summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorbeck <>2014-06-20 19:08:11 +0000
committerbeck <>2014-06-20 19:08:11 +0000
commitf5e0b958d186c5db4ba79c6257728af543fcc44c (patch)
treee41de4bf952586fef68e9ab63f82f048e4f93240 /src
parente32ded559ab1f2969308a51c54bd37b42ba5ee5d (diff)
downloadopenbsd-f5e0b958d186c5db4ba79c6257728af543fcc44c.tar.gz
openbsd-f5e0b958d186c5db4ba79c6257728af543fcc44c.tar.bz2
openbsd-f5e0b958d186c5db4ba79c6257728af543fcc44c.zip
Work in progress on how to deal with the inherit unreliability of
/dev/urandom. Does well in the fallback case. Get it in tree so it can be worked on. ok otto@ deraadt@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/arc4random/getentropy_linux.c439
-rw-r--r--src/lib/libcrypto/crypto/getentropy_linux.c439
2 files changed, 878 insertions, 0 deletions
diff --git a/src/lib/libcrypto/arc4random/getentropy_linux.c b/src/lib/libcrypto/arc4random/getentropy_linux.c
new file mode 100644
index 0000000000..1a22d2d306
--- /dev/null
+++ b/src/lib/libcrypto/arc4random/getentropy_linux.c
@@ -0,0 +1,439 @@
1/* $OpenBSD: getentropy_linux.c,v 1.1 2014/06/20 19:08:11 beck Exp $ */
2
3/*
4 * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
5 * Copyright (c) 2014 Bob Beck <beck@obtuse.com>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#define _POSIX_C_SOURCE 199309L
21#define _GNU_SOURCE 1
22#include <sys/types.h>
23#include <sys/param.h>
24#include <sys/ioctl.h>
25#include <sys/resource.h>
26#include <sys/syscall.h>
27#include <sys/sysctl.h>
28#include <sys/statvfs.h>
29#include <sys/socket.h>
30#include <sys/mount.h>
31#include <sys/mman.h>
32#include <sys/stat.h>
33#include <sys/time.h>
34#include <stdlib.h>
35#include <stdint.h>
36#include <stdio.h>
37#include <termios.h>
38#include <fcntl.h>
39#include <signal.h>
40#include <string.h>
41#include <errno.h>
42#include <unistd.h>
43#include <time.h>
44#include <openssl/sha.h>
45
46#include <linux/random.h>
47#include <sys/vfs.h>
48
49#define REPEAT 5
50#define min(a, b) (((a) < (b)) ? (a) : (b))
51
52#define HASHX(a, b) \
53 do { \
54 if ((a)) \
55 HASHD(errno); \
56 else \
57 HASHD(b); \
58 } while (0)
59
60#define HASHD(xxx) (SHA512_Update(&ctx, (char *)&(xxx), sizeof (xxx)))
61
62int getentropy(void *buf, size_t len);
63
64extern int main(int, char *argv[]);
65static int gotdata(char *buf, size_t len);
66
67/*
68 * XXX Should be replaced with a proper entropy measure.
69 */
70static int
71gotdata(char *buf, size_t len)
72{
73 char any_set = 0;
74 size_t i;
75
76 for (i = 0; i < len; ++i)
77 any_set |= buf[i];
78 if (any_set == 0)
79 return -1;
80 return 0;
81}
82
83static int
84getentropy_urandom(void *buf, size_t len)
85{
86 struct stat st;
87 size_t i;
88 int fd, cnt;
89 int save_errno = errno;
90
91start:
92#ifdef O_CLOEXEC
93 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC, 0);
94 if (fd == -1) {
95 if (errno == EINTR)
96 goto start;
97 goto nodevrandom;
98 }
99#else
100 fd = open("/dev/urandom", O_RDONLY, 0);
101 if (fd == -1) {
102 if (errno == EINTR)
103 goto start;
104 goto nodevrandom;
105 }
106 fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
107#endif
108
109 /* Lightly verify that the device node looks sane */
110 if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
111 close(fd);
112 goto nodevrandom;
113 }
114 if (ioctl(fd, RNDGETENTCNT, &cnt) == -1) {
115 close(fd);
116 goto nodevrandom;
117 }
118 for (i = 0; i < len; ) {
119 size_t wanted = len - i;
120 ssize_t ret = read(fd, buf + i, wanted);
121
122 if (ret == -1) {
123 if (errno == EAGAIN || errno == EINTR)
124 continue;
125 close(fd);
126 goto nodevrandom;
127 }
128 i += ret;
129 }
130 close(fd);
131 if (gotdata(buf, len) == 0) {
132 errno = save_errno;
133 return 0; /* satisfied */
134 }
135nodevrandom:
136 errno = EIO;
137 return -1;
138}
139
140#ifdef RANDOM_UUID
141static int
142getentropy_sysctl(void *buf, size_t len)
143{
144 static const int mib[] = { CTL_KERN, KERN_RANDOM, RANDOM_UUID };
145 size_t i, chunk;
146 int save_errno = errno;
147
148 for (i = 0; i < len; ) {
149 chunk = min(len - i, 16);
150
151 /* SYS__sysctl because some systems already removed sysctl() */
152 struct __sysctl_args args = {
153 .name = mib,
154 .nlen = 3,
155 .oldval = &buf[i],
156 .oldlenp = &chunk,
157 };
158 if (syscall(SYS__sysctl, &args) != 0)
159 goto sysctlfailed;
160 i += chunk;
161 }
162 if (gotdata(buf, len) == 0) {
163 errno = save_errno;
164 return (0); /* satisfied */
165 }
166sysctlfailed:
167 errno = EIO;
168 return -1;
169}
170#endif /* RANDOM_UUID */
171
172static int cl[] = {
173 CLOCK_REALTIME,
174#ifdef CLOCK_MONOTONIC
175 CLOCK_MONOTONIC,
176#endif
177#ifdef CLOCK_MONOTONIC_RAW
178 CLOCK_MONOTONIC_RAW,
179#endif
180#ifdef CLOCK_TAI
181 CLOCK_TAI,
182#endif
183#ifdef CLOCK_VIRTUAL
184 CLOCK_VIRTUAL,
185#endif
186#ifdef CLOCK_UPTIME
187 CLOCK_UPTIME,
188#endif
189#ifdef CLOCK_PROCESS_CPUTIME_ID
190 CLOCK_PROCESS_CPUTIME_ID,
191#endif
192#ifdef CLOCK_THREAD_CPUTIME_ID
193 CLOCK_THREAD_CPUTIME_ID,
194#endif
195};
196
197static int
198getentropy_fallback(void *buf, size_t len)
199{
200 uint8_t results[SHA512_DIGEST_LENGTH];
201 int save_errno = errno, e, m, pgsiz = getpagesize(), repeat;
202 static int counter;
203 struct timespec ts;
204 struct timeval tv;
205 struct rusage ru;
206 sigset_t sigset;
207 struct stat st;
208 SHA512_CTX ctx;
209 pid_t pid;
210 size_t i, ii;
211 void *p;
212
213 for (i = 0; i < len; ) {
214 SHA512_Init(&ctx);
215 for (repeat = 0; repeat < REPEAT; repeat++) {
216
217 HASHX((e = gettimeofday(&tv, NULL)) == -1, tv);
218 if (e != -1) {
219 counter += (int)tv.tv_sec;
220 counter += (int)tv.tv_usec;
221 }
222
223 for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]); ii++)
224 HASHX(clock_gettime(cl[ii], &ts) == -1, ts);
225
226 HASHX((pid = getpid()) == -1, pid);
227 HASHX((pid = getsid(pid)) == -1, pid);
228 HASHX((pid = getppid()) == -1, pid);
229 HASHX((pid = getpgid(0)) == -1, pid);
230 HASHX((m = getpriority(0, 0)) == -1, m);
231
232 ts.tv_sec = 0;
233 ts.tv_nsec = 1;
234 (void) nanosleep(&ts, NULL);
235
236 HASHX(sigpending(&sigset) == -1, sigset);
237 HASHX(sigprocmask(SIG_BLOCK, NULL, &sigset) == -1, sigset);
238
239 HASHD(main); /* an address in the main program */
240 HASHD(getentropy); /* an address in this library */
241 HASHD(printf); /* an address in libc */
242 p = (void *)&p;
243 HASHD(p); /* an address on stack */
244 p = (void *)&errno;
245 HASHD(p); /* the address of errno */
246
247 if (i == 0) {
248 struct sockaddr_storage ss;
249 struct statvfs stvfs;
250 struct termios tios;
251 struct statfs stfs;
252 socklen_t ssl;
253 off_t off;
254
255 /*
256 * Prime-sized mappings encourage fragmentation;
257 * thus exposing some address entropy.
258 */
259 struct mm {
260 size_t npg;
261 void *p;
262 } mm[] = {
263 { 17, MAP_FAILED }, { 3, MAP_FAILED },
264 { 11, MAP_FAILED }, { 2, MAP_FAILED },
265 { 5, MAP_FAILED }, { 3, MAP_FAILED },
266 { 7, MAP_FAILED }, { 1, MAP_FAILED },
267 { 57, MAP_FAILED }, { 3, MAP_FAILED },
268 { 131, MAP_FAILED }, { 1, MAP_FAILED },
269 };
270
271 for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
272 HASHX(mm[m].p = mmap(NULL, mm[m].npg * pgsiz,
273 PROT_READ|PROT_WRITE,
274 MAP_PRIVATE|MAP_ANON, -1, (off_t)0), p);
275 if (mm[m].p != MAP_FAILED) {
276 char *mp;
277
278 /* Touch some memory... */
279 mp = mm[m].p;
280 mp[counter % (mm[m].npg * pgsiz - 1)] = 1;
281 counter += (int)((long)(mm[m].p) / pgsiz);
282 }
283
284 /* Check counters and times... */
285 for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]);
286 ii++) {
287 HASHX((e = clock_gettime(cl[ii], &ts)) == -1,
288 ts);
289 if (e != -1)
290 counter += (int)ts.tv_nsec;
291 }
292
293 HASHX((e = getrusage(RUSAGE_SELF, &ru)) == -1, ru);
294 if (e != -1) {
295 counter += (int)ru.ru_utime.tv_sec;
296 counter += (int)ru.ru_utime.tv_usec;
297 }
298 }
299
300 for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
301 if (mm[m].p != MAP_FAILED)
302 munmap(mm[m].p, mm[m].npg * pgsiz);
303 mm[m].p = MAP_FAILED;
304 }
305
306 HASHX(stat(".", &st) == -1, st);
307 HASHX(statvfs(".", &stvfs) == -1, stvfs);
308 HASHX(statfs(".", &stfs) == -1, stfs);
309
310 HASHX(stat("/", &st) == -1, st);
311 HASHX(statvfs("/", &stvfs) == -1, stvfs);
312 HASHX(statfs("/", &stfs) == -1, stfs);
313
314 HASHX((e = fstat(0, &st)) == -1, st);
315 if (e == -1) {
316 if (S_ISREG(st.st_mode) || S_ISFIFO(st.st_mode) ||
317 S_ISSOCK(st.st_mode)) {
318 HASHX(fstatvfs(0, &stvfs) == -1, stvfs);
319 HASHX(fstatfs(0, &stfs) == -1, stfs);
320 HASHX((off = lseek(0, (off_t)0,
321 SEEK_CUR)) < 0, off);
322 }
323 if (S_ISCHR(st.st_mode)) {
324 HASHX(tcgetattr(0, &tios) == -1, tios);
325 } else if (S_ISSOCK(st.st_mode)) {
326 memset(&ss, 0, sizeof ss);
327 ssl = sizeof(ss);
328 HASHX(getpeername(0, (void *)&ss,
329 &ssl) == -1, ss);
330 }
331 }
332
333 HASHX((e = getrusage(RUSAGE_CHILDREN, &ru)) == -1, ru);
334 if (e != -1) {
335 counter += (int)ru.ru_utime.tv_sec;
336 counter += (int)ru.ru_utime.tv_usec;
337 }
338 } else {
339 /* Subsequent hashes absorb previous result */
340 HASHD(results);
341 }
342
343 HASHX((e = gettimeofday(&tv, NULL)) == -1, tv);
344 if (e != -1) {
345 counter += (int)tv.tv_sec;
346 counter += (int)tv.tv_usec;
347 }
348
349 HASHD(counter);
350
351 } /* repeat */
352 SHA512_Final(results, &ctx);
353 memcpy(buf + i, results, min(sizeof(results), len - i));
354 i += min(sizeof(results), len - i);
355 }
356 memset(results, 0, sizeof results);
357 if (gotdata(buf, len) == 0) {
358 errno = save_errno;
359 return 0; /* satisfied */
360 }
361 errno = EIO;
362 return -1;
363}
364
365int
366getentropy(void *buf, size_t len)
367{
368 int ret = -1;
369
370 if (len > 256) {
371 errno = EIO;
372 return -1;
373 }
374
375 /*
376 * Try to get entropy with /dev/urandom
377 *
378 * This can fail if the process is inside a chroot or if file
379 * descriptors are exhausted.
380 */
381 ret = getentropy_urandom(buf, len);
382 if (ret != -1)
383 return (ret);
384
385#ifdef RANDOM_UUID
386 /*
387 * Try to use sysctl CTL_KERN, KERN_RANDOM, RANDOM_UUID. sysctl is
388 * a failsafe API, so it guarantees a result. This should work
389 * inside a chroot, or when file descriptors are exhuasted.
390 *
391 * However this can fail if the Linux kernel removes support for sysctl.
392 * Starting in 2007, there have been efforts to deprecate the sysctl
393 * API/ABI, and push callers towards use of the chroot-unavailable
394 * fd-using /proc mechanism -- essentially the same problems as
395 * /dev/urandom.
396 *
397 * Numerous setbacks have been encountered in their deprecation
398 * schedule, so as of June 2014 the kernel ABI still exists. The
399 * sysctl() stub in libc is missing on some systems. There are
400 * also reports that some kernels spew messages to the console.
401 */
402 ret = getentropy_sysctl(buf, len);
403 if (ret != -1)
404 return (ret);
405#endif /* RANDOM_UUID */
406
407 /*
408 * Entropy collection via /dev/urandom and sysctl have failed.
409 *
410 * No other API exists for collecting entropy. See the large
411 * comment block above.
412 *
413 * We have very few options:
414 * - Even syslog_r is unsafe to call at this low level, so
415 * there is no way to alert the user or program.
416 * - Cannot call abort() because some systems have unsafe corefiles.
417 * - Could raise(SIGKILL) resulting in silent program termination.
418 * - Return EIO, to hint that arc4random's stir function
419 * should raise(SIGKILL)
420 * - Do the best under the circumstances....
421 *
422 * This code path exists to bring light to the issue that Linux
423 * does not provide a failsafe API for entropy collection.
424 *
425 * We hope this demonstrates that Linux should either retain their
426 * sysctl ABI, or consider providing a new failsafe API which
427 * works in a chroot or when file descriptors are exhausted.
428 */
429#undef FAIL_HARD_WHEN_LINUX_DEPRECATES_SYSCTL
430#ifdef FAIL_HARD_WHEN_LINUX_DEPRECATES_SYSCTL
431 raise(SIGKILL);
432#endif
433 ret = getentropy_fallback(buf, len);
434 if (ret != -1)
435 return (ret);
436
437 errno = EIO;
438 return (ret);
439}
diff --git a/src/lib/libcrypto/crypto/getentropy_linux.c b/src/lib/libcrypto/crypto/getentropy_linux.c
new file mode 100644
index 0000000000..1a22d2d306
--- /dev/null
+++ b/src/lib/libcrypto/crypto/getentropy_linux.c
@@ -0,0 +1,439 @@
1/* $OpenBSD: getentropy_linux.c,v 1.1 2014/06/20 19:08:11 beck Exp $ */
2
3/*
4 * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
5 * Copyright (c) 2014 Bob Beck <beck@obtuse.com>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#define _POSIX_C_SOURCE 199309L
21#define _GNU_SOURCE 1
22#include <sys/types.h>
23#include <sys/param.h>
24#include <sys/ioctl.h>
25#include <sys/resource.h>
26#include <sys/syscall.h>
27#include <sys/sysctl.h>
28#include <sys/statvfs.h>
29#include <sys/socket.h>
30#include <sys/mount.h>
31#include <sys/mman.h>
32#include <sys/stat.h>
33#include <sys/time.h>
34#include <stdlib.h>
35#include <stdint.h>
36#include <stdio.h>
37#include <termios.h>
38#include <fcntl.h>
39#include <signal.h>
40#include <string.h>
41#include <errno.h>
42#include <unistd.h>
43#include <time.h>
44#include <openssl/sha.h>
45
46#include <linux/random.h>
47#include <sys/vfs.h>
48
49#define REPEAT 5
50#define min(a, b) (((a) < (b)) ? (a) : (b))
51
52#define HASHX(a, b) \
53 do { \
54 if ((a)) \
55 HASHD(errno); \
56 else \
57 HASHD(b); \
58 } while (0)
59
60#define HASHD(xxx) (SHA512_Update(&ctx, (char *)&(xxx), sizeof (xxx)))
61
62int getentropy(void *buf, size_t len);
63
64extern int main(int, char *argv[]);
65static int gotdata(char *buf, size_t len);
66
67/*
68 * XXX Should be replaced with a proper entropy measure.
69 */
70static int
71gotdata(char *buf, size_t len)
72{
73 char any_set = 0;
74 size_t i;
75
76 for (i = 0; i < len; ++i)
77 any_set |= buf[i];
78 if (any_set == 0)
79 return -1;
80 return 0;
81}
82
83static int
84getentropy_urandom(void *buf, size_t len)
85{
86 struct stat st;
87 size_t i;
88 int fd, cnt;
89 int save_errno = errno;
90
91start:
92#ifdef O_CLOEXEC
93 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC, 0);
94 if (fd == -1) {
95 if (errno == EINTR)
96 goto start;
97 goto nodevrandom;
98 }
99#else
100 fd = open("/dev/urandom", O_RDONLY, 0);
101 if (fd == -1) {
102 if (errno == EINTR)
103 goto start;
104 goto nodevrandom;
105 }
106 fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
107#endif
108
109 /* Lightly verify that the device node looks sane */
110 if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
111 close(fd);
112 goto nodevrandom;
113 }
114 if (ioctl(fd, RNDGETENTCNT, &cnt) == -1) {
115 close(fd);
116 goto nodevrandom;
117 }
118 for (i = 0; i < len; ) {
119 size_t wanted = len - i;
120 ssize_t ret = read(fd, buf + i, wanted);
121
122 if (ret == -1) {
123 if (errno == EAGAIN || errno == EINTR)
124 continue;
125 close(fd);
126 goto nodevrandom;
127 }
128 i += ret;
129 }
130 close(fd);
131 if (gotdata(buf, len) == 0) {
132 errno = save_errno;
133 return 0; /* satisfied */
134 }
135nodevrandom:
136 errno = EIO;
137 return -1;
138}
139
140#ifdef RANDOM_UUID
141static int
142getentropy_sysctl(void *buf, size_t len)
143{
144 static const int mib[] = { CTL_KERN, KERN_RANDOM, RANDOM_UUID };
145 size_t i, chunk;
146 int save_errno = errno;
147
148 for (i = 0; i < len; ) {
149 chunk = min(len - i, 16);
150
151 /* SYS__sysctl because some systems already removed sysctl() */
152 struct __sysctl_args args = {
153 .name = mib,
154 .nlen = 3,
155 .oldval = &buf[i],
156 .oldlenp = &chunk,
157 };
158 if (syscall(SYS__sysctl, &args) != 0)
159 goto sysctlfailed;
160 i += chunk;
161 }
162 if (gotdata(buf, len) == 0) {
163 errno = save_errno;
164 return (0); /* satisfied */
165 }
166sysctlfailed:
167 errno = EIO;
168 return -1;
169}
170#endif /* RANDOM_UUID */
171
172static int cl[] = {
173 CLOCK_REALTIME,
174#ifdef CLOCK_MONOTONIC
175 CLOCK_MONOTONIC,
176#endif
177#ifdef CLOCK_MONOTONIC_RAW
178 CLOCK_MONOTONIC_RAW,
179#endif
180#ifdef CLOCK_TAI
181 CLOCK_TAI,
182#endif
183#ifdef CLOCK_VIRTUAL
184 CLOCK_VIRTUAL,
185#endif
186#ifdef CLOCK_UPTIME
187 CLOCK_UPTIME,
188#endif
189#ifdef CLOCK_PROCESS_CPUTIME_ID
190 CLOCK_PROCESS_CPUTIME_ID,
191#endif
192#ifdef CLOCK_THREAD_CPUTIME_ID
193 CLOCK_THREAD_CPUTIME_ID,
194#endif
195};
196
197static int
198getentropy_fallback(void *buf, size_t len)
199{
200 uint8_t results[SHA512_DIGEST_LENGTH];
201 int save_errno = errno, e, m, pgsiz = getpagesize(), repeat;
202 static int counter;
203 struct timespec ts;
204 struct timeval tv;
205 struct rusage ru;
206 sigset_t sigset;
207 struct stat st;
208 SHA512_CTX ctx;
209 pid_t pid;
210 size_t i, ii;
211 void *p;
212
213 for (i = 0; i < len; ) {
214 SHA512_Init(&ctx);
215 for (repeat = 0; repeat < REPEAT; repeat++) {
216
217 HASHX((e = gettimeofday(&tv, NULL)) == -1, tv);
218 if (e != -1) {
219 counter += (int)tv.tv_sec;
220 counter += (int)tv.tv_usec;
221 }
222
223 for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]); ii++)
224 HASHX(clock_gettime(cl[ii], &ts) == -1, ts);
225
226 HASHX((pid = getpid()) == -1, pid);
227 HASHX((pid = getsid(pid)) == -1, pid);
228 HASHX((pid = getppid()) == -1, pid);
229 HASHX((pid = getpgid(0)) == -1, pid);
230 HASHX((m = getpriority(0, 0)) == -1, m);
231
232 ts.tv_sec = 0;
233 ts.tv_nsec = 1;
234 (void) nanosleep(&ts, NULL);
235
236 HASHX(sigpending(&sigset) == -1, sigset);
237 HASHX(sigprocmask(SIG_BLOCK, NULL, &sigset) == -1, sigset);
238
239 HASHD(main); /* an address in the main program */
240 HASHD(getentropy); /* an address in this library */
241 HASHD(printf); /* an address in libc */
242 p = (void *)&p;
243 HASHD(p); /* an address on stack */
244 p = (void *)&errno;
245 HASHD(p); /* the address of errno */
246
247 if (i == 0) {
248 struct sockaddr_storage ss;
249 struct statvfs stvfs;
250 struct termios tios;
251 struct statfs stfs;
252 socklen_t ssl;
253 off_t off;
254
255 /*
256 * Prime-sized mappings encourage fragmentation;
257 * thus exposing some address entropy.
258 */
259 struct mm {
260 size_t npg;
261 void *p;
262 } mm[] = {
263 { 17, MAP_FAILED }, { 3, MAP_FAILED },
264 { 11, MAP_FAILED }, { 2, MAP_FAILED },
265 { 5, MAP_FAILED }, { 3, MAP_FAILED },
266 { 7, MAP_FAILED }, { 1, MAP_FAILED },
267 { 57, MAP_FAILED }, { 3, MAP_FAILED },
268 { 131, MAP_FAILED }, { 1, MAP_FAILED },
269 };
270
271 for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
272 HASHX(mm[m].p = mmap(NULL, mm[m].npg * pgsiz,
273 PROT_READ|PROT_WRITE,
274 MAP_PRIVATE|MAP_ANON, -1, (off_t)0), p);
275 if (mm[m].p != MAP_FAILED) {
276 char *mp;
277
278 /* Touch some memory... */
279 mp = mm[m].p;
280 mp[counter % (mm[m].npg * pgsiz - 1)] = 1;
281 counter += (int)((long)(mm[m].p) / pgsiz);
282 }
283
284 /* Check counters and times... */
285 for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]);
286 ii++) {
287 HASHX((e = clock_gettime(cl[ii], &ts)) == -1,
288 ts);
289 if (e != -1)
290 counter += (int)ts.tv_nsec;
291 }
292
293 HASHX((e = getrusage(RUSAGE_SELF, &ru)) == -1, ru);
294 if (e != -1) {
295 counter += (int)ru.ru_utime.tv_sec;
296 counter += (int)ru.ru_utime.tv_usec;
297 }
298 }
299
300 for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
301 if (mm[m].p != MAP_FAILED)
302 munmap(mm[m].p, mm[m].npg * pgsiz);
303 mm[m].p = MAP_FAILED;
304 }
305
306 HASHX(stat(".", &st) == -1, st);
307 HASHX(statvfs(".", &stvfs) == -1, stvfs);
308 HASHX(statfs(".", &stfs) == -1, stfs);
309
310 HASHX(stat("/", &st) == -1, st);
311 HASHX(statvfs("/", &stvfs) == -1, stvfs);
312 HASHX(statfs("/", &stfs) == -1, stfs);
313
314 HASHX((e = fstat(0, &st)) == -1, st);
315 if (e == -1) {
316 if (S_ISREG(st.st_mode) || S_ISFIFO(st.st_mode) ||
317 S_ISSOCK(st.st_mode)) {
318 HASHX(fstatvfs(0, &stvfs) == -1, stvfs);
319 HASHX(fstatfs(0, &stfs) == -1, stfs);
320 HASHX((off = lseek(0, (off_t)0,
321 SEEK_CUR)) < 0, off);
322 }
323 if (S_ISCHR(st.st_mode)) {
324 HASHX(tcgetattr(0, &tios) == -1, tios);
325 } else if (S_ISSOCK(st.st_mode)) {
326 memset(&ss, 0, sizeof ss);
327 ssl = sizeof(ss);
328 HASHX(getpeername(0, (void *)&ss,
329 &ssl) == -1, ss);
330 }
331 }
332
333 HASHX((e = getrusage(RUSAGE_CHILDREN, &ru)) == -1, ru);
334 if (e != -1) {
335 counter += (int)ru.ru_utime.tv_sec;
336 counter += (int)ru.ru_utime.tv_usec;
337 }
338 } else {
339 /* Subsequent hashes absorb previous result */
340 HASHD(results);
341 }
342
343 HASHX((e = gettimeofday(&tv, NULL)) == -1, tv);
344 if (e != -1) {
345 counter += (int)tv.tv_sec;
346 counter += (int)tv.tv_usec;
347 }
348
349 HASHD(counter);
350
351 } /* repeat */
352 SHA512_Final(results, &ctx);
353 memcpy(buf + i, results, min(sizeof(results), len - i));
354 i += min(sizeof(results), len - i);
355 }
356 memset(results, 0, sizeof results);
357 if (gotdata(buf, len) == 0) {
358 errno = save_errno;
359 return 0; /* satisfied */
360 }
361 errno = EIO;
362 return -1;
363}
364
365int
366getentropy(void *buf, size_t len)
367{
368 int ret = -1;
369
370 if (len > 256) {
371 errno = EIO;
372 return -1;
373 }
374
375 /*
376 * Try to get entropy with /dev/urandom
377 *
378 * This can fail if the process is inside a chroot or if file
379 * descriptors are exhausted.
380 */
381 ret = getentropy_urandom(buf, len);
382 if (ret != -1)
383 return (ret);
384
385#ifdef RANDOM_UUID
386 /*
387 * Try to use sysctl CTL_KERN, KERN_RANDOM, RANDOM_UUID. sysctl is
388 * a failsafe API, so it guarantees a result. This should work
389 * inside a chroot, or when file descriptors are exhuasted.
390 *
391 * However this can fail if the Linux kernel removes support for sysctl.
392 * Starting in 2007, there have been efforts to deprecate the sysctl
393 * API/ABI, and push callers towards use of the chroot-unavailable
394 * fd-using /proc mechanism -- essentially the same problems as
395 * /dev/urandom.
396 *
397 * Numerous setbacks have been encountered in their deprecation
398 * schedule, so as of June 2014 the kernel ABI still exists. The
399 * sysctl() stub in libc is missing on some systems. There are
400 * also reports that some kernels spew messages to the console.
401 */
402 ret = getentropy_sysctl(buf, len);
403 if (ret != -1)
404 return (ret);
405#endif /* RANDOM_UUID */
406
407 /*
408 * Entropy collection via /dev/urandom and sysctl have failed.
409 *
410 * No other API exists for collecting entropy. See the large
411 * comment block above.
412 *
413 * We have very few options:
414 * - Even syslog_r is unsafe to call at this low level, so
415 * there is no way to alert the user or program.
416 * - Cannot call abort() because some systems have unsafe corefiles.
417 * - Could raise(SIGKILL) resulting in silent program termination.
418 * - Return EIO, to hint that arc4random's stir function
419 * should raise(SIGKILL)
420 * - Do the best under the circumstances....
421 *
422 * This code path exists to bring light to the issue that Linux
423 * does not provide a failsafe API for entropy collection.
424 *
425 * We hope this demonstrates that Linux should either retain their
426 * sysctl ABI, or consider providing a new failsafe API which
427 * works in a chroot or when file descriptors are exhausted.
428 */
429#undef FAIL_HARD_WHEN_LINUX_DEPRECATES_SYSCTL
430#ifdef FAIL_HARD_WHEN_LINUX_DEPRECATES_SYSCTL
431 raise(SIGKILL);
432#endif
433 ret = getentropy_fallback(buf, len);
434 if (ret != -1)
435 return (ret);
436
437 errno = EIO;
438 return (ret);
439}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 00:49:34 +0000