]>
Commit | Line | Data |
---|---|---|
b1322259 | 1 | /* |
0d664759 | 2 | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. |
0c61e299 | 3 | * |
b1322259 RS |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
0c61e299 | 8 | */ |
b1322259 | 9 | |
a0e53000 AP |
10 | #ifndef _GNU_SOURCE |
11 | # define _GNU_SOURCE | |
12 | #endif | |
da0616cd | 13 | #include "e_os.h" |
07016a8a | 14 | #include <stdio.h> |
b39fc560 | 15 | #include "internal/cryptlib.h" |
0c61e299 RL |
16 | #include <openssl/rand.h> |
17 | #include "rand_lcl.h" | |
6decf943 | 18 | #include "internal/rand_int.h" |
8389ec4b | 19 | #include <stdio.h> |
cf0891b8 | 20 | #include "internal/dso.h" |
14879629 KR |
21 | #if defined(__linux) |
22 | # include <sys/syscall.h> | |
23 | #endif | |
24 | #if defined(__FreeBSD__) | |
25 | # include <sys/types.h> | |
26 | # include <sys/sysctl.h> | |
27 | # include <sys/param.h> | |
28 | #endif | |
8f576627 | 29 | #if defined(__OpenBSD__) || defined(__NetBSD__) |
14879629 KR |
30 | # include <sys/param.h> |
31 | #endif | |
748eb991 DMSP |
32 | |
33 | #if defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) | |
5bc6bcf8 | 34 | # include <sys/types.h> |
c7504aeb P |
35 | # include <sys/stat.h> |
36 | # include <fcntl.h> | |
5bc6bcf8 DMSP |
37 | # include <unistd.h> |
38 | # include <sys/time.h> | |
39 | ||
40 | static uint64_t get_time_stamp(void); | |
41 | static uint64_t get_timer_bits(void); | |
42 | ||
43 | /* Macro to convert two thirty two bit values into a sixty four bit one */ | |
44 | # define TWO32TO64(a, b) ((((uint64_t)(a)) << 32) + (b)) | |
45 | ||
46 | /* | |
47 | * Check for the existence and support of POSIX timers. The standard | |
48 | * says that the _POSIX_TIMERS macro will have a positive value if they | |
49 | * are available. | |
50 | * | |
51 | * However, we want an additional constraint: that the timer support does | |
52 | * not require an extra library dependency. Early versions of glibc | |
53 | * require -lrt to be specified on the link line to access the timers, | |
54 | * so this needs to be checked for. | |
55 | * | |
56 | * It is worse because some libraries define __GLIBC__ but don't | |
57 | * support the version testing macro (e.g. uClibc). This means | |
58 | * an extra check is needed. | |
59 | * | |
60 | * The final condition is: | |
61 | * "have posix timers and either not glibc or glibc without -lrt" | |
62 | * | |
63 | * The nested #if sequences are required to avoid using a parameterised | |
64 | * macro that might be undefined. | |
65 | */ | |
66 | # undef OSSL_POSIX_TIMER_OKAY | |
67 | # if defined(_POSIX_TIMERS) && _POSIX_TIMERS > 0 | |
68 | # if defined(__GLIBC__) | |
69 | # if defined(__GLIBC_PREREQ) | |
70 | # if __GLIBC_PREREQ(2, 17) | |
71 | # define OSSL_POSIX_TIMER_OKAY | |
72 | # endif | |
73 | # endif | |
74 | # else | |
75 | # define OSSL_POSIX_TIMER_OKAY | |
76 | # endif | |
77 | # endif | |
748eb991 | 78 | #endif /* defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) */ |
0c61e299 | 79 | |
c16de9d8 | 80 | #if (defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)) && \ |
8389ec4b | 81 | !defined(OPENSSL_RAND_SEED_NONE) |
c16de9d8 DMSP |
82 | # error "UEFI and VXWorks only support seeding NONE" |
83 | #endif | |
84 | ||
85 | #if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) \ | |
86 | || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) \ | |
87 | || defined(OPENSSL_SYS_UEFI)) | |
0f113f3e | 88 | |
9b5f1c8f DMSP |
89 | static ssize_t syscall_random(void *buf, size_t buflen); |
90 | ||
0f113f3e MC |
91 | # if defined(OPENSSL_SYS_VOS) |
92 | ||
8389ec4b RS |
93 | # ifndef OPENSSL_RAND_SEED_OS |
94 | # error "Unsupported seeding method configured; must be os" | |
95 | # endif | |
96 | ||
97 | # if defined(OPENSSL_SYS_VOS_HPPA) && defined(OPENSSL_SYS_VOS_IA32) | |
98 | # error "Unsupported HP-PA and IA32 at the same time." | |
99 | # endif | |
100 | # if !defined(OPENSSL_SYS_VOS_HPPA) && !defined(OPENSSL_SYS_VOS_IA32) | |
101 | # error "Must have one of HP-PA or IA32" | |
102 | # endif | |
103 | ||
0f113f3e MC |
104 | /* |
105 | * The following algorithm repeatedly samples the real-time clock (RTC) to | |
106 | * generate a sequence of unpredictable data. The algorithm relies upon the | |
107 | * uneven execution speed of the code (due to factors such as cache misses, | |
108 | * interrupts, bus activity, and scheduling) and upon the rather large | |
109 | * relative difference between the speed of the clock and the rate at which | |
75e2c877 RS |
110 | * it can be read. If it is ported to an environment where execution speed |
111 | * is more constant or where the RTC ticks at a much slower rate, or the | |
112 | * clock can be read with fewer instructions, it is likely that the results | |
113 | * would be far more predictable. This should only be used for legacy | |
114 | * platforms. | |
0f113f3e | 115 | * |
c16de9d8 | 116 | * As a precaution, we assume only 2 bits of entropy per byte. |
0f113f3e | 117 | */ |
6decf943 | 118 | size_t rand_pool_acquire_entropy(RAND_POOL *pool) |
cc7399e7 | 119 | { |
0f113f3e | 120 | short int code; |
0f113f3e | 121 | int i, k; |
c16de9d8 | 122 | size_t bytes_needed; |
0f113f3e MC |
123 | struct timespec ts; |
124 | unsigned char v; | |
0f113f3e MC |
125 | # ifdef OPENSSL_SYS_VOS_HPPA |
126 | long duration; | |
127 | extern void s$sleep(long *_duration, short int *_code); | |
128 | # else | |
0f113f3e MC |
129 | long long duration; |
130 | extern void s$sleep2(long long *_duration, short int *_code); | |
8389ec4b | 131 | # endif |
0f113f3e | 132 | |
6ebb49f3 | 133 | bytes_needed = rand_pool_bytes_needed(pool, 4 /*entropy_factor*/); |
c16de9d8 DMSP |
134 | |
135 | for (i = 0; i < bytes_needed; i++) { | |
0f113f3e MC |
136 | /* |
137 | * burn some cpu; hope for interrupts, cache collisions, bus | |
138 | * interference, etc. | |
139 | */ | |
140 | for (k = 0; k < 99; k++) | |
141 | ts.tv_nsec = random(); | |
142 | ||
143 | # ifdef OPENSSL_SYS_VOS_HPPA | |
144 | /* sleep for 1/1024 of a second (976 us). */ | |
145 | duration = 1; | |
146 | s$sleep(&duration, &code); | |
147 | # else | |
0f113f3e MC |
148 | /* sleep for 1/65536 of a second (15 us). */ |
149 | duration = 1; | |
150 | s$sleep2(&duration, &code); | |
8389ec4b | 151 | # endif |
0f113f3e | 152 | |
8389ec4b | 153 | /* Get wall clock time, take 8 bits. */ |
0f113f3e | 154 | clock_gettime(CLOCK_REALTIME, &ts); |
8389ec4b | 155 | v = (unsigned char)(ts.tv_nsec & 0xFF); |
6decf943 | 156 | rand_pool_add(pool, arg, &v, sizeof(v) , 2); |
0f113f3e | 157 | } |
6decf943 | 158 | return rand_pool_entropy_available(pool); |
cc7399e7 | 159 | } |
8389ec4b | 160 | |
c7504aeb P |
161 | void rand_pool_cleanup(void) |
162 | { | |
163 | } | |
164 | ||
165 | void rand_pool_keep_random_devices_open(int keep) | |
166 | { | |
167 | } | |
168 | ||
810ef917 | 169 | # else |
8389ec4b RS |
170 | |
171 | # if defined(OPENSSL_RAND_SEED_EGD) && \ | |
172 | (defined(OPENSSL_NO_EGD) || !defined(DEVRANDOM_EGD)) | |
173 | # error "Seeding uses EGD but EGD is turned off or no device given" | |
0f113f3e MC |
174 | # endif |
175 | ||
8389ec4b RS |
176 | # if defined(OPENSSL_RAND_SEED_DEVRANDOM) && !defined(DEVRANDOM) |
177 | # error "Seeding uses urandom but DEVRANDOM is not configured" | |
178 | # endif | |
0f113f3e | 179 | |
8389ec4b | 180 | # if defined(OPENSSL_RAND_SEED_OS) |
72960279 | 181 | # if !defined(DEVRANDOM) |
8389ec4b | 182 | # error "OS seeding requires DEVRANDOM to be configured" |
0f113f3e | 183 | # endif |
14879629 | 184 | # define OPENSSL_RAND_SEED_GETRANDOM |
72960279 | 185 | # define OPENSSL_RAND_SEED_DEVRANDOM |
8389ec4b | 186 | # endif |
0f113f3e | 187 | |
8389ec4b RS |
188 | # if defined(OPENSSL_RAND_SEED_LIBRANDOM) |
189 | # error "librandom not (yet) supported" | |
190 | # endif | |
0f113f3e | 191 | |
8f576627 | 192 | # if (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) |
14879629 KR |
193 | /* |
194 | * sysctl_random(): Use sysctl() to read a random number from the kernel | |
9b5f1c8f | 195 | * Returns the number of bytes returned in buf on success, -1 on failure. |
14879629 | 196 | */ |
9b5f1c8f | 197 | static ssize_t sysctl_random(char *buf, size_t buflen) |
14879629 KR |
198 | { |
199 | int mib[2]; | |
200 | size_t done = 0; | |
201 | size_t len; | |
202 | ||
9b5f1c8f DMSP |
203 | /* |
204 | * Note: sign conversion between size_t and ssize_t is safe even | |
205 | * without a range check, see comment in syscall_random() | |
206 | */ | |
207 | ||
14879629 | 208 | /* |
8f576627 KR |
209 | * On FreeBSD old implementations returned longs, newer versions support |
210 | * variable sizes up to 256 byte. The code below would not work properly | |
211 | * when the sysctl returns long and we want to request something not a | |
212 | * multiple of longs, which should never be the case. | |
14879629 | 213 | */ |
9b5f1c8f DMSP |
214 | if (!ossl_assert(buflen % sizeof(long) == 0)) { |
215 | errno = EINVAL; | |
216 | return -1; | |
217 | } | |
14879629 | 218 | |
8f576627 KR |
219 | /* |
220 | * On NetBSD before 4.0 KERN_ARND was an alias for KERN_URND, and only | |
221 | * filled in an int, leaving the rest uninitialized. Since NetBSD 4.0 | |
222 | * it returns a variable number of bytes with the current version supporting | |
223 | * up to 256 bytes. | |
224 | * Just return an error on older NetBSD versions. | |
225 | */ | |
226 | #if defined(__NetBSD__) && __NetBSD_Version__ < 400000000 | |
9b5f1c8f DMSP |
227 | errno = ENOSYS; |
228 | return -1; | |
8f576627 KR |
229 | #endif |
230 | ||
14879629 KR |
231 | mib[0] = CTL_KERN; |
232 | mib[1] = KERN_ARND; | |
233 | ||
234 | do { | |
235 | len = buflen; | |
236 | if (sysctl(mib, 2, buf, &len, NULL, 0) == -1) | |
9b5f1c8f | 237 | return done > 0 ? done : -1; |
14879629 KR |
238 | done += len; |
239 | buf += len; | |
240 | buflen -= len; | |
241 | } while (buflen > 0); | |
242 | ||
243 | return done; | |
244 | } | |
245 | # endif | |
246 | ||
247 | /* | |
248 | * syscall_random(): Try to get random data using a system call | |
9b5f1c8f | 249 | * returns the number of bytes returned in buf, or < 0 on error. |
14879629 | 250 | */ |
9b5f1c8f | 251 | static ssize_t syscall_random(void *buf, size_t buflen) |
14879629 | 252 | { |
9b5f1c8f DMSP |
253 | /* |
254 | * Note: 'buflen' equals the size of the buffer which is used by the | |
255 | * get_entropy() callback of the RAND_DRBG. It is roughly bounded by | |
256 | * | |
257 | * 2 * DRBG_MINMAX_FACTOR * (RAND_DRBG_STRENGTH / 8) = 2^13 | |
258 | * | |
259 | * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion | |
260 | * between size_t and ssize_t is safe even without a range check. | |
261 | */ | |
262 | ||
cf0891b8 KR |
263 | /* |
264 | * Do runtime detection to find getentropy(). | |
265 | * | |
cf0891b8 KR |
266 | * Known OSs that should support this: |
267 | * - Darwin since 16 (OSX 10.12, IOS 10.0). | |
268 | * - Solaris since 11.3 | |
269 | * - OpenBSD since 5.6 | |
270 | * - Linux since 3.17 with glibc 2.25 | |
271 | * - FreeBSD since 12.0 (1200061) | |
272 | */ | |
8d58f017 | 273 | # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) |
9b5f1c8f | 274 | extern int getentropy(void *buffer, size_t length) __attribute__((weak)); |
913cebc8 AP |
275 | |
276 | if (getentropy != NULL) | |
9b5f1c8f | 277 | return getentropy(buf, buflen) == 0 ? (ssize_t)buflen : -1; |
913cebc8 AP |
278 | # else |
279 | union { | |
280 | void *p; | |
281 | int (*f)(void *buffer, size_t length); | |
282 | } p_getentropy; | |
283 | ||
284 | /* | |
285 | * We could cache the result of the lookup, but we normally don't | |
286 | * call this function often. | |
287 | */ | |
46ceca3c | 288 | ERR_set_mark(); |
cf0891b8 | 289 | p_getentropy.p = DSO_global_lookup("getentropy"); |
46ceca3c | 290 | ERR_pop_to_mark(); |
cf0891b8 | 291 | if (p_getentropy.p != NULL) |
9b5f1c8f | 292 | return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; |
913cebc8 | 293 | # endif |
cf0891b8 | 294 | |
cf0891b8 | 295 | /* Linux supports this since version 3.17 */ |
14879629 | 296 | # if defined(__linux) && defined(SYS_getrandom) |
9b5f1c8f DMSP |
297 | return syscall(SYS_getrandom, buf, buflen, 0); |
298 | # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) | |
299 | return sysctl_random(buf, buflen); | |
300 | # else | |
301 | errno = ENOSYS; | |
14879629 | 302 | return -1; |
9b5f1c8f | 303 | # endif |
14879629 KR |
304 | } |
305 | ||
c7504aeb P |
306 | #if !defined(OPENSSL_RAND_SEED_NONE) && defined(OPENSSL_RAND_SEED_DEVRANDOM) |
307 | static const char *random_device_paths[] = { DEVRANDOM }; | |
308 | static struct random_device { | |
309 | int fd; | |
310 | dev_t dev; | |
311 | ino_t ino; | |
312 | mode_t mode; | |
313 | dev_t rdev; | |
314 | } random_devices[OSSL_NELEM(random_device_paths)]; | |
315 | static int keep_random_devices_open = 1; | |
316 | ||
317 | /* | |
318 | * Verify that the file descriptor associated with the random source is | |
319 | * still valid. The rationale for doing this is the fact that it is not | |
320 | * uncommon for daemons to close all open file handles when daemonizing. | |
321 | * So the handle might have been closed or even reused for opening | |
322 | * another file. | |
323 | */ | |
324 | static int check_random_device(struct random_device * rd) | |
325 | { | |
326 | struct stat st; | |
327 | ||
328 | return rd->fd != -1 | |
329 | && fstat(rd->fd, &st) != -1 | |
330 | && rd->dev == st.st_dev | |
331 | && rd->ino == st.st_ino | |
332 | && ((rd->mode ^ st.st_mode) & ~(S_IRWXU | S_IRWXG | S_IRWXO)) == 0 | |
333 | && rd->rdev == st.st_rdev; | |
334 | } | |
335 | ||
336 | /* | |
337 | * Open a random device if required and return its file descriptor or -1 on error | |
338 | */ | |
339 | static int get_random_device(size_t n) | |
340 | { | |
341 | struct stat st; | |
342 | struct random_device * rd = &random_devices[n]; | |
343 | ||
344 | /* reuse existing file descriptor if it is (still) valid */ | |
345 | if (check_random_device(rd)) | |
346 | return rd->fd; | |
347 | ||
348 | /* open the random device ... */ | |
349 | if ((rd->fd = open(random_device_paths[n], O_RDONLY)) == -1) | |
350 | return rd->fd; | |
351 | ||
352 | /* ... and cache its relevant stat(2) data */ | |
353 | if (fstat(rd->fd, &st) != -1) { | |
354 | rd->dev = st.st_dev; | |
355 | rd->ino = st.st_ino; | |
356 | rd->mode = st.st_mode; | |
357 | rd->rdev = st.st_rdev; | |
358 | } else { | |
359 | close(rd->fd); | |
360 | rd->fd = -1; | |
361 | } | |
362 | ||
363 | return rd->fd; | |
364 | } | |
365 | ||
366 | /* | |
367 | * Close a random device making sure it is a random device | |
368 | */ | |
369 | static void close_random_device(size_t n) | |
370 | { | |
371 | struct random_device * rd = &random_devices[n]; | |
372 | ||
373 | if (check_random_device(rd)) | |
374 | close(rd->fd); | |
375 | rd->fd = -1; | |
376 | } | |
377 | ||
378 | static void open_random_devices(void) | |
379 | { | |
380 | size_t i; | |
381 | ||
382 | for (i = 0; i < OSSL_NELEM(random_devices); i++) | |
383 | (void)get_random_device(i); | |
384 | } | |
385 | ||
386 | int rand_pool_init(void) | |
387 | { | |
388 | size_t i; | |
389 | ||
390 | for (i = 0; i < OSSL_NELEM(random_devices); i++) | |
391 | random_devices[i].fd = -1; | |
392 | open_random_devices(); | |
393 | return 1; | |
394 | } | |
395 | ||
396 | void rand_pool_cleanup(void) | |
397 | { | |
398 | size_t i; | |
399 | ||
400 | for (i = 0; i < OSSL_NELEM(random_devices); i++) | |
401 | close_random_device(i); | |
402 | } | |
403 | ||
404 | void rand_pool_keep_random_devices_open(int keep) | |
405 | { | |
406 | if (keep) | |
407 | open_random_devices(); | |
408 | else | |
409 | rand_pool_cleanup(); | |
410 | keep_random_devices_open = keep; | |
411 | } | |
412 | ||
413 | # else /* defined(OPENSSL_RAND_SEED_NONE) | |
414 | * || !defined(OPENSSL_RAND_SEED_DEVRANDOM) | |
415 | */ | |
416 | ||
417 | int rand_pool_init(void) | |
418 | { | |
419 | return 1; | |
420 | } | |
421 | ||
422 | void rand_pool_cleanup(void) | |
423 | { | |
424 | } | |
425 | ||
426 | void rand_pool_keep_random_devices_open(int keep) | |
427 | { | |
428 | } | |
429 | ||
430 | # endif /* !defined(OPENSSL_RAND_SEED_NONE) | |
431 | * && defined(OPENSSL_RAND_SEED_DEVRANDOM) | |
432 | */ | |
433 | ||
75e2c877 | 434 | /* |
c16de9d8 DMSP |
435 | * Try the various seeding methods in turn, exit when successful. |
436 | * | |
437 | * TODO(DRBG): If more than one entropy source is available, is it | |
438 | * preferable to stop as soon as enough entropy has been collected | |
439 | * (as favored by @rsalz) or should one rather be defensive and add | |
440 | * more entropy than requested and/or from different sources? | |
441 | * | |
442 | * Currently, the user can select multiple entropy sources in the | |
443 | * configure step, yet in practice only the first available source | |
444 | * will be used. A more flexible solution has been requested, but | |
445 | * currently it is not clear how this can be achieved without | |
446 | * overengineering the problem. There are many parameters which | |
447 | * could be taken into account when selecting the order and amount | |
448 | * of input from the different entropy sources (trust, quality, | |
449 | * possibility of blocking). | |
75e2c877 | 450 | */ |
6decf943 | 451 | size_t rand_pool_acquire_entropy(RAND_POOL *pool) |
8389ec4b RS |
452 | { |
453 | # ifdef OPENSSL_RAND_SEED_NONE | |
6decf943 | 454 | return rand_pool_entropy_available(pool); |
8389ec4b | 455 | # else |
c16de9d8 DMSP |
456 | size_t bytes_needed; |
457 | size_t entropy_available = 0; | |
458 | unsigned char *buffer; | |
0f113f3e | 459 | |
75e2c877 | 460 | # ifdef OPENSSL_RAND_SEED_GETRANDOM |
630ce41e DMSP |
461 | { |
462 | ssize_t bytes; | |
463 | /* Maximum allowed number of consecutive unsuccessful attempts */ | |
464 | int attempts = 3; | |
465 | ||
466 | bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); | |
467 | while (bytes_needed != 0 && attempts-- > 0) { | |
468 | buffer = rand_pool_add_begin(pool, bytes_needed); | |
469 | bytes = syscall_random(buffer, bytes_needed); | |
470 | if (bytes > 0) { | |
471 | rand_pool_add_end(pool, bytes, 8 * bytes); | |
472 | bytes_needed -= bytes; | |
473 | attempts = 3; /* reset counter after successful attempt */ | |
474 | } else if (bytes < 0 && errno != EINTR) { | |
475 | break; | |
476 | } | |
477 | } | |
75e2c877 | 478 | } |
630ce41e | 479 | entropy_available = rand_pool_entropy_available(pool); |
c16de9d8 DMSP |
480 | if (entropy_available > 0) |
481 | return entropy_available; | |
0f113f3e MC |
482 | # endif |
483 | ||
75e2c877 | 484 | # if defined(OPENSSL_RAND_SEED_LIBRANDOM) |
8389ec4b | 485 | { |
75e2c877 | 486 | /* Not yet implemented. */ |
0f113f3e | 487 | } |
8389ec4b | 488 | # endif |
0f113f3e | 489 | |
8389ec4b | 490 | # ifdef OPENSSL_RAND_SEED_DEVRANDOM |
6ebb49f3 | 491 | bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); |
c7504aeb P |
492 | { |
493 | size_t i; | |
0f113f3e | 494 | |
c7504aeb | 495 | for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths); i++) { |
cca99621 DMSP |
496 | ssize_t bytes = 0; |
497 | /* Maximum allowed number of consecutive unsuccessful attempts */ | |
498 | int attempts = 3; | |
c7504aeb P |
499 | const int fd = get_random_device(i); |
500 | ||
501 | if (fd == -1) | |
8389ec4b | 502 | continue; |
c16de9d8 | 503 | |
cca99621 DMSP |
504 | while (bytes_needed != 0 && attempts-- > 0) { |
505 | buffer = rand_pool_add_begin(pool, bytes_needed); | |
506 | bytes = read(fd, buffer, bytes_needed); | |
c7504aeb | 507 | |
cca99621 DMSP |
508 | if (bytes > 0) { |
509 | rand_pool_add_end(pool, bytes, 8 * bytes); | |
510 | bytes_needed -= bytes; | |
511 | attempts = 3; /* reset counter after successful attempt */ | |
512 | } else if (bytes < 0 && errno != EINTR) { | |
513 | break; | |
514 | } | |
8389ec4b | 515 | } |
cca99621 | 516 | if (bytes < 0 || !keep_random_devices_open) |
c7504aeb | 517 | close_random_device(i); |
c16de9d8 | 518 | |
6ebb49f3 | 519 | bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); |
8389ec4b | 520 | } |
c7504aeb P |
521 | entropy_available = rand_pool_entropy_available(pool); |
522 | if (entropy_available > 0) | |
523 | return entropy_available; | |
0f113f3e | 524 | } |
8389ec4b | 525 | # endif |
0f113f3e | 526 | |
75e2c877 | 527 | # ifdef OPENSSL_RAND_SEED_RDTSC |
c16de9d8 DMSP |
528 | entropy_available = rand_acquire_entropy_from_tsc(pool); |
529 | if (entropy_available > 0) | |
530 | return entropy_available; | |
75e2c877 RS |
531 | # endif |
532 | ||
533 | # ifdef OPENSSL_RAND_SEED_RDCPU | |
c16de9d8 DMSP |
534 | entropy_available = rand_acquire_entropy_from_cpu(pool); |
535 | if (entropy_available > 0) | |
536 | return entropy_available; | |
75e2c877 RS |
537 | # endif |
538 | ||
539 | # ifdef OPENSSL_RAND_SEED_EGD | |
6ebb49f3 | 540 | bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); |
c16de9d8 | 541 | if (bytes_needed > 0) { |
75e2c877 RS |
542 | static const char *paths[] = { DEVRANDOM_EGD, NULL }; |
543 | int i; | |
0f113f3e | 544 | |
75e2c877 | 545 | for (i = 0; paths[i] != NULL; i++) { |
6decf943 | 546 | buffer = rand_pool_add_begin(pool, bytes_needed); |
c16de9d8 DMSP |
547 | if (buffer != NULL) { |
548 | size_t bytes = 0; | |
549 | int num = RAND_query_egd_bytes(paths[i], | |
550 | buffer, (int)bytes_needed); | |
551 | if (num == (int)bytes_needed) | |
552 | bytes = bytes_needed; | |
553 | ||
8e2bec9b RL |
554 | rand_pool_add_end(pool, bytes, 8 * bytes); |
555 | entropy_available = rand_pool_entropy_available(pool); | |
75e2c877 | 556 | } |
c16de9d8 DMSP |
557 | if (entropy_available > 0) |
558 | return entropy_available; | |
8389ec4b RS |
559 | } |
560 | } | |
561 | # endif | |
0f113f3e | 562 | |
6decf943 | 563 | return rand_pool_entropy_available(pool); |
0f113f3e | 564 | # endif |
0c61e299 | 565 | } |
8389ec4b | 566 | # endif |
5bc6bcf8 DMSP |
567 | #endif |
568 | ||
748eb991 | 569 | #if defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) |
5bc6bcf8 DMSP |
570 | int rand_pool_add_nonce_data(RAND_POOL *pool) |
571 | { | |
572 | struct { | |
573 | pid_t pid; | |
574 | CRYPTO_THREAD_ID tid; | |
575 | uint64_t time; | |
576 | } data = { 0 }; | |
577 | ||
578 | /* | |
579 | * Add process id, thread id, and a high resolution timestamp to | |
580 | * ensure that the nonce is unique whith high probability for | |
581 | * different process instances. | |
582 | */ | |
583 | data.pid = getpid(); | |
584 | data.tid = CRYPTO_THREAD_get_current_id(); | |
585 | data.time = get_time_stamp(); | |
586 | ||
587 | return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); | |
588 | } | |
589 | ||
590 | int rand_pool_add_additional_data(RAND_POOL *pool) | |
591 | { | |
592 | struct { | |
593 | CRYPTO_THREAD_ID tid; | |
594 | uint64_t time; | |
595 | } data = { 0 }; | |
596 | ||
597 | /* | |
598 | * Add some noise from the thread id and a high resolution timer. | |
599 | * The thread id adds a little randomness if the drbg is accessed | |
600 | * concurrently (which is the case for the <master> drbg). | |
601 | */ | |
602 | data.tid = CRYPTO_THREAD_get_current_id(); | |
603 | data.time = get_timer_bits(); | |
604 | ||
605 | return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); | |
606 | } | |
607 | ||
608 | ||
5bc6bcf8 DMSP |
609 | /* |
610 | * Get the current time with the highest possible resolution | |
611 | * | |
612 | * The time stamp is added to the nonce, so it is optimized for not repeating. | |
613 | * The current time is ideal for this purpose, provided the computer's clock | |
614 | * is synchronized. | |
615 | */ | |
616 | static uint64_t get_time_stamp(void) | |
617 | { | |
618 | # if defined(OSSL_POSIX_TIMER_OKAY) | |
619 | { | |
620 | struct timespec ts; | |
621 | ||
622 | if (clock_gettime(CLOCK_REALTIME, &ts) == 0) | |
623 | return TWO32TO64(ts.tv_sec, ts.tv_nsec); | |
624 | } | |
625 | # endif | |
626 | # if defined(__unix__) \ | |
627 | || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) | |
628 | { | |
629 | struct timeval tv; | |
630 | ||
631 | if (gettimeofday(&tv, NULL) == 0) | |
632 | return TWO32TO64(tv.tv_sec, tv.tv_usec); | |
633 | } | |
634 | # endif | |
635 | return time(NULL); | |
636 | } | |
637 | ||
638 | /* | |
639 | * Get an arbitrary timer value of the highest possible resolution | |
640 | * | |
641 | * The timer value is added as random noise to the additional data, | |
642 | * which is not considered a trusted entropy sourec, so any result | |
643 | * is acceptable. | |
644 | */ | |
645 | static uint64_t get_timer_bits(void) | |
646 | { | |
647 | uint64_t res = OPENSSL_rdtsc(); | |
648 | ||
649 | if (res != 0) | |
650 | return res; | |
651 | ||
652 | # if defined(__sun) || defined(__hpux) | |
653 | return gethrtime(); | |
654 | # elif defined(_AIX) | |
655 | { | |
656 | timebasestruct_t t; | |
657 | ||
658 | read_wall_time(&t, TIMEBASE_SZ); | |
659 | return TWO32TO64(t.tb_high, t.tb_low); | |
660 | } | |
661 | # elif defined(OSSL_POSIX_TIMER_OKAY) | |
662 | { | |
663 | struct timespec ts; | |
664 | ||
665 | # ifdef CLOCK_BOOTTIME | |
666 | # define CLOCK_TYPE CLOCK_BOOTTIME | |
667 | # elif defined(_POSIX_MONOTONIC_CLOCK) | |
668 | # define CLOCK_TYPE CLOCK_MONOTONIC | |
669 | # else | |
670 | # define CLOCK_TYPE CLOCK_REALTIME | |
671 | # endif | |
672 | ||
673 | if (clock_gettime(CLOCK_TYPE, &ts) == 0) | |
674 | return TWO32TO64(ts.tv_sec, ts.tv_nsec); | |
675 | } | |
676 | # endif | |
677 | # if defined(__unix__) \ | |
678 | || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) | |
679 | { | |
680 | struct timeval tv; | |
0c61e299 | 681 | |
5bc6bcf8 DMSP |
682 | if (gettimeofday(&tv, NULL) == 0) |
683 | return TWO32TO64(tv.tv_sec, tv.tv_usec); | |
684 | } | |
685 | # endif | |
686 | return time(NULL); | |
687 | } | |
748eb991 | 688 | #endif /* defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) */ |