1/* $NetBSD: crypto-rand.c,v 1.2 2017/01/28 21:31:49 christos Exp $ */ 2 3/* 4 * Copyright (c) 1997 - 2008 Kungliga Tekniska H��gskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36#include "krb5_locl.h" 37 38#undef HEIMDAL_WARN_UNUSED_RESULT_ATTRIBUTE 39#define HEIMDAL_WARN_UNUSED_RESULT_ATTRIBUTE 40 41#define ENTROPY_NEEDED 128 42 43static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER; 44 45static int 46seed_something(void) 47{ 48#ifndef NO_RANDFILE 49 char buf[1024], seedfile[256]; 50 51 /* If there is a seed file, load it. But such a file cannot be trusted, 52 so use 0 for the entropy estimate */ 53 if (RAND_file_name(seedfile, sizeof(seedfile))) { 54 int fd; 55 fd = open(seedfile, O_RDONLY | O_BINARY | O_CLOEXEC); 56 if (fd >= 0) { 57 ssize_t ret; 58 rk_cloexec(fd); 59 ret = read(fd, buf, sizeof(buf)); 60 if (ret > 0) 61 RAND_add(buf, ret, 0.0); 62 close(fd); 63 } else 64 seedfile[0] = '\0'; 65 } else 66 seedfile[0] = '\0'; 67#endif 68 69 /* Calling RAND_status() will try to use /dev/urandom if it exists so 70 we do not have to deal with it. */ 71 if (RAND_status() != 1) { 72 /* TODO: Once a Windows CryptoAPI RAND method is defined, we 73 can use that and failover to another method. */ 74 } 75 76 if (RAND_status() == 1) { 77#ifndef NO_RANDFILE 78 /* Update the seed file */ 79 if (seedfile[0]) 80 RAND_write_file(seedfile); 81#endif 82 83 return 0; 84 } else 85 return -1; 86} 87 88/** 89 * Fill buffer buf with len bytes of PRNG randomness that is ok to use 90 * for key generation, padding and public diclosing the randomness w/o 91 * disclosing the randomness source. 92 * 93 * This function can fail, and callers must check the return value. 94 * 95 * @param buf a buffer to fill with randomness 96 * @param len length of memory that buf points to. 97 * 98 * @return return 0 on success or HEIM_ERR_RANDOM_OFFLINE if the 99 * funcation failed to initialize the randomness source. 100 * 101 * @ingroup krb5_crypto 102 */ 103 104HEIMDAL_WARN_UNUSED_RESULT_ATTRIBUTE 105KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 106krb5_generate_random(void *buf, size_t len) 107{ 108 static int rng_initialized = 0; 109 int ret; 110 111 HEIMDAL_MUTEX_lock(&crypto_mutex); 112 if (!rng_initialized) { 113 if (seed_something()) { 114 HEIMDAL_MUTEX_unlock(&crypto_mutex); 115 return HEIM_ERR_RANDOM_OFFLINE; 116 } 117 rng_initialized = 1; 118 } 119 if (RAND_bytes(buf, len) <= 0) 120 ret = HEIM_ERR_RANDOM_OFFLINE; 121 else 122 ret = 0; 123 HEIMDAL_MUTEX_unlock(&crypto_mutex); 124 125 return ret; 126} 127 128/** 129 * Fill buffer buf with len bytes of PRNG randomness that is ok to use 130 * for key generation, padding and public diclosing the randomness w/o 131 * disclosing the randomness source. 132 * 133 * This function can NOT fail, instead it will abort() and program will crash. 134 * 135 * If this function is called after a successful krb5_init_context(), 136 * the chance of it failing is low due to that krb5_init_context() 137 * pulls out some random, and quite commonly the randomness sources 138 * will not fail once it have started to produce good output, 139 * /dev/urandom behavies that way. 140 * 141 * @param buf a buffer to fill with randomness 142 * @param len length of memory that buf points to. 143 * 144 * @ingroup krb5_crypto 145 */ 146 147 148KRB5_LIB_FUNCTION void KRB5_LIB_CALL 149krb5_generate_random_block(void *buf, size_t len) 150{ 151 int ret = krb5_generate_random(buf, len); 152 if (ret) 153 krb5_abortx(NULL, "Failed to generate random block"); 154} 155