1 /* 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #ifndef _GNU_SOURCE 11 # define _GNU_SOURCE 12 #endif 13 #include "../e_os.h" 14 #include <stdio.h> 15 #include "internal/cryptlib.h" 16 #include <openssl/rand.h> 17 #include <openssl/crypto.h> 18 #include "crypto/rand_pool.h" 19 #include "crypto/rand.h" 20 #include <stdio.h> 21 #include "internal/dso.h" 22 #include "prov/seeding.h" 23 24 #ifdef __linux 25 # include <sys/syscall.h> 26 # ifdef DEVRANDOM_WAIT 27 # include <sys/shm.h> 28 # include <sys/utsname.h> 29 # endif 30 #endif 31 #if defined(__NetBSD__) 32 # include <sys/types.h> 33 # include <sys/sysctl.h> 34 # include <sys/param.h> 35 #endif 36 #if defined(__OpenBSD__) 37 # include <sys/param.h> 38 #endif 39 #if (defined(__DragonFly__) || defined(__FreeBSD__)) \ 40 && !defined(OPENSSL_SYS_UEFI) 41 # include <sys/param.h> 42 # include <sys/random.h> 43 #endif 44 45 #if (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) \ 46 || defined(__DJGPP__) 47 # include <sys/types.h> 48 # include <sys/stat.h> 49 # include <fcntl.h> 50 # include <unistd.h> 51 # include <sys/time.h> 52 53 static uint64_t get_time_stamp(void); 54 static uint64_t get_timer_bits(void); 55 56 /* Macro to convert two thirty two bit values into a sixty four bit one */ 57 # define TWO32TO64(a, b) ((((uint64_t)(a)) << 32) + (b)) 58 59 /* 60 * Check for the existence and support of POSIX timers. The standard 61 * says that the _POSIX_TIMERS macro will have a positive value if they 62 * are available. 63 * 64 * However, we want an additional constraint: that the timer support does 65 * not require an extra library dependency. Early versions of glibc 66 * require -lrt to be specified on the link line to access the timers, 67 * so this needs to be checked for. 68 * 69 * It is worse because some libraries define __GLIBC__ but don't 70 * support the version testing macro (e.g. uClibc). This means 71 * an extra check is needed. 72 * 73 * The final condition is: 74 * "have posix timers and either not glibc or glibc without -lrt" 75 * 76 * The nested #if sequences are required to avoid using a parameterised 77 * macro that might be undefined. 78 */ 79 # undef OSSL_POSIX_TIMER_OKAY 80 /* On some systems, _POSIX_TIMERS is defined but empty. 81 * Subtracting by 0 when comparing avoids an error in this case. */ 82 # if defined(_POSIX_TIMERS) && _POSIX_TIMERS -0 > 0 83 # if defined(__GLIBC__) 84 # if defined(__GLIBC_PREREQ) 85 # if __GLIBC_PREREQ(2, 17) 86 # define OSSL_POSIX_TIMER_OKAY 87 # endif 88 # endif 89 # else 90 # define OSSL_POSIX_TIMER_OKAY 91 # endif 92 # endif 93 #endif /* (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) 94 || defined(__DJGPP__) */ 95 96 #if defined(OPENSSL_RAND_SEED_NONE) 97 /* none means none. this simplifies the following logic */ 98 # undef OPENSSL_RAND_SEED_OS 99 # undef OPENSSL_RAND_SEED_GETRANDOM 100 # undef OPENSSL_RAND_SEED_LIBRANDOM 101 # undef OPENSSL_RAND_SEED_DEVRANDOM 102 # undef OPENSSL_RAND_SEED_RDTSC 103 # undef OPENSSL_RAND_SEED_RDCPU 104 # undef OPENSSL_RAND_SEED_EGD 105 #endif 106 107 #if defined(OPENSSL_SYS_UEFI) && !defined(OPENSSL_RAND_SEED_NONE) 108 # error "UEFI only supports seeding NONE" 109 #endif 110 111 #if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) \ 112 || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) \ 113 || defined(OPENSSL_SYS_UEFI)) 114 115 # if defined(OPENSSL_SYS_VOS) 116 117 # ifndef OPENSSL_RAND_SEED_OS 118 # error "Unsupported seeding method configured; must be os" 119 # endif 120 121 # if defined(OPENSSL_SYS_VOS_HPPA) && defined(OPENSSL_SYS_VOS_IA32) 122 # error "Unsupported HP-PA and IA32 at the same time." 123 # endif 124 # if !defined(OPENSSL_SYS_VOS_HPPA) && !defined(OPENSSL_SYS_VOS_IA32) 125 # error "Must have one of HP-PA or IA32" 126 # endif 127 128 /* 129 * The following algorithm repeatedly samples the real-time clock (RTC) to 130 * generate a sequence of unpredictable data. The algorithm relies upon the 131 * uneven execution speed of the code (due to factors such as cache misses, 132 * interrupts, bus activity, and scheduling) and upon the rather large 133 * relative difference between the speed of the clock and the rate at which 134 * it can be read. If it is ported to an environment where execution speed 135 * is more constant or where the RTC ticks at a much slower rate, or the 136 * clock can be read with fewer instructions, it is likely that the results 137 * would be far more predictable. This should only be used for legacy 138 * platforms. 139 * 140 * As a precaution, we assume only 2 bits of entropy per byte. 141 */ 142 size_t ossl_pool_acquire_entropy(RAND_POOL *pool) 143 { 144 short int code; 145 int i, k; 146 size_t bytes_needed; 147 struct timespec ts; 148 unsigned char v; 149 # ifdef OPENSSL_SYS_VOS_HPPA 150 long duration; 151 extern void s$sleep(long *_duration, short int *_code); 152 # else 153 long long duration; 154 extern void s$sleep2(long long *_duration, short int *_code); 155 # endif 156 157 bytes_needed = ossl_rand_pool_bytes_needed(pool, 4 /*entropy_factor*/); 158 159 for (i = 0; i < bytes_needed; i++) { 160 /* 161 * burn some cpu; hope for interrupts, cache collisions, bus 162 * interference, etc. 163 */ 164 for (k = 0; k < 99; k++) 165 ts.tv_nsec = random(); 166 167 # ifdef OPENSSL_SYS_VOS_HPPA 168 /* sleep for 1/1024 of a second (976 us). */ 169 duration = 1; 170 s$sleep(&duration, &code); 171 # else 172 /* sleep for 1/65536 of a second (15 us). */ 173 duration = 1; 174 s$sleep2(&duration, &code); 175 # endif 176 177 /* Get wall clock time, take 8 bits. */ 178 clock_gettime(CLOCK_REALTIME, &ts); 179 v = (unsigned char)(ts.tv_nsec & 0xFF); 180 ossl_rand_pool_add(pool, arg, &v, sizeof(v) , 2); 181 } 182 return ossl_rand_pool_entropy_available(pool); 183 } 184 185 void ossl_rand_pool_cleanup(void) 186 { 187 } 188 189 void ossl_rand_pool_keep_random_devices_open(int keep) 190 { 191 } 192 193 # else 194 195 # if defined(OPENSSL_RAND_SEED_EGD) && \ 196 (defined(OPENSSL_NO_EGD) || !defined(DEVRANDOM_EGD)) 197 # error "Seeding uses EGD but EGD is turned off or no device given" 198 # endif 199 200 # if defined(OPENSSL_RAND_SEED_DEVRANDOM) && !defined(DEVRANDOM) 201 # error "Seeding uses urandom but DEVRANDOM is not configured" 202 # endif 203 204 # if defined(OPENSSL_RAND_SEED_OS) 205 # if !defined(DEVRANDOM) 206 # error "OS seeding requires DEVRANDOM to be configured" 207 # endif 208 # define OPENSSL_RAND_SEED_GETRANDOM 209 # define OPENSSL_RAND_SEED_DEVRANDOM 210 # endif 211 212 # if defined(OPENSSL_RAND_SEED_LIBRANDOM) 213 # error "librandom not (yet) supported" 214 # endif 215 216 # if defined(__NetBSD__) && defined(KERN_ARND) 217 /* 218 * sysctl_random(): Use sysctl() to read a random number from the kernel 219 * Returns the number of bytes returned in buf on success, -1 on failure. 220 */ 221 static ssize_t sysctl_random(char *buf, size_t buflen) 222 { 223 int mib[2]; 224 size_t done = 0; 225 size_t len; 226 227 /* 228 * Note: sign conversion between size_t and ssize_t is safe even 229 * without a range check, see comment in syscall_random() 230 */ 231 232 /* 233 * On FreeBSD old implementations returned longs, newer versions support 234 * variable sizes up to 256 byte. The code below would not work properly 235 * when the sysctl returns long and we want to request something not a 236 * multiple of longs, which should never be the case. 237 */ 238 #if defined(__FreeBSD__) 239 if (!ossl_assert(buflen % sizeof(long) == 0)) { 240 errno = EINVAL; 241 return -1; 242 } 243 #endif 244 245 /* 246 * On NetBSD before 4.0 KERN_ARND was an alias for KERN_URND, and only 247 * filled in an int, leaving the rest uninitialized. Since NetBSD 4.0 248 * it returns a variable number of bytes with the current version supporting 249 * up to 256 bytes. 250 * Just return an error on older NetBSD versions. 251 */ 252 #if defined(__NetBSD__) && __NetBSD_Version__ < 400000000 253 errno = ENOSYS; 254 return -1; 255 #endif 256 257 mib[0] = CTL_KERN; 258 mib[1] = KERN_ARND; 259 260 do { 261 len = buflen > 256 ? 256 : buflen; 262 if (sysctl(mib, 2, buf, &len, NULL, 0) == -1) 263 return done > 0 ? done : -1; 264 done += len; 265 buf += len; 266 buflen -= len; 267 } while (buflen > 0); 268 269 return done; 270 } 271 # endif 272 273 # if defined(OPENSSL_RAND_SEED_GETRANDOM) 274 275 # if defined(__linux) && !defined(__NR_getrandom) 276 # if defined(__arm__) 277 # define __NR_getrandom (__NR_SYSCALL_BASE+384) 278 # elif defined(__i386__) 279 # define __NR_getrandom 355 280 # elif defined(__x86_64__) 281 # if defined(__ILP32__) 282 # define __NR_getrandom (__X32_SYSCALL_BIT + 318) 283 # else 284 # define __NR_getrandom 318 285 # endif 286 # elif defined(__xtensa__) 287 # define __NR_getrandom 338 288 # elif defined(__s390__) || defined(__s390x__) 289 # define __NR_getrandom 349 290 # elif defined(__bfin__) 291 # define __NR_getrandom 389 292 # elif defined(__powerpc__) 293 # define __NR_getrandom 359 294 # elif defined(__mips__) || defined(__mips64) 295 # if _MIPS_SIM == _MIPS_SIM_ABI32 296 # define __NR_getrandom (__NR_Linux + 353) 297 # elif _MIPS_SIM == _MIPS_SIM_ABI64 298 # define __NR_getrandom (__NR_Linux + 313) 299 # elif _MIPS_SIM == _MIPS_SIM_NABI32 300 # define __NR_getrandom (__NR_Linux + 317) 301 # endif 302 # elif defined(__hppa__) 303 # define __NR_getrandom (__NR_Linux + 339) 304 # elif defined(__sparc__) 305 # define __NR_getrandom 347 306 # elif defined(__ia64__) 307 # define __NR_getrandom 1339 308 # elif defined(__alpha__) 309 # define __NR_getrandom 511 310 # elif defined(__sh__) 311 # if defined(__SH5__) 312 # define __NR_getrandom 373 313 # else 314 # define __NR_getrandom 384 315 # endif 316 # elif defined(__avr32__) 317 # define __NR_getrandom 317 318 # elif defined(__microblaze__) 319 # define __NR_getrandom 385 320 # elif defined(__m68k__) 321 # define __NR_getrandom 352 322 # elif defined(__cris__) 323 # define __NR_getrandom 356 324 # elif defined(__aarch64__) 325 # define __NR_getrandom 278 326 # else /* generic */ 327 # define __NR_getrandom 278 328 # endif 329 # endif 330 331 /* 332 * syscall_random(): Try to get random data using a system call 333 * returns the number of bytes returned in buf, or < 0 on error. 334 */ 335 static ssize_t syscall_random(void *buf, size_t buflen) 336 { 337 /* 338 * Note: 'buflen' equals the size of the buffer which is used by the 339 * get_entropy() callback of the RAND_DRBG. It is roughly bounded by 340 * 341 * 2 * RAND_POOL_FACTOR * (RAND_DRBG_STRENGTH / 8) = 2^14 342 * 343 * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion 344 * between size_t and ssize_t is safe even without a range check. 345 */ 346 347 /* 348 * Do runtime detection to find getentropy(). 349 * 350 * Known OSs that should support this: 351 * - Darwin since 16 (OSX 10.12, IOS 10.0). 352 * - Solaris since 11.3 353 * - OpenBSD since 5.6 354 * - Linux since 3.17 with glibc 2.25 355 * - FreeBSD since 12.0 (1200061) 356 * 357 * Note: Sometimes getentropy() can be provided but not implemented 358 * internally. So we need to check errno for ENOSYS 359 */ 360 # if !defined(__DragonFly__) && !defined(__NetBSD__) && !defined(__FreeBSD__) 361 # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) 362 extern int getentropy(void *buffer, size_t length) __attribute__((weak)); 363 364 if (getentropy != NULL) { 365 if (getentropy(buf, buflen) == 0) 366 return (ssize_t)buflen; 367 if (errno != ENOSYS) 368 return -1; 369 } 370 # elif defined(OPENSSL_APPLE_CRYPTO_RANDOM) 371 372 if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess) 373 return (ssize_t)buflen; 374 375 return -1; 376 # else 377 union { 378 void *p; 379 int (*f)(void *buffer, size_t length); 380 } p_getentropy; 381 382 /* 383 * We could cache the result of the lookup, but we normally don't 384 * call this function often. 385 */ 386 ERR_set_mark(); 387 p_getentropy.p = DSO_global_lookup("getentropy"); 388 ERR_pop_to_mark(); 389 if (p_getentropy.p != NULL) 390 return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; 391 # endif 392 # endif /* !__DragonFly__ */ 393 394 /* Linux supports this since version 3.17 */ 395 # if defined(__linux) && defined(__NR_getrandom) 396 return syscall(__NR_getrandom, buf, buflen, 0); 397 # elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \ 398 || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) \ 399 || defined(__FreeBSD__) 400 return getrandom(buf, buflen, 0); 401 # elif defined(__NetBSD__) && defined(KERN_ARND) 402 return sysctl_random(buf, buflen); 403 # else 404 errno = ENOSYS; 405 return -1; 406 # endif 407 } 408 # endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */ 409 410 # if defined(OPENSSL_RAND_SEED_DEVRANDOM) 411 static const char *random_device_paths[] = { DEVRANDOM }; 412 static struct random_device { 413 int fd; 414 dev_t dev; 415 ino_t ino; 416 mode_t mode; 417 dev_t rdev; 418 } random_devices[OSSL_NELEM(random_device_paths)]; 419 static int keep_random_devices_open = 1; 420 421 # if defined(__linux) && defined(DEVRANDOM_WAIT) \ 422 && defined(OPENSSL_RAND_SEED_GETRANDOM) 423 static void *shm_addr; 424 425 static void cleanup_shm(void) 426 { 427 shmdt(shm_addr); 428 } 429 430 /* 431 * Ensure that the system randomness source has been adequately seeded. 432 * This is done by having the first start of libcrypto, wait until the device 433 * /dev/random becomes able to supply a byte of entropy. Subsequent starts 434 * of the library and later reseedings do not need to do this. 435 */ 436 static int wait_random_seeded(void) 437 { 438 static int seeded = OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID < 0; 439 static const int kernel_version[] = { DEVRANDOM_SAFE_KERNEL }; 440 int kernel[2]; 441 int shm_id, fd, r; 442 char c, *p; 443 struct utsname un; 444 fd_set fds; 445 446 if (!seeded) { 447 /* See if anything has created the global seeded indication */ 448 if ((shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1, 0)) == -1) { 449 /* 450 * Check the kernel's version and fail if it is too recent. 451 * 452 * Linux kernels from 4.8 onwards do not guarantee that 453 * /dev/urandom is properly seeded when /dev/random becomes 454 * readable. However, such kernels support the getentropy(2) 455 * system call and this should always succeed which renders 456 * this alternative but essentially identical source moot. 457 */ 458 if (uname(&un) == 0) { 459 kernel[0] = atoi(un.release); 460 p = strchr(un.release, '.'); 461 kernel[1] = p == NULL ? 0 : atoi(p + 1); 462 if (kernel[0] > kernel_version[0] 463 || (kernel[0] == kernel_version[0] 464 && kernel[1] >= kernel_version[1])) { 465 return 0; 466 } 467 } 468 /* Open /dev/random and wait for it to be readable */ 469 if ((fd = open(DEVRANDOM_WAIT, O_RDONLY)) != -1) { 470 if (DEVRANDM_WAIT_USE_SELECT && fd < FD_SETSIZE) { 471 FD_ZERO(&fds); 472 FD_SET(fd, &fds); 473 while ((r = select(fd + 1, &fds, NULL, NULL, NULL)) < 0 474 && errno == EINTR); 475 } else { 476 while ((r = read(fd, &c, 1)) < 0 && errno == EINTR); 477 } 478 close(fd); 479 if (r == 1) { 480 seeded = 1; 481 /* Create the shared memory indicator */ 482 shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1, 483 IPC_CREAT | S_IRUSR | S_IRGRP | S_IROTH); 484 } 485 } 486 } 487 if (shm_id != -1) { 488 seeded = 1; 489 /* 490 * Map the shared memory to prevent its premature destruction. 491 * If this call fails, it isn't a big problem. 492 */ 493 shm_addr = shmat(shm_id, NULL, SHM_RDONLY); 494 if (shm_addr != (void *)-1) 495 OPENSSL_atexit(&cleanup_shm); 496 } 497 } 498 return seeded; 499 } 500 # else /* defined __linux && DEVRANDOM_WAIT && OPENSSL_RAND_SEED_GETRANDOM */ 501 static int wait_random_seeded(void) 502 { 503 return 1; 504 } 505 # endif 506 507 /* 508 * Verify that the file descriptor associated with the random source is 509 * still valid. The rationale for doing this is the fact that it is not 510 * uncommon for daemons to close all open file handles when daemonizing. 511 * So the handle might have been closed or even reused for opening 512 * another file. 513 */ 514 static int check_random_device(struct random_device * rd) 515 { 516 struct stat st; 517 518 return rd->fd != -1 519 && fstat(rd->fd, &st) != -1 520 && rd->dev == st.st_dev 521 && rd->ino == st.st_ino 522 && ((rd->mode ^ st.st_mode) & ~(S_IRWXU | S_IRWXG | S_IRWXO)) == 0 523 && rd->rdev == st.st_rdev; 524 } 525 526 /* 527 * Open a random device if required and return its file descriptor or -1 on error 528 */ 529 static int get_random_device(size_t n) 530 { 531 struct stat st; 532 struct random_device * rd = &random_devices[n]; 533 534 /* reuse existing file descriptor if it is (still) valid */ 535 if (check_random_device(rd)) 536 return rd->fd; 537 538 /* open the random device ... */ 539 if ((rd->fd = open(random_device_paths[n], O_RDONLY)) == -1) 540 return rd->fd; 541 542 /* ... and cache its relevant stat(2) data */ 543 if (fstat(rd->fd, &st) != -1) { 544 rd->dev = st.st_dev; 545 rd->ino = st.st_ino; 546 rd->mode = st.st_mode; 547 rd->rdev = st.st_rdev; 548 } else { 549 close(rd->fd); 550 rd->fd = -1; 551 } 552 553 return rd->fd; 554 } 555 556 /* 557 * Close a random device making sure it is a random device 558 */ 559 static void close_random_device(size_t n) 560 { 561 struct random_device * rd = &random_devices[n]; 562 563 if (check_random_device(rd)) 564 close(rd->fd); 565 rd->fd = -1; 566 } 567 568 int ossl_rand_pool_init(void) 569 { 570 size_t i; 571 572 for (i = 0; i < OSSL_NELEM(random_devices); i++) 573 random_devices[i].fd = -1; 574 575 return 1; 576 } 577 578 void ossl_rand_pool_cleanup(void) 579 { 580 size_t i; 581 582 for (i = 0; i < OSSL_NELEM(random_devices); i++) 583 close_random_device(i); 584 } 585 586 void ossl_rand_pool_keep_random_devices_open(int keep) 587 { 588 if (!keep) 589 ossl_rand_pool_cleanup(); 590 591 keep_random_devices_open = keep; 592 } 593 594 # else /* !defined(OPENSSL_RAND_SEED_DEVRANDOM) */ 595 596 int ossl_rand_pool_init(void) 597 { 598 return 1; 599 } 600 601 void ossl_rand_pool_cleanup(void) 602 { 603 } 604 605 void ossl_rand_pool_keep_random_devices_open(int keep) 606 { 607 } 608 609 # endif /* defined(OPENSSL_RAND_SEED_DEVRANDOM) */ 610 611 /* 612 * Try the various seeding methods in turn, exit when successful. 613 * 614 * If more than one entropy source is available, is it 615 * preferable to stop as soon as enough entropy has been collected 616 * (as favored by @rsalz) or should one rather be defensive and add 617 * more entropy than requested and/or from different sources? 618 * 619 * Currently, the user can select multiple entropy sources in the 620 * configure step, yet in practice only the first available source 621 * will be used. A more flexible solution has been requested, but 622 * currently it is not clear how this can be achieved without 623 * overengineering the problem. There are many parameters which 624 * could be taken into account when selecting the order and amount 625 * of input from the different entropy sources (trust, quality, 626 * possibility of blocking). 627 */ 628 size_t ossl_pool_acquire_entropy(RAND_POOL *pool) 629 { 630 # if defined(OPENSSL_RAND_SEED_NONE) 631 return ossl_rand_pool_entropy_available(pool); 632 # else 633 size_t entropy_available = 0; 634 635 (void)entropy_available; /* avoid compiler warning */ 636 637 # if defined(OPENSSL_RAND_SEED_GETRANDOM) 638 { 639 size_t bytes_needed; 640 unsigned char *buffer; 641 ssize_t bytes; 642 /* Maximum allowed number of consecutive unsuccessful attempts */ 643 int attempts = 3; 644 645 bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); 646 while (bytes_needed != 0 && attempts-- > 0) { 647 buffer = ossl_rand_pool_add_begin(pool, bytes_needed); 648 bytes = syscall_random(buffer, bytes_needed); 649 if (bytes > 0) { 650 ossl_rand_pool_add_end(pool, bytes, 8 * bytes); 651 bytes_needed -= bytes; 652 attempts = 3; /* reset counter after successful attempt */ 653 } else if (bytes < 0 && errno != EINTR) { 654 break; 655 } 656 } 657 } 658 entropy_available = ossl_rand_pool_entropy_available(pool); 659 if (entropy_available > 0) 660 return entropy_available; 661 # endif 662 663 # if defined(OPENSSL_RAND_SEED_LIBRANDOM) 664 { 665 /* Not yet implemented. */ 666 } 667 # endif 668 669 # if defined(OPENSSL_RAND_SEED_DEVRANDOM) 670 if (wait_random_seeded()) { 671 size_t bytes_needed; 672 unsigned char *buffer; 673 size_t i; 674 675 bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); 676 for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths); 677 i++) { 678 ssize_t bytes = 0; 679 /* Maximum number of consecutive unsuccessful attempts */ 680 int attempts = 3; 681 const int fd = get_random_device(i); 682 683 if (fd == -1) 684 continue; 685 686 while (bytes_needed != 0 && attempts-- > 0) { 687 buffer = ossl_rand_pool_add_begin(pool, bytes_needed); 688 bytes = read(fd, buffer, bytes_needed); 689 690 if (bytes > 0) { 691 ossl_rand_pool_add_end(pool, bytes, 8 * bytes); 692 bytes_needed -= bytes; 693 attempts = 3; /* reset counter on successful attempt */ 694 } else if (bytes < 0 && errno != EINTR) { 695 break; 696 } 697 } 698 if (bytes < 0 || !keep_random_devices_open) 699 close_random_device(i); 700 701 bytes_needed = ossl_rand_pool_bytes_needed(pool, 1); 702 } 703 entropy_available = ossl_rand_pool_entropy_available(pool); 704 if (entropy_available > 0) 705 return entropy_available; 706 } 707 # endif 708 709 # if defined(OPENSSL_RAND_SEED_RDTSC) 710 entropy_available = ossl_prov_acquire_entropy_from_tsc(pool); 711 if (entropy_available > 0) 712 return entropy_available; 713 # endif 714 715 # if defined(OPENSSL_RAND_SEED_RDCPU) 716 entropy_available = ossl_prov_acquire_entropy_from_cpu(pool); 717 if (entropy_available > 0) 718 return entropy_available; 719 # endif 720 721 # if defined(OPENSSL_RAND_SEED_EGD) 722 { 723 static const char *paths[] = { DEVRANDOM_EGD, NULL }; 724 size_t bytes_needed; 725 unsigned char *buffer; 726 int i; 727 728 bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); 729 for (i = 0; bytes_needed > 0 && paths[i] != NULL; i++) { 730 size_t bytes = 0; 731 int num; 732 733 buffer = ossl_rand_pool_add_begin(pool, bytes_needed); 734 num = RAND_query_egd_bytes(paths[i], 735 buffer, (int)bytes_needed); 736 if (num == (int)bytes_needed) 737 bytes = bytes_needed; 738 739 ossl_rand_pool_add_end(pool, bytes, 8 * bytes); 740 bytes_needed = ossl_rand_pool_bytes_needed(pool, 1); 741 } 742 entropy_available = ossl_rand_pool_entropy_available(pool); 743 if (entropy_available > 0) 744 return entropy_available; 745 } 746 # endif 747 748 return ossl_rand_pool_entropy_available(pool); 749 # endif 750 } 751 # endif 752 #endif 753 754 #if (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) \ 755 || defined(__DJGPP__) 756 int ossl_pool_add_nonce_data(RAND_POOL *pool) 757 { 758 struct { 759 pid_t pid; 760 CRYPTO_THREAD_ID tid; 761 uint64_t time; 762 } data; 763 764 /* Erase the entire structure including any padding */ 765 memset(&data, 0, sizeof(data)); 766 767 /* 768 * Add process id, thread id, and a high resolution timestamp to 769 * ensure that the nonce is unique with high probability for 770 * different process instances. 771 */ 772 data.pid = getpid(); 773 data.tid = CRYPTO_THREAD_get_current_id(); 774 data.time = get_time_stamp(); 775 776 return ossl_rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); 777 } 778 779 int ossl_rand_pool_add_additional_data(RAND_POOL *pool) 780 { 781 struct { 782 int fork_id; 783 CRYPTO_THREAD_ID tid; 784 uint64_t time; 785 } data; 786 787 /* Erase the entire structure including any padding */ 788 memset(&data, 0, sizeof(data)); 789 790 /* 791 * Add some noise from the thread id and a high resolution timer. 792 * The fork_id adds some extra fork-safety. 793 * The thread id adds a little randomness if the drbg is accessed 794 * concurrently (which is the case for the <master> drbg). 795 */ 796 data.fork_id = openssl_get_fork_id(); 797 data.tid = CRYPTO_THREAD_get_current_id(); 798 data.time = get_timer_bits(); 799 800 return ossl_rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); 801 } 802 803 804 /* 805 * Get the current time with the highest possible resolution 806 * 807 * The time stamp is added to the nonce, so it is optimized for not repeating. 808 * The current time is ideal for this purpose, provided the computer's clock 809 * is synchronized. 810 */ 811 static uint64_t get_time_stamp(void) 812 { 813 # if defined(OSSL_POSIX_TIMER_OKAY) 814 { 815 struct timespec ts; 816 817 if (clock_gettime(CLOCK_REALTIME, &ts) == 0) 818 return TWO32TO64(ts.tv_sec, ts.tv_nsec); 819 } 820 # endif 821 # if defined(__unix__) \ 822 || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) 823 { 824 struct timeval tv; 825 826 if (gettimeofday(&tv, NULL) == 0) 827 return TWO32TO64(tv.tv_sec, tv.tv_usec); 828 } 829 # endif 830 return time(NULL); 831 } 832 833 /* 834 * Get an arbitrary timer value of the highest possible resolution 835 * 836 * The timer value is added as random noise to the additional data, 837 * which is not considered a trusted entropy sourec, so any result 838 * is acceptable. 839 */ 840 static uint64_t get_timer_bits(void) 841 { 842 uint64_t res = OPENSSL_rdtsc(); 843 844 if (res != 0) 845 return res; 846 847 # if defined(__sun) || defined(__hpux) 848 return gethrtime(); 849 # elif defined(_AIX) 850 { 851 timebasestruct_t t; 852 853 read_wall_time(&t, TIMEBASE_SZ); 854 return TWO32TO64(t.tb_high, t.tb_low); 855 } 856 # elif defined(OSSL_POSIX_TIMER_OKAY) 857 { 858 struct timespec ts; 859 860 # ifdef CLOCK_BOOTTIME 861 # define CLOCK_TYPE CLOCK_BOOTTIME 862 # elif defined(_POSIX_MONOTONIC_CLOCK) 863 # define CLOCK_TYPE CLOCK_MONOTONIC 864 # else 865 # define CLOCK_TYPE CLOCK_REALTIME 866 # endif 867 868 if (clock_gettime(CLOCK_TYPE, &ts) == 0) 869 return TWO32TO64(ts.tv_sec, ts.tv_nsec); 870 } 871 # endif 872 # if defined(__unix__) \ 873 || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) 874 { 875 struct timeval tv; 876 877 if (gettimeofday(&tv, NULL) == 0) 878 return TWO32TO64(tv.tv_sec, tv.tv_usec); 879 } 880 # endif 881 return time(NULL); 882 } 883 #endif /* (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) 884 || defined(__DJGPP__) */ 885