1 /* 2 * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.provider; 27 28 import java.io.*; 29 import java.net.*; 30 import java.security.*; 31 import java.util.Arrays; 32 33 import sun.security.util.Debug; 34 35 /** 36 * Native PRNG implementation for Solaris/Linux/MacOS. 37 * <p> 38 * It obtains seed and random numbers by reading system files such as 39 * the special device files /dev/random and /dev/urandom. This 40 * implementation respects the {@code securerandom.source} Security 41 * property and {@code java.security.egd} System property for obtaining 42 * seed material. If the file specified by the properties does not 43 * exist, /dev/random is the default seed source. /dev/urandom is 44 * the default source of random numbers. 45 * <p> 46 * On some Unix platforms, /dev/random may block until enough entropy is 47 * available, but that may negatively impact the perceived startup 48 * time. By selecting these sources, this implementation tries to 49 * strike a balance between performance and security. 50 * <p> 51 * generateSeed() and setSeed() attempt to directly read/write to the seed 52 * source. However, this file may only be writable by root in many 53 * configurations. Because we cannot just ignore bytes specified via 54 * setSeed(), we keep a SHA1PRNG around in parallel. 55 * <p> 56 * nextBytes() reads the bytes directly from the source of random 57 * numbers (and then mixes them with bytes from the SHA1PRNG for the 58 * reasons explained above). Reading bytes from the random generator means 59 * that we are generally getting entropy from the operating system. This 60 * is a notable advantage over the SHA1PRNG model, which acquires 61 * entropy only initially during startup although the VM may be running 62 * for months. 63 * <p> 64 * Also note for nextBytes() that we do not need any initial pure random 65 * seed from /dev/random. This is an advantage because on some versions 66 * of Linux entropy can be exhausted very quickly and could thus impact 67 * startup time. 68 * <p> 69 * Finally, note that we use a singleton for the actual work (RandomIO) 70 * to avoid having to open and close /dev/[u]random constantly. However, 71 * there may be many NativePRNG instances created by the JCA framework. 72 * 73 * @since 1.5 74 * @author Andreas Sterbenz 75 */ 76 public final class NativePRNG extends SecureRandomSpi { 77 78 private static final long serialVersionUID = -6599091113397072932L; 79 80 private static final Debug debug = Debug.getInstance("provider"); 81 82 // name of the pure random file (also used for setSeed()) 83 private static final String NAME_RANDOM = "/dev/random"; 84 // name of the pseudo random file 85 private static final String NAME_URANDOM = "/dev/urandom"; 86 87 // which kind of RandomIO object are we creating? 88 private enum Variant { 89 MIXED, BLOCKING, NONBLOCKING 90 } 91 92 // singleton instance or null if not available 93 private static final RandomIO INSTANCE = initIO(Variant.MIXED); 94 95 /** 96 * Get the System egd source (if defined). We only allow "file:" 97 * URLs for now. If there is a egd value, parse it. 98 * 99 * @return the URL or null if not available. 100 */ getEgdUrl()101 private static URL getEgdUrl() { 102 // This will return "" if nothing was set. 103 String egdSource = SunEntries.getSeedSource(); 104 URL egdUrl; 105 106 if (egdSource.length() != 0) { 107 if (debug != null) { 108 debug.println("NativePRNG egdUrl: " + egdSource); 109 } 110 try { 111 egdUrl = new URL(egdSource); 112 if (!egdUrl.getProtocol().equalsIgnoreCase("file")) { 113 return null; 114 } 115 } catch (MalformedURLException e) { 116 return null; 117 } 118 } else { 119 egdUrl = null; 120 } 121 122 return egdUrl; 123 } 124 125 /** 126 * Create a RandomIO object for all I/O of this Variant type. 127 */ initIO(final Variant v)128 private static RandomIO initIO(final Variant v) { 129 return AccessController.doPrivileged( 130 new PrivilegedAction<>() { 131 @Override 132 public RandomIO run() { 133 134 File seedFile; 135 File nextFile; 136 137 switch(v) { 138 case MIXED: 139 URL egdUrl; 140 File egdFile = null; 141 142 if ((egdUrl = getEgdUrl()) != null) { 143 try { 144 egdFile = SunEntries.getDeviceFile(egdUrl); 145 } catch (IOException e) { 146 // Swallow, seedFile is still null 147 } 148 } 149 150 // Try egd first. 151 if ((egdFile != null) && egdFile.canRead()) { 152 seedFile = egdFile; 153 } else { 154 // fall back to /dev/random. 155 seedFile = new File(NAME_RANDOM); 156 } 157 nextFile = new File(NAME_URANDOM); 158 break; 159 160 case BLOCKING: 161 seedFile = new File(NAME_RANDOM); 162 nextFile = new File(NAME_RANDOM); 163 break; 164 165 case NONBLOCKING: 166 seedFile = new File(NAME_URANDOM); 167 nextFile = new File(NAME_URANDOM); 168 break; 169 170 default: 171 // Shouldn't happen! 172 return null; 173 } 174 175 if (debug != null) { 176 debug.println("NativePRNG." + v + 177 " seedFile: " + seedFile + 178 " nextFile: " + nextFile); 179 } 180 181 if (!seedFile.canRead() || !nextFile.canRead()) { 182 if (debug != null) { 183 debug.println("NativePRNG." + v + 184 " Couldn't read Files."); 185 } 186 return null; 187 } 188 189 try { 190 return new RandomIO(seedFile, nextFile); 191 } catch (Exception e) { 192 return null; 193 } 194 } 195 }); 196 } 197 198 // return whether the NativePRNG is available 199 static boolean isAvailable() { 200 return INSTANCE != null; 201 } 202 203 // constructor, called by the JCA framework 204 public NativePRNG() { 205 super(); 206 if (INSTANCE == null) { 207 throw new AssertionError("NativePRNG not available"); 208 } 209 } 210 211 // set the seed 212 @Override 213 protected void engineSetSeed(byte[] seed) { 214 INSTANCE.implSetSeed(seed); 215 } 216 217 // get pseudo random bytes 218 @Override 219 protected void engineNextBytes(byte[] bytes) { 220 INSTANCE.implNextBytes(bytes); 221 } 222 223 // get true random bytes 224 @Override 225 protected byte[] engineGenerateSeed(int numBytes) { 226 return INSTANCE.implGenerateSeed(numBytes); 227 } 228 229 /** 230 * A NativePRNG-like class that uses /dev/random for both 231 * seed and random material. 232 * 233 * Note that it does not respect the egd properties, since we have 234 * no way of knowing what those qualities are. 235 * 236 * This is very similar to the outer NativePRNG class, minimizing any 237 * breakage to the serialization of the existing implementation. 238 * 239 * @since 1.8 240 */ 241 public static final class Blocking extends SecureRandomSpi { 242 private static final long serialVersionUID = -6396183145759983347L; 243 244 private static final RandomIO INSTANCE = initIO(Variant.BLOCKING); 245 246 // return whether this is available 247 static boolean isAvailable() { 248 return INSTANCE != null; 249 } 250 251 // constructor, called by the JCA framework 252 public Blocking() { 253 super(); 254 if (INSTANCE == null) { 255 throw new AssertionError("NativePRNG$Blocking not available"); 256 } 257 } 258 259 // set the seed 260 @Override 261 protected void engineSetSeed(byte[] seed) { 262 INSTANCE.implSetSeed(seed); 263 } 264 265 // get pseudo random bytes 266 @Override 267 protected void engineNextBytes(byte[] bytes) { 268 INSTANCE.implNextBytes(bytes); 269 } 270 271 // get true random bytes 272 @Override 273 protected byte[] engineGenerateSeed(int numBytes) { 274 return INSTANCE.implGenerateSeed(numBytes); 275 } 276 } 277 278 /** 279 * A NativePRNG-like class that uses /dev/urandom for both 280 * seed and random material. 281 * 282 * Note that it does not respect the egd properties, since we have 283 * no way of knowing what those qualities are. 284 * 285 * This is very similar to the outer NativePRNG class, minimizing any 286 * breakage to the serialization of the existing implementation. 287 * 288 * @since 1.8 289 */ 290 public static final class NonBlocking extends SecureRandomSpi { 291 private static final long serialVersionUID = -1102062982994105487L; 292 293 private static final RandomIO INSTANCE = initIO(Variant.NONBLOCKING); 294 295 // return whether this is available 296 static boolean isAvailable() { 297 return INSTANCE != null; 298 } 299 300 // constructor, called by the JCA framework 301 public NonBlocking() { 302 super(); 303 if (INSTANCE == null) { 304 throw new AssertionError( 305 "NativePRNG$NonBlocking not available"); 306 } 307 } 308 309 // set the seed 310 @Override 311 protected void engineSetSeed(byte[] seed) { 312 INSTANCE.implSetSeed(seed); 313 } 314 315 // get pseudo random bytes 316 @Override 317 protected void engineNextBytes(byte[] bytes) { 318 INSTANCE.implNextBytes(bytes); 319 } 320 321 // get true random bytes 322 @Override 323 protected byte[] engineGenerateSeed(int numBytes) { 324 return INSTANCE.implGenerateSeed(numBytes); 325 } 326 } 327 328 /** 329 * Nested class doing the actual work. Singleton, see INSTANCE above. 330 */ 331 private static class RandomIO { 332 333 // we buffer data we read from the "next" file for efficiency, 334 // but we limit the lifetime to avoid using stale bits 335 // lifetime in ms, currently 100 ms (0.1 s) 336 private static final long MAX_BUFFER_TIME = 100; 337 338 // size of the "next" buffer 339 private static final int MAX_BUFFER_SIZE = 65536; 340 private static final int MIN_BUFFER_SIZE = 32; 341 private int bufferSize = 256; 342 343 // Holder for the seedFile. Used if we ever add seed material. 344 File seedFile; 345 346 // In/OutputStream for "seed" and "next" 347 private final InputStream seedIn, nextIn; 348 private OutputStream seedOut; 349 350 // flag indicating if we have tried to open seedOut yet 351 private boolean seedOutInitialized; 352 353 // SHA1PRNG instance for mixing 354 // initialized lazily on demand to avoid problems during startup 355 private volatile sun.security.provider.SecureRandom mixRandom; 356 357 // buffer for next bits 358 private byte[] nextBuffer; 359 360 // number of bytes left in nextBuffer 361 private int buffered; 362 363 // time we read the data into the nextBuffer 364 private long lastRead; 365 366 // Count for the number of buffer size changes requests 367 // Positive value in increase size, negative to lower it. 368 private int change_buffer = 0; 369 370 // Request limit to trigger an increase in nextBuffer size 371 private static final int REQ_LIMIT_INC = 1000; 372 373 // Request limit to trigger a decrease in nextBuffer size 374 private static final int REQ_LIMIT_DEC = -100; 375 376 // mutex lock for nextBytes() 377 private final Object LOCK_GET_BYTES = new Object(); 378 379 // mutex lock for generateSeed() 380 private final Object LOCK_GET_SEED = new Object(); 381 382 // mutex lock for setSeed() 383 private final Object LOCK_SET_SEED = new Object(); 384 385 // constructor, called only once from initIO() 386 private RandomIO(File seedFile, File nextFile) throws IOException { 387 this.seedFile = seedFile; 388 seedIn = FileInputStreamPool.getInputStream(seedFile); 389 nextIn = FileInputStreamPool.getInputStream(nextFile); 390 nextBuffer = new byte[bufferSize]; 391 } 392 393 // get the SHA1PRNG for mixing 394 // initialize if not yet created 395 private sun.security.provider.SecureRandom getMixRandom() { 396 sun.security.provider.SecureRandom r = mixRandom; 397 if (r == null) { 398 synchronized (LOCK_GET_BYTES) { 399 r = mixRandom; 400 if (r == null) { 401 r = new sun.security.provider.SecureRandom(); 402 try { 403 byte[] b = new byte[20]; 404 readFully(nextIn, b); 405 r.engineSetSeed(b); 406 } catch (IOException e) { 407 throw new ProviderException("init failed", e); 408 } 409 mixRandom = r; 410 } 411 } 412 } 413 return r; 414 } 415 416 // read data.length bytes from in 417 // These are not normal files, so we need to loop the read. 418 // just keep trying as long as we are making progress 419 private static void readFully(InputStream in, byte[] data) 420 throws IOException { 421 int len = data.length; 422 int ofs = 0; 423 while (len > 0) { 424 int k = in.read(data, ofs, len); 425 if (k <= 0) { 426 throw new EOFException("File(s) closed?"); 427 } 428 ofs += k; 429 len -= k; 430 } 431 if (len > 0) { 432 throw new IOException("Could not read from file(s)"); 433 } 434 } 435 436 // get true random bytes, just read from "seed" 437 private byte[] implGenerateSeed(int numBytes) { 438 synchronized (LOCK_GET_SEED) { 439 try { 440 byte[] b = new byte[numBytes]; 441 readFully(seedIn, b); 442 return b; 443 } catch (IOException e) { 444 throw new ProviderException("generateSeed() failed", e); 445 } 446 } 447 } 448 449 // supply random bytes to the OS 450 // write to "seed" if possible 451 // always add the seed to our mixing random 452 private void implSetSeed(byte[] seed) { 453 synchronized (LOCK_SET_SEED) { 454 if (seedOutInitialized == false) { 455 seedOutInitialized = true; 456 seedOut = AccessController.doPrivileged( 457 new PrivilegedAction<>() { 458 @Override 459 public OutputStream run() { 460 try { 461 return new FileOutputStream(seedFile, true); 462 } catch (Exception e) { 463 return null; 464 } 465 } 466 }); 467 } 468 if (seedOut != null) { 469 try { 470 seedOut.write(seed); 471 } catch (IOException e) { 472 // Ignored. On Mac OS X, /dev/urandom can be opened 473 // for write, but actual write is not permitted. 474 } 475 } 476 getMixRandom().engineSetSeed(seed); 477 } 478 } 479 480 // ensure that there is at least one valid byte in the buffer 481 // if not, read new bytes 482 private void ensureBufferValid() throws IOException { 483 long time = System.currentTimeMillis(); 484 int new_buffer_size = 0; 485 486 // Check if buffer has bytes available that are not too old 487 if (buffered > 0) { 488 if (time - lastRead < MAX_BUFFER_TIME) { 489 return; 490 } else { 491 // byte is old, so subtract from counter to shrink buffer 492 change_buffer--; 493 } 494 } else { 495 // No bytes available, so add to count to increase buffer 496 change_buffer++; 497 } 498 499 // If counter has it a limit, increase or decrease size 500 if (change_buffer > REQ_LIMIT_INC) { 501 new_buffer_size = nextBuffer.length * 2; 502 } else if (change_buffer < REQ_LIMIT_DEC) { 503 new_buffer_size = nextBuffer.length / 2; 504 } 505 506 // If buffer size is to be changed, replace nextBuffer. 507 if (new_buffer_size > 0) { 508 if (new_buffer_size <= MAX_BUFFER_SIZE && 509 new_buffer_size >= MIN_BUFFER_SIZE) { 510 nextBuffer = new byte[new_buffer_size]; 511 if (debug != null) { 512 debug.println("Buffer size changed to " + 513 new_buffer_size); 514 } 515 } else { 516 if (debug != null) { 517 debug.println("Buffer reached limit: " + 518 nextBuffer.length); 519 } 520 } 521 change_buffer = 0; 522 } 523 524 // Load fresh random bytes into nextBuffer 525 lastRead = time; 526 readFully(nextIn, nextBuffer); 527 buffered = nextBuffer.length; 528 } 529 530 // get pseudo random bytes 531 // read from "next" and XOR with bytes generated by the 532 // mixing SHA1PRNG 533 private void implNextBytes(byte[] data) { 534 try { 535 getMixRandom().engineNextBytes(data); 536 int data_len = data.length; 537 int ofs = 0; 538 int len; 539 int buf_pos; 540 int localofs; 541 byte[] localBuffer; 542 543 while (data_len > 0) { 544 synchronized (LOCK_GET_BYTES) { 545 ensureBufferValid(); 546 buf_pos = nextBuffer.length - buffered; 547 if (data_len > buffered) { 548 len = buffered; 549 buffered = 0; 550 } else { 551 len = data_len; 552 buffered -= len; 553 } 554 localBuffer = Arrays.copyOfRange(nextBuffer, buf_pos, 555 buf_pos + len); 556 } 557 localofs = 0; 558 while (len > localofs) { 559 data[ofs] ^= localBuffer[localofs]; 560 ofs++; 561 localofs++; 562 } 563 data_len -= len; 564 } 565 } catch (IOException e){ 566 throw new ProviderException("nextBytes() failed", e); 567 } 568 } 569 } 570 } 571