LCOV - code coverage report
Current view: top level - random - random-csprng.c (source / functions) Hit Total Coverage
Test: coverage.info Lines: 175 347 50.4 %
Date: 2017-03-02 16:44:37 Functions: 17 27 63.0 %

          Line data    Source code
       1             : /* random-csprng.c - CSPRNG style random number generator (libgcrypt classic)
       2             :  * Copyright (C) 1998, 2000, 2001, 2002, 2003, 2004, 2005, 2006,
       3             :  *               2007, 2008, 2010, 2012  Free Software Foundation, Inc.
       4             :  *
       5             :  * This file is part of Libgcrypt.
       6             :  *
       7             :  * Libgcrypt is free software; you can redistribute it and/or modify
       8             :  * it under the terms of the GNU Lesser General Public License as
       9             :  * published by the Free Software Foundation; either version 2.1 of
      10             :  * the License, or (at your option) any later version.
      11             :  *
      12             :  * Libgcrypt is distributed in the hope that it will be useful,
      13             :  * but WITHOUT ANY WARRANTY; without even the implied warranty of
      14             :  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      15             :  * GNU Lesser General Public License for more details.
      16             :  *
      17             :  * You should have received a copy of the GNU Lesser General Public
      18             :  * License along with this program; if not, see <http://www.gnu.org/licenses/>.
      19             :  */
      20             : 
      21             : /*
      22             :    This random number generator is modelled after the one described in
      23             :    Peter Gutmann's 1998 Usenix Security Symposium paper: "Software
      24             :    Generation of Practically Strong Random Numbers".  See also chapter
      25             :    6 in his book "Cryptographic Security Architecture", New York,
      26             :    2004, ISBN 0-387-95387-6.
      27             : 
      28             :    Note that the acronym CSPRNG stands for "Continuously Seeded
      29             :    PseudoRandom Number Generator" as used in Peter's implementation of
      30             :    the paper and not only for "Cryptographically Secure PseudoRandom
      31             :    Number Generator".
      32             :  */
      33             : 
      34             : 
      35             : #include <config.h>
      36             : #include <stdio.h>
      37             : #include <stdlib.h>
      38             : #include <errno.h>
      39             : #include <string.h>
      40             : #include <sys/time.h>
      41             : #include <sys/types.h>
      42             : #include <sys/stat.h>
      43             : #include <unistd.h>
      44             : #include <fcntl.h>
      45             : #include <time.h>
      46             : #ifdef  HAVE_GETHRTIME
      47             : #include <sys/times.h>
      48             : #endif
      49             : #ifdef HAVE_GETTIMEOFDAY
      50             : #include <sys/time.h>
      51             : #endif
      52             : #ifdef HAVE_GETRUSAGE
      53             : #include <sys/resource.h>
      54             : #endif
      55             : #ifdef __MINGW32__
      56             : #include <process.h>
      57             : #endif
      58             : #include "g10lib.h"
      59             : #include "random.h"
      60             : #include "rand-internal.h"
      61             : #include "cipher.h"         /* _gcry_sha1_hash_buffer  */
      62             : #include "../cipher/sha1.h" /* _gcry_sha1_mixblock     */
      63             : 
      64             : #ifndef RAND_MAX   /* For SunOS. */
      65             : #define RAND_MAX 32767
      66             : #endif
      67             : 
      68             : /* Check whether we can lock the seed file read write. */
      69             : #if defined(HAVE_FCNTL) && defined(HAVE_FTRUNCATE) && !defined(HAVE_W32_SYSTEM)
      70             : #define LOCK_SEED_FILE 1
      71             : #else
      72             : #define LOCK_SEED_FILE 0
      73             : #endif
      74             : 
      75             : /* Define the constant we use for transforming the pool at read-out. */
      76             : #if SIZEOF_UNSIGNED_LONG == 8
      77             : #define ADD_VALUE 0xa5a5a5a5a5a5a5a5
      78             : #elif SIZEOF_UNSIGNED_LONG == 4
      79             : #define ADD_VALUE 0xa5a5a5a5
      80             : #else
      81             : #error weird size for an unsigned long
      82             : #endif
      83             : 
      84             : /* Contstants pertaining to the hash pool. */
      85             : #define BLOCKLEN  64   /* Hash this amount of bytes... */
      86             : #define DIGESTLEN 20   /* ... into a digest of this length (sha-1). */
      87             : /* POOLBLOCKS is the number of digests which make up the pool.  */
      88             : #define POOLBLOCKS 30
      89             : /* POOLSIZE must be a multiple of the digest length to make the AND
      90             :    operations faster, the size should also be a multiple of unsigned
      91             :    long.  */
      92             : #define POOLSIZE (POOLBLOCKS*DIGESTLEN)
      93             : #if (POOLSIZE % SIZEOF_UNSIGNED_LONG)
      94             : #error Please make sure that poolsize is a multiple of unsigned long
      95             : #endif
      96             : #define POOLWORDS (POOLSIZE / SIZEOF_UNSIGNED_LONG)
      97             : 
      98             : 
      99             : /* RNDPOOL is the pool we use to collect the entropy and to stir it
     100             :    up.  Its allocated size is POOLSIZE+BLOCKLEN.  Note that this is
     101             :    also an indication on whether the module has been fully
     102             :    initialized. */
     103             : static unsigned char *rndpool;
     104             : 
     105             : /* KEYPOOL is used as a scratch copy to read out random from RNDPOOL.
     106             :    Its allocated size is also POOLSIZE+BLOCKLEN.  */
     107             : static unsigned char *keypool;
     108             : 
     109             : /* This is the offset into RNDPOOL where the next random bytes are to
     110             :    be mixed in.  */
     111             : static size_t pool_writepos;
     112             : 
     113             : /* When reading data out of KEYPOOL, we start the read at different
     114             :    positions.  This variable keeps track on where to read next.  */
     115             : static size_t pool_readpos;
     116             : 
     117             : /* This flag is set to true as soon as the pool has been completely
     118             :    filled the first time.  This may happen either by rereading a seed
     119             :    file or by adding enough entropy.  */
     120             : static int pool_filled;
     121             : 
     122             : /* This counter is used to track whether the initial seeding has been
     123             :    done with enough bytes from a reliable entropy source.  */
     124             : static size_t pool_filled_counter;
     125             : 
     126             : /* If random of level GCRY_VERY_STRONG_RANDOM has been requested we
     127             :    have stricter requirements on what kind of entropy is in the pool.
     128             :    In particular POOL_FILLED is not sufficient.  Thus we add some
     129             :    extra seeding and set this flag to true if the extra seeding has
     130             :    been done.  */
     131             : static int did_initial_extra_seeding;
     132             : 
     133             : /* This variable is used to estimated the amount of fresh entropy
     134             :    available in RNDPOOL.  */
     135             : static int pool_balance;
     136             : 
     137             : /* After a mixing operation this variable will be set to true and
     138             :    cleared if new entropy has been added or a remix is required for
     139             :    other reasons.  */
     140             : static int just_mixed;
     141             : 
     142             : /* The name of the seed file or NULL if no seed file has been defined.
     143             :    The seed file needs to be regsitered at initialiation time.  We
     144             :    keep a malloced copy here.  */
     145             : static char *seed_file_name;
     146             : 
     147             : /* If a seed file has been registered and maybe updated on exit this
     148             :    flag set. */
     149             : static int allow_seed_file_update;
     150             : 
     151             : /* Option flag set at initialiation time to force allocation of the
     152             :    pool in secure memory.  */
     153             : static int secure_alloc;
     154             : 
     155             : /* This function pointer is set to the actual entropy gathering
     156             :    function during initialization.  After initialization it is
     157             :    guaranteed to point to function.  (On systems without a random
     158             :    gatherer module a dummy function is used).*/
     159             : static int (*slow_gather_fnc)(void (*)(const void*, size_t,
     160             :                                        enum random_origins),
     161             :                               enum random_origins, size_t, int);
     162             : 
     163             : /* This function is set to the actual fast entropy gathering function
     164             :    during initialization.  If it is NULL, no such function is
     165             :    available. */
     166             : static void (*fast_gather_fnc)(void (*)(const void*, size_t,
     167             :                                         enum random_origins),
     168             :                                enum random_origins);
     169             : 
     170             : 
     171             : /* Option flag useful for debugging and the test suite.  If set
     172             :    requests for very strong random are degraded to strong random.  Not
     173             :    used by regular applications.  */
     174             : static int quick_test;
     175             : 
     176             : /* This is the lock we use to protect all pool operations.  */
     177             : GPGRT_LOCK_DEFINE (pool_lock);
     178             : 
     179             : /* This is a helper for assert calls.  These calls are used to assert
     180             :    that functions are called in a locked state.  It is not meant to be
     181             :    thread-safe but as a method to get aware of missing locks in the
     182             :    test suite.  */
     183             : static int pool_is_locked;
     184             : 
     185             : 
     186             : /* We keep some counters in this structure for the sake of the
     187             :    _gcry_random_dump_stats () function.  */
     188             : static struct
     189             : {
     190             :   unsigned long mixrnd;
     191             :   unsigned long mixkey;
     192             :   unsigned long slowpolls;
     193             :   unsigned long fastpolls;
     194             :   unsigned long getbytes1;
     195             :   unsigned long ngetbytes1;
     196             :   unsigned long getbytes2;
     197             :   unsigned long ngetbytes2;
     198             :   unsigned long addbytes;
     199             :   unsigned long naddbytes;
     200             : } rndstats;
     201             : 
     202             : 
     203             : 
     204             : /* --- Stuff pertaining to the random daemon support. --- */
     205             : #ifdef USE_RANDOM_DAEMON
     206             : 
     207             : /* If ALLOW_DAEMON is true, the module will try to use the random
     208             :    daemon first.  If the daemon has failed, this variable is set to
     209             :    back to false and the code continues as normal.  Note, we don't
     210             :    test this flag in a locked state because a wrong value does not
     211             :    harm and the trhead will find out itself that the daemon does not
     212             :    work and set it (again) to false.  */
     213             : static int allow_daemon;
     214             : 
     215             : /* During initialization, the user may set a non-default socket name
     216             :    for accessing the random daemon.  If this value is NULL, the
     217             :    default name will be used. */
     218             : static char *daemon_socket_name;
     219             : 
     220             : #endif /*USE_RANDOM_DAEMON*/
     221             : 
     222             : 
     223             : 
     224             : /* ---  Prototypes  --- */
     225             : static void read_pool (byte *buffer, size_t length, int level );
     226             : static void add_randomness (const void *buffer, size_t length,
     227             :                             enum random_origins origin);
     228             : static void random_poll (void);
     229             : static void do_fast_random_poll (void);
     230             : static int (*getfnc_gather_random (void))(void (*)(const void*, size_t,
     231             :                                                    enum random_origins),
     232             :                                           enum random_origins, size_t, int);
     233             : static void (*getfnc_fast_random_poll (void))(void (*)(const void*, size_t,
     234             :                                                        enum random_origins),
     235             :                                               enum random_origins);
     236             : static void read_random_source (enum random_origins origin,
     237             :                                 size_t length, int level);
     238             : 
     239             : 
     240             : 
     241             : /* ---  Functions  --- */
     242             : 
     243             : 
     244             : /* Basic initialization which is required to initialize mutexes and
     245             :    such.  It does not run a full initialization so that the filling of
     246             :    the random pool can be delayed until it is actually needed.  We
     247             :    assume that this function is used before any concurrent access
     248             :    happens. */
     249             : static void
     250       86230 : initialize_basics(void)
     251             : {
     252             :   static int initialized;
     253             : 
     254       86230 :   if (!initialized)
     255             :     {
     256          32 :       initialized = 1;
     257             : 
     258             : #ifdef USE_RANDOM_DAEMON
     259             :       _gcry_daemon_initialize_basics ();
     260             : #endif /*USE_RANDOM_DAEMON*/
     261             : 
     262             :       /* Make sure that we are still using the values we have
     263             :          traditionally used for the random levels.  */
     264             :       gcry_assert (GCRY_WEAK_RANDOM == 0
     265             :                    && GCRY_STRONG_RANDOM == 1
     266             :                    && GCRY_VERY_STRONG_RANDOM == 2);
     267             :     }
     268       86230 : }
     269             : 
     270             : /* Take the pool lock. */
     271             : static void
     272       87046 : lock_pool (void)
     273             : {
     274             :   int err;
     275             : 
     276       87046 :   err = gpgrt_lock_lock (&pool_lock);
     277       87047 :   if (err)
     278           0 :     log_fatal ("failed to acquire the pool lock: %s\n", gpg_strerror (err));
     279       87047 :   pool_is_locked = 1;
     280       87047 : }
     281             : 
     282             : /* Release the pool lock. */
     283             : static void
     284       87047 : unlock_pool (void)
     285             : {
     286             :   int err;
     287             : 
     288       87047 :   pool_is_locked = 0;
     289       87047 :   err = gpgrt_lock_unlock (&pool_lock);
     290       87047 :   if (err)
     291           0 :     log_fatal ("failed to release the pool lock: %s\n", gpg_strerror (err));
     292       87047 : }
     293             : 
     294             : 
     295             : /* Full initialization of this module. */
     296             : static void
     297       17717 : initialize(void)
     298             : {
     299             :   /* Although the basic initialization should have happened already,
     300             :      we call it here to make sure that all prerequisites are met.  */
     301       17717 :   initialize_basics ();
     302             : 
     303             :   /* Now we can look the pool and complete the initialization if
     304             :      necessary.  */
     305       17717 :   lock_pool ();
     306       17718 :   if (!rndpool)
     307             :     {
     308             :       /* The data buffer is allocated somewhat larger, so that we can
     309             :          use this extra space (which is allocated in secure memory) as
     310             :          a temporary hash buffer */
     311          18 :       rndpool = (secure_alloc
     312          18 :                  ? xcalloc_secure (1, POOLSIZE + BLOCKLEN)
     313             :                  : xcalloc (1, POOLSIZE + BLOCKLEN));
     314          18 :       keypool = (secure_alloc
     315          18 :                  ? xcalloc_secure (1, POOLSIZE + BLOCKLEN)
     316             :                  : xcalloc (1, POOLSIZE + BLOCKLEN));
     317             : 
     318             :       /* Setup the slow entropy gathering function.  The code requires
     319             :          that this function exists. */
     320          18 :       slow_gather_fnc = getfnc_gather_random ();
     321             : 
     322             :       /* Setup the fast entropy gathering function.  */
     323          18 :       fast_gather_fnc = getfnc_fast_random_poll ();
     324             : 
     325             :     }
     326       17718 :   unlock_pool ();
     327       17718 : }
     328             : 
     329             : 
     330             : 
     331             : 
     332             : /* Initialize this random subsystem.  If FULL is false, this function
     333             :    merely calls the initialize and does not do anything more.  Doing
     334             :    this is not really required but when running in a threaded
     335             :    environment we might get a race condition otherwise. */
     336             : void
     337       16901 : _gcry_rngcsprng_initialize (int full)
     338             : {
     339       16901 :   if (!full)
     340          28 :     initialize_basics ();
     341             :   else
     342       16873 :     initialize ();
     343       16902 : }
     344             : 
     345             : 
     346             : /* Try to close the FDs of the random gather module.  This is
     347             :    currently only implemented for rndlinux. */
     348             : void
     349           0 : _gcry_rngcsprng_close_fds (void)
     350             : {
     351           0 :   lock_pool ();
     352             : #if USE_RNDLINUX
     353           0 :   _gcry_rndlinux_gather_random (NULL, 0, 0, 0);
     354           0 :   pool_filled = 0; /* Force re-open on next use.  */
     355             : #endif
     356           0 :   unlock_pool ();
     357           0 : }
     358             : 
     359             : 
     360             : void
     361           0 : _gcry_rngcsprng_dump_stats (void)
     362             : {
     363             :   /* In theory we would need to lock the stats here.  However this
     364             :      function is usually called during cleanup and then we _might_ run
     365             :      into problems.  */
     366             : 
     367           0 :   log_info ("random usage: poolsize=%d mixed=%lu polls=%lu/%lu added=%lu/%lu\n"
     368             :             "              outmix=%lu getlvl1=%lu/%lu getlvl2=%lu/%lu%s\n",
     369             :             POOLSIZE, rndstats.mixrnd, rndstats.slowpolls, rndstats.fastpolls,
     370             :             rndstats.naddbytes, rndstats.addbytes,
     371             :             rndstats.mixkey, rndstats.ngetbytes1, rndstats.getbytes1,
     372             :             rndstats.ngetbytes2, rndstats.getbytes2,
     373           0 :             _gcry_rndhw_failed_p()? " (hwrng failed)":"");
     374           0 : }
     375             : 
     376             : 
     377             : /* This function should be called during initialization and before
     378             :    initialization of this module to place the random pools into secure
     379             :    memory.  */
     380             : void
     381           0 : _gcry_rngcsprng_secure_alloc (void)
     382             : {
     383           0 :   secure_alloc = 1;
     384           0 : }
     385             : 
     386             : 
     387             : /* This may be called before full initialization to degrade the
     388             :    quality of the RNG for the sake of a faster running test suite.  */
     389             : void
     390          18 : _gcry_rngcsprng_enable_quick_gen (void)
     391             : {
     392          18 :   quick_test = 1;
     393          18 : }
     394             : 
     395             : 
     396             : void
     397           0 : _gcry_rngcsprng_set_daemon_socket (const char *socketname)
     398             : {
     399             : #ifdef USE_RANDOM_DAEMON
     400             :   if (daemon_socket_name)
     401             :     BUG ();
     402             : 
     403             :   daemon_socket_name = gcry_xstrdup (socketname);
     404             : #else /*!USE_RANDOM_DAEMON*/
     405             :   (void)socketname;
     406             : #endif /*!USE_RANDOM_DAEMON*/
     407           0 : }
     408             : 
     409             : /* With ONOFF set to 1, enable the use of the daemon.  With ONOFF set
     410             :    to 0, disable the use of the daemon.  With ONOF set to -1, return
     411             :    whether the daemon has been enabled. */
     412             : int
     413           0 : _gcry_rngcsprng_use_daemon (int onoff)
     414             : {
     415             : #ifdef USE_RANDOM_DAEMON
     416             :   int last;
     417             : 
     418             :   /* This is not really thread safe.  However it is expected that this
     419             :      function is being called during initialization and at that point
     420             :      we are for other reasons not really thread safe.  We do not want
     421             :      to lock it because we might eventually decide that this function
     422             :      may even be called prior to gcry_check_version.  */
     423             :   last = allow_daemon;
     424             :   if (onoff != -1)
     425             :     allow_daemon = onoff;
     426             : 
     427             :   return last;
     428             : #else /*!USE_RANDOM_DAEMON*/
     429             :   (void)onoff;
     430           0 :   return 0;
     431             : #endif /*!USE_RANDOM_DAEMON*/
     432             : }
     433             : 
     434             : 
     435             : /* This function returns true if no real RNG is available or the
     436             :    quality of the RNG has been degraded for test purposes.  */
     437             : int
     438           0 : _gcry_rngcsprng_is_faked (void)
     439             : {
     440             :   /* We need to initialize due to the runtime determination of
     441             :      available entropy gather modules.  */
     442           0 :   initialize();
     443           0 :   return quick_test;
     444             : }
     445             : 
     446             : 
     447             : /* Add BUFLEN bytes from BUF to the internal random pool.  QUALITY
     448             :    should be in the range of 0..100 to indicate the goodness of the
     449             :    entropy added, or -1 for goodness not known.  */
     450             : gcry_error_t
     451           0 : _gcry_rngcsprng_add_bytes (const void *buf, size_t buflen, int quality)
     452             : {
     453             :   size_t nbytes;
     454             :   const char *bufptr;
     455             : 
     456           0 :   if (quality == -1)
     457           0 :     quality = 35;
     458           0 :   else if (quality > 100)
     459           0 :     quality = 100;
     460           0 :   else if (quality < 0)
     461           0 :     quality = 0;
     462             : 
     463           0 :   if (!buf)
     464           0 :     return gpg_error (GPG_ERR_INV_ARG);
     465             : 
     466           0 :   if (!buflen || quality < 10)
     467           0 :     return 0; /* Take a shortcut. */
     468             : 
     469             :   /* Because we don't increment the entropy estimation with FASTPOLL,
     470             :      we don't need to take lock that estimation while adding from an
     471             :      external source.  This limited entropy estimation also means that
     472             :      we can't take QUALITY into account.  */
     473           0 :   initialize_basics ();
     474           0 :   bufptr = buf;
     475           0 :   while (buflen)
     476             :     {
     477           0 :       nbytes = buflen > POOLSIZE? POOLSIZE : buflen;
     478           0 :       lock_pool ();
     479           0 :       if (rndpool)
     480           0 :         add_randomness (bufptr, nbytes, RANDOM_ORIGIN_EXTERNAL);
     481           0 :       unlock_pool ();
     482           0 :       bufptr += nbytes;
     483           0 :       buflen -= nbytes;
     484             :     }
     485           0 :   return 0;
     486             : }
     487             : 
     488             : 
     489             : /* Public function to fill the buffer with LENGTH bytes of
     490             :    cryptographically strong random bytes.  Level GCRY_WEAK_RANDOM is
     491             :    not very strong, GCRY_STRONG_RANDOM is strong enough for most
     492             :    usage, GCRY_VERY_STRONG_RANDOM is good for key generation stuff but
     493             :    may be very slow.  */
     494             : void
     495         844 : _gcry_rngcsprng_randomize (void *buffer, size_t length,
     496             :                            enum gcry_random_level level)
     497             : {
     498             :   unsigned char *p;
     499             : 
     500             :   /* Make sure we are initialized. */
     501         844 :   initialize ();
     502             : 
     503             :   /* Handle our hack used for regression tests of Libgcrypt. */
     504         844 :   if ( quick_test && level > GCRY_STRONG_RANDOM )
     505          75 :     level = GCRY_STRONG_RANDOM;
     506             : 
     507             :   /* Make sure the level is okay. */
     508         844 :   level &= 3;
     509             : 
     510             : #ifdef USE_RANDOM_DAEMON
     511             :   if (allow_daemon
     512             :       && !_gcry_daemon_randomize (daemon_socket_name, buffer, length, level))
     513             :     return; /* The daemon succeeded. */
     514             :   allow_daemon = 0; /* Daemon failed - switch off. */
     515             : #endif /*USE_RANDOM_DAEMON*/
     516             : 
     517             :   /* Acquire the pool lock. */
     518         844 :   lock_pool ();
     519             : 
     520             :   /* Update the statistics. */
     521         844 :   if (level >= GCRY_VERY_STRONG_RANDOM)
     522             :     {
     523           0 :       rndstats.getbytes2 += length;
     524           0 :       rndstats.ngetbytes2++;
     525             :     }
     526             :   else
     527             :     {
     528         844 :       rndstats.getbytes1 += length;
     529         844 :       rndstats.ngetbytes1++;
     530             :     }
     531             : 
     532             :   /* Read the random into the provided buffer. */
     533        2532 :   for (p = buffer; length > 0;)
     534             :     {
     535             :       size_t n;
     536             : 
     537         844 :       n = length > POOLSIZE? POOLSIZE : length;
     538         844 :       read_pool (p, n, level);
     539         844 :       length -= n;
     540         844 :       p += n;
     541             :     }
     542             : 
     543             :   /* Release the pool lock. */
     544         844 :   unlock_pool ();
     545         844 : }
     546             : 
     547             : 
     548             : 
     549             : 
     550             : /*
     551             :  * Mix the 600 byte pool.  Note that the 64 byte scratch area directly
     552             :  * follows the pool.  The numbers in the diagram give the number of
     553             :  * bytes.
     554             :  *         <................600...............>   <.64.>
     555             :  * pool   |------------------------------------| |------|
     556             :  *         <20><.24.>                      <20>
     557             :  *          |     |                         +-----+
     558             :  *          +-----|-------------------------------|-+
     559             :  *                +-------------------------------|-|-+
     560             :  *                                                v v v
     561             :  *                                               |------|
     562             :  *                                                <hash>
     563             :  *          +---------------------------------------+
     564             :  *          v
     565             :  *         <20>
     566             :  * pool'  |------------------------------------|
     567             :  *         <20><20><.24.>
     568             :  *          +---|-----|---------------------------+
     569             :  *              +-----|---------------------------|-+
     570             :  *                    +---------------------------|-|-+
     571             :  *                                                v v v
     572             :  *                                               |------|
     573             :  *                                                <hash>
     574             :  *                                                  |
     575             :  *              +-----------------------------------+
     576             :  *              v
     577             :  *             <20>
     578             :  * pool'' |------------------------------------|
     579             :  *         <20><20><20><.24.>
     580             :  *              +---|-----|-----------------------+
     581             :  *                  +-----|-----------------------|-+
     582             :  *                        +-----------------------|-|-+
     583             :  *                                                v v v
     584             :  *
     585             :  * and so on until we did this for all 30 blocks.
     586             :  *
     587             :  * To better protect against implementation errors in this code, we
     588             :  * xor a digest of the entire pool into the pool before mixing.
     589             :  *
     590             :  * Note: this function must only be called with a locked pool.
     591             :  */
     592             : static void
     593       13672 : mix_pool(unsigned char *pool)
     594             : {
     595             :   static unsigned char failsafe_digest[DIGESTLEN];
     596             :   static int failsafe_digest_valid;
     597             : 
     598       13672 :   unsigned char *hashbuf = pool + POOLSIZE;
     599             :   unsigned char *p, *pend;
     600             :   int i, n;
     601             :   SHA1_CONTEXT md;
     602             :   unsigned int nburn;
     603             : 
     604             : #if DIGESTLEN != 20
     605             : #error must have a digest length of 20 for SHA-1
     606             : #endif
     607             : 
     608       13672 :   gcry_assert (pool_is_locked);
     609       13672 :   _gcry_sha1_mixblock_init (&md);
     610             : 
     611             :   /* pool_0 -> pool'.  */
     612       13672 :   pend = pool + POOLSIZE;
     613       13672 :   memcpy (hashbuf, pend - DIGESTLEN, DIGESTLEN);
     614       13672 :   memcpy (hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
     615       13672 :   nburn = _gcry_sha1_mixblock (&md, hashbuf);
     616       13672 :   memcpy (pool, hashbuf, DIGESTLEN);
     617             : 
     618       13672 :   if (failsafe_digest_valid && pool == rndpool)
     619             :     {
     620      269010 :       for (i=0; i < DIGESTLEN; i++)
     621      256200 :         pool[i] ^= failsafe_digest[i];
     622             :     }
     623             : 
     624             :   /* Loop for the remaining iterations.  */
     625       13672 :   p = pool;
     626      410160 :   for (n=1; n < POOLBLOCKS; n++)
     627             :     {
     628      396488 :       if (p + BLOCKLEN < pend)
     629      369144 :         memcpy (hashbuf, p, BLOCKLEN);
     630             :       else
     631             :         {
     632       27344 :           unsigned char *pp = p;
     633             : 
     634     1777360 :           for (i=0; i < BLOCKLEN; i++ )
     635             :             {
     636     1750016 :               if ( pp >= pend )
     637       27344 :                 pp = pool;
     638     1750016 :               hashbuf[i] = *pp++;
     639             :             }
     640             :         }
     641             : 
     642      396488 :       _gcry_sha1_mixblock (&md, hashbuf);
     643      396488 :       p += DIGESTLEN;
     644      396488 :       memcpy (p, hashbuf, DIGESTLEN);
     645             :     }
     646             : 
     647             :   /* Our hash implementation does only leave small parts (64 bytes)
     648             :      of the pool on the stack, so it is okay not to require secure
     649             :      memory here.  Before we use this pool, it will be copied to the
     650             :      help buffer anyway. */
     651       13672 :   if ( pool == rndpool)
     652             :     {
     653       12828 :       _gcry_sha1_hash_buffer (failsafe_digest, pool, POOLSIZE);
     654       12828 :       failsafe_digest_valid = 1;
     655             :     }
     656             : 
     657       13672 :   _gcry_burn_stack (nburn);
     658       13672 : }
     659             : 
     660             : 
     661             : void
     662           0 : _gcry_rngcsprng_set_seed_file (const char *name)
     663             : {
     664           0 :   if (seed_file_name)
     665           0 :     BUG ();
     666           0 :   seed_file_name = xstrdup (name);
     667           0 : }
     668             : 
     669             : 
     670             : /* Lock an open file identified by file descriptor FD and wait a
     671             :    reasonable time to succeed.  With FOR_WRITE set to true a write
     672             :    lock will be taken.  FNAME is used only for diagnostics. Returns 0
     673             :    on success or -1 on error. */
     674             : static int
     675           0 : lock_seed_file (int fd, const char *fname, int for_write)
     676             : {
     677             : #ifdef __GCC__
     678             : #warning Check whether we can lock on Windows.
     679             : #endif
     680             : #if LOCK_SEED_FILE
     681             :   struct flock lck;
     682             :   struct timeval tv;
     683           0 :   int backoff=0;
     684             : 
     685             :   /* We take a lock on the entire file. */
     686           0 :   memset (&lck, 0, sizeof lck);
     687           0 :   lck.l_type = for_write? F_WRLCK : F_RDLCK;
     688           0 :   lck.l_whence = SEEK_SET;
     689             : 
     690           0 :   while (fcntl (fd, F_SETLK, &lck) == -1)
     691             :     {
     692           0 :       if (errno != EAGAIN && errno != EACCES)
     693             :         {
     694           0 :           log_info (_("can't lock `%s': %s\n"), fname, strerror (errno));
     695           0 :           return -1;
     696             :         }
     697             : 
     698           0 :       if (backoff > 2) /* Show the first message after ~2.25 seconds. */
     699           0 :         log_info( _("waiting for lock on `%s'...\n"), fname);
     700             : 
     701           0 :       tv.tv_sec = backoff;
     702           0 :       tv.tv_usec = 250000;
     703           0 :       select (0, NULL, NULL, NULL, &tv);
     704           0 :       if (backoff < 10)
     705           0 :         backoff++ ;
     706             :     }
     707             : #endif /*!LOCK_SEED_FILE*/
     708           0 :   return 0;
     709             : }
     710             : 
     711             : 
     712             : /* Read in a seed from the random_seed file and return true if this
     713             :    was successful.
     714             : 
     715             :    Note: Multiple instances of applications sharing the same random
     716             :    seed file can be started in parallel, in which case they will read
     717             :    out the same pool and then race for updating it (the last update
     718             :    overwrites earlier updates).  They will differentiate only by the
     719             :    weak entropy that is added in read_seed_file based on the PID and
     720             :    clock, and up to 16 bytes of weak random non-blockingly.  The
     721             :    consequence is that the output of these different instances is
     722             :    correlated to some extent.  In the perfect scenario, the attacker
     723             :    can control (or at least guess) the PID and clock of the
     724             :    application, and drain the system's entropy pool to reduce the "up
     725             :    to 16 bytes" above to 0.  Then the dependencies of the initial
     726             :    states of the pools are completely known.  */
     727             : static int
     728          18 : read_seed_file (void)
     729             : {
     730             :   int fd;
     731             :   struct stat sb;
     732             :   unsigned char buffer[POOLSIZE];
     733             :   int n;
     734             : 
     735          18 :   gcry_assert (pool_is_locked);
     736             : 
     737          18 :   if (!seed_file_name)
     738          18 :     return 0;
     739             : 
     740             : #ifdef HAVE_DOSISH_SYSTEM
     741             :   fd = open( seed_file_name, O_RDONLY | O_BINARY );
     742             : #else
     743           0 :   fd = open( seed_file_name, O_RDONLY );
     744             : #endif
     745           0 :   if( fd == -1 && errno == ENOENT)
     746             :     {
     747           0 :       allow_seed_file_update = 1;
     748           0 :       return 0;
     749             :     }
     750             : 
     751           0 :   if (fd == -1 )
     752             :     {
     753           0 :       log_info(_("can't open `%s': %s\n"), seed_file_name, strerror(errno) );
     754           0 :       return 0;
     755             :     }
     756           0 :   if (lock_seed_file (fd, seed_file_name, 0))
     757             :     {
     758           0 :       close (fd);
     759           0 :       return 0;
     760             :     }
     761           0 :   if (fstat( fd, &sb ) )
     762             :     {
     763           0 :       log_info(_("can't stat `%s': %s\n"), seed_file_name, strerror(errno) );
     764           0 :       close(fd);
     765           0 :       return 0;
     766             :     }
     767           0 :   if (!S_ISREG(sb.st_mode) )
     768             :     {
     769           0 :       log_info(_("`%s' is not a regular file - ignored\n"), seed_file_name );
     770           0 :       close(fd);
     771           0 :       return 0;
     772             :     }
     773           0 :   if (!sb.st_size )
     774             :     {
     775           0 :       log_info(_("note: random_seed file is empty\n") );
     776           0 :       close(fd);
     777           0 :       allow_seed_file_update = 1;
     778           0 :       return 0;
     779             :     }
     780           0 :   if (sb.st_size != POOLSIZE )
     781             :     {
     782           0 :       log_info(_("warning: invalid size of random_seed file - not used\n") );
     783           0 :       close(fd);
     784           0 :       return 0;
     785             :     }
     786             : 
     787             :   do
     788             :     {
     789           0 :       n = read( fd, buffer, POOLSIZE );
     790             :     }
     791           0 :   while (n == -1 && errno == EINTR );
     792             : 
     793           0 :   if (n != POOLSIZE)
     794             :     {
     795           0 :       log_fatal(_("can't read `%s': %s\n"), seed_file_name,strerror(errno) );
     796             :       close(fd);/*NOTREACHED*/
     797             :       return 0;
     798             :     }
     799             : 
     800           0 :   close(fd);
     801             : 
     802           0 :   add_randomness( buffer, POOLSIZE, RANDOM_ORIGIN_INIT );
     803             :   /* add some minor entropy to the pool now (this will also force a mixing) */
     804             :   {
     805           0 :     pid_t x = getpid();
     806           0 :     add_randomness( &x, sizeof(x), RANDOM_ORIGIN_INIT );
     807             :   }
     808             :   {
     809           0 :     time_t x = time(NULL);
     810           0 :     add_randomness( &x, sizeof(x), RANDOM_ORIGIN_INIT );
     811             :   }
     812             :   {
     813           0 :     clock_t x = clock();
     814           0 :     add_randomness( &x, sizeof(x), RANDOM_ORIGIN_INIT );
     815             :   }
     816             : 
     817             :   /* And read a few bytes from our entropy source.  By using a level
     818             :    * of 0 this will not block and might not return anything with some
     819             :    * entropy drivers, however the rndlinux driver will use
     820             :    * /dev/urandom and return some stuff - Do not read too much as we
     821             :    * want to be friendly to the scare system entropy resource. */
     822           0 :   read_random_source ( RANDOM_ORIGIN_INIT, 16, GCRY_WEAK_RANDOM );
     823             : 
     824           0 :   allow_seed_file_update = 1;
     825           0 :   return 1;
     826             : }
     827             : 
     828             : 
     829             : void
     830           0 : _gcry_rngcsprng_update_seed_file (void)
     831             : {
     832             :   unsigned long *sp, *dp;
     833             :   int fd, i;
     834             : 
     835             :   /* We do only a basic initialization so that we can lock the pool.
     836             :      This is required to cope with the case that this function is
     837             :      called by some cleanup code at a point where the RNG has never
     838             :      been initialized.  */
     839           0 :   initialize_basics ();
     840           0 :   lock_pool ();
     841             : 
     842           0 :   if ( !seed_file_name || !rndpool || !pool_filled )
     843             :     {
     844           0 :       unlock_pool ();
     845           0 :       return;
     846             :     }
     847           0 :   if ( !allow_seed_file_update )
     848             :     {
     849           0 :       unlock_pool ();
     850           0 :       log_info(_("note: random_seed file not updated\n"));
     851           0 :       return;
     852             :     }
     853             : 
     854             :   /* At this point we know that there is something in the pool and
     855             :      thus we can conclude that the pool has been fully initialized.  */
     856             : 
     857             : 
     858             :   /* Copy the entropy pool to a scratch pool and mix both of them. */
     859           0 :   for (i=0,dp=(unsigned long*)(void*)keypool, sp=(unsigned long*)(void*)rndpool;
     860           0 :        i < POOLWORDS; i++, dp++, sp++ )
     861             :     {
     862           0 :       *dp = *sp + ADD_VALUE;
     863             :     }
     864           0 :   mix_pool(rndpool); rndstats.mixrnd++;
     865           0 :   mix_pool(keypool); rndstats.mixkey++;
     866             : 
     867             : #if defined(HAVE_DOSISH_SYSTEM) || defined(__CYGWIN__)
     868             :   fd = open (seed_file_name, O_WRONLY|O_CREAT|O_TRUNC|O_BINARY,
     869             :              S_IRUSR|S_IWUSR );
     870             : #else
     871             : # if LOCK_SEED_FILE
     872           0 :     fd = open (seed_file_name, O_WRONLY|O_CREAT, S_IRUSR|S_IWUSR );
     873             : # else
     874             :     fd = open (seed_file_name, O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR );
     875             : # endif
     876             : #endif
     877             : 
     878           0 :   if (fd == -1 )
     879           0 :     log_info (_("can't create `%s': %s\n"), seed_file_name, strerror(errno) );
     880           0 :   else if (lock_seed_file (fd, seed_file_name, 1))
     881             :     {
     882           0 :       close (fd);
     883             :     }
     884             : #if LOCK_SEED_FILE
     885           0 :   else if (ftruncate (fd, 0))
     886             :     {
     887           0 :       log_info(_("can't write `%s': %s\n"), seed_file_name, strerror(errno));
     888           0 :       close (fd);
     889             :     }
     890             : #endif /*LOCK_SEED_FILE*/
     891             :   else
     892             :     {
     893             :       do
     894             :         {
     895           0 :           i = write (fd, keypool, POOLSIZE );
     896             :         }
     897           0 :       while (i == -1 && errno == EINTR);
     898           0 :       if (i != POOLSIZE)
     899           0 :         log_info (_("can't write `%s': %s\n"),seed_file_name, strerror(errno));
     900           0 :       if (close(fd))
     901           0 :         log_info (_("can't close `%s': %s\n"),seed_file_name, strerror(errno));
     902             :     }
     903             : 
     904           0 :   unlock_pool ();
     905             : }
     906             : 
     907             : 
     908             : /* Read random out of the pool.  This function is the core of the
     909             :    public random functions.  Note that Level GCRY_WEAK_RANDOM is not
     910             :    anymore handled special and in fact is an alias in the API for
     911             :    level GCRY_STRONG_RANDOM.  Must be called with the pool already
     912             :    locked.  */
     913             : static void
     914         844 : read_pool (byte *buffer, size_t length, int level)
     915             : {
     916             :   int i;
     917             :   unsigned long *sp, *dp;
     918             :   /* The volatile is there to make sure the compiler does not optimize
     919             :      the code away in case the getpid function is badly attributed.
     920             :      Note that we keep a pid in a static variable as well as in a
     921             :      stack based one; the latter is to detect ill behaving thread
     922             :      libraries, ignoring the pool mutexes. */
     923             :   static volatile pid_t my_pid = (pid_t)(-1);
     924             :   volatile pid_t my_pid2;
     925             : 
     926         844 :   gcry_assert (pool_is_locked);
     927             : 
     928             :  retry:
     929             :   /* Get our own pid, so that we can detect a fork. */
     930         844 :   my_pid2 = getpid ();
     931         844 :   if (my_pid == (pid_t)(-1))
     932          18 :     my_pid = my_pid2;
     933         844 :   if ( my_pid != my_pid2 )
     934             :     {
     935             :       /* We detected a plain fork; i.e. we are now the child.  Update
     936             :          the static pid and add some randomness. */
     937             :       pid_t x;
     938             : 
     939           0 :       my_pid = my_pid2;
     940           0 :       x = my_pid;
     941           0 :       add_randomness (&x, sizeof(x), RANDOM_ORIGIN_INIT);
     942           0 :       just_mixed = 0; /* Make sure it will get mixed. */
     943             :     }
     944             : 
     945         844 :   gcry_assert (pool_is_locked);
     946             : 
     947             :   /* Our code does not allow to extract more than POOLSIZE.  Better
     948             :      check it here. */
     949         844 :   if (length > POOLSIZE)
     950             :     {
     951           0 :       log_bug("too many random bits requested\n");
     952             :     }
     953             : 
     954         844 :   if (!pool_filled)
     955             :     {
     956          18 :       if (read_seed_file() )
     957           0 :         pool_filled = 1;
     958             :     }
     959             : 
     960             :   /* For level 2 quality (key generation) we always make sure that the
     961             :      pool has been seeded enough initially. */
     962         844 :   if (level == GCRY_VERY_STRONG_RANDOM && !did_initial_extra_seeding)
     963             :     {
     964             :       size_t needed;
     965             : 
     966           0 :       pool_balance = 0;
     967           0 :       needed = length - pool_balance;
     968           0 :       if (needed < 16)  /* At least 128 bits.  */
     969           0 :         needed = 16;
     970           0 :       else if( needed > POOLSIZE )
     971           0 :         BUG ();
     972           0 :       read_random_source (RANDOM_ORIGIN_EXTRAPOLL, needed,
     973             :                           GCRY_VERY_STRONG_RANDOM);
     974           0 :       pool_balance += needed;
     975           0 :       did_initial_extra_seeding = 1;
     976             :     }
     977             : 
     978             :   /* For level 2 make sure that there is enough random in the pool. */
     979         844 :   if (level == GCRY_VERY_STRONG_RANDOM && pool_balance < length)
     980             :     {
     981             :       size_t needed;
     982             : 
     983           0 :       if (pool_balance < 0)
     984           0 :         pool_balance = 0;
     985           0 :       needed = length - pool_balance;
     986           0 :       if (needed > POOLSIZE)
     987           0 :         BUG ();
     988           0 :       read_random_source (RANDOM_ORIGIN_EXTRAPOLL, needed,
     989             :                           GCRY_VERY_STRONG_RANDOM);
     990           0 :       pool_balance += needed;
     991             :     }
     992             : 
     993             :   /* Make sure the pool is filled. */
     994        2138 :   while (!pool_filled)
     995         450 :     random_poll();
     996             : 
     997             :   /* Always do a fast random poll (we have to use the unlocked version). */
     998         844 :   do_fast_random_poll();
     999             : 
    1000             :   /* Mix the pid in so that we for sure won't deliver the same random
    1001             :      after a fork. */
    1002             :   {
    1003         844 :     pid_t apid = my_pid;
    1004         844 :     add_randomness (&apid, sizeof (apid), RANDOM_ORIGIN_INIT);
    1005             :   }
    1006             : 
    1007             :   /* Mix the pool (if add_randomness() didn't it). */
    1008         844 :   if (!just_mixed)
    1009             :     {
    1010         678 :       mix_pool(rndpool);
    1011         678 :       rndstats.mixrnd++;
    1012             :     }
    1013             : 
    1014             :   /* Create a new pool. */
    1015       64988 :   for(i=0,dp=(unsigned long*)(void*)keypool, sp=(unsigned long*)(void*)rndpool;
    1016       63300 :       i < POOLWORDS; i++, dp++, sp++ )
    1017       63300 :     *dp = *sp + ADD_VALUE;
    1018             : 
    1019             :   /* Mix both pools. */
    1020         844 :   mix_pool(rndpool); rndstats.mixrnd++;
    1021         844 :   mix_pool(keypool); rndstats.mixkey++;
    1022             : 
    1023             :   /* Read the requested data.  We use a read pointer to read from a
    1024             :      different position each time.  */
    1025       40377 :   while (length--)
    1026             :     {
    1027       38689 :       *buffer++ = keypool[pool_readpos++];
    1028       38689 :       if (pool_readpos >= POOLSIZE)
    1029          61 :         pool_readpos = 0;
    1030       38689 :       pool_balance--;
    1031             :     }
    1032             : 
    1033         844 :   if (pool_balance < 0)
    1034         844 :     pool_balance = 0;
    1035             : 
    1036             :   /* Clear the keypool. */
    1037         844 :   memset (keypool, 0, POOLSIZE);
    1038             : 
    1039             :   /* We need to detect whether a fork has happened.  A fork might have
    1040             :      an identical pool and thus the child and the parent could emit
    1041             :      the very same random number.  This test here is to detect forks
    1042             :      in a multi-threaded process.  It does not work with all thread
    1043             :      implementations in particular not with pthreads.  However it is
    1044             :      good enough for GNU Pth. */
    1045         844 :   if ( getpid () != my_pid2 )
    1046             :     {
    1047           0 :       pid_t x = getpid();
    1048           0 :       add_randomness (&x, sizeof(x), RANDOM_ORIGIN_INIT);
    1049           0 :       just_mixed = 0; /* Make sure it will get mixed. */
    1050           0 :       my_pid = x;     /* Also update the static pid. */
    1051           0 :       goto retry;
    1052             :     }
    1053         844 : }
    1054             : 
    1055             : 
    1056             : 
    1057             : /* Add LENGTH bytes of randomness from buffer to the pool.  ORIGIN is
    1058             :    used to specify the randomness origin.  This is one of the
    1059             :    RANDOM_ORIGIN_* values. */
    1060             : static void
    1061      192479 : add_randomness (const void *buffer, size_t length, enum random_origins origin)
    1062             : {
    1063      192479 :   const unsigned char *p = buffer;
    1064      192479 :   size_t count = 0;
    1065             : 
    1066      192479 :   gcry_assert (pool_is_locked);
    1067             : 
    1068      192479 :   rndstats.addbytes += length;
    1069      192479 :   rndstats.naddbytes++;
    1070     7172046 :   while (length-- )
    1071             :     {
    1072     6787088 :       rndpool[pool_writepos++] ^= *p++;
    1073     6787088 :       count++;
    1074     6787088 :       if (pool_writepos >= POOLSIZE )
    1075             :         {
    1076             :           /* It is possible that we are invoked before the pool is
    1077             :              filled using an unreliable origin of entropy, for example
    1078             :              the fast random poll.  To avoid flagging the pool as
    1079             :              filled in this case, we track the initial filling state
    1080             :              separately.  See also the remarks about the seed file. */
    1081       11306 :           if (origin >= RANDOM_ORIGIN_SLOWPOLL && !pool_filled)
    1082             :             {
    1083          90 :               pool_filled_counter += count;
    1084          90 :               count = 0;
    1085          90 :               if (pool_filled_counter >= POOLSIZE)
    1086          18 :                 pool_filled = 1;
    1087             :             }
    1088       11306 :           pool_writepos = 0;
    1089       11306 :           mix_pool(rndpool); rndstats.mixrnd++;
    1090       11306 :           just_mixed = !length;
    1091             :         }
    1092             :     }
    1093      192479 : }
    1094             : 
    1095             : 
    1096             : 
    1097             : static void
    1098         450 : random_poll()
    1099             : {
    1100         450 :   rndstats.slowpolls++;
    1101         450 :   read_random_source (RANDOM_ORIGIN_SLOWPOLL, POOLSIZE/5, GCRY_STRONG_RANDOM);
    1102         450 : }
    1103             : 
    1104             : 
    1105             : /* Runtime determination of the slow entropy gathering module.  */
    1106             : static int (*
    1107          18 : getfnc_gather_random (void))(void (*)(const void*, size_t,
    1108             :                                       enum random_origins),
    1109             :                              enum random_origins, size_t, int)
    1110             : {
    1111             :   int (*fnc)(void (*)(const void*, size_t, enum random_origins),
    1112             :              enum random_origins, size_t, int);
    1113             : 
    1114             : #if USE_RNDLINUX
    1115          18 :   if ( !access (NAME_OF_DEV_RANDOM, R_OK)
    1116          18 :        && !access (NAME_OF_DEV_URANDOM, R_OK))
    1117             :     {
    1118          18 :       fnc = _gcry_rndlinux_gather_random;
    1119          18 :       return fnc;
    1120             :     }
    1121             : #endif
    1122             : 
    1123             : #if USE_RNDEGD
    1124             :   if ( _gcry_rndegd_connect_socket (1) != -1 )
    1125             :     {
    1126             :       fnc = _gcry_rndegd_gather_random;
    1127             :       return fnc;
    1128             :     }
    1129             : #endif
    1130             : 
    1131             : #if USE_RNDUNIX
    1132             :   fnc = _gcry_rndunix_gather_random;
    1133             :   return fnc;
    1134             : #endif
    1135             : 
    1136             : #if USE_RNDW32
    1137             :   fnc = _gcry_rndw32_gather_random;
    1138             :   return fnc;
    1139             : #endif
    1140             : 
    1141             : #if USE_RNDW32CE
    1142             :   fnc = _gcry_rndw32ce_gather_random;
    1143             :   return fnc;
    1144             : #endif
    1145             : 
    1146           0 :   log_fatal (_("no entropy gathering module detected\n"));
    1147             : 
    1148             :   return NULL; /*NOTREACHED*/
    1149             : }
    1150             : 
    1151             : /* Runtime determination of the fast entropy gathering function.
    1152             :    (Currently a compile time method is used.)  */
    1153             : static void (*
    1154          18 : getfnc_fast_random_poll (void))( void (*)(const void*, size_t,
    1155             :                                           enum random_origins),
    1156             :                                  enum random_origins)
    1157             : {
    1158             : #if USE_RNDW32
    1159             :   return _gcry_rndw32_gather_random_fast;
    1160             : #endif
    1161             : #if USE_RNDW32CE
    1162             :   return _gcry_rndw32ce_gather_random_fast;
    1163             : #endif
    1164          18 :   return NULL;
    1165             : }
    1166             : 
    1167             : 
    1168             : 
    1169             : static void
    1170       38237 : do_fast_random_poll (void)
    1171             : {
    1172       38237 :   gcry_assert (pool_is_locked);
    1173             : 
    1174       38237 :   rndstats.fastpolls++;
    1175             : 
    1176       38237 :   if (fast_gather_fnc)
    1177           0 :     fast_gather_fnc (add_randomness, RANDOM_ORIGIN_FASTPOLL);
    1178             : 
    1179             :   /* Continue with the generic functions. */
    1180             : #if HAVE_GETHRTIME
    1181             :   {
    1182             :     hrtime_t tv;
    1183             :     tv = gethrtime();
    1184             :     add_randomness( &tv, sizeof(tv), RANDOM_ORIGIN_FASTPOLL );
    1185             :   }
    1186             : #elif HAVE_GETTIMEOFDAY
    1187             :   {
    1188             :     struct timeval tv;
    1189       38237 :     if( gettimeofday( &tv, NULL ) )
    1190           0 :       BUG();
    1191       38237 :     add_randomness( &tv.tv_sec, sizeof(tv.tv_sec), RANDOM_ORIGIN_FASTPOLL );
    1192       38237 :     add_randomness( &tv.tv_usec, sizeof(tv.tv_usec), RANDOM_ORIGIN_FASTPOLL );
    1193             :   }
    1194             : #elif HAVE_CLOCK_GETTIME
    1195             :   {     struct timespec tv;
    1196             :   if( clock_gettime( CLOCK_REALTIME, &tv ) == -1 )
    1197             :     BUG();
    1198             :   add_randomness( &tv.tv_sec, sizeof(tv.tv_sec), RANDOM_ORIGIN_FASTPOLL );
    1199             :   add_randomness( &tv.tv_nsec, sizeof(tv.tv_nsec), RANDOM_ORIGIN_FASTPOLL );
    1200             :   }
    1201             : #else /* use times */
    1202             : # ifndef HAVE_DOSISH_SYSTEM
    1203             :   {     struct tms buf;
    1204             :   times( &buf );
    1205             :   add_randomness( &buf, sizeof buf, RANDOM_ORIGIN_FASTPOLL );
    1206             :   }
    1207             : # endif
    1208             : #endif
    1209             : 
    1210             : #ifdef HAVE_GETRUSAGE
    1211             : # ifdef RUSAGE_SELF
    1212             :   {
    1213             :     struct rusage buf;
    1214             :     /* QNX/Neutrino does return ENOSYS - so we just ignore it and add
    1215             :        whatever is in buf.  In a chroot environment it might not work
    1216             :        at all (i.e. because /proc/ is not accessible), so we better
    1217             :        ignore all error codes and hope for the best. */
    1218       38237 :     getrusage (RUSAGE_SELF, &buf );
    1219       38237 :     add_randomness( &buf, sizeof buf, RANDOM_ORIGIN_FASTPOLL );
    1220       38237 :     memset( &buf, 0, sizeof buf );
    1221             :   }
    1222             : # else /*!RUSAGE_SELF*/
    1223             : #  ifdef __GCC__
    1224             : #   warning There is no RUSAGE_SELF on this system
    1225             : #  endif
    1226             : # endif /*!RUSAGE_SELF*/
    1227             : #endif /*HAVE_GETRUSAGE*/
    1228             : 
    1229             :   /* Time and clock are available on all systems - so we better do it
    1230             :      just in case one of the above functions didn't work.  */
    1231             :   {
    1232       38237 :     time_t x = time(NULL);
    1233       38237 :     add_randomness( &x, sizeof(x), RANDOM_ORIGIN_FASTPOLL );
    1234             :   }
    1235             :   {
    1236       38237 :     clock_t x = clock();
    1237       38237 :     add_randomness( &x, sizeof(x), RANDOM_ORIGIN_FASTPOLL );
    1238             :   }
    1239             : 
    1240             :   /* If the system features a fast hardware RNG, read some bytes from
    1241             :      there.  */
    1242       38237 :   _gcry_rndhw_poll_fast (add_randomness, RANDOM_ORIGIN_FASTPOLL);
    1243       38237 : }
    1244             : 
    1245             : 
    1246             : /* The fast random pool function as called at some places in
    1247             :    libgcrypt.  This is merely a wrapper to make sure that this module
    1248             :    is initialized and to lock the pool.  Note, that this function is a
    1249             :    NOP unless a random function has been used or _gcry_initialize (1)
    1250             :    has been used.  We use this hack so that the internal use of this
    1251             :    function in cipher_open and md_open won't start filling up the
    1252             :    random pool, even if no random will be required by the process. */
    1253             : void
    1254       68485 : _gcry_rngcsprng_fast_poll (void)
    1255             : {
    1256       68485 :   initialize_basics ();
    1257             : 
    1258       68485 :   lock_pool ();
    1259       68485 :   if (rndpool)
    1260             :     {
    1261             :       /* Yes, we are fully initialized. */
    1262       37393 :       do_fast_random_poll ();
    1263             :     }
    1264       68485 :   unlock_pool ();
    1265       68485 : }
    1266             : 
    1267             : 
    1268             : 
    1269             : static void
    1270         450 : read_random_source (enum random_origins origin, size_t length, int level)
    1271             : {
    1272         450 :   if ( !slow_gather_fnc )
    1273           0 :     log_fatal ("Slow entropy gathering module not yet initialized\n");
    1274             : 
    1275         450 :   if (slow_gather_fnc (add_randomness, origin, length, level) < 0)
    1276           0 :     log_fatal ("No way to gather entropy for the RNG\n");
    1277         450 : }

Generated by: LCOV version 1.13