Commit | Line | Data |
---|---|---|
b1322259 | 1 | /* |
0d664759 | 2 | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. |
0c61e299 | 3 | * |
0db63de9 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
b1322259 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
0c61e299 | 8 | */ |
b1322259 | 9 | |
a0e53000 AP |
10 | #ifndef _GNU_SOURCE |
11 | # define _GNU_SOURCE | |
12 | #endif | |
da0616cd | 13 | #include "e_os.h" |
07016a8a | 14 | #include <stdio.h> |
b39fc560 | 15 | #include "internal/cryptlib.h" |
0c61e299 RL |
16 | #include <openssl/rand.h> |
17 | #include "rand_lcl.h" | |
6decf943 | 18 | #include "internal/rand_int.h" |
8389ec4b | 19 | #include <stdio.h> |
cf0891b8 | 20 | #include "internal/dso.h" |
14879629 | 21 | #if defined(__linux) |
38023b87 | 22 | # include <asm/unistd.h> |
14879629 | 23 | #endif |
1fa90bb3 | 24 | #if defined(__FreeBSD__) && !defined(OPENSSL_SYS_UEFI) |
14879629 KR |
25 | # include <sys/types.h> |
26 | # include <sys/sysctl.h> | |
27 | # include <sys/param.h> | |
28 | #endif | |
8f576627 | 29 | #if defined(__OpenBSD__) || defined(__NetBSD__) |
14879629 KR |
30 | # include <sys/param.h> |
31 | #endif | |
748eb991 | 32 | |
61783db5 KT |
33 | #if (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) \ |
34 | || defined(__DJGPP__) | |
5bc6bcf8 | 35 | # include <sys/types.h> |
c7504aeb P |
36 | # include <sys/stat.h> |
37 | # include <fcntl.h> | |
5bc6bcf8 DMSP |
38 | # include <unistd.h> |
39 | # include <sys/time.h> | |
40 | ||
41 | static uint64_t get_time_stamp(void); | |
42 | static uint64_t get_timer_bits(void); | |
43 | ||
44 | /* Macro to convert two thirty two bit values into a sixty four bit one */ | |
45 | # define TWO32TO64(a, b) ((((uint64_t)(a)) << 32) + (b)) | |
46 | ||
47 | /* | |
48 | * Check for the existence and support of POSIX timers. The standard | |
49 | * says that the _POSIX_TIMERS macro will have a positive value if they | |
50 | * are available. | |
51 | * | |
52 | * However, we want an additional constraint: that the timer support does | |
53 | * not require an extra library dependency. Early versions of glibc | |
54 | * require -lrt to be specified on the link line to access the timers, | |
55 | * so this needs to be checked for. | |
56 | * | |
57 | * It is worse because some libraries define __GLIBC__ but don't | |
58 | * support the version testing macro (e.g. uClibc). This means | |
59 | * an extra check is needed. | |
60 | * | |
61 | * The final condition is: | |
62 | * "have posix timers and either not glibc or glibc without -lrt" | |
63 | * | |
64 | * The nested #if sequences are required to avoid using a parameterised | |
65 | * macro that might be undefined. | |
66 | */ | |
67 | # undef OSSL_POSIX_TIMER_OKAY | |
68 | # if defined(_POSIX_TIMERS) && _POSIX_TIMERS > 0 | |
69 | # if defined(__GLIBC__) | |
70 | # if defined(__GLIBC_PREREQ) | |
71 | # if __GLIBC_PREREQ(2, 17) | |
72 | # define OSSL_POSIX_TIMER_OKAY | |
73 | # endif | |
74 | # endif | |
75 | # else | |
76 | # define OSSL_POSIX_TIMER_OKAY | |
77 | # endif | |
78 | # endif | |
748eb991 | 79 | #endif /* defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) */ |
0c61e299 | 80 | |
d90e128b DMSP |
81 | #if defined(OPENSSL_RAND_SEED_NONE) |
82 | /* none means none. this simplifies the following logic */ | |
83 | # undef OPENSSL_RAND_SEED_OS | |
84 | # undef OPENSSL_RAND_SEED_GETRANDOM | |
85 | # undef OPENSSL_RAND_SEED_LIBRANDOM | |
86 | # undef OPENSSL_RAND_SEED_DEVRANDOM | |
87 | # undef OPENSSL_RAND_SEED_RDTSC | |
88 | # undef OPENSSL_RAND_SEED_RDCPU | |
89 | # undef OPENSSL_RAND_SEED_EGD | |
90 | #endif | |
91 | ||
61783db5 KT |
92 | #if defined(OPENSSL_SYS_UEFI) && !defined(OPENSSL_RAND_SEED_NONE) |
93 | # error "UEFI only supports seeding NONE" | |
5c8b7b4c KT |
94 | #endif |
95 | ||
c16de9d8 DMSP |
96 | #if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) \ |
97 | || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) \ | |
98 | || defined(OPENSSL_SYS_UEFI)) | |
0f113f3e MC |
99 | |
100 | # if defined(OPENSSL_SYS_VOS) | |
101 | ||
8389ec4b RS |
102 | # ifndef OPENSSL_RAND_SEED_OS |
103 | # error "Unsupported seeding method configured; must be os" | |
104 | # endif | |
105 | ||
106 | # if defined(OPENSSL_SYS_VOS_HPPA) && defined(OPENSSL_SYS_VOS_IA32) | |
107 | # error "Unsupported HP-PA and IA32 at the same time." | |
108 | # endif | |
109 | # if !defined(OPENSSL_SYS_VOS_HPPA) && !defined(OPENSSL_SYS_VOS_IA32) | |
110 | # error "Must have one of HP-PA or IA32" | |
111 | # endif | |
112 | ||
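/*
 * VOS-only entropy source.
 *
 * The following algorithm repeatedly samples the real-time clock (RTC) to
 * generate a sequence of unpredictable data.  The algorithm relies upon the
 * uneven execution speed of the code (due to factors such as cache misses,
 * interrupts, bus activity, and scheduling) and upon the rather large
 * relative difference between the speed of the clock and the rate at which
 * it can be read.  If it is ported to an environment where execution speed
 * is more constant or where the RTC ticks at a much slower rate, or the
 * clock can be read with fewer instructions, it is likely that the results
 * would be far more predictable.  This should only be used for legacy
 * platforms.
 *
 * As a precaution, we assume only 2 bits of entropy per byte: every sampled
 * byte is added with an estimate of 2, and the byte count is requested with
 * an entropy factor of 4 (presumably the matching 8/2 oversampling ratio).
 *
 * Returns rand_pool_entropy_available(pool) after sampling.
 */
size_t rand_pool_acquire_entropy(RAND_POOL *pool)
{
    short int code;
    int k;
    size_t i;
    size_t bytes_needed;
    struct timespec ts;
    unsigned char v;
#  ifdef OPENSSL_SYS_VOS_HPPA
    long duration;
    extern void s$sleep(long *_duration, short int *_code);
#  else
    long long duration;
    extern void s$sleep2(long long *_duration, short int *_code);
#  endif

    bytes_needed = rand_pool_bytes_needed(pool, 4 /*entropy_factor*/);

    /* size_t index: bytes_needed is unsigned, avoid a mixed-sign comparison */
    for (i = 0; i < bytes_needed; i++) {
        /*
         * burn some cpu; hope for interrupts, cache collisions, bus
         * interference, etc.
         */
        for (k = 0; k < 99; k++)
            ts.tv_nsec = random();

#  ifdef OPENSSL_SYS_VOS_HPPA
        /* sleep for 1/1024 of a second (976 us). */
        duration = 1;
        s$sleep(&duration, &code);
#  else
        /* sleep for 1/65536 of a second (15 us). */
        duration = 1;
        s$sleep2(&duration, &code);
#  endif

        /* Get wall clock time, take 8 bits. */
        clock_gettime(CLOCK_REALTIME, &ts);
        v = (unsigned char)(ts.tv_nsec & 0xFF);
        /*
         * Four arguments, as in the other rand_pool_add() callers in this
         * file; the stray, undeclared 'arg' argument has been dropped.
         */
        rand_pool_add(pool, &v, sizeof(v), 2);
    }
    return rand_pool_entropy_available(pool);
}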
8389ec4b | 169 | |
/* Nothing to release here: the VOS seeding path above opens no devices. */
void rand_pool_cleanup(void)
{
}

/* No-op on VOS; the 'keep' setting is accepted and ignored. */
void rand_pool_keep_random_devices_open(int keep)
{
    (void)keep;
}
177 | ||
810ef917 | 178 | # else |
8389ec4b RS |
179 | |
180 | # if defined(OPENSSL_RAND_SEED_EGD) && \ | |
181 | (defined(OPENSSL_NO_EGD) || !defined(DEVRANDOM_EGD)) | |
182 | # error "Seeding uses EGD but EGD is turned off or no device given" | |
0f113f3e MC |
183 | # endif |
184 | ||
8389ec4b RS |
185 | # if defined(OPENSSL_RAND_SEED_DEVRANDOM) && !defined(DEVRANDOM) |
186 | # error "Seeding uses urandom but DEVRANDOM is not configured" | |
187 | # endif | |
0f113f3e | 188 | |
8389ec4b | 189 | # if defined(OPENSSL_RAND_SEED_OS) |
72960279 | 190 | # if !defined(DEVRANDOM) |
8389ec4b | 191 | # error "OS seeding requires DEVRANDOM to be configured" |
0f113f3e | 192 | # endif |
14879629 | 193 | # define OPENSSL_RAND_SEED_GETRANDOM |
72960279 | 194 | # define OPENSSL_RAND_SEED_DEVRANDOM |
8389ec4b | 195 | # endif |
0f113f3e | 196 | |
8389ec4b RS |
197 | # if defined(OPENSSL_RAND_SEED_LIBRANDOM) |
198 | # error "librandom not (yet) supported" | |
199 | # endif | |
0f113f3e | 200 | |
8f576627 | 201 | # if (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) |
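/*
 * sysctl_random(): Use sysctl() to read random bytes from the kernel
 * (CTL_KERN / KERN_ARND).
 *
 * buf/buflen describe the destination buffer; buflen must be a multiple of
 * sizeof(long), see below.
 *
 * Returns the number of bytes stored in buf.  This can be less than buflen
 * when a later sysctl() call fails or reports no data.  Returns -1 when the
 * arguments are rejected, the platform is unsupported, or the first sysctl()
 * call fails.
 */
static ssize_t sysctl_random(char *buf, size_t buflen)
{
    int mib[2];
    size_t done = 0;
    size_t len;

    /*
     * Note: sign conversion between size_t and ssize_t is safe even
     * without a range check, see comment in syscall_random()
     */

    /*
     * On FreeBSD old implementations returned longs, newer versions support
     * variable sizes up to 256 byte. The code below would not work properly
     * when the sysctl returns long and we want to request something not a
     * multiple of longs, which should never be the case.
     */
    if (!ossl_assert(buflen % sizeof(long) == 0)) {
        errno = EINVAL;
        return -1;
    }

    /*
     * On NetBSD before 4.0 KERN_ARND was an alias for KERN_URND, and only
     * filled in an int, leaving the rest uninitialized. Since NetBSD 4.0
     * it returns a variable number of bytes with the current version supporting
     * up to 256 bytes.
     * Just return an error on older NetBSD versions.
     */
#if defined(__NetBSD__) && __NetBSD_Version__ < 400000000
    errno = ENOSYS;
    return -1;
#endif

    mib[0] = CTL_KERN;
    mib[1] = KERN_ARND;

    do {
        len = buflen;
        if (sysctl(mib, 2, buf, &len, NULL, 0) == -1)
            return done > 0 ? (ssize_t)done : -1;
        /*
         * Defensive: a successful call that reports zero bytes would never
         * shrink buflen, so stop instead of looping forever.  The caller
         * treats a short count as "retry".
         */
        if (len == 0)
            break;
        done += len;
        buf += len;
        buflen -= len;
    } while (buflen > 0);

    return done;
}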
254 | # endif | |
255 | ||
d90e128b | 256 | # if defined(OPENSSL_RAND_SEED_GETRANDOM) |
/*
 * syscall_random(): Try to get random data using a system call
 * returns the number of bytes returned in buf, or < 0 on error.
 *
 * Sources are tried in this order: getentropy() when it can be resolved at
 * run time, then the raw getrandom system call on Linux, then
 * sysctl_random() on FreeBSD/NetBSD.  When none of the latter two is
 * compiled in, errno is set to ENOSYS and -1 is returned.
 */
static ssize_t syscall_random(void *buf, size_t buflen)
{
    /*
     * Note: 'buflen' equals the size of the buffer which is used by the
     * get_entropy() callback of the RAND_DRBG. It is roughly bounded by
     *
     *   2 * RAND_POOL_FACTOR * (RAND_DRBG_STRENGTH / 8) = 2^14
     *
     * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
     * between size_t and ssize_t is safe even without a range check.
     */

    /*
     * Do runtime detection to find getentropy().
     *
     * Known OSs that should support this:
     * - Darwin since 16 (OSX 10.12, IOS 10.0).
     * - Solaris since 11.3
     * - OpenBSD since 5.6
     * - Linux since 3.17 with glibc 2.25
     * - FreeBSD since 12.0 (1200061)
     */
#  if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
    /* Weak reference: the pointer is NULL if no loaded library defines it */
    extern int getentropy(void *buffer, size_t length) __attribute__((weak));

    /*
     * All-or-nothing: either the whole buffer is reported as filled or the
     * call counts as failed.  Once getentropy() is found its result is
     * final; a failure does not fall through to the sources below.
     *
     * NOTE(review): getentropy() is documented with a small per-call limit
     * (256 bytes on common implementations - confirm for the targets above);
     * a larger buflen would fail here and be reported as -1.
     */
    if (getentropy != NULL)
        return getentropy(buf, buflen) == 0 ? (ssize_t)buflen : -1;
#  else
    /* Union used to turn the looked-up object pointer into a function pointer */
    union {
        void *p;
        int (*f)(void *buffer, size_t length);
    } p_getentropy;

    /*
     * We could cache the result of the lookup, but we normally don't
     * call this function often.
     */
    /* Mark/pop: errors queued by a failed lookup are discarded again */
    ERR_set_mark();
    p_getentropy.p = DSO_global_lookup("getentropy");
    ERR_pop_to_mark();
    if (p_getentropy.p != NULL)
        return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
#  endif

    /* Linux supports this since version 3.17 */
#  if defined(__linux) && defined(__NR_getrandom)
    /*
     * flags == 0: per getrandom(2) the call waits until the kernel's
     * random source has been initialised.  The result is passed through
     * unchanged, so it can be a short count or -1 with errno set; the
     * caller has to loop.
     */
    return syscall(__NR_getrandom, buf, buflen, 0);
#  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
    return sysctl_random(buf, buflen);
#  else
    errno = ENOSYS;
    return -1;
#  endif
}
d90e128b | 315 | # endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */ |
14879629 | 316 | |
d90e128b | 317 | # if defined(OPENSSL_RAND_SEED_DEVRANDOM) |
/* Paths of the random devices, taken from the DEVRANDOM build setting */
static const char *random_device_paths[] = { DEVRANDOM };
/*
 * One slot per entry of random_device_paths: the open descriptor together
 * with the fstat() data recorded when it was opened.  check_random_device()
 * compares that data against the descriptor's current state.
 */
static struct random_device {
    int fd;             /* open descriptor, or -1 if the slot is unused */
    dev_t dev;          /* st_dev at open time */
    ino_t ino;          /* st_ino at open time */
    mode_t mode;        /* st_mode at open time */
    dev_t rdev;         /* st_rdev at open time */
} random_devices[OSSL_NELEM(random_device_paths)];
/*
 * Non-zero (the default): descriptors stay open between calls.
 * Changed through rand_pool_keep_random_devices_open().
 */
static int keep_random_devices_open = 1;
327 | ||
/*
 * Tell whether the descriptor cached in *rd still refers to the file that
 * was opened originally.
 *
 * Daemons commonly close every open file handle when daemonizing, so the
 * cached number may have been closed, or reused for an unrelated file.
 * The descriptor is accepted only if fstat() succeeds and its device,
 * inode, st_mode (permission bits ignored) and st_rdev all match the
 * values recorded at open time.
 *
 * Returns non-zero if the descriptor is still usable, 0 otherwise.
 */
static int check_random_device(struct random_device * rd)
{
    /* every st_mode bit except the rwx permission bits */
    const mode_t non_perm_bits = ~(S_IRWXU | S_IRWXG | S_IRWXO);
    struct stat now;

    if (rd->fd == -1)
        return 0;
    if (fstat(rd->fd, &now) == -1)
        return 0;
    if (rd->dev != now.st_dev || rd->ino != now.st_ino)
        return 0;
    if (((rd->mode ^ now.st_mode) & non_perm_bits) != 0)
        return 0;

    return rd->rdev == now.st_rdev;
}
346 | ||
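/*
 * Open a random device if required and return its file descriptor or -1 on
 * error.
 *
 * n indexes random_device_paths / random_devices.  A cached descriptor is
 * reused only after check_random_device() has confirmed that it still
 * refers to the file opened earlier.
 *
 * NOTE(review): the opened path is not checked to be a character device;
 * what gets read depends entirely on the DEVRANDOM build setting.
 */
static int get_random_device(size_t n)
{
    struct stat st;
    struct random_device * rd = &random_devices[n];
    int flags = O_RDONLY;

    /* reuse existing file descriptor if it is (still) valid */
    if (check_random_device(rd))
        return rd->fd;

    /*
     * The descriptor can stay open for the life of the process, so keep it
     * from being inherited across exec() where the platform allows it.
     */
#  ifdef O_CLOEXEC
    flags |= O_CLOEXEC;
#  endif

    /* open the random device ... */
    if ((rd->fd = open(random_device_paths[n], flags)) == -1)
        return rd->fd;

    /* ... and cache its relevant stat(2) data */
    if (fstat(rd->fd, &st) != -1) {
        rd->dev = st.st_dev;
        rd->ino = st.st_ino;
        rd->mode = st.st_mode;
        rd->rdev = st.st_rdev;
    } else {
        /* without the stat data the descriptor could never be re-validated */
        close(rd->fd);
        rd->fd = -1;
    }

    return rd->fd;
}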
376 | ||
/*
 * Release slot n of random_devices.
 *
 * close() is called only when check_random_device() confirms that the
 * cached descriptor still refers to the device that was opened, so a
 * descriptor number that has since been reused for another file is left
 * alone.  The slot is marked unused in either case.
 */
static void close_random_device(size_t n)
{
    struct random_device * const slot = &random_devices[n];
    const int still_ours = check_random_device(slot);

    if (still_ours)
        close(slot->fd);
    slot->fd = -1;
}
388 | ||
/* Mark every random device slot as unused (fd == -1).  Always returns 1. */
int rand_pool_init(void)
{
    size_t slot = OSSL_NELEM(random_devices);

    while (slot-- > 0)
        random_devices[slot].fd = -1;

    return 1;
}
398 | ||
/* Run close_random_device() on every slot of random_devices. */
void rand_pool_cleanup(void)
{
    size_t slot = 0;

    while (slot < OSSL_NELEM(random_devices))
        close_random_device(slot++);
}
406 | ||
/*
 * Record whether random device descriptors stay open between calls.
 * Passing 0 also closes the descriptors that are cached right now.
 */
void rand_pool_keep_random_devices_open(int keep)
{
    if (keep == 0)
        rand_pool_cleanup();

    keep_random_devices_open = keep;
}
414 | ||
d90e128b | 415 | # else /* !defined(OPENSSL_RAND_SEED_DEVRANDOM) */ |
c7504aeb P |
416 | |
/*
 * Builds without OPENSSL_RAND_SEED_DEVRANDOM keep no device state, so the
 * three entry points below have nothing to do.
 */

/* Always reports success (1). */
int rand_pool_init(void)
{
    const int ok = 1;

    return ok;
}

/* Nothing to release. */
void rand_pool_cleanup(void)
{
}

/* The 'keep' setting is accepted and ignored. */
void rand_pool_keep_random_devices_open(int keep)
{
    (void)keep;
}
429 | ||
d90e128b | 430 | # endif /* defined(OPENSSL_RAND_SEED_DEVRANDOM) */ |
c7504aeb | 431 | |
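/*
 * Try the various seeding methods in turn, exit when successful.
 *
 * The compiled-in sources are tried in this order: system call
 * (syscall_random()), random devices, RDTSC, RDCPU, EGD.  Bytes obtained
 * from the system call, the devices and EGD are credited with 8 bits of
 * entropy per byte.  With OPENSSL_RAND_SEED_NONE nothing is collected.
 *
 * Returns rand_pool_entropy_available(pool).
 *
 * TODO(DRBG): If more than one entropy source is available, is it
 * preferable to stop as soon as enough entropy has been collected
 * (as favored by @rsalz) or should one rather be defensive and add
 * more entropy than requested and/or from different sources?
 *
 * Currently, the user can select multiple entropy sources in the
 * configure step, yet in practice only the first available source
 * will be used. A more flexible solution has been requested, but
 * currently it is not clear how this can be achieved without
 * overengineering the problem. There are many parameters which
 * could be taken into account when selecting the order and amount
 * of input from the different entropy sources (trust, quality,
 * possibility of blocking).
 */
size_t rand_pool_acquire_entropy(RAND_POOL *pool)
{
#  if defined(OPENSSL_RAND_SEED_NONE)
    return rand_pool_entropy_available(pool);
#  else
    size_t bytes_needed;
    size_t entropy_available = 0;
    unsigned char *buffer;

#   if defined(OPENSSL_RAND_SEED_GETRANDOM)
    {
        ssize_t bytes;
        /* Maximum allowed number of consecutive unsuccessful attempts */
        int attempts = 3;

        bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
        while (bytes_needed != 0 && attempts-- > 0) {
            buffer = rand_pool_add_begin(pool, bytes_needed);
            /*
             * Same guard as the EGD path below: never hand a NULL buffer
             * to the entropy source.
             */
            if (buffer == NULL)
                break;
            bytes = syscall_random(buffer, bytes_needed);
            if (bytes > 0) {
                rand_pool_add_end(pool, bytes, 8 * bytes);
                bytes_needed -= bytes;
                attempts = 3; /* reset counter after successful attempt */
            } else if (bytes < 0 && errno != EINTR) {
                /* hard error: give up on this source */
                break;
            }
        }
    }
    entropy_available = rand_pool_entropy_available(pool);
    if (entropy_available > 0)
        return entropy_available;
#   endif

#   if defined(OPENSSL_RAND_SEED_LIBRANDOM)
    {
        /* Not yet implemented. */
    }
#   endif

#   if defined(OPENSSL_RAND_SEED_DEVRANDOM)
    bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
    {
        size_t i;

        for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths); i++) {
            ssize_t bytes = 0;
            /* Maximum allowed number of consecutive unsuccessful attempts */
            int attempts = 3;
            const int fd = get_random_device(i);

            /* device could not be opened: try the next configured path */
            if (fd == -1)
                continue;

            while (bytes_needed != 0 && attempts-- > 0) {
                buffer = rand_pool_add_begin(pool, bytes_needed);
                /* same guard as the EGD path below */
                if (buffer == NULL)
                    break;
                bytes = read(fd, buffer, bytes_needed);

                if (bytes > 0) {
                    rand_pool_add_end(pool, bytes, 8 * bytes);
                    bytes_needed -= bytes;
                    attempts = 3; /* reset counter after successful attempt */
                } else if (bytes < 0 && errno != EINTR) {
                    break;
                }
            }
            /* drop the descriptor after a failed read or when caching is off */
            if (bytes < 0 || !keep_random_devices_open)
                close_random_device(i);

            bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
        }
        entropy_available = rand_pool_entropy_available(pool);
        if (entropy_available > 0)
            return entropy_available;
    }
#   endif

#   if defined(OPENSSL_RAND_SEED_RDTSC)
    entropy_available = rand_acquire_entropy_from_tsc(pool);
    if (entropy_available > 0)
        return entropy_available;
#   endif

#   if defined(OPENSSL_RAND_SEED_RDCPU)
    entropy_available = rand_acquire_entropy_from_cpu(pool);
    if (entropy_available > 0)
        return entropy_available;
#   endif

#   if defined(OPENSSL_RAND_SEED_EGD)
    bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
    if (bytes_needed > 0) {
        static const char *paths[] = { DEVRANDOM_EGD, NULL };
        int i;

        for (i = 0; paths[i] != NULL; i++) {
            buffer = rand_pool_add_begin(pool, bytes_needed);
            if (buffer != NULL) {
                size_t bytes = 0;
                int num = RAND_query_egd_bytes(paths[i],
                                               buffer, (int)bytes_needed);
                /* a partial answer is not credited at all */
                if (num == (int)bytes_needed)
                    bytes = bytes_needed;

                rand_pool_add_end(pool, bytes, 8 * bytes);
                entropy_available = rand_pool_entropy_available(pool);
            }
            if (entropy_available > 0)
                return entropy_available;
        }
    }
#   endif

    return rand_pool_entropy_available(pool);
#  endif
}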
8389ec4b | 564 | # endif |
5bc6bcf8 DMSP |
565 | #endif |
566 | ||
61783db5 KT |
567 | #if (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) \ |
568 | || defined(__DJGPP__) | |
/*
 * Add nonce material to the pool: process id, thread id and a high
 * resolution timestamp, so that the nonce is unique with high probability
 * for different process instances.
 *
 * The data is added with an entropy estimate of 0.
 * Returns the result of rand_pool_add().
 */
int rand_pool_add_nonce_data(RAND_POOL *pool)
{
    struct {
        pid_t pid;
        CRYPTO_THREAD_ID tid;
        uint64_t time;
    } nonce;

    /*
     * The structure is added as raw bytes, so erase all of it first,
     * including any padding.
     */
    memset(&nonce, 0, sizeof(nonce));

    nonce.time = get_time_stamp();
    nonce.tid = CRYPTO_THREAD_get_current_id();
    nonce.pid = getpid();

    return rand_pool_add(pool, (unsigned char *)&nonce, sizeof(nonce), 0);
}
591 | ||
/*
 * Add additional data to the pool: some noise from the thread id and a
 * high resolution timer.  The thread id adds a little randomness if the
 * drbg is accessed concurrently (which is the case for the <master> drbg).
 *
 * The data is added with an entropy estimate of 0.
 * Returns the result of rand_pool_add().
 */
int rand_pool_add_additional_data(RAND_POOL *pool)
{
    struct {
        CRYPTO_THREAD_ID tid;
        uint64_t time;
    } noise;

    /*
     * The structure is added as raw bytes, so erase all of it first,
     * including any padding.
     */
    memset(&noise, 0, sizeof(noise));

    noise.time = get_timer_bits();
    noise.tid = CRYPTO_THREAD_get_current_id();

    return rand_pool_add(pool, (unsigned char *)&noise, sizeof(noise), 0);
}
612 | ||
613 | ||
/*
 * Get the current time with the highest possible resolution
 *
 * The time stamp is added to the nonce, so it is optimized for not
 * repeating.  The current time is ideal for this purpose, provided the
 * computer's clock is synchronized.
 *
 * clock_gettime(CLOCK_REALTIME) is preferred, then gettimeofday(), then
 * time().  For the first two, TWO32TO64 places the seconds in the upper
 * 32 bits and adds the sub-second part.
 */
static uint64_t get_time_stamp(void)
{
# if defined(OSSL_POSIX_TIMER_OKAY)
    {
        struct timespec now;
        const int rc = clock_gettime(CLOCK_REALTIME, &now);

        if (rc == 0)
            return TWO32TO64(now.tv_sec, now.tv_nsec);
    }
# endif
# if defined(__unix__) \
     || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L)
    {
        struct timeval now;
        const int rc = gettimeofday(&now, NULL);

        if (rc == 0)
            return TWO32TO64(now.tv_sec, now.tv_usec);
    }
# endif
    /* last resort: one-second resolution */
    return time(NULL);
}
642 | ||
/*
 * Get an arbitrary timer value of the highest possible resolution
 *
 * The timer value is added as random noise to the additional data,
 * which is not considered a trusted entropy source, so any result
 * is acceptable.
 *
 * A non-zero OPENSSL_rdtsc() value is used when available; otherwise a
 * platform timer, then gettimeofday(), then time().
 */
static uint64_t get_timer_bits(void)
{
    const uint64_t tsc = OPENSSL_rdtsc();

    if (tsc != 0)
        return tsc;

# if defined(__sun) || defined(__hpux)
    return gethrtime();
# elif defined(_AIX)
    {
        timebasestruct_t tb;

        read_wall_time(&tb, TIMEBASE_SZ);
        return TWO32TO64(tb.tb_high, tb.tb_low);
    }
# elif defined(OSSL_POSIX_TIMER_OKAY)
    {
        struct timespec now;

        /* pick the first clock id this platform offers */
#  ifdef CLOCK_BOOTTIME
#   define CLOCK_TYPE CLOCK_BOOTTIME
#  elif defined(_POSIX_MONOTONIC_CLOCK)
#   define CLOCK_TYPE CLOCK_MONOTONIC
#  else
#   define CLOCK_TYPE CLOCK_REALTIME
#  endif

        if (clock_gettime(CLOCK_TYPE, &now) == 0)
            return TWO32TO64(now.tv_sec, now.tv_nsec);
    }
# endif
# if defined(__unix__) \
     || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L)
    {
        struct timeval now;

        if (gettimeofday(&now, NULL) == 0)
            return TWO32TO64(now.tv_sec, now.tv_usec);
    }
# endif
    /* last resort: one-second resolution */
    return time(NULL);
}
748eb991 | 693 | #endif /* defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) */ |