static uint64_t get_timer_bits(void)
{
uint64_t res = OPENSSL_rdtsc();
struct timespec ts;
if (res != 0)
return res;
if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
return TWO32TO64(ts.tv_sec, ts.tv_nsec);
return time(NULL);
}
/*
* Since we get some randomness from the low-order bits of the
* high-speec clock, it can help. But don't return a status since
* it's not sufficient to indicate whether or not the seeding was
* done.
*/
void rand_read_tsc(RAND_poll_cb rand_add, void *arg)
{
unsigned char c;
int i;
if ((OPENSSL_ia32cap_P[0] & (1 << 4)) != 0) {
for (i = 0; i < TSC_READ_COUNT; i++) {
c = (unsigned char)(OPENSSL_rdtsc() & 0xFF);
rand_add(arg, &c, 1, 0.5);
}
}
}
static int benchmark_siphash(void)
{
# ifdef OPENSSL_CPUID_OBJ
SIPHASH siphash;
unsigned char key[SIPHASH_KEY_SIZE];
unsigned char buf[8192];
uint32_t stopwatch;
unsigned int i;
memset (buf,0x55,sizeof(buf));
memset (key,0xAA,sizeof(key));
(void)SipHash_Init(&siphash, key, 0, 0, 0);
for (i=0;i<100000;i++)
SipHash_Update(&siphash, buf, sizeof(buf));
stopwatch = OPENSSL_rdtsc();
for (i=0;i<10000;i++)
SipHash_Update(&siphash, buf, sizeof(buf));
stopwatch = OPENSSL_rdtsc() - stopwatch;
BIO_printf(b_stdout, "%g\n",stopwatch/(double)(i*sizeof(buf)));
stopwatch = OPENSSL_rdtsc();
for (i=0;i<10000;i++) {
(void)SipHash_Init(&siphash, key, 0, 0, 0);
SipHash_Update(&siphash, buf, 16);
(void)SipHash_Final(&siphash, buf, SIPHASH_MAX_DIGEST_SIZE);
}
stopwatch = OPENSSL_rdtsc() - stopwatch;
BIO_printf(b_stdout, "%g\n",stopwatch/(double)(i));
# else
BIO_printf(b_stderr,
"Benchmarking of siphash isn't available on this platform\n");
# endif
return 1;
}
/*
* Acquire entropy from high-speed clock
*
* Since we get some randomness from the low-order bits of the
* high-speed clock, it can help.
*
* Returns the total entropy count, if it exceeds the requested
* entropy count. Otherwise, returns an entropy count of 0.
*/
size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool)
{
unsigned char c;
int i;
if ((OPENSSL_ia32cap_P[0] & (1 << 4)) != 0) {
for (i = 0; i < TSC_READ_COUNT; i++) {
c = (unsigned char)(OPENSSL_rdtsc() & 0xFF);
RAND_POOL_add(pool, &c, 1, 4);
}
}
return RAND_POOL_entropy_available(pool);
}
static void benchmark_gcm128(const unsigned char *K, size_t Klen,
const unsigned char *IV, size_t IVlen)
{
#ifdef OPENSSL_CPUID_OBJ
GCM128_CONTEXT ctx;
AES_KEY key;
uint32_t start, gcm_t, ctr_t;
union {
u64 u;
u8 c[1024];
} buf;
AES_set_encrypt_key(K, Klen * 8, &key);
CRYPTO_gcm128_init(&ctx, &key, (block128_f) AES_encrypt);
CRYPTO_gcm128_setiv(&ctx, IV, IVlen);
CRYPTO_gcm128_encrypt(&ctx, buf.c, buf.c, sizeof(buf));
start = OPENSSL_rdtsc();
CRYPTO_gcm128_encrypt(&ctx, buf.c, buf.c, sizeof(buf));
gcm_t = OPENSSL_rdtsc() - start;
CRYPTO_ctr128_encrypt(buf.c, buf.c, sizeof(buf),
&key, ctx.Yi.c, ctx.EKi.c, &ctx.mres,
(block128_f) AES_encrypt);
start = OPENSSL_rdtsc();
CRYPTO_ctr128_encrypt(buf.c, buf.c, sizeof(buf),
&key, ctx.Yi.c, ctx.EKi.c, &ctx.mres,
(block128_f) AES_encrypt);
ctr_t = OPENSSL_rdtsc() - start;
printf("%.2f-%.2f=%.2f\n",
gcm_t / (double)sizeof(buf),
ctr_t / (double)sizeof(buf),
(gcm_t - ctr_t) / (double)sizeof(buf));
# ifdef GHASH
{
void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
const u8 *inp, size_t len) = ctx.ghash;
GHASH((&ctx), buf.c, sizeof(buf));
start = OPENSSL_rdtsc();
for (i = 0; i < 100; ++i)
GHASH((&ctx), buf.c, sizeof(buf));
gcm_t = OPENSSL_rdtsc() - start;
printf("%.2f\n", gcm_t / (double)sizeof(buf) / (double)i);
}
# endif
#else
fprintf(stderr,
"Benchmarking of modes isn't available on this platform\n");
#endif
}
/*
* Get an arbitrary timer value of the highest possible resolution
*
* The timer value is added as random noise to the additional data,
* which is not considered a trusted entropy sourec, so any result
* is acceptable.
*/
static uint64_t get_timer_bits(void)
{
uint64_t res = OPENSSL_rdtsc();
if (res != 0)
return res;
# if defined(__sun) || defined(__hpux)
return gethrtime();
# elif defined(_AIX)
{
timebasestruct_t t;
read_wall_time(&t, TIMEBASE_SZ);
return TWO32TO64(t.tb_high, t.tb_low);
}
# elif defined(OSSL_POSIX_TIMER_OKAY)
{
struct timespec ts;
# ifdef CLOCK_BOOTTIME
# define CLOCK_TYPE CLOCK_BOOTTIME
# elif defined(_POSIX_MONOTONIC_CLOCK)
# define CLOCK_TYPE CLOCK_MONOTONIC
# else
# define CLOCK_TYPE CLOCK_REALTIME
# endif
if (clock_gettime(CLOCK_TYPE, &ts) == 0)
return TWO32TO64(ts.tv_sec, ts.tv_nsec);
}
# endif
# if defined(__unix__) \
|| (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L)
{
struct timeval tv;
if (gettimeofday(&tv, NULL) == 0)
return TWO32TO64(tv.tv_sec, tv.tv_usec);
}
# endif
return time(NULL);
}
static int rand_bytes(unsigned char *buf, int num, int pseudo)
{
static volatile int stirred_pool = 0;
int i, j, k;
size_t num_ceil, st_idx, st_num;
int ok;
long md_c[2];
unsigned char local_md[MD_DIGEST_LENGTH];
EVP_MD_CTX *m;
#ifndef GETPID_IS_MEANINGLESS
pid_t curr_pid = getpid();
#endif
time_t curr_time = time(NULL);
int do_stir_pool = 0;
/* time value for various platforms */
#ifdef OPENSSL_SYS_WIN32
FILETIME tv;
# ifdef _WIN32_WCE
SYSTEMTIME t;
GetSystemTime(&t);
SystemTimeToFileTime(&t, &tv);
# else
GetSystemTimeAsFileTime(&tv);
# endif
#elif defined(OPENSSL_SYS_VXWORKS)
struct timespec tv;
clock_gettime(CLOCK_REALTIME, &ts);
#elif defined(OPENSSL_SYS_DSPBIOS)
unsigned long long tv, OPENSSL_rdtsc();
tv = OPENSSL_rdtsc();
#else
struct timeval tv;
gettimeofday(&tv, NULL);
#endif
#ifdef PREDICT
if (rand_predictable) {
static unsigned char val = 0;
for (i = 0; i < num; i++)
buf[i] = val++;
return (1);
}
#endif
if (num <= 0)
return 1;
m = EVP_MD_CTX_new();
if (m == NULL)
goto err_mem;
/* round upwards to multiple of MD_DIGEST_LENGTH/2 */
num_ceil =
(1 + (num - 1) / (MD_DIGEST_LENGTH / 2)) * (MD_DIGEST_LENGTH / 2);
/*
* (Based on the rand(3) manpage:)
*
* For each group of 10 bytes (or less), we do the following:
*
* Input into the hash function the local 'md' (which is initialized from
* the global 'md' before any bytes are generated), the bytes that are to
* be overwritten by the random bytes, and bytes from the 'state'
* (incrementing looping index). From this digest output (which is kept
* in 'md'), the top (up to) 10 bytes are returned to the caller and the
* bottom 10 bytes are xored into the 'state'.
*
* Finally, after we have finished 'num' random bytes for the
* caller, 'count' (which is incremented) and the local and global 'md'
* are fed into the hash function and the results are kept in the
* global 'md'.
*/
if (!RUN_ONCE(&rand_lock_init, do_rand_lock_init))
goto err_mem;
CRYPTO_THREAD_write_lock(rand_lock);
/*
* We could end up in an async engine while holding this lock so ensure
* we don't pause and cause a deadlock
*/
ASYNC_block_pause();
/* prevent rand_bytes() from trying to obtain the lock again */
CRYPTO_THREAD_write_lock(rand_tmp_lock);
locking_threadid = CRYPTO_THREAD_get_current_id();
CRYPTO_THREAD_unlock(rand_tmp_lock);
crypto_lock_rand = 1;
if (!initialized) {
RAND_poll();
initialized = 1;
}
if (!stirred_pool)
do_stir_pool = 1;
ok = (entropy >= ENTROPY_NEEDED);
if (!ok) {
/*
* If the PRNG state is not yet unpredictable, then seeing the PRNG
* output may help attackers to determine the new state; thus we have
* to decrease the entropy estimate. Once we've had enough initial
* seeding we don't bother to adjust the entropy count, though,
* because we're not ambitious to provide *information-theoretic*
* randomness. NOTE: This approach fails if the program forks before
* we have enough entropy. Entropy should be collected in a separate
* input pool and be transferred to the output pool only when the
* entropy limit has been reached.
*/
entropy -= num;
if (entropy < 0)
entropy = 0;
}
if (do_stir_pool) {
/*
* In the output function only half of 'md' remains secret, so we
* better make sure that the required entropy gets 'evenly
* distributed' through 'state', our randomness pool. The input
* function (rand_add) chains all of 'md', which makes it more
* suitable for this purpose.
*/
int n = STATE_SIZE; /* so that the complete pool gets accessed */
while (n > 0) {
#if MD_DIGEST_LENGTH > 20
# error "Please adjust DUMMY_SEED."
#endif
#define DUMMY_SEED "...................." /* at least MD_DIGEST_LENGTH */
/*
* Note that the seed does not matter, it's just that
* rand_add expects to have something to hash.
*/
rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0);
n -= MD_DIGEST_LENGTH;
}
if (ok)
stirred_pool = 1;
}
st_idx = state_index;
st_num = state_num;
md_c[0] = md_count[0];
md_c[1] = md_count[1];
memcpy(local_md, md, sizeof md);
state_index += num_ceil;
if (state_index > state_num)
state_index %= state_num;
/*
* state[st_idx], ..., state[(st_idx + num_ceil - 1) % st_num] are now
* ours (but other threads may use them too)
*/
md_count[0] += 1;
/* before unlocking, we must clear 'crypto_lock_rand' */
crypto_lock_rand = 0;
ASYNC_unblock_pause();
CRYPTO_THREAD_unlock(rand_lock);
while (num > 0) {
/* num_ceil -= MD_DIGEST_LENGTH/2 */
j = (num >= MD_DIGEST_LENGTH / 2) ? MD_DIGEST_LENGTH / 2 : num;
num -= j;
if (!MD_Init(m))
goto err;
#ifndef GETPID_IS_MEANINGLESS
if (curr_pid) { /* just in the first iteration to save time */
if (!MD_Update(m, (unsigned char *)&curr_pid, sizeof curr_pid))
goto err;
curr_pid = 0;
}
#endif
if (curr_time) { /* just in the first iteration to save time */
if (!MD_Update(m, (unsigned char *)&curr_time, sizeof curr_time))
goto err;
if (!MD_Update(m, (unsigned char *)&tv, sizeof tv))
goto err;
curr_time = 0;
if (!rand_hw_seed(m))
goto err;
}
if (!MD_Update(m, local_md, MD_DIGEST_LENGTH))
goto err;
if (!MD_Update(m, (unsigned char *)&(md_c[0]), sizeof(md_c)))
goto err;
k = (st_idx + MD_DIGEST_LENGTH / 2) - st_num;
if (k > 0) {
if (!MD_Update(m, &(state[st_idx]), MD_DIGEST_LENGTH / 2 - k))
goto err;
if (!MD_Update(m, &(state[0]), k))
goto err;
} else if (!MD_Update(m, &(state[st_idx]), MD_DIGEST_LENGTH / 2))
goto err;
if (!MD_Final(m, local_md))
goto err;
for (i = 0; i < MD_DIGEST_LENGTH / 2; i++) {
/* may compete with other threads */
state[st_idx++] ^= local_md[i];
if (st_idx >= st_num)
st_idx = 0;
if (i < j)
*(buf++) = local_md[i + MD_DIGEST_LENGTH / 2];
}
}
if (!MD_Init(m)
|| !MD_Update(m, (unsigned char *)&(md_c[0]), sizeof(md_c))
|| !MD_Update(m, local_md, MD_DIGEST_LENGTH))
goto err;
CRYPTO_THREAD_write_lock(rand_lock);
/*
* Prevent deadlocks if we end up in an async engine
*/
ASYNC_block_pause();
if (!MD_Update(m, md, MD_DIGEST_LENGTH) || !MD_Final(m, md)) {
CRYPTO_THREAD_unlock(rand_lock);
goto err;
}
ASYNC_unblock_pause();
CRYPTO_THREAD_unlock(rand_lock);
EVP_MD_CTX_free(m);
if (ok)
return (1);
else if (pseudo)
return 0;
else {
RANDerr(RAND_F_RAND_BYTES, RAND_R_PRNG_NOT_SEEDED);
ERR_add_error_data(1, "You need to read the OpenSSL FAQ, "
"https://www.openssl.org/docs/faq.html");
return (0);
}
err:
RANDerr(RAND_F_RAND_BYTES, ERR_R_EVP_LIB);
EVP_MD_CTX_free(m);
return 0;
err_mem:
RANDerr(RAND_F_RAND_BYTES, ERR_R_MALLOC_FAILURE);
EVP_MD_CTX_free(m);
return 0;
}
/*
* Find a suitable source of time. Start with the highest resolution source
* and work down to the slower ones. This is added as additional data and
* isn't counted as randomness, so any result is acceptable.
*
* Returns 0 when we weren't able to find any time source
*/
static uint64_t get_timer_bits(void)
{
uint64_t res = OPENSSL_rdtsc();
if (res != 0)
return res;
#if defined(_WIN32)
{
LARGE_INTEGER t;
FILETIME ft;
if (QueryPerformanceCounter(&t) != 0)
return t.QuadPart;
GetSystemTimeAsFileTime(&ft);
return TWO32TO64(ft.dwHighDateTime, ft.dwLowDateTime);
}
#elif defined(__sun) || defined(__hpux)
return gethrtime();
#elif defined(_AIX)
{
timebasestruct_t t;
read_wall_time(&t, TIMEBASE_SZ);
return TWO32TO64(t.tb_high, t.tb_low);
}
#else
# if defined(OSSL_POSIX_TIMER_OKAY)
{
struct timespec ts;
clockid_t cid;
# ifdef CLOCK_BOOTTIME
cid = CLOCK_BOOTTIME;
# elif defined(_POSIX_MONOTONIC_CLOCK)
cid = CLOCK_MONOTONIC;
# else
cid = CLOCK_REALTIME;
# endif
if (clock_gettime(cid, &ts) == 0)
return TWO32TO64(ts.tv_sec, ts.tv_nsec);
}
# endif
# if defined(__unix__) \
|| (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L)
{
struct timeval tv;
if (gettimeofday(&tv, NULL) == 0)
return TWO32TO64(tv.tv_sec, tv.tv_usec);
}
# endif
{
time_t t = time(NULL);
if (t == (time_t)-1)
return 0;
return t;
}
#endif
}