Merge pull request #111 from alon-sh/rng_mix

Change CRIU RNG to be non-blocking, mixing in SHA1PRNG data

Author: JasonFengJ9

closed/src/java.base/share/classes/openj9/internal/criu/CRIUSECProvider.java

@@ -57,7 +57,8 @@ public CRIUSECProvider() {
     /**
      * Resets the security digests.
      */
-    public static void resetDigests() {
+    public static void resetCRIUSEC() {
+        NativePRNG.clearRNGState();
         DigestBase.resetDigests();
     }
 }

closed/src/java.base/share/classes/openj9/internal/criu/NativePRNG.java

@@ -73,6 +73,9 @@ public final class NativePRNG extends SecureRandomSpi {
     // name of the pure random file (also used for setSeed())
     private static final String NAME_RANDOM = "/dev/random";
 
+    // name of the pseudo random file
+    private static final String NAME_URANDOM = "/dev/urandom";
+
     // singleton instance or null if not available
     private static final RandomIO INSTANCE = initIO();
 
@@ -85,7 +88,7 @@ private static RandomIO initIO() {
                 @Override
                 public RandomIO run() {
                     File seedFile = new File(NAME_RANDOM);
-                    File nextFile = new File(NAME_RANDOM);
+                    File nextFile = new File(NAME_URANDOM);
 
                     if (debug != null) {
                         debug.println("NativePRNG." +
@@ -132,9 +135,7 @@ protected void engineSetSeed(byte[] seed) {
     // get pseudo random bytes
     @Override
     protected void engineNextBytes(byte[] bytes) {
-        int len = bytes.length;
-        byte[] b = INSTANCE.implGenerateSeed(len);
-        System.arraycopy(b, 0, bytes, 0, len);
+        INSTANCE.implNextBytes(bytes);
     }
 
     // get true random bytes
@@ -143,12 +144,16 @@ protected byte[] engineGenerateSeed(int numBytes) {
         return INSTANCE.implGenerateSeed(numBytes);
     }
 
+    static void clearRNGState() {
+        INSTANCE.clearRNGState();
+    }
+
     /**
      * Nested class doing the actual work. Singleton, see INSTANCE above.
      */
     private static final class RandomIO {
 
-        // Holder for the seedFile.  Used if we ever add seed material.
+        // holder for the seedFile, used if we ever add seed material
         private File seedFile;
 
         // In/OutputStream for "seed" and "next".
@@ -158,11 +163,12 @@ private static final class RandomIO {
         // flag indicating if we have tried to open seedOut yet
         private boolean seedOutInitialized;
 
-        // mutex lock for generateSeed()
-        private final Object LOCK_GET_SEED = new Object();
+        // SHA1PRNG instance for mixing
+        // initialized lazily on demand to avoid problems during startup
+        private volatile SHA1PRNG mixRandom;
 
-        // mutex lock for setSeed()
-        private final Object LOCK_SET_SEED = new Object();
+        // mutex lock for accessing the seed file stream
+        private final Object LOCK_GET_SEED = new Object();
 
         // constructor, called only once from initIO()
         private RandomIO(File seedFile, File nextFile) throws IOException {
@@ -183,22 +189,32 @@ private RandomIO(File seedFile, File nextFile) throws IOException {
             this.nextIn = nextStream;
         }
 
+        // get the SHA1PRNG for mixing
+        // initialize if not yet created
+        private SHA1PRNG getMixRandom() {
+            SHA1PRNG prngObj = mixRandom;
+            if (prngObj == null) {
+                synchronized (LOCK_GET_SEED) {
+                    prngObj = mixRandom;
+                    if (prngObj == null) {
+                        try {
+                            prngObj = SHA1PRNG.seedFrom(seedIn);
+                        } catch (IOException e) {
+                            throw new ProviderException("init failed", e);
+                        }
+                        mixRandom = prngObj;
+                    }
+                }
+            }
+            return prngObj;
+        }
         // Read data.length bytes from in.
         // These are not normal files, so we need to loop the read.
         // Just keep trying as long as we are making progress.
         private static void readFully(InputStream in, byte[] data)
                 throws IOException {
             int len = data.length;
-            int ofs = 0;
-            while (len > 0) {
-                int k = in.read(data, ofs, len);
-                if (k <= 0) {
-                    throw new EOFException("File(s) closed?");
-                }
-                ofs += k;
-                len -= k;
-            }
-            if (len > 0) {
+            if (in.readNBytes(data, 0, len) < len) {
                 throw new IOException("Could not read from file(s)");
             }
         }
@@ -219,30 +235,49 @@ private byte[] implGenerateSeed(int numBytes) {
         // supply random bytes to the OS
         // write to "seed" if possible
         // always add the seed to our mixing random
-        private void implSetSeed(byte[] seed) {
-            synchronized (LOCK_SET_SEED) {
-                if (seedOutInitialized == false) {
-                    seedOutInitialized = true;
-                    seedOut = AccessController.doPrivileged(
-                            new PrivilegedAction<>() {
-                        @Override
-                        public OutputStream run() {
-                            try {
-                                return new FileOutputStream(seedFile, true);
-                            } catch (Exception e) {
-                                return null;
-                            }
-                        }
-                    });
-                }
-                if (seedOut != null) {
-                    try {
-                        seedOut.write(seed);
-                    } catch (IOException e) {
-                        // Ignored. On Mac OS X, /dev/urandom can be opened
-                        // for write, but actual write is not permitted.
-                    }
+        private synchronized void implSetSeed(byte[] seed) {
+           if (seedOutInitialized == false) {
+               seedOutInitialized = true;
+               seedOut = AccessController.doPrivileged(
+                       new PrivilegedAction<>() {
+                   @Override
+                   public OutputStream run() {
+                       try {
+                           return new FileOutputStream(seedFile, true);
+                       } catch (IOException e) {
+                           return null;
+                       }
+                   }
+               });
+           }
+           if (seedOut != null) {
+               try {
+                   seedOut.write(seed);
+               } catch (IOException e) {
+                   // ignored, on Mac OS X, /dev/urandom can be opened
+                   // for write, but actual write is not permitted
+               }
+           }
+           getMixRandom().engineSetSeed(seed);
+        }
+
+        private synchronized void implNextBytes(byte[] data) {
+            getMixRandom().engineNextBytes(data);
+            try {
+                // read random data from non blocking source
+                byte[] rawData = new byte[data.length];
+                readFully(nextIn, rawData);
+                for (int i = 0; i < data.length; i++) {
+                    data[i] ^= rawData[i];
                 }
+            } catch (IOException e) {
+                throw new ProviderException("nextBytes() failed", e);
+            }
+        }
+
+        private void clearRNGState() {
+            if (mixRandom != null) {
+                mixRandom.clearState();
             }
         }
     }

closed/src/java.base/share/classes/openj9/internal/criu/SHA1PRNG.java

@@ -0,0 +1,200 @@
+/*[INCLUDE-IF CRIU_SUPPORT]*/
+/*
+ * Copyright (c) 1998, 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved
+ * ===========================================================================
+ */
+
+package openj9.internal.criu;
+
+import java.io.InputStream;
+import java.io.IOException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.util.Arrays;
+
+/**
+ * <p>This class provides a crytpographically strong pseudo-random number
+ * generator based on the SHA-1 hash algorithm.
+ *
+ * <p>Seed must be provided externally.
+ *
+ * <p>Also note that when a random object is deserialized,
+ * <a href="#engineNextBytes(byte[])">engineNextBytes</a> invoked on the
+ * restored random object will yield the exact same (random) bytes as the
+ * original object.  If this behaviour is not desired, the restored random
+ * object should be seeded, using
+ * <a href="#engineSetSeed(byte[])">engineSetSeed</a>.
+ *
+ * @author Benjamin Renaud
+ * @author Josh Bloch
+ * @author Gadi Guy
+ */
+
+public final class SHA1PRNG implements java.io.Serializable {
+
+    private static final long serialVersionUID = 3581829991155417889L;
+
+    // SHA-1 Digest yields 160-bit hashes which require 20 bytes of space.
+    private static final int DIGEST_SIZE = 20;
+    private transient MessageDigest digest;
+    private byte[] state;
+    private byte[] remainder;
+    private int remCount;
+
+    // This class is a modified version of the SHA1PRNG SecureRandom implementation
+    // that is found at sun.security.provider.SecureRandom.
+    // It was modified to be used by CRIUSEC NativePRNG as a mixing data source.
+    // Auto-seeding was removed, it is always seeded by NativePRNG from a
+    // blocking entropy source.
+
+    private SHA1PRNG(byte[] seed) {
+        init(seed);
+    }
+
+    static SHA1PRNG seedFrom(InputStream in) throws IOException {
+        byte[] seed = new byte[DIGEST_SIZE];
+        if (in.readNBytes(seed, 0, DIGEST_SIZE) != DIGEST_SIZE) {
+            throw new IOException("Could not read seed");
+        }
+        return new SHA1PRNG(seed);
+    }
+
+    /**
+     * This call, used by the constructor, instantiates the SHA digest
+     * and sets the seed.
+     */
+    private void init(byte[] seed) {
+        if (seed == null) {
+            throw new InternalError("internal error: no seed available.");
+        }
+
+        try {
+            digest = MessageDigest.getInstance("SHA-1", "CRIUSEC");
+        } catch (NoSuchProviderException | NoSuchAlgorithmException e) {
+            throw new InternalError("internal error: SHA-1 not available.", e);
+        }
+
+        engineSetSeed(seed);
+    }
+
+
+    /**
+     * Reseeds this random object. The given seed supplements, rather than
+     * replaces, the existing seed. Thus, repeated calls are guaranteed
+     * never to reduce randomness.
+     *
+     * @param seed the seed.
+     */
+    public synchronized void engineSetSeed(byte[] seed) {
+        if (state != null) {
+            digest.update(state);
+            for (int i = 0; i < state.length; i++) {
+                state[i] = 0;
+            }
+        }
+        state = digest.digest(seed);
+        remCount = 0;
+    }
+
+    private static void updateState(byte[] state, byte[] output) {
+        int carry = 1;
+        boolean collision = true;
+
+        // state(n + 1) = (state(n) + output(n) + 1) % 2^160;
+        for (int i = 0; i < state.length; i++) {
+            // Add two bytes.
+            int stateCalc = (state[i] & 0xFF) + (output[i] & 0xFF) + carry;
+            // Result is lower 8 bits.
+            byte newState = (byte)stateCalc;
+            // Store result. Check for state collision.
+            collision &= (state[i] == newState);
+            state[i] = newState;
+            // High 8 bits are carry. Store for next iteration.
+            carry = stateCalc >>> 8;
+        }
+
+        // Make sure at least one bit changes.
+        if (collision) {
+           state[0]++;
+        }
+    }
+
+
+    /**
+     * Generates a user-specified number of random bytes.
+     *
+     * @param result the array to be filled in with random bytes.
+     */
+    public synchronized void engineNextBytes(byte[] result) {
+        int index = 0;
+        byte[] output = remainder;
+
+        // Use remainder from last time.
+        int r = remCount;
+        if (r > 0) {
+            // Compute how many bytes to be copied.
+            int todo = Math.min(result.length - index, DIGEST_SIZE - r);
+            // Copy the bytes, zero the buffer.
+            for (int i = 0; i < todo; i++) {
+                result[i] = output[r];
+                output[r++] = 0;
+            }
+            remCount += todo;
+            index += todo;
+        }
+
+        // If we need more bytes, make them.
+        while (index < result.length) {
+            // Step the state.
+            digest.update(state);
+            output = digest.digest();
+            updateState(state, output);
+
+            // Compute how many bytes to be copied.
+            int todo = Math.min(result.length - index, DIGEST_SIZE);
+            // Copy the bytes, zero the buffer.
+            for (int i = 0; i < todo; i++) {
+                result[index++] = output[i];
+                output[i] = 0;
+            }
+            remCount += todo;
+        }
+
+        // Store remainder for next time.
+        remainder = output;
+        remCount %= DIGEST_SIZE;
+    }
+
+    void clearState() {
+        Arrays.fill(state, (byte) 0x00);
+        Arrays.fill(remainder, (byte) 0x00);
+        remCount = 0;
+    }
+}