cfbcf2124b72ca9fc2b877a96af3303b04599bc3
[strongswan.git] / src / pluto / rnd.c
1 /* randomness machinery
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * RCSID $Id$
16 */
17
18 /* A true random number generator (we hope)
19 *
20 * Under LINUX ("linux" predefined), use /dev/urandom.
21 * Under OpenBSD ("__OpenBSD__" predefined), use arc4random().
22 * Otherwise use our own random number generator based on clock skew.
23 * I (ADK) first heard of the idea from John Ioannidis, who heard it
24 * from Matt Blaze and/or Jack Lacy.
25 * ??? Why is mixing need for linux but not OpenBSD?
26 */
27
28 /* Pluto's uses of randomness:
29 *
30 * - Setting up the "secret_of_the_day". This changes every hour! 20
31 * bytes a shot. It is used in building responder cookies.
32 *
33 * - generating initiator cookies (8 bytes, once per Phase 1 initiation).
34 *
35 * - 32 bytes per DH local secret. Once per Main Mode exchange and once
36 * per Quick Mode Exchange with PFS. (Size is our choice, with
37 * tradeoffs.)
38 *
39 * - 16 bytes per nonce we generate. Once per Main Mode exchange and
40 * once per Quick Mode exchange. (Again, we choose the size.)
41 *
42 * - 4 bytes per SPI number that we generate. We choose the SPIs for all
43 * inbound SPIs, one to three per IPSEC SA (one for AH (rare, probably)
44 * one for ESP (almost always), and one for tunnel (very common)).
45 * I don't actually know how the kernel would generate these numbers --
46 * currently Pluto generates them; this isn't the way things will be
47 * done in the future.
48 *
49 * - 4 bytes per Message ID we need to generate. One per Quick Mode
50 * exchange. Eventually, one per informational exchange.
51 */
52
53 #include <stdio.h>
54 #include <stdlib.h>
55 #include <signal.h>
56 #include <unistd.h>
57 #include <errno.h>
58 #include <sys/time.h>
59 #include <fcntl.h>
60
61 #include <freeswan.h>
62
63 #include "sha1.h"
64 #include "constants.h"
65 #include "defs.h"
66 #include "rnd.h"
67 #include "log.h"
68 #include "timer.h"
69
70 #ifdef linux
71 # define USE_DEV_RANDOM 1
72 # define RANDOM_PATH DEV_URANDOM
73 #else
74 # ifdef __OpenBSD__
75 # define USE_ARC4RANDOM
76 # else
77 # define USE_CLOCK_SLEW
78 # endif
79 #endif
80
81 #ifdef USE_ARC4RANDOM
82
83 #define get_rnd_byte() (arc4random() % 256)
84
85 #else /**** start of large #else ****/
86
87 #ifdef USE_DEV_RANDOM
88 static int random_fd = NULL_FD;
89 #endif
90
91 #define RANDOM_POOL_SIZE SHA1_DIGEST_SIZE
92 static u_char random_pool[RANDOM_POOL_SIZE];
93
94 #ifdef USE_DEV_RANDOM
95
96 /* Generate (what we hope is) a true random byte using /dev/urandom */
97 static u_char
98 generate_rnd_byte(void)
99 {
100 u_char c;
101
102 if (read(random_fd, &c, sizeof(c)) == -1)
103 exit_log_errno((e, "read() failed in get_rnd_byte()"));
104
105 return c;
106 }
107
108 #else /* !USE_DEV_RANDOM */
109
110 /* Generate (what we hope is) a true random byte using the clock skew trick.
111 * Note: this code is not maintained! In particular, LINUX signal(2)
112 * semantics changed with glibc2 (and not for the better). It isn't clear
113 * that this code will work. We keep the code because someday it might
114 * come in handy.
115 */
116 # error "This code is not maintained. Please define USE_DEV_RANDOM."
117
118 static volatile sig_atomic_t i, j, k;
119
120 /* timer signal handler */
121 static void
122 rnd_handler(int ignore_me UNUSED)
123 {
124 k <<= 1; /* Shift left by 1 */
125 j++;
126 k |= (i & 0x1); /* Get lsbit of counter */
127
128 if (j != 8)
129 signal(SIGVTALRM, rnd_handler);
130 }
131
132 static u_char
133 generate_rnd_byte(void)
134 {
135 struct itimerval tmval, ntmval;
136
137 # ifdef NEVER /* ??? */
138 # ifdef linux
139 int mask = siggetmask();
140
141 mask |= SIGVTALRM;
142 sigsetmask(mask);
143 # endif
144 # endif
145
146 i = 0;
147 j = 0;
148
149 ntmval.it_interval.tv_sec = 0;
150 ntmval.it_interval.tv_usec = 1;
151 ntmval.it_value.tv_sec = 0;
152 ntmval.it_value.tv_usec = 1;
153 signal(SIGVTALRM, rnd_handler);
154 setitimer(ITIMER_VIRTUAL, &ntmval, &tmval);
155
156 while (j != 8)
157 i++;
158
159 setitimer(ITIMER_VIRTUAL, &tmval, &ntmval);
160 signal(SIGVTALRM, SIG_IGN);
161
162 # ifdef NEVER /* ??? */
163 # ifdef linux
164 mask ^= SIGVTALRM;
165 sigsetmask(mask);
166 # endif
167 # endif
168
169 return k;
170 }
171
172 #endif /* !USE_DEV_RANDOM */
173
174 static void
175 mix_pool(void)
176 {
177 SHA1_CTX ctx;
178
179 SHA1Init(&ctx);
180 SHA1Update(&ctx, random_pool, RANDOM_POOL_SIZE);
181 SHA1Final(random_pool, &ctx);
182 }
183
184 /*
185 * Get a single random byte.
186 */
187 static u_char
188 get_rnd_byte(void)
189 {
190 random_pool[RANDOM_POOL_SIZE - 1] = generate_rnd_byte();
191 random_pool[0] = generate_rnd_byte();
192 mix_pool();
193 return random_pool[0];
194 }
195
196 #endif /* !USE_ARC4RANDOM */ /**** end of large #else ****/
197
198 void
199 get_rnd_bytes(u_char *buffer, int length)
200 {
201 int i;
202
203 for (i = 0; i < length; i++)
204 buffer[i] = get_rnd_byte();
205 }
206
207 /*
208 * Initialize the random pool.
209 */
210 void
211 init_rnd_pool(void)
212 {
213 #ifndef USE_ARC4RANDOM
214 # ifdef USE_DEV_RANDOM
215 DBG(DBG_KLIPS, DBG_log("opening %s", RANDOM_PATH));
216 random_fd = open(RANDOM_PATH, O_RDONLY);
217 if (random_fd == -1)
218 exit_log_errno((e, "open of %s failed in init_rnd_pool()", RANDOM_PATH));
219 fcntl(random_fd, F_SETFD, FD_CLOEXEC);
220 # endif
221
222 get_rnd_bytes(random_pool, RANDOM_POOL_SIZE);
223 mix_pool();
224 #endif /* !USE_ARC4RANDOM */
225
226 /* start of rand(3) on the right foot */
227 {
228 unsigned int seed;
229
230 get_rnd_bytes((void *)&seed, sizeof(seed));
231 srand(seed);
232 }
233 }
234
235 u_char secret_of_the_day[SHA1_DIGEST_SIZE];
236
237 #ifndef NO_PLUTO
238
239 void
240 init_secret(void)
241 {
242 /*
243 * Generate the secret value for responder cookies, and
244 * schedule an event for refresh.
245 */
246 get_rnd_bytes(secret_of_the_day, sizeof(secret_of_the_day));
247 event_schedule(EVENT_REINIT_SECRET, EVENT_REINIT_SECRET_DELAY, NULL);
248 }
249
250 #endif /* NO_PLUTO */