lib/hcrypto/rnd_keys.c

   1 /*
   2  * Copyright (c) 1995, 1996, 1997, 1999 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #ifdef HAVE_CONFIG_H
  35 #include "config.h"
  36
  37 RCSID("$Id$");
  38 #endif
  39
  40 #ifdef KRB5
  41 #include <krb5-types.h>
  42 #endif
  43 #include <des.h>
  44
  45 #include <stdlib.h>
  46 #include <string.h>
  47
  48 #ifdef TIME_WITH_SYS_TIME
  49 #include <sys/time.h>
  50 #include <time.h>
  51 #elif defined(HAVE_SYS_TIME_H)
  52 #include <sys/time.h>
  53 #else
  54 #include <time.h>
  55 #endif
  56
  57 #ifdef HAVE_SYS_TYPES_H
  58 #include <sys/types.h>
  59 #endif
  60
  61 #ifdef HAVE_UNISTD_H
  62 #include <unistd.h>
  63 #endif
  64 #ifdef HAVE_IO_H
  65 #include <io.h>
  66 #endif
  67
  68 #ifdef HAVE_SIGNAL_H
  69 #include <signal.h>
  70 #endif
  71 #ifdef HAVE_FCNTL_H
  72 #include <fcntl.h>
  73 #endif
  74
  75 /*
  76  * Generate "random" data by checksumming a file.
  77  *
  78  * Returns -1 if there were any problems with permissions or I/O
  79  * errors.
  80  */
  81 static
  82 int
  83 sumFile (const char *name, int len, void *res)
  84 {
  85   uint32_t sum[2] = { 0, 0 };
  86   uint32_t buf[1024*2];
  87   int fd, i;
  88
  89   fd = open (name, 0);
  90   if (fd < 0)
  91     return -1;
  92
  93   while (len > 0)
  94     {
  95       int n = read(fd, buf, sizeof(buf));
  96       if (n < 0)
  97         {
  98           close(fd);
  99           return n;
 100         }
 101       for (i = 0; i < (n/sizeof(buf[0])); i++)
 102         {
 103           sum[0] += buf[i];
 104           i++;
 105           sum[1] += buf[i];
 106         }
 107       len -= n;
 108     }
 109   close (fd);
 110   memcpy (res, &sum, sizeof(sum));
 111   return 0;
 112 }
 113
 114 #if 0
 115 static
 116 int
 117 md5sumFile (const char *name, int len, int32_t sum[4])
 118 {
 119   int32_t buf[1024*2];
 120   int fd, cnt;
 121   struct md5 md5;
 122
 123   fd = open (name, 0);
 124   if (fd < 0)
 125     return -1;
 126
 127   md5_init(&md5);
 128   while (len > 0)
 129     {
 130       int n = read(fd, buf, sizeof(buf));
 131       if (n < 0)
 132         {
 133           close(fd);
 134           return n;
 135         }
 136       md5_update(&md5, buf, n);
 137       len -= n;
 138     }
 139   md5_finito(&md5, (unsigned char *)sum);
 140   close (fd);
 141   return 0;
 142 }
 143 #endif
 144
 145 /*
 146  * Create a sequence of random 64 bit blocks.
 147  * The sequence is indexed with a long long and
 148  * based on an initial des key used as a seed.
 149  */
 150 static DES_key_schedule sequence_seed;
 151 static uint32_t sequence_index[2];
 152
 153 /*
 154  * Random number generator based on ideas from truerand in cryptolib
 155  * as described on page 424 in Applied Cryptography 2 ed. by Bruce
 156  * Schneier.
 157  */
 158
 159 static volatile int counter;
 160 static volatile unsigned char *gdata; /* Global data */
 161 static volatile int igdata;     /* Index into global data */
 162 static int gsize;
 163
 164 #if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__)
 165 /* Visual C++ 4.0 (Windows95/NT) */
 166
 167 static
 168 RETSIGTYPE
 169 sigALRM(int sig)
 170 {
 171     if (igdata < gsize)
 172         gdata[igdata++] ^= counter & 0xff;
 173
 174 #ifndef HAVE_SIGACTION
 175     signal(SIGALRM, sigALRM); /* Reinstall SysV signal handler */
 176 #endif
 177     SIGRETURN(0);
 178 }
 179
 180 #endif
 181
 182 #if !defined(HAVE_RANDOM) && defined(HAVE_RAND)
 183 #ifndef srandom
 184 #define srandom srand
 185 #endif
 186 #ifndef random
 187 #define random rand
 188 #endif
 189 #endif
 190
 191 #if !defined(HAVE_SETITIMER) || defined(WIN32) || defined(__EMX__) || defined(__OS2__) || defined(__CYGWIN32__)
 192 static void
 193 des_not_rand_data(unsigned char *data, int size)
 194 {
 195   int i;
 196
 197   srandom (time (NULL));
 198
 199   for(i = 0; i < size; ++i)
 200     data[i] ^= random() % 0x100;
 201 }
 202 #endif
 203
 204 #if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__)
 205
 206 #ifndef HAVE_SETITIMER
 207 static void
 208 pacemaker(struct timeval *tv)
 209 {
 210     fd_set fds;
 211     pid_t pid;
 212     pid = getppid();
 213     while(1){
 214         FD_ZERO(&fds);
 215         FD_SET(0, &fds);
 216         select(1, &fds, NULL, NULL, tv);
 217         kill(pid, SIGALRM);
 218     }
 219 }
 220 #endif
 221
 222 #ifdef HAVE_SIGACTION
 223 /* XXX ugly hack, should perhaps use function from roken */
 224 static RETSIGTYPE
 225 (*fake_signal(int sig, RETSIGTYPE (*f)(int)))(int)
 226 {
 227     struct sigaction sa, osa;
 228     sa.sa_handler = f;
 229     sa.sa_flags = 0;
 230     sigemptyset(&sa.sa_mask);
 231     sigaction(sig, &sa, &osa);
 232     return osa.sa_handler;
 233 }
 234 #define signal(S, F) fake_signal((S), (F))
 235 #endif
 236
 237 /*
 238  * Generate size bytes of "random" data using timed interrupts.
 239  * It takes about 40ms/byte random data.
 240  * It's not neccessary to be root to run it.
 241  */
 242 void
 243 DES_rand_data(void *outdata, int size)
 244 {
 245     unsigned char *data = outdata;
 246     struct itimerval tv, otv;
 247     RETSIGTYPE (*osa)(int);
 248     int i, j;
 249 #ifndef HAVE_SETITIMER
 250     RETSIGTYPE (*ochld)(int);
 251     pid_t pid;
 252 #endif
 253     const char *rnd_devices[] = {"/dev/random",
 254                            "/dev/srandom",
 255                            "/dev/urandom",
 256                            "/dev/arandom",
 257                            NULL};
 258     const char **p;
 259
 260     for(p = rnd_devices; *p; p++) {
 261       int fd = open(*p, O_RDONLY | O_NDELAY);
 262
 263       if(fd >= 0 && read(fd, data, size) == size) {
 264         close(fd);
 265         return;
 266       }
 267       close(fd);
 268     }
 269
 270     /* Paranoia? Initialize data from /dev/mem if we can read it. */
 271     if (size >= 8)
 272       sumFile("/dev/mem", (1024*1024*2), data);
 273
 274     gdata = data;
 275     gsize = size;
 276     igdata = 0;
 277
 278     osa = signal(SIGALRM, sigALRM);
 279
 280     /* Start timer */
 281     tv.it_value.tv_sec = 0;
 282     tv.it_value.tv_usec = 10 * 1000; /* 10 ms */
 283     tv.it_interval = tv.it_value;
 284 #ifdef HAVE_SETITIMER
 285     setitimer(ITIMER_REAL, &tv, &otv);
 286 #else
 287     ochld = signal(SIGCHLD, SIG_IGN);
 288     pid = fork();
 289     if(pid == -1){
 290         signal(SIGCHLD, ochld != SIG_ERR ? ochld : SIG_DFL);
 291         des_not_rand_data(data, size);
 292         return;
 293     }
 294     if(pid == 0)
 295         pacemaker(&tv.it_interval);
 296 #endif
 297
 298     for(i = 0; i < 4; i++) {
 299         for (igdata = 0; igdata < size;) /* igdata++ in sigALRM */
 300             counter++;
 301         for (j = 0; j < size; j++) /* Only use 2 bits each lap */
 302             gdata[j] = (gdata[j]>>2) | (gdata[j]<<6);
 303     }
 304 #ifdef HAVE_SETITIMER
 305     setitimer(ITIMER_REAL, &otv, 0);
 306 #else
 307     kill(pid, SIGKILL);
 308     while(waitpid(pid, NULL, 0) != pid);
 309     signal(SIGCHLD, ochld != SIG_ERR ? ochld : SIG_DFL);
 310 #endif
 311     signal(SIGALRM, osa != SIG_ERR ? osa : SIG_DFL);
 312 }
 313 #else
 314 void
 315 DES_rand_data(unsigned char *p, int s)
 316 {
 317   des_not_rand_data (p, s);
 318 }
 319 #endif
 320
 321 void
 322 DES_generate_random_block(DES_cblock *block)
 323 {
 324   DES_rand_data((unsigned char *)block, sizeof(*block));
 325 }
 326
 327 #define DES_rand_data_key hc_DES_rand_data_key
 328
 329 void
 330 DES_rand_data_key(DES_cblock *key);
 331
 332 /*
 333  * Generate a "random" DES key.
 334  */
 335 void
 336 DES_rand_data_key(DES_cblock *key)
 337 {
 338     unsigned char data[8];
 339     DES_key_schedule sched;
 340     do {
 341         DES_rand_data(data, sizeof(data));
 342         DES_rand_data((unsigned char*)key, sizeof(DES_cblock));
 343         DES_set_odd_parity(key);
 344         DES_set_key(key, &sched);
 345         DES_ecb_encrypt(&data, key, &sched, DES_ENCRYPT);
 346         memset(&data, 0, sizeof(data));
 347         memset(&sched, 0, sizeof(sched));
 348         DES_set_odd_parity(key);
 349     } while(DES_is_weak_key(key));
 350 }
 351
 352 /*
 353  * Generate "random" data by checksumming /dev/mem
 354  *
 355  * It's neccessary to be root to run it. Returns -1 if there were any
 356  * problems with permissions.
 357  */
 358
 359 #define DES_mem_rand8 hc_DES_mem_rand8
 360
 361 int
 362 DES_mem_rand8(unsigned char *data);
 363
 364 int
 365 DES_mem_rand8(unsigned char *data)
 366 {
 367   return 1;
 368 }
 369
 370 /*
 371  * In case the generator does not get initialized use this as fallback.
 372  */
 373 static int initialized;
 374
 375 static void
 376 do_initialize(void)
 377 {
 378     DES_cblock default_seed;
 379     do {
 380         DES_generate_random_block(&default_seed);
 381         DES_set_odd_parity(&default_seed);
 382     } while (DES_is_weak_key(&default_seed));
 383     DES_init_random_number_generator(&default_seed);
 384 }
 385
 386 #define zero_long_long(ll) do { ll[0] = ll[1] = 0; } while (0)
 387
 388 #define incr_long_long(ll) do { if (++ll[0] == 0) ++ll[1]; } while (0)
 389
 390 #define set_sequence_number(ll) \
 391 memcpy((char *)sequence_index, (ll), sizeof(sequence_index));
 392
 393 /*
 394  * Set the sequnce number to this value (a long long).
 395  */
 396 void
 397 DES_set_sequence_number(void *ll)
 398 {
 399     set_sequence_number(ll);
 400 }
 401
 402 /*
 403  * Set the generator seed and reset the sequence number to 0.
 404  */
 405 void
 406 DES_set_random_generator_seed(DES_cblock *seed)
 407 {
 408     DES_set_key(seed, &sequence_seed);
 409     zero_long_long(sequence_index);
 410     initialized = 1;
 411 }
 412
 413 /*
 414  * Generate a sequence of random des keys
 415  * using the random block sequence, fixup
 416  * parity and skip weak keys.
 417  */
 418 int
 419 DES_new_random_key(DES_cblock *key)
 420 {
 421     if (!initialized)
 422         do_initialize();
 423
 424     do {
 425         DES_ecb_encrypt((DES_cblock *) sequence_index,
 426                         key,
 427                         &sequence_seed,
 428                         DES_ENCRYPT);
 429         incr_long_long(sequence_index);
 430         /* random key must have odd parity and not be weak */
 431         DES_set_odd_parity(key);
 432     } while (DES_is_weak_key(key));
 433     return(0);
 434 }
 435
 436 /*
 437  * des_init_random_number_generator:
 438  *
 439  * Initialize the sequence of random 64 bit blocks.  The input seed
 440  * can be a secret key since it should be well hidden and is also not
 441  * kept.
 442  *
 443  */
 444 void
 445 DES_init_random_number_generator(DES_cblock *seed)
 446 {
 447     struct timeval now;
 448     DES_cblock uniq;
 449     DES_cblock new_key;
 450
 451     gettimeofday(&now, (struct timezone *)0);
 452     DES_generate_random_block(&uniq);
 453
 454     /* Pick a unique random key from the shared sequence. */
 455     DES_set_random_generator_seed(seed);
 456     set_sequence_number((unsigned char *)&uniq);
 457     DES_new_random_key(&new_key);
 458
 459     /* Select a new nonshared sequence, */
 460     DES_set_random_generator_seed(&new_key);
 461
 462     /* and use the current time to pick a key for the new sequence. */
 463     set_sequence_number((unsigned char *)&now);
 464     DES_new_random_key(&new_key);
 465     DES_set_random_generator_seed(&new_key);
 466 }
 467
 468 /* This is for backwards compatibility. */
 469 void
 470 DES_random_key(DES_cblock *ret)
 471 {
 472     DES_new_random_key(ret);
 473 }
 474
 475 #ifdef TESTRUN
 476 int
 477 main()
 478 {
 479     unsigned char data[8];
 480     int i;
 481
 482     while (1)
 483         {
 484             if (sumFile("/dev/mem", (1024*1024*8), data) != 0)
 485               { perror("sumFile"); exit(1); }
 486             for (i = 0; i < 8; i++)
 487                 printf("%02x", data[i]);
 488             printf("\n");
 489         }
 490 }
 491 #endif
 492
 493 #ifdef TESTRUN2
 494 int
 495 main()
 496 {
 497     DES_cblock data;
 498     int i;
 499
 500     while (1)
 501         {
 502             do_initialize();
 503             DES_random_key(data);
 504             for (i = 0; i < 8; i++)
 505                 printf("%02x", data[i]);
 506             printf("\n");
 507         }
 508 }
 509 #endif