/*----------------------------------------------------------------------------*/
int zrtp_entropy_add(zrtp_global_t* zrtp, const unsigned char *buffer, uint32_t length)
{
if (buffer && length) {
MD_Update(&zrtp->rand_ctx, buffer, length);
}
return zrtp_add_system_state(zrtp, &zrtp->rand_ctx);
}
/*----------------------------------------------------------------------------*/
int zrtp_add_system_state(zrtp_global_t* zrtp, MD_CTX *ctx)
{
LARGE_INTEGER li1;
LARGE_INTEGER li2;
ULONG ul1;
ULONG ul2;
ULONGLONG ull;
PKTHREAD thread;
static int tsc_ok = 1;
/*
* WARNING!
* Of course it's not a real size of entropy added to the context. It's very
* difficult to compute the size of real random data and estimate its quality.
* This value means: size of maximum possible random data which this function can provide.
*/
static int entropy_length = sizeof(LARGE_INTEGER)*2 + sizeof(PKTHREAD) +
sizeof(ULONG)*2 + sizeof(LARGE_INTEGER)*2 + sizeof(ULONG)*2;
li2 = KeQueryPerformanceCounter(&li1);
MD_Update(ctx, &li1, sizeof(LARGE_INTEGER));
MD_Update(ctx, &li2, sizeof(LARGE_INTEGER));
ull = KeQueryInterruptTime();
MD_Update(ctx, &ull, sizeof(ULONGLONG));
thread = KeGetCurrentThread();
MD_Update(ctx, &thread, sizeof(PKTHREAD));
ul2 = KeQueryRuntimeThread(thread, &ul1);
MD_Update(ctx, &ul1, sizeof(ULONG));
MD_Update(ctx, &ul2, sizeof(ULONG));
KeQuerySystemTime(&li1);
MD_Update(ctx, &li1, sizeof(LARGE_INTEGER));
KeQueryTickCount(&li1);
MD_Update(ctx, &li1, sizeof(LARGE_INTEGER));
if (tsc_ok) {
__try {
ull = _RDTSC();
MD_Update(ctx, &ull, sizeof(ULONGLONG));
} __except(EXCEPTION_EXECUTE_HANDLER) {
tsc_ok = 0;
}
}
return entropy_length;
}
int zrtp_add_system_state(zrtp_global_t* zrtp, MD_CTX *ctx)
{
uint8_t buffer[64];
if(!CryptGenRandom(g_hCryptProv, sizeof(buffer), buffer)) {
ZRTP_LOG(1,(_ZTU_,"\tERROR! Error during CryptGenRandom.\n"));
return 0;
}
MD_Update(ctx, buffer, sizeof(buffer));
ZeroMemory((PVOID)buffer, sizeof(buffer));
return sizeof(buffer);
}
static void rand_hw_seed(EVP_MD_CTX *ctx)
{
int i;
if (!(OPENSSL_ia32cap_P[1] & (1<<(62-32))))
return;
for (i = 0; i < RDRAND_CALLS; i++)
{
size_t rnd;
rnd = OPENSSL_ia32_rdrand();
if (rnd == 0)
return;
MD_Update(ctx, (unsigned char *)&rnd, sizeof(size_t));
}
}
int zrtp_add_system_state(zrtp_global_t* zrtp, MD_CTX *ctx) {
uint64_t sysdate;
unsigned int pid;
uint32_t crazy_pid_sum;
uint32_t heap_size;
static int entropy_length = sizeof(sysdate) + sizeof(pid)
+ sizeof(crazy_pid_sum) + sizeof(heap_size);
sysdate = zrtp_get_system_time_crazy();
MD_Update(ctx,&sysdate,sizeof(sysdate));
pid = zrtp_get_pid();
MD_Update(ctx,&pid,sizeof(pid));
crazy_pid_sum = zrtp_sum_of_pid_and_number_of_poccesses();
MD_Update(ctx,&crazy_pid_sum,sizeof(crazy_pid_sum));
heap_size = zrtp_get_availible_heap();
MD_Update(ctx,&heap_size,sizeof(heap_size));
return entropy_length;
}
/*----------------------------------------------------------------------------*/
int zrtp_add_system_state(zrtp_global_t* zrtp, MD_CTX *ctx)
{
uint8_t buffer[64];
size_t bytes_read = 0;
static size_t length= sizeof(buffer);
FILE *fp = NULL;
fp = fopen("/dev/urandom", "rb");
if (!fp) {
ZRTP_LOG(1,(_ZTU_,"\tERROR! can't get access to /dev/urandom - trying /dev/random.\n"));
fp = fopen("/dev/random", "rb");
}
if (fp) {
int number_of_retries = 1024;
while ((bytes_read < length) && (number_of_retries-- > 0)) {
setbuf(fp, NULL); /* Otherwise fread() tries to read() 4096 bytes or other default value */
bytes_read += fread(buffer+bytes_read, 1, length-bytes_read, fp);
}
if (0 != fclose(fp)) {
ZRTP_LOG(1,(_ZTU_,"\tERROR! unable to cloas /dev/random\n"));
}
} else {
ZRTP_LOG(1,(_ZTU_,"\tERROR! RNG Can't open /dev/random\n"));
}
if (bytes_read < length) {
ZRTP_LOG(1,(_ZTU_,"\tERROR! can't read random string! Current session have to be closed.\n"));
return -1;
}
MD_Update(ctx, buffer, length);
zrtp_memset(buffer, 0, sizeof(buffer));
return bytes_read;
}
static int ssleay_rand_bytes(unsigned char *buf, int num)
{
static volatile int stirred_pool = 0;
int i,j,k,st_num,st_idx;
int num_ceil;
int ok;
long md_c[2];
unsigned char local_md[MD_DIGEST_LENGTH];
EVP_MD_CTX m;
#ifndef GETPID_IS_MEANINGLESS
pid_t curr_pid = TINYCLR_SSL_GETPID();
#endif
int do_stir_pool = 0;
#ifdef PREDICT
if (rand_predictable)
{
static unsigned char val=0;
for (i=0; i<num; i++)
buf[i]=val++;
return(1);
}
#endif
if (num <= 0)
return 1;
EVP_MD_CTX_init(&m);
/* round upwards to multiple of MD_DIGEST_LENGTH/2 */
num_ceil = (1 + (num-1)/(MD_DIGEST_LENGTH/2)) * (MD_DIGEST_LENGTH/2);
/*
* (Based on the rand(3) manpage:)
*
* For each group of 10 bytes (or less), we do the following:
*
* Input into the hash function the local 'md' (which is initialized from
* the global 'md' before any bytes are generated), the bytes that are to
* be overwritten by the random bytes, and bytes from the 'state'
* (incrementing looping index). From this digest output (which is kept
* in 'md'), the top (up to) 10 bytes are returned to the caller and the
* bottom 10 bytes are xored into the 'state'.
*
* Finally, after we have finished 'num' random bytes for the
* caller, 'count' (which is incremented) and the local and global 'md'
* are fed into the hash function and the results are kept in the
* global 'md'.
*/
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
CRYPTO_THREADID_current(&locking_threadid);
CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
crypto_lock_rand = 1;
if (!initialized)
{
RAND_poll();
initialized = 1;
}
if (!stirred_pool)
do_stir_pool = 1;
ok = (entropy >= ENTROPY_NEEDED);
if (!ok)
{
/* If the PRNG state is not yet unpredictable, then seeing
* the PRNG output may help attackers to determine the new
* state; thus we have to decrease the entropy estimate.
* Once we've had enough initial seeding we don't bother to
* adjust the entropy count, though, because we're not ambitious
* to provide *information-theoretic* randomness.
*
* NOTE: This approach fails if the program forks before
* we have enough entropy. Entropy should be collected
* in a separate input pool and be transferred to the
* output pool only when the entropy limit has been reached.
*/
entropy -= num;
if (entropy < 0)
entropy = 0;
}
if (do_stir_pool)
{
/* In the output function only half of 'md' remains secret,
* so we better make sure that the required entropy gets
* 'evenly distributed' through 'state', our randomness pool.
* The input function (ssleay_rand_add) chains all of 'md',
* which makes it more suitable for this purpose.
*/
int n = STATE_SIZE; /* so that the complete pool gets accessed */
while (n > 0)
{
#if MD_DIGEST_LENGTH > 20
# error "Please adjust DUMMY_SEED."
#endif
#define DUMMY_SEED "...................." /* at least MD_DIGEST_LENGTH */
/* Note that the seed does not matter, it's just that
* ssleay_rand_add expects to have something to hash. */
ssleay_rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0);
n -= MD_DIGEST_LENGTH;
}
if (ok)
stirred_pool = 1;
}
st_idx=state_index;
st_num=state_num;
md_c[0] = md_count[0];
md_c[1] = md_count[1];
TINYCLR_SSL_MEMCPY(local_md, md, sizeof md);
state_index+=num_ceil;
if (state_index > state_num)
state_index %= state_num;
/* state[st_idx], ..., state[(st_idx + num_ceil - 1) % st_num]
* are now ours (but other threads may use them too) */
md_count[0] += 1;
/* before unlocking, we must clear 'crypto_lock_rand' */
crypto_lock_rand = 0;
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
while (num > 0)
{
/* num_ceil -= MD_DIGEST_LENGTH/2 */
j=(num >= MD_DIGEST_LENGTH/2)?MD_DIGEST_LENGTH/2:num;
num-=j;
MD_Init(&m);
#ifndef GETPID_IS_MEANINGLESS
if (curr_pid) /* just in the first iteration to save time */
{
MD_Update(&m,(unsigned char*)&curr_pid,sizeof curr_pid);
curr_pid = 0;
}
#endif
MD_Update(&m,local_md,MD_DIGEST_LENGTH);
MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
#ifndef PURIFY /* purify complains */
/* The following line uses the supplied buffer as a small
* source of entropy: since this buffer is often uninitialised
* it may cause programs such as purify or valgrind to
* complain. So for those builds it is not used: the removal
* of such a small source of entropy has negligible impact on
* security.
*/
MD_Update(&m,buf,j);
#endif
k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
if (k > 0)
{
MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2-k);
MD_Update(&m,&(state[0]),k);
}
else
MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2);
MD_Final(&m,local_md);
for (i=0; i<MD_DIGEST_LENGTH/2; i++)
{
state[st_idx++]^=local_md[i]; /* may compete with other threads */
if (st_idx >= st_num)
st_idx=0;
if (i < j)
*(buf++)=local_md[i+MD_DIGEST_LENGTH/2];
}
}
MD_Init(&m);
MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
MD_Update(&m,local_md,MD_DIGEST_LENGTH);
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
MD_Update(&m,md,MD_DIGEST_LENGTH);
MD_Final(&m,md);
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
EVP_MD_CTX_cleanup(&m);
if (ok)
return(1);
else
{
RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
ERR_add_error_data(1, "You need to read the OpenSSL FAQ, "
"http://www.openssl.org/support/faq.html");
return(0);
}
}
static void ssleay_rand_add(const void *buf, int num, double add)
{
int i,j,k,st_idx;
long md_c[2];
unsigned char local_md[MD_DIGEST_LENGTH];
EVP_MD_CTX m;
int do_not_lock;
/*
* (Based on the rand(3) manpage)
*
* The input is chopped up into units of 20 bytes (or less for
* the last block). Each of these blocks is run through the hash
* function as follows: The data passed to the hash function
* is the current 'md', the same number of bytes from the 'state'
* (the location determined by in incremented looping index) as
* the current 'block', the new key data 'block', and 'count'
* (which is incremented after each use).
* The result of this is kept in 'md' and also xored into the
* 'state' at the same locations that were used as input into the
* hash function.
*/
/* check if we already have the lock */
if (crypto_lock_rand)
{
CRYPTO_THREADID cur;
CRYPTO_THREADID_current(&cur);
CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur);
CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
}
else
do_not_lock = 0;
if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
st_idx=state_index;
/* use our own copies of the counters so that even
* if a concurrent thread seeds with exactly the
* same data and uses the same subarray there's _some_
* difference */
md_c[0] = md_count[0];
md_c[1] = md_count[1];
TINYCLR_SSL_MEMCPY(local_md, md, sizeof md);
/* state_index <= state_num <= STATE_SIZE */
state_index += num;
if (state_index >= STATE_SIZE)
{
state_index%=STATE_SIZE;
state_num=STATE_SIZE;
}
else if (state_num < STATE_SIZE)
{
if (state_index > state_num)
state_num=state_index;
}
/* state_index <= state_num <= STATE_SIZE */
/* state[st_idx], ..., state[(st_idx + num - 1) % STATE_SIZE]
* are what we will use now, but other threads may use them
* as well */
md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0);
if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
EVP_MD_CTX_init(&m);
for (i=0; i<num; i+=MD_DIGEST_LENGTH)
{
j=(num-i);
j=(j > MD_DIGEST_LENGTH)?MD_DIGEST_LENGTH:j;
MD_Init(&m);
MD_Update(&m,local_md,MD_DIGEST_LENGTH);
k=(st_idx+j)-STATE_SIZE;
if (k > 0)
{
MD_Update(&m,&(state[st_idx]),j-k);
MD_Update(&m,&(state[0]),k);
}
else
MD_Update(&m,&(state[st_idx]),j);
/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
MD_Update(&m,buf,j);
/* We know that line may cause programs such as
purify and valgrind to complain about use of
uninitialized data. The problem is not, it's
with the caller. Removing that line will make
sure you get really bad randomness and thereby
other problems such as very insecure keys. */
MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
MD_Final(&m,local_md);
md_c[1]++;
buf=(const char *)buf + j;
for (k=0; k<j; k++)
{
/* Parallel threads may interfere with this,
* but always each byte of the new state is
* the XOR of some previous value of its
* and local_md (itermediate values may be lost).
* Alway using locking could hurt performance more
* than necessary given that conflicts occur only
* when the total seeding is longer than the random
* state. */
state[st_idx++]^=local_md[k];
if (st_idx >= STATE_SIZE)
st_idx=0;
}
}
EVP_MD_CTX_cleanup(&m);
if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
/* Don't just copy back local_md into md -- this could mean that
* other thread's seeding remains without effect (except for
* the incremented counter). By XORing it we keep at least as
* much entropy as fits into md. */
for (k = 0; k < (int)sizeof(md); k++)
{
md[k] ^= local_md[k];
}
if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
entropy += add;
if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
#if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_ARM) && !defined(OPENSSL_SYS_SH)
TINYCLR_SSL_ASSERT(md_c[1] == md_count[1]);
#endif
}
static void ssleay_rand_add(const void *buf, int num, double add)
{
int i,j,k,st_idx;
long md_c[2];
unsigned char local_md[MD_DIGEST_LENGTH];
MD_CTX m;
int do_not_lock;
/*
* (Based on the rand(3) manpage)
*
* The input is chopped up into units of 20 bytes (or less for
* the last block). Each of these blocks is run through the hash
* function as follows: The data passed to the hash function
* is the current 'md', the same number of bytes from the 'state'
* (the location determined by in incremented looping index) as
* the current 'block', the new key data 'block', and 'count'
* (which is incremented after each use).
* The result of this is kept in 'md' and also xored into the
* 'state' at the same locations that were used as input into the
* hash function.
*/
/* check if we already have the lock */
do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id());
if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
st_idx=state_index;
/* use our own copies of the counters so that even
* if a concurrent thread seeds with exactly the
* same data and uses the same subarray there's _some_
* difference */
md_c[0] = md_count[0];
md_c[1] = md_count[1];
memcpy(local_md, md, sizeof md);
/* state_index <= state_num <= STATE_SIZE */
state_index += num;
if (state_index >= STATE_SIZE)
{
state_index%=STATE_SIZE;
state_num=STATE_SIZE;
}
else if (state_num < STATE_SIZE)
{
if (state_index > state_num)
state_num=state_index;
}
/* state_index <= state_num <= STATE_SIZE */
/* state[st_idx], ..., state[(st_idx + num - 1) % STATE_SIZE]
* are what we will use now, but other threads may use them
* as well */
md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0);
if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
for (i=0; i<num; i+=MD_DIGEST_LENGTH)
{
j=(num-i);
j=(j > MD_DIGEST_LENGTH)?MD_DIGEST_LENGTH:j;
MD_Init(&m);
MD_Update(&m,local_md,MD_DIGEST_LENGTH);
k=(st_idx+j)-STATE_SIZE;
if (k > 0)
{
MD_Update(&m,&(state[st_idx]),j-k);
MD_Update(&m,&(state[0]),k);
}
else
MD_Update(&m,&(state[st_idx]),j);
MD_Update(&m,buf,j);
MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
MD_Final(local_md,&m);
md_c[1]++;
buf=(const char *)buf + j;
for (k=0; k<j; k++)
{
/* Parallel threads may interfere with this,
* but always each byte of the new state is
* the XOR of some previous value of its
* and local_md (itermediate values may be lost).
* Alway using locking could hurt performance more
* than necessary given that conflicts occur only
* when the total seeding is longer than the random
* state. */
state[st_idx++]^=local_md[k];
if (st_idx >= STATE_SIZE)
st_idx=0;
}
}
memset((char *)&m,0,sizeof(m));
if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
/* Don't just copy back local_md into md -- this could mean that
* other thread's seeding remains without effect (except for
* the incremented counter). By XORing it we keep at least as
* much entropy as fits into md. */
for (k = 0; k < sizeof md; k++)
{
md[k] ^= local_md[k];
}
if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
entropy += add;
if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
#if !defined(THREADS) && !defined(WIN32)
assert(md_c[1] == md_count[1]);
#endif
}
static int rand_bytes(unsigned char *buf, int num, int pseudo)
{
static volatile int stirred_pool = 0;
int i, j, k;
size_t num_ceil, st_idx, st_num;
int ok;
long md_c[2];
unsigned char local_md[MD_DIGEST_LENGTH];
EVP_MD_CTX *m;
#ifndef GETPID_IS_MEANINGLESS
pid_t curr_pid = getpid();
#endif
time_t curr_time = time(NULL);
int do_stir_pool = 0;
/* time value for various platforms */
#ifdef OPENSSL_SYS_WIN32
FILETIME tv;
# ifdef _WIN32_WCE
SYSTEMTIME t;
GetSystemTime(&t);
SystemTimeToFileTime(&t, &tv);
# else
GetSystemTimeAsFileTime(&tv);
# endif
#elif defined(OPENSSL_SYS_VXWORKS)
struct timespec tv;
clock_gettime(CLOCK_REALTIME, &ts);
#elif defined(OPENSSL_SYS_DSPBIOS)
unsigned long long tv, OPENSSL_rdtsc();
tv = OPENSSL_rdtsc();
#else
struct timeval tv;
gettimeofday(&tv, NULL);
#endif
#ifdef PREDICT
if (rand_predictable) {
static unsigned char val = 0;
for (i = 0; i < num; i++)
buf[i] = val++;
return (1);
}
#endif
if (num <= 0)
return 1;
m = EVP_MD_CTX_new();
if (m == NULL)
goto err_mem;
/* round upwards to multiple of MD_DIGEST_LENGTH/2 */
num_ceil =
(1 + (num - 1) / (MD_DIGEST_LENGTH / 2)) * (MD_DIGEST_LENGTH / 2);
/*
* (Based on the rand(3) manpage:)
*
* For each group of 10 bytes (or less), we do the following:
*
* Input into the hash function the local 'md' (which is initialized from
* the global 'md' before any bytes are generated), the bytes that are to
* be overwritten by the random bytes, and bytes from the 'state'
* (incrementing looping index). From this digest output (which is kept
* in 'md'), the top (up to) 10 bytes are returned to the caller and the
* bottom 10 bytes are xored into the 'state'.
*
* Finally, after we have finished 'num' random bytes for the
* caller, 'count' (which is incremented) and the local and global 'md'
* are fed into the hash function and the results are kept in the
* global 'md'.
*/
if (!RUN_ONCE(&rand_lock_init, do_rand_lock_init))
goto err_mem;
CRYPTO_THREAD_write_lock(rand_lock);
/*
* We could end up in an async engine while holding this lock so ensure
* we don't pause and cause a deadlock
*/
ASYNC_block_pause();
/* prevent rand_bytes() from trying to obtain the lock again */
CRYPTO_THREAD_write_lock(rand_tmp_lock);
locking_threadid = CRYPTO_THREAD_get_current_id();
CRYPTO_THREAD_unlock(rand_tmp_lock);
crypto_lock_rand = 1;
if (!initialized) {
RAND_poll();
initialized = 1;
}
if (!stirred_pool)
do_stir_pool = 1;
ok = (entropy >= ENTROPY_NEEDED);
if (!ok) {
/*
* If the PRNG state is not yet unpredictable, then seeing the PRNG
* output may help attackers to determine the new state; thus we have
* to decrease the entropy estimate. Once we've had enough initial
* seeding we don't bother to adjust the entropy count, though,
* because we're not ambitious to provide *information-theoretic*
* randomness. NOTE: This approach fails if the program forks before
* we have enough entropy. Entropy should be collected in a separate
* input pool and be transferred to the output pool only when the
* entropy limit has been reached.
*/
entropy -= num;
if (entropy < 0)
entropy = 0;
}
if (do_stir_pool) {
/*
* In the output function only half of 'md' remains secret, so we
* better make sure that the required entropy gets 'evenly
* distributed' through 'state', our randomness pool. The input
* function (rand_add) chains all of 'md', which makes it more
* suitable for this purpose.
*/
int n = STATE_SIZE; /* so that the complete pool gets accessed */
while (n > 0) {
#if MD_DIGEST_LENGTH > 20
# error "Please adjust DUMMY_SEED."
#endif
#define DUMMY_SEED "...................." /* at least MD_DIGEST_LENGTH */
/*
* Note that the seed does not matter, it's just that
* rand_add expects to have something to hash.
*/
rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0);
n -= MD_DIGEST_LENGTH;
}
if (ok)
stirred_pool = 1;
}
st_idx = state_index;
st_num = state_num;
md_c[0] = md_count[0];
md_c[1] = md_count[1];
memcpy(local_md, md, sizeof md);
state_index += num_ceil;
if (state_index > state_num)
state_index %= state_num;
/*
* state[st_idx], ..., state[(st_idx + num_ceil - 1) % st_num] are now
* ours (but other threads may use them too)
*/
md_count[0] += 1;
/* before unlocking, we must clear 'crypto_lock_rand' */
crypto_lock_rand = 0;
ASYNC_unblock_pause();
CRYPTO_THREAD_unlock(rand_lock);
while (num > 0) {
/* num_ceil -= MD_DIGEST_LENGTH/2 */
j = (num >= MD_DIGEST_LENGTH / 2) ? MD_DIGEST_LENGTH / 2 : num;
num -= j;
if (!MD_Init(m))
goto err;
#ifndef GETPID_IS_MEANINGLESS
if (curr_pid) { /* just in the first iteration to save time */
if (!MD_Update(m, (unsigned char *)&curr_pid, sizeof curr_pid))
goto err;
curr_pid = 0;
}
#endif
if (curr_time) { /* just in the first iteration to save time */
if (!MD_Update(m, (unsigned char *)&curr_time, sizeof curr_time))
goto err;
if (!MD_Update(m, (unsigned char *)&tv, sizeof tv))
goto err;
curr_time = 0;
if (!rand_hw_seed(m))
goto err;
}
if (!MD_Update(m, local_md, MD_DIGEST_LENGTH))
goto err;
if (!MD_Update(m, (unsigned char *)&(md_c[0]), sizeof(md_c)))
goto err;
k = (st_idx + MD_DIGEST_LENGTH / 2) - st_num;
if (k > 0) {
if (!MD_Update(m, &(state[st_idx]), MD_DIGEST_LENGTH / 2 - k))
goto err;
if (!MD_Update(m, &(state[0]), k))
goto err;
} else if (!MD_Update(m, &(state[st_idx]), MD_DIGEST_LENGTH / 2))
goto err;
if (!MD_Final(m, local_md))
goto err;
for (i = 0; i < MD_DIGEST_LENGTH / 2; i++) {
/* may compete with other threads */
state[st_idx++] ^= local_md[i];
if (st_idx >= st_num)
st_idx = 0;
if (i < j)
*(buf++) = local_md[i + MD_DIGEST_LENGTH / 2];
}
}
if (!MD_Init(m)
|| !MD_Update(m, (unsigned char *)&(md_c[0]), sizeof(md_c))
|| !MD_Update(m, local_md, MD_DIGEST_LENGTH))
goto err;
CRYPTO_THREAD_write_lock(rand_lock);
/*
* Prevent deadlocks if we end up in an async engine
*/
ASYNC_block_pause();
if (!MD_Update(m, md, MD_DIGEST_LENGTH) || !MD_Final(m, md)) {
CRYPTO_THREAD_unlock(rand_lock);
goto err;
}
ASYNC_unblock_pause();
CRYPTO_THREAD_unlock(rand_lock);
EVP_MD_CTX_free(m);
if (ok)
return (1);
else if (pseudo)
return 0;
else {
RANDerr(RAND_F_RAND_BYTES, RAND_R_PRNG_NOT_SEEDED);
ERR_add_error_data(1, "You need to read the OpenSSL FAQ, "
"https://www.openssl.org/docs/faq.html");
return (0);
}
err:
RANDerr(RAND_F_RAND_BYTES, ERR_R_EVP_LIB);
EVP_MD_CTX_free(m);
return 0;
err_mem:
RANDerr(RAND_F_RAND_BYTES, ERR_R_MALLOC_FAILURE);
EVP_MD_CTX_free(m);
return 0;
}
static int rand_add(const void *buf, int num, double add)
{
int i, j, k, st_idx;
long md_c[2];
unsigned char local_md[MD_DIGEST_LENGTH];
EVP_MD_CTX *m;
int do_not_lock;
int rv = 0;
if (!num)
return 1;
/*
* (Based on the rand(3) manpage)
*
* The input is chopped up into units of 20 bytes (or less for
* the last block). Each of these blocks is run through the hash
* function as follows: The data passed to the hash function
* is the current 'md', the same number of bytes from the 'state'
* (the location determined by in incremented looping index) as
* the current 'block', the new key data 'block', and 'count'
* (which is incremented after each use).
* The result of this is kept in 'md' and also xored into the
* 'state' at the same locations that were used as input into the
* hash function.
*/
m = EVP_MD_CTX_new();
if (m == NULL)
goto err;
if (!RUN_ONCE(&rand_lock_init, do_rand_lock_init))
goto err;
/* check if we already have the lock */
if (crypto_lock_rand) {
CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
CRYPTO_THREAD_read_lock(rand_tmp_lock);
do_not_lock = CRYPTO_THREAD_compare_id(locking_threadid, cur);
CRYPTO_THREAD_unlock(rand_tmp_lock);
} else
do_not_lock = 0;
if (!do_not_lock)
CRYPTO_THREAD_write_lock(rand_lock);
st_idx = state_index;
/*
* use our own copies of the counters so that even if a concurrent thread
* seeds with exactly the same data and uses the same subarray there's
* _some_ difference
*/
md_c[0] = md_count[0];
md_c[1] = md_count[1];
memcpy(local_md, md, sizeof md);
/* state_index <= state_num <= STATE_SIZE */
state_index += num;
if (state_index >= STATE_SIZE) {
state_index %= STATE_SIZE;
state_num = STATE_SIZE;
} else if (state_num < STATE_SIZE) {
if (state_index > state_num)
state_num = state_index;
}
/* state_index <= state_num <= STATE_SIZE */
/*
* state[st_idx], ..., state[(st_idx + num - 1) % STATE_SIZE] are what we
* will use now, but other threads may use them as well
*/
md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0);
if (!do_not_lock)
CRYPTO_THREAD_unlock(rand_lock);
for (i = 0; i < num; i += MD_DIGEST_LENGTH) {
j = (num - i);
j = (j > MD_DIGEST_LENGTH) ? MD_DIGEST_LENGTH : j;
if (!MD_Init(m))
goto err;
if (!MD_Update(m, local_md, MD_DIGEST_LENGTH))
goto err;
k = (st_idx + j) - STATE_SIZE;
if (k > 0) {
if (!MD_Update(m, &(state[st_idx]), j - k))
goto err;
if (!MD_Update(m, &(state[0]), k))
goto err;
} else if (!MD_Update(m, &(state[st_idx]), j))
goto err;
/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
if (!MD_Update(m, buf, j))
goto err;
/*
* We know that line may cause programs such as purify and valgrind
* to complain about use of uninitialized data. The problem is not,
* it's with the caller. Removing that line will make sure you get
* really bad randomness and thereby other problems such as very
* insecure keys.
*/
if (!MD_Update(m, (unsigned char *)&(md_c[0]), sizeof(md_c)))
goto err;
if (!MD_Final(m, local_md))
goto err;
md_c[1]++;
buf = (const char *)buf + j;
for (k = 0; k < j; k++) {
/*
* Parallel threads may interfere with this, but always each byte
* of the new state is the XOR of some previous value of its and
* local_md (intermediate values may be lost). Alway using locking
* could hurt performance more than necessary given that
* conflicts occur only when the total seeding is longer than the
* random state.
*/
state[st_idx++] ^= local_md[k];
if (st_idx >= STATE_SIZE)
st_idx = 0;
}
}
if (!do_not_lock)
CRYPTO_THREAD_write_lock(rand_lock);
/*
* Don't just copy back local_md into md -- this could mean that other
* thread's seeding remains without effect (except for the incremented
* counter). By XORing it we keep at least as much entropy as fits into
* md.
*/
for (k = 0; k < (int)sizeof(md); k++) {
md[k] ^= local_md[k];
}
if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
entropy += add;
if (!do_not_lock)
CRYPTO_THREAD_unlock(rand_lock);
rv = 1;
err:
EVP_MD_CTX_free(m);
return rv;
}
