busybox/util-linux/seedrng.c
Jason A. Donenfeld 31ec481baf seedrng: hoist bb_strtoul out of min/max
- Hoist bb_strtoul out of min/max to prevent quadruple evaluation.
- Don't use separate variables for boottime/realtime.
- Make use of ENABLE_FEATURE_CLEAN_UP where appropriate.
- Order hash initialization after lock taking per Bernhard's taste.
- Add comment description of theory of operation.

function                                             old     new   delta
seed_from_file_if_exists                             533     456     -77
seedrng_main                                        1218    1086    -132
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 0/2 up/down: 0/-209)           Total: -209 bytes
   text	   data	    bss	    dec	    hex	filename
 976445	   4227	   1848	 982520	  efdf8	busybox_old
 976236	   4227	   1848	 982311	  efd27	busybox_unstripped

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2022-04-20 15:42:53 +02:00

297 lines
8.9 KiB
C

// SPDX-License-Identifier: GPL-2.0 OR MIT
/*
* Copyright (C) 2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
*
* SeedRNG is a simple program made for seeding the Linux kernel random number
* generator from seed files. It is is useful in light of the fact that the
* Linux kernel RNG cannot be initialized from shell scripts, and new seeds
* cannot be safely generated from boot time shell scripts either. It should
* be run once at init time and once at shutdown time. It can be run at other
* times on a timer as well. Whenever it is run, it writes existing seed files
* into the RNG pool, and then creates a new seed file. If the RNG is
* initialized at the time of creating a new seed file, then that new seed file
* is marked as "creditable", which means it can be used to initialize the RNG.
* Otherwise, it is marked as "non-creditable", in which case it is still used
* to seed the RNG's pool, but will not initialize the RNG. In order to ensure
* that entropy only ever stays the same or increases from one seed file to the
* next, old seed values are hashed together with new seed values when writing
* new seed files.
*
* This is based on code from <https://git.zx2c4.com/seedrng/about/>.
*/
//config:config SEEDRNG
//config: bool "seedrng (2.5 kb)"
//config: default y
//config: help
//config: Seed the kernel RNG from seed files, meant to be called
//config: once during startup, once during shutdown, and optionally
//config: at some periodic interval in between.
//applet:IF_SEEDRNG(APPLET(seedrng, BB_DIR_USR_SBIN, BB_SUID_DROP))
//kbuild:lib-$(CONFIG_SEEDRNG) += seedrng.o
//usage:#define seedrng_trivial_usage
//usage: "[-d SEED_DIRECTORY] [-l LOCK_FILE] [-n]"
//usage:#define seedrng_full_usage "\n\n"
//usage: "Seed the kernel RNG from seed files."
//usage: "\n"
//usage: "\n -d, --seed-dir DIR Use seed files from specified directory (default: /var/lib/seedrng)"
//usage: "\n -l, --lock-file FILE Use file as exclusive lock (default: /var/run/seedrng.lock)"
//usage: "\n -n, --skip-credit Skip crediting seeds, even if creditable"
#include "libbb.h"
#include <linux/random.h>
#include <sys/random.h>
#include <sys/ioctl.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <poll.h>
#include <unistd.h>
#include <time.h>
#include <errno.h>
#include <endian.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#ifndef GRND_INSECURE
#define GRND_INSECURE 0x0004 /* Apparently some headers don't ship with this yet. */
#endif
#if ENABLE_PID_FILE_PATH
#define PID_FILE_PATH CONFIG_PID_FILE_PATH
#else
#define PID_FILE_PATH "/var/run"
#endif
#define DEFAULT_SEED_DIR "/var/lib/seedrng"
#define DEFAULT_LOCK_FILE PID_FILE_PATH "/seedrng.lock"
#define CREDITABLE_SEED_NAME "seed.credit"
#define NON_CREDITABLE_SEED_NAME "seed.no-credit"
static char *seed_dir, *lock_file, *creditable_seed, *non_creditable_seed;
enum seedrng_lengths {
MIN_SEED_LEN = SHA256_OUTSIZE,
MAX_SEED_LEN = 512
};
static size_t determine_optimal_seed_len(void)
{
char poolsize_str[11] = { 0 };
unsigned long poolsize;
if (open_read_close("/proc/sys/kernel/random/poolsize", poolsize_str, sizeof(poolsize_str) - 1) < 0) {
bb_perror_msg("unable to determine pool size, falling back to %u bits", MIN_SEED_LEN * 8);
return MIN_SEED_LEN;
}
poolsize = (bb_strtoul(poolsize_str, NULL, 10) + 7) / 8;
return MAX(MIN(poolsize, MAX_SEED_LEN), MIN_SEED_LEN);
}
static int read_new_seed(uint8_t *seed, size_t len, bool *is_creditable)
{
ssize_t ret;
*is_creditable = false;
ret = getrandom(seed, len, GRND_NONBLOCK);
if (ret == (ssize_t)len) {
*is_creditable = true;
return 0;
} else if (ret < 0 && errno == ENOSYS) {
struct pollfd random_fd = {
.fd = open("/dev/random", O_RDONLY),
.events = POLLIN
};
if (random_fd.fd < 0)
return -1;
*is_creditable = safe_poll(&random_fd, 1, 0) == 1;
close(random_fd.fd);
} else if (getrandom(seed, len, GRND_INSECURE) == (ssize_t)len)
return 0;
if (open_read_close("/dev/urandom", seed, len) == (ssize_t)len)
return 0;
if (!errno)
errno = EIO;
return -1;
}
static int seed_rng(uint8_t *seed, size_t len, bool credit)
{
struct {
int entropy_count;
int buf_size;
uint8_t buffer[MAX_SEED_LEN];
} req = {
.entropy_count = credit ? len * 8 : 0,
.buf_size = len
};
int random_fd, ret;
if (len > sizeof(req.buffer)) {
errno = EFBIG;
return -1;
}
memcpy(req.buffer, seed, len);
random_fd = open("/dev/random", O_RDWR);
if (random_fd < 0)
return -1;
ret = ioctl(random_fd, RNDADDENTROPY, &req);
if (ret)
ret = -errno ? -errno : -EIO;
if (ENABLE_FEATURE_CLEAN_UP)
close(random_fd);
errno = -ret;
return ret ? -1 : 0;
}
static int seed_from_file_if_exists(const char *filename, bool credit, sha256_ctx_t *hash)
{
uint8_t seed[MAX_SEED_LEN];
ssize_t seed_len;
int dfd = -1, ret = 0;
dfd = open(seed_dir, O_DIRECTORY | O_RDONLY);
if (dfd < 0) {
ret = -errno;
bb_simple_perror_msg("unable to open seed directory");
goto out;
}
seed_len = open_read_close(filename, seed, sizeof(seed));
if (seed_len < 0) {
if (errno != ENOENT) {
ret = -errno;
bb_simple_perror_msg("unable to read seed file");
}
goto out;
}
if ((unlink(filename) < 0 || fsync(dfd) < 0) && seed_len) {
ret = -errno;
bb_simple_perror_msg("unable to remove seed after reading, so not seeding");
goto out;
}
if (!seed_len)
goto out;
sha256_hash(hash, &seed_len, sizeof(seed_len));
sha256_hash(hash, seed, seed_len);
printf("Seeding %zd bits %s crediting\n", seed_len * 8, credit ? "and" : "without");
ret = seed_rng(seed, seed_len, credit);
if (ret < 0)
bb_simple_perror_msg("unable to seed");
out:
if (ENABLE_FEATURE_CLEAN_UP && dfd >= 0)
close(dfd);
errno = -ret;
return ret ? -1 : 0;
}
int seedrng_main(int argc, char *argv[]) MAIN_EXTERNALLY_VISIBLE;
int seedrng_main(int argc UNUSED_PARAM, char *argv[])
{
static const char seedrng_prefix[] = "SeedRNG v1 Old+New Prefix";
static const char seedrng_failure[] = "SeedRNG v1 No New Seed Failure";
int ret, fd = -1, lock, program_ret = 0;
uint8_t new_seed[MAX_SEED_LEN];
size_t new_seed_len;
bool new_seed_creditable;
bool skip_credit = false;
struct timespec timestamp = { 0 };
sha256_ctx_t hash;
int opt;
enum {
OPT_d = (1 << 0),
OPT_l = (1 << 1),
OPT_n = (1 << 2)
};
#if ENABLE_LONG_OPTS
static const char longopts[] ALIGN1 =
"seed-dir\0" Required_argument "d"
"lock-file\0" Required_argument "l"
"skip-credit\0" No_argument "n"
;
#endif
opt = getopt32long(argv, "d:l:n", longopts, &seed_dir, &lock_file);
if (!(opt & OPT_d) || !seed_dir)
seed_dir = xstrdup(DEFAULT_SEED_DIR);
if (!(opt & OPT_l) || !lock_file)
lock_file = xstrdup(DEFAULT_LOCK_FILE);
skip_credit = opt & OPT_n;
creditable_seed = concat_path_file(seed_dir, CREDITABLE_SEED_NAME);
non_creditable_seed = concat_path_file(seed_dir, NON_CREDITABLE_SEED_NAME);
umask(0077);
if (getuid())
bb_simple_error_msg_and_die("this program requires root");
if (mkdir(seed_dir, 0700) < 0 && errno != EEXIST)
bb_simple_perror_msg_and_die("unable to create seed directory");
lock = open(lock_file, O_WRONLY | O_CREAT, 0000);
if (lock < 0 || flock(lock, LOCK_EX) < 0) {
bb_simple_perror_msg("unable to open lock file");
program_ret = 1;
goto out;
}
sha256_begin(&hash);
sha256_hash(&hash, seedrng_prefix, strlen(seedrng_prefix));
clock_gettime(CLOCK_REALTIME, &timestamp);
sha256_hash(&hash, &timestamp, sizeof(timestamp));
clock_gettime(CLOCK_BOOTTIME, &timestamp);
sha256_hash(&hash, &timestamp, sizeof(timestamp));
ret = seed_from_file_if_exists(non_creditable_seed, false, &hash);
if (ret < 0)
program_ret |= 1 << 1;
ret = seed_from_file_if_exists(creditable_seed, !skip_credit, &hash);
if (ret < 0)
program_ret |= 1 << 2;
new_seed_len = determine_optimal_seed_len();
ret = read_new_seed(new_seed, new_seed_len, &new_seed_creditable);
if (ret < 0) {
bb_simple_perror_msg("unable to read new seed");
new_seed_len = SHA256_OUTSIZE;
strncpy((char *)new_seed, seedrng_failure, new_seed_len);
program_ret |= 1 << 3;
}
sha256_hash(&hash, &new_seed_len, sizeof(new_seed_len));
sha256_hash(&hash, new_seed, new_seed_len);
sha256_end(&hash, new_seed + new_seed_len - SHA256_OUTSIZE);
printf("Saving %zu bits of %s seed for next boot\n", new_seed_len * 8, new_seed_creditable ? "creditable" : "non-creditable");
fd = open(non_creditable_seed, O_WRONLY | O_CREAT | O_TRUNC, 0400);
if (fd < 0) {
bb_simple_perror_msg("unable to open seed file for writing");
program_ret |= 1 << 4;
goto out;
}
if (write(fd, new_seed, new_seed_len) != (ssize_t)new_seed_len || fsync(fd) < 0) {
bb_simple_perror_msg("unable to write seed file");
program_ret |= 1 << 5;
goto out;
}
if (new_seed_creditable && rename(non_creditable_seed, creditable_seed) < 0) {
bb_simple_perror_msg("unable to make new seed creditable");
program_ret |= 1 << 6;
}
out:
if (ENABLE_FEATURE_CLEAN_UP && fd >= 0)
close(fd);
if (ENABLE_FEATURE_CLEAN_UP && lock >= 0)
close(lock);
return program_ret;
}