xref: /freebsd/crypto/openssl/providers/implementations/rands/seeding/rand_unix.c (revision 7ebc7d1ab76b9d06be9400d6c9fc74fcc43603a1)
1 /*
2  * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #ifndef _GNU_SOURCE
11 # define _GNU_SOURCE
12 #endif
13 #include "../e_os.h"
14 #include <stdio.h>
15 #include "internal/cryptlib.h"
16 #include <openssl/rand.h>
17 #include <openssl/crypto.h>
18 #include "crypto/rand_pool.h"
19 #include "crypto/rand.h"
20 #include <stdio.h>
21 #include "internal/dso.h"
22 #include "prov/seeding.h"
23 
24 #ifdef __linux
25 # include <sys/syscall.h>
26 # ifdef DEVRANDOM_WAIT
27 #  include <sys/shm.h>
28 #  include <sys/utsname.h>
29 # endif
30 #endif
31 #if defined(__NetBSD__)
32 # include <sys/types.h>
33 # include <sys/sysctl.h>
34 # include <sys/param.h>
35 #endif
36 #if defined(__OpenBSD__)
37 # include <sys/param.h>
38 #endif
39 #if (defined(__DragonFly__) || defined(__FreeBSD__)) \
40      && !defined(OPENSSL_SYS_UEFI)
41 # include <sys/param.h>
42 # include <sys/random.h>
43 #endif
44 
45 #if (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) \
46      || defined(__DJGPP__)
47 # include <sys/types.h>
48 # include <sys/stat.h>
49 # include <fcntl.h>
50 # include <unistd.h>
51 # include <sys/time.h>
52 
53 static uint64_t get_time_stamp(void);
54 static uint64_t get_timer_bits(void);
55 
56 /* Macro to convert two thirty two bit values into a sixty four bit one */
57 # define TWO32TO64(a, b) ((((uint64_t)(a)) << 32) + (b))
58 
59 /*
60  * Check for the existence and support of POSIX timers.  The standard
61  * says that the _POSIX_TIMERS macro will have a positive value if they
62  * are available.
63  *
64  * However, we want an additional constraint: that the timer support does
65  * not require an extra library dependency.  Early versions of glibc
66  * require -lrt to be specified on the link line to access the timers,
67  * so this needs to be checked for.
68  *
69  * It is worse because some libraries define __GLIBC__ but don't
70  * support the version testing macro (e.g. uClibc).  This means
71  * an extra check is needed.
72  *
73  * The final condition is:
74  *      "have posix timers and either not glibc or glibc without -lrt"
75  *
76  * The nested #if sequences are required to avoid using a parameterised
77  * macro that might be undefined.
78  */
79 # undef OSSL_POSIX_TIMER_OKAY
80 /* On some systems, _POSIX_TIMERS is defined but empty.
81  * Subtracting by 0 when comparing avoids an error in this case. */
82 # if defined(_POSIX_TIMERS) && _POSIX_TIMERS -0 > 0
83 #  if defined(__GLIBC__)
84 #   if defined(__GLIBC_PREREQ)
85 #    if __GLIBC_PREREQ(2, 17)
86 #     define OSSL_POSIX_TIMER_OKAY
87 #    endif
88 #   endif
89 #  else
90 #   define OSSL_POSIX_TIMER_OKAY
91 #  endif
92 # endif
93 #endif /* (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS))
94           || defined(__DJGPP__) */
95 
96 #if defined(OPENSSL_RAND_SEED_NONE)
97 /* none means none. this simplifies the following logic */
98 # undef OPENSSL_RAND_SEED_OS
99 # undef OPENSSL_RAND_SEED_GETRANDOM
100 # undef OPENSSL_RAND_SEED_LIBRANDOM
101 # undef OPENSSL_RAND_SEED_DEVRANDOM
102 # undef OPENSSL_RAND_SEED_RDTSC
103 # undef OPENSSL_RAND_SEED_RDCPU
104 # undef OPENSSL_RAND_SEED_EGD
105 #endif
106 
107 #if defined(OPENSSL_SYS_UEFI) && !defined(OPENSSL_RAND_SEED_NONE)
108 # error "UEFI only supports seeding NONE"
109 #endif
110 
111 #if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) \
112     || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) \
113     || defined(OPENSSL_SYS_UEFI))
114 
115 # if defined(OPENSSL_SYS_VOS)
116 
117 #  ifndef OPENSSL_RAND_SEED_OS
118 #   error "Unsupported seeding method configured; must be os"
119 #  endif
120 
121 #  if defined(OPENSSL_SYS_VOS_HPPA) && defined(OPENSSL_SYS_VOS_IA32)
122 #   error "Unsupported HP-PA and IA32 at the same time."
123 #  endif
124 #  if !defined(OPENSSL_SYS_VOS_HPPA) && !defined(OPENSSL_SYS_VOS_IA32)
125 #   error "Must have one of HP-PA or IA32"
126 #  endif
127 
128 /*
129  * The following algorithm repeatedly samples the real-time clock (RTC) to
130  * generate a sequence of unpredictable data.  The algorithm relies upon the
131  * uneven execution speed of the code (due to factors such as cache misses,
132  * interrupts, bus activity, and scheduling) and upon the rather large
133  * relative difference between the speed of the clock and the rate at which
134  * it can be read.  If it is ported to an environment where execution speed
135  * is more constant or where the RTC ticks at a much slower rate, or the
136  * clock can be read with fewer instructions, it is likely that the results
137  * would be far more predictable.  This should only be used for legacy
138  * platforms.
139  *
140  * As a precaution, we assume only 2 bits of entropy per byte.
141  */
142 size_t ossl_pool_acquire_entropy(RAND_POOL *pool)
143 {
144     short int code;
145     int i, k;
146     size_t bytes_needed;
147     struct timespec ts;
148     unsigned char v;
149 #  ifdef OPENSSL_SYS_VOS_HPPA
150     long duration;
151     extern void s$sleep(long *_duration, short int *_code);
152 #  else
153     long long duration;
154     extern void s$sleep2(long long *_duration, short int *_code);
155 #  endif
156 
157     bytes_needed = ossl_rand_pool_bytes_needed(pool, 4 /*entropy_factor*/);
158 
159     for (i = 0; i < bytes_needed; i++) {
160         /*
161          * burn some cpu; hope for interrupts, cache collisions, bus
162          * interference, etc.
163          */
164         for (k = 0; k < 99; k++)
165             ts.tv_nsec = random();
166 
167 #  ifdef OPENSSL_SYS_VOS_HPPA
168         /* sleep for 1/1024 of a second (976 us).  */
169         duration = 1;
170         s$sleep(&duration, &code);
171 #  else
172         /* sleep for 1/65536 of a second (15 us).  */
173         duration = 1;
174         s$sleep2(&duration, &code);
175 #  endif
176 
177         /* Get wall clock time, take 8 bits. */
178         clock_gettime(CLOCK_REALTIME, &ts);
179         v = (unsigned char)(ts.tv_nsec & 0xFF);
180         ossl_rand_pool_add(pool, arg, &v, sizeof(v) , 2);
181     }
182     return ossl_rand_pool_entropy_available(pool);
183 }
184 
185 void ossl_rand_pool_cleanup(void)
186 {
187 }
188 
189 void ossl_rand_pool_keep_random_devices_open(int keep)
190 {
191 }
192 
193 # else
194 
195 #  if defined(OPENSSL_RAND_SEED_EGD) && \
196         (defined(OPENSSL_NO_EGD) || !defined(DEVRANDOM_EGD))
197 #   error "Seeding uses EGD but EGD is turned off or no device given"
198 #  endif
199 
200 #  if defined(OPENSSL_RAND_SEED_DEVRANDOM) && !defined(DEVRANDOM)
201 #   error "Seeding uses urandom but DEVRANDOM is not configured"
202 #  endif
203 
204 #  if defined(OPENSSL_RAND_SEED_OS)
205 #   if !defined(DEVRANDOM)
206 #    error "OS seeding requires DEVRANDOM to be configured"
207 #   endif
208 #   define OPENSSL_RAND_SEED_GETRANDOM
209 #   define OPENSSL_RAND_SEED_DEVRANDOM
210 #  endif
211 
212 #  if defined(OPENSSL_RAND_SEED_LIBRANDOM)
213 #   error "librandom not (yet) supported"
214 #  endif
215 
216 #  if defined(__NetBSD__) && defined(KERN_ARND)
217 /*
218  * sysctl_random(): Use sysctl() to read a random number from the kernel
219  * Returns the number of bytes returned in buf on success, -1 on failure.
220  */
221 static ssize_t sysctl_random(char *buf, size_t buflen)
222 {
223     int mib[2];
224     size_t done = 0;
225     size_t len;
226 
227     /*
228      * Note: sign conversion between size_t and ssize_t is safe even
229      * without a range check, see comment in syscall_random()
230      */
231 
232     /*
233      * On FreeBSD old implementations returned longs, newer versions support
234      * variable sizes up to 256 byte. The code below would not work properly
235      * when the sysctl returns long and we want to request something not a
236      * multiple of longs, which should never be the case.
237      */
238 #if   defined(__FreeBSD__)
239     if (!ossl_assert(buflen % sizeof(long) == 0)) {
240         errno = EINVAL;
241         return -1;
242     }
243 #endif
244 
245     /*
246      * On NetBSD before 4.0 KERN_ARND was an alias for KERN_URND, and only
247      * filled in an int, leaving the rest uninitialized. Since NetBSD 4.0
248      * it returns a variable number of bytes with the current version supporting
249      * up to 256 bytes.
250      * Just return an error on older NetBSD versions.
251      */
252 #if   defined(__NetBSD__) && __NetBSD_Version__ < 400000000
253     errno = ENOSYS;
254     return -1;
255 #endif
256 
257     mib[0] = CTL_KERN;
258     mib[1] = KERN_ARND;
259 
260     do {
261         len = buflen > 256 ? 256 : buflen;
262         if (sysctl(mib, 2, buf, &len, NULL, 0) == -1)
263             return done > 0 ? done : -1;
264         done += len;
265         buf += len;
266         buflen -= len;
267     } while (buflen > 0);
268 
269     return done;
270 }
271 #  endif
272 
273 #  if defined(OPENSSL_RAND_SEED_GETRANDOM)
274 
275 #   if defined(__linux) && !defined(__NR_getrandom)
276 #    if defined(__arm__)
277 #     define __NR_getrandom    (__NR_SYSCALL_BASE+384)
278 #    elif defined(__i386__)
279 #     define __NR_getrandom    355
280 #    elif defined(__x86_64__)
281 #     if defined(__ILP32__)
282 #      define __NR_getrandom   (__X32_SYSCALL_BIT + 318)
283 #     else
284 #      define __NR_getrandom   318
285 #     endif
286 #    elif defined(__xtensa__)
287 #     define __NR_getrandom    338
288 #    elif defined(__s390__) || defined(__s390x__)
289 #     define __NR_getrandom    349
290 #    elif defined(__bfin__)
291 #     define __NR_getrandom    389
292 #    elif defined(__powerpc__)
293 #     define __NR_getrandom    359
294 #    elif defined(__mips__) || defined(__mips64)
295 #     if _MIPS_SIM == _MIPS_SIM_ABI32
296 #      define __NR_getrandom   (__NR_Linux + 353)
297 #     elif _MIPS_SIM == _MIPS_SIM_ABI64
298 #      define __NR_getrandom   (__NR_Linux + 313)
299 #     elif _MIPS_SIM == _MIPS_SIM_NABI32
300 #      define __NR_getrandom   (__NR_Linux + 317)
301 #     endif
302 #    elif defined(__hppa__)
303 #     define __NR_getrandom    (__NR_Linux + 339)
304 #    elif defined(__sparc__)
305 #     define __NR_getrandom    347
306 #    elif defined(__ia64__)
307 #     define __NR_getrandom    1339
308 #    elif defined(__alpha__)
309 #     define __NR_getrandom    511
310 #    elif defined(__sh__)
311 #     if defined(__SH5__)
312 #      define __NR_getrandom   373
313 #     else
314 #      define __NR_getrandom   384
315 #     endif
316 #    elif defined(__avr32__)
317 #     define __NR_getrandom    317
318 #    elif defined(__microblaze__)
319 #     define __NR_getrandom    385
320 #    elif defined(__m68k__)
321 #     define __NR_getrandom    352
322 #    elif defined(__cris__)
323 #     define __NR_getrandom    356
324 #    elif defined(__aarch64__)
325 #     define __NR_getrandom    278
326 #    else /* generic */
327 #     define __NR_getrandom    278
328 #    endif
329 #   endif
330 
331 /*
332  * syscall_random(): Try to get random data using a system call
333  * returns the number of bytes returned in buf, or < 0 on error.
334  */
335 static ssize_t syscall_random(void *buf, size_t buflen)
336 {
337     /*
338      * Note: 'buflen' equals the size of the buffer which is used by the
339      * get_entropy() callback of the RAND_DRBG. It is roughly bounded by
340      *
341      *   2 * RAND_POOL_FACTOR * (RAND_DRBG_STRENGTH / 8) = 2^14
342      *
343      * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
344      * between size_t and ssize_t is safe even without a range check.
345      */
346 
347     /*
348      * Do runtime detection to find getentropy().
349      *
350      * Known OSs that should support this:
351      * - Darwin since 16 (OSX 10.12, IOS 10.0).
352      * - Solaris since 11.3
353      * - OpenBSD since 5.6
354      * - Linux since 3.17 with glibc 2.25
355      * - FreeBSD since 12.0 (1200061)
356      *
357      * Note: Sometimes getentropy() can be provided but not implemented
358      * internally. So we need to check errno for ENOSYS
359      */
360 #  if !defined(__DragonFly__) && !defined(__NetBSD__) && !defined(__FreeBSD__)
361 #    if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
362     extern int getentropy(void *buffer, size_t length) __attribute__((weak));
363 
364     if (getentropy != NULL) {
365         if (getentropy(buf, buflen) == 0)
366             return (ssize_t)buflen;
367         if (errno != ENOSYS)
368             return -1;
369     }
370 #    elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
371 
372     if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
373 	    return (ssize_t)buflen;
374 
375     return -1;
376 #    else
377     union {
378         void *p;
379         int (*f)(void *buffer, size_t length);
380     } p_getentropy;
381 
382     /*
383      * We could cache the result of the lookup, but we normally don't
384      * call this function often.
385      */
386     ERR_set_mark();
387     p_getentropy.p = DSO_global_lookup("getentropy");
388     ERR_pop_to_mark();
389     if (p_getentropy.p != NULL)
390         return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
391 #    endif
392 #  endif /* !__DragonFly__ */
393 
394     /* Linux supports this since version 3.17 */
395 #  if defined(__linux) && defined(__NR_getrandom)
396     return syscall(__NR_getrandom, buf, buflen, 0);
397 #  elif (defined(__DragonFly__)  && __DragonFly_version >= 500700) \
398      || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) \
399      || defined(__FreeBSD__)
400     return getrandom(buf, buflen, 0);
401 #  elif defined(__NetBSD__) && defined(KERN_ARND)
402     return sysctl_random(buf, buflen);
403 #  else
404     errno = ENOSYS;
405     return -1;
406 #  endif
407 }
408 #  endif    /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
409 
410 #  if defined(OPENSSL_RAND_SEED_DEVRANDOM)
411 static const char *random_device_paths[] = { DEVRANDOM };
412 static struct random_device {
413     int fd;
414     dev_t dev;
415     ino_t ino;
416     mode_t mode;
417     dev_t rdev;
418 } random_devices[OSSL_NELEM(random_device_paths)];
419 static int keep_random_devices_open = 1;
420 
421 #   if defined(__linux) && defined(DEVRANDOM_WAIT) \
422        && defined(OPENSSL_RAND_SEED_GETRANDOM)
423 static void *shm_addr;
424 
425 static void cleanup_shm(void)
426 {
427     shmdt(shm_addr);
428 }
429 
430 /*
431  * Ensure that the system randomness source has been adequately seeded.
432  * This is done by having the first start of libcrypto, wait until the device
433  * /dev/random becomes able to supply a byte of entropy.  Subsequent starts
434  * of the library and later reseedings do not need to do this.
435  */
436 static int wait_random_seeded(void)
437 {
438     static int seeded = OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID < 0;
439     static const int kernel_version[] = { DEVRANDOM_SAFE_KERNEL };
440     int kernel[2];
441     int shm_id, fd, r;
442     char c, *p;
443     struct utsname un;
444     fd_set fds;
445 
446     if (!seeded) {
447         /* See if anything has created the global seeded indication */
448         if ((shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1, 0)) == -1) {
449             /*
450              * Check the kernel's version and fail if it is too recent.
451              *
452              * Linux kernels from 4.8 onwards do not guarantee that
453              * /dev/urandom is properly seeded when /dev/random becomes
454              * readable.  However, such kernels support the getentropy(2)
455              * system call and this should always succeed which renders
456              * this alternative but essentially identical source moot.
457              */
458             if (uname(&un) == 0) {
459                 kernel[0] = atoi(un.release);
460                 p = strchr(un.release, '.');
461                 kernel[1] = p == NULL ? 0 : atoi(p + 1);
462                 if (kernel[0] > kernel_version[0]
463                     || (kernel[0] == kernel_version[0]
464                         && kernel[1] >= kernel_version[1])) {
465                     return 0;
466                 }
467             }
468             /* Open /dev/random and wait for it to be readable */
469             if ((fd = open(DEVRANDOM_WAIT, O_RDONLY)) != -1) {
470                 if (DEVRANDM_WAIT_USE_SELECT && fd < FD_SETSIZE) {
471                     FD_ZERO(&fds);
472                     FD_SET(fd, &fds);
473                     while ((r = select(fd + 1, &fds, NULL, NULL, NULL)) < 0
474                            && errno == EINTR);
475                 } else {
476                     while ((r = read(fd, &c, 1)) < 0 && errno == EINTR);
477                 }
478                 close(fd);
479                 if (r == 1) {
480                     seeded = 1;
481                     /* Create the shared memory indicator */
482                     shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1,
483                                     IPC_CREAT | S_IRUSR | S_IRGRP | S_IROTH);
484                 }
485             }
486         }
487         if (shm_id != -1) {
488             seeded = 1;
489             /*
490              * Map the shared memory to prevent its premature destruction.
491              * If this call fails, it isn't a big problem.
492              */
493             shm_addr = shmat(shm_id, NULL, SHM_RDONLY);
494             if (shm_addr != (void *)-1)
495                 OPENSSL_atexit(&cleanup_shm);
496         }
497     }
498     return seeded;
499 }
500 #   else /* defined __linux && DEVRANDOM_WAIT && OPENSSL_RAND_SEED_GETRANDOM */
501 static int wait_random_seeded(void)
502 {
503     return 1;
504 }
505 #   endif
506 
507 /*
508  * Verify that the file descriptor associated with the random source is
509  * still valid. The rationale for doing this is the fact that it is not
510  * uncommon for daemons to close all open file handles when daemonizing.
511  * So the handle might have been closed or even reused for opening
512  * another file.
513  */
514 static int check_random_device(struct random_device * rd)
515 {
516     struct stat st;
517 
518     return rd->fd != -1
519            && fstat(rd->fd, &st) != -1
520            && rd->dev == st.st_dev
521            && rd->ino == st.st_ino
522            && ((rd->mode ^ st.st_mode) & ~(S_IRWXU | S_IRWXG | S_IRWXO)) == 0
523            && rd->rdev == st.st_rdev;
524 }
525 
526 /*
527  * Open a random device if required and return its file descriptor or -1 on error
528  */
529 static int get_random_device(size_t n)
530 {
531     struct stat st;
532     struct random_device * rd = &random_devices[n];
533 
534     /* reuse existing file descriptor if it is (still) valid */
535     if (check_random_device(rd))
536         return rd->fd;
537 
538     /* open the random device ... */
539     if ((rd->fd = open(random_device_paths[n], O_RDONLY)) == -1)
540         return rd->fd;
541 
542     /* ... and cache its relevant stat(2) data */
543     if (fstat(rd->fd, &st) != -1) {
544         rd->dev = st.st_dev;
545         rd->ino = st.st_ino;
546         rd->mode = st.st_mode;
547         rd->rdev = st.st_rdev;
548     } else {
549         close(rd->fd);
550         rd->fd = -1;
551     }
552 
553     return rd->fd;
554 }
555 
556 /*
557  * Close a random device making sure it is a random device
558  */
559 static void close_random_device(size_t n)
560 {
561     struct random_device * rd = &random_devices[n];
562 
563     if (check_random_device(rd))
564         close(rd->fd);
565     rd->fd = -1;
566 }
567 
568 int ossl_rand_pool_init(void)
569 {
570     size_t i;
571 
572     for (i = 0; i < OSSL_NELEM(random_devices); i++)
573         random_devices[i].fd = -1;
574 
575     return 1;
576 }
577 
578 void ossl_rand_pool_cleanup(void)
579 {
580     size_t i;
581 
582     for (i = 0; i < OSSL_NELEM(random_devices); i++)
583         close_random_device(i);
584 }
585 
586 void ossl_rand_pool_keep_random_devices_open(int keep)
587 {
588     if (!keep)
589         ossl_rand_pool_cleanup();
590 
591     keep_random_devices_open = keep;
592 }
593 
594 #  else     /* !defined(OPENSSL_RAND_SEED_DEVRANDOM) */
595 
596 int ossl_rand_pool_init(void)
597 {
598     return 1;
599 }
600 
601 void ossl_rand_pool_cleanup(void)
602 {
603 }
604 
605 void ossl_rand_pool_keep_random_devices_open(int keep)
606 {
607 }
608 
609 #  endif    /* defined(OPENSSL_RAND_SEED_DEVRANDOM) */
610 
611 /*
612  * Try the various seeding methods in turn, exit when successful.
613  *
614  * If more than one entropy source is available, is it
615  * preferable to stop as soon as enough entropy has been collected
616  * (as favored by @rsalz) or should one rather be defensive and add
617  * more entropy than requested and/or from different sources?
618  *
619  * Currently, the user can select multiple entropy sources in the
620  * configure step, yet in practice only the first available source
621  * will be used. A more flexible solution has been requested, but
622  * currently it is not clear how this can be achieved without
623  * overengineering the problem. There are many parameters which
624  * could be taken into account when selecting the order and amount
625  * of input from the different entropy sources (trust, quality,
626  * possibility of blocking).
627  */
628 size_t ossl_pool_acquire_entropy(RAND_POOL *pool)
629 {
630 #  if defined(OPENSSL_RAND_SEED_NONE)
631     return ossl_rand_pool_entropy_available(pool);
632 #  else
633     size_t entropy_available = 0;
634 
635     (void)entropy_available;    /* avoid compiler warning */
636 
637 #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
638     {
639         size_t bytes_needed;
640         unsigned char *buffer;
641         ssize_t bytes;
642         /* Maximum allowed number of consecutive unsuccessful attempts */
643         int attempts = 3;
644 
645         bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
646         while (bytes_needed != 0 && attempts-- > 0) {
647             buffer = ossl_rand_pool_add_begin(pool, bytes_needed);
648             bytes = syscall_random(buffer, bytes_needed);
649             if (bytes > 0) {
650                 ossl_rand_pool_add_end(pool, bytes, 8 * bytes);
651                 bytes_needed -= bytes;
652                 attempts = 3; /* reset counter after successful attempt */
653             } else if (bytes < 0 && errno != EINTR) {
654                 break;
655             }
656         }
657     }
658     entropy_available = ossl_rand_pool_entropy_available(pool);
659     if (entropy_available > 0)
660         return entropy_available;
661 #   endif
662 
663 #   if defined(OPENSSL_RAND_SEED_LIBRANDOM)
664     {
665         /* Not yet implemented. */
666     }
667 #   endif
668 
669 #   if defined(OPENSSL_RAND_SEED_DEVRANDOM)
670     if (wait_random_seeded()) {
671         size_t bytes_needed;
672         unsigned char *buffer;
673         size_t i;
674 
675         bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
676         for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths);
677              i++) {
678             ssize_t bytes = 0;
679             /* Maximum number of consecutive unsuccessful attempts */
680             int attempts = 3;
681             const int fd = get_random_device(i);
682 
683             if (fd == -1)
684                 continue;
685 
686             while (bytes_needed != 0 && attempts-- > 0) {
687                 buffer = ossl_rand_pool_add_begin(pool, bytes_needed);
688                 bytes = read(fd, buffer, bytes_needed);
689 
690                 if (bytes > 0) {
691                     ossl_rand_pool_add_end(pool, bytes, 8 * bytes);
692                     bytes_needed -= bytes;
693                     attempts = 3; /* reset counter on successful attempt */
694                 } else if (bytes < 0 && errno != EINTR) {
695                     break;
696                 }
697             }
698             if (bytes < 0 || !keep_random_devices_open)
699                 close_random_device(i);
700 
701             bytes_needed = ossl_rand_pool_bytes_needed(pool, 1);
702         }
703         entropy_available = ossl_rand_pool_entropy_available(pool);
704         if (entropy_available > 0)
705             return entropy_available;
706     }
707 #   endif
708 
709 #   if defined(OPENSSL_RAND_SEED_RDTSC)
710     entropy_available = ossl_prov_acquire_entropy_from_tsc(pool);
711     if (entropy_available > 0)
712         return entropy_available;
713 #   endif
714 
715 #   if defined(OPENSSL_RAND_SEED_RDCPU)
716     entropy_available = ossl_prov_acquire_entropy_from_cpu(pool);
717     if (entropy_available > 0)
718         return entropy_available;
719 #   endif
720 
721 #   if defined(OPENSSL_RAND_SEED_EGD)
722     {
723         static const char *paths[] = { DEVRANDOM_EGD, NULL };
724         size_t bytes_needed;
725         unsigned char *buffer;
726         int i;
727 
728         bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
729         for (i = 0; bytes_needed > 0 && paths[i] != NULL; i++) {
730             size_t bytes = 0;
731             int num;
732 
733             buffer = ossl_rand_pool_add_begin(pool, bytes_needed);
734             num = RAND_query_egd_bytes(paths[i],
735                                        buffer, (int)bytes_needed);
736             if (num == (int)bytes_needed)
737                 bytes = bytes_needed;
738 
739             ossl_rand_pool_add_end(pool, bytes, 8 * bytes);
740             bytes_needed = ossl_rand_pool_bytes_needed(pool, 1);
741         }
742         entropy_available = ossl_rand_pool_entropy_available(pool);
743         if (entropy_available > 0)
744             return entropy_available;
745     }
746 #   endif
747 
748     return ossl_rand_pool_entropy_available(pool);
749 #  endif
750 }
751 # endif
752 #endif
753 
754 #if (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) \
755      || defined(__DJGPP__)
756 int ossl_pool_add_nonce_data(RAND_POOL *pool)
757 {
758     struct {
759         pid_t pid;
760         CRYPTO_THREAD_ID tid;
761         uint64_t time;
762     } data;
763 
764     /* Erase the entire structure including any padding */
765     memset(&data, 0, sizeof(data));
766 
767     /*
768      * Add process id, thread id, and a high resolution timestamp to
769      * ensure that the nonce is unique with high probability for
770      * different process instances.
771      */
772     data.pid = getpid();
773     data.tid = CRYPTO_THREAD_get_current_id();
774     data.time = get_time_stamp();
775 
776     return ossl_rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0);
777 }
778 
779 int ossl_rand_pool_add_additional_data(RAND_POOL *pool)
780 {
781     struct {
782         int fork_id;
783         CRYPTO_THREAD_ID tid;
784         uint64_t time;
785     } data;
786 
787     /* Erase the entire structure including any padding */
788     memset(&data, 0, sizeof(data));
789 
790     /*
791      * Add some noise from the thread id and a high resolution timer.
792      * The fork_id adds some extra fork-safety.
793      * The thread id adds a little randomness if the drbg is accessed
794      * concurrently (which is the case for the <master> drbg).
795      */
796     data.fork_id = openssl_get_fork_id();
797     data.tid = CRYPTO_THREAD_get_current_id();
798     data.time = get_timer_bits();
799 
800     return ossl_rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0);
801 }
802 
803 
804 /*
805  * Get the current time with the highest possible resolution
806  *
807  * The time stamp is added to the nonce, so it is optimized for not repeating.
808  * The current time is ideal for this purpose, provided the computer's clock
809  * is synchronized.
810  */
811 static uint64_t get_time_stamp(void)
812 {
813 # if defined(OSSL_POSIX_TIMER_OKAY)
814     {
815         struct timespec ts;
816 
817         if (clock_gettime(CLOCK_REALTIME, &ts) == 0)
818             return TWO32TO64(ts.tv_sec, ts.tv_nsec);
819     }
820 # endif
821 # if defined(__unix__) \
822      || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L)
823     {
824         struct timeval tv;
825 
826         if (gettimeofday(&tv, NULL) == 0)
827             return TWO32TO64(tv.tv_sec, tv.tv_usec);
828     }
829 # endif
830     return time(NULL);
831 }
832 
833 /*
834  * Get an arbitrary timer value of the highest possible resolution
835  *
836  * The timer value is added as random noise to the additional data,
837  * which is not considered a trusted entropy sourec, so any result
838  * is acceptable.
839  */
840 static uint64_t get_timer_bits(void)
841 {
842     uint64_t res = OPENSSL_rdtsc();
843 
844     if (res != 0)
845         return res;
846 
847 # if defined(__sun) || defined(__hpux)
848     return gethrtime();
849 # elif defined(_AIX)
850     {
851         timebasestruct_t t;
852 
853         read_wall_time(&t, TIMEBASE_SZ);
854         return TWO32TO64(t.tb_high, t.tb_low);
855     }
856 # elif defined(OSSL_POSIX_TIMER_OKAY)
857     {
858         struct timespec ts;
859 
860 #  ifdef CLOCK_BOOTTIME
861 #   define CLOCK_TYPE CLOCK_BOOTTIME
862 #  elif defined(_POSIX_MONOTONIC_CLOCK)
863 #   define CLOCK_TYPE CLOCK_MONOTONIC
864 #  else
865 #   define CLOCK_TYPE CLOCK_REALTIME
866 #  endif
867 
868         if (clock_gettime(CLOCK_TYPE, &ts) == 0)
869             return TWO32TO64(ts.tv_sec, ts.tv_nsec);
870     }
871 # endif
872 # if defined(__unix__) \
873      || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L)
874     {
875         struct timeval tv;
876 
877         if (gettimeofday(&tv, NULL) == 0)
878             return TWO32TO64(tv.tv_sec, tv.tv_usec);
879     }
880 # endif
881     return time(NULL);
882 }
883 #endif /* (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS))
884           || defined(__DJGPP__) */
885