/*
* Copyright (c) 2003, 2004, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.provider;
import java.io.*;
import java.security.*;
import java.security.SecureRandom;
Native PRNG implementation for Solaris/Linux. It interacts with
/dev/random and /dev/urandom, so it is only available if those
files are present. Otherwise, SHA1PRNG is used instead of this class.
getSeed() and setSeed() directly read/write /dev/random. However,
/dev/random is only writable by root in many configurations. Because
we cannot just ignore bytes specified via setSeed(), we keep a
SHA1PRNG around in parallel.
nextBytes() reads the bytes directly from /dev/urandom (and then
mixes them with bytes from the SHA1PRNG for the reasons explained
above). Reading bytes from /dev/urandom means that constantly get
new entropy the operating system has collected. This is a notable
advantage over the SHA1PRNG model, which acquires entropy only
initially during startup although the VM may be running for months.
Also note that we do not need any initial pure random seed from
/dev/random. This is an advantage because on some versions of Linux
it can be exhausted very quickly and could thus impact startup time.
Finally, note that we use a singleton for the actual work (RandomIO)
to avoid having to open and close /dev/[u]random constantly. However,
there may me many NativePRNG instances created by the JCA framework.
Author: Andreas Sterbenz Since: 1.5
/**
* Native PRNG implementation for Solaris/Linux. It interacts with
* /dev/random and /dev/urandom, so it is only available if those
* files are present. Otherwise, SHA1PRNG is used instead of this class.
*
* getSeed() and setSeed() directly read/write /dev/random. However,
* /dev/random is only writable by root in many configurations. Because
* we cannot just ignore bytes specified via setSeed(), we keep a
* SHA1PRNG around in parallel.
*
* nextBytes() reads the bytes directly from /dev/urandom (and then
* mixes them with bytes from the SHA1PRNG for the reasons explained
* above). Reading bytes from /dev/urandom means that constantly get
* new entropy the operating system has collected. This is a notable
* advantage over the SHA1PRNG model, which acquires entropy only
* initially during startup although the VM may be running for months.
*
* Also note that we do not need any initial pure random seed from
* /dev/random. This is an advantage because on some versions of Linux
* it can be exhausted very quickly and could thus impact startup time.
*
* Finally, note that we use a singleton for the actual work (RandomIO)
* to avoid having to open and close /dev/[u]random constantly. However,
* there may me many NativePRNG instances created by the JCA framework.
*
* @since 1.5
* @author Andreas Sterbenz
*/
public final class NativePRNG extends SecureRandomSpi {
private static final long serialVersionUID = -6599091113397072932L;
// name of the pure random file (also used for setSeed())
private static final String NAME_RANDOM = "/dev/random";
// name of the pseudo random file
private static final String NAME_URANDOM = "/dev/urandom";
// singleton instance or null if not available
private static final RandomIO INSTANCE = initIO();
private static RandomIO initIO() {
return AccessController.doPrivileged(
new PrivilegedAction<RandomIO>() {
public RandomIO run() {
File randomFile = new File(NAME_RANDOM);
if (randomFile.exists() == false) {
return null;
}
File urandomFile = new File(NAME_URANDOM);
if (urandomFile.exists() == false) {
return null;
}
try {
return new RandomIO(randomFile, urandomFile);
} catch (Exception e) {
return null;
}
}
});
}
// return whether the NativePRNG is available
static boolean isAvailable() {
return INSTANCE != null;
}
// constructor, called by the JCA framework
public NativePRNG() {
super();
if (INSTANCE == null) {
throw new AssertionError("NativePRNG not available");
}
}
// set the seed
protected void engineSetSeed(byte[] seed) {
INSTANCE.implSetSeed(seed);
}
// get pseudo random bytes
protected void engineNextBytes(byte[] bytes) {
INSTANCE.implNextBytes(bytes);
}
// get true random bytes
protected byte[] engineGenerateSeed(int numBytes) {
return INSTANCE.implGenerateSeed(numBytes);
}
Nested class doing the actual work. Singleton, see INSTANCE above.
/**
* Nested class doing the actual work. Singleton, see INSTANCE above.
*/
private static class RandomIO {
// we buffer data we read from /dev/urandom for efficiency,
// but we limit the lifetime to avoid using stale bits
// lifetime in ms, currently 100 ms (0.1 s)
private final static long MAX_BUFFER_TIME = 100;
// size of the /dev/urandom buffer
private final static int BUFFER_SIZE = 32;
// In/OutputStream for /dev/random and /dev/urandom
private final InputStream randomIn, urandomIn;
private OutputStream randomOut;
// flag indicating if we have tried to open randomOut yet
private boolean randomOutInitialized;
// SHA1PRNG instance for mixing
// initialized lazily on demand to avoid problems during startup
private volatile sun.security.provider.SecureRandom mixRandom;
// buffer for /dev/urandom bits
private final byte[] urandomBuffer;
// number of bytes left in urandomBuffer
private int buffered;
// time we read the data into the urandomBuffer
private long lastRead;
// mutex lock for nextBytes()
private final Object LOCK_GET_BYTES = new Object();
// mutex lock for getSeed()
private final Object LOCK_GET_SEED = new Object();
// mutex lock for setSeed()
private final Object LOCK_SET_SEED = new Object();
// constructor, called only once from initIO()
private RandomIO(File randomFile, File urandomFile) throws IOException {
randomIn = new FileInputStream(randomFile);
urandomIn = new FileInputStream(urandomFile);
urandomBuffer = new byte[BUFFER_SIZE];
}
// get the SHA1PRNG for mixing
// initialize if not yet created
private sun.security.provider.SecureRandom getMixRandom() {
sun.security.provider.SecureRandom r = mixRandom;
if (r == null) {
synchronized (LOCK_GET_BYTES) {
r = mixRandom;
if (r == null) {
r = new sun.security.provider.SecureRandom();
try {
byte[] b = new byte[20];
readFully(urandomIn, b);
r.engineSetSeed(b);
} catch (IOException e) {
throw new ProviderException("init failed", e);
}
mixRandom = r;
}
}
}
return r;
}
// read data.length bytes from in
// /dev/[u]random are not normal files, so we need to loop the read.
// just keep trying as long as we are making progress
private static void readFully(InputStream in, byte[] data)
throws IOException {
int len = data.length;
int ofs = 0;
while (len > 0) {
int k = in.read(data, ofs, len);
if (k <= 0) {
throw new EOFException("/dev/[u]random closed?");
}
ofs += k;
len -= k;
}
if (len > 0) {
throw new IOException("Could not read from /dev/[u]random");
}
}
// get true random bytes, just read from /dev/random
private byte[] implGenerateSeed(int numBytes) {
synchronized (LOCK_GET_SEED) {
try {
byte[] b = new byte[numBytes];
readFully(randomIn, b);
return b;
} catch (IOException e) {
throw new ProviderException("generateSeed() failed", e);
}
}
}
// supply random bytes to the OS
// write to /dev/random if possible
// always add the seed to our mixing random
private void implSetSeed(byte[] seed) {
synchronized (LOCK_SET_SEED) {
if (randomOutInitialized == false) {
randomOutInitialized = true;
randomOut = AccessController.doPrivileged(
new PrivilegedAction<OutputStream>() {
public OutputStream run() {
try {
return new FileOutputStream(NAME_RANDOM, true);
} catch (Exception e) {
return null;
}
}
});
}
if (randomOut != null) {
try {
randomOut.write(seed);
} catch (IOException e) {
throw new ProviderException("setSeed() failed", e);
}
}
getMixRandom().engineSetSeed(seed);
}
}
// ensure that there is at least one valid byte in the buffer
// if not, read new bytes
private void ensureBufferValid() throws IOException {
long time = System.currentTimeMillis();
if ((buffered > 0) && (time - lastRead < MAX_BUFFER_TIME)) {
return;
}
lastRead = time;
readFully(urandomIn, urandomBuffer);
buffered = urandomBuffer.length;
}
// get pseudo random bytes
// read from /dev/urandom and XOR with bytes generated by the
// mixing SHA1PRNG
private void implNextBytes(byte[] data) {
synchronized (LOCK_GET_BYTES) {
try {
getMixRandom().engineNextBytes(data);
int len = data.length;
int ofs = 0;
while (len > 0) {
ensureBufferValid();
int bufferOfs = urandomBuffer.length - buffered;
while ((len > 0) && (buffered > 0)) {
data[ofs++] ^= urandomBuffer[bufferOfs++];
len--;
buffered--;
}
}
} catch (IOException e) {
throw new ProviderException("nextBytes() failed", e);
}
}
}
}
}