALUE;
}
mix_pool(rndpool); rndstats.mixrnd++;
mix_pool(keypool); rndstats.mixkey++;
#if defined(HAVE_DOSISH_SYSTEM) || defined(__CYGWIN__)
fd = open (seed_file_name, O_WRONLY|O_CREAT|O_TRUNC|O_BINARY,
S_IRUSR|S_IWUSR );
#else
# if LOCK_SEED_FILE
fd = open (seed_file_name, O_WRONLY|O_CREAT, S_IRUSR|S_IWUSR );
# else
fd = open (seed_file_name, O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR );
# endif
#endif
if (fd == -1 )
log_info (_("can't create `%s': %s\n"), seed_file_name, strerror(errno) );
else if (lock_seed_file (fd, seed_file_name, 1))
{
close (fd);
}
#if LOCK_SEED_FILE
else if (ftruncate (fd, 0))
{
log_info(_("can't write `%s': %s\n"), seed_file_name, strerror(errno));
close (fd);
}
#endif /*LOCK_SEED_FILE*/
else
{
do
{
i = write (fd, keypool, POOLSIZE );
}
while (i == -1 && errno == EINTR);
if (i != POOLSIZE)
log_info (_("can't write `%s': %s\n"),seed_file_name, strerror(errno));
if (close(fd))
log_info (_("can't close `%s': %s\n"),seed_file_name, strerror(errno));
}
unlock_pool ();
}
/* Read random out of the pool. This function is the core of the
public random functions. Note that Level GCRY_WEAK_RANDOM is not
anymore handled special and in fact is an alias in the API for
level GCRY_STRONG_RANDOM. Must be called with the pool already
locked. */
static void
read_pool (byte *buffer, size_t length, int level)
{
int i;
unsigned long *sp, *dp;
/* The volatile is there to make sure the compiler does not optimize
the code away in case the getpid function is badly attributed.
Note that we keep a pid in a static variable as well as in a
stack based one; the latter is to detect ill behaving thread
libraries, ignoring the pool mutexes. */
static volatile pid_t my_pid = (pid_t)(-1);
volatile pid_t my_pid2;
gcry_assert (pool_is_locked);
retry:
/* Get our own pid, so that we can detect a fork. */
my_pid2 = getpid ();
if (my_pid == (pid_t)(-1))
my_pid = my_pid2;
if ( my_pid != my_pid2 )
{
/* We detected a plain fork; i.e. we are now the child. Update
the static pid and add some randomness. */
pid_t x;
my_pid = my_pid2;
x = my_pid;
add_randomness (&x, sizeof(x), RANDOM_ORIGIN_INIT);
just_mixed = 0; /* Make sure it will get mixed. */
}
gcry_assert (pool_is_locked);
/* Our code does not allow to extract more than POOLSIZE. Better
check it here. */
if (length > POOLSIZE)
{
log_bug("too many random bits requested\n");
}
if (!pool_filled)
{
if (read_seed_file() )
pool_filled = 1;
}
/* For level 2 quality (key generation) we always make sure that the
pool has been seeded enough initially. */
if (level == GCRY_VERY_STRONG_RANDOM && !did_initial_extra_seeding)
{
size_t needed;
pool_balance = 0;
needed = length - pool_balance;
if (needed < POOLSIZE/2)
needed = POOLSIZE/2;
else if( needed > POOLSIZE )
BUG ();
read_random_source (RANDOM_ORIGIN_EXTRAPOLL, needed,
GCRY_VERY_STRONG_RANDOM);
pool_balance += needed;
did_initial_extra_seeding = 1;
}
/* For level 2 make sure that there is enough random in the pool. */
if (level == GCRY_VERY_STRONG_RANDOM && pool_balance < length)
{
size_t needed;
if (pool_balance < 0)
pool_balance = 0;
needed = length - pool_balance;
if (needed > POOLSIZE)
BUG ();
read_random_source (RANDOM_ORIGIN_EXTRAPOLL, needed,
GCRY_VERY_STRONG_RANDOM);
pool_balance += needed;
}
/* Make sure the pool is filled. */
while (!pool_filled)
random_poll();
/* Always do a fast random poll (we have to use the unlocked version). */
do_fast_random_poll();
/* Mix the pid in so that we for sure won't deliver the same random
after a fork. */
{
pid_t apid = my_pid;
add_randomness (&apid, sizeof (apid), RANDOM_ORIGIN_INIT);
}
/* Mix the pool (if add_randomness() didn't it). */
if (!just_mixed)
{
mix_pool(rndpool);
rndstats.mixrnd++;
}
/* Create a new pool. */
for(i=0,dp=(unsigned long*)keypool, sp=(unsigned long*)rndpool;
i < POOLWORDS; i++, dp++, sp++ )
*dp = *sp + ADD_VALUE;
/* Mix both pools. */
mix_pool(rndpool); rndstats.mixrnd++;
mix_pool(keypool); rndstats.mixkey++;
/* Read the requested data. We use a read pointer to read from a
different position each time. */
while (length--)
{
*buffer++ = keypool[pool_readpos++];
if (pool_readpos >= POOLSIZE)
pool_readpos = 0;
pool_balance--;
}
if (pool_balance < 0)
pool_balance = 0;
/* Clear the keypool. */
memset (keypool, 0, POOLSIZE);
/* We need to detect whether a fork has happened. A fork might have
an identical pool and thus the child and the parent could emit
the very same random number. This test here is to detect forks
in a multi-threaded process. It does not work with all thread
implementations in particular not with pthreads. However it is
good enough for GNU Pth. */
if ( getpid () != my_pid2 )
{
pid_t x = getpid();
add_randomness (&x, sizeof(x), RANDOM_ORIGIN_INIT);
just_mixed = 0; /* Make sure it will get mixed. */
my_pid = x; /* Also update the static pid. */
goto retry;
}
}
/* Add LENGTH bytes of randomness from buffer to the pool. ORIGIN is
used to specify the randomness origin. This is one of the
RANDOM_ORIGIN_* values. */
static void
add_randomness (const void *buffer, size_t length, enum random_origins origin)
{
const unsigned char *p = buffer;
size_t count = 0;
gcry_assert (pool_is_locked);
rndstats.addbytes += length;
rndstats.naddbytes++;
while (length-- )
{
rndpool[pool_writepos++] ^= *p++;
count++;
if (pool_writepos >= POOLSIZE )
{
/* It is possible that we are invoked before the pool is
filled using an unreliable origin of entropy, for example
the fast random poll. To avoid flagging the pool as
filled in this case, we track the initial filling state
separately. See also the remarks about the seed file. */
if (origin >= RANDOM_ORIGIN_SLOWPOLL && !pool_filled)
{
pool_filled_counter += count;
count = 0;
if (pool_filled_counter >= POOLSIZE)
pool_filled = 1;
}
pool_writepos = 0;
mix_pool(rndpool); rndstats.mixrnd++;
just_mixed = !length;
}
}
}
static void
random_poll()
{
rndstats.slowpolls++;
read_random_source (RANDOM_ORIGIN_SLOWPOLL, POOLSIZE/5, GCRY_STRONG_RANDOM);
}
/* Runtime determination of the slow entropy gathering module. */
static int (*
getfnc_gather_random (void))(void (*)(const void*, size_t,
enum random_origins),
enum random_origins, size_t, int)
{
int (*fnc)(void (*)(const void*, size_t, enum random_origins),
enum random_origins, size_t, int);
#if USE_RNDLINUX
if ( !access (NAME_OF_DEV_RANDOM, R_OK)
&& !access (NAME_OF_DEV_URANDOM, R_OK))
{
fnc = _gcry_rndlinux_gather_random;
return fnc;
}
#endif
#if USE_RNDEGD
if ( _gcry_rndegd_connect_socket (1) != -1 )
{
fnc = _gcry_rndegd_gather_random;
return fnc;
}
#endif
#if USE_RNDUNIX
fnc = _gcry_rndunix_gather_random;
return fnc;
#endif
#if USE_RNDW32
fnc = _gcry_rndw32_gather_random;
return fnc;
#endif
log_fatal (_("no entropy gathering module detected\n"));
return NULL; /*NOTREACHED*/
}
/* Runtime determination of the fast entropy gathering function.
(Currently a compile time method is used.) */
static void (*
getfnc_fast_random_poll (void))( void (*)(const void*, size_t,
enum random_origins),
enum random_origins)
{
#if USE_RNDW32
return _gcry_rndw32_gather_random_fast;
#endif
return NULL;
}
static void
do_fast_random_poll (void)
{
gcry_assert (pool_is_locked);
rndstats.fastpolls++;
if (fast_gather_fnc)
fast_gather_fnc (add_randomness, RANDOM_ORIGIN_FASTPOLL);
/* Continue with the generic functions. */
#if HAVE_GETHRTIME
{
hrtime_t tv;
tv = gethrtime();
add_randomness( &tv, sizeof(tv), RANDOM_ORIGIN_FASTPOLL );
}
#elif HAVE_GETTIMEOFDAY
{
struct timeval tv;
if( gettimeofday( &tv, NULL ) )
BUG();
add_randomness( &tv.tv_sec, sizeof(tv.tv_sec), RANDOM_ORIGIN_FASTPOLL );
add_randomness( &tv.tv_usec, sizeof(tv.tv_usec), RANDOM_ORIGIN_FASTPOLL );
}
#elif HAVE_CLOCK_GETTIME
{ struct timespec tv;
if( clock_gettime( CLOCK_REALTIME, &tv ) == -1 )
BUG();
add_randomness( &tv.tv_sec, sizeof(tv.tv_sec), RANDOM_ORIGIN_FASTPOLL );
add_randomness( &tv.tv_nsec, sizeof(tv.tv_nsec), RANDOM_ORIGIN_FASTPOLL );
}
#else /* use times */
# ifndef HAVE_DOSISH_SYSTEM
{ struct tms buf;
times( &buf );
add_randomness( &buf, sizeof buf, RANDOM_ORIGIN_FASTPOLL );
}
# endif
#endif
#ifdef HAVE_GETRUSAGE
# ifdef RUSAGE_SELF
{
struct rusage buf;
/* QNX/Neutrino does return ENOSYS - so we just ignore it and add
whatever is in buf. In a chroot environment it might not work
at all (i.e. because /proc/ is not accessible), so we better
ignore all error codes and hope for the best. */
getrusage (RUSAGE_SELF, &buf );
add_randomness( &buf, sizeof buf, RANDOM_ORIGIN_FASTPOLL );
memset( &buf, 0, sizeof buf );
}
# else /*!RUSAGE_SELF*/
# ifdef __GCC__
# warning There is no RUSAGE_SELF on this system
# endif
# endif /*!RUSAGE_SELF*/
#endif /*HAVE_GETRUSAGE*/
/* Time and clock are availabe on all systems - so we better do it
just in case one of the above functions didn't work. */
{
time_t x = time(NULL);
add_randomness( &x, sizeof(x), RANDOM_ORIGIN_FASTPOLL );
}
{
clock_t x = clock();
add_randomness( &x, sizeof(x), RANDOM_ORIGIN_FASTPOLL );
}
/* If the system features a fast hardware RNG, read some bytes from
there. */
_gcry_rndhw_poll_fast (add_randomness, RANDOM_ORIGIN_FASTPOLL);
}
/* The fast random pool function as called at some places in
libgcrypt. This is merely a wrapper to make sure that this module
is initalized and to look the pool. Note, that this function is a
NOP unless a random function has been used or _gcry_initialize (1)
has been used. We use this hack so that the internal use of this
function in cipher_open and md_open won't start filling up the
random pool, even if no random will be required by the process. */
void
_gcry_rngcsprng_fast_poll (void)
{
initialize_basics ();
lock_pool ();
if (rndpool)
{
/* Yes, we are fully initialized. */
do_fast_random_poll ();
}
unlock_pool ();
}
static void
read_random_source (enum random_origins orgin, size_t length, int level )
{
if ( !slow_gather_fnc )
log_fatal ("Slow entropy gathering module not yet initialized\n");
if ( slow_gather_fnc (add_randomness, orgin, length, level) < 0)
log_fatal ("No way to gather entropy for the RNG\n");
}
static int
gather_faked (void (*add)(const void*, size_t, enum random_origins),
enum random_origins origin, size_t length, int level )
{
static int initialized=0;
size_t n;
char *buffer, *p;
(void)add;
(void)level;
if ( !initialized )
{
log_info(_("WARNING: using insecure random number generator!!\n"));
initialized=1;
#ifdef HAVE_RAND
srand( time(NULL)*getpid());
#else
srandom( time(NULL)*getpid());
#endif
}
p = buffer = gcry_xmalloc( length );
n = length;
#ifdef HAVE_RAND
while ( n-- )
*p++ = ((unsigned)(1 + (int) (256.0*rand()/(RAND_MAX+1.0)))-1);
#else
while ( n-- )
*p++ = ((unsigned)(1 + (int) (256.0*random()/(RAND_MAX+1.0)))-1);
#endif
add_randomness ( buffer, length, origin );
gcry_free (buffer);
return 0; /* okay */
}
/* Create an unpredicable nonce of LENGTH bytes in BUFFER. */
void
_gcry_rngcsprng_create_nonce (void *buffer, size_t length)
{
static unsigned char nonce_buffer[20+8];
static int nonce_buffer_initialized = 0;
static volatile pid_t my_pid; /* The volatile is there to make sure the
compiler does not optimize the code away
in case the getpid function is badly
attributed. */
volatile pid_t apid;
unsigned char *p;
size_t n;
int err;
/* Make sure we are initialized. */
initialize ();
#ifdef USE_RANDOM_DAEMON
if (allow_daemon
&& !_gcry_daemon_create_nonce (daemon_socket_name, buffer, length))
return; /* The daemon succeeded. */
allow_daemon = 0; /* Daemon failed - switch off. */
#endif /*USE_RANDOM_DAEMON*/
/* Acquire the nonce buffer lock. */
err = ath_mutex_lock (&nonce_buffer_lock);
if (err)
log_fatal ("failed to acquire the nonce buffer lock: %s\n",
strerror (err));
apid = getpid ();
/* The first time intialize our buffer. */
if (!nonce_buffer_initialized)
{
time_t atime = time (NULL);
pid_t xpid = apid;
my_pid = apid;
if ((sizeof apid + sizeof atime) > sizeof nonce_buffer)
BUG ();
/* Initialize the first 20 bytes with a reasonable value so that
a failure of gcry_randomize won't affect us too much. Don't
care about the uninitialized remaining bytes. */
p = nonce_buffer;
memcpy (p, &xpid, sizeof xpid);
p += sizeof xpid;
memcpy (p, &atime, sizeof atime);
/* Initialize the never changing private part of 64 bits. */
gcry_randomize (nonce_buffer+20, 8, GCRY_WEAK_RANDOM);
nonce_buffer_initialized = 1;
}
else if ( my_pid != apid )
{
/* We forked. Need to reseed the buffer - doing this for the
private part should be sufficient. */
gcry_randomize (nonce_buffer+20, 8, GCRY_WEAK_RANDOM);
/* Update the pid so that we won't run into here again and
again. */
my_pid = apid;
}
/* Create the nonce by hashing the entire buffer, returning the hash
and updating the first 20 bytes of the buffer with this hash. */
for (p = buffer; length > 0; length -= n, p += n)
{
_gcry_sha1_hash_buffer (nonce_buffer,
nonce_buffer, sizeof nonce_buffer);
n = length > 20? 20 : length;
memcpy (p, nonce_buffer, n);
}
/* Release the nonce buffer lock. */
err = ath_mutex_unlock (&nonce_buffer_lock);
if (err)
log_fatal ("failed to release the nonce buffer lock: %s\n",
strerror (err));
}