1 /*	$OpenBSD: getentropy_solaris.c,v 1.15 2021/10/24 21:24:20 deraadt Exp $	*/
2 
3 /*
4  * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
5  * Copyright (c) 2014 Bob Beck <beck@obtuse.com>
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  *
19  * Emulation of getentropy(2) as documented at:
20  * http://man.openbsd.org/getentropy.2
21  */
22 
23 #include <sys/types.h>
24 #include <sys/param.h>
25 #include <sys/ioctl.h>
26 #include <sys/resource.h>
27 #include <sys/syscall.h>
28 #include <sys/statvfs.h>
29 #include <sys/socket.h>
30 #include <sys/mount.h>
31 #include <sys/mman.h>
32 #include <sys/stat.h>
33 #include <sys/time.h>
34 #include <stdlib.h>
35 #include <stdint.h>
36 #include <stdio.h>
37 #include <link.h>
38 #include <termios.h>
39 #include <fcntl.h>
40 #include <signal.h>
41 #include <string.h>
42 #include <errno.h>
43 #include <unistd.h>
44 #include <time.h>
45 #include <sys/sha2.h>
46 #define SHA512_Init SHA512Init
47 #define SHA512_Update SHA512Update
48 #define SHA512_Final SHA512Final
49 
50 #include <sys/vfs.h>
51 #include <sys/statfs.h>
52 #include <sys/loadavg.h>
53 
54 #define REPEAT 5
55 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
56 
57 #define HX(a, b) \
58 	do { \
59 		if ((a)) \
60 			HD(errno); \
61 		else \
62 			HD(b); \
63 	} while (0)
64 
65 #define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
66 #define HD(x)	 (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
67 #define HF(x)    (SHA512_Update(&ctx, (char *)&(x), sizeof (void*)))
68 
69 int	getentropy(void *buf, size_t len);
70 
71 static int getentropy_urandom(void *buf, size_t len, const char *path,
72     int devfscheck);
73 static int getentropy_fallback(void *buf, size_t len);
74 static int getentropy_phdr(struct dl_phdr_info *info, size_t size, void *data);
75 
76 int
77 getentropy(void *buf, size_t len)
78 {
79 	int ret = -1;
80 
81 	if (len > 256) {
82 		errno = EIO;
83 		return (-1);
84 	}
85 
86 	/*
87 	 * Try to get entropy with /dev/urandom
88 	 *
89 	 * Solaris provides /dev/urandom as a symbolic link to
90 	 * /devices/pseudo/random@0:urandom which is provided by
91 	 * a devfs filesystem.  Best practice is to use O_NOFOLLOW,
92 	 * so we must try the unpublished name directly.
93 	 *
94 	 * This can fail if the process is inside a chroot which lacks
95 	 * the devfs mount, or if file descriptors are exhausted.
96 	 */
97 	ret = getentropy_urandom(buf, len,
98 	    "/devices/pseudo/random@0:urandom", 1);
99 	if (ret != -1)
100 		return (ret);
101 
102 	/*
103 	 * Unfortunately, chroot spaces on Solaris are sometimes setup
104 	 * with direct device node of the well-known /dev/urandom name
105 	 * (perhaps to avoid dragging all of devfs into the space).
106 	 *
107 	 * This can fail if the process is inside a chroot or if file
108 	 * descriptors are exhausted.
109 	 */
110 	ret = getentropy_urandom(buf, len, "/dev/urandom", 0);
111 	if (ret != -1)
112 		return (ret);
113 
114 	/*
115 	 * Entropy collection via /dev/urandom has failed.
116 	 *
117 	 * No other API exists for collecting entropy, and we have
118 	 * no failsafe way to get it on Solaris that is not sensitive
119 	 * to resource exhaustion.
120 	 *
121 	 * We have very few options:
122 	 *     - Even syslog_r is unsafe to call at this low level, so
123 	 *	 there is no way to alert the user or program.
124 	 *     - Cannot call abort() because some systems have unsafe
125 	 *	 corefiles.
126 	 *     - Could raise(SIGKILL) resulting in silent program termination.
127 	 *     - Return EIO, to hint that arc4random's stir function
128 	 *       should raise(SIGKILL)
129 	 *     - Do the best under the circumstances....
130 	 *
131 	 * This code path exists to bring light to the issue that Solaris
132 	 * does not provide a failsafe API for entropy collection.
133 	 *
134 	 * We hope this demonstrates that Solaris should consider
135 	 * providing a new failsafe API which works in a chroot or
136 	 * when file descriptors are exhausted.
137 	 */
138 #undef FAIL_INSTEAD_OF_TRYING_FALLBACK
139 #ifdef FAIL_INSTEAD_OF_TRYING_FALLBACK
140 	raise(SIGKILL);
141 #endif
142 	ret = getentropy_fallback(buf, len);
143 	if (ret != -1)
144 		return (ret);
145 
146 	errno = EIO;
147 	return (ret);
148 }
149 
150 static int
151 getentropy_urandom(void *buf, size_t len, const char *path, int devfscheck)
152 {
153 	struct stat st;
154 	size_t i;
155 	int fd, flags;
156 	int save_errno = errno;
157 
158 start:
159 
160 	flags = O_RDONLY;
161 #ifdef O_NOFOLLOW
162 	flags |= O_NOFOLLOW;
163 #endif
164 #ifdef O_CLOEXEC
165 	flags |= O_CLOEXEC;
166 #endif
167 	fd = open(path, flags);
168 	if (fd == -1) {
169 		if (errno == EINTR)
170 			goto start;
171 		goto nodevrandom;
172 	}
173 #ifndef O_CLOEXEC
174 	fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
175 #endif
176 
177 	/* Lightly verify that the device node looks sane */
178 	if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode) ||
179 	    (devfscheck && (strcmp(st.st_fstype, "devfs") != 0))) {
180 		close(fd);
181 		goto nodevrandom;
182 	}
183 	for (i = 0; i < len; ) {
184 		size_t wanted = len - i;
185 		ssize_t ret = read(fd, (char *)buf + i, wanted);
186 
187 		if (ret == -1) {
188 			if (errno == EAGAIN || errno == EINTR)
189 				continue;
190 			close(fd);
191 			goto nodevrandom;
192 		}
193 		i += ret;
194 	}
195 	close(fd);
196 	errno = save_errno;
197 	return (0);		/* satisfied */
198 nodevrandom:
199 	errno = EIO;
200 	return (-1);
201 }
202 
203 static const int cl[] = {
204 	CLOCK_REALTIME,
205 #ifdef CLOCK_MONOTONIC
206 	CLOCK_MONOTONIC,
207 #endif
208 #ifdef CLOCK_MONOTONIC_RAW
209 	CLOCK_MONOTONIC_RAW,
210 #endif
211 #ifdef CLOCK_TAI
212 	CLOCK_TAI,
213 #endif
214 #ifdef CLOCK_VIRTUAL
215 	CLOCK_VIRTUAL,
216 #endif
217 #ifdef CLOCK_UPTIME
218 	CLOCK_UPTIME,
219 #endif
220 #ifdef CLOCK_PROCESS_CPUTIME_ID
221 	CLOCK_PROCESS_CPUTIME_ID,
222 #endif
223 #ifdef CLOCK_THREAD_CPUTIME_ID
224 	CLOCK_THREAD_CPUTIME_ID,
225 #endif
226 };
227 
228 static int
229 getentropy_phdr(struct dl_phdr_info *info, size_t size, void *data)
230 {
231 	SHA512_CTX *ctx = data;
232 
233 	SHA512_Update(ctx, &info->dlpi_addr, sizeof (info->dlpi_addr));
234 	return (0);
235 }
236 
237 static int
238 getentropy_fallback(void *buf, size_t len)
239 {
240 	uint8_t results[SHA512_DIGEST_LENGTH];
241 	int save_errno = errno, e, pgs = getpagesize(), faster = 0, repeat;
242 	static int cnt;
243 	struct timespec ts;
244 	struct timeval tv;
245 	double loadavg[3];
246 	struct rusage ru;
247 	sigset_t sigset;
248 	struct stat st;
249 	SHA512_CTX ctx;
250 	static pid_t lastpid;
251 	pid_t pid;
252 	size_t i, ii, m;
253 	char *p;
254 
255 	pid = getpid();
256 	if (lastpid == pid) {
257 		faster = 1;
258 		repeat = 2;
259 	} else {
260 		faster = 0;
261 		lastpid = pid;
262 		repeat = REPEAT;
263 	}
264 	for (i = 0; i < len; ) {
265 		int j;
266 		SHA512_Init(&ctx);
267 		for (j = 0; j < repeat; j++) {
268 			HX((e = gettimeofday(&tv, NULL)) == -1, tv);
269 			if (e != -1) {
270 				cnt += (int)tv.tv_sec;
271 				cnt += (int)tv.tv_usec;
272 			}
273 
274 			dl_iterate_phdr(getentropy_phdr, &ctx);
275 
276 			for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]); ii++)
277 				HX(clock_gettime(cl[ii], &ts) == -1, ts);
278 
279 			HX((pid = getpid()) == -1, pid);
280 			HX((pid = getsid(pid)) == -1, pid);
281 			HX((pid = getppid()) == -1, pid);
282 			HX((pid = getpgid(0)) == -1, pid);
283 			HX((e = getpriority(0, 0)) == -1, e);
284 			HX((getloadavg(loadavg, 3) == -1), loadavg);
285 
286 			if (!faster) {
287 				ts.tv_sec = 0;
288 				ts.tv_nsec = 1;
289 				(void) nanosleep(&ts, NULL);
290 			}
291 
292 			HX(sigpending(&sigset) == -1, sigset);
293 			HX(sigprocmask(SIG_BLOCK, NULL, &sigset) == -1,
294 			    sigset);
295 
296 			HF(getentropy);	/* an addr in this library */
297 			HF(printf);		/* an addr in libc */
298 			p = (char *)&p;
299 			HD(p);		/* an addr on stack */
300 			p = (char *)&errno;
301 			HD(p);		/* the addr of errno */
302 
303 			if (i == 0) {
304 				struct sockaddr_storage ss;
305 				struct statvfs stvfs;
306 				struct termios tios;
307 				socklen_t ssl;
308 				off_t off;
309 
310 				/*
311 				 * Prime-sized mappings encourage fragmentation;
312 				 * thus exposing some address entropy.
313 				 */
314 				struct mm {
315 					size_t	npg;
316 					void	*p;
317 				} mm[] =	 {
318 					{ 17, MAP_FAILED }, { 3, MAP_FAILED },
319 					{ 11, MAP_FAILED }, { 2, MAP_FAILED },
320 					{ 5, MAP_FAILED }, { 3, MAP_FAILED },
321 					{ 7, MAP_FAILED }, { 1, MAP_FAILED },
322 					{ 57, MAP_FAILED }, { 3, MAP_FAILED },
323 					{ 131, MAP_FAILED }, { 1, MAP_FAILED },
324 				};
325 
326 				for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
327 					HX(mm[m].p = mmap(NULL,
328 					    mm[m].npg * pgs,
329 					    PROT_READ|PROT_WRITE,
330 					    MAP_PRIVATE|MAP_ANON, -1,
331 					    (off_t)0), mm[m].p);
332 					if (mm[m].p != MAP_FAILED) {
333 						size_t mo;
334 
335 						/* Touch some memory... */
336 						p = mm[m].p;
337 						mo = cnt %
338 						    (mm[m].npg * pgs - 1);
339 						p[mo] = 1;
340 						cnt += (int)((long)(mm[m].p)
341 						    / pgs);
342 					}
343 
344 					/* Check cnts and times... */
345 					for (ii = 0; ii < sizeof(cl)/sizeof(cl[0]);
346 					    ii++) {
347 						HX((e = clock_gettime(cl[ii],
348 						    &ts)) == -1, ts);
349 						if (e != -1)
350 							cnt += (int)ts.tv_nsec;
351 					}
352 
353 					HX((e = getrusage(RUSAGE_SELF,
354 					    &ru)) == -1, ru);
355 					if (e != -1) {
356 						cnt += (int)ru.ru_utime.tv_sec;
357 						cnt += (int)ru.ru_utime.tv_usec;
358 					}
359 				}
360 
361 				for (m = 0; m < sizeof mm/sizeof(mm[0]); m++) {
362 					if (mm[m].p != MAP_FAILED)
363 						munmap(mm[m].p, mm[m].npg * pgs);
364 					mm[m].p = MAP_FAILED;
365 				}
366 
367 				HX(stat(".", &st) == -1, st);
368 				HX(statvfs(".", &stvfs) == -1, stvfs);
369 
370 				HX(stat("/", &st) == -1, st);
371 				HX(statvfs("/", &stvfs) == -1, stvfs);
372 
373 				HX((e = fstat(0, &st)) == -1, st);
374 				if (e == -1) {
375 					if (S_ISREG(st.st_mode) ||
376 					    S_ISFIFO(st.st_mode) ||
377 					    S_ISSOCK(st.st_mode)) {
378 						HX(fstatvfs(0, &stvfs) == -1,
379 						    stvfs);
380 						HX((off = lseek(0, (off_t)0,
381 						    SEEK_CUR)) < 0, off);
382 					}
383 					if (S_ISCHR(st.st_mode)) {
384 						HX(tcgetattr(0, &tios) == -1,
385 						    tios);
386 					} else if (S_ISSOCK(st.st_mode)) {
387 						memset(&ss, 0, sizeof ss);
388 						ssl = sizeof(ss);
389 						HX(getpeername(0,
390 						    (void *)&ss, &ssl) == -1,
391 						    ss);
392 					}
393 				}
394 
395 				HX((e = getrusage(RUSAGE_CHILDREN,
396 				    &ru)) == -1, ru);
397 				if (e != -1) {
398 					cnt += (int)ru.ru_utime.tv_sec;
399 					cnt += (int)ru.ru_utime.tv_usec;
400 				}
401 			} else {
402 				/* Subsequent hashes absorb previous result */
403 				HD(results);
404 			}
405 
406 			HX((e = gettimeofday(&tv, NULL)) == -1, tv);
407 			if (e != -1) {
408 				cnt += (int)tv.tv_sec;
409 				cnt += (int)tv.tv_usec;
410 			}
411 
412 			HD(cnt);
413 		}
414 		SHA512_Final(results, &ctx);
415 		memcpy((char *)buf + i, results, MINIMUM(sizeof(results), len - i));
416 		i += MINIMUM(sizeof(results), len - i);
417 	}
418 	explicit_bzero(&ctx, sizeof ctx);
419 	explicit_bzero(results, sizeof results);
420 	errno = save_errno;
421 	return (0);		/* satisfied */
422 }
423