summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorbeck <>2014-07-08 10:45:35 +0000
committerbeck <>2014-07-08 10:45:35 +0000
commit98592674a5f83627e876f6c7faebdd3e101d9893 (patch)
tree940bb992d87e808bf4acdb03530effd23732902f
parenta72d3887d3cb2efb2786d7137f32c21895080ba4 (diff)
downloadopenbsd-98592674a5f83627e876f6c7faebdd3e101d9893.tar.gz
openbsd-98592674a5f83627e876f6c7faebdd3e101d9893.tar.bz2
openbsd-98592674a5f83627e876f6c7faebdd3e101d9893.zip
getentropy for osx and solaris. will be needed for a portable release
Diffstat
-rw-r--r--src/lib/libcrypto/arc4random/getentropy_osx.c425
-rw-r--r--src/lib/libcrypto/arc4random/getentropy_solaris.c413
-rw-r--r--src/lib/libcrypto/crypto/getentropy_osx.c425
-rw-r--r--src/lib/libcrypto/crypto/getentropy_solaris.c413
4 files changed, 1676 insertions, 0 deletions
diff --git a/src/lib/libcrypto/arc4random/getentropy_osx.c b/src/lib/libcrypto/arc4random/getentropy_osx.c
new file mode 100644
index 0000000000..2ba400f082
--- /dev/null
+++ b/src/lib/libcrypto/arc4random/getentropy_osx.c
@@ -0,0 +1,425 @@
1/* $OpenBSD: getentropy_osx.c,v 1.1 2014/07/08 10:45:35 beck Exp $ */
2
3/*
4 * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
5 * Copyright (c) 2014 Bob Beck <beck@obtuse.com>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <sys/types.h>
21#include <sys/param.h>
22#include <sys/ioctl.h>
23#include <sys/resource.h>
24#include <sys/syscall.h>
25#include <sys/sysctl.h>
26#include <sys/statvfs.h>
27#include <sys/socket.h>
28#include <sys/mount.h>
29#include <sys/mman.h>
30#include <sys/stat.h>
31#include <sys/time.h>
32#include <stdlib.h>
33#include <stdint.h>
34#include <stdio.h>
35#include <termios.h>
36#include <fcntl.h>
37#include <signal.h>
38#include <string.h>
39#include <errno.h>
40#include <unistd.h>
41#include <time.h>
42#include <mach/mach_time.h>
43#include <mach/mach_host.h>
44#include <mach/host_info.h>
45#include <sys/socketvar.h>
46#include <sys/vmmeter.h>
47#include <netinet/in.h>
48#include <netinet/tcp.h>
49#include <netinet/udp.h>
50#include <netinet/ip_var.h>
51#include <netinet/tcp_var.h>
52#include <netinet/udp_var.h>
53#include <CommonCrypto/CommonDigest.h>
54#define SHA512_Update(a, b, c) (CC_SHA512_Update((a), (b), (c)))
55#define SHA512_Init(xxx) (CC_SHA512_Init((xxx)))
56#define SHA512_Final(xxx, yyy) (CC_SHA512_Final((xxx), (yyy)))
57#define SHA512_CTX CC_SHA512_CTX
58#define SHA512_DIGEST_LENGTH CC_SHA512_DIGEST_LENGTH
59
60#define REPEAT 5
61#define min(a, b) (((a) < (b)) ? (a) : (b))
62
63#define HX(a, b) \
64 do { \
65 if ((a)) \
66 HD(errno); \
67 else \
68 HD(b); \
69 } while (0)
70#define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
71#define HD(x) (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
72int getentropy(void *buf, size_t len);
73
74extern int main(int, char *argv[]);
75static int gotdata(char *buf, size_t len);
76static int getentropy_urandom(void *buf, size_t len);
77static int getentropy_fallback(void *buf, size_t len);
78
79int
80getentropy(void *buf, size_t len)
81{
82 int ret = -1;
83
84 if (len > 256) {
85 errno = EIO;
86 return -1;
87 }
88
89 /*
90 * Try to get entropy with /dev/urandom
91 *
92 * This can fail if the process is inside a chroot or if file
93 * descriptors are exhausted.
94 */
95 ret = getentropy_urandom(buf, len);
96 if (ret != -1)
97 return (ret);
98
99 /*
100 * Entropy collection via /dev/urandom and sysctl have failed.
101 *
102 * No other API exists for collecting entropy, and we have
103 * no failsafe way to get it on OSX that is not sensitive
104 * to resource exhaustion.
105 *
106 * We have very few options:
107 * - Even syslog_r is unsafe to call at this low level, so
108 * there is no way to alert the user or program.
109 * - Cannot call abort() because some systems have unsafe
110 * corefiles.
111 * - Could raise(SIGKILL) resulting in silent program termination.
112 * - Return EIO, to hint that arc4random's stir function
113 * should raise(SIGKILL)
114 * - Do the best under the circumstances....
115 *
116 * This code path exists to bring light to the issue that OSX
117 * does not provide a failsafe API for entropy collection.
118 *
119 * We hope this demonstrates that OSX should consider
120 * providing a new failsafe API which works in a chroot or
121 * when file descriptors are exhausted.
122 */
123#undef FAIL_WHEN_SYSTEM_ENTROPY_FAILS
124#ifdef FAIL_WHEN_SYSTEM_ENTROPY_FAILS
125 raise(SIGKILL);
126#endif
127 ret = getentropy_fallback(buf, len);
128 if (ret != -1)
129 return (ret);
130
131 errno = EIO;
132 return (ret);
133}
134
135/*
136 * Basic sanity checking; wish we could do better.
137 */
138static int
139gotdata(char *buf, size_t len)
140{
141 char any_set = 0;
142 size_t i;
143
144 for (i = 0; i < len; ++i)
145 any_set |= buf[i];
146 if (any_set == 0)
147 return -1;
148 return 0;
149}
150
151static int
152getentropy_urandom(void *buf, size_t len)
153{
154 struct stat st;
155 size_t i;
156 int fd, cnt, flags;
157 int save_errno = errno;
158
159start:
160
161 flags = O_RDONLY;
162#ifdef O_NOFOLLOW
163 flags |= O_NOFOLLOW;
164#endif
165#ifdef O_CLOEXEC
166 flags |= O_CLOEXEC;
167#endif
168 fd = open("/dev/urandom", flags, 0);
169 if (fd == -1) {
170 if (errno == EINTR)
171 goto start;
172 goto nodevrandom;
173 }
174#ifndef O_CLOEXEC
175 fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
176#endif
177
178 /* Lightly verify that the device node looks sane */
179 if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
180 close(fd);
181 goto nodevrandom;
182 }
183 for (i = 0; i < len; ) {
184 size_t wanted = len - i;
185 ssize_t ret = read(fd, buf + i, wanted);
186
187 if (ret == -1) {
188 if (errno == EAGAIN || errno == EINTR)
189 continue;
190 close(fd);
191 goto nodevrandom;
192 }
193 i += ret;
194 }
195 close(fd);
196 if (gotdata(buf, len) == 0) {
197 errno = save_errno;
198 return 0; /* satisfied */
199 }
200nodevrandom:
201 errno = EIO;
202 return -1;
203}
204
205static int
206getentropy_fallback(void *buf, size_t len)
207{
208 int tcpmib[] = { CTL_NET, AF_INET, IPPROTO_TCP, TCPCTL_STATS };
209 int udpmib[] = { CTL_NET, AF_INET, IPPROTO_UDP, UDPCTL_STATS };
210 int ipmib[] = { CTL_NET, AF_INET, IPPROTO_IP, IPCTL_STATS };
211 int kmib[] = { CTL_KERN, KERN_USRSTACK };
212 int hwmib[] = { CTL_HW, HW_USERMEM };
213 int save_errno = errno, e, m, pgs = getpagesize(), faster = 0, repeat;
214 uint8_t results[SHA512_DIGEST_LENGTH];
215 struct tcpstat tcpstat;
216 struct udpstat udpstat;
217 struct ipstat ipstat;
218 u_int64_t mach_time;
219 unsigned int idata;
220 struct timespec ts;
221 struct timeval tv;
222 struct rusage ru;
223 sigset_t sigset;
224 struct stat st;
225 static int cnt;
226 SHA512_CTX ctx;
227 static pid_t lastpid;
228 void * addr;
229 pid_t pid;
230 size_t i, ii;
231 char *p;
232
233 pid = getpid();
234 if (lastpid == pid) {
235 faster = 1;
236 repeat = 2;
237 } else {
238 faster = 0;
239 lastpid = pid;
240 repeat = REPEAT;
241 }
242 for (i = 0; i < len; ) {
243 int j;
244 SHA512_Init(&ctx);
245 for (j = 0; j < repeat; j++) {
246 size_t len;
247 HX((e = gettimeofday(&tv, NULL)) == -1, tv);
248 if (e != -1) {
249 cnt += (int)tv.tv_sec;
250 cnt += (int)tv.tv_usec;
251 }
252
253 mach_time = mach_absolute_time();
254 HD(mach_time);
255
256 len = sizeof(addr);
257 HX(sysctl(kmib, sizeof(kmib) / sizeof(kmib[0]),
258 &addr, &len, NULL, 0) == -1, addr);
259
260 len = sizeof(idata);
261 HX(sysctl(hwmib, sizeof(hwmib) / sizeof(hwmib[0]),
262 &idata, &len, NULL, 0) == -1, idata);
263
264 len = sizeof(tcpstat);
265 HX(sysctl(tcpmib, sizeof(tcpmib) / sizeof(tcpmib[0]),
266 &tcpstat, &len, NULL, 0) == -1, tcpstat);
267
268 len = sizeof(udpstat);
269 HX(sysctl(udpmib, sizeof(udpmib) / sizeof(udpmib[0]),
270 &udpstat, &len, NULL, 0) == -1, udpstat);
271
272 len = sizeof(ipstat);
273 HX(sysctl(ipmib, sizeof(ipmib) / sizeof(ipmib[0]),
274 &ipstat, &len, NULL, 0) == -1, ipstat);
275
276 HX((pid = getpid()) == -1, pid);
277 HX((pid = getsid(pid)) == -1, pid);
278 HX((pid = getppid()) == -1, pid);
279 HX((pid = getpgid(0)) == -1, pid);
280 HX((m = getpriority(0, 0)) == -1, m);
281
282 if (!faster) {
283 ts.tv_sec = 0;
284 ts.tv_nsec = 1;
285 (void) nanosleep(&ts, NULL);
286 }
287
288 HX(sigpending(&sigset) == -1, sigset);
289 HX(sigprocmask(SIG_BLOCK, NULL, &sigset) == -1,
290 sigset);
291
292 HD(main); /* an addr in program */
293 HD(getentropy); /* an addr in this library */
294 HD(printf); /* an addr in libc */
295 p = (char *)&p;
296 HD(p); /* an addr on stack */
297 p = (char *)&errno;
298 HD(p); /* the addr of errno */
299
300 if (i == 0) {
301 struct sockaddr_storage ss;
302 struct statvfs stvfs;
303 struct termios tios;
304 struct statfs stfs;
305 socklen_t ssl;
306 off_t off;
307
308 /*
309 * Prime-sized mappings encourage fragmentation;
310 * thus exposing some address entropy.
311 */
312 struct mm {
313 size_t npg;
314 void *p;
315 } mm[] = {
316 { 17, MAP_FAILED }, { 3, MAP_FAILED },
317 { 11, MAP_FAILED }, { 2, MAP_FAILED },
318 { 5, MAP_FAILED }, { 3, MAP_FAILED },
319 { 7, MAP_FAILED }, { 1, MAP_FAILED },
320 { 57, MAP_FAILED }, { 3, MAP_FAILED },
321 { 131, MAP_FAILED }, { 1, MAP_FAILED },
322 };
323
324 for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
325 HX(mm[m].p = mmap(NULL,
326 mm[m].npg * pgs,
327 PROT_READ|PROT_WRITE,
328 MAP_PRIVATE|MAP_ANON, -1,
329 (off_t)0), mm[m].p);
330 if (mm[m].p != MAP_FAILED) {
331 size_t mo;
332
333 /* Touch some memory... */
334 p = mm[m].p;
335 mo = cnt %
336 (mm[m].npg * pgs - 1);
337 p[mo] = 1;
338 cnt += (int)((long)(mm[m].p)
339 / pgs);
340 }
341
342 /* Check cnts and times... */
343 mach_time = mach_absolute_time();
344 HD(mach_time);
345 cnt += (int)mach_time;
346
347 HX((e = getrusage(RUSAGE_SELF,
348 &ru)) == -1, ru);
349 if (e != -1) {
350 cnt += (int)ru.ru_utime.tv_sec;
351 cnt += (int)ru.ru_utime.tv_usec;
352 }
353 }
354
355 for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
356 if (mm[m].p != MAP_FAILED)
357 munmap(mm[m].p, mm[m].npg * pgs);
358 mm[m].p = MAP_FAILED;
359 }
360
361 HX(stat(".", &st) == -1, st);
362 HX(statvfs(".", &stvfs) == -1, stvfs);
363 HX(statfs(".", &stfs) == -1, stfs);
364
365 HX(stat("/", &st) == -1, st);
366 HX(statvfs("/", &stvfs) == -1, stvfs);
367 HX(statfs("/", &stfs) == -1, stfs);
368
369 HX((e = fstat(0, &st)) == -1, st);
370 if (e == -1) {
371 if (S_ISREG(st.st_mode) ||
372 S_ISFIFO(st.st_mode) ||
373 S_ISSOCK(st.st_mode)) {
374 HX(fstatvfs(0, &stvfs) == -1,
375 stvfs);
376 HX(fstatfs(0, &stfs) == -1,
377 stfs);
378 HX((off = lseek(0, (off_t)0,
379 SEEK_CUR)) < 0, off);
380 }
381 if (S_ISCHR(st.st_mode)) {
382 HX(tcgetattr(0, &tios) == -1,
383 tios);
384 } else if (S_ISSOCK(st.st_mode)) {
385 memset(&ss, 0, sizeof ss);
386 ssl = sizeof(ss);
387 HX(getpeername(0,
388 (void *)&ss, &ssl) == -1,
389 ss);
390 }
391 }
392
393 HX((e = getrusage(RUSAGE_CHILDREN,
394 &ru)) == -1, ru);
395 if (e != -1) {
396 cnt += (int)ru.ru_utime.tv_sec;
397 cnt += (int)ru.ru_utime.tv_usec;
398 }
399 } else {
400 /* Subsequent hashes absorb previous result */
401 HD(results);
402 }
403
404 HX((e = gettimeofday(&tv, NULL)) == -1, tv);
405 if (e != -1) {
406 cnt += (int)tv.tv_sec;
407 cnt += (int)tv.tv_usec;
408 }
409
410 HD(cnt);
411 }
412
413
414 SHA512_Final(results, &ctx);
415 memcpy(buf + i, results, min(sizeof(results), len - i));
416 i += min(sizeof(results), len - i);
417 }
418 memset(results, 0, sizeof results);
419 if (gotdata(buf, len) == 0) {
420 errno = save_errno;
421 return 0; /* satisfied */
422 }
423 errno = EIO;
424 return -1;
425}
diff --git a/src/lib/libcrypto/arc4random/getentropy_solaris.c b/src/lib/libcrypto/arc4random/getentropy_solaris.c
new file mode 100644
index 0000000000..6aeb8713ab
--- /dev/null
+++ b/src/lib/libcrypto/arc4random/getentropy_solaris.c
@@ -0,0 +1,413 @@
1/* $OpenBSD: getentropy_solaris.c,v 1.1 2014/07/08 10:45:35 beck Exp $ */
2
3/*
4 * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
5 * Copyright (c) 2014 Bob Beck <beck@obtuse.com>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <sys/types.h>
21#include <sys/param.h>
22#include <sys/ioctl.h>
23#include <sys/resource.h>
24#include <sys/syscall.h>
25#include <sys/statvfs.h>
26#include <sys/socket.h>
27#include <sys/mount.h>
28#include <sys/mman.h>
29#include <sys/stat.h>
30#include <sys/time.h>
31#include <stdlib.h>
32#include <stdint.h>
33#include <stdio.h>
34#include <termios.h>
35#include <fcntl.h>
36#include <signal.h>
37#include <string.h>
38#include <errno.h>
39#include <unistd.h>
40#include <time.h>
41#include <sys/sha2.h>
42#define SHA512_Init SHA512Init
43#define SHA512_Update SHA512Update
44#define SHA512_Final SHA512Final
45
46
47#include <sys/vfs.h>
48#include <sys/statfs.h>
49#include <sys/loadavg.h>
50
51#define REPEAT 5
52#define min(a, b) (((a) < (b)) ? (a) : (b))
53
54#define HX(a, b) \
55 do { \
56 if ((a)) \
57 HD(errno); \
58 else \
59 HD(b); \
60 } while (0)
61
62#define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
63#define HD(x) (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
64
65int getentropy(void *buf, size_t len);
66
67extern int main(int, char *argv[]);
68static int gotdata(char *buf, size_t len);
69static int getentropy_urandom(void *buf, size_t len);
70static int getentropy_fallback(void *buf, size_t len);
71
72int
73getentropy(void *buf, size_t len)
74{
75 int ret = -1;
76
77 if (len > 256) {
78 errno = EIO;
79 return -1;
80 }
81
82 /*
83 * Try to get entropy with /dev/urandom
84 *
85 * This can fail if the process is inside a chroot or if file
86 * descriptors are exhausted.
87 */
88 ret = getentropy_urandom(buf, len);
89 if (ret != -1)
90 return (ret);
91 /*
92 * Entropy collection via /dev/urandom and sysctl have failed.
93 *
94 * No other API exists for collecting entropy, and we have
95 * no failsafe way to get it on Solaris that is not sensitive
96 * to resource exhaustion.
97 *
98 * We have very few options:
99 * - Even syslog_r is unsafe to call at this low level, so
100 * there is no way to alert the user or program.
101 * - Cannot call abort() because some systems have unsafe
102 * corefiles.
103 * - Could raise(SIGKILL) resulting in silent program termination.
104 * - Return EIO, to hint that arc4random's stir function
105 * should raise(SIGKILL)
106 * - Do the best under the circumstances....
107 *
108 * This code path exists to bring light to the issue that Solaris
109 * does not provide a failsafe API for entropy collection.
110 *
111 * We hope this demonstrates that Solaris should consider
112 * providing a new failsafe API which works in a chroot or
113 * when file descriptors are exhausted.
114 */
115#undef FAIL_WHEN_SYSTEM_ENTROPY_FAILS
116#ifdef FAIL_WHEN_SYSTEM_ENTROPY_FAILS
117 raise(SIGKILL);
118#endif
119 ret = getentropy_fallback(buf, len);
120 if (ret != -1)
121 return (ret);
122
123 errno = EIO;
124 return (ret);
125}
126
127/*
128 * Basic sanity checking; wish we could do better.
129 */
130static int
131gotdata(char *buf, size_t len)
132{
133 char any_set = 0;
134 size_t i;
135
136 for (i = 0; i < len; ++i)
137 any_set |= buf[i];
138 if (any_set == 0)
139 return -1;
140 return 0;
141}
142
143static int
144getentropy_urandom(void *buf, size_t len)
145{
146 struct stat st;
147 size_t i;
148 int fd, flags;
149 int save_errno = errno;
150
151start:
152
153 flags = O_RDONLY;
154#ifdef O_NOFOLLOW
155 flags |= O_NOFOLLOW;
156#endif
157#ifdef O_CLOEXEC
158 flags |= O_CLOEXEC;
159#endif
160 /*
161 * Solaris provides /dev/urandom as a symbolic link.
162 * /devices/pseudo/random@0:urandom should be the
163 * real device path, and we do want O_NOFOLLOW.
164 */
165 fd = open("/devices/pseudo/random@0:urandom", flags, 0);
166 if (fd == -1) {
167 if (errno == EINTR)
168 goto start;
169 goto nodevrandom;
170 }
171#ifndef O_CLOEXEC
172 fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
173#endif
174
175 /* Lightly verify that the device node looks sane */
176 if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
177 close(fd);
178 goto nodevrandom;
179 }
180 for (i = 0; i < len; ) {
181 size_t wanted = len - i;
182 ssize_t ret = read(fd, buf + i, wanted);
183
184 if (ret == -1) {
185 if (errno == EAGAIN || errno == EINTR)
186 continue;
187 close(fd);
188 goto nodevrandom;
189 }
190 i += ret;
191 }
192 close(fd);
193 if (gotdata(buf, len) == 0) {
194 errno = save_errno;
195 return 0; /* satisfied */
196 }
197nodevrandom:
198 errno = EIO;
199 return -1;
200}
201
202static int cl[] = {
203 CLOCK_REALTIME,
204#ifdef CLOCK_MONOTONIC
205 CLOCK_MONOTONIC,
206#endif
207#ifdef CLOCK_MONOTONIC_RAW
208 CLOCK_MONOTONIC_RAW,
209#endif
210#ifdef CLOCK_TAI
211 CLOCK_TAI,
212#endif
213#ifdef CLOCK_VIRTUAL
214 CLOCK_VIRTUAL,
215#endif
216#ifdef CLOCK_UPTIME
217 CLOCK_UPTIME,
218#endif
219#ifdef CLOCK_PROCESS_CPUTIME_ID
220 CLOCK_PROCESS_CPUTIME_ID,
221#endif
222#ifdef CLOCK_THREAD_CPUTIME_ID
223 CLOCK_THREAD_CPUTIME_ID,
224#endif
225};
226
227static int
228getentropy_fallback(void *buf, size_t len)
229{
230 uint8_t results[SHA512_DIGEST_LENGTH];
231 int save_errno = errno, e, m, pgs = getpagesize(), faster = 0, repeat;
232 static int cnt;
233 struct timespec ts;
234 struct timeval tv;
235 double loadavg[3];
236 struct rusage ru;
237 sigset_t sigset;
238 struct stat st;
239 SHA512_CTX ctx;
240 static pid_t lastpid;
241 pid_t pid;
242 size_t i, ii;
243 char *p;
244
245 pid = getpid();
246 if (lastpid == pid) {
247 faster = 1;
248 repeat = 2;
249 } else {
250 faster = 0;
251 lastpid = pid;
252 repeat = REPEAT;
253 }
254 for (i = 0; i < len; ) {
255 int j;
256 SHA512_Init(&ctx);
257 for (j = 0; j < repeat; j++) {
258 HX((e = gettimeofday(&tv, NULL)) == -1, tv);
259 if (e != -1) {
260 cnt += (int)tv.tv_sec;
261 cnt += (int)tv.tv_usec;
262 }
263
264 for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]); ii++)
265 HX(clock_gettime(cl[ii], &ts) == -1, ts);
266 HX((pid = getpid()) == -1, pid);
267 HX((pid = getsid(pid)) == -1, pid);
268 HX((pid = getppid()) == -1, pid);
269 HX((pid = getpgid(0)) == -1, pid);
270 HX((m = getpriority(0, 0)) == -1, m);
271 HX((getloadavg(loadavg, 3) == -1), loadavg);
272
273 if (!faster) {
274 ts.tv_sec = 0;
275 ts.tv_nsec = 1;
276 (void) nanosleep(&ts, NULL);
277 }
278
279 HX(sigpending(&sigset) == -1, sigset);
280 HX(sigprocmask(SIG_BLOCK, NULL, &sigset) == -1,
281 sigset);
282
283 HD(main); /* an addr in program */
284 HD(getentropy); /* an addr in this library */
285 HD(printf); /* an addr in libc */
286 p = (char *)&p;
287 HD(p); /* an addr on stack */
288 p = (char *)&errno;
289 HD(p); /* the addr of errno */
290
291 if (i == 0) {
292 struct sockaddr_storage ss;
293 struct statvfs stvfs;
294 struct termios tios;
295 socklen_t ssl;
296 off_t off;
297
298 /*
299 * Prime-sized mappings encourage fragmentation;
300 * thus exposing some address entropy.
301 */
302 struct mm {
303 size_t npg;
304 void *p;
305 } mm[] = {
306 { 17, MAP_FAILED }, { 3, MAP_FAILED },
307 { 11, MAP_FAILED }, { 2, MAP_FAILED },
308 { 5, MAP_FAILED }, { 3, MAP_FAILED },
309 { 7, MAP_FAILED }, { 1, MAP_FAILED },
310 { 57, MAP_FAILED }, { 3, MAP_FAILED },
311 { 131, MAP_FAILED }, { 1, MAP_FAILED },
312 };
313
314 for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
315 HX(mm[m].p = mmap(NULL,
316 mm[m].npg * pgs,
317 PROT_READ|PROT_WRITE,
318 MAP_PRIVATE|MAP_ANON, -1,
319 (off_t)0), mm[m].p);
320 if (mm[m].p != MAP_FAILED) {
321 size_t mo;
322
323 /* Touch some memory... */
324 p = mm[m].p;
325 mo = cnt %
326 (mm[m].npg * pgs - 1);
327 p[mo] = 1;
328 cnt += (int)((long)(mm[m].p)
329 / pgs);
330 }
331
332 /* Check cnts and times... */
333 for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]);
334 ii++) {
335 HX((e = clock_gettime(cl[ii],
336 &ts)) == -1, ts);
337 if (e != -1)
338 cnt += (int)ts.tv_nsec;
339 }
340
341 HX((e = getrusage(RUSAGE_SELF,
342 &ru)) == -1, ru);
343 if (e != -1) {
344 cnt += (int)ru.ru_utime.tv_sec;
345 cnt += (int)ru.ru_utime.tv_usec;
346 }
347 }
348
349 for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
350 if (mm[m].p != MAP_FAILED)
351 munmap(mm[m].p, mm[m].npg * pgs);
352 mm[m].p = MAP_FAILED;
353 }
354
355 HX(stat(".", &st) == -1, st);
356 HX(statvfs(".", &stvfs) == -1, stvfs);
357
358 HX(stat("/", &st) == -1, st);
359 HX(statvfs("/", &stvfs) == -1, stvfs);
360
361 HX((e = fstat(0, &st)) == -1, st);
362 if (e == -1) {
363 if (S_ISREG(st.st_mode) ||
364 S_ISFIFO(st.st_mode) ||
365 S_ISSOCK(st.st_mode)) {
366 HX(fstatvfs(0, &stvfs) == -1,
367 stvfs);
368 HX((off = lseek(0, (off_t)0,
369 SEEK_CUR)) < 0, off);
370 }
371 if (S_ISCHR(st.st_mode)) {
372 HX(tcgetattr(0, &tios) == -1,
373 tios);
374 } else if (S_ISSOCK(st.st_mode)) {
375 memset(&ss, 0, sizeof ss);
376 ssl = sizeof(ss);
377 HX(getpeername(0,
378 (void *)&ss, &ssl) == -1,
379 ss);
380 }
381 }
382
383 HX((e = getrusage(RUSAGE_CHILDREN,
384 &ru)) == -1, ru);
385 if (e != -1) {
386 cnt += (int)ru.ru_utime.tv_sec;
387 cnt += (int)ru.ru_utime.tv_usec;
388 }
389 } else {
390 /* Subsequent hashes absorb previous result */
391 HD(results);
392 }
393
394 HX((e = gettimeofday(&tv, NULL)) == -1, tv);
395 if (e != -1) {
396 cnt += (int)tv.tv_sec;
397 cnt += (int)tv.tv_usec;
398 }
399
400 HD(cnt);
401 }
402 SHA512_Final(results, &ctx);
403 memcpy(buf + i, results, min(sizeof(results), len - i));
404 i += min(sizeof(results), len - i);
405 }
406 memset(results, 0, sizeof results);
407 if (gotdata(buf, len) == 0) {
408 errno = save_errno;
409 return 0; /* satisfied */
410 }
411 errno = EIO;
412 return -1;
413}
diff --git a/src/lib/libcrypto/crypto/getentropy_osx.c b/src/lib/libcrypto/crypto/getentropy_osx.c
new file mode 100644
index 0000000000..2ba400f082
--- /dev/null
+++ b/src/lib/libcrypto/crypto/getentropy_osx.c
@@ -0,0 +1,425 @@
1/* $OpenBSD: getentropy_osx.c,v 1.1 2014/07/08 10:45:35 beck Exp $ */
2
3/*
4 * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
5 * Copyright (c) 2014 Bob Beck <beck@obtuse.com>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <sys/types.h>
21#include <sys/param.h>
22#include <sys/ioctl.h>
23#include <sys/resource.h>
24#include <sys/syscall.h>
25#include <sys/sysctl.h>
26#include <sys/statvfs.h>
27#include <sys/socket.h>
28#include <sys/mount.h>
29#include <sys/mman.h>
30#include <sys/stat.h>
31#include <sys/time.h>
32#include <stdlib.h>
33#include <stdint.h>
34#include <stdio.h>
35#include <termios.h>
36#include <fcntl.h>
37#include <signal.h>
38#include <string.h>
39#include <errno.h>
40#include <unistd.h>
41#include <time.h>
42#include <mach/mach_time.h>
43#include <mach/mach_host.h>
44#include <mach/host_info.h>
45#include <sys/socketvar.h>
46#include <sys/vmmeter.h>
47#include <netinet/in.h>
48#include <netinet/tcp.h>
49#include <netinet/udp.h>
50#include <netinet/ip_var.h>
51#include <netinet/tcp_var.h>
52#include <netinet/udp_var.h>
53#include <CommonCrypto/CommonDigest.h>
54#define SHA512_Update(a, b, c) (CC_SHA512_Update((a), (b), (c)))
55#define SHA512_Init(xxx) (CC_SHA512_Init((xxx)))
56#define SHA512_Final(xxx, yyy) (CC_SHA512_Final((xxx), (yyy)))
57#define SHA512_CTX CC_SHA512_CTX
58#define SHA512_DIGEST_LENGTH CC_SHA512_DIGEST_LENGTH
59
60#define REPEAT 5
61#define min(a, b) (((a) < (b)) ? (a) : (b))
62
63#define HX(a, b) \
64 do { \
65 if ((a)) \
66 HD(errno); \
67 else \
68 HD(b); \
69 } while (0)
70#define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
71#define HD(x) (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
72int getentropy(void *buf, size_t len);
73
74extern int main(int, char *argv[]);
75static int gotdata(char *buf, size_t len);
76static int getentropy_urandom(void *buf, size_t len);
77static int getentropy_fallback(void *buf, size_t len);
78
79int
80getentropy(void *buf, size_t len)
81{
82 int ret = -1;
83
84 if (len > 256) {
85 errno = EIO;
86 return -1;
87 }
88
89 /*
90 * Try to get entropy with /dev/urandom
91 *
92 * This can fail if the process is inside a chroot or if file
93 * descriptors are exhausted.
94 */
95 ret = getentropy_urandom(buf, len);
96 if (ret != -1)
97 return (ret);
98
99 /*
100 * Entropy collection via /dev/urandom and sysctl have failed.
101 *
102 * No other API exists for collecting entropy, and we have
103 * no failsafe way to get it on OSX that is not sensitive
104 * to resource exhaustion.
105 *
106 * We have very few options:
107 * - Even syslog_r is unsafe to call at this low level, so
108 * there is no way to alert the user or program.
109 * - Cannot call abort() because some systems have unsafe
110 * corefiles.
111 * - Could raise(SIGKILL) resulting in silent program termination.
112 * - Return EIO, to hint that arc4random's stir function
113 * should raise(SIGKILL)
114 * - Do the best under the circumstances....
115 *
116 * This code path exists to bring light to the issue that OSX
117 * does not provide a failsafe API for entropy collection.
118 *
119 * We hope this demonstrates that OSX should consider
120 * providing a new failsafe API which works in a chroot or
121 * when file descriptors are exhausted.
122 */
123#undef FAIL_WHEN_SYSTEM_ENTROPY_FAILS
124#ifdef FAIL_WHEN_SYSTEM_ENTROPY_FAILS
125 raise(SIGKILL);
126#endif
127 ret = getentropy_fallback(buf, len);
128 if (ret != -1)
129 return (ret);
130
131 errno = EIO;
132 return (ret);
133}
134
135/*
136 * Basic sanity checking; wish we could do better.
137 */
138static int
139gotdata(char *buf, size_t len)
140{
141 char any_set = 0;
142 size_t i;
143
144 for (i = 0; i < len; ++i)
145 any_set |= buf[i];
146 if (any_set == 0)
147 return -1;
148 return 0;
149}
150
151static int
152getentropy_urandom(void *buf, size_t len)
153{
154 struct stat st;
155 size_t i;
156 int fd, cnt, flags;
157 int save_errno = errno;
158
159start:
160
161 flags = O_RDONLY;
162#ifdef O_NOFOLLOW
163 flags |= O_NOFOLLOW;
164#endif
165#ifdef O_CLOEXEC
166 flags |= O_CLOEXEC;
167#endif
168 fd = open("/dev/urandom", flags, 0);
169 if (fd == -1) {
170 if (errno == EINTR)
171 goto start;
172 goto nodevrandom;
173 }
174#ifndef O_CLOEXEC
175 fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
176#endif
177
178 /* Lightly verify that the device node looks sane */
179 if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
180 close(fd);
181 goto nodevrandom;
182 }
183 for (i = 0; i < len; ) {
184 size_t wanted = len - i;
185 ssize_t ret = read(fd, buf + i, wanted);
186
187 if (ret == -1) {
188 if (errno == EAGAIN || errno == EINTR)
189 continue;
190 close(fd);
191 goto nodevrandom;
192 }
193 i += ret;
194 }
195 close(fd);
196 if (gotdata(buf, len) == 0) {
197 errno = save_errno;
198 return 0; /* satisfied */
199 }
200nodevrandom:
201 errno = EIO;
202 return -1;
203}
204
205static int
206getentropy_fallback(void *buf, size_t len)
207{
208 int tcpmib[] = { CTL_NET, AF_INET, IPPROTO_TCP, TCPCTL_STATS };
209 int udpmib[] = { CTL_NET, AF_INET, IPPROTO_UDP, UDPCTL_STATS };
210 int ipmib[] = { CTL_NET, AF_INET, IPPROTO_IP, IPCTL_STATS };
211 int kmib[] = { CTL_KERN, KERN_USRSTACK };
212 int hwmib[] = { CTL_HW, HW_USERMEM };
213 int save_errno = errno, e, m, pgs = getpagesize(), faster = 0, repeat;
214 uint8_t results[SHA512_DIGEST_LENGTH];
215 struct tcpstat tcpstat;
216 struct udpstat udpstat;
217 struct ipstat ipstat;
218 u_int64_t mach_time;
219 unsigned int idata;
220 struct timespec ts;
221 struct timeval tv;
222 struct rusage ru;
223 sigset_t sigset;
224 struct stat st;
225 static int cnt;
226 SHA512_CTX ctx;
227 static pid_t lastpid;
228 void * addr;
229 pid_t pid;
230 size_t i, ii;
231 char *p;
232
233 pid = getpid();
234 if (lastpid == pid) {
235 faster = 1;
236 repeat = 2;
237 } else {
238 faster = 0;
239 lastpid = pid;
240 repeat = REPEAT;
241 }
242 for (i = 0; i < len; ) {
243 int j;
244 SHA512_Init(&ctx);
245 for (j = 0; j < repeat; j++) {
246 size_t len;
247 HX((e = gettimeofday(&tv, NULL)) == -1, tv);
248 if (e != -1) {
249 cnt += (int)tv.tv_sec;
250 cnt += (int)tv.tv_usec;
251 }
252
253 mach_time = mach_absolute_time();
254 HD(mach_time);
255
256 len = sizeof(addr);
257 HX(sysctl(kmib, sizeof(kmib) / sizeof(kmib[0]),
258 &addr, &len, NULL, 0) == -1, addr);
259
260 len = sizeof(idata);
261 HX(sysctl(hwmib, sizeof(hwmib) / sizeof(hwmib[0]),
262 &idata, &len, NULL, 0) == -1, idata);
263
264 len = sizeof(tcpstat);
265 HX(sysctl(tcpmib, sizeof(tcpmib) / sizeof(tcpmib[0]),
266 &tcpstat, &len, NULL, 0) == -1, tcpstat);
267
268 len = sizeof(udpstat);
269 HX(sysctl(udpmib, sizeof(udpmib) / sizeof(udpmib[0]),
270 &udpstat, &len, NULL, 0) == -1, udpstat);
271
272 len = sizeof(ipstat);
273 HX(sysctl(ipmib, sizeof(ipmib) / sizeof(ipmib[0]),
274 &ipstat, &len, NULL, 0) == -1, ipstat);
275
276 HX((pid = getpid()) == -1, pid);
277 HX((pid = getsid(pid)) == -1, pid);
278 HX((pid = getppid()) == -1, pid);
279 HX((pid = getpgid(0)) == -1, pid);
280 HX((m = getpriority(0, 0)) == -1, m);
281
282 if (!faster) {
283 ts.tv_sec = 0;
284 ts.tv_nsec = 1;
285 (void) nanosleep(&ts, NULL);
286 }
287
288 HX(sigpending(&sigset) == -1, sigset);
289 HX(sigprocmask(SIG_BLOCK, NULL, &sigset) == -1,
290 sigset);
291
292 HD(main); /* an addr in program */
293 HD(getentropy); /* an addr in this library */
294 HD(printf); /* an addr in libc */
295 p = (char *)&p;
296 HD(p); /* an addr on stack */
297 p = (char *)&errno;
298 HD(p); /* the addr of errno */
299
300 if (i == 0) {
301 struct sockaddr_storage ss;
302 struct statvfs stvfs;
303 struct termios tios;
304 struct statfs stfs;
305 socklen_t ssl;
306 off_t off;
307
308 /*
309 * Prime-sized mappings encourage fragmentation;
310 * thus exposing some address entropy.
311 */
312 struct mm {
313 size_t npg;
314 void *p;
315 } mm[] = {
316 { 17, MAP_FAILED }, { 3, MAP_FAILED },
317 { 11, MAP_FAILED }, { 2, MAP_FAILED },
318 { 5, MAP_FAILED }, { 3, MAP_FAILED },
319 { 7, MAP_FAILED }, { 1, MAP_FAILED },
320 { 57, MAP_FAILED }, { 3, MAP_FAILED },
321 { 131, MAP_FAILED }, { 1, MAP_FAILED },
322 };
323
324 for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
325 HX(mm[m].p = mmap(NULL,
326 mm[m].npg * pgs,
327 PROT_READ|PROT_WRITE,
328 MAP_PRIVATE|MAP_ANON, -1,
329 (off_t)0), mm[m].p);
330 if (mm[m].p != MAP_FAILED) {
331 size_t mo;
332
333 /* Touch some memory... */
334 p = mm[m].p;
335 mo = cnt %
336 (mm[m].npg * pgs - 1);
337 p[mo] = 1;
338 cnt += (int)((long)(mm[m].p)
339 / pgs);
340 }
341
342 /* Check cnts and times... */
343 mach_time = mach_absolute_time();
344 HD(mach_time);
345 cnt += (int)mach_time;
346
347 HX((e = getrusage(RUSAGE_SELF,
348 &ru)) == -1, ru);
349 if (e != -1) {
350 cnt += (int)ru.ru_utime.tv_sec;
351 cnt += (int)ru.ru_utime.tv_usec;
352 }
353 }
354
355 for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
356 if (mm[m].p != MAP_FAILED)
357 munmap(mm[m].p, mm[m].npg * pgs);
358 mm[m].p = MAP_FAILED;
359 }
360
361 HX(stat(".", &st) == -1, st);
362 HX(statvfs(".", &stvfs) == -1, stvfs);
363 HX(statfs(".", &stfs) == -1, stfs);
364
365 HX(stat("/", &st) == -1, st);
366 HX(statvfs("/", &stvfs) == -1, stvfs);
367 HX(statfs("/", &stfs) == -1, stfs);
368
369 HX((e = fstat(0, &st)) == -1, st);
370 if (e == -1) {
371 if (S_ISREG(st.st_mode) ||
372 S_ISFIFO(st.st_mode) ||
373 S_ISSOCK(st.st_mode)) {
374 HX(fstatvfs(0, &stvfs) == -1,
375 stvfs);
376 HX(fstatfs(0, &stfs) == -1,
377 stfs);
378 HX((off = lseek(0, (off_t)0,
379 SEEK_CUR)) < 0, off);
380 }
381 if (S_ISCHR(st.st_mode)) {
382 HX(tcgetattr(0, &tios) == -1,
383 tios);
384 } else if (S_ISSOCK(st.st_mode)) {
385 memset(&ss, 0, sizeof ss);
386 ssl = sizeof(ss);
387 HX(getpeername(0,
388 (void *)&ss, &ssl) == -1,
389 ss);
390 }
391 }
392
393 HX((e = getrusage(RUSAGE_CHILDREN,
394 &ru)) == -1, ru);
395 if (e != -1) {
396 cnt += (int)ru.ru_utime.tv_sec;
397 cnt += (int)ru.ru_utime.tv_usec;
398 }
399 } else {
400 /* Subsequent hashes absorb previous result */
401 HD(results);
402 }
403
404 HX((e = gettimeofday(&tv, NULL)) == -1, tv);
405 if (e != -1) {
406 cnt += (int)tv.tv_sec;
407 cnt += (int)tv.tv_usec;
408 }
409
410 HD(cnt);
411 }
412
413
414 SHA512_Final(results, &ctx);
415 memcpy(buf + i, results, min(sizeof(results), len - i));
416 i += min(sizeof(results), len - i);
417 }
418 memset(results, 0, sizeof results);
419 if (gotdata(buf, len) == 0) {
420 errno = save_errno;
421 return 0; /* satisfied */
422 }
423 errno = EIO;
424 return -1;
425}
diff --git a/src/lib/libcrypto/crypto/getentropy_solaris.c b/src/lib/libcrypto/crypto/getentropy_solaris.c
new file mode 100644
index 0000000000..6aeb8713ab
--- /dev/null
+++ b/src/lib/libcrypto/crypto/getentropy_solaris.c
@@ -0,0 +1,413 @@
1/* $OpenBSD: getentropy_solaris.c,v 1.1 2014/07/08 10:45:35 beck Exp $ */
2
3/*
4 * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
5 * Copyright (c) 2014 Bob Beck <beck@obtuse.com>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <sys/types.h>
21#include <sys/param.h>
22#include <sys/ioctl.h>
23#include <sys/resource.h>
24#include <sys/syscall.h>
25#include <sys/statvfs.h>
26#include <sys/socket.h>
27#include <sys/mount.h>
28#include <sys/mman.h>
29#include <sys/stat.h>
30#include <sys/time.h>
31#include <stdlib.h>
32#include <stdint.h>
33#include <stdio.h>
34#include <termios.h>
35#include <fcntl.h>
36#include <signal.h>
37#include <string.h>
38#include <errno.h>
39#include <unistd.h>
40#include <time.h>
41#include <sys/sha2.h>
42#define SHA512_Init SHA512Init
43#define SHA512_Update SHA512Update
44#define SHA512_Final SHA512Final
45
46
47#include <sys/vfs.h>
48#include <sys/statfs.h>
49#include <sys/loadavg.h>
50
51#define REPEAT 5
52#define min(a, b) (((a) < (b)) ? (a) : (b))
53
54#define HX(a, b) \
55 do { \
56 if ((a)) \
57 HD(errno); \
58 else \
59 HD(b); \
60 } while (0)
61
62#define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
63#define HD(x) (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
64
65int getentropy(void *buf, size_t len);
66
67extern int main(int, char *argv[]);
68static int gotdata(char *buf, size_t len);
69static int getentropy_urandom(void *buf, size_t len);
70static int getentropy_fallback(void *buf, size_t len);
71
72int
73getentropy(void *buf, size_t len)
74{
75 int ret = -1;
76
77 if (len > 256) {
78 errno = EIO;
79 return -1;
80 }
81
82 /*
83 * Try to get entropy with /dev/urandom
84 *
85 * This can fail if the process is inside a chroot or if file
86 * descriptors are exhausted.
87 */
88 ret = getentropy_urandom(buf, len);
89 if (ret != -1)
90 return (ret);
91 /*
92 * Entropy collection via /dev/urandom and sysctl have failed.
93 *
94 * No other API exists for collecting entropy, and we have
95 * no failsafe way to get it on Solaris that is not sensitive
96 * to resource exhaustion.
97 *
98 * We have very few options:
99 * - Even syslog_r is unsafe to call at this low level, so
100 * there is no way to alert the user or program.
101 * - Cannot call abort() because some systems have unsafe
102 * corefiles.
103 * - Could raise(SIGKILL) resulting in silent program termination.
104 * - Return EIO, to hint that arc4random's stir function
105 * should raise(SIGKILL)
106 * - Do the best under the circumstances....
107 *
108 * This code path exists to bring light to the issue that Solaris
109 * does not provide a failsafe API for entropy collection.
110 *
111 * We hope this demonstrates that Solaris should consider
112 * providing a new failsafe API which works in a chroot or
113 * when file descriptors are exhausted.
114 */
115#undef FAIL_WHEN_SYSTEM_ENTROPY_FAILS
116#ifdef FAIL_WHEN_SYSTEM_ENTROPY_FAILS
117 raise(SIGKILL);
118#endif
119 ret = getentropy_fallback(buf, len);
120 if (ret != -1)
121 return (ret);
122
123 errno = EIO;
124 return (ret);
125}
126
127/*
128 * Basic sanity checking; wish we could do better.
129 */
130static int
131gotdata(char *buf, size_t len)
132{
133 char any_set = 0;
134 size_t i;
135
136 for (i = 0; i < len; ++i)
137 any_set |= buf[i];
138 if (any_set == 0)
139 return -1;
140 return 0;
141}
142
143static int
144getentropy_urandom(void *buf, size_t len)
145{
146 struct stat st;
147 size_t i;
148 int fd, flags;
149 int save_errno = errno;
150
151start:
152
153 flags = O_RDONLY;
154#ifdef O_NOFOLLOW
155 flags |= O_NOFOLLOW;
156#endif
157#ifdef O_CLOEXEC
158 flags |= O_CLOEXEC;
159#endif
160 /*
161 * Solaris provides /dev/urandom as a symbolic link.
162 * /devices/pseudo/random@0:urandom should be the
163 * real device path, and we do want O_NOFOLLOW.
164 */
165 fd = open("/devices/pseudo/random@0:urandom", flags, 0);
166 if (fd == -1) {
167 if (errno == EINTR)
168 goto start;
169 goto nodevrandom;
170 }
171#ifndef O_CLOEXEC
172 fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
173#endif
174
175 /* Lightly verify that the device node looks sane */
176 if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
177 close(fd);
178 goto nodevrandom;
179 }
180 for (i = 0; i < len; ) {
181 size_t wanted = len - i;
182 ssize_t ret = read(fd, buf + i, wanted);
183
184 if (ret == -1) {
185 if (errno == EAGAIN || errno == EINTR)
186 continue;
187 close(fd);
188 goto nodevrandom;
189 }
190 i += ret;
191 }
192 close(fd);
193 if (gotdata(buf, len) == 0) {
194 errno = save_errno;
195 return 0; /* satisfied */
196 }
197nodevrandom:
198 errno = EIO;
199 return -1;
200}
201
202static int cl[] = {
203 CLOCK_REALTIME,
204#ifdef CLOCK_MONOTONIC
205 CLOCK_MONOTONIC,
206#endif
207#ifdef CLOCK_MONOTONIC_RAW
208 CLOCK_MONOTONIC_RAW,
209#endif
210#ifdef CLOCK_TAI
211 CLOCK_TAI,
212#endif
213#ifdef CLOCK_VIRTUAL
214 CLOCK_VIRTUAL,
215#endif
216#ifdef CLOCK_UPTIME
217 CLOCK_UPTIME,
218#endif
219#ifdef CLOCK_PROCESS_CPUTIME_ID
220 CLOCK_PROCESS_CPUTIME_ID,
221#endif
222#ifdef CLOCK_THREAD_CPUTIME_ID
223 CLOCK_THREAD_CPUTIME_ID,
224#endif
225};
226
227static int
228getentropy_fallback(void *buf, size_t len)
229{
230 uint8_t results[SHA512_DIGEST_LENGTH];
231 int save_errno = errno, e, m, pgs = getpagesize(), faster = 0, repeat;
232 static int cnt;
233 struct timespec ts;
234 struct timeval tv;
235 double loadavg[3];
236 struct rusage ru;
237 sigset_t sigset;
238 struct stat st;
239 SHA512_CTX ctx;
240 static pid_t lastpid;
241 pid_t pid;
242 size_t i, ii;
243 char *p;
244
245 pid = getpid();
246 if (lastpid == pid) {
247 faster = 1;
248 repeat = 2;
249 } else {
250 faster = 0;
251 lastpid = pid;
252 repeat = REPEAT;
253 }
254 for (i = 0; i < len; ) {
255 int j;
256 SHA512_Init(&ctx);
257 for (j = 0; j < repeat; j++) {
258 HX((e = gettimeofday(&tv, NULL)) == -1, tv);
259 if (e != -1) {
260 cnt += (int)tv.tv_sec;
261 cnt += (int)tv.tv_usec;
262 }
263
264 for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]); ii++)
265 HX(clock_gettime(cl[ii], &ts) == -1, ts);
266 HX((pid = getpid()) == -1, pid);
267 HX((pid = getsid(pid)) == -1, pid);
268 HX((pid = getppid()) == -1, pid);
269 HX((pid = getpgid(0)) == -1, pid);
270 HX((m = getpriority(0, 0)) == -1, m);
271 HX((getloadavg(loadavg, 3) == -1), loadavg);
272
273 if (!faster) {
274 ts.tv_sec = 0;
275 ts.tv_nsec = 1;
276 (void) nanosleep(&ts, NULL);
277 }
278
279 HX(sigpending(&sigset) == -1, sigset);
280 HX(sigprocmask(SIG_BLOCK, NULL, &sigset) == -1,
281 sigset);
282
283 HD(main); /* an addr in program */
284 HD(getentropy); /* an addr in this library */
285 HD(printf); /* an addr in libc */
286 p = (char *)&p;
287 HD(p); /* an addr on stack */
288 p = (char *)&errno;
289 HD(p); /* the addr of errno */
290
291 if (i == 0) {
292 struct sockaddr_storage ss;
293 struct statvfs stvfs;
294 struct termios tios;
295 socklen_t ssl;
296 off_t off;
297
298 /*
299 * Prime-sized mappings encourage fragmentation;
300 * thus exposing some address entropy.
301 */
302 struct mm {
303 size_t npg;
304 void *p;
305 } mm[] = {
306 { 17, MAP_FAILED }, { 3, MAP_FAILED },
307 { 11, MAP_FAILED }, { 2, MAP_FAILED },
308 { 5, MAP_FAILED }, { 3, MAP_FAILED },
309 { 7, MAP_FAILED }, { 1, MAP_FAILED },
310 { 57, MAP_FAILED }, { 3, MAP_FAILED },
311 { 131, MAP_FAILED }, { 1, MAP_FAILED },
312 };
313
314 for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
315 HX(mm[m].p = mmap(NULL,
316 mm[m].npg * pgs,
317 PROT_READ|PROT_WRITE,
318 MAP_PRIVATE|MAP_ANON, -1,
319 (off_t)0), mm[m].p);
320 if (mm[m].p != MAP_FAILED) {
321 size_t mo;
322
323 /* Touch some memory... */
324 p = mm[m].p;
325 mo = cnt %
326 (mm[m].npg * pgs - 1);
327 p[mo] = 1;
328 cnt += (int)((long)(mm[m].p)
329 / pgs);
330 }
331
332 /* Check cnts and times... */
333 for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]);
334 ii++) {
335 HX((e = clock_gettime(cl[ii],
336 &ts)) == -1, ts);
337 if (e != -1)
338 cnt += (int)ts.tv_nsec;
339 }
340
341 HX((e = getrusage(RUSAGE_SELF,
342 &ru)) == -1, ru);
343 if (e != -1) {
344 cnt += (int)ru.ru_utime.tv_sec;
345 cnt += (int)ru.ru_utime.tv_usec;
346 }
347 }
348
349 for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
350 if (mm[m].p != MAP_FAILED)
351 munmap(mm[m].p, mm[m].npg * pgs);
352 mm[m].p = MAP_FAILED;
353 }
354
355 HX(stat(".", &st) == -1, st);
356 HX(statvfs(".", &stvfs) == -1, stvfs);
357
358 HX(stat("/", &st) == -1, st);
359 HX(statvfs("/", &stvfs) == -1, stvfs);
360
361 HX((e = fstat(0, &st)) == -1, st);
362 if (e == -1) {
363 if (S_ISREG(st.st_mode) ||
364 S_ISFIFO(st.st_mode) ||
365 S_ISSOCK(st.st_mode)) {
366 HX(fstatvfs(0, &stvfs) == -1,
367 stvfs);
368 HX((off = lseek(0, (off_t)0,
369 SEEK_CUR)) < 0, off);
370 }
371 if (S_ISCHR(st.st_mode)) {
372 HX(tcgetattr(0, &tios) == -1,
373 tios);
374 } else if (S_ISSOCK(st.st_mode)) {
375 memset(&ss, 0, sizeof ss);
376 ssl = sizeof(ss);
377 HX(getpeername(0,
378 (void *)&ss, &ssl) == -1,
379 ss);
380 }
381 }
382
383 HX((e = getrusage(RUSAGE_CHILDREN,
384 &ru)) == -1, ru);
385 if (e != -1) {
386 cnt += (int)ru.ru_utime.tv_sec;
387 cnt += (int)ru.ru_utime.tv_usec;
388 }
389 } else {
390 /* Subsequent hashes absorb previous result */
391 HD(results);
392 }
393
394 HX((e = gettimeofday(&tv, NULL)) == -1, tv);
395 if (e != -1) {
396 cnt += (int)tv.tv_sec;
397 cnt += (int)tv.tv_usec;
398 }
399
400 HD(cnt);
401 }
402 SHA512_Final(results, &ctx);
403 memcpy(buf + i, results, min(sizeof(results), len - i));
404 i += min(sizeof(results), len - i);
405 }
406 memset(results, 0, sizeof results);
407 if (gotdata(buf, len) == 0) {
408 errno = save_errno;
409 return 0; /* satisfied */
410 }
411 errno = EIO;
412 return -1;
413}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 17:41:06 +0000