1 /*
  2  * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
  3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  4  *
  5  * This code is free software; you can redistribute it and/or modify it
  6  * under the terms of the GNU General Public License version 2 only, as
  7  * published by the Free Software Foundation.  Oracle designates this
  8  * particular file as subject to the "Classpath" exception as provided
  9  * by Oracle in the LICENSE file that accompanied this code.
 10  *
 11  * This code is distributed in the hope that it will be useful, but WITHOUT
 12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 14  * version 2 for more details (a copy is included in the LICENSE file that
 15  * accompanied this code).
 16  *
 17  * You should have received a copy of the GNU General Public License version
 18  * 2 along with this work; if not, write to the Free Software Foundation,
 19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 20  *
 21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 22  * or visit www.oracle.com if you need additional information or have any
 23  * questions.
 24  */
 25 
 26 package sun.security.provider;
 27 
 28 import java.io.*;
 29 import java.net.*;
 30 import java.security.*;
 31 import java.util.Arrays;
 32 
 33 import sun.security.util.Debug;
 34 
 35 /**
 36  * Native PRNG implementation for Linux/MacOS.
 37  * <p>
 38  * It obtains seed and random numbers by reading system files such as
 39  * the special device files /dev/random and /dev/urandom.  This
 40  * implementation respects the {@code securerandom.source} Security
 41  * property and {@code java.security.egd} System property for obtaining
 42  * seed material.  If the file specified by the properties does not
 43  * exist, /dev/random is the default seed source.  /dev/urandom is
 44  * the default source of random numbers.
 45  * <p>
 46  * On some Unix platforms, /dev/random may block until enough entropy is
 47  * available, but that may negatively impact the perceived startup
 48  * time.  By selecting these sources, this implementation tries to
 49  * strike a balance between performance and security.
 50  * <p>
 51  * generateSeed() and setSeed() attempt to directly read/write to the seed
 52  * source. However, this file may only be writable by root in many
 53  * configurations. Because we cannot just ignore bytes specified via
 54  * setSeed(), we keep a SHA1PRNG around in parallel.
 55  * <p>
 56  * nextBytes() reads the bytes directly from the source of random
 57  * numbers (and then mixes them with bytes from the SHA1PRNG for the
 58  * reasons explained above). Reading bytes from the random generator means
 59  * that we are generally getting entropy from the operating system. This
 60  * is a notable advantage over the SHA1PRNG model, which acquires
 61  * entropy only initially during startup although the VM may be running
 62  * for months.
 63  * <p>
 64  * Also note for nextBytes() that we do not need any initial pure random
 65  * seed from /dev/random. This is an advantage because on some versions
 66  * of Linux entropy can be exhausted very quickly and could thus impact
 67  * startup time.
 68  * <p>
 69  * Finally, note that we use a singleton for the actual work (RandomIO)
 70  * to avoid having to open and close /dev/[u]random constantly. However,
 71  * there may be many NativePRNG instances created by the JCA framework.
 72  *
 73  * @since   1.5
 74  * @author  Andreas Sterbenz
 75  */
 76 public final class NativePRNG extends SecureRandomSpi {
 77 
 78     private static final long serialVersionUID = -6599091113397072932L;
 79 
 80     private static final Debug debug = Debug.getInstance("provider");
 81 
 82     // name of the pure random file (also used for setSeed())
 83     private static final String NAME_RANDOM = "/dev/random";
 84     // name of the pseudo random file
 85     private static final String NAME_URANDOM = "/dev/urandom";
 86 
 87     // which kind of RandomIO object are we creating?
 88     private enum Variant {
 89         MIXED, BLOCKING, NONBLOCKING
 90     }
 91 
 92     // singleton instance or null if not available
 93     private static final RandomIO INSTANCE = initIO(Variant.MIXED);
 94 
 95     /**
 96      * Get the System egd source (if defined).  We only allow "file:"
 97      * URLs for now. If there is a egd value, parse it.
 98      *
 99      * @return the URL or null if not available.
100      */
101     private static URL getEgdUrl() {
102         // This will return "" if nothing was set.
103         String egdSource = SunEntries.getSeedSource();
104         URL egdUrl;
105 
106         if (egdSource.length() != 0) {
107             if (debug != null) {
108                 debug.println("NativePRNG egdUrl: " + egdSource);
109             }
110             try {
111                 @SuppressWarnings("deprecation")
112                 var _unused = egdUrl = new URL(egdSource);
113                 if (!egdUrl.getProtocol().equalsIgnoreCase("file")) {
114                     return null;
115                 }
116             } catch (MalformedURLException e) {
117                 return null;
118             }
119         } else {
120             egdUrl = null;
121         }
122 
123         return egdUrl;
124     }
125 
126     /**
127      * Create a RandomIO object for all I/O of this Variant type.
128      */
129     @SuppressWarnings("removal")
130     private static RandomIO initIO(final Variant v) {
131         return AccessController.doPrivileged(
132             new PrivilegedAction<>() {
133                 @Override
134                 public RandomIO run() {
135 
136                     File seedFile;
137                     File nextFile;
138 
139                     switch(v) {
140                     case MIXED:
141                         URL egdUrl;
142                         File egdFile = null;
143 
144                         if ((egdUrl = getEgdUrl()) != null) {
145                             try {
146                                 egdFile = SunEntries.getDeviceFile(egdUrl);
147                             } catch (IOException e) {
148                                 // Swallow, seedFile is still null
149                             }
150                         }
151 
152                         // Try egd first.
153                         if ((egdFile != null) && egdFile.canRead()) {
154                             seedFile = egdFile;
155                         } else {
156                             // fall back to /dev/random.
157                             seedFile = new File(NAME_RANDOM);
158                         }
159                         nextFile = new File(NAME_URANDOM);
160                         break;
161 
162                     case BLOCKING:
163                         seedFile = new File(NAME_RANDOM);
164                         nextFile = new File(NAME_RANDOM);
165                         break;
166 
167                     case NONBLOCKING:
168                         seedFile = new File(NAME_URANDOM);
169                         nextFile = new File(NAME_URANDOM);
170                         break;
171 
172                     default:
173                         // Shouldn't happen!
174                         return null;
175                     }
176 
177                     if (debug != null) {
178                         debug.println("NativePRNG." + v +
179                             " seedFile: " + seedFile +
180                             " nextFile: " + nextFile);
181                     }
182 
183                     if (!seedFile.canRead() || !nextFile.canRead()) {
184                         if (debug != null) {
185                             debug.println("NativePRNG." + v +
186                                 " Couldn't read Files.");
187                         }
188                         return null;
189                     }
190 
191                     try {
192                         return new RandomIO(seedFile, nextFile);
193                     } catch (Exception e) {
194                         return null;
195                     }
196                 }
197         });
198     }
199 
200     // return whether the NativePRNG is available
201     static boolean isAvailable() {
202         return INSTANCE != null;
203     }
204 
205     // constructor, called by the JCA framework
206     public NativePRNG() {
207         super();
208         if (INSTANCE == null) {
209             throw new AssertionError("NativePRNG not available");
210         }
211     }
212 
213     // set the seed
214     @Override
215     protected void engineSetSeed(byte[] seed) {
216         INSTANCE.implSetSeed(seed);
217     }
218 
219     // get pseudo random bytes
220     @Override
221     protected void engineNextBytes(byte[] bytes) {
222         INSTANCE.implNextBytes(bytes);
223     }
224 
225     // get true random bytes
226     @Override
227     protected byte[] engineGenerateSeed(int numBytes) {
228         return INSTANCE.implGenerateSeed(numBytes);
229     }
230 
231     /**
232      * A NativePRNG-like class that uses /dev/random for both
233      * seed and random material.
234      *
235      * Note that it does not respect the egd properties, since we have
236      * no way of knowing what those qualities are.
237      *
238      * This is very similar to the outer NativePRNG class, minimizing any
239      * breakage to the serialization of the existing implementation.
240      *
241      * @since   1.8
242      */
243     public static final class Blocking extends SecureRandomSpi {
244         private static final long serialVersionUID = -6396183145759983347L;
245 
246         private static final RandomIO INSTANCE = initIO(Variant.BLOCKING);
247 
248         // return whether this is available
249         static boolean isAvailable() {
250             return INSTANCE != null;
251         }
252 
253         // constructor, called by the JCA framework
254         public Blocking() {
255             super();
256             if (INSTANCE == null) {
257                 throw new AssertionError("NativePRNG$Blocking not available");
258             }
259         }
260 
261         // set the seed
262         @Override
263         protected void engineSetSeed(byte[] seed) {
264             INSTANCE.implSetSeed(seed);
265         }
266 
267         // get pseudo random bytes
268         @Override
269         protected void engineNextBytes(byte[] bytes) {
270             INSTANCE.implNextBytes(bytes);
271         }
272 
273         // get true random bytes
274         @Override
275         protected byte[] engineGenerateSeed(int numBytes) {
276             return INSTANCE.implGenerateSeed(numBytes);
277         }
278     }
279 
280     /**
281      * A NativePRNG-like class that uses /dev/urandom for both
282      * seed and random material.
283      *
284      * Note that it does not respect the egd properties, since we have
285      * no way of knowing what those qualities are.
286      *
287      * This is very similar to the outer NativePRNG class, minimizing any
288      * breakage to the serialization of the existing implementation.
289      *
290      * @since   1.8
291      */
292     public static final class NonBlocking extends SecureRandomSpi {
293         private static final long serialVersionUID = -1102062982994105487L;
294 
295         private static final RandomIO INSTANCE = initIO(Variant.NONBLOCKING);
296 
297         // return whether this is available
298         static boolean isAvailable() {
299             return INSTANCE != null;
300         }
301 
302         // constructor, called by the JCA framework
303         public NonBlocking() {
304             super();
305             if (INSTANCE == null) {
306                 throw new AssertionError(
307                     "NativePRNG$NonBlocking not available");
308             }
309         }
310 
311         // set the seed
312         @Override
313         protected void engineSetSeed(byte[] seed) {
314             INSTANCE.implSetSeed(seed);
315         }
316 
317         // get pseudo random bytes
318         @Override
319         protected void engineNextBytes(byte[] bytes) {
320             INSTANCE.implNextBytes(bytes);
321         }
322 
323         // get true random bytes
324         @Override
325         protected byte[] engineGenerateSeed(int numBytes) {
326             return INSTANCE.implGenerateSeed(numBytes);
327         }
328     }
329 
330     /**
331      * Nested class doing the actual work. Singleton, see INSTANCE above.
332      */
333     private static class RandomIO {
334 
335         // we buffer data we read from the "next" file for efficiency,
336         // but we limit the lifetime to avoid using stale bits
337         // lifetime in ms, currently 100 ms (0.1 s)
338         private static final long MAX_BUFFER_TIME = 100;
339 
340         // size of the "next" buffer
341         private static final int MAX_BUFFER_SIZE = 65536;
342         private static final int MIN_BUFFER_SIZE = 32;
343         private int bufferSize = 256;
344 
345         // Holder for the seedFile.  Used if we ever add seed material.
346         File seedFile;
347 
348         // In/OutputStream for "seed" and "next"
349         private final InputStream seedIn, nextIn;
350         private OutputStream seedOut;
351 
352         // flag indicating if we have tried to open seedOut yet
353         private boolean seedOutInitialized;
354 
355         // SHA1PRNG instance for mixing
356         // initialized lazily on demand to avoid problems during startup
357         private volatile sun.security.provider.SecureRandom mixRandom;
358 
359         // buffer for next bits
360         private byte[] nextBuffer;
361 
362         // number of bytes left in nextBuffer
363         private int buffered;
364 
365         // time we read the data into the nextBuffer
366         private long lastRead;
367 
368         // Count for the number of buffer size changes requests
369         // Positive value in increase size, negative to lower it.
370         private int change_buffer = 0;
371 
372         // Request limit to trigger an increase in nextBuffer size
373         private static final int REQ_LIMIT_INC = 1000;
374 
375         // Request limit to trigger a decrease in nextBuffer size
376         private static final int REQ_LIMIT_DEC = -100;
377 
378         // mutex lock for nextBytes()
379         private final Object LOCK_GET_BYTES = new Object();
380 
381         // mutex lock for generateSeed()
382         private final Object LOCK_GET_SEED = new Object();
383 
384         // mutex lock for setSeed()
385         private final Object LOCK_SET_SEED = new Object();
386 
387         // constructor, called only once from initIO()
388         private RandomIO(File seedFile, File nextFile) throws IOException {
389             this.seedFile = seedFile;
390             seedIn = FileInputStreamPool.getInputStream(seedFile);
391             nextIn = FileInputStreamPool.getInputStream(nextFile);
392             nextBuffer = new byte[bufferSize];
393         }
394 
395         // get the SHA1PRNG for mixing
396         // initialize if not yet created
397         private sun.security.provider.SecureRandom getMixRandom() {
398             sun.security.provider.SecureRandom r = mixRandom;
399             if (r == null) {
400                 synchronized (LOCK_GET_BYTES) {
401                     r = mixRandom;
402                     if (r == null) {
403                         r = new sun.security.provider.SecureRandom();
404                         try {
405                             byte[] b = new byte[20];
406                             readFully(nextIn, b);
407                             r.engineSetSeed(b);
408                         } catch (IOException e) {
409                             throw new ProviderException("init failed", e);
410                         }
411                         mixRandom = r;
412                     }
413                 }
414             }
415             return r;
416         }
417 
418         // read data.length bytes from in
419         // These are not normal files, so we need to loop the read.
420         // just keep trying as long as we are making progress
421         private static void readFully(InputStream in, byte[] data)
422                 throws IOException {
423             int len = data.length;
424             int ofs = 0;
425             while (len > 0) {
426                 int k = in.read(data, ofs, len);
427                 if (k <= 0) {
428                     throw new EOFException("File(s) closed?");
429                 }
430                 ofs += k;
431                 len -= k;
432             }
433             if (len > 0) {
434                 throw new IOException("Could not read from file(s)");
435             }
436         }
437 
438         // get true random bytes, just read from "seed"
439         private byte[] implGenerateSeed(int numBytes) {
440             synchronized (LOCK_GET_SEED) {
441                 try {
442                     byte[] b = new byte[numBytes];
443                     readFully(seedIn, b);
444                     return b;
445                 } catch (IOException e) {
446                     throw new ProviderException("generateSeed() failed", e);
447                 }
448             }
449         }
450 
451         // supply random bytes to the OS
452         // write to "seed" if possible
453         // always add the seed to our mixing random
454         @SuppressWarnings("removal")
455         private void implSetSeed(byte[] seed) {
456             synchronized (LOCK_SET_SEED) {
457                 if (seedOutInitialized == false) {
458                     seedOutInitialized = true;
459                     seedOut = AccessController.doPrivileged(
460                             new PrivilegedAction<>() {
461                         @Override
462                         public OutputStream run() {
463                             try {
464                                 return new FileOutputStream(seedFile, true);
465                             } catch (Exception e) {
466                                 return null;
467                             }
468                         }
469                     });
470                 }
471                 if (seedOut != null) {
472                     try {
473                         seedOut.write(seed);
474                     } catch (IOException e) {
475                         // Ignored. On Mac OS X, /dev/urandom can be opened
476                         // for write, but actual write is not permitted.
477                     }
478                 }
479                 getMixRandom().engineSetSeed(seed);
480             }
481         }
482 
483         // ensure that there is at least one valid byte in the buffer
484         // if not, read new bytes
485         private void ensureBufferValid() throws IOException {
486             long time = System.currentTimeMillis();
487             int new_buffer_size = 0;
488 
489             // Check if buffer has bytes available that are not too old
490             if (buffered > 0) {
491                 if (time - lastRead < MAX_BUFFER_TIME) {
492                     return;
493                 } else {
494                     // byte is old, so subtract from counter to shrink buffer
495                     change_buffer--;
496                 }
497             } else {
498                 // No bytes available, so add to count to increase buffer
499                 change_buffer++;
500             }
501 
502             // If counter has it a limit, increase or decrease size
503             if (change_buffer > REQ_LIMIT_INC) {
504                 new_buffer_size = nextBuffer.length * 2;
505             } else if (change_buffer < REQ_LIMIT_DEC) {
506                 new_buffer_size = nextBuffer.length / 2;
507             }
508 
509             // If buffer size is to be changed, replace nextBuffer.
510             if (new_buffer_size > 0) {
511                 if (new_buffer_size <= MAX_BUFFER_SIZE &&
512                         new_buffer_size >= MIN_BUFFER_SIZE) {
513                     nextBuffer = new byte[new_buffer_size];
514                     if (debug != null) {
515                         debug.println("Buffer size changed to " +
516                                 new_buffer_size);
517                     }
518                 } else {
519                     if (debug != null) {
520                         debug.println("Buffer reached limit: " +
521                                 nextBuffer.length);
522                     }
523                 }
524                 change_buffer = 0;
525             }
526 
527             // Load fresh random bytes into nextBuffer
528             lastRead = time;
529             readFully(nextIn, nextBuffer);
530             buffered = nextBuffer.length;
531         }
532 
533         // get pseudo random bytes
534         // read from "next" and XOR with bytes generated by the
535         // mixing SHA1PRNG
536         private void implNextBytes(byte[] data) {
537                 try {
538                     getMixRandom().engineNextBytes(data);
539                     int data_len = data.length;
540                     int ofs = 0;
541                     int len;
542                     int buf_pos;
543                     int localofs;
544                     byte[] localBuffer;
545 
546                     while (data_len > 0) {
547                         synchronized (LOCK_GET_BYTES) {
548                             ensureBufferValid();
549                             buf_pos = nextBuffer.length - buffered;
550                             if (data_len > buffered) {
551                                 len = buffered;
552                                 buffered = 0;
553                             } else {
554                                 len = data_len;
555                                 buffered -= len;
556                             }
557                             localBuffer = Arrays.copyOfRange(nextBuffer, buf_pos,
558                                     buf_pos + len);
559                         }
560                         localofs = 0;
561                         while (len > localofs) {
562                             data[ofs] ^= localBuffer[localofs];
563                             ofs++;
564                             localofs++;
565                         }
566                     data_len -= len;
567                     }
568                 } catch (IOException e){
569                     throw new ProviderException("nextBytes() failed", e);
570                 }
571         }
572         }
573 }