1 /* 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #ifndef _GNU_SOURCE 11 # define _GNU_SOURCE 12 #endif 13 #include "../e_os.h" 14 #include <stdio.h> 15 #include "internal/cryptlib.h" 16 #include <openssl/rand.h> 17 #include <openssl/crypto.h> 18 #include "crypto/rand_pool.h" 19 #include "crypto/rand.h" 20 #include <stdio.h> 21 #include "internal/dso.h" 22 #include "prov/seeding.h" 23 24 #ifdef __linux 25 # include <sys/syscall.h> 26 # ifdef DEVRANDOM_WAIT 27 # include <sys/shm.h> 28 # include <sys/utsname.h> 29 # endif 30 #endif 31 #if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(OPENSSL_SYS_UEFI) 32 # include <sys/types.h> 33 # include <sys/sysctl.h> 34 # include <sys/param.h> 35 #endif 36 #if defined(__OpenBSD__) 37 # include <sys/param.h> 38 #endif 39 #if defined(__DragonFly__) 40 # include <sys/param.h> 41 # include <sys/random.h> 42 #endif 43 44 #if (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) \ 45 || defined(__DJGPP__) 46 # include <sys/types.h> 47 # include <sys/stat.h> 48 # include <fcntl.h> 49 # include <unistd.h> 50 # include <sys/time.h> 51 52 static uint64_t get_time_stamp(void); 53 static uint64_t get_timer_bits(void); 54 55 /* Macro to convert two thirty two bit values into a sixty four bit one */ 56 # define TWO32TO64(a, b) ((((uint64_t)(a)) << 32) + (b)) 57 58 /* 59 * Check for the existence and support of POSIX timers. The standard 60 * says that the _POSIX_TIMERS macro will have a positive value if they 61 * are available. 62 * 63 * However, we want an additional constraint: that the timer support does 64 * not require an extra library dependency. Early versions of glibc 65 * require -lrt to be specified on the link line to access the timers, 66 * so this needs to be checked for. 67 * 68 * It is worse because some libraries define __GLIBC__ but don't 69 * support the version testing macro (e.g. uClibc). This means 70 * an extra check is needed. 71 * 72 * The final condition is: 73 * "have posix timers and either not glibc or glibc without -lrt" 74 * 75 * The nested #if sequences are required to avoid using a parameterised 76 * macro that might be undefined. 77 */ 78 # undef OSSL_POSIX_TIMER_OKAY 79 /* On some systems, _POSIX_TIMERS is defined but empty. 80 * Subtracting by 0 when comparing avoids an error in this case. */ 81 # if defined(_POSIX_TIMERS) && _POSIX_TIMERS -0 > 0 82 # if defined(__GLIBC__) 83 # if defined(__GLIBC_PREREQ) 84 # if __GLIBC_PREREQ(2, 17) 85 # define OSSL_POSIX_TIMER_OKAY 86 # endif 87 # endif 88 # else 89 # define OSSL_POSIX_TIMER_OKAY 90 # endif 91 # endif 92 #endif /* (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) 93 || defined(__DJGPP__) */ 94 95 #if defined(OPENSSL_RAND_SEED_NONE) 96 /* none means none. this simplifies the following logic */ 97 # undef OPENSSL_RAND_SEED_OS 98 # undef OPENSSL_RAND_SEED_GETRANDOM 99 # undef OPENSSL_RAND_SEED_LIBRANDOM 100 # undef OPENSSL_RAND_SEED_DEVRANDOM 101 # undef OPENSSL_RAND_SEED_RDTSC 102 # undef OPENSSL_RAND_SEED_RDCPU 103 # undef OPENSSL_RAND_SEED_EGD 104 #endif 105 106 #if defined(OPENSSL_SYS_UEFI) && !defined(OPENSSL_RAND_SEED_NONE) 107 # error "UEFI only supports seeding NONE" 108 #endif 109 110 #if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) \ 111 || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) \ 112 || defined(OPENSSL_SYS_UEFI)) 113 114 # if defined(OPENSSL_SYS_VOS) 115 116 # ifndef OPENSSL_RAND_SEED_OS 117 # error "Unsupported seeding method configured; must be os" 118 # endif 119 120 # if defined(OPENSSL_SYS_VOS_HPPA) && defined(OPENSSL_SYS_VOS_IA32) 121 # error "Unsupported HP-PA and IA32 at the same time." 122 # endif 123 # if !defined(OPENSSL_SYS_VOS_HPPA) && !defined(OPENSSL_SYS_VOS_IA32) 124 # error "Must have one of HP-PA or IA32" 125 # endif 126 127 /* 128 * The following algorithm repeatedly samples the real-time clock (RTC) to 129 * generate a sequence of unpredictable data. The algorithm relies upon the 130 * uneven execution speed of the code (due to factors such as cache misses, 131 * interrupts, bus activity, and scheduling) and upon the rather large 132 * relative difference between the speed of the clock and the rate at which 133 * it can be read. If it is ported to an environment where execution speed 134 * is more constant or where the RTC ticks at a much slower rate, or the 135 * clock can be read with fewer instructions, it is likely that the results 136 * would be far more predictable. This should only be used for legacy 137 * platforms. 138 * 139 * As a precaution, we assume only 2 bits of entropy per byte. 140 */ 141 size_t ossl_pool_acquire_entropy(RAND_POOL *pool) 142 { 143 short int code; 144 int i, k; 145 size_t bytes_needed; 146 struct timespec ts; 147 unsigned char v; 148 # ifdef OPENSSL_SYS_VOS_HPPA 149 long duration; 150 extern void s$sleep(long *_duration, short int *_code); 151 # else 152 long long duration; 153 extern void s$sleep2(long long *_duration, short int *_code); 154 # endif 155 156 bytes_needed = ossl_rand_pool_bytes_needed(pool, 4 /*entropy_factor*/); 157 158 for (i = 0; i < bytes_needed; i++) { 159 /* 160 * burn some cpu; hope for interrupts, cache collisions, bus 161 * interference, etc. 162 */ 163 for (k = 0; k < 99; k++) 164 ts.tv_nsec = random(); 165 166 # ifdef OPENSSL_SYS_VOS_HPPA 167 /* sleep for 1/1024 of a second (976 us). */ 168 duration = 1; 169 s$sleep(&duration, &code); 170 # else 171 /* sleep for 1/65536 of a second (15 us). */ 172 duration = 1; 173 s$sleep2(&duration, &code); 174 # endif 175 176 /* Get wall clock time, take 8 bits. */ 177 clock_gettime(CLOCK_REALTIME, &ts); 178 v = (unsigned char)(ts.tv_nsec & 0xFF); 179 ossl_rand_pool_add(pool, arg, &v, sizeof(v) , 2); 180 } 181 return ossl_rand_pool_entropy_available(pool); 182 } 183 184 void ossl_rand_pool_cleanup(void) 185 { 186 } 187 188 void ossl_rand_pool_keep_random_devices_open(int keep) 189 { 190 } 191 192 # else 193 194 # if defined(OPENSSL_RAND_SEED_EGD) && \ 195 (defined(OPENSSL_NO_EGD) || !defined(DEVRANDOM_EGD)) 196 # error "Seeding uses EGD but EGD is turned off or no device given" 197 # endif 198 199 # if defined(OPENSSL_RAND_SEED_DEVRANDOM) && !defined(DEVRANDOM) 200 # error "Seeding uses urandom but DEVRANDOM is not configured" 201 # endif 202 203 # if defined(OPENSSL_RAND_SEED_OS) 204 # if !defined(DEVRANDOM) 205 # error "OS seeding requires DEVRANDOM to be configured" 206 # endif 207 # define OPENSSL_RAND_SEED_GETRANDOM 208 # define OPENSSL_RAND_SEED_DEVRANDOM 209 # endif 210 211 # if defined(OPENSSL_RAND_SEED_LIBRANDOM) 212 # error "librandom not (yet) supported" 213 # endif 214 215 # if (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) 216 /* 217 * sysctl_random(): Use sysctl() to read a random number from the kernel 218 * Returns the number of bytes returned in buf on success, -1 on failure. 219 */ 220 static ssize_t sysctl_random(char *buf, size_t buflen) 221 { 222 int mib[2]; 223 size_t done = 0; 224 size_t len; 225 226 /* 227 * Note: sign conversion between size_t and ssize_t is safe even 228 * without a range check, see comment in syscall_random() 229 */ 230 231 /* 232 * On FreeBSD old implementations returned longs, newer versions support 233 * variable sizes up to 256 byte. The code below would not work properly 234 * when the sysctl returns long and we want to request something not a 235 * multiple of longs, which should never be the case. 236 */ 237 #if defined(__FreeBSD__) 238 if (!ossl_assert(buflen % sizeof(long) == 0)) { 239 errno = EINVAL; 240 return -1; 241 } 242 #endif 243 244 /* 245 * On NetBSD before 4.0 KERN_ARND was an alias for KERN_URND, and only 246 * filled in an int, leaving the rest uninitialized. Since NetBSD 4.0 247 * it returns a variable number of bytes with the current version supporting 248 * up to 256 bytes. 249 * Just return an error on older NetBSD versions. 250 */ 251 #if defined(__NetBSD__) && __NetBSD_Version__ < 400000000 252 errno = ENOSYS; 253 return -1; 254 #endif 255 256 mib[0] = CTL_KERN; 257 mib[1] = KERN_ARND; 258 259 do { 260 len = buflen > 256 ? 256 : buflen; 261 if (sysctl(mib, 2, buf, &len, NULL, 0) == -1) 262 return done > 0 ? done : -1; 263 done += len; 264 buf += len; 265 buflen -= len; 266 } while (buflen > 0); 267 268 return done; 269 } 270 # endif 271 272 # if defined(OPENSSL_RAND_SEED_GETRANDOM) 273 274 # if defined(__linux) && !defined(__NR_getrandom) 275 # if defined(__arm__) 276 # define __NR_getrandom (__NR_SYSCALL_BASE+384) 277 # elif defined(__i386__) 278 # define __NR_getrandom 355 279 # elif defined(__x86_64__) 280 # if defined(__ILP32__) 281 # define __NR_getrandom (__X32_SYSCALL_BIT + 318) 282 # else 283 # define __NR_getrandom 318 284 # endif 285 # elif defined(__xtensa__) 286 # define __NR_getrandom 338 287 # elif defined(__s390__) || defined(__s390x__) 288 # define __NR_getrandom 349 289 # elif defined(__bfin__) 290 # define __NR_getrandom 389 291 # elif defined(__powerpc__) 292 # define __NR_getrandom 359 293 # elif defined(__mips__) || defined(__mips64) 294 # if _MIPS_SIM == _MIPS_SIM_ABI32 295 # define __NR_getrandom (__NR_Linux + 353) 296 # elif _MIPS_SIM == _MIPS_SIM_ABI64 297 # define __NR_getrandom (__NR_Linux + 313) 298 # elif _MIPS_SIM == _MIPS_SIM_NABI32 299 # define __NR_getrandom (__NR_Linux + 317) 300 # endif 301 # elif defined(__hppa__) 302 # define __NR_getrandom (__NR_Linux + 339) 303 # elif defined(__sparc__) 304 # define __NR_getrandom 347 305 # elif defined(__ia64__) 306 # define __NR_getrandom 1339 307 # elif defined(__alpha__) 308 # define __NR_getrandom 511 309 # elif defined(__sh__) 310 # if defined(__SH5__) 311 # define __NR_getrandom 373 312 # else 313 # define __NR_getrandom 384 314 # endif 315 # elif defined(__avr32__) 316 # define __NR_getrandom 317 317 # elif defined(__microblaze__) 318 # define __NR_getrandom 385 319 # elif defined(__m68k__) 320 # define __NR_getrandom 352 321 # elif defined(__cris__) 322 # define __NR_getrandom 356 323 # elif defined(__aarch64__) 324 # define __NR_getrandom 278 325 # else /* generic */ 326 # define __NR_getrandom 278 327 # endif 328 # endif 329 330 /* 331 * syscall_random(): Try to get random data using a system call 332 * returns the number of bytes returned in buf, or < 0 on error. 333 */ 334 static ssize_t syscall_random(void *buf, size_t buflen) 335 { 336 /* 337 * Note: 'buflen' equals the size of the buffer which is used by the 338 * get_entropy() callback of the RAND_DRBG. It is roughly bounded by 339 * 340 * 2 * RAND_POOL_FACTOR * (RAND_DRBG_STRENGTH / 8) = 2^14 341 * 342 * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion 343 * between size_t and ssize_t is safe even without a range check. 344 */ 345 346 /* 347 * Do runtime detection to find getentropy(). 348 * 349 * Known OSs that should support this: 350 * - Darwin since 16 (OSX 10.12, IOS 10.0). 351 * - Solaris since 11.3 352 * - OpenBSD since 5.6 353 * - Linux since 3.17 with glibc 2.25 354 * - FreeBSD since 12.0 (1200061) 355 * 356 * Note: Sometimes getentropy() can be provided but not implemented 357 * internally. So we need to check errno for ENOSYS 358 */ 359 # if !defined(__DragonFly__) && !defined(__NetBSD__) && !defined(__FreeBSD__) 360 # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) 361 extern int getentropy(void *buffer, size_t length) __attribute__((weak)); 362 363 if (getentropy != NULL) { 364 if (getentropy(buf, buflen) == 0) 365 return (ssize_t)buflen; 366 if (errno != ENOSYS) 367 return -1; 368 } 369 # elif defined(OPENSSL_APPLE_CRYPTO_RANDOM) 370 371 if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess) 372 return (ssize_t)buflen; 373 374 return -1; 375 # else 376 union { 377 void *p; 378 int (*f)(void *buffer, size_t length); 379 } p_getentropy; 380 381 /* 382 * We could cache the result of the lookup, but we normally don't 383 * call this function often. 384 */ 385 ERR_set_mark(); 386 p_getentropy.p = DSO_global_lookup("getentropy"); 387 ERR_pop_to_mark(); 388 if (p_getentropy.p != NULL) 389 return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; 390 # endif 391 # endif /* !__DragonFly__ */ 392 393 /* Linux supports this since version 3.17 */ 394 # if defined(__linux) && defined(__NR_getrandom) 395 return syscall(__NR_getrandom, buf, buflen, 0); 396 # elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \ 397 || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) \ 398 || defined(__FreeBSD__) 399 return getrandom(buf, buflen, 0); 400 # elif defined(__NetBSD__) && defined(KERN_ARND) 401 return sysctl_random(buf, buflen); 402 # else 403 errno = ENOSYS; 404 return -1; 405 # endif 406 } 407 # endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */ 408 409 # if defined(OPENSSL_RAND_SEED_DEVRANDOM) 410 static const char *random_device_paths[] = { DEVRANDOM }; 411 static struct random_device { 412 int fd; 413 dev_t dev; 414 ino_t ino; 415 mode_t mode; 416 dev_t rdev; 417 } random_devices[OSSL_NELEM(random_device_paths)]; 418 static int keep_random_devices_open = 1; 419 420 # if defined(__linux) && defined(DEVRANDOM_WAIT) \ 421 && defined(OPENSSL_RAND_SEED_GETRANDOM) 422 static void *shm_addr; 423 424 static void cleanup_shm(void) 425 { 426 shmdt(shm_addr); 427 } 428 429 /* 430 * Ensure that the system randomness source has been adequately seeded. 431 * This is done by having the first start of libcrypto, wait until the device 432 * /dev/random becomes able to supply a byte of entropy. Subsequent starts 433 * of the library and later reseedings do not need to do this. 434 */ 435 static int wait_random_seeded(void) 436 { 437 static int seeded = OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID < 0; 438 static const int kernel_version[] = { DEVRANDOM_SAFE_KERNEL }; 439 int kernel[2]; 440 int shm_id, fd, r; 441 char c, *p; 442 struct utsname un; 443 fd_set fds; 444 445 if (!seeded) { 446 /* See if anything has created the global seeded indication */ 447 if ((shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1, 0)) == -1) { 448 /* 449 * Check the kernel's version and fail if it is too recent. 450 * 451 * Linux kernels from 4.8 onwards do not guarantee that 452 * /dev/urandom is properly seeded when /dev/random becomes 453 * readable. However, such kernels support the getentropy(2) 454 * system call and this should always succeed which renders 455 * this alternative but essentially identical source moot. 456 */ 457 if (uname(&un) == 0) { 458 kernel[0] = atoi(un.release); 459 p = strchr(un.release, '.'); 460 kernel[1] = p == NULL ? 0 : atoi(p + 1); 461 if (kernel[0] > kernel_version[0] 462 || (kernel[0] == kernel_version[0] 463 && kernel[1] >= kernel_version[1])) { 464 return 0; 465 } 466 } 467 /* Open /dev/random and wait for it to be readable */ 468 if ((fd = open(DEVRANDOM_WAIT, O_RDONLY)) != -1) { 469 if (DEVRANDM_WAIT_USE_SELECT && fd < FD_SETSIZE) { 470 FD_ZERO(&fds); 471 FD_SET(fd, &fds); 472 while ((r = select(fd + 1, &fds, NULL, NULL, NULL)) < 0 473 && errno == EINTR); 474 } else { 475 while ((r = read(fd, &c, 1)) < 0 && errno == EINTR); 476 } 477 close(fd); 478 if (r == 1) { 479 seeded = 1; 480 /* Create the shared memory indicator */ 481 shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1, 482 IPC_CREAT | S_IRUSR | S_IRGRP | S_IROTH); 483 } 484 } 485 } 486 if (shm_id != -1) { 487 seeded = 1; 488 /* 489 * Map the shared memory to prevent its premature destruction. 490 * If this call fails, it isn't a big problem. 491 */ 492 shm_addr = shmat(shm_id, NULL, SHM_RDONLY); 493 if (shm_addr != (void *)-1) 494 OPENSSL_atexit(&cleanup_shm); 495 } 496 } 497 return seeded; 498 } 499 # else /* defined __linux && DEVRANDOM_WAIT && OPENSSL_RAND_SEED_GETRANDOM */ 500 static int wait_random_seeded(void) 501 { 502 return 1; 503 } 504 # endif 505 506 /* 507 * Verify that the file descriptor associated with the random source is 508 * still valid. The rationale for doing this is the fact that it is not 509 * uncommon for daemons to close all open file handles when daemonizing. 510 * So the handle might have been closed or even reused for opening 511 * another file. 512 */ 513 static int check_random_device(struct random_device * rd) 514 { 515 struct stat st; 516 517 return rd->fd != -1 518 && fstat(rd->fd, &st) != -1 519 && rd->dev == st.st_dev 520 && rd->ino == st.st_ino 521 && ((rd->mode ^ st.st_mode) & ~(S_IRWXU | S_IRWXG | S_IRWXO)) == 0 522 && rd->rdev == st.st_rdev; 523 } 524 525 /* 526 * Open a random device if required and return its file descriptor or -1 on error 527 */ 528 static int get_random_device(size_t n) 529 { 530 struct stat st; 531 struct random_device * rd = &random_devices[n]; 532 533 /* reuse existing file descriptor if it is (still) valid */ 534 if (check_random_device(rd)) 535 return rd->fd; 536 537 /* open the random device ... */ 538 if ((rd->fd = open(random_device_paths[n], O_RDONLY)) == -1) 539 return rd->fd; 540 541 /* ... and cache its relevant stat(2) data */ 542 if (fstat(rd->fd, &st) != -1) { 543 rd->dev = st.st_dev; 544 rd->ino = st.st_ino; 545 rd->mode = st.st_mode; 546 rd->rdev = st.st_rdev; 547 } else { 548 close(rd->fd); 549 rd->fd = -1; 550 } 551 552 return rd->fd; 553 } 554 555 /* 556 * Close a random device making sure it is a random device 557 */ 558 static void close_random_device(size_t n) 559 { 560 struct random_device * rd = &random_devices[n]; 561 562 if (check_random_device(rd)) 563 close(rd->fd); 564 rd->fd = -1; 565 } 566 567 int ossl_rand_pool_init(void) 568 { 569 size_t i; 570 571 for (i = 0; i < OSSL_NELEM(random_devices); i++) 572 random_devices[i].fd = -1; 573 574 return 1; 575 } 576 577 void ossl_rand_pool_cleanup(void) 578 { 579 size_t i; 580 581 for (i = 0; i < OSSL_NELEM(random_devices); i++) 582 close_random_device(i); 583 } 584 585 void ossl_rand_pool_keep_random_devices_open(int keep) 586 { 587 if (!keep) 588 ossl_rand_pool_cleanup(); 589 590 keep_random_devices_open = keep; 591 } 592 593 # else /* !defined(OPENSSL_RAND_SEED_DEVRANDOM) */ 594 595 int ossl_rand_pool_init(void) 596 { 597 return 1; 598 } 599 600 void ossl_rand_pool_cleanup(void) 601 { 602 } 603 604 void ossl_rand_pool_keep_random_devices_open(int keep) 605 { 606 } 607 608 # endif /* defined(OPENSSL_RAND_SEED_DEVRANDOM) */ 609 610 /* 611 * Try the various seeding methods in turn, exit when successful. 612 * 613 * If more than one entropy source is available, is it 614 * preferable to stop as soon as enough entropy has been collected 615 * (as favored by @rsalz) or should one rather be defensive and add 616 * more entropy than requested and/or from different sources? 617 * 618 * Currently, the user can select multiple entropy sources in the 619 * configure step, yet in practice only the first available source 620 * will be used. A more flexible solution has been requested, but 621 * currently it is not clear how this can be achieved without 622 * overengineering the problem. There are many parameters which 623 * could be taken into account when selecting the order and amount 624 * of input from the different entropy sources (trust, quality, 625 * possibility of blocking). 626 */ 627 size_t ossl_pool_acquire_entropy(RAND_POOL *pool) 628 { 629 # if defined(OPENSSL_RAND_SEED_NONE) 630 return ossl_rand_pool_entropy_available(pool); 631 # else 632 size_t entropy_available = 0; 633 634 (void)entropy_available; /* avoid compiler warning */ 635 636 # if defined(OPENSSL_RAND_SEED_GETRANDOM) 637 { 638 size_t bytes_needed; 639 unsigned char *buffer; 640 ssize_t bytes; 641 /* Maximum allowed number of consecutive unsuccessful attempts */ 642 int attempts = 3; 643 644 bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); 645 while (bytes_needed != 0 && attempts-- > 0) { 646 buffer = ossl_rand_pool_add_begin(pool, bytes_needed); 647 bytes = syscall_random(buffer, bytes_needed); 648 if (bytes > 0) { 649 ossl_rand_pool_add_end(pool, bytes, 8 * bytes); 650 bytes_needed -= bytes; 651 attempts = 3; /* reset counter after successful attempt */ 652 } else if (bytes < 0 && errno != EINTR) { 653 break; 654 } 655 } 656 } 657 entropy_available = ossl_rand_pool_entropy_available(pool); 658 if (entropy_available > 0) 659 return entropy_available; 660 # endif 661 662 # if defined(OPENSSL_RAND_SEED_LIBRANDOM) 663 { 664 /* Not yet implemented. */ 665 } 666 # endif 667 668 # if defined(OPENSSL_RAND_SEED_DEVRANDOM) 669 if (wait_random_seeded()) { 670 size_t bytes_needed; 671 unsigned char *buffer; 672 size_t i; 673 674 bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); 675 for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths); 676 i++) { 677 ssize_t bytes = 0; 678 /* Maximum number of consecutive unsuccessful attempts */ 679 int attempts = 3; 680 const int fd = get_random_device(i); 681 682 if (fd == -1) 683 continue; 684 685 while (bytes_needed != 0 && attempts-- > 0) { 686 buffer = ossl_rand_pool_add_begin(pool, bytes_needed); 687 bytes = read(fd, buffer, bytes_needed); 688 689 if (bytes > 0) { 690 ossl_rand_pool_add_end(pool, bytes, 8 * bytes); 691 bytes_needed -= bytes; 692 attempts = 3; /* reset counter on successful attempt */ 693 } else if (bytes < 0 && errno != EINTR) { 694 break; 695 } 696 } 697 if (bytes < 0 || !keep_random_devices_open) 698 close_random_device(i); 699 700 bytes_needed = ossl_rand_pool_bytes_needed(pool, 1); 701 } 702 entropy_available = ossl_rand_pool_entropy_available(pool); 703 if (entropy_available > 0) 704 return entropy_available; 705 } 706 # endif 707 708 # if defined(OPENSSL_RAND_SEED_RDTSC) 709 entropy_available = ossl_prov_acquire_entropy_from_tsc(pool); 710 if (entropy_available > 0) 711 return entropy_available; 712 # endif 713 714 # if defined(OPENSSL_RAND_SEED_RDCPU) 715 entropy_available = ossl_prov_acquire_entropy_from_cpu(pool); 716 if (entropy_available > 0) 717 return entropy_available; 718 # endif 719 720 # if defined(OPENSSL_RAND_SEED_EGD) 721 { 722 static const char *paths[] = { DEVRANDOM_EGD, NULL }; 723 size_t bytes_needed; 724 unsigned char *buffer; 725 int i; 726 727 bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); 728 for (i = 0; bytes_needed > 0 && paths[i] != NULL; i++) { 729 size_t bytes = 0; 730 int num; 731 732 buffer = ossl_rand_pool_add_begin(pool, bytes_needed); 733 num = RAND_query_egd_bytes(paths[i], 734 buffer, (int)bytes_needed); 735 if (num == (int)bytes_needed) 736 bytes = bytes_needed; 737 738 ossl_rand_pool_add_end(pool, bytes, 8 * bytes); 739 bytes_needed = ossl_rand_pool_bytes_needed(pool, 1); 740 } 741 entropy_available = ossl_rand_pool_entropy_available(pool); 742 if (entropy_available > 0) 743 return entropy_available; 744 } 745 # endif 746 747 return ossl_rand_pool_entropy_available(pool); 748 # endif 749 } 750 # endif 751 #endif 752 753 #if (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) \ 754 || defined(__DJGPP__) 755 int ossl_pool_add_nonce_data(RAND_POOL *pool) 756 { 757 struct { 758 pid_t pid; 759 CRYPTO_THREAD_ID tid; 760 uint64_t time; 761 } data; 762 763 /* Erase the entire structure including any padding */ 764 memset(&data, 0, sizeof(data)); 765 766 /* 767 * Add process id, thread id, and a high resolution timestamp to 768 * ensure that the nonce is unique with high probability for 769 * different process instances. 770 */ 771 data.pid = getpid(); 772 data.tid = CRYPTO_THREAD_get_current_id(); 773 data.time = get_time_stamp(); 774 775 return ossl_rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); 776 } 777 778 int ossl_rand_pool_add_additional_data(RAND_POOL *pool) 779 { 780 struct { 781 int fork_id; 782 CRYPTO_THREAD_ID tid; 783 uint64_t time; 784 } data; 785 786 /* Erase the entire structure including any padding */ 787 memset(&data, 0, sizeof(data)); 788 789 /* 790 * Add some noise from the thread id and a high resolution timer. 791 * The fork_id adds some extra fork-safety. 792 * The thread id adds a little randomness if the drbg is accessed 793 * concurrently (which is the case for the <master> drbg). 794 */ 795 data.fork_id = openssl_get_fork_id(); 796 data.tid = CRYPTO_THREAD_get_current_id(); 797 data.time = get_timer_bits(); 798 799 return ossl_rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); 800 } 801 802 803 /* 804 * Get the current time with the highest possible resolution 805 * 806 * The time stamp is added to the nonce, so it is optimized for not repeating. 807 * The current time is ideal for this purpose, provided the computer's clock 808 * is synchronized. 809 */ 810 static uint64_t get_time_stamp(void) 811 { 812 # if defined(OSSL_POSIX_TIMER_OKAY) 813 { 814 struct timespec ts; 815 816 if (clock_gettime(CLOCK_REALTIME, &ts) == 0) 817 return TWO32TO64(ts.tv_sec, ts.tv_nsec); 818 } 819 # endif 820 # if defined(__unix__) \ 821 || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) 822 { 823 struct timeval tv; 824 825 if (gettimeofday(&tv, NULL) == 0) 826 return TWO32TO64(tv.tv_sec, tv.tv_usec); 827 } 828 # endif 829 return time(NULL); 830 } 831 832 /* 833 * Get an arbitrary timer value of the highest possible resolution 834 * 835 * The timer value is added as random noise to the additional data, 836 * which is not considered a trusted entropy sourec, so any result 837 * is acceptable. 838 */ 839 static uint64_t get_timer_bits(void) 840 { 841 uint64_t res = OPENSSL_rdtsc(); 842 843 if (res != 0) 844 return res; 845 846 # if defined(__sun) || defined(__hpux) 847 return gethrtime(); 848 # elif defined(_AIX) 849 { 850 timebasestruct_t t; 851 852 read_wall_time(&t, TIMEBASE_SZ); 853 return TWO32TO64(t.tb_high, t.tb_low); 854 } 855 # elif defined(OSSL_POSIX_TIMER_OKAY) 856 { 857 struct timespec ts; 858 859 # ifdef CLOCK_BOOTTIME 860 # define CLOCK_TYPE CLOCK_BOOTTIME 861 # elif defined(_POSIX_MONOTONIC_CLOCK) 862 # define CLOCK_TYPE CLOCK_MONOTONIC 863 # else 864 # define CLOCK_TYPE CLOCK_REALTIME 865 # endif 866 867 if (clock_gettime(CLOCK_TYPE, &ts) == 0) 868 return TWO32TO64(ts.tv_sec, ts.tv_nsec); 869 } 870 # endif 871 # if defined(__unix__) \ 872 || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) 873 { 874 struct timeval tv; 875 876 if (gettimeofday(&tv, NULL) == 0) 877 return TWO32TO64(tv.tv_sec, tv.tv_usec); 878 } 879 # endif 880 return time(NULL); 881 } 882 #endif /* (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) 883 || defined(__DJGPP__) */ 884