random: Add a RNG selection interface and system RNG wrapper.

* random/random-system.c: New.
* random/Makefile.am (librandom_la_SOURCES): Add new module.
* random/random.c (struct rng_types): New.
(_gcry_set_preferred_rng_type, _gcry_get_rng_type): New.
(_gcry_random_initialize, gcry_random_add_bytes, do_randomize)
(_gcry_set_random_seed_file, _gcry_update_random_seed_file)
(_gcry_fast_random_poll): Dispatch to the actual RNG.
* src/gcrypt.h.in (GCRYCTL_SET_PREFERRED_RNG_TYPE): New.
GCRYCTL_GET_CURRENT_RNG_TYPE): New.
(gcry_rng_types): New.
* src/global.c (print_config): Print the TNG type.
(global_init, _gcry_vcontrol): Implement the new control codes.
* doc/gcrypt.texi (Controlling the library): Document the new control
codes.

* tests/benchmark.c (main): Add options to test the RNG types.
* tests/random.c (main): Add new options.
(print_hex): Print to stderr.
(progress_cb, rng_type): New.
(check_rng_type_switching, check_early_rng_type_switching): New.
(run_all_rng_tests): New.
--

The purpose of this change is to allow applications with moderate
random requirements to use the system's RNG (e.g. /dev/urandom).  The
type switching logic makes sure that existing applications won't be
affected by this change.  A library is in almost all cases not able to
degrade the quality of the RNG.  The definition of "degrade" comes
from our own assertion of the quality/trustworthiness of the RNGs:

The most trustworthy RNG is the CSPRNG which dates back to the early
GnuPG days.  It is quite conservative and often requires more seeding
than might be justified.  GCRY_RNG_TYPE_STANDARD is the default unless
the process is in FIPS mode.

The second trustworthy RNG is the FIPS recommended X9.81 AES based
implementation.  It is seeded by the system's RNG.  GCRY_RNG_TYPE_FIPS
is the only available RNG if running in FIPS mode.

The third trustworthy RNG is a mere wrapper around the system's native
RNG.  Thus there is no extra step on top of what, for example,
/dev/random provides.  GCRY_RNG_TYPE_SYSTEM may be used by
applications which would use /dev/random or /dev/urandom instead.

5 files changed, 375 insertions, 5 deletions

diff --git a/random/Makefile.am b/random/Makefile.am
index 603226d8..c9d587a2 100644
--- a/random/Makefile.am
+++ b/random/Makefile.am
@@ -35,6 +35,7 @@ random.c random.h \
 rand-internal.h \
 random-csprng.c \
 random-fips.c \
+random-system.c \
 rndhw.c
 
 if USE_RANDOM_DAEMON
diff --git a/random/rand-internal.h b/random/rand-internal.h
index a72d88c1..f59a1027 100644
--- a/random/rand-internal.h
+++ b/random/rand-internal.h
@@ -87,6 +87,14 @@ gcry_err_code_t _gcry_rngfips_run_external_test (void *context,
 void _gcry_rngfips_deinit_external_test (void *context);
 
 
+/*-- random-system.c --*/
+void _gcry_rngsystem_initialize (int full);
+void _gcry_rngsystem_dump_stats (void);
+int  _gcry_rngsystem_is_faked (void);
+gcry_error_t _gcry_rngsystem_add_bytes (const void *buf, size_t buflen,
+                                        int quality);
+void _gcry_rngsystem_randomize (void *buffer, size_t length,
+                                enum gcry_random_level level);
 
 
 
diff --git a/random/random-system.c b/random/random-system.c
new file mode 100644
index 00000000..0ef9d247
--- /dev/null
+++ b/random/random-system.c
@@ -0,0 +1,243 @@
+/* random-system.c - wrapper around the system's RNG
+ * Copyright (C) 2012  Free Software Foundation, Inc.
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+   This RNG is merely wrapper around the system's native RNG.  For
+   example on Unix systems it directly uses /dev/{u,}random.
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <unistd.h>
+#ifdef HAVE_GETTIMEOFDAY
+#include <sys/time.h>
+#endif
+
+#include "g10lib.h"
+#include "random.h"
+#include "rand-internal.h"
+#include "ath.h"
+
+/* This is the lock we use to serialize access to this RNG.  The extra
+   integer variable is only used to check the locking state; that is,
+   it is not meant to be thread-safe but merely as a failsafe feature
+   to assert proper locking.  */
+static ath_mutex_t system_rng_lock;
+static int system_rng_is_locked;
+
+
+/* --- Local prototypes ---  */
+
+
+
+
+/* --- Functions  --- */
+
+/* Basic initialization is required to initialize mutexes and
+   do a few checks on the implementation.  */
+static void
+basic_initialization (void)
+{
+  static int initialized;
+  int my_errno;
+
+  if (initialized)
+    return;
+  initialized = 1;
+
+  my_errno = ath_mutex_init (&system_rng_lock);
+  if (my_errno)
+    log_fatal ("failed to create the System RNG lock: %s\n",
+               strerror (my_errno));
+  system_rng_is_locked = 0;
+
+  /* Make sure that we are still using the values we traditionally
+     used for the random levels.  */
+  gcry_assert (GCRY_WEAK_RANDOM == 0
+               && GCRY_STRONG_RANDOM == 1
+               && GCRY_VERY_STRONG_RANDOM == 2);
+
+}
+
+
+/* Acquire the system_rng_lock.  */
+static void
+lock_rng (void)
+{
+  int my_errno;
+
+  my_errno = ath_mutex_lock (&system_rng_lock);
+  if (my_errno)
+    log_fatal ("failed to acquire the System RNG lock: %s\n",
+               strerror (my_errno));
+  system_rng_is_locked = 1;
+}
+
+
+/* Release the system_rng_lock.  */
+static void
+unlock_rng (void)
+{
+  int my_errno;
+
+  system_rng_is_locked = 0;
+  my_errno = ath_mutex_unlock (&system_rng_lock);
+  if (my_errno)
+    log_fatal ("failed to release the System RNG lock: %s\n",
+               strerror (my_errno));
+}
+
+
+/* Helper variables for read_cb().
+
+   The _gcry_rnd*_gather_random interface does not allow to provide a
+   data pointer.  Thus we need to use a global variable for
+   communication.  However, the then required locking is anyway a good
+   idea because it does not make sense to have several readers of (say
+   /dev/random).  It is easier to serve them one after the other.  */
+static unsigned char *read_cb_buffer;   /* The buffer.  */
+static size_t         read_cb_size;     /* Size of the buffer.  */
+static size_t         read_cb_len;      /* Used length.  */
+
+
+/* Callback for _gcry_rnd*_gather_random.  */
+static void
+read_cb (const void *buffer, size_t length, enum random_origins origin)
+{
+  const unsigned char *p = buffer;
+
+  (void)origin;
+
+  gcry_assert (system_rng_is_locked);
+  gcry_assert (read_cb_buffer);
+
+  /* Note that we need to protect against gatherers returning more
+     than the requested bytes (e.g. rndw32).  */
+  while (length-- && read_cb_len < read_cb_size)
+    {
+      read_cb_buffer[read_cb_len++] = *p++;
+    }
+}
+
+
+/* Fill BUFFER with LENGTH bytes of random at quality LEVEL.  The
+   function either succeeds or terminates the process in case of a
+   fatal error. */
+static void
+get_random (void *buffer, size_t length, int level)
+{
+  int rc;
+
+  gcry_assert (buffer);
+
+  read_cb_buffer = buffer;
+  read_cb_size   = length;
+  read_cb_len    = 0;
+
+#if USE_RNDLINUX
+  rc = _gcry_rndlinux_gather_random (read_cb, 0, length, level);
+#elif USE_RNDUNIX
+  rc = _gcry_rndunix_gather_random (read_cb, 0, length, level);
+#elif USE_RNDW32
+  do
+    {
+      rc = _gcry_rndw32_gather_random (read_cb, 0, length, level);
+    }
+  while (rc >= 0 && read_cb_len < read_cb_size);
+#else
+  rc = -1;
+#endif
+
+  if (rc < 0 || read_cb_len != read_cb_size)
+    {
+      log_fatal ("error reading random from system RNG (rc=%d)\n", rc);
+    }
+}
+
+
+
+/* --- Public Functions --- */
+
+/* Initialize this random subsystem.  If FULL is false, this function
+   merely calls the basic initialization of the module and does not do
+   anything more.  Doing this is not really required but when running
+   in a threaded environment we might get a race condition
+   otherwise. */
+void
+_gcry_rngsystem_initialize (int full)
+{
+  basic_initialization ();
+  if (!full)
+    return;
+  /* Nothing more to initialize.  */
+  return;
+}
+
+
+/* Print some statistics about the RNG.  */
+void
+_gcry_rngsystem_dump_stats (void)
+{
+  /* Not yet implemented.  */
+}
+
+
+/* This function returns true if no real RNG is available or the
+   quality of the RNG has been degraded for test purposes.  */
+int
+_gcry_rngsystem_is_faked (void)
+{
+  return 0;  /* Faked random is not supported.  */
+}
+
+
+/* Add BUFLEN bytes from BUF to the internal random pool.  QUALITY
+   should be in the range of 0..100 to indicate the goodness of the
+   entropy added, or -1 for goodness not known. */
+gcry_error_t
+_gcry_rngsystem_add_bytes (const void *buf, size_t buflen, int quality)
+{
+  (void)buf;
+  (void)buflen;
+  (void)quality;
+  return 0;  /* Not implemented. */
+}
+
+
+/* Public function to fill the buffer with LENGTH bytes of
+   cryptographically strong random bytes.  Level GCRY_WEAK_RANDOM is
+   here mapped to GCRY_STRONG_RANDOM, GCRY_STRONG_RANDOM is strong
+   enough for most usage, GCRY_VERY_STRONG_RANDOM is good for key
+   generation stuff but may be very slow.  */
+void
+_gcry_rngsystem_randomize (void *buffer, size_t length,
+                           enum gcry_random_level level)
+{
+  _gcry_rngsystem_initialize (1);  /* Auto-initialize if needed.  */
+
+  if (level != GCRY_VERY_STRONG_RANDOM)
+    level = GCRY_STRONG_RANDOM;
+
+  lock_rng ();
+  get_random (buffer, length, level);
+  unlock_rng ();
+}
diff --git a/random/random.c b/random/random.c
index 9a5b166c..e56eb8a9 100644
--- a/random/random.c
+++ b/random/random.c
@@ -43,6 +43,15 @@
 static void (*progress_cb) (void *,const char*,int,int, int );
 static void *progress_cb_data;
 
+/* Flags indicating the requested RNG types.  */
+static struct
+{
+  int standard;
+  int fips;
+  int system;
+} rng_types;
+
+
 /* This is the lock we use to protect the buffer used by the nonce
    generation.  */
 static ath_mutex_t nonce_buffer_lock;
@@ -73,6 +82,55 @@ _gcry_random_progress (const char *what, int printchar, int current, int total)
 }
 
 
+/* Set the preferred RNG type.  This may be called at any time even
+   before gcry_check_version.  Thus we can't assume any thread system
+   initialization.  A type of 0 is used to indicate that any Libgcrypt
+   initialization has been done.*/
+void
+_gcry_set_preferred_rng_type (int type)
+{
+  static int any_init;
+
+  if (!type)
+    {
+      any_init = 1;
+    }
+  else if (type == GCRY_RNG_TYPE_STANDARD)
+    {
+      rng_types.standard = 1;
+    }
+  else if (any_init)
+    {
+      /* After any initialization has been done we only allow to
+         upgrade to the standard RNG (handled above).  All other
+         requests are ignored.  The idea is that the application needs
+         to declare a preference for a weaker RNG as soon as possible
+         and before any library sets a preference.  We assume that a
+         library which uses Libgcrypt calls an init function very
+         early.  This way --- even if the library gets initialized
+         early by the application --- it is unlikely that it can
+         select a lower priority RNG.
+
+         This scheme helps to ensure that existing unmodified
+         applications (e.g. gpg2), which don't known about the new RNG
+         selection system, will continue to use the standard RNG and
+         not be tricked by some library to use a lower priority RNG.
+         There are some loopholes here but at least most GnuPG stuff
+         should be save because it calls src_c{gcry_control
+         (GCRYCTL_SUSPEND_SECMEM_WARN);} quite early and thus inhibits
+         switching to a low priority RNG.
+       */
+    }
+  else if (type == GCRY_RNG_TYPE_FIPS)
+    {
+      rng_types.fips = 1;
+    }
+  else if (type == GCRY_RNG_TYPE_SYSTEM)
+    {
+      rng_types.system = 1;
+    }
+}
+
 
 /* Initialize this random subsystem.  If FULL is false, this function
    merely calls the basic initialization of the module and does not do
@@ -96,11 +154,39 @@ _gcry_random_initialize (int full)
 
   if (fips_mode ())
     _gcry_rngfips_initialize (full);
+  else if (rng_types.standard)
+    _gcry_rngcsprng_initialize (full);
+  else if (rng_types.fips)
+    _gcry_rngfips_initialize (full);
+  else if (rng_types.system)
+    _gcry_rngsystem_initialize (full);
   else
     _gcry_rngcsprng_initialize (full);
 }
 
 
+/* Return the current RNG type.  IGNORE_FIPS_MODE is a flag used to
+   skip the test for FIPS.  This is useful, so that we are able to
+   return the type of the RNG even before we have setup FIPS mode
+   (note that FIPS mode is enabled by default until it is switched off
+   by the initialization).  This is mostly useful for the regression
+   test.  */
+int
+_gcry_get_rng_type (int ignore_fips_mode)
+{
+  if (!ignore_fips_mode && fips_mode ())
+    return GCRY_RNG_TYPE_FIPS;
+  else if (rng_types.standard)
+    return GCRY_RNG_TYPE_STANDARD;
+  else if (rng_types.fips)
+    return GCRY_RNG_TYPE_FIPS;
+  else if (rng_types.system)
+    return GCRY_RNG_TYPE_SYSTEM;
+  else
+    return GCRY_RNG_TYPE_STANDARD;
+}
+
+
 void
 _gcry_random_dump_stats (void)
 {
@@ -178,7 +264,13 @@ gcry_random_add_bytes (const void *buf, size_t buflen, int quality)
 {
   if (fips_mode ())
     return 0; /* No need for this in fips mode.  */
-  else
+  else if (rng_types.standard)
+    return _gcry_rngcsprng_add_bytes (buf, buflen, quality);
+  else if (rng_types.fips)
+    return 0;
+  else if (rng_types.system)
+    return 0;
+  else /* default */
     return _gcry_rngcsprng_add_bytes (buf, buflen, quality);
 }
 
@@ -189,7 +281,13 @@ do_randomize (void *buffer, size_t length, enum gcry_random_level level)
 {
   if (fips_mode ())
     _gcry_rngfips_randomize (buffer, length, level);
-  else
+  else if (rng_types.standard)
+    _gcry_rngcsprng_randomize (buffer, length, level);
+  else if (rng_types.fips)
+    _gcry_rngfips_randomize (buffer, length, level);
+  else if (rng_types.system)
+    _gcry_rngsystem_randomize (buffer, length, level);
+  else /* default */
     _gcry_rngcsprng_randomize (buffer, length, level);
 }
 
@@ -244,7 +342,13 @@ _gcry_set_random_seed_file (const char *name)
 {
   if (fips_mode ())
     ; /* No need for this in fips mode.  */
-  else
+  else if (rng_types.standard)
+    _gcry_rngcsprng_set_seed_file (name);
+  else if (rng_types.fips)
+    ;
+  else if (rng_types.system)
+    ;
+  else /* default */
     _gcry_rngcsprng_set_seed_file (name);
 }
 
@@ -256,7 +360,13 @@ _gcry_update_random_seed_file (void)
 {
   if (fips_mode ())
     ; /* No need for this in fips mode.  */
-  else
+  else if (rng_types.standard)
+    _gcry_rngcsprng_update_seed_file ();
+  else if (rng_types.fips)
+    ;
+  else if (rng_types.system)
+    ;
+  else /* default */
     _gcry_rngcsprng_update_seed_file ();
 }
 
@@ -274,7 +384,13 @@ _gcry_fast_random_poll (void)
 {
   if (fips_mode ())
     ; /* No need for this in fips mode.  */
-  else
+  else if (rng_types.standard)
+    _gcry_rngcsprng_fast_poll ();
+  else if (rng_types.fips)
+    ;
+  else if (rng_types.system)
+    ;
+  else /* default */
     _gcry_rngcsprng_fast_poll ();
 }
 
diff --git a/random/random.h b/random/random.h
index 5f6a42c1..aae07ab0 100644
--- a/random/random.h
+++ b/random/random.h
@@ -26,7 +26,9 @@
 void _gcry_register_random_progress (void (*cb)(void *,const char*,int,int,int),
                                      void *cb_data );
 
+void _gcry_set_preferred_rng_type (int type);
 void _gcry_random_initialize (int full);
+int  _gcry_get_rng_type (int ignore_fips_mode);
 void _gcry_random_dump_stats(void);
 void _gcry_secure_random_alloc(void);
 void _gcry_enable_quick_random_gen (void);