static int
wrap_nettle_rnd(void *_ctx, int level, void *data, size_t datasize)
{
int ret, reseed = 0;
struct event_st event;
if (level == GNUTLS_RND_NONCE)
return wrap_nettle_rnd_nonce(_ctx, data, datasize);
_rnd_get_event(&event);
RND_LOCK(&rnd_ctx);
if (_gnutls_detect_fork(rnd_ctx.forkid)) { /* fork() detected */
memset(&rnd_ctx.device_last_read, 0, sizeof(rnd_ctx.device_last_read));
reseed = 1;
}
/* reseed main */
ret = do_trivia_source(&rnd_ctx, 0, &event);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = do_device_source(&rnd_ctx, 0, &event);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
if (reseed != 0) {
yarrow256_slow_reseed(&rnd_ctx.yctx);
rnd_ctx.forkid = _gnutls_get_forkid();
}
yarrow256_random(&rnd_ctx.yctx, datasize, data);
ret = 0;
cleanup:
RND_UNLOCK(&rnd_ctx);
return ret;
}
static int
wrap_nettle_rnd_nonce(void *_ctx, void *data, size_t datasize)
{
int ret, reseed = 0;
uint8_t nonce_key[NONCE_KEY_SIZE];
/* we don't really need memset here, but otherwise we
* get filled with valgrind warnings */
memset(data, 0, datasize);
RND_LOCK(&nonce_ctx);
if (_gnutls_detect_fork(nonce_ctx.forkid)) {
reseed = 1;
}
if (reseed != 0 || nonce_ctx.counter > NONCE_RESEED_BYTES) {
/* reseed nonce */
ret = _rnd_get_system_entropy(nonce_key, sizeof(nonce_key));
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = nonce_rng_init(&nonce_ctx, nonce_key, sizeof(nonce_key), 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
nonce_ctx.forkid = _gnutls_get_forkid();
}
salsa20r12_crypt(&nonce_ctx.ctx, datasize, data, data);
nonce_ctx.counter += datasize;
ret = 0;
cleanup:
RND_UNLOCK(&nonce_ctx);
return ret;
}
static int
wrap_nettle_rnd(void *_ctx, int level, void *data, size_t datasize)
{
struct generators_ctx_st *ctx = _ctx;
struct prng_ctx_st *prng_ctx;
int ret, reseed = 0;
uint8_t new_key[PRNG_KEY_SIZE];
time_t now;
if (level == GNUTLS_RND_RANDOM || level == GNUTLS_RND_KEY)
prng_ctx = &ctx->normal;
else if (level == GNUTLS_RND_NONCE)
prng_ctx = &ctx->nonce;
else
return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
/* Two reasons for this memset():
* 1. avoid getting filled with valgrind warnings
* 2. avoid a cipher/PRNG failure to expose stack data
*/
memset(data, 0, datasize);
now = gnutls_time(0);
/* We re-seed based on time in addition to output data. That is,
* to prevent a temporal state compromise to become permanent for low
* traffic sites */
if (unlikely(_gnutls_detect_fork(prng_ctx->forkid))) {
reseed = 1;
} else {
if (now > prng_ctx->last_reseed + prng_reseed_time[level])
reseed = 1;
}
if (reseed != 0 || prng_ctx->counter > prng_reseed_limits[level]) {
if (level == GNUTLS_RND_NONCE) {
ret = wrap_nettle_rnd(_ctx, GNUTLS_RND_RANDOM, new_key, sizeof(new_key));
} else {
/* we also use the system entropy to reduce the impact
* of a temporal state compromise for these two levels. */
ret = _rnd_get_system_entropy(new_key, sizeof(new_key));
}
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = single_prng_init(prng_ctx, new_key, sizeof(new_key), 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
prng_ctx->last_reseed = now;
prng_ctx->forkid = _gnutls_get_forkid();
}
chacha_crypt(&prng_ctx->ctx, datasize, data, data);
prng_ctx->counter += datasize;
if (level == GNUTLS_RND_KEY) { /* prevent backtracking */
ret = wrap_nettle_rnd(_ctx, GNUTLS_RND_RANDOM, new_key, sizeof(new_key));
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = single_prng_init(prng_ctx, new_key, sizeof(new_key), 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
}
ret = 0;
cleanup:
return ret;
}
