1 files changed, 241 insertions, 0 deletions
diff --git a/src/crypto/rand/urandom.c b/src/crypto/rand/urandom.c
new file mode 100644
index 0000000..2ad4af0
--- /dev/null
+++ b/src/crypto/rand/urandom.c
@@ -0,0 +1,241 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/rand.h>
+
+#if !defined(OPENSSL_WINDOWS)
+
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <openssl/thread.h>
+#include <openssl/mem.h>
+
+
+/* This file implements a PRNG by reading from /dev/urandom, optionally with a
+ * fork-safe buffer.
+ *
+ * If buffering is enabled then it maintains a global, linked list of buffers.
+ * Threads which need random bytes grab a buffer from the list under a lock and
+ * copy out the bytes that they need. In the rare case that the buffer is
+ * empty, it's refilled from /dev/urandom outside of the lock.
+ *
+ * Large requests are always serviced from /dev/urandom directly.
+ *
+ * Each buffer contains the PID of the process that created it and it's tested
+ * against the current PID each time. Thus processes that fork will discard all
+ * the buffers filled by the parent process. There are two problems with this:
+ *
+ * 1) glibc maintains a cache of the current PID+PPID and, if this cache isn't
+ *    correctly invalidated, the getpid() will continue to believe that
+ *    it's the old process. Glibc depends on the glibc wrappers for fork,
+ *    vfork and clone being used in order to invalidate the getpid() cache.
+ *
+ * 2) If a process forks, dies and then its child forks, it's possible that
+ *    the third process will end up with the same PID as the original process.
+ *    If the second process never used any random values then this will mean
+ *    that the third process has stale, cached values and won't notice.
+ */
+
+/* BUF_SIZE is intended to be a 4K allocation with malloc overhead. struct
+ * rand_buffer also fits in this space and the remainder is entropy. */
+#define BUF_SIZE (4096 - 16)
+
+/* rand_buffer contains unused, random bytes. These structures form a linked
+ * list via the |next| pointer, which is NULL in the final element. */
+struct rand_buffer {
+  size_t used; /* used contains the number of bytes of |rand| that have
+                  been consumed. */
+  struct rand_buffer *next;
+  pid_t pid; /* pid contains the pid at the time that the buffer was
+                created so that data is not duplicated after a fork. */
+  pid_t ppid; /* ppid contains the parent pid in order to try and reduce
+                 the possibility of duplicated PID confusing the
+                 detection of a fork. */
+  uint8_t rand[];
+};
+
+/* rand_bytes_per_buf is the number of actual entropy bytes in a buffer. */
+static const size_t rand_bytes_per_buf = BUF_SIZE - sizeof(struct rand_buffer);
+
+/* list_head is the start of a global, linked-list of rand_buffer objects. It's
+ * protected by CRYPTO_LOCK_RAND. */
+static struct rand_buffer *list_head;
+
+/* urandom_fd is a file descriptor to /dev/urandom. It's protected by
+ * CRYPTO_LOCK_RAND. */
+static int urandom_fd = -2;
+
+/* urandom_buffering controls whether buffering is enabled (1) or not (0). This
+ * is protected by CRYPTO_LOCK_RAND. */
+static int urandom_buffering = 0;
+
+/* urandom_get_fd_locked returns a file descriptor to /dev/urandom. The caller
+ * of this function must hold CRYPTO_LOCK_RAND. */
+static int urandom_get_fd_locked(void) {
+  if (urandom_fd != -2)
+    return urandom_fd;
+
+  urandom_fd = open("/dev/urandom", O_RDONLY);
+  return urandom_fd;
+}
+
+/* RAND_cleanup frees all buffers, closes any cached file descriptor
+ * and resets the global state. */
+void RAND_cleanup(void) {
+  struct rand_buffer *cur;
+
+  CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+  while ((cur = list_head)) {
+    list_head = cur->next;
+    OPENSSL_free(cur);
+  }
+  if (urandom_fd >= 0) {
+    close(urandom_fd);
+  }
+  urandom_fd = -2;
+  list_head = NULL;
+  CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+}
+
+/* read_full reads exactly |len| bytes from |fd| into |out| and returns 1. In
+ * the case of an error it returns 0. */
+static char read_full(int fd, uint8_t *out, size_t len) {
+  ssize_t r;
+
+  while (len > 0) {
+    do {
+      r = read(fd, out, len);
+    } while (r == -1 && errno == EINTR);
+
+    if (r <= 0) {
+      return 0;
+    }
+    out += r;
+    len -= r;
+  }
+
+  return 1;
+}
+
+/* urandom_rand_pseudo_bytes puts |num| random bytes into |out|. It returns
+ * one on success and zero otherwise. */
+int RAND_bytes(uint8_t *out, size_t requested) {
+  int fd;
+  struct rand_buffer *buf;
+  size_t todo;
+  pid_t pid, ppid;
+
+  if (requested == 0) {
+    return 1;
+  }
+
+  CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+  fd = urandom_get_fd_locked();
+
+  if (fd < 0) {
+    CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+    abort();
+    return 0;
+  }
+
+  /* If buffering is not enabled, or if the request is large, then the
+   * result comes directly from urandom. */
+  if (!urandom_buffering || requested > BUF_SIZE / 2) {
+    CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+    if (!read_full(fd, out, requested)) {
+      abort();
+      return 0;
+    }
+    return 1;
+  }
+
+  pid = getpid();
+  ppid = getppid();
+
+  for (;;) {
+    buf = list_head;
+    if (buf && buf->pid == pid && buf->ppid == ppid &&
+        rand_bytes_per_buf - buf->used >= requested) {
+      memcpy(out, &buf->rand[buf->used], requested);
+      buf->used += requested;
+      CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+      return 1;
+    }
+
+    /* If we don't immediately have enough entropy with the correct
+     * PID, remove the buffer from the list in order to gain
+     * exclusive access and unlock. */
+    if (buf) {
+      list_head = buf->next;
+    }
+    CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
+    if (!buf) {
+      buf = (struct rand_buffer *)OPENSSL_malloc(BUF_SIZE);
+      /* The buffer doesn't contain any random bytes yet
+       * so we mark it as fully used so that it will be
+       * filled below. */
+      buf->used = rand_bytes_per_buf;
+      buf->next = NULL;
+      buf->pid = pid;
+      buf->ppid = ppid;
+    }
+
+    if (buf->pid == pid && buf->ppid == ppid) {
+      break;
+    }
+
+    /* We have forked and so cannot use these bytes as they
+     * may have been used in another process. */
+    OPENSSL_free(buf);
+    CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+  }
+
+  while (requested > 0) {
+    todo = rand_bytes_per_buf - buf->used;
+    if (todo > requested) {
+      todo = requested;
+    }
+    memcpy(out, &buf->rand[buf->used], todo);
+    requested -= todo;
+    out += todo;
+    buf->used += todo;
+
+    if (buf->used < rand_bytes_per_buf) {
+      break;
+    }
+
+    if (!read_full(fd, buf->rand, rand_bytes_per_buf)) {
+      OPENSSL_free(buf);
+      abort();
+      return 0;
+    }
+
+    buf->used = 0;
+  }
+
+  CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+  assert(list_head != buf);
+  buf->next = list_head;
+  list_head = buf;
+  CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+  return 1;
+}
+
+#endif  /* !OPENSSL_WINDOWS */