[thirdparty/hostap.git] / src / crypto / random.c

/*
 * Random number generator
 * Copyright (c) 2010-2011, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 *
 * This random number generator is used to provide additional entropy to the
 * one provided by the operating system (os_get_random()) for session key
 * generation. The os_get_random() output is expected to be secure and the
 * implementation here is expected to provide only limited protection against
 * cases where os_get_random() cannot provide strong randomness. This
 * implementation shall not be assumed to be secure as the sole source of
 * randomness. The random_get_bytes() function mixes in randomness from
 * os_get_random() and as such, calls to os_get_random() can be replaced with
 * calls to random_get_bytes() without reducing security.
 *
 * The design here follows partially the design used in the Linux
 * drivers/char/random.c, but the implementation here is simpler and not as
 * strong. This is a compromise to reduce duplicated CPU effort and to avoid
 * extra code/memory size. As pointed out above, os_get_random() needs to be
 * guaranteed to be secure for any of the security assumptions to hold.
 */

#include "utils/includes.h"
#ifdef __linux__
#include <fcntl.h>
#endif /* __linux__ */

#include "utils/common.h"
#include "utils/eloop.h"
#include "crypto/crypto.h"
#include "sha1.h"
#include "random.h"

#define POOL_WORDS 32
#define POOL_WORDS_MASK (POOL_WORDS - 1)
#define POOL_TAP1 26
#define POOL_TAP2 20
#define POOL_TAP3 14
#define POOL_TAP4 7
#define POOL_TAP5 1
#define EXTRACT_LEN 16
#define MIN_READY_MARK 2

static u32 pool[POOL_WORDS];
static unsigned int input_rotate = 0;
static unsigned int pool_pos = 0;
static u8 dummy_key[20];
#ifdef __linux__
static size_t dummy_key_avail = 0;
static int random_fd = -1;
#endif /* __linux__ */
static unsigned int own_pool_ready = 0;
#define RANDOM_ENTROPY_SIZE 20
static char *random_entropy_file = NULL;
static int random_entropy_file_read = 0;

#define MIN_COLLECT_ENTROPY 1000
static unsigned int entropy = 0;
static unsigned int total_collected = 0;


static void random_write_entropy(void);


static u32 __ROL32(u32 x, u32 y)
{
	return (x << (y & 31)) | (x >> (32 - (y & 31)));
}


static void random_mix_pool(const void *buf, size_t len)
{
	static const u32 twist[8] = {
		0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
		0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278
	};
	const u8 *pos = buf;
	u32 w;

	wpa_hexdump_key(MSG_EXCESSIVE, "random_mix_pool", buf, len);

	while (len--) {
		w = __ROL32(*pos++, input_rotate & 31);
		input_rotate += pool_pos ? 7 : 14;
		pool_pos = (pool_pos - 1) & POOL_WORDS_MASK;
		w ^= pool[pool_pos];
		w ^= pool[(pool_pos + POOL_TAP1) & POOL_WORDS_MASK];
		w ^= pool[(pool_pos + POOL_TAP2) & POOL_WORDS_MASK];
		w ^= pool[(pool_pos + POOL_TAP3) & POOL_WORDS_MASK];
		w ^= pool[(pool_pos + POOL_TAP4) & POOL_WORDS_MASK];
		w ^= pool[(pool_pos + POOL_TAP5) & POOL_WORDS_MASK];
		pool[pool_pos] = (w >> 3) ^ twist[w & 7];
	}
}


static void random_extract(u8 *out)
{
	unsigned int i;
	u8 hash[SHA1_MAC_LEN];
	u32 *hash_ptr;
	u32 buf[POOL_WORDS / 2];

	/* First, add hash back to pool to make backtracking more difficult. */
	hmac_sha1(dummy_key, sizeof(dummy_key), (const u8 *) pool,
		  sizeof(pool), hash);
	random_mix_pool(hash, sizeof(hash));
	/* Hash half the pool to extra data */
	for (i = 0; i < POOL_WORDS / 2; i++)
		buf[i] = pool[(pool_pos - i) & POOL_WORDS_MASK];
	hmac_sha1(dummy_key, sizeof(dummy_key), (const u8 *) buf,
		  sizeof(buf), hash);
	/*
	 * Fold the hash to further reduce any potential output pattern.
	 * Though, compromise this to reduce CPU use for the most common output
	 * length (32) and return 16 bytes from instead of only half.
	 */
	hash_ptr = (u32 *) hash;
	hash_ptr[0] ^= hash_ptr[4];
	os_memcpy(out, hash, EXTRACT_LEN);
}


void random_add_randomness(const void *buf, size_t len)
{
	struct os_time t;
	static unsigned int count = 0;

	count++;
	if (entropy > MIN_COLLECT_ENTROPY && (count & 0x3ff) != 0) {
		/*
		 * No need to add more entropy at this point, so save CPU and
		 * skip the update.
		 */
		return;
	}
	wpa_printf(MSG_EXCESSIVE, "Add randomness: count=%u entropy=%u",
		   count, entropy);

	os_get_time(&t);
	wpa_hexdump_key(MSG_EXCESSIVE, "random pool",
			(const u8 *) pool, sizeof(pool));
	random_mix_pool(&t, sizeof(t));
	random_mix_pool(buf, len);
	wpa_hexdump_key(MSG_EXCESSIVE, "random pool",
			(const u8 *) pool, sizeof(pool));
	entropy++;
	total_collected++;
}


int random_get_bytes(void *buf, size_t len)
{
	int ret;
	u8 *bytes = buf;
	size_t left;

	wpa_printf(MSG_MSGDUMP, "Get randomness: len=%u entropy=%u",
		   (unsigned int) len, entropy);

	/* Start with assumed strong randomness from OS */
	ret = os_get_random(buf, len);
	wpa_hexdump_key(MSG_EXCESSIVE, "random from os_get_random",
			buf, len);

	/* Mix in additional entropy extracted from the internal pool */
	left = len;
	while (left) {
		size_t siz, i;
		u8 tmp[EXTRACT_LEN];
		random_extract(tmp);
		wpa_hexdump_key(MSG_EXCESSIVE, "random from internal pool",
				tmp, sizeof(tmp));
		siz = left > EXTRACT_LEN ? EXTRACT_LEN : left;
		for (i = 0; i < siz; i++)
			*bytes++ ^= tmp[i];
		left -= siz;
	}

#ifdef CONFIG_FIPS
	/* Mix in additional entropy from the crypto module */
	left = len;
	while (left) {
		size_t siz, i;
		u8 tmp[EXTRACT_LEN];
		if (crypto_get_random(tmp, sizeof(tmp)) < 0) {
			wpa_printf(MSG_ERROR, "random: No entropy available "
				   "for generating strong random bytes");
			return -1;
		}
		wpa_hexdump_key(MSG_EXCESSIVE, "random from crypto module",
				tmp, sizeof(tmp));
		siz = left > EXTRACT_LEN ? EXTRACT_LEN : left;
		for (i = 0; i < siz; i++)
			*bytes++ ^= tmp[i];
		left -= siz;
	}
#endif /* CONFIG_FIPS */

	wpa_hexdump_key(MSG_EXCESSIVE, "mixed random", buf, len);

	if (entropy < len)
		entropy = 0;
	else
		entropy -= len;

	return ret;
}


int random_pool_ready(void)
{
#ifdef __linux__
	int fd;
	ssize_t res;

	/*
	 * Make sure that there is reasonable entropy available before allowing
	 * some key derivation operations to proceed.
	 */

	if (dummy_key_avail == sizeof(dummy_key))
		return 1; /* Already initialized - good to continue */

	/*
	 * Try to fetch some more data from the kernel high quality
	 * /dev/random. There may not be enough data available at this point,
	 * so use non-blocking read to avoid blocking the application
	 * completely.
	 */
	fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
	if (fd < 0) {
		wpa_printf(MSG_ERROR, "random: Cannot open /dev/random: %s",
			   strerror(errno));
		return -1;
	}

	res = read(fd, dummy_key + dummy_key_avail,
		   sizeof(dummy_key) - dummy_key_avail);
	if (res < 0) {
		wpa_printf(MSG_ERROR, "random: Cannot read from /dev/random: "
			   "%s", strerror(errno));
		res = 0;
	}
	wpa_printf(MSG_DEBUG, "random: Got %u/%u bytes from "
		   "/dev/random", (unsigned) res,
		   (unsigned) (sizeof(dummy_key) - dummy_key_avail));
	dummy_key_avail += res;
	close(fd);

	if (dummy_key_avail == sizeof(dummy_key)) {
		if (own_pool_ready < MIN_READY_MARK)
			own_pool_ready = MIN_READY_MARK;
		random_write_entropy();
		return 1;
	}

	wpa_printf(MSG_INFO, "random: Only %u/%u bytes of strong "
		   "random data available from /dev/random",
		   (unsigned) dummy_key_avail, (unsigned) sizeof(dummy_key));

	if (own_pool_ready >= MIN_READY_MARK ||
	    total_collected + 10 * own_pool_ready > MIN_COLLECT_ENTROPY) {
		wpa_printf(MSG_INFO, "random: Allow operation to proceed "
			   "based on internal entropy");
		return 1;
	}

	wpa_printf(MSG_INFO, "random: Not enough entropy pool available for "
		   "secure operations");
	return 0;
#else /* __linux__ */
	/* TODO: could do similar checks on non-Linux platforms */
	return 1;
#endif /* __linux__ */
}


void random_mark_pool_ready(void)
{
	own_pool_ready++;
	wpa_printf(MSG_DEBUG, "random: Mark internal entropy pool to be "
		   "ready (count=%u/%u)", own_pool_ready, MIN_READY_MARK);
	random_write_entropy();
}


#ifdef __linux__

static void random_close_fd(void)
{
	if (random_fd >= 0) {
		eloop_unregister_read_sock(random_fd);
		close(random_fd);
		random_fd = -1;
	}
}


static void random_read_fd(int sock, void *eloop_ctx, void *sock_ctx)
{
	ssize_t res;

	if (dummy_key_avail == sizeof(dummy_key)) {
		random_close_fd();
		return;
	}

	res = read(sock, dummy_key + dummy_key_avail,
		   sizeof(dummy_key) - dummy_key_avail);
	if (res < 0) {
		wpa_printf(MSG_ERROR, "random: Cannot read from /dev/random: "
			   "%s", strerror(errno));
		return;
	}

	wpa_printf(MSG_DEBUG, "random: Got %u/%u bytes from /dev/random",
		   (unsigned) res,
		   (unsigned) (sizeof(dummy_key) - dummy_key_avail));
	dummy_key_avail += res;

	if (dummy_key_avail == sizeof(dummy_key)) {
		random_close_fd();
		if (own_pool_ready < MIN_READY_MARK)
			own_pool_ready = MIN_READY_MARK;
		random_write_entropy();
	}
}

#endif /* __linux__ */


static void random_read_entropy(void)
{
	char *buf;
	size_t len;

	if (!random_entropy_file)
		return;

	buf = os_readfile(random_entropy_file, &len);
	if (buf == NULL)
		return; /* entropy file not yet available */

	if (len != 1 + RANDOM_ENTROPY_SIZE) {
		wpa_printf(MSG_DEBUG, "random: Invalid entropy file %s",
			   random_entropy_file);
		os_free(buf);
		return;
	}

	own_pool_ready = (u8) buf[0];
	random_add_randomness(buf + 1, RANDOM_ENTROPY_SIZE);
	random_entropy_file_read = 1;
	os_free(buf);
	wpa_printf(MSG_DEBUG, "random: Added entropy from %s "
		   "(own_pool_ready=%u)",
		   random_entropy_file, own_pool_ready);
}


static void random_write_entropy(void)
{
	char buf[RANDOM_ENTROPY_SIZE];
	FILE *f;
	u8 opr;
	int fail = 0;

	if (!random_entropy_file)
		return;

	if (random_get_bytes(buf, RANDOM_ENTROPY_SIZE) < 0)
		return;

	f = fopen(random_entropy_file, "wb");
	if (f == NULL) {
		wpa_printf(MSG_ERROR, "random: Could not open entropy file %s "
			   "for writing", random_entropy_file);
		return;
	}

	opr = own_pool_ready > 0xff ? 0xff : own_pool_ready;
	if (fwrite(&opr, 1, 1, f) != 1 ||
	    fwrite(buf, RANDOM_ENTROPY_SIZE, 1, f) != 1)
		fail = 1;
	fclose(f);
	if (fail) {
		wpa_printf(MSG_ERROR, "random: Could not write entropy data "
			   "to %s", random_entropy_file);
		return;
	}

	wpa_printf(MSG_DEBUG, "random: Updated entropy file %s "
		   "(own_pool_ready=%u)",
		   random_entropy_file, own_pool_ready);
}


void random_init(const char *entropy_file)
{
	os_free(random_entropy_file);
	if (entropy_file)
		random_entropy_file = os_strdup(entropy_file);
	else
		random_entropy_file = NULL;
	random_read_entropy();

#ifdef __linux__
	if (random_fd >= 0)
		return;

	random_fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
	if (random_fd < 0) {
		wpa_printf(MSG_ERROR, "random: Cannot open /dev/random: %s",
			   strerror(errno));
		return;
	}
	wpa_printf(MSG_DEBUG, "random: Trying to read entropy from "
		   "/dev/random");

	eloop_register_read_sock(random_fd, random_read_fd, NULL, NULL);
#endif /* __linux__ */

	random_write_entropy();
}


void random_deinit(void)
{
#ifdef __linux__
	random_close_fd();
#endif /* __linux__ */
	random_write_entropy();
	os_free(random_entropy_file);
	random_entropy_file = NULL;
}
Commit	Line	Data
bbb921da JM	1	/*
bbb921da JM	2	* Random number generator
d47fa330	3	* Copyright (c) 2010-2011, Jouni Malinen <j@w1.fi>
bbb921da	4	*
0f3d578e JM	5	* This software may be distributed under the terms of the BSD license.
0f3d578e JM	6	* See README for more details.
bbb921da JM	7	*
	8	* This random number generator is used to provide additional entropy to the
	9	* one provided by the operating system (os_get_random()) for session key
	10	* generation. The os_get_random() output is expected to be secure and the
	11	* implementation here is expected to provide only limited protection against
	12	* cases where os_get_random() cannot provide strong randomness. This
	13	* implementation shall not be assumed to be secure as the sole source of
	14	* randomness. The random_get_bytes() function mixes in randomness from
	15	* os_get_random() and as such, calls to os_get_random() can be replaced with
	16	* calls to random_get_bytes() without reducing security.
	17	*
	18	* The design here follows partially the design used in the Linux
	19	* drivers/char/random.c, but the implementation here is simpler and not as
	20	* strong. This is a compromise to reduce duplicated CPU effort and to avoid
	21	* extra code/memory size. As pointed out above, os_get_random() needs to be
	22	* guaranteed to be secure for any of the security assumptions to hold.
	23	*/
	24
	25	#include "utils/includes.h"
08704cd8 JM	26	#ifdef __linux__
	27	#include <fcntl.h>
	28	#endif /* __linux__ */
bbb921da JM	29
bbb921da JM	30	#include "utils/common.h"
d47fa330	31	#include "utils/eloop.h"
982bafed	32	#include "crypto/crypto.h"
bbb921da JM	33	#include "sha1.h"
	34	#include "random.h"
	35
	36	#define POOL_WORDS 32
	37	#define POOL_WORDS_MASK (POOL_WORDS - 1)
	38	#define POOL_TAP1 26
	39	#define POOL_TAP2 20
	40	#define POOL_TAP3 14
	41	#define POOL_TAP4 7
	42	#define POOL_TAP5 1
	43	#define EXTRACT_LEN 16
08704cd8	44	#define MIN_READY_MARK 2
bbb921da JM	45
	46	static u32 pool[POOL_WORDS];
	47	static unsigned int input_rotate = 0;
	48	static unsigned int pool_pos = 0;
08704cd8	49	static u8 dummy_key[20];
b993e77b	50	#ifdef __linux__
08704cd8	51	static size_t dummy_key_avail = 0;
d47fa330	52	static int random_fd = -1;
b993e77b	53	#endif /* __linux__ */
08704cd8	54	static unsigned int own_pool_ready = 0;
38e24575 JM	55	#define RANDOM_ENTROPY_SIZE 20
	56	static char *random_entropy_file = NULL;
	57	static int random_entropy_file_read = 0;
bbb921da JM	58
	59	#define MIN_COLLECT_ENTROPY 1000
	60	static unsigned int entropy = 0;
08704cd8	61	static unsigned int total_collected = 0;
bbb921da JM	62
bbb921da JM	63
38e24575 JM	64	static void random_write_entropy(void);
	65
	66
bbb921da JM	67	static u32 __ROL32(u32 x, u32 y)
	68	{
	69	return (x << (y & 31)) \| (x >> (32 - (y & 31)));
	70	}
	71
	72
	73	static void random_mix_pool(const void *buf, size_t len)
	74	{
	75	static const u32 twist[8] = {
	76	0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
	77	0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278
	78	};
	79	const u8 *pos = buf;
	80	u32 w;
	81
	82	wpa_hexdump_key(MSG_EXCESSIVE, "random_mix_pool", buf, len);
	83
	84	while (len--) {
	85	w = __ROL32(*pos++, input_rotate & 31);
	86	input_rotate += pool_pos ? 7 : 14;
	87	pool_pos = (pool_pos - 1) & POOL_WORDS_MASK;
	88	w ^= pool[pool_pos];
	89	w ^= pool[(pool_pos + POOL_TAP1) & POOL_WORDS_MASK];
	90	w ^= pool[(pool_pos + POOL_TAP2) & POOL_WORDS_MASK];
	91	w ^= pool[(pool_pos + POOL_TAP3) & POOL_WORDS_MASK];
	92	w ^= pool[(pool_pos + POOL_TAP4) & POOL_WORDS_MASK];
	93	w ^= pool[(pool_pos + POOL_TAP5) & POOL_WORDS_MASK];
	94	pool[pool_pos] = (w >> 3) ^ twist[w & 7];
	95	}
	96	}
	97
	98
	99	static void random_extract(u8 *out)
	100	{
	101	unsigned int i;
	102	u8 hash[SHA1_MAC_LEN];
	103	u32 *hash_ptr;
	104	u32 buf[POOL_WORDS / 2];
	105
	106	/* First, add hash back to pool to make backtracking more difficult. */
	107	hmac_sha1(dummy_key, sizeof(dummy_key), (const u8 *) pool,
	108	sizeof(pool), hash);
	109	random_mix_pool(hash, sizeof(hash));
	110	/* Hash half the pool to extra data */
	111	for (i = 0; i < POOL_WORDS / 2; i++)
	112	buf[i] = pool[(pool_pos - i) & POOL_WORDS_MASK];
	113	hmac_sha1(dummy_key, sizeof(dummy_key), (const u8 *) buf,
	114	sizeof(buf), hash);
	115	/*
	116	* Fold the hash to further reduce any potential output pattern.
	117	* Though, compromise this to reduce CPU use for the most common output
	118	* length (32) and return 16 bytes from instead of only half.
	119	*/
	120	hash_ptr = (u32 *) hash;
	121	hash_ptr[0] ^= hash_ptr[4];
	122	os_memcpy(out, hash, EXTRACT_LEN);
	123	}
	124
	125
	126	void random_add_randomness(const void *buf, size_t len)
	127	{
	128	struct os_time t;
	129	static unsigned int count = 0;
	130
131	count++;
bbb921da JM	132	if (entropy > MIN_COLLECT_ENTROPY && (count & 0x3ff) != 0) {
	133	/*
	134	* No need to add more entropy at this point, so save CPU and
	135	* skip the update.
	136	*/
	137	return;
	138	}
3208b5a0 JM	139	wpa_printf(MSG_EXCESSIVE, "Add randomness: count=%u entropy=%u",
3208b5a0 JM	140	count, entropy);
bbb921da JM	141
	142	os_get_time(&t);
	143	wpa_hexdump_key(MSG_EXCESSIVE, "random pool",
	144	(const u8 *) pool, sizeof(pool));
	145	random_mix_pool(&t, sizeof(t));
	146	random_mix_pool(buf, len);
	147	wpa_hexdump_key(MSG_EXCESSIVE, "random pool",
	148	(const u8 *) pool, sizeof(pool));
	149	entropy++;
08704cd8	150	total_collected++;
bbb921da JM	151	}
	152
	153
	154	int random_get_bytes(void *buf, size_t len)
	155	{
	156	int ret;
	157	u8 *bytes = buf;
	158	size_t left;
	159
	160	wpa_printf(MSG_MSGDUMP, "Get randomness: len=%u entropy=%u",
	161	(unsigned int) len, entropy);
	162
	163	/* Start with assumed strong randomness from OS */
	164	ret = os_get_random(buf, len);
	165	wpa_hexdump_key(MSG_EXCESSIVE, "random from os_get_random",
	166	buf, len);
	167
	168	/* Mix in additional entropy extracted from the internal pool */
	169	left = len;
	170	while (left) {
	171	size_t siz, i;
	172	u8 tmp[EXTRACT_LEN];
	173	random_extract(tmp);
	174	wpa_hexdump_key(MSG_EXCESSIVE, "random from internal pool",
	175	tmp, sizeof(tmp));
	176	siz = left > EXTRACT_LEN ? EXTRACT_LEN : left;
	177	for (i = 0; i < siz; i++)
	178	*bytes++ ^= tmp[i];
	179	left -= siz;
	180	}
982bafed JM	181
	182	#ifdef CONFIG_FIPS
	183	/* Mix in additional entropy from the crypto module */
	184	left = len;
	185	while (left) {
	186	size_t siz, i;
	187	u8 tmp[EXTRACT_LEN];
	188	if (crypto_get_random(tmp, sizeof(tmp)) < 0) {
	189	wpa_printf(MSG_ERROR, "random: No entropy available "
	190	"for generating strong random bytes");
	191	return -1;
	192	}
	193	wpa_hexdump_key(MSG_EXCESSIVE, "random from crypto module",
	194	tmp, sizeof(tmp));
	195	siz = left > EXTRACT_LEN ? EXTRACT_LEN : left;
	196	for (i = 0; i < siz; i++)
	197	*bytes++ ^= tmp[i];
	198	left -= siz;
	199	}
	200	#endif /* CONFIG_FIPS */
	201
bbb921da JM	202	wpa_hexdump_key(MSG_EXCESSIVE, "mixed random", buf, len);
	203
	204	if (entropy < len)
	205	entropy = 0;
	206	else
	207	entropy -= len;
	208
	209	return ret;
	210	}
08704cd8 JM	211
	212
	213	int random_pool_ready(void)
	214	{
	215	#ifdef __linux__
	216	int fd;
	217	ssize_t res;
	218
	219	/*
	220	* Make sure that there is reasonable entropy available before allowing
	221	* some key derivation operations to proceed.
	222	*/
	223
	224	if (dummy_key_avail == sizeof(dummy_key))
	225	return 1; /* Already initialized - good to continue */
	226
	227	/*
	228	* Try to fetch some more data from the kernel high quality
	229	* /dev/random. There may not be enough data available at this point,
	230	* so use non-blocking read to avoid blocking the application
	231	* completely.
	232	*/
	233	fd = open("/dev/random", O_RDONLY \| O_NONBLOCK);
	234	if (fd < 0) {
08704cd8	235	wpa_printf(MSG_ERROR, "random: Cannot open /dev/random: %s",
a193231d	236	strerror(errno));
08704cd8 JM	237	return -1;
	238	}
	239
	240	res = read(fd, dummy_key + dummy_key_avail,
	241	sizeof(dummy_key) - dummy_key_avail);
	242	if (res < 0) {
	243	wpa_printf(MSG_ERROR, "random: Cannot read from /dev/random: "
	244	"%s", strerror(errno));
	245	res = 0;
	246	}
	247	wpa_printf(MSG_DEBUG, "random: Got %u/%u bytes from "
	248	"/dev/random", (unsigned) res,
	249	(unsigned) (sizeof(dummy_key) - dummy_key_avail));
	250	dummy_key_avail += res;
	251	close(fd);
	252
38e24575 JM	253	if (dummy_key_avail == sizeof(dummy_key)) {
	254	if (own_pool_ready < MIN_READY_MARK)
	255	own_pool_ready = MIN_READY_MARK;
	256	random_write_entropy();
08704cd8	257	return 1;
38e24575	258	}
08704cd8 JM	259
	260	wpa_printf(MSG_INFO, "random: Only %u/%u bytes of strong "
	261	"random data available from /dev/random",
	262	(unsigned) dummy_key_avail, (unsigned) sizeof(dummy_key));
	263
	264	if (own_pool_ready >= MIN_READY_MARK \|\|
	265	total_collected + 10 * own_pool_ready > MIN_COLLECT_ENTROPY) {
	266	wpa_printf(MSG_INFO, "random: Allow operation to proceed "
	267	"based on internal entropy");
	268	return 1;
	269	}
	270
	271	wpa_printf(MSG_INFO, "random: Not enough entropy pool available for "
	272	"secure operations");
	273	return 0;
	274	#else /* __linux__ */
	275	/* TODO: could do similar checks on non-Linux platforms */
	276	return 1;
	277	#endif /* __linux__ */
	278	}
	279
	280
	281	void random_mark_pool_ready(void)
	282	{
	283	own_pool_ready++;
	284	wpa_printf(MSG_DEBUG, "random: Mark internal entropy pool to be "
	285	"ready (count=%u/%u)", own_pool_ready, MIN_READY_MARK);
38e24575	286	random_write_entropy();
08704cd8	287	}
d47fa330 JM	288
	289
	290	#ifdef __linux__
	291
	292	static void random_close_fd(void)
	293	{
	294	if (random_fd >= 0) {
	295	eloop_unregister_read_sock(random_fd);
	296	close(random_fd);
	297	random_fd = -1;
	298	}
	299	}
	300
	301
	302	static void random_read_fd(int sock, void eloop_ctx, void sock_ctx)
	303	{
	304	ssize_t res;
	305
	306	if (dummy_key_avail == sizeof(dummy_key)) {
	307	random_close_fd();
	308	return;
	309	}
	310
	311	res = read(sock, dummy_key + dummy_key_avail,
	312	sizeof(dummy_key) - dummy_key_avail);
	313	if (res < 0) {
	314	wpa_printf(MSG_ERROR, "random: Cannot read from /dev/random: "
	315	"%s", strerror(errno));
	316	return;
	317	}
	318
	319	wpa_printf(MSG_DEBUG, "random: Got %u/%u bytes from /dev/random",
	320	(unsigned) res,
	321	(unsigned) (sizeof(dummy_key) - dummy_key_avail));
	322	dummy_key_avail += res;
	323
38e24575	324	if (dummy_key_avail == sizeof(dummy_key)) {
d47fa330	325	random_close_fd();
38e24575 JM	326	if (own_pool_ready < MIN_READY_MARK)
	327	own_pool_ready = MIN_READY_MARK;
	328	random_write_entropy();
	329	}
d47fa330 JM	330	}
	331
	332	#endif /* __linux__ */
	333
	334
38e24575 JM	335	static void random_read_entropy(void)
	336	{
	337	char *buf;
	338	size_t len;
	339
	340	if (!random_entropy_file)
	341	return;
	342
	343	buf = os_readfile(random_entropy_file, &len);
	344	if (buf == NULL)
	345	return; /* entropy file not yet available */
	346
	347	if (len != 1 + RANDOM_ENTROPY_SIZE) {
	348	wpa_printf(MSG_DEBUG, "random: Invalid entropy file %s",
	349	random_entropy_file);
	350	os_free(buf);
	351	return;
	352	}
	353
	354	own_pool_ready = (u8) buf[0];
	355	random_add_randomness(buf + 1, RANDOM_ENTROPY_SIZE);
	356	random_entropy_file_read = 1;
	357	os_free(buf);
	358	wpa_printf(MSG_DEBUG, "random: Added entropy from %s "
	359	"(own_pool_ready=%u)",
	360	random_entropy_file, own_pool_ready);
	361	}
	362
	363
	364	static void random_write_entropy(void)
d47fa330	365	{
38e24575 JM	366	char buf[RANDOM_ENTROPY_SIZE];
	367	FILE *f;
	368	u8 opr;
2e923102	369	int fail = 0;
38e24575 JM	370
	371	if (!random_entropy_file)
	372	return;
	373
15f09614 JM	374	if (random_get_bytes(buf, RANDOM_ENTROPY_SIZE) < 0)
15f09614 JM	375	return;
38e24575 JM	376
	377	f = fopen(random_entropy_file, "wb");
	378	if (f == NULL) {
9339bd5c PR	379	wpa_printf(MSG_ERROR, "random: Could not open entropy file %s "
9339bd5c PR	380	"for writing", random_entropy_file);
38e24575 JM	381	return;
	382	}
	383
	384	opr = own_pool_ready > 0xff ? 0xff : own_pool_ready;
2e923102 JM	385	if (fwrite(&opr, 1, 1, f) != 1 \|\|
	386	fwrite(buf, RANDOM_ENTROPY_SIZE, 1, f) != 1)
	387	fail = 1;
38e24575	388	fclose(f);
2e923102	389	if (fail) {
9339bd5c PR	390	wpa_printf(MSG_ERROR, "random: Could not write entropy data "
9339bd5c PR	391	"to %s", random_entropy_file);
2e923102 JM	392	return;
2e923102 JM	393	}
38e24575 JM	394
	395	wpa_printf(MSG_DEBUG, "random: Updated entropy file %s "
	396	"(own_pool_ready=%u)",
	397	random_entropy_file, own_pool_ready);
	398	}
	399
	400
	401	void random_init(const char *entropy_file)
	402	{
	403	os_free(random_entropy_file);
	404	if (entropy_file)
	405	random_entropy_file = os_strdup(entropy_file);
	406	else
	407	random_entropy_file = NULL;
	408	random_read_entropy();
	409
d47fa330 JM	410	#ifdef __linux__
	411	if (random_fd >= 0)
	412	return;
	413
	414	random_fd = open("/dev/random", O_RDONLY \| O_NONBLOCK);
	415	if (random_fd < 0) {
d47fa330	416	wpa_printf(MSG_ERROR, "random: Cannot open /dev/random: %s",
a193231d	417	strerror(errno));
d47fa330 JM	418	return;
	419	}
	420	wpa_printf(MSG_DEBUG, "random: Trying to read entropy from "
	421	"/dev/random");
	422
	423	eloop_register_read_sock(random_fd, random_read_fd, NULL, NULL);
	424	#endif /* __linux__ */
38e24575 JM	425
38e24575 JM	426	random_write_entropy();
d47fa330 JM	427	}
	428
	429
	430	void random_deinit(void)
	431	{
	432	#ifdef __linux__
	433	random_close_fd();
	434	#endif /* __linux__ */
38e24575 JM	435	random_write_entropy();
	436	os_free(random_entropy_file);
	437	random_entropy_file = NULL;
d47fa330	438	}