rand_unix.c 23.5 KB
Newer Older
R
Rich Salz 已提交
1
/*
M
Matt Caswell 已提交
2
 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
3
 *
R
Rich Salz 已提交
4 5 6 7
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
8
 */
R
Rich Salz 已提交
9

10 11 12
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
13
#include "e_os.h"
14
#include <stdio.h>
15
#include "internal/cryptlib.h"
16
#include <openssl/rand.h>
17
#include <openssl/crypto.h>
18
#include "rand_local.h"
19
#include "crypto/rand.h"
R
Rich Salz 已提交
20
#include <stdio.h>
21
#include "internal/dso.h"
B
Bernd Edlinger 已提交
22 23 24 25 26 27
#ifdef __linux
# include <sys/syscall.h>
# ifdef DEVRANDOM_WAIT
#  include <sys/shm.h>
#  include <sys/utsname.h>
# endif
28
#endif
29
#if defined(__FreeBSD__) && !defined(OPENSSL_SYS_UEFI)
30 31 32 33
# include <sys/types.h>
# include <sys/sysctl.h>
# include <sys/param.h>
#endif
34
#if defined(__OpenBSD__) || defined(__NetBSD__)
35 36
# include <sys/param.h>
#endif
37 38

#if defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__)
39
# include <sys/types.h>
40 41
# include <sys/stat.h>
# include <fcntl.h>
42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82
# include <unistd.h>
# include <sys/time.h>

static uint64_t get_time_stamp(void);
static uint64_t get_timer_bits(void);

/* Macro to convert two thirty two bit values into a sixty four bit one */
# define TWO32TO64(a, b) ((((uint64_t)(a)) << 32) + (b))

/*
 * Check for the existence and support of POSIX timers.  The standard
 * says that the _POSIX_TIMERS macro will have a positive value if they
 * are available.
 *
 * However, we want an additional constraint: that the timer support does
 * not require an extra library dependency.  Early versions of glibc
 * require -lrt to be specified on the link line to access the timers,
 * so this needs to be checked for.
 *
 * It is worse because some libraries define __GLIBC__ but don't
 * support the version testing macro (e.g. uClibc).  This means
 * an extra check is needed.
 *
 * The final condition is:
 *      "have posix timers and either not glibc or glibc without -lrt"
 *
 * The nested #if sequences are required to avoid using a parameterised
 * macro that might be undefined.
 */
# undef OSSL_POSIX_TIMER_OKAY
# if defined(_POSIX_TIMERS) && _POSIX_TIMERS > 0
#  if defined(__GLIBC__)
#   if defined(__GLIBC_PREREQ)
#    if __GLIBC_PREREQ(2, 17)
#     define OSSL_POSIX_TIMER_OKAY
#    endif
#   endif
#  else
#   define OSSL_POSIX_TIMER_OKAY
#  endif
# endif
83
#endif /* defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) */
84

85 86 87 88 89 90 91 92 93 94 95
#if defined(OPENSSL_RAND_SEED_NONE)
/* none means none. this simplifies the following logic */
# undef OPENSSL_RAND_SEED_OS
# undef OPENSSL_RAND_SEED_GETRANDOM
# undef OPENSSL_RAND_SEED_LIBRANDOM
# undef OPENSSL_RAND_SEED_DEVRANDOM
# undef OPENSSL_RAND_SEED_RDTSC
# undef OPENSSL_RAND_SEED_RDCPU
# undef OPENSSL_RAND_SEED_EGD
#endif

96
#if (defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)) && \
R
Rich Salz 已提交
97
        !defined(OPENSSL_RAND_SEED_NONE)
98 99 100
# error "UEFI and VXWorks only support seeding NONE"
#endif

101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121
#if defined(OPENSSL_SYS_VXWORKS)
/* empty implementation */
int rand_pool_init(void)
{
    return 1;
}

void rand_pool_cleanup(void)
{
}

void rand_pool_keep_random_devices_open(int keep)
{
}

size_t rand_pool_acquire_entropy(RAND_POOL *pool)
{
    return rand_pool_entropy_available(pool);
}
#endif

122 123 124
#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) \
    || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) \
    || defined(OPENSSL_SYS_UEFI))
125 126 127

# if defined(OPENSSL_SYS_VOS)

R
Rich Salz 已提交
128 129 130 131 132 133 134 135 136 137 138
#  ifndef OPENSSL_RAND_SEED_OS
#   error "Unsupported seeding method configured; must be os"
#  endif

#  if defined(OPENSSL_SYS_VOS_HPPA) && defined(OPENSSL_SYS_VOS_IA32)
#   error "Unsupported HP-PA and IA32 at the same time."
#  endif
#  if !defined(OPENSSL_SYS_VOS_HPPA) && !defined(OPENSSL_SYS_VOS_IA32)
#   error "Must have one of HP-PA or IA32"
#  endif

139 140 141 142 143 144
/*
 * The following algorithm repeatedly samples the real-time clock (RTC) to
 * generate a sequence of unpredictable data.  The algorithm relies upon the
 * uneven execution speed of the code (due to factors such as cache misses,
 * interrupts, bus activity, and scheduling) and upon the rather large
 * relative difference between the speed of the clock and the rate at which
R
Rich Salz 已提交
145 146 147 148 149
 * it can be read.  If it is ported to an environment where execution speed
 * is more constant or where the RTC ticks at a much slower rate, or the
 * clock can be read with fewer instructions, it is likely that the results
 * would be far more predictable.  This should only be used for legacy
 * platforms.
150
 *
151
 * As a precaution, we assume only 2 bits of entropy per byte.
152
 */
153
size_t rand_pool_acquire_entropy(RAND_POOL *pool)
D
Dr. Stephen Henson 已提交
154
{
155 156
    short int code;
    int i, k;
157
    size_t bytes_needed;
158 159 160 161 162 163 164 165
    struct timespec ts;
    unsigned char v;
#  ifdef OPENSSL_SYS_VOS_HPPA
    long duration;
    extern void s$sleep(long *_duration, short int *_code);
#  else
    long long duration;
    extern void s$sleep2(long long *_duration, short int *_code);
R
Rich Salz 已提交
166
#  endif
167

168
    bytes_needed = rand_pool_bytes_needed(pool, 4 /*entropy_factor*/);
169 170

    for (i = 0; i < bytes_needed; i++) {
171 172 173 174 175 176 177 178 179 180 181 182 183 184 185
        /*
         * burn some cpu; hope for interrupts, cache collisions, bus
         * interference, etc.
         */
        for (k = 0; k < 99; k++)
            ts.tv_nsec = random();

#  ifdef OPENSSL_SYS_VOS_HPPA
        /* sleep for 1/1024 of a second (976 us).  */
        duration = 1;
        s$sleep(&duration, &code);
#  else
        /* sleep for 1/65536 of a second (15 us).  */
        duration = 1;
        s$sleep2(&duration, &code);
R
Rich Salz 已提交
186
#  endif
187

R
Rich Salz 已提交
188
        /* Get wall clock time, take 8 bits. */
189
        clock_gettime(CLOCK_REALTIME, &ts);
R
Rich Salz 已提交
190
        v = (unsigned char)(ts.tv_nsec & 0xFF);
191
        rand_pool_add(pool, arg, &v, sizeof(v) , 2);
192
    }
193
    return rand_pool_entropy_available(pool);
D
Dr. Stephen Henson 已提交
194
}
R
Rich Salz 已提交
195

196 197 198 199 200 201 202 203
void rand_pool_cleanup(void)
{
}

void rand_pool_keep_random_devices_open(int keep)
{
}

R
Rich Salz 已提交
204
# else
R
Rich Salz 已提交
205 206 207 208

#  if defined(OPENSSL_RAND_SEED_EGD) && \
        (defined(OPENSSL_NO_EGD) || !defined(DEVRANDOM_EGD))
#   error "Seeding uses EGD but EGD is turned off or no device given"
209 210
#  endif

R
Rich Salz 已提交
211 212 213
#  if defined(OPENSSL_RAND_SEED_DEVRANDOM) && !defined(DEVRANDOM)
#   error "Seeding uses urandom but DEVRANDOM is not configured"
#  endif
214

R
Rich Salz 已提交
215
#  if defined(OPENSSL_RAND_SEED_OS)
216
#   if !defined(DEVRANDOM)
R
Rich Salz 已提交
217
#    error "OS seeding requires DEVRANDOM to be configured"
218
#   endif
219
#   define OPENSSL_RAND_SEED_GETRANDOM
220
#   define OPENSSL_RAND_SEED_DEVRANDOM
R
Rich Salz 已提交
221
#  endif
222

R
Rich Salz 已提交
223 224 225
#  if defined(OPENSSL_RAND_SEED_LIBRANDOM)
#   error "librandom not (yet) supported"
#  endif
226

227
#  if (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
228 229
/*
 * sysctl_random(): Use sysctl() to read a random number from the kernel
230
 * Returns the number of bytes returned in buf on success, -1 on failure.
231
 */
232
static ssize_t sysctl_random(char *buf, size_t buflen)
233 234 235 236 237
{
    int mib[2];
    size_t done = 0;
    size_t len;

238 239 240 241 242
    /*
     * Note: sign conversion between size_t and ssize_t is safe even
     * without a range check, see comment in syscall_random()
     */

243
    /*
244 245 246 247
     * On FreeBSD old implementations returned longs, newer versions support
     * variable sizes up to 256 byte. The code below would not work properly
     * when the sysctl returns long and we want to request something not a
     * multiple of longs, which should never be the case.
248
     */
249 250 251 252
    if (!ossl_assert(buflen % sizeof(long) == 0)) {
        errno = EINVAL;
        return -1;
    }
253

254 255 256 257 258 259 260 261
    /*
     * On NetBSD before 4.0 KERN_ARND was an alias for KERN_URND, and only
     * filled in an int, leaving the rest uninitialized. Since NetBSD 4.0
     * it returns a variable number of bytes with the current version supporting
     * up to 256 bytes.
     * Just return an error on older NetBSD versions.
     */
#if   defined(__NetBSD__) && __NetBSD_Version__ < 400000000
262 263
    errno = ENOSYS;
    return -1;
264 265
#endif

266 267 268 269 270 271
    mib[0] = CTL_KERN;
    mib[1] = KERN_ARND;

    do {
        len = buflen;
        if (sysctl(mib, 2, buf, &len, NULL, 0) == -1)
272
            return done > 0 ? done : -1;
273 274 275 276 277 278 279 280 281
        done += len;
        buf += len;
        buflen -= len;
    } while (buflen > 0);

    return done;
}
#  endif

282
#  if defined(OPENSSL_RAND_SEED_GETRANDOM)
283 284 285 286

#   if defined(__linux) && !defined(__NR_getrandom)
#    if defined(__arm__) && defined(__NR_SYSCALL_BASE)
#     define __NR_getrandom    (__NR_SYSCALL_BASE+384)
287 288 289 290
#    elif defined(__i386__)
#     define __NR_getrandom    355
#    elif defined(__x86_64__) && !defined(__ILP32__)
#     define __NR_getrandom    318
291 292 293
#    endif
#   endif

294 295
/*
 * syscall_random(): Try to get random data using a system call
296
 * returns the number of bytes returned in buf, or < 0 on error.
297
 */
298
static ssize_t syscall_random(void *buf, size_t buflen)
299
{
300 301 302 303
    /*
     * Note: 'buflen' equals the size of the buffer which is used by the
     * get_entropy() callback of the RAND_DRBG. It is roughly bounded by
     *
304
     *   2 * RAND_POOL_FACTOR * (RAND_DRBG_STRENGTH / 8) = 2^14
305 306 307 308 309
     *
     * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
     * between size_t and ssize_t is safe even without a range check.
     */

310 311 312 313 314 315 316 317 318 319
    /*
     * Do runtime detection to find getentropy().
     *
     * Known OSs that should support this:
     * - Darwin since 16 (OSX 10.12, IOS 10.0).
     * - Solaris since 11.3
     * - OpenBSD since 5.6
     * - Linux since 3.17 with glibc 2.25
     * - FreeBSD since 12.0 (1200061)
     */
320
#  if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
321
    extern int getentropy(void *buffer, size_t length) __attribute__((weak));
322 323

    if (getentropy != NULL)
324
        return getentropy(buf, buflen) == 0 ? (ssize_t)buflen : -1;
325 326 327 328 329 330 331 332 333 334
#  else
    union {
        void *p;
        int (*f)(void *buffer, size_t length);
    } p_getentropy;

    /*
     * We could cache the result of the lookup, but we normally don't
     * call this function often.
     */
335
    ERR_set_mark();
336
    p_getentropy.p = DSO_global_lookup("getentropy");
337
    ERR_pop_to_mark();
338
    if (p_getentropy.p != NULL)
339
        return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
340
#  endif
341 342

    /* Linux supports this since version 3.17 */
343 344
#  if defined(__linux) && defined(__NR_getrandom)
    return syscall(__NR_getrandom, buf, buflen, 0);
345 346 347 348
#  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
    return sysctl_random(buf, buflen);
#  else
    errno = ENOSYS;
349
    return -1;
350
#  endif
351
}
352
#  endif    /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
353

354
#  if defined(OPENSSL_RAND_SEED_DEVRANDOM)
355 356 357 358 359 360 361 362 363 364
static const char *random_device_paths[] = { DEVRANDOM };
static struct random_device {
    int fd;
    dev_t dev;
    ino_t ino;
    mode_t mode;
    dev_t rdev;
} random_devices[OSSL_NELEM(random_device_paths)];
static int keep_random_devices_open = 1;

365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389
#   if defined(__linux) && defined(DEVRANDOM_WAIT)
static void *shm_addr;

static void cleanup_shm(void)
{
    shmdt(shm_addr);
}

/*
 * Ensure that the system randomness source has been adequately seeded.
 * This is done by having the first start of libcrypto, wait until the device
 * /dev/random becomes able to supply a byte of entropy.  Subsequent starts
 * of the library and later reseedings do not need to do this.
 */
static int wait_random_seeded(void)
{
    static int seeded = OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID < 0;
    static const int kernel_version[] = { DEVRANDOM_SAFE_KERNEL };
    int kernel[2];
    int shm_id, fd, r;
    char c, *p;
    struct utsname un;
    fd_set fds;

    if (!seeded) {
390
        /* See if anything has created the global seeded indication */
391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412
        if ((shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1, 0)) == -1) {
            /*
             * Check the kernel's version and fail if it is too recent.
             *
             * Linux kernels from 4.8 onwards do not guarantee that
             * /dev/urandom is properly seeded when /dev/random becomes
             * readable.  However, such kernels support the getentropy(2)
             * system call and this should always succeed which renders
             * this alternative but essentially identical source moot.
             */
            if (uname(&un) == 0) {
                kernel[0] = atoi(un.release);
                p = strchr(un.release, '.');
                kernel[1] = p == NULL ? 0 : atoi(p + 1);
                if (kernel[0] > kernel_version[0]
                    || (kernel[0] == kernel_version[0]
                        && kernel[1] >= kernel_version[1])) {
                    return 0;
                }
            }
            /* Open /dev/random and wait for it to be readable */
            if ((fd = open(DEVRANDOM_WAIT, O_RDONLY)) != -1) {
413
                if (DEVRANDM_WAIT_USE_SELECT && fd < FD_SETSIZE) {
414 415 416 417 418 419 420 421 422 423
                    FD_ZERO(&fds);
                    FD_SET(fd, &fds);
                    while ((r = select(fd + 1, &fds, NULL, NULL, NULL)) < 0
                           && errno == EINTR);
                } else {
                    while ((r = read(fd, &c, 1)) < 0 && errno == EINTR);
                }
                close(fd);
                if (r == 1) {
                    seeded = 1;
424
                    /* Create the shared memory indicator */
425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449
                    shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1,
                                    IPC_CREAT | S_IRUSR | S_IRGRP | S_IROTH);
                }
            }
        }
        if (shm_id != -1) {
            seeded = 1;
            /*
             * Map the shared memory to prevent its premature destruction.
             * If this call fails, it isn't a big problem.
             */
            shm_addr = shmat(shm_id, NULL, SHM_RDONLY);
            if (shm_addr != (void *)-1)
                OPENSSL_atexit(&cleanup_shm);
        }
    }
    return seeded;
}
#   else /* defined __linux */
static int wait_random_seeded(void)
{
    return 1;
}
#   endif

450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516
/*
 * Verify that the file descriptor associated with the random source is
 * still valid. The rationale for doing this is the fact that it is not
 * uncommon for daemons to close all open file handles when daemonizing.
 * So the handle might have been closed or even reused for opening
 * another file.
 */
static int check_random_device(struct random_device * rd)
{
    struct stat st;

    return rd->fd != -1
           && fstat(rd->fd, &st) != -1
           && rd->dev == st.st_dev
           && rd->ino == st.st_ino
           && ((rd->mode ^ st.st_mode) & ~(S_IRWXU | S_IRWXG | S_IRWXO)) == 0
           && rd->rdev == st.st_rdev;
}

/*
 * Open a random device if required and return its file descriptor or -1 on error
 */
static int get_random_device(size_t n)
{
    struct stat st;
    struct random_device * rd = &random_devices[n];

    /* reuse existing file descriptor if it is (still) valid */
    if (check_random_device(rd))
        return rd->fd;

    /* open the random device ... */
    if ((rd->fd = open(random_device_paths[n], O_RDONLY)) == -1)
        return rd->fd;

    /* ... and cache its relevant stat(2) data */
    if (fstat(rd->fd, &st) != -1) {
        rd->dev = st.st_dev;
        rd->ino = st.st_ino;
        rd->mode = st.st_mode;
        rd->rdev = st.st_rdev;
    } else {
        close(rd->fd);
        rd->fd = -1;
    }

    return rd->fd;
}

/*
 * Close a random device making sure it is a random device
 */
static void close_random_device(size_t n)
{
    struct random_device * rd = &random_devices[n];

    if (check_random_device(rd))
        close(rd->fd);
    rd->fd = -1;
}

int rand_pool_init(void)
{
    size_t i;

    for (i = 0; i < OSSL_NELEM(random_devices); i++)
        random_devices[i].fd = -1;
517

518 519 520 521 522 523 524 525 526 527 528 529 530
    return 1;
}

void rand_pool_cleanup(void)
{
    size_t i;

    for (i = 0; i < OSSL_NELEM(random_devices); i++)
        close_random_device(i);
}

void rand_pool_keep_random_devices_open(int keep)
{
531
    if (!keep)
532
        rand_pool_cleanup();
533

534 535 536
    keep_random_devices_open = keep;
}

537
#  else     /* !defined(OPENSSL_RAND_SEED_DEVRANDOM) */
538 539 540 541 542 543 544 545 546 547 548 549 550 551

int rand_pool_init(void)
{
    return 1;
}

void rand_pool_cleanup(void)
{
}

void rand_pool_keep_random_devices_open(int keep)
{
}

552
#  endif    /* defined(OPENSSL_RAND_SEED_DEVRANDOM) */
553

R
Rich Salz 已提交
554
/*
555 556 557 558 559 560 561 562 563 564 565 566 567 568 569
 * Try the various seeding methods in turn, exit when successful.
 *
 * TODO(DRBG): If more than one entropy source is available, is it
 * preferable to stop as soon as enough entropy has been collected
 * (as favored by @rsalz) or should one rather be defensive and add
 * more entropy than requested and/or from different sources?
 *
 * Currently, the user can select multiple entropy sources in the
 * configure step, yet in practice only the first available source
 * will be used. A more flexible solution has been requested, but
 * currently it is not clear how this can be achieved without
 * overengineering the problem. There are many parameters which
 * could be taken into account when selecting the order and amount
 * of input from the different entropy sources (trust, quality,
 * possibility of blocking).
R
Rich Salz 已提交
570
 */
571
size_t rand_pool_acquire_entropy(RAND_POOL *pool)
R
Rich Salz 已提交
572
{
573
#  if defined(OPENSSL_RAND_SEED_NONE)
574
    return rand_pool_entropy_available(pool);
R
Rich Salz 已提交
575
#  else
576
    size_t entropy_available;
577

578
#   if defined(OPENSSL_RAND_SEED_GETRANDOM)
579
    {
580 581
        size_t bytes_needed;
        unsigned char *buffer;
582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597
        ssize_t bytes;
        /* Maximum allowed number of consecutive unsuccessful attempts */
        int attempts = 3;

        bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
        while (bytes_needed != 0 && attempts-- > 0) {
            buffer = rand_pool_add_begin(pool, bytes_needed);
            bytes = syscall_random(buffer, bytes_needed);
            if (bytes > 0) {
                rand_pool_add_end(pool, bytes, 8 * bytes);
                bytes_needed -= bytes;
                attempts = 3; /* reset counter after successful attempt */
            } else if (bytes < 0 && errno != EINTR) {
                break;
            }
        }
R
Rich Salz 已提交
598
    }
599
    entropy_available = rand_pool_entropy_available(pool);
600 601
    if (entropy_available > 0)
        return entropy_available;
602 603
#   endif

R
Rich Salz 已提交
604
#   if defined(OPENSSL_RAND_SEED_LIBRANDOM)
R
Rich Salz 已提交
605
    {
R
Rich Salz 已提交
606
        /* Not yet implemented. */
607
    }
R
Rich Salz 已提交
608
#   endif
609

610
#   if defined(OPENSSL_RAND_SEED_DEVRANDOM)
611
    if (wait_random_seeded()) {
612 613
        size_t bytes_needed;
        unsigned char *buffer;
614
        size_t i;
615

616 617 618
        bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
        for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths);
             i++) {
619
            ssize_t bytes = 0;
620
            /* Maximum number of consecutive unsuccessful attempts */
621
            int attempts = 3;
622 623 624
            const int fd = get_random_device(i);

            if (fd == -1)
R
Rich Salz 已提交
625
                continue;
626

627 628 629
            while (bytes_needed != 0 && attempts-- > 0) {
                buffer = rand_pool_add_begin(pool, bytes_needed);
                bytes = read(fd, buffer, bytes_needed);
630

631 632 633
                if (bytes > 0) {
                    rand_pool_add_end(pool, bytes, 8 * bytes);
                    bytes_needed -= bytes;
634
                    attempts = 3; /* reset counter on successful attempt */
635 636 637
                } else if (bytes < 0 && errno != EINTR) {
                    break;
                }
R
Rich Salz 已提交
638
            }
639
            if (bytes < 0 || !keep_random_devices_open)
640
                close_random_device(i);
641

642
            bytes_needed = rand_pool_bytes_needed(pool, 1);
R
Rich Salz 已提交
643
        }
644 645 646
        entropy_available = rand_pool_entropy_available(pool);
        if (entropy_available > 0)
            return entropy_available;
647
    }
R
Rich Salz 已提交
648
#   endif
649

650
#   if defined(OPENSSL_RAND_SEED_RDTSC)
651 652 653
    entropy_available = rand_acquire_entropy_from_tsc(pool);
    if (entropy_available > 0)
        return entropy_available;
R
Rich Salz 已提交
654 655
#   endif

656
#   if defined(OPENSSL_RAND_SEED_RDCPU)
657 658 659
    entropy_available = rand_acquire_entropy_from_cpu(pool);
    if (entropy_available > 0)
        return entropy_available;
R
Rich Salz 已提交
660 661
#   endif

662
#   if defined(OPENSSL_RAND_SEED_EGD)
663
    {
R
Rich Salz 已提交
664
        static const char *paths[] = { DEVRANDOM_EGD, NULL };
665 666
        size_t bytes_needed;
        unsigned char *buffer;
R
Rich Salz 已提交
667
        int i;
668

669 670 671 672 673
        bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
        for (i = 0; bytes_needed > 0 && paths[i] != NULL; i++) {
            size_t bytes = 0;
            int num;

674
            buffer = rand_pool_add_begin(pool, bytes_needed);
675 676 677 678
            num = RAND_query_egd_bytes(paths[i],
                                       buffer, (int)bytes_needed);
            if (num == (int)bytes_needed)
                bytes = bytes_needed;
679

680 681
            rand_pool_add_end(pool, bytes, 8 * bytes);
            bytes_needed = rand_pool_bytes_needed(pool, 1);
R
Rich Salz 已提交
682
        }
683 684 685
        entropy_available = rand_pool_entropy_available(pool);
        if (entropy_available > 0)
            return entropy_available;
R
Rich Salz 已提交
686 687
    }
#   endif
688

689
    return rand_pool_entropy_available(pool);
690
#  endif
691
}
R
Rich Salz 已提交
692
# endif
693 694
#endif

695
#if defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__)
696 697 698 699 700 701 702 703 704 705
int rand_pool_add_nonce_data(RAND_POOL *pool)
{
    struct {
        pid_t pid;
        CRYPTO_THREAD_ID tid;
        uint64_t time;
    } data = { 0 };

    /*
     * Add process id, thread id, and a high resolution timestamp to
706
     * ensure that the nonce is unique with high probability for
707 708 709 710 711 712 713 714 715 716 717 718
     * different process instances.
     */
    data.pid = getpid();
    data.tid = CRYPTO_THREAD_get_current_id();
    data.time = get_time_stamp();

    return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0);
}

int rand_pool_add_additional_data(RAND_POOL *pool)
{
    struct {
719
        int fork_id;
720 721 722 723 724 725
        CRYPTO_THREAD_ID tid;
        uint64_t time;
    } data = { 0 };

    /*
     * Add some noise from the thread id and a high resolution timer.
726
     * The fork_id adds some extra fork-safety.
727 728 729
     * The thread id adds a little randomness if the drbg is accessed
     * concurrently (which is the case for the <master> drbg).
     */
730
    data.fork_id = openssl_get_fork_id();
731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809
    data.tid = CRYPTO_THREAD_get_current_id();
    data.time = get_timer_bits();

    return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0);
}


/*
 * Get the current time with the highest possible resolution
 *
 * The time stamp is added to the nonce, so it is optimized for not repeating.
 * The current time is ideal for this purpose, provided the computer's clock
 * is synchronized.
 */
static uint64_t get_time_stamp(void)
{
# if defined(OSSL_POSIX_TIMER_OKAY)
    {
        struct timespec ts;

        if (clock_gettime(CLOCK_REALTIME, &ts) == 0)
            return TWO32TO64(ts.tv_sec, ts.tv_nsec);
    }
# endif
# if defined(__unix__) \
     || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L)
    {
        struct timeval tv;

        if (gettimeofday(&tv, NULL) == 0)
            return TWO32TO64(tv.tv_sec, tv.tv_usec);
    }
# endif
    return time(NULL);
}

/*
 * Get an arbitrary timer value of the highest possible resolution
 *
 * The timer value is added as random noise to the additional data,
 * which is not considered a trusted entropy sourec, so any result
 * is acceptable.
 */
static uint64_t get_timer_bits(void)
{
    uint64_t res = OPENSSL_rdtsc();

    if (res != 0)
        return res;

# if defined(__sun) || defined(__hpux)
    return gethrtime();
# elif defined(_AIX)
    {
        timebasestruct_t t;

        read_wall_time(&t, TIMEBASE_SZ);
        return TWO32TO64(t.tb_high, t.tb_low);
    }
# elif defined(OSSL_POSIX_TIMER_OKAY)
    {
        struct timespec ts;

#  ifdef CLOCK_BOOTTIME
#   define CLOCK_TYPE CLOCK_BOOTTIME
#  elif defined(_POSIX_MONOTONIC_CLOCK)
#   define CLOCK_TYPE CLOCK_MONOTONIC
#  else
#   define CLOCK_TYPE CLOCK_REALTIME
#  endif

        if (clock_gettime(CLOCK_TYPE, &ts) == 0)
            return TWO32TO64(ts.tv_sec, ts.tv_nsec);
    }
# endif
# if defined(__unix__) \
     || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L)
    {
        struct timeval tv;
810

811 812 813 814 815 816
        if (gettimeofday(&tv, NULL) == 0)
            return TWO32TO64(tv.tv_sec, tv.tv_usec);
    }
# endif
    return time(NULL);
}
817
#endif /* defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) */