6666204 meta slot opens and closes /dev/urandom needlessly for every read

6722460 finish moving /dev/random and /dev/urandom seeding and usage to libcryptoutil

9 files changed, 51 insertions, 199 deletions

diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softEC.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softEC.c
index 27d18b290b..50fdcc1ea9 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softEC.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softEC.c
@@ -19,12 +19,10 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #include <stdlib.h>
 #include <string.h>
 #include <strings.h>
@@ -37,7 +35,6 @@
 #include "softSession.h"
 #include "softObject.h"
 #include "softEC.h"
-#include "softRandom.h"
 #include "softCrypt.h"
 #include "softOps.h"
 #include "softMAC.h"
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c
index d215dc11e2..ab52db753c 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c
@@ -120,10 +120,6 @@ soft_session_t *soft_session_list = NULL;
 
 int all_sessions_closing = 0;
 
-int soft_urandom_fd = -1;
-int soft_urandom_seed_fd = -1;
-int soft_random_fd = -1;
-
 slot_t soft_slot;
 obj_to_be_freed_list_t obj_delay_freed;
 ses_to_be_freed_list_t ses_delay_freed;
@@ -328,20 +324,9 @@ finalize_common(boolean_t force, CK_VOID_PTR pReserved) {
 	softtoken_initialized = B_FALSE;
 	softtoken_pid = 0;
 
-	if (soft_urandom_fd > 0) {
-		(void) close(soft_urandom_fd);
-		soft_urandom_fd = -1;
-	}
-
-	if (soft_urandom_seed_fd > 0) {
-		(void) close(soft_urandom_seed_fd);
-		soft_urandom_seed_fd = -1;
-	}
-
-	if (soft_random_fd > 0) {
-		(void) close(soft_random_fd);
-		soft_random_fd = -1;
-	}
+	pkcs11_close_urandom();
+	pkcs11_close_urandom_seed();
+	pkcs11_close_random();
 
 	/* Destroy the session list lock here */
 	(void) pthread_mutex_destroy(&soft_sessionlist_mutex);
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c
index 56dfc75069..c4fa438210 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c
@@ -19,12 +19,10 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #include <pthread.h>
 #include <stdlib.h>
 #include <string.h>
@@ -36,6 +34,7 @@
 #include <blowfish_impl.h>
 #include <des_impl.h>
 #include <arcfour.h>
+#include <cryptoutil.h>
 #include "softGlobal.h"
 #include "softSession.h"
 #include "softObject.h"
@@ -43,7 +42,6 @@
 #include "softRSA.h"
 #include "softDH.h"
 #include "softEC.h"
-#include "softRandom.h"
 #include "softMAC.h"
 #include "softOps.h"
 #include "softKeys.h"
@@ -346,12 +344,13 @@ soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
 		break;
 	default:
 		do {
-			rv = soft_random_generator(
-			    OBJ_SEC_VALUE(secret_key), keylen, B_FALSE);
-
 			/* If this fails, bail out */
-			if (rv != CKR_OK)
+			rv = CKR_OK;
+			if (pkcs11_get_urandom(
+			    OBJ_SEC_VALUE(secret_key), keylen) < 0) {
+				rv = CKR_DEVICE_ERROR;
 				break;
+			}
 
 			/* Perform weak key checking for DES and DES3. */
 			if (des_strength > 0) {
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.c
index b0ee8d2acb..027de2b195 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.c
@@ -19,12 +19,10 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #include <crypt.h>
 #include <cryptoutil.h>
 #include <pwd.h>
@@ -42,25 +40,12 @@
 #include "softKeys.h"
 #include "softKeystore.h"
 #include "softKeystoreUtil.h"
-#include "softRandom.h"
 #include "softMAC.h"
 #include "softOps.h"
 
 soft_session_t token_session;
 
 /*
- * Generate a 16-byte Initialization Vector (IV).
- */
-CK_RV
-soft_gen_iv(CK_BYTE *iv)
-{
-
-	return (soft_nzero_random_generator(iv, 16));
-
-}
-
-
-/*
  * soft_gen_hashed_pin()
  *
  * Arguments:
@@ -718,7 +703,7 @@ soft_pack_object_size(soft_object_t *objp)
 		 * value_len + value
 		 */
 		return (ROUNDUP(OBJ_SEC_VALUE_LEN(objp), 8) +
-			sizeof (uint64_t));
+		    sizeof (uint64_t));
 
 	case CKO_CERTIFICATE:
 		switch (certtype) {
@@ -727,20 +712,20 @@ soft_pack_object_size(soft_object_t *objp)
 			 * subject_len + subject + value_len + value
 			 */
 			return (ROUNDUP(((cert_attr_t *)
-				X509_CERT_SUBJECT(objp))->length, 8) +
-				ROUNDUP(((cert_attr_t *)
-				X509_CERT_VALUE(objp))->length, 8) +
-				2 * sizeof (uint64_t));
+			    X509_CERT_SUBJECT(objp))->length, 8) +
+			    ROUNDUP(((cert_attr_t *)
+			    X509_CERT_VALUE(objp))->length, 8) +
+			    2 * sizeof (uint64_t));
 
 		case CKC_X_509_ATTR_CERT:
 			/*
 			 * owner_len + owner + value_len + value
 			 */
 			return (ROUNDUP(((cert_attr_t *)
-				X509_ATTR_CERT_OWNER(objp))->length, 8) +
-				ROUNDUP(((cert_attr_t *)
-				X509_ATTR_CERT_VALUE(objp))->length, 8) +
-				2 * sizeof (uint64_t));
+			    X509_ATTR_CERT_OWNER(objp))->length, 8) +
+			    ROUNDUP(((cert_attr_t *)
+			    X509_ATTR_CERT_VALUE(objp))->length, 8) +
+			    2 * sizeof (uint64_t));
 		}
 		return (0);
 
@@ -1717,7 +1702,7 @@ soft_unpack_object(soft_object_t *objp, uchar_t *buf)
 			/* subject */
 			if ((rv = soft_unpack_obj_attribute(buf, NULL,
 			    &cert->cert_type_u.x509.subject,
-				&offset, B_TRUE)) != CKR_OK) {
+			    &offset, B_TRUE)) != CKR_OK) {
 				free(cert);
 				return (rv);
 			}
@@ -1727,7 +1712,7 @@ soft_unpack_object(soft_object_t *objp, uchar_t *buf)
 			/* value */
 			if ((rv = soft_unpack_obj_attribute(buf, NULL,
 			    &cert->cert_type_u.x509.value,
-				&offset, B_TRUE)) != CKR_OK) {
+			    &offset, B_TRUE)) != CKR_OK) {
 				free(cert);
 				return (rv);
 			}
@@ -1738,7 +1723,7 @@ soft_unpack_object(soft_object_t *objp, uchar_t *buf)
 			/* owner */
 			if ((rv = soft_unpack_obj_attribute(buf, NULL,
 			    &cert->cert_type_u.x509_attr.owner,
-				&offset, B_TRUE)) != CKR_OK) {
+			    &offset, B_TRUE)) != CKR_OK) {
 				free(cert);
 				return (rv);
 			}
@@ -1748,7 +1733,7 @@ soft_unpack_object(soft_object_t *objp, uchar_t *buf)
 			/* value */
 			if ((rv = soft_unpack_obj_attribute(buf, NULL,
 			    &cert->cert_type_u.x509_attr.value,
-				&offset, B_TRUE)) != CKR_OK) {
+			    &offset, B_TRUE)) != CKR_OK) {
 				free(cert);
 				return (rv);
 			}
@@ -1989,7 +1974,7 @@ soft_gen_crypt_key(uchar_t *pPIN, soft_object_t **key, CK_BYTE **saltdata)
 
 	if (*saltdata == NULL) {
 		bzero(salt, sizeof (salt));
-		(void) soft_nzero_random_generator(salt, sizeof (salt));
+		(void) pkcs11_get_nzero_urandom(salt, sizeof (salt));
 		*saltdata = malloc(PBKD2_SALT_SIZE);
 		if (*saltdata == NULL)
 			return (CKR_HOST_MEMORY);
@@ -2112,7 +2097,7 @@ soft_gen_hmac_key(uchar_t *pPIN, soft_object_t **key, CK_BYTE **saltdata)
 
 	if (*saltdata == NULL) {
 		bzero(salt, sizeof (salt));
-		(void) soft_nzero_random_generator(salt, sizeof (salt));
+		(void) pkcs11_get_nzero_urandom(salt, sizeof (salt));
 		*saltdata = malloc(PBKD2_SALT_SIZE);
 		if (*saltdata == NULL)
 			return (CKR_HOST_MEMORY);
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.h b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.h
index d62fe19c96..aab64ac405 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.h
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.h
@@ -19,15 +19,13 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
 #ifndef _SOFTKEYSTORE_H
 #define	_SOFTKEYSTORE_H
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -87,8 +85,6 @@ typedef struct ks_attr_hdr {
 /*
  * Function Prototypes
  */
-CK_RV soft_gen_iv(CK_BYTE *iv);
-
 int soft_gen_hashed_pin(CK_UTF8CHAR_PTR pPin, char **result, char **salt);
 
 CK_RV soft_verify_pin(CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen);
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.c
index 1b30da9021..8498d2985b 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.c
@@ -1180,6 +1180,18 @@ cleanup:
 	return (ret_val);
 }
 
+
+/*
+ * Generate a 16-byte Initialization Vector (IV).
+ */
+CK_RV
+soft_gen_iv(CK_BYTE *iv)
+{
+	return (pkcs11_get_nzero_urandom(iv, 16) < 0 ?
+	    CKR_DEVICE_ERROR : CKR_OK);
+}
+
+
 /*
  * This function reads all the data until the end of the file, and
  * put the data into the "buf" in argument.  Memory for buf will
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRand.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRand.c
index 0ef1586274..9c602110c1 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRand.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRand.c
@@ -30,7 +30,6 @@
 #include <security/cryptoki.h>
 #include <cryptoutil.h>
 #include "softGlobal.h"
-#include "softRandom.h"
 #include "softSession.h"
 
 CK_RV
@@ -40,7 +39,6 @@ C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen)
 	CK_RV	rv;
 	soft_session_t	*session_p;
 	boolean_t	lock_held = B_FALSE;
-	long		nwrite;
 
 	if (!softtoken_initialized)
 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
@@ -56,27 +54,11 @@ C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen)
 		return (CKR_ARGUMENTS_BAD);
 	}
 
-	if (soft_urandom_seed_fd < 0) {
-		(void) pthread_mutex_lock(&soft_giant_mutex);
-		/* Check again holding the mutex */
-		if (soft_urandom_seed_fd < 0) {
-			soft_urandom_seed_fd = open_nointr(DEV_URANDOM,
-			    O_WRONLY);
-			if (soft_urandom_seed_fd < 0) {
-				(void) pthread_mutex_unlock(&soft_giant_mutex);
-				if (errno == EACCES)
-					return (CKR_RANDOM_SEED_NOT_SUPPORTED);
-				return (CKR_DEVICE_ERROR);
-			}
-		}
-		(void) pthread_mutex_unlock(&soft_giant_mutex);
-	}
-
-	nwrite = writen_nointr(soft_urandom_seed_fd, pSeed, ulSeedLen);
-	if (nwrite <= 0) {
+	if (pkcs11_seed_urandom(pSeed, ulSeedLen) < 0) {
+		if (errno == EACCES)
+			return (CKR_RANDOM_SEED_NOT_SUPPORTED);
 		return (CKR_DEVICE_ERROR);
 	}
-
 	return (CKR_OK);
 
 }
@@ -104,6 +86,8 @@ C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData,
 		return (CKR_ARGUMENTS_BAD);
 	}
 
-	return (soft_random_generator(pRandomData, ulRandomLen, B_FALSE));
+	if (pkcs11_get_urandom(pRandomData, ulRandomLen) < 0)
+		return (CKR_DEVICE_ERROR);
+	return (CKR_OK);
 
 }
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRandUtil.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRandUtil.c
index bf2c843ba5..0a63501cf2 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRandUtil.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRandUtil.c
@@ -42,111 +42,18 @@
 CK_RV
 soft_random_generator(CK_BYTE *ran_out, CK_ULONG ran_len, boolean_t token)
 {
-
-	long	nread;
-
 	/*
 	 * When random-number generator is called by asymmetric token
 	 * (persistent) key generation, use /dev/random. Otherwise,
 	 * use /dev/urandom.
 	 */
 	if (token) {
-		if (soft_random_fd < 0) {
-			(void) pthread_mutex_lock(&soft_giant_mutex);
-			/* Check again holding the mutex */
-			if (soft_random_fd < 0) {
-				soft_random_fd = open_nointr(DEV_RANDOM,
-				    O_RDONLY);
-				if (soft_random_fd < 0) {
-					(void) pthread_mutex_unlock(
-					    &soft_giant_mutex);
-					return (CKR_DEVICE_ERROR);
-				}
-			}
-			(void) pthread_mutex_unlock(&soft_giant_mutex);
-		}
+		if (pkcs11_get_random(ran_out, ran_len) < 0)
+			return (CKR_DEVICE_ERROR);
 	} else {
-		if (soft_urandom_fd < 0) {
-			(void) pthread_mutex_lock(&soft_giant_mutex);
-			/* Check again holding the mutex */
-			if (soft_urandom_fd < 0) {
-				soft_urandom_fd = open_nointr(DEV_URANDOM,
-				    O_RDONLY);
-				if (soft_urandom_fd < 0) {
-					(void) pthread_mutex_unlock(
-					    &soft_giant_mutex);
-					return (CKR_DEVICE_ERROR);
-				}
-			}
-			(void) pthread_mutex_unlock(&soft_giant_mutex);
-		}
-	}
-
-	if (token)
-		nread = readn_nointr(soft_random_fd, ran_out, ran_len);
-	else
-		nread = readn_nointr(soft_urandom_fd, ran_out, ran_len);
-
-	if (nread <= 0) {
-		return (CKR_DEVICE_ERROR);
-	}
-	return (CKR_OK);
-
-}
-
-
-/*
- * This function guarantees to return non-zero random numbers.
- */
-CK_RV
-soft_nzero_random_generator(CK_BYTE *ran_out, CK_ULONG ran_len)
-{
-
-	CK_RV rv = CKR_OK;
-	size_t ebc = 0; /* count of extra bytes in extrarand */
-	size_t i = 0;
-	char extrarand[32];
-	size_t extrarand_len;
-
-	/*
-	 * soft_random_generator() may return zeros.
-	 */
-	if ((rv = soft_random_generator(ran_out, ran_len, B_FALSE)) != CKR_OK) {
-		return (rv);
-	}
-
-	/*
-	 * Walk through the returned random numbers pointed by ran_out,
-	 * and look for any random number which is zero.
-	 * If we find zero, call soft_random_generator() to generate
-	 * another 32 random numbers pool. Replace any zeros in ran_out[]
-	 * from the random number in pool.
-	 */
-	while (i < ran_len) {
-		if (((char *)ran_out)[i] != 0) {
-			i++;
-			continue;
-		}
-
-		if (ebc == 0) {
-			/* refresh extrarand */
-			extrarand_len = sizeof (extrarand);
-			if ((rv = soft_random_generator((CK_BYTE *)extrarand,
-			    extrarand_len, B_FALSE)) != CKR_OK) {
-				return (rv);
-			}
-
-			ebc = extrarand_len;
-		}
-		-- ebc;
-
-		/*
-		 * The new random byte zero/non-zero will be checked in
-		 * the next pass through the loop.
-		 */
-		((char *)ran_out)[i] = extrarand[ebc];
+		if (pkcs11_get_urandom(ran_out, ran_len) < 0)
+			return (CKR_DEVICE_ERROR);
 	}
-
 	return (CKR_OK);
 }
 
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRandom.h b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRandom.h
index 6f0f5ce440..2307ac7264 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRandom.h
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRandom.h
@@ -19,15 +19,13 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
 #ifndef _SOFTRANDOM_H
 #define	_SOFTRANDOM_H
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -37,17 +35,6 @@ extern "C" {
 #include <bignum.h>
 #include "softSession.h"
 
-extern int soft_urandom_fd;
-extern int soft_urandom_seed_fd;
-extern int soft_random_fd;
-
-#define	DEV_URANDOM		"/dev/urandom"
-#define	DEV_RANDOM		"/dev/random"
-
-CK_RV soft_random_generator(CK_BYTE *, CK_ULONG, boolean_t);
-
-CK_RV soft_nzero_random_generator(CK_BYTE *, CK_ULONG);
-
 BIG_ERR_CODE random_bignum(BIGNUM *, int, boolean_t);
 
 #ifdef	__cplusplus