/* Copyright (c) 2014, Google Inc. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include #if !defined(OPENSSL_WINDOWS) #include #include #include #include #include #include #include /* This file implements a PRNG by reading from /dev/urandom, optionally with a * fork-safe buffer. * * If buffering is enabled then it maintains a global, linked list of buffers. * Threads which need random bytes grab a buffer from the list under a lock and * copy out the bytes that they need. In the rare case that the buffer is * empty, it's refilled from /dev/urandom outside of the lock. * * Large requests are always serviced from /dev/urandom directly. * * Each buffer contains the PID of the process that created it and it's tested * against the current PID each time. Thus processes that fork will discard all * the buffers filled by the parent process. There are two problems with this: * * 1) glibc maintains a cache of the current PID+PPID and, if this cache isn't * correctly invalidated, the getpid() will continue to believe that * it's the old process. Glibc depends on the glibc wrappers for fork, * vfork and clone being used in order to invalidate the getpid() cache. * * 2) If a process forks, dies and then its child forks, it's possible that * the third process will end up with the same PID as the original process. * If the second process never used any random values then this will mean * that the third process has stale, cached values and won't notice. */ /* BUF_SIZE is intended to be a 4K allocation with malloc overhead. struct * rand_buffer also fits in this space and the remainder is entropy. */ #define BUF_SIZE (4096 - 16) /* rand_buffer contains unused, random bytes. These structures form a linked * list via the |next| pointer, which is NULL in the final element. */ struct rand_buffer { size_t used; /* used contains the number of bytes of |rand| that have been consumed. */ struct rand_buffer *next; pid_t pid; /* pid contains the pid at the time that the buffer was created so that data is not duplicated after a fork. */ pid_t ppid; /* ppid contains the parent pid in order to try and reduce the possibility of duplicated PID confusing the detection of a fork. */ uint8_t rand[]; }; /* rand_bytes_per_buf is the number of actual entropy bytes in a buffer. */ static const size_t rand_bytes_per_buf = BUF_SIZE - sizeof(struct rand_buffer); /* list_head is the start of a global, linked-list of rand_buffer objects. It's * protected by CRYPTO_LOCK_RAND. */ static struct rand_buffer *list_head; /* urandom_fd is a file descriptor to /dev/urandom. It's protected by * CRYPTO_LOCK_RAND. */ static int urandom_fd = -2; /* urandom_buffering controls whether buffering is enabled (1) or not (0). This * is protected by CRYPTO_LOCK_RAND. */ static int urandom_buffering = 0; /* urandom_get_fd_locked returns a file descriptor to /dev/urandom. The caller * of this function must hold CRYPTO_LOCK_RAND. */ static int urandom_get_fd_locked(void) { if (urandom_fd != -2) { return urandom_fd; } urandom_fd = open("/dev/urandom", O_RDONLY); return urandom_fd; } /* RAND_cleanup frees all buffers, closes any cached file descriptor * and resets the global state. */ void RAND_cleanup(void) { struct rand_buffer *cur; CRYPTO_w_lock(CRYPTO_LOCK_RAND); while ((cur = list_head)) { list_head = cur->next; OPENSSL_free(cur); } if (urandom_fd >= 0) { close(urandom_fd); } urandom_fd = -2; list_head = NULL; CRYPTO_w_unlock(CRYPTO_LOCK_RAND); } /* read_full reads exactly |len| bytes from |fd| into |out| and returns 1. In * the case of an error it returns 0. */ static char read_full(int fd, uint8_t *out, size_t len) { ssize_t r; while (len > 0) { do { r = read(fd, out, len); } while (r == -1 && errno == EINTR); if (r <= 0) { return 0; } out += r; len -= r; } return 1; } /* urandom_rand_pseudo_bytes puts |num| random bytes into |out|. It returns * one on success and zero otherwise. */ int RAND_bytes(uint8_t *out, size_t requested) { int fd; struct rand_buffer *buf; size_t todo; pid_t pid, ppid; if (requested == 0) { return 1; } CRYPTO_w_lock(CRYPTO_LOCK_RAND); fd = urandom_get_fd_locked(); if (fd < 0) { CRYPTO_w_unlock(CRYPTO_LOCK_RAND); abort(); return 0; } /* If buffering is not enabled, or if the request is large, then the * result comes directly from urandom. */ if (!urandom_buffering || requested > BUF_SIZE / 2) { CRYPTO_w_unlock(CRYPTO_LOCK_RAND); if (!read_full(fd, out, requested)) { abort(); return 0; } return 1; } pid = getpid(); ppid = getppid(); for (;;) { buf = list_head; if (buf && buf->pid == pid && buf->ppid == ppid && rand_bytes_per_buf - buf->used >= requested) { memcpy(out, &buf->rand[buf->used], requested); buf->used += requested; CRYPTO_w_unlock(CRYPTO_LOCK_RAND); return 1; } /* If we don't immediately have enough entropy with the correct * PID, remove the buffer from the list in order to gain * exclusive access and unlock. */ if (buf) { list_head = buf->next; } CRYPTO_w_unlock(CRYPTO_LOCK_RAND); if (!buf) { buf = (struct rand_buffer *)OPENSSL_malloc(BUF_SIZE); if (!buf) { abort(); return 0; } /* The buffer doesn't contain any random bytes yet * so we mark it as fully used so that it will be * filled below. */ buf->used = rand_bytes_per_buf; buf->next = NULL; buf->pid = pid; buf->ppid = ppid; } if (buf->pid == pid && buf->ppid == ppid) { break; } /* We have forked and so cannot use these bytes as they * may have been used in another process. */ OPENSSL_free(buf); CRYPTO_w_lock(CRYPTO_LOCK_RAND); } while (requested > 0) { todo = rand_bytes_per_buf - buf->used; if (todo > requested) { todo = requested; } memcpy(out, &buf->rand[buf->used], todo); requested -= todo; out += todo; buf->used += todo; if (buf->used < rand_bytes_per_buf) { break; } if (!read_full(fd, buf->rand, rand_bytes_per_buf)) { OPENSSL_free(buf); abort(); return 0; } buf->used = 0; } CRYPTO_w_lock(CRYPTO_LOCK_RAND); assert(list_head != buf); buf->next = list_head; list_head = buf; CRYPTO_w_unlock(CRYPTO_LOCK_RAND); return 1; } #endif /* !OPENSSL_WINDOWS */