6 #include "safe_memclear.h"
17 #if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
18 #define USE_OPENSSL_CRYPTO
20 #ifdef USE_OPENSSL_CRYPTO
21 #include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */
22 #include <openssl/rand.h>
24 #ifdef HAVE_GETENTROPY
25 #include <sys/random.h>
27 #ifdef HAVE_LINUX_RANDOM_H
28 #include <sys/syscall.h>
29 #include <linux/random.h>
32 #include <sys/ioctl.h>
35 /* Take some reasonable steps to attempt to *seed* random number generators with
36 * cryptographically random data. Some of these initialization routines may
37 * block, and are intended to be called only at startup in lighttpd, or
38 * immediately after fork() to start lighttpd workers.
40 * Update: li_rand_init() is now deferred until first use so that installations
41 * that do not use modules which use these routines do need to potentially block
42 * at startup. Current use by core lighttpd modules is in mod_auth HTTP Digest
43 * auth and in mod_usertrack. Deferring collection of random data until first
44 * use may allow sufficient entropy to be collected by kernel before first use,
45 * helping reduce or avoid situations in low-entropy-generating embedded devices
46 * which might otherwise block lighttpd for minutes at device startup.
47 * Further discussion in https://redmine.lighttpd.net/boards/2/topics/6981
49 * Note: results from li_rand_pseudo_bytes() are not necessarily
50 * cryptographically random and must not be used for purposes such
51 * as key generation which require cryptographic randomness.
53 * https://wiki.openssl.org/index.php/Random_Numbers
54 * https://wiki.openssl.org/index.php/Random_fork-safety
56 * openssl random number generators are not thread-safe by default
57 * https://wiki.openssl.org/index.php/Manual:Threads(3)
59 * RFE: add more paranoid checks from the following to improve confidence:
60 * http://insanecoding.blogspot.co.uk/2014/05/a-good-idea-with-bad-usage-devurandom.html
62 * RFE: check RAND_status()
65 static int li_getentropy (void *buf
, size_t buflen
)
67 #ifdef HAVE_GETENTROPY
68 return getentropy(buf
, buflen
);
70 /*(see NOTES section in 'man getrandom' on Linux)*/
71 #if defined(HAVE_GETRANDOM) || defined(SYS_getrandom)
73 #ifdef HAVE_GETRANDOM /*(not implemented in glibc yet)*/
74 int num
= getrandom(buf
, buflen
, 0);
75 #elif defined(SYS_getrandom)
76 /* https://lwn.net/Articles/605828/ */
77 /* https://bbs.archlinux.org/viewtopic.php?id=200039 */
78 int num
= (int)syscall(SYS_getrandom
, buf
, buflen
, 0);
80 if (num
== (int)buflen
) return 0;
81 if (num
< 0) return num
; /* -1 */
92 static int li_rand_device_bytes (unsigned char *buf
, int num
)
94 /* randomness from these devices is cryptographically strong,
95 * unless /dev/urandom is low on entropy */
97 static const char * const devices
[] = {
105 /* device files might not be available in chroot environment,
106 * so prefer syscall, if available */
107 if (0 == li_getentropy(buf
, (size_t)num
)) return 1;
109 for (unsigned int u
= 0; u
< sizeof(devices
)/sizeof(devices
[0]); ++u
) {
110 /*(some systems might have symlink to another device; omit O_NOFOLLOW)*/
111 int fd
= fdevent_open_cloexec(devices
[u
], O_RDONLY
, 0);
116 if (0 == ioctl(fd
, RNDGETENTCNT
, &entropy
) && entropy
>= num
*8)
118 rd
= read(fd
, buf
, (size_t)num
);
129 static int li_rand_inited
;
130 static unsigned short xsubi
[3];
132 static void li_rand_init (void)
134 /* (intended to be called at init and after fork() in order to re-seed PRNG
135 * so that forked children, grandchildren, etc do not share PRNG seed)
136 * https://github.com/ramsey/uuid/issues/80
137 * https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
138 * (issue in early version of libressl has since been fixed)
139 * https://github.com/libressl-portable/portable/commit/32d9eeeecf4e951e1566d5f4a42b36ea37b60f35
143 if (1 == li_rand_device_bytes((unsigned char *)xsubi
, (int)sizeof(xsubi
))) {
144 u
= ((unsigned int)xsubi
[0] << 16) | xsubi
[1];
147 #ifdef HAVE_ARC4RANDOM_BUF
149 arc4random_buf(xsubi
, sizeof(xsubi
));
151 /* NOTE: not cryptographically random !!! */
152 srand((unsigned int)(time(NULL
) ^ getpid()));
153 for (u
= 0; u
< sizeof(unsigned short); ++u
)
154 /* coverity[dont_call : FALSE] */
155 xsubi
[u
] = (unsigned short)(rand() & 0xFFFF);
156 u
= ((unsigned int)xsubi
[0] << 16) | xsubi
[1];
159 srand(u
); /*(initialize just in case rand() used elsewhere)*/
161 srandom(u
); /*(initialize just in case random() used elsewhere)*/
163 #ifdef USE_OPENSSL_CRYPTO
165 RAND_seed(xsubi
, (int)sizeof(xsubi
));
169 void li_rand_reseed (void)
171 if (li_rand_inited
) li_rand_init();
174 int li_rand_pseudo_bytes (void)
176 /* randomness *is not* cryptographically strong */
177 /* (attempt to use better mechanisms to replace the more portable rand()) */
178 #ifdef USE_OPENSSL_CRYPTO /* (openssl 1.1.0 deprecates RAND_pseudo_bytes()) */
179 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
181 if (-1 != RAND_pseudo_bytes((unsigned char *)&i
, sizeof(i
))) return i
;
184 if (!li_rand_inited
) li_rand_init();
185 #ifdef HAVE_ARC4RANDOM_BUF
186 return (int)arc4random();
187 #elif defined(HAVE_SRANDOM)
188 /* coverity[dont_call : FALSE] */
189 return (int)random();
190 #elif defined(HAVE_JRAND48)
191 /*(FYI: jrand48() reentrant, but use of file-scoped static xsubi[] is not)*/
192 /* coverity[dont_call : FALSE] */
193 return (int)jrand48(xsubi
);
195 /* coverity[dont_call : FALSE] */
200 int li_rand_bytes (unsigned char *buf
, int num
)
202 #ifdef USE_OPENSSL_CRYPTO
203 int rc
= RAND_bytes(buf
, num
);
208 if (1 == li_rand_device_bytes(buf
, num
)) {
212 /* NOTE: not cryptographically random !!! */
213 for (int i
= 0; i
< num
; ++i
)
214 buf
[i
] = li_rand_pseudo_bytes() & 0xFF;
215 /*(openssl RAND_pseudo_bytes rc for non-cryptographically random data)*/
220 void li_rand_cleanup (void)
222 #ifdef USE_OPENSSL_CRYPTO
225 safe_memclear(xsubi
, sizeof(xsubi
));