1*d3273b5bSchristos /* $NetBSD: crypto-rand.c,v 1.2 2017/01/28 21:31:49 christos Exp $ */
2ca1c9b0cSelric
3ca1c9b0cSelric /*
4ca1c9b0cSelric * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
5ca1c9b0cSelric * (Royal Institute of Technology, Stockholm, Sweden).
6ca1c9b0cSelric * All rights reserved.
7ca1c9b0cSelric *
8ca1c9b0cSelric * Redistribution and use in source and binary forms, with or without
9ca1c9b0cSelric * modification, are permitted provided that the following conditions
10ca1c9b0cSelric * are met:
11ca1c9b0cSelric *
12ca1c9b0cSelric * 1. Redistributions of source code must retain the above copyright
13ca1c9b0cSelric * notice, this list of conditions and the following disclaimer.
14ca1c9b0cSelric *
15ca1c9b0cSelric * 2. Redistributions in binary form must reproduce the above copyright
16ca1c9b0cSelric * notice, this list of conditions and the following disclaimer in the
17ca1c9b0cSelric * documentation and/or other materials provided with the distribution.
18ca1c9b0cSelric *
19ca1c9b0cSelric * 3. Neither the name of the Institute nor the names of its contributors
20ca1c9b0cSelric * may be used to endorse or promote products derived from this software
21ca1c9b0cSelric * without specific prior written permission.
22ca1c9b0cSelric *
23ca1c9b0cSelric * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24ca1c9b0cSelric * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25ca1c9b0cSelric * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26ca1c9b0cSelric * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27ca1c9b0cSelric * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28ca1c9b0cSelric * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29ca1c9b0cSelric * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30ca1c9b0cSelric * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31ca1c9b0cSelric * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32ca1c9b0cSelric * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33ca1c9b0cSelric * SUCH DAMAGE.
34ca1c9b0cSelric */
35ca1c9b0cSelric
36ca1c9b0cSelric #include "krb5_locl.h"
37ca1c9b0cSelric
38b9d004c6Schristos #undef HEIMDAL_WARN_UNUSED_RESULT_ATTRIBUTE
39b9d004c6Schristos #define HEIMDAL_WARN_UNUSED_RESULT_ATTRIBUTE
40b9d004c6Schristos
41ca1c9b0cSelric #define ENTROPY_NEEDED 128
42ca1c9b0cSelric
43ca1c9b0cSelric static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER;
44ca1c9b0cSelric
45ca1c9b0cSelric static int
seed_something(void)46ca1c9b0cSelric seed_something(void)
47ca1c9b0cSelric {
48b9d004c6Schristos #ifndef NO_RANDFILE
49ca1c9b0cSelric char buf[1024], seedfile[256];
50ca1c9b0cSelric
51ca1c9b0cSelric /* If there is a seed file, load it. But such a file cannot be trusted,
52ca1c9b0cSelric so use 0 for the entropy estimate */
53ca1c9b0cSelric if (RAND_file_name(seedfile, sizeof(seedfile))) {
54ca1c9b0cSelric int fd;
55ca1c9b0cSelric fd = open(seedfile, O_RDONLY | O_BINARY | O_CLOEXEC);
56ca1c9b0cSelric if (fd >= 0) {
57ca1c9b0cSelric ssize_t ret;
58ca1c9b0cSelric rk_cloexec(fd);
59ca1c9b0cSelric ret = read(fd, buf, sizeof(buf));
60ca1c9b0cSelric if (ret > 0)
61ca1c9b0cSelric RAND_add(buf, ret, 0.0);
62ca1c9b0cSelric close(fd);
63ca1c9b0cSelric } else
64ca1c9b0cSelric seedfile[0] = '\0';
65ca1c9b0cSelric } else
66ca1c9b0cSelric seedfile[0] = '\0';
67b9d004c6Schristos #endif
68ca1c9b0cSelric
69ca1c9b0cSelric /* Calling RAND_status() will try to use /dev/urandom if it exists so
70ca1c9b0cSelric we do not have to deal with it. */
71ca1c9b0cSelric if (RAND_status() != 1) {
72ca1c9b0cSelric /* TODO: Once a Windows CryptoAPI RAND method is defined, we
73ca1c9b0cSelric can use that and failover to another method. */
74ca1c9b0cSelric }
75ca1c9b0cSelric
76ca1c9b0cSelric if (RAND_status() == 1) {
77b9d004c6Schristos #ifndef NO_RANDFILE
78ca1c9b0cSelric /* Update the seed file */
79ca1c9b0cSelric if (seedfile[0])
80ca1c9b0cSelric RAND_write_file(seedfile);
81b9d004c6Schristos #endif
82ca1c9b0cSelric
83ca1c9b0cSelric return 0;
84ca1c9b0cSelric } else
85ca1c9b0cSelric return -1;
86ca1c9b0cSelric }
87ca1c9b0cSelric
88b9d004c6Schristos /**
89b9d004c6Schristos * Fill buffer buf with len bytes of PRNG randomness that is ok to use
90b9d004c6Schristos * for key generation, padding and public diclosing the randomness w/o
91b9d004c6Schristos * disclosing the randomness source.
92b9d004c6Schristos *
93b9d004c6Schristos * This function can fail, and callers must check the return value.
94b9d004c6Schristos *
95b9d004c6Schristos * @param buf a buffer to fill with randomness
96b9d004c6Schristos * @param len length of memory that buf points to.
97b9d004c6Schristos *
98b9d004c6Schristos * @return return 0 on success or HEIM_ERR_RANDOM_OFFLINE if the
99b9d004c6Schristos * funcation failed to initialize the randomness source.
100b9d004c6Schristos *
101b9d004c6Schristos * @ingroup krb5_crypto
102b9d004c6Schristos */
103b9d004c6Schristos
104b9d004c6Schristos HEIMDAL_WARN_UNUSED_RESULT_ATTRIBUTE
105b9d004c6Schristos KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_generate_random(void * buf,size_t len)106b9d004c6Schristos krb5_generate_random(void *buf, size_t len)
107ca1c9b0cSelric {
108ca1c9b0cSelric static int rng_initialized = 0;
109b9d004c6Schristos int ret;
110ca1c9b0cSelric
111ca1c9b0cSelric HEIMDAL_MUTEX_lock(&crypto_mutex);
112ca1c9b0cSelric if (!rng_initialized) {
113b9d004c6Schristos if (seed_something()) {
114b9d004c6Schristos HEIMDAL_MUTEX_unlock(&crypto_mutex);
115b9d004c6Schristos return HEIM_ERR_RANDOM_OFFLINE;
116b9d004c6Schristos }
117ca1c9b0cSelric rng_initialized = 1;
118ca1c9b0cSelric }
119ca1c9b0cSelric if (RAND_bytes(buf, len) <= 0)
120b9d004c6Schristos ret = HEIM_ERR_RANDOM_OFFLINE;
121b9d004c6Schristos else
122b9d004c6Schristos ret = 0;
123b9d004c6Schristos HEIMDAL_MUTEX_unlock(&crypto_mutex);
124b9d004c6Schristos
125b9d004c6Schristos return ret;
126b9d004c6Schristos }
127b9d004c6Schristos
128b9d004c6Schristos /**
129b9d004c6Schristos * Fill buffer buf with len bytes of PRNG randomness that is ok to use
130b9d004c6Schristos * for key generation, padding and public diclosing the randomness w/o
131b9d004c6Schristos * disclosing the randomness source.
132b9d004c6Schristos *
133b9d004c6Schristos * This function can NOT fail, instead it will abort() and program will crash.
134b9d004c6Schristos *
135b9d004c6Schristos * If this function is called after a successful krb5_init_context(),
136b9d004c6Schristos * the chance of it failing is low due to that krb5_init_context()
137b9d004c6Schristos * pulls out some random, and quite commonly the randomness sources
138b9d004c6Schristos * will not fail once it have started to produce good output,
139b9d004c6Schristos * /dev/urandom behavies that way.
140b9d004c6Schristos *
141b9d004c6Schristos * @param buf a buffer to fill with randomness
142b9d004c6Schristos * @param len length of memory that buf points to.
143b9d004c6Schristos *
144b9d004c6Schristos * @ingroup krb5_crypto
145b9d004c6Schristos */
146b9d004c6Schristos
147b9d004c6Schristos
148b9d004c6Schristos KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_generate_random_block(void * buf,size_t len)149b9d004c6Schristos krb5_generate_random_block(void *buf, size_t len)
150b9d004c6Schristos {
151b9d004c6Schristos int ret = krb5_generate_random(buf, len);
152b9d004c6Schristos if (ret)
153ca1c9b0cSelric krb5_abortx(NULL, "Failed to generate random block");
154ca1c9b0cSelric }
155