getentropy for osx and solaris. will be needed for a portable release

author: beck <> 2014-07-08 10:45:35 +0000
committer: beck <> 2014-07-08 10:45:35 +0000
commit: 98592674a5f83627e876f6c7faebdd3e101d9893 (patch)
tree: 940bb992d87e808bf4acdb03530effd23732902f /src/lib/libcrypto/crypto/getentropy_osx.c
parent: a72d3887d3cb2efb2786d7137f32c21895080ba4 (diff)
download: openbsd-98592674a5f83627e876f6c7faebdd3e101d9893.tar.gz
openbsd-98592674a5f83627e876f6c7faebdd3e101d9893.tar.bz2
openbsd-98592674a5f83627e876f6c7faebdd3e101d9893.zip
1 files changed, 425 insertions, 0 deletions
diff --git a/src/lib/libcrypto/crypto/getentropy_osx.c b/src/lib/libcrypto/crypto/getentropy_osx.c
new file mode 100644
index 0000000000..2ba400f082
--- /dev/null
+++ b/src/lib/libcrypto/crypto/getentropy_osx.c
@@ -0,0 +1,425 @@
+/*      $OpenBSD: getentropy_osx.c,v 1.1 2014/07/08 10:45:35 beck Exp $ */
+/*
+ * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
+ * Copyright (c) 2014 Bob Beck <beck@obtuse.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/resource.h>
+#include <sys/syscall.h>
+#include <sys/sysctl.h>
+#include <sys/statvfs.h>
+#include <sys/socket.h>
+#include <sys/mount.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <termios.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <time.h>
+#include <mach/mach_time.h>
+#include <mach/mach_host.h>
+#include <mach/host_info.h>
+#include <sys/socketvar.h>
+#include <sys/vmmeter.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/ip_var.h>
+#include <netinet/tcp_var.h>
+#include <netinet/udp_var.h>
+#include <CommonCrypto/CommonDigest.h>
+#define SHA512_Update(a, b, c)  (CC_SHA512_Update((a), (b), (c)))
+#define SHA512_Init(xxx) (CC_SHA512_Init((xxx)))
+#define SHA512_Final(xxx, yyy) (CC_SHA512_Final((xxx), (yyy)))
+#define SHA512_CTX CC_SHA512_CTX
+#define SHA512_DIGEST_LENGTH CC_SHA512_DIGEST_LENGTH
+#define REPEAT 5
+#define min(a, b) (((a) < (b)) ? (a) : (b))
+#define HX(a, b) \
+        do { \
+                if ((a)) \
+                        HD(errno); \
+                else \
+                        HD(b); \
+        } while (0)
+#define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
+#define HD(x)    (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
+int     getentropy(void *buf, size_t len);
+extern int main(int, char *argv[]);
+static int gotdata(char *buf, size_t len);
+static int getentropy_urandom(void *buf, size_t len);
+static int getentropy_fallback(void *buf, size_t len);
+int
+getentropy(void *buf, size_t len)
+{
+        int ret = -1;
+        if (len > 256) {
+                errno = EIO;
+                return -1;
+        }
+        /*
+         * Try to get entropy with /dev/urandom
+         *
+         * This can fail if the process is inside a chroot or if file
+         * descriptors are exhausted.
+         */
+        ret = getentropy_urandom(buf, len);
+        if (ret != -1)
+                return (ret);
+        /*
+         * Entropy collection via /dev/urandom and sysctl have failed.
+         *
+         * No other API exists for collecting entropy, and we have
+         * no failsafe way to get it on OSX that is not sensitive
+         * to resource exhaustion.
+         *
+         * We have very few options:
+         *     - Even syslog_r is unsafe to call at this low level, so
+         *       there is no way to alert the user or program.
+         *     - Cannot call abort() because some systems have unsafe
+         *       corefiles.
+         *     - Could raise(SIGKILL) resulting in silent program termination.
+         *     - Return EIO, to hint that arc4random's stir function
+         *       should raise(SIGKILL)
+         *     - Do the best under the circumstances....
+         *
+         * This code path exists to bring light to the issue that OSX
+         * does not provide a failsafe API for entropy collection.
+         *
+         * We hope this demonstrates that OSX should consider
+         * providing a new failsafe API which works in a chroot or
+         * when file descriptors are exhausted.
+         */
+#undef FAIL_WHEN_SYSTEM_ENTROPY_FAILS
+#ifdef FAIL_WHEN_SYSTEM_ENTROPY_FAILS
+        raise(SIGKILL);
+#endif
+        ret = getentropy_fallback(buf, len);
+        if (ret != -1)
+                return (ret);
+        errno = EIO;
+        return (ret);
+}
+/*
+ * Basic sanity checking; wish we could do better.
+ */
+static int
+gotdata(char *buf, size_t len)
+{
+        char    any_set = 0;
+        size_t  i;
+        for (i = 0; i < len; ++i)
+                any_set |= buf[i];
+        if (any_set == 0)
+                return -1;
+        return 0;
+}
+static int
+getentropy_urandom(void *buf, size_t len)
+{
+        struct stat st;
+        size_t i;
+        int fd, cnt, flags;
+        int save_errno = errno;
+start:
+        flags = O_RDONLY;
+#ifdef O_NOFOLLOW
+        flags |= O_NOFOLLOW;
+#endif
+#ifdef O_CLOEXEC
+        flags |= O_CLOEXEC;
+#endif
+        fd = open("/dev/urandom", flags, 0);
+        if (fd == -1) {
+                if (errno == EINTR)
+                        goto start;
+                goto nodevrandom;
+        }
+#ifndef O_CLOEXEC
+        fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+#endif
+        /* Lightly verify that the device node looks sane */
+        if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
+                close(fd);
+                goto nodevrandom;
+        }
+        for (i = 0; i < len; ) {
+                size_t wanted = len - i;
+                ssize_t ret = read(fd, buf + i, wanted);
+                if (ret == -1) {
+                        if (errno == EAGAIN || errno == EINTR)
+                                continue;
+                        close(fd);
+                        goto nodevrandom;
+                }
+                i += ret;
+        }
+        close(fd);
+        if (gotdata(buf, len) == 0) {
+                errno = save_errno;
+                return 0;               /* satisfied */
+        }
+nodevrandom:
+        errno = EIO;
+        return -1;
+}
+static int
+getentropy_fallback(void *buf, size_t len)
+{
+        int tcpmib[] = { CTL_NET, AF_INET, IPPROTO_TCP, TCPCTL_STATS };
+        int udpmib[] = { CTL_NET, AF_INET, IPPROTO_UDP, UDPCTL_STATS };
+        int ipmib[] = { CTL_NET, AF_INET, IPPROTO_IP, IPCTL_STATS };
+        int kmib[] = { CTL_KERN, KERN_USRSTACK };
+        int hwmib[] = { CTL_HW, HW_USERMEM };
+        int save_errno = errno, e, m, pgs = getpagesize(), faster = 0, repeat;
+        uint8_t results[SHA512_DIGEST_LENGTH];
+        struct tcpstat tcpstat;
+        struct udpstat udpstat;
+        struct ipstat ipstat;
+        u_int64_t mach_time;
+        unsigned int idata;
+        struct timespec ts;
+        struct timeval tv;
+        struct rusage ru;
+        sigset_t sigset;
+        struct stat st;
+        static int cnt;
+        SHA512_CTX ctx;
+        static pid_t lastpid;
+        void * addr;
+        pid_t pid;
+        size_t i, ii;
+        char *p;
+        pid = getpid();
+        if (lastpid == pid) {
+                faster = 1;
+                repeat = 2;
+        } else {
+                faster = 0;
+                lastpid = pid;
+                repeat = REPEAT;
+        }
+        for (i = 0; i < len; ) {
+                int j;
+                SHA512_Init(&ctx);
+                for (j = 0; j < repeat; j++) {
+                        size_t len;
+                        HX((e = gettimeofday(&tv, NULL)) == -1, tv);
+                        if (e != -1) {
+                                cnt += (int)tv.tv_sec;
+                                cnt += (int)tv.tv_usec;
+                        }
+                        mach_time = mach_absolute_time();
+                        HD(mach_time);
+                        len = sizeof(addr);
+                        HX(sysctl(kmib, sizeof(kmib) / sizeof(kmib[0]),
+                                &addr, &len, NULL, 0) == -1, addr);
+                        len = sizeof(idata);
+                        HX(sysctl(hwmib, sizeof(hwmib) / sizeof(hwmib[0]),
+                                &idata, &len, NULL, 0) == -1, idata);
+                        len = sizeof(tcpstat);
+                        HX(sysctl(tcpmib, sizeof(tcpmib) / sizeof(tcpmib[0]),
+                                &tcpstat, &len, NULL, 0) == -1, tcpstat);
+                        len = sizeof(udpstat);
+                        HX(sysctl(udpmib, sizeof(udpmib) / sizeof(udpmib[0]),
+                                &udpstat, &len, NULL, 0) == -1, udpstat);
+                        len = sizeof(ipstat);
+                        HX(sysctl(ipmib, sizeof(ipmib) / sizeof(ipmib[0]),
+                                &ipstat, &len, NULL, 0) == -1, ipstat);
+                        HX((pid = getpid()) == -1, pid);
+                        HX((pid = getsid(pid)) == -1, pid);
+                        HX((pid = getppid()) == -1, pid);
+                        HX((pid = getpgid(0)) == -1, pid);
+                        HX((m = getpriority(0, 0)) == -1, m);
+                        if (!faster) {
+                                ts.tv_sec = 0;
+                                ts.tv_nsec = 1;
+                                (void) nanosleep(&ts, NULL);
+                        }
+                        HX(sigpending(&sigset) == -1, sigset);
+                        HX(sigprocmask(SIG_BLOCK, NULL, &sigset) == -1,
+                            sigset);
+                        HD(main);               /* an addr in program */
+                        HD(getentropy); /* an addr in this library */
+                        HD(printf);             /* an addr in libc */
+                        p = (char *)&p;
+                        HD(p);          /* an addr on stack */
+                        p = (char *)&errno;
+                        HD(p);          /* the addr of errno */
+                        if (i == 0) {
+                                struct sockaddr_storage ss;
+                                struct statvfs stvfs;
+                                struct termios tios;
+                                struct statfs stfs;
+                                socklen_t ssl;
+                                off_t off;
+                                /*
+                                 * Prime-sized mappings encourage fragmentation;
+                                 * thus exposing some address entropy.
+                                 */
+                                struct mm {
+                                        size_t  npg;
+                                        void    *p;
+                                } mm[] =         {
+                                        { 17, MAP_FAILED }, { 3, MAP_FAILED },
+                                        { 11, MAP_FAILED }, { 2, MAP_FAILED },
+                                        { 5, MAP_FAILED }, { 3, MAP_FAILED },
+                                        { 7, MAP_FAILED }, { 1, MAP_FAILED },
+                                        { 57, MAP_FAILED }, { 3, MAP_FAILED },
+                                        { 131, MAP_FAILED }, { 1, MAP_FAILED },
+                                };
+                                for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
+                                        HX(mm[m].p = mmap(NULL,
+                                            mm[m].npg * pgs,
+                                            PROT_READ|PROT_WRITE,
+                                            MAP_PRIVATE|MAP_ANON, -1,
+                                            (off_t)0), mm[m].p);
+                                        if (mm[m].p != MAP_FAILED) {
+                                                size_t mo;
+                                                /* Touch some memory... */
+                                                p = mm[m].p;
+                                                mo = cnt %
+                                                    (mm[m].npg * pgs - 1);
+                                                p[mo] = 1;
+                                                cnt += (int)((long)(mm[m].p)
+                                                    / pgs);
+                                        }
+                                        /* Check cnts and times... */
+                                        mach_time = mach_absolute_time();
+                                        HD(mach_time);
+                                        cnt += (int)mach_time;
+                                        HX((e = getrusage(RUSAGE_SELF,
+                                            &ru)) == -1, ru);
+                                        if (e != -1) {
+                                                cnt += (int)ru.ru_utime.tv_sec;
+                                                cnt += (int)ru.ru_utime.tv_usec;
+                                        }
+                                }
+                                for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
+                                        if (mm[m].p != MAP_FAILED)
+                                                munmap(mm[m].p, mm[m].npg * pgs);
+                                        mm[m].p = MAP_FAILED;
+                                }
+                                HX(stat(".", &st) == -1, st);
+                                HX(statvfs(".", &stvfs) == -1, stvfs);
+                                HX(statfs(".", &stfs) == -1, stfs);
+                                HX(stat("/", &st) == -1, st);
+                                HX(statvfs("/", &stvfs) == -1, stvfs);
+                                HX(statfs("/", &stfs) == -1, stfs);
+                                HX((e = fstat(0, &st)) == -1, st);
+                                if (e == -1) {
+                                        if (S_ISREG(st.st_mode) ||
+                                            S_ISFIFO(st.st_mode) ||
+                                            S_ISSOCK(st.st_mode)) {
+                                                HX(fstatvfs(0, &stvfs) == -1,
+                                                    stvfs);
+                                                HX(fstatfs(0, &stfs) == -1,
+                                                    stfs);
+                                                HX((off = lseek(0, (off_t)0,
+                                                    SEEK_CUR)) < 0, off);
+                                        }
+                                        if (S_ISCHR(st.st_mode)) {
+                                                HX(tcgetattr(0, &tios) == -1,
+                                                    tios);
+                                        } else if (S_ISSOCK(st.st_mode)) {
+                                                memset(&ss, 0, sizeof ss);
+                                                ssl = sizeof(ss);
+                                                HX(getpeername(0,
+                                                    (void *)&ss, &ssl) == -1,
+                                                    ss);
+                                        }
+                                }
+                                HX((e = getrusage(RUSAGE_CHILDREN,
+                                    &ru)) == -1, ru);
+                                if (e != -1) {
+                                        cnt += (int)ru.ru_utime.tv_sec;
+                                        cnt += (int)ru.ru_utime.tv_usec;
+                                }
+                        } else {
+                                /* Subsequent hashes absorb previous result */
+                                HD(results);
+                        }
+                        HX((e = gettimeofday(&tv, NULL)) == -1, tv);
+                        if (e != -1) {
+                                cnt += (int)tv.tv_sec;
+                                cnt += (int)tv.tv_usec;
+                        }
+                        HD(cnt);
+                }
+                SHA512_Final(results, &ctx);
+                memcpy(buf + i, results, min(sizeof(results), len - i));
+                i += min(sizeof(results), len - i);
+        }
+        memset(results, 0, sizeof results);
+        if (gotdata(buf, len) == 0) {
+                errno = save_errno;
+                return 0;               /* satisfied */
+        }
+        errno = EIO;
+        return -1;
+}
author	beck <>	2014-07-08 10:45:35 +0000
committer	beck <>	2014-07-08 10:45:35 +0000
commit	98592674a5f83627e876f6c7faebdd3e101d9893 (patch)
tree	940bb992d87e808bf4acdb03530effd23732902f /src/lib/libcrypto/crypto/getentropy_osx.c
parent	a72d3887d3cb2efb2786d7137f32c21895080ba4 (diff)
download	openbsd-98592674a5f83627e876f6c7faebdd3e101d9893.tar.gz openbsd-98592674a5f83627e876f6c7faebdd3e101d9893.tar.bz2 openbsd-98592674a5f83627e876f6c7faebdd3e101d9893.zip

diff --git a/src/lib/libcrypto/crypto/getentropy_osx.c b/src/lib/libcrypto/crypto/getentropy_osx.c new file mode 100644 index 0000000000..2ba400f082 --- /dev/null +++ b/src/lib/libcrypto/crypto/getentropy_osx.c
@@ -0,0 +1,425 @@
	1	/* $OpenBSD: getentropy_osx.c,v 1.1 2014/07/08 10:45:35 beck Exp $ */
	2
	3	/*
	4	* Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
	5	* Copyright (c) 2014 Bob Beck <beck@obtuse.com>
	6	*
	7	* Permission to use, copy, modify, and distribute this software for any
	8	* purpose with or without fee is hereby granted, provided that the above
	9	* copyright notice and this permission notice appear in all copies.
	10	*
	11	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	12	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	13	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	14	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	15	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	16	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	17	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	18	*/
	19
	20	#include <sys/types.h>
	21	#include <sys/param.h>
	22	#include <sys/ioctl.h>
	23	#include <sys/resource.h>
	24	#include <sys/syscall.h>
	25	#include <sys/sysctl.h>
	26	#include <sys/statvfs.h>
	27	#include <sys/socket.h>
	28	#include <sys/mount.h>
	29	#include <sys/mman.h>
	30	#include <sys/stat.h>
	31	#include <sys/time.h>
	32	#include <stdlib.h>
	33	#include <stdint.h>
	34	#include <stdio.h>
	35	#include <termios.h>
	36	#include <fcntl.h>
	37	#include <signal.h>
	38	#include <string.h>
	39	#include <errno.h>
	40	#include <unistd.h>
	41	#include <time.h>
	42	#include <mach/mach_time.h>
	43	#include <mach/mach_host.h>
	44	#include <mach/host_info.h>
	45	#include <sys/socketvar.h>
	46	#include <sys/vmmeter.h>
	47	#include <netinet/in.h>
	48	#include <netinet/tcp.h>
	49	#include <netinet/udp.h>
	50	#include <netinet/ip_var.h>
	51	#include <netinet/tcp_var.h>
	52	#include <netinet/udp_var.h>
	53	#include <CommonCrypto/CommonDigest.h>
	54	#define SHA512_Update(a, b, c) (CC_SHA512_Update((a), (b), (c)))
	55	#define SHA512_Init(xxx) (CC_SHA512_Init((xxx)))
	56	#define SHA512_Final(xxx, yyy) (CC_SHA512_Final((xxx), (yyy)))
	57	#define SHA512_CTX CC_SHA512_CTX
	58	#define SHA512_DIGEST_LENGTH CC_SHA512_DIGEST_LENGTH
	59
	60	#define REPEAT 5
	61	#define min(a, b) (((a) < (b)) ? (a) : (b))
	62
	63	#define HX(a, b) \
	64	do { \
	65	if ((a)) \
	66	HD(errno); \
	67	else \
	68	HD(b); \
	69	} while (0)
	70	#define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
	71	#define HD(x) (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
	72	int getentropy(void *buf, size_t len);
	73
	74	extern int main(int, char *argv[]);
	75	static int gotdata(char *buf, size_t len);
	76	static int getentropy_urandom(void *buf, size_t len);
	77	static int getentropy_fallback(void *buf, size_t len);
	78
	79	int
	80	getentropy(void *buf, size_t len)
	81	{
	82	int ret = -1;
	83
	84	if (len > 256) {
	85	errno = EIO;
	86	return -1;
	87	}
	88
	89	/*
	90	* Try to get entropy with /dev/urandom
	91	*
	92	* This can fail if the process is inside a chroot or if file
	93	* descriptors are exhausted.
	94	*/
	95	ret = getentropy_urandom(buf, len);
	96	if (ret != -1)
	97	return (ret);
	98
	99	/*
	100	* Entropy collection via /dev/urandom and sysctl have failed.
	101	*
	102	* No other API exists for collecting entropy, and we have
	103	* no failsafe way to get it on OSX that is not sensitive
	104	* to resource exhaustion.
	105	*
	106	* We have very few options:
	107	* - Even syslog_r is unsafe to call at this low level, so
	108	* there is no way to alert the user or program.
	109	* - Cannot call abort() because some systems have unsafe
	110	* corefiles.
	111	* - Could raise(SIGKILL) resulting in silent program termination.
	112	* - Return EIO, to hint that arc4random's stir function
	113	* should raise(SIGKILL)
	114	* - Do the best under the circumstances....
	115	*
	116	* This code path exists to bring light to the issue that OSX
	117	* does not provide a failsafe API for entropy collection.
	118	*
	119	* We hope this demonstrates that OSX should consider
	120	* providing a new failsafe API which works in a chroot or
	121	* when file descriptors are exhausted.
	122	*/
	123	#undef FAIL_WHEN_SYSTEM_ENTROPY_FAILS
	124	#ifdef FAIL_WHEN_SYSTEM_ENTROPY_FAILS
	125	raise(SIGKILL);
	126	#endif
	127	ret = getentropy_fallback(buf, len);
	128	if (ret != -1)
	129	return (ret);
	130
	131	errno = EIO;
	132	return (ret);
	133	}
	134
	135	/*
	136	* Basic sanity checking; wish we could do better.
	137	*/
	138	static int
	139	gotdata(char *buf, size_t len)
	140	{
	141	char any_set = 0;
	142	size_t i;
	143
	144	for (i = 0; i < len; ++i)
	145	any_set \|= buf[i];
	146	if (any_set == 0)
	147	return -1;
	148	return 0;
	149	}
	150
	151	static int
	152	getentropy_urandom(void *buf, size_t len)
	153	{
	154	struct stat st;
	155	size_t i;
	156	int fd, cnt, flags;
	157	int save_errno = errno;
	158
	159	start:
	160
	161	flags = O_RDONLY;
	162	#ifdef O_NOFOLLOW
	163	flags \|= O_NOFOLLOW;
	164	#endif
	165	#ifdef O_CLOEXEC
	166	flags \|= O_CLOEXEC;
	167	#endif
	168	fd = open("/dev/urandom", flags, 0);
	169	if (fd == -1) {
	170	if (errno == EINTR)
	171	goto start;
	172	goto nodevrandom;
	173	}
	174	#ifndef O_CLOEXEC
	175	fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) \| FD_CLOEXEC);
	176	#endif
	177
	178	/* Lightly verify that the device node looks sane */
	179	if (fstat(fd, &st) == -1 \|\| !S_ISCHR(st.st_mode)) {
	180	close(fd);
	181	goto nodevrandom;
	182	}
	183	for (i = 0; i < len; ) {
	184	size_t wanted = len - i;
	185	ssize_t ret = read(fd, buf + i, wanted);
	186
	187	if (ret == -1) {
	188	if (errno == EAGAIN \|\| errno == EINTR)
	189	continue;
	190	close(fd);
	191	goto nodevrandom;
	192	}
	193	i += ret;
	194	}
	195	close(fd);
	196	if (gotdata(buf, len) == 0) {
	197	errno = save_errno;
	198	return 0; /* satisfied */
	199	}
	200	nodevrandom:
	201	errno = EIO;
	202	return -1;
	203	}
	204
	205	static int
	206	getentropy_fallback(void *buf, size_t len)
	207	{
	208	int tcpmib[] = { CTL_NET, AF_INET, IPPROTO_TCP, TCPCTL_STATS };
	209	int udpmib[] = { CTL_NET, AF_INET, IPPROTO_UDP, UDPCTL_STATS };
	210	int ipmib[] = { CTL_NET, AF_INET, IPPROTO_IP, IPCTL_STATS };
	211	int kmib[] = { CTL_KERN, KERN_USRSTACK };
	212	int hwmib[] = { CTL_HW, HW_USERMEM };
	213	int save_errno = errno, e, m, pgs = getpagesize(), faster = 0, repeat;
	214	uint8_t results[SHA512_DIGEST_LENGTH];
	215	struct tcpstat tcpstat;
	216	struct udpstat udpstat;
	217	struct ipstat ipstat;
	218	u_int64_t mach_time;
	219	unsigned int idata;
	220	struct timespec ts;
	221	struct timeval tv;
	222	struct rusage ru;
	223	sigset_t sigset;
	224	struct stat st;
	225	static int cnt;
	226	SHA512_CTX ctx;
	227	static pid_t lastpid;
	228	void * addr;
	229	pid_t pid;
	230	size_t i, ii;
	231	char *p;
	232
	233	pid = getpid();
	234	if (lastpid == pid) {
	235	faster = 1;
	236	repeat = 2;
	237	} else {
	238	faster = 0;
	239	lastpid = pid;
	240	repeat = REPEAT;
	241	}
	242	for (i = 0; i < len; ) {
	243	int j;
	244	SHA512_Init(&ctx);
	245	for (j = 0; j < repeat; j++) {
	246	size_t len;
	247	HX((e = gettimeofday(&tv, NULL)) == -1, tv);
	248	if (e != -1) {
	249	cnt += (int)tv.tv_sec;
	250	cnt += (int)tv.tv_usec;
	251	}
	252
	253	mach_time = mach_absolute_time();
	254	HD(mach_time);
	255
	256	len = sizeof(addr);
	257	HX(sysctl(kmib, sizeof(kmib) / sizeof(kmib[0]),
	258	&addr, &len, NULL, 0) == -1, addr);
	259
	260	len = sizeof(idata);
	261	HX(sysctl(hwmib, sizeof(hwmib) / sizeof(hwmib[0]),
	262	&idata, &len, NULL, 0) == -1, idata);
	263
	264	len = sizeof(tcpstat);
	265	HX(sysctl(tcpmib, sizeof(tcpmib) / sizeof(tcpmib[0]),
	266	&tcpstat, &len, NULL, 0) == -1, tcpstat);
	267
	268	len = sizeof(udpstat);
	269	HX(sysctl(udpmib, sizeof(udpmib) / sizeof(udpmib[0]),
	270	&udpstat, &len, NULL, 0) == -1, udpstat);
	271
	272	len = sizeof(ipstat);
	273	HX(sysctl(ipmib, sizeof(ipmib) / sizeof(ipmib[0]),
	274	&ipstat, &len, NULL, 0) == -1, ipstat);
	275
	276	HX((pid = getpid()) == -1, pid);
	277	HX((pid = getsid(pid)) == -1, pid);
	278	HX((pid = getppid()) == -1, pid);
	279	HX((pid = getpgid(0)) == -1, pid);
	280	HX((m = getpriority(0, 0)) == -1, m);
	281
	282	if (!faster) {
	283	ts.tv_sec = 0;
	284	ts.tv_nsec = 1;
	285	(void) nanosleep(&ts, NULL);
	286	}
	287
	288	HX(sigpending(&sigset) == -1, sigset);
	289	HX(sigprocmask(SIG_BLOCK, NULL, &sigset) == -1,
	290	sigset);
	291
	292	HD(main); /* an addr in program */
	293	HD(getentropy); /* an addr in this library */
	294	HD(printf); /* an addr in libc */
	295	p = (char *)&p;
	296	HD(p); /* an addr on stack */
	297	p = (char *)&errno;
	298	HD(p); /* the addr of errno */
	299
	300	if (i == 0) {
	301	struct sockaddr_storage ss;
	302	struct statvfs stvfs;
	303	struct termios tios;
	304	struct statfs stfs;
	305	socklen_t ssl;
	306	off_t off;
	307
	308	/*
	309	* Prime-sized mappings encourage fragmentation;
	310	* thus exposing some address entropy.
	311	*/
	312	struct mm {
	313	size_t npg;
	314	void *p;
	315	} mm[] = {
	316	{ 17, MAP_FAILED }, { 3, MAP_FAILED },
	317	{ 11, MAP_FAILED }, { 2, MAP_FAILED },
	318	{ 5, MAP_FAILED }, { 3, MAP_FAILED },
	319	{ 7, MAP_FAILED }, { 1, MAP_FAILED },
	320	{ 57, MAP_FAILED }, { 3, MAP_FAILED },
	321	{ 131, MAP_FAILED }, { 1, MAP_FAILED },
	322	};
	323
	324	for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
	325	HX(mm[m].p = mmap(NULL,
	326	mm[m].npg * pgs,
	327	PROT_READ\|PROT_WRITE,
	328	MAP_PRIVATE\|MAP_ANON, -1,
	329	(off_t)0), mm[m].p);
	330	if (mm[m].p != MAP_FAILED) {
	331	size_t mo;
	332
	333	/* Touch some memory... */
	334	p = mm[m].p;
	335	mo = cnt %
	336	(mm[m].npg * pgs - 1);
	337	p[mo] = 1;
	338	cnt += (int)((long)(mm[m].p)
	339	/ pgs);
	340	}
	341
	342	/* Check cnts and times... */
	343	mach_time = mach_absolute_time();
	344	HD(mach_time);
	345	cnt += (int)mach_time;
	346
	347	HX((e = getrusage(RUSAGE_SELF,
	348	&ru)) == -1, ru);
	349	if (e != -1) {
	350	cnt += (int)ru.ru_utime.tv_sec;
	351	cnt += (int)ru.ru_utime.tv_usec;
	352	}
	353	}
	354
	355	for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
	356	if (mm[m].p != MAP_FAILED)
	357	munmap(mm[m].p, mm[m].npg * pgs);
	358	mm[m].p = MAP_FAILED;
	359	}
	360
	361	HX(stat(".", &st) == -1, st);
	362	HX(statvfs(".", &stvfs) == -1, stvfs);
	363	HX(statfs(".", &stfs) == -1, stfs);
	364
	365	HX(stat("/", &st) == -1, st);
	366	HX(statvfs("/", &stvfs) == -1, stvfs);
	367	HX(statfs("/", &stfs) == -1, stfs);
	368
	369	HX((e = fstat(0, &st)) == -1, st);
	370	if (e == -1) {
	371	if (S_ISREG(st.st_mode) \|\|
	372	S_ISFIFO(st.st_mode) \|\|
	373	S_ISSOCK(st.st_mode)) {
	374	HX(fstatvfs(0, &stvfs) == -1,
	375	stvfs);
	376	HX(fstatfs(0, &stfs) == -1,
	377	stfs);
	378	HX((off = lseek(0, (off_t)0,
	379	SEEK_CUR)) < 0, off);
	380	}
	381	if (S_ISCHR(st.st_mode)) {
	382	HX(tcgetattr(0, &tios) == -1,
	383	tios);
	384	} else if (S_ISSOCK(st.st_mode)) {
	385	memset(&ss, 0, sizeof ss);
	386	ssl = sizeof(ss);
	387	HX(getpeername(0,
	388	(void *)&ss, &ssl) == -1,
	389	ss);
	390	}
	391	}
	392
	393	HX((e = getrusage(RUSAGE_CHILDREN,
	394	&ru)) == -1, ru);
	395	if (e != -1) {
	396	cnt += (int)ru.ru_utime.tv_sec;
	397	cnt += (int)ru.ru_utime.tv_usec;
	398	}
	399	} else {
	400	/* Subsequent hashes absorb previous result */
	401	HD(results);
	402	}
	403
	404	HX((e = gettimeofday(&tv, NULL)) == -1, tv);
	405	if (e != -1) {
	406	cnt += (int)tv.tv_sec;
	407	cnt += (int)tv.tv_usec;
	408	}
	409
	410	HD(cnt);
	411	}
	412
	413
	414	SHA512_Final(results, &ctx);
	415	memcpy(buf + i, results, min(sizeof(results), len - i));
	416	i += min(sizeof(results), len - i);
	417	}
	418	memset(results, 0, sizeof results);
	419	if (gotdata(buf, len) == 0) {
	420	errno = save_errno;
	421	return 0; /* satisfied */
	422	}
	423	errno = EIO;
	424	return -1;
	425	}