1 /* random.c - random number generator
2 * Copyright (C) 1998, 2000, 2001, 2002 Free Software Foundation, Inc.
4 * This file is part of Libgcrypt.
6 * Libgcrypt is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU Lesser General Public License as
8 * published by the Free Software Foundation; either version 2.1 of
9 * the License, or (at your option) any later version.
11 * Libgcrypt is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
22 * This random number generator is modelled after the one described
23 * in Peter Gutmann's Paper: "Software Generation of Practically
24 * Strong Random Numbers".
35 #include <sys/types.h>
41 #include <sys/times.h>
43 #ifdef HAVE_GETTIMEOFDAY
44 #include <sys/times.h>
47 #include <sys/resource.h>
55 #include "rand-internal.h"
57 #include "cipher.h" /* only used for the rmd160_hash_buffer() prototype */
60 #ifndef RAND_MAX /* for SunOS */
61 #define RAND_MAX 32767
65 #if SIZEOF_UNSIGNED_LONG == 8
66 #define ADD_VALUE 0xa5a5a5a5a5a5a5a5
67 #elif SIZEOF_UNSIGNED_LONG == 4
68 #define ADD_VALUE 0xa5a5a5a5
70 #error weird size for an unsigned long
73 #define BLOCKLEN 64 /* hash this amount of bytes */
74 #define DIGESTLEN 20 /* into a digest of this length (rmd160) */
75 /* poolblocks is the number of digests which make up the pool
76 * and poolsize must be a multiple of the digest length
77 * to make the AND operations faster, the size should also be
81 #define POOLSIZE (POOLBLOCKS*DIGESTLEN)
82 #if (POOLSIZE % SIZEOF_UNSIGNED_LONG)
83 #error Please make sure that poolsize is a multiple of ulong
85 #define POOLWORDS (POOLSIZE / SIZEOF_UNSIGNED_LONG)
88 static int is_initialized;
89 #define MASK_LEVEL(a) do {if( a > 2 ) a = 2; else if( a < 0 ) a = 0; } while(0)
90 static char *rndpool; /* allocated size is POOLSIZE+BLOCKLEN */
91 static char *keypool; /* allocated size is POOLSIZE+BLOCKLEN */
92 static size_t pool_readpos;
93 static size_t pool_writepos;
94 static int pool_filled;
95 static int pool_balance;
96 static int just_mixed;
97 static int did_initial_extra_seeding;
98 static char *seed_file_name;
99 static int allow_seed_file_update;
101 static unsigned char failsafe_digest[DIGESTLEN];
102 static int failsafe_digest_valid;
104 static int secure_alloc;
105 static int quick_test;
106 static int faked_rng;
108 static mutex_t pool_lock;
109 static int pool_is_locked; /* only for assertion */
111 static byte *get_random_bytes( size_t nbytes, int level, int secure );
112 static void read_pool( byte *buffer, size_t length, int level );
113 static void add_randomness( const void *buffer, size_t length, int source );
114 static void random_poll(void);
115 static void do_fast_random_poll (void);
116 static void read_random_source( int requester, size_t length, int level);
117 static int gather_faked( void (*add)(const void*, size_t, int), int requester,
118 size_t length, int level );
134 /* Note, we assume that this function is used before any concurrent
141 err = mutex_init (pool_lock);
143 log_fatal ("failed to create the pool lock: %s\n", strerror (err) );
145 /* The data buffer is allocated somewhat larger, so that we can use
146 this extra space (which is allocated in secure memory) as a
147 temporary hash buffer */
148 rndpool = secure_alloc ? gcry_xcalloc_secure(1,POOLSIZE+BLOCKLEN)
149 : gcry_xcalloc(1,POOLSIZE+BLOCKLEN);
150 keypool = secure_alloc ? gcry_xcalloc_secure(1,POOLSIZE+BLOCKLEN)
151 : gcry_xcalloc(1,POOLSIZE+BLOCKLEN);
153 _gcry_cipher_modules_constructor ();
157 burn_stack (int bytes)
161 memset (buf, 0, sizeof buf);
169 _gcry_random_dump_stats()
172 "random usage: poolsize=%d mixed=%lu polls=%lu/%lu added=%lu/%lu\n"
173 " outmix=%lu getlvl1=%lu/%lu getlvl2=%lu/%lu\n",
174 POOLSIZE, rndstats.mixrnd, rndstats.slowpolls, rndstats.fastpolls,
175 rndstats.naddbytes, rndstats.addbytes,
176 rndstats.mixkey, rndstats.ngetbytes1, rndstats.getbytes1,
177 rndstats.ngetbytes2, rndstats.getbytes2 );
181 _gcry_secure_random_alloc()
188 _gcry_quick_random_gen( int onoff )
192 /* No need to lock it here because we are only initializing. A
193 prerequisite of the entire code is that it has already been
194 initialized before any possible concurrent access */
195 read_random_source(0,0,0); /* init */
199 return faked_rng? 1 : last;
204 * Fill the buffer with LENGTH bytes of cryptographically strong
205 * random bytes. level 0 is not very strong, 1 is strong enough
206 * for most usage, 2 is good for key generation stuff but may be very slow.
209 gcry_randomize( byte *buffer, size_t length, enum gcry_random_level level )
211 char *p = get_random_bytes( length, level, 1 );
212 memcpy( buffer, p, length );
218 _gcry_random_is_faked()
220 if( !is_initialized )
222 return faked_rng || quick_test;
226 * Return a pointer to a randomized buffer of level 0 and LENGTH bits
227 * caller must free the buffer.
228 * Note: The returned value is rounded up to bytes.
231 get_random_bytes( size_t nbytes, int level, int secure )
236 if( quick_test && level > 1 )
240 err = mutex_lock (pool_lock);
242 log_fatal ("failed to acquire the pool lock: %s\n", strerror (err));
245 rndstats.getbytes1 += nbytes;
246 rndstats.ngetbytes1++;
248 else if( level >= 2 ) {
249 rndstats.getbytes2 += nbytes;
250 rndstats.ngetbytes2++;
253 buf = secure && secure_alloc ? gcry_xmalloc_secure( nbytes )
254 : gcry_xmalloc( nbytes );
255 for( p = buf; nbytes > 0; ) {
256 size_t n = nbytes > POOLSIZE? POOLSIZE : nbytes;
257 read_pool( p, n, level );
263 err = mutex_unlock (pool_lock);
265 log_fatal ("failed to release the pool lock: %s\n", strerror (err));
270 gcry_random_bytes( size_t nbytes, enum gcry_random_level level )
272 return get_random_bytes( nbytes, level, 0 );
276 gcry_random_bytes_secure( size_t nbytes, enum gcry_random_level level )
278 return get_random_bytes( nbytes, level, 1 );
285 |........blocks*20byte........|20byte|..44byte..|
286 <..44byte..> <20byte>
289 +---------------------------|----------+
291 |........blocks*20byte........|20byte|..44byte..|
294 +----------------------------------+
297 |.............................|20byte|..44byte..|
298 <20byte><20byte><..44byte..>
300 | +---------------------+
301 +-----------------------------+ |
303 |.............................|20byte|..44byte..|
306 +-------------------------+
309 |.............................|20byte|..44byte..|
310 <20byte><20byte><..44byte..>
312 and so on until we did this for all blocks.
318 char *hashbuf = pool + POOLSIZE;
323 assert (pool_is_locked);
324 _gcry_rmd160_init( &md );
326 # error must have a digest length of 20 for ripe-md-160
328 /* loop over the pool */
329 pend = pool + POOLSIZE;
330 memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN );
331 memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
332 _gcry_rmd160_mixblock( &md, hashbuf);
333 memcpy(pool, hashbuf, 20 );
334 if (failsafe_digest_valid && (char *)pool == rndpool)
336 for (i=0; i < 20; i++)
337 pool[i] ^= failsafe_digest[i];
341 for( n=1; n < POOLBLOCKS; n++ ) {
342 memcpy(hashbuf, p, DIGESTLEN );
345 if( p+DIGESTLEN+BLOCKLEN < pend )
346 memcpy(hashbuf+DIGESTLEN, p+DIGESTLEN, BLOCKLEN-DIGESTLEN);
348 char *pp = p+DIGESTLEN;
349 for(i=DIGESTLEN; i < BLOCKLEN; i++ ) {
356 _gcry_rmd160_mixblock( &md, hashbuf);
357 memcpy(p, hashbuf, 20 );
359 /* Hmmm: our hash implementation does only leave small parts (64
360 bytes) of the pool on the stack, so I thnik it ios okay not to
361 require secure memory here. Before we use this pool, it gets
362 copied to the help buffer anyway. */
363 if ( (char*)pool == rndpool)
365 _gcry_rmd160_hash_buffer (failsafe_digest, pool, POOLSIZE);
366 failsafe_digest_valid = 1;
368 burn_stack (384); /* for the rmd160_mixblock(), rmd160_hash_buffer */
372 _gcry_set_random_seed_file( const char *name )
376 seed_file_name = gcry_xstrdup( name );
380 * Read in a seed form the random_seed file
381 * and return true if this was successful
388 unsigned char buffer[POOLSIZE];
391 assert (pool_is_locked);
392 if( !seed_file_name )
395 #ifdef HAVE_DOSISH_SYSTEM
396 fd = open( seed_file_name, O_RDONLY | O_BINARY );
398 fd = open( seed_file_name, O_RDONLY );
400 if( fd == -1 && errno == ENOENT) {
401 allow_seed_file_update = 1;
406 log_info(_("can't open `%s': %s\n"), seed_file_name, strerror(errno) );
409 if( fstat( fd, &sb ) ) {
410 log_info(_("can't stat `%s': %s\n"), seed_file_name, strerror(errno) );
414 if( !S_ISREG(sb.st_mode) ) {
415 log_info(_("`%s' is not a regular file - ignored\n"), seed_file_name );
420 log_info(_("note: random_seed file is empty\n") );
422 allow_seed_file_update = 1;
425 if( sb.st_size != POOLSIZE ) {
426 log_info(_("warning: invalid size of random_seed file - not used\n") );
431 n = read( fd, buffer, POOLSIZE );
432 } while( n == -1 && errno == EINTR );
433 if( n != POOLSIZE ) {
434 log_fatal(_("can't read `%s': %s\n"), seed_file_name,strerror(errno) );
441 add_randomness( buffer, POOLSIZE, 0 );
442 /* add some minor entropy to the pool now (this will also force a mixing) */
443 { pid_t x = getpid();
444 add_randomness( &x, sizeof(x), 0 );
446 { time_t x = time(NULL);
447 add_randomness( &x, sizeof(x), 0 );
449 { clock_t x = clock();
450 add_randomness( &x, sizeof(x), 0 );
452 /* And read a few bytes from our entropy source. By using
453 * a level of 0 this will not block and might not return anything
454 * with some entropy drivers, however the rndlinux driver will use
455 * /dev/urandom and return some stuff - Do not read to much as we
456 * want to be friendly to the scare system entropy resource. */
457 read_random_source( 0, 16, 0 );
459 allow_seed_file_update = 1;
464 _gcry_update_random_seed_file()
470 if ( !seed_file_name || !is_initialized || !pool_filled )
472 if ( !allow_seed_file_update )
474 log_info(_("note: random_seed file not updated\n"));
478 err = mutex_lock (pool_lock);
480 log_fatal ("failed to acquire the pool lock: %s\n", strerror (err));
483 /* copy the entropy pool to a scratch pool and mix both of them */
484 for (i=0,dp=(ulong*)keypool, sp=(ulong*)rndpool;
485 i < POOLWORDS; i++, dp++, sp++ )
487 *dp = *sp + ADD_VALUE;
489 mix_pool(rndpool); rndstats.mixrnd++;
490 mix_pool(keypool); rndstats.mixkey++;
492 #ifdef HAVE_DOSISH_SYSTEM
493 fd = open (seed_file_name, O_WRONLY|O_CREAT|O_TRUNC|O_BINARY,
496 fd = open (seed_file_name, O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR );
500 log_info (_("can't create `%s': %s\n"), seed_file_name, strerror(errno) );
504 i = write (fd, keypool, POOLSIZE );
505 } while( i == -1 && errno == EINTR );
507 log_info(_("can't write `%s': %s\n"), seed_file_name, strerror(errno) );
509 log_info(_("can't close `%s': %s\n"), seed_file_name, strerror(errno) );
513 err = mutex_unlock (pool_lock);
515 log_fatal ("failed to release the pool lock: %s\n", strerror (err));
520 read_pool( byte *buffer, size_t length, int level )
525 assert (pool_is_locked);
526 if( length > POOLSIZE ) {
527 log_bug("too many random bits requested\n");
531 if( read_seed_file() )
535 /* For level 2 quality (key generation) we always make
536 * sure that the pool has been seeded enough initially */
537 if( level == 2 && !did_initial_extra_seeding ) {
541 needed = length - pool_balance;
542 if( needed < POOLSIZE/2 )
544 else if( needed > POOLSIZE )
546 read_random_source( 3, needed, 2 );
547 pool_balance += needed;
548 did_initial_extra_seeding=1;
551 /* for level 2 make sure that there is enough random in the pool */
552 if( level == 2 && pool_balance < length ) {
555 if( pool_balance < 0 )
557 needed = length - pool_balance;
558 if( needed > POOLSIZE )
560 read_random_source( 3, needed, 2 );
561 pool_balance += needed;
564 /* make sure the pool is filled */
565 while( !pool_filled )
568 /* always do a fast random poll - we have to use the unlocked version*/
569 do_fast_random_poll();
571 if( !level ) { /* no need for cryptographic strong random */
572 /* create a new pool */
573 for(i=0,dp=(ulong*)keypool, sp=(ulong*)rndpool;
574 i < POOLWORDS; i++, dp++, sp++ )
575 *dp = *sp + ADD_VALUE;
576 /* must mix both pools */
577 mix_pool(rndpool); rndstats.mixrnd++;
578 mix_pool(keypool); rndstats.mixkey++;
579 memcpy( buffer, keypool, length );
582 /* mix the pool (if add_randomness() didn't it) */
587 /* create a new pool */
588 for(i=0,dp=(ulong*)keypool, sp=(ulong*)rndpool;
589 i < POOLWORDS; i++, dp++, sp++ )
590 *dp = *sp + ADD_VALUE;
591 /* and mix both pools */
592 mix_pool(rndpool); rndstats.mixrnd++;
593 mix_pool(keypool); rndstats.mixkey++;
594 /* read the required data
595 * we use a readpoiter to read from a different postion each
598 *buffer++ = keypool[pool_readpos++];
599 if( pool_readpos >= POOLSIZE )
603 if( pool_balance < 0 )
605 /* and clear the keypool */
606 memset( keypool, 0, POOLSIZE );
612 * Add LENGTH bytes of randomness from buffer to the pool.
613 * source may be used to specify the randomness source.
615 * 0 - used ony for initialization
616 * 1 - fast random poll function
617 * 2 - normal poll function
618 * 3 - used when level 2 random quality has been requested
619 * to do an extra pool seed.
622 add_randomness( const void *buffer, size_t length, int source )
624 const byte *p = buffer;
626 assert (pool_is_locked);
627 if( !is_initialized )
629 rndstats.addbytes += length;
630 rndstats.naddbytes++;
632 rndpool[pool_writepos++] ^= *p++;
633 if( pool_writepos >= POOLSIZE ) {
637 mix_pool(rndpool); rndstats.mixrnd++;
638 just_mixed = !length;
648 rndstats.slowpolls++;
649 read_random_source( 2, POOLSIZE/5, 1 );
655 do_fast_random_poll ()
657 static void (*fnc)( void (*)(const void*, size_t, int), int) = NULL;
658 static int initialized = 0;
660 assert (pool_is_locked);
661 rndstats.fastpolls++;
663 if( !is_initialized )
666 fnc = _gcry_dynload_getfnc_fast_random_poll();
669 (*fnc)( add_randomness, 1 );
673 /* fall back to the generic function */
677 add_randomness( &tv, sizeof(tv), 1 );
679 #elif HAVE_GETTIMEOFDAY
681 if( gettimeofday( &tv, NULL ) )
683 add_randomness( &tv.tv_sec, sizeof(tv.tv_sec), 1 );
684 add_randomness( &tv.tv_usec, sizeof(tv.tv_usec), 1 );
686 #elif HAVE_CLOCK_GETTIME
687 { struct timespec tv;
688 if( clock_gettime( CLOCK_REALTIME, &tv ) == -1 )
690 add_randomness( &tv.tv_sec, sizeof(tv.tv_sec), 1 );
691 add_randomness( &tv.tv_nsec, sizeof(tv.tv_nsec), 1 );
693 #else /* use times */
694 #ifndef HAVE_DOSISH_SYSTEM
697 add_randomness( &buf, sizeof buf, 1 );
701 #ifdef HAVE_GETRUSAGE
704 #warning There is no RUSAGE_SELF on this system
709 /* QNX/Neutrino does return ENOSYS - so we just ignore it and
710 * add whatever is in buf. In a chroot environment it might not
711 * work at all (i.e. because /proc/ is not accessible), so we better
712 * ugnore all error codes and hope for the best
714 getrusage (RUSAGE_SELF, &buf );
715 add_randomness( &buf, sizeof buf, 1 );
716 memset( &buf, 0, sizeof buf );
720 /* time and clock are availabe on all systems - so
721 * we better do it just in case one of the above functions
723 { time_t x = time(NULL);
724 add_randomness( &x, sizeof(x), 1 );
726 { clock_t x = clock();
727 add_randomness( &x, sizeof(x), 1 );
733 _gcry_fast_random_poll()
737 /* We have to make sure that the intialization is done because this
738 gatherer might be called before any other functions and it is not
739 sufficient to initialize it within do_fast_random_pool becuase we
740 want to use the mutex here. FIXME: Weh should initialie the mutex
741 using a global constructore independent from the initialization
745 err = mutex_lock (pool_lock);
747 log_fatal ("failed to acquire the pool lock: %s\n", strerror (err));
749 do_fast_random_poll ();
751 err = mutex_unlock (pool_lock);
753 log_fatal ("failed to acquire the pool lock: %s\n", strerror (err));
760 read_random_source( int requester, size_t length, int level )
762 static int (*fnc)(void (*)(const void*, size_t, int), int,
765 if( !is_initialized )
767 fnc = _gcry_dynload_getfnc_gather_random();
772 if( !requester && !length && !level )
773 return; /* init only */
775 if( (*fnc)( add_randomness, requester, length, level ) < 0 )
776 log_fatal("No way to gather entropy for the RNG\n");
781 gather_faked( void (*add)(const void*, size_t, int), int requester,
782 size_t length, int level )
784 static int initialized=0;
789 log_info(_("WARNING: using insecure random number generator!!\n"));
790 /* we can't use tty_printf here - do we need this function at
791 all - does it really make sense or canit be viewed as a potential
792 security problem ? wk 17.11.99 */
794 tty_printf(_("The random number generator is only a kludge to let\n"
795 "it run - it is in no way a strong RNG!\n\n"
796 "DON'T USE ANY DATA GENERATED BY THIS PROGRAM!!\n\n"));
800 srand( time(NULL)*getpid());
802 srandom( time(NULL)*getpid());
806 p = buffer = gcry_xmalloc( length );
810 *p++ = ((unsigned)(1 + (int) (256.0*rand()/(RAND_MAX+1.0)))-1);
813 *p++ = ((unsigned)(1 + (int) (256.0*random()/(RAND_MAX+1.0)))-1);
815 add_randomness( buffer, length, requester );
projects / libgcrypt.git / blob