src/rand.c

   1 #include "first.h"
   2
   3 #include "rand.h"
   4 #include "base.h"
   5 #include "fdevent.h"
   6 #include "safe_memclear.h"
   7
   8 #include <sys/types.h>
   9 #include <sys/stat.h>
  10 #include <errno.h>
  11 #include <fcntl.h>
  12 #include <stdio.h>
  13 #include <stdlib.h>
  14 #include <string.h>
  15 #include <time.h>
  16 #include <unistd.h>
  17
  18 #ifdef USE_OPENSSL
  19 #include <openssl/rand.h>
  20 #endif
  21 #ifdef HAVE_LINUX_RANDOM_H
  22 #include <sys/syscall.h>
  23 #include <linux/random.h>
  24 #endif
  25 #ifdef RNDGETENTCNT
  26 #include <sys/ioctl.h>
  27 #endif
  28
  29 /* Take some reasonable steps to attempt to *seed* random number generators with
  30  * cryptographically random data.  Some of these initialization routines may
  31  * block, and are intended to be called only at startup in lighttpd, or
  32  * immediately after fork() to start lighttpd workers.
  33  *
  34  * Note: results from li_rand_pseudo_bytes() are not necessarily
  35  * cryptographically random and must not be used for purposes such
  36  * as key generation which require cryptographic randomness.
  37  *
  38  * https://wiki.openssl.org/index.php/Random_Numbers
  39  * https://wiki.openssl.org/index.php/Random_fork-safety
  40  *
  41  * openssl random number generators are not thread-safe by default
  42  * https://wiki.openssl.org/index.php/Manual:Threads(3)
  43  *
  44  * RFE: add more paranoid checks from the following to improve confidence:
  45  * http://insanecoding.blogspot.co.uk/2014/05/a-good-idea-with-bad-usage-devurandom.html
  46  * RFE: retry on EINTR
  47  * RFE: check RAND_status()
  48  */
  49
  50 static int li_getentropy (void *buf, size_t buflen)
  51 {
  52   #ifdef HAVE_GETENTROPY
  53     return getentropy(buf, buflen);
  54   #else
  55     /*(see NOTES section in 'man getrandom' on Linux)*/
  56    #if defined(HAVE_GETRANDOM) || defined(SYS_getrandom)
  57     if (buflen <= 256) {
  58       #ifdef HAVE_GETRANDOM /*(not implemented in glibc yet)*/
  59         int num = getrandom(buf, buflen, 0);
  60       #elif defined(SYS_getrandom)
  61         /* https://lwn.net/Articles/605828/ */
  62         /* https://bbs.archlinux.org/viewtopic.php?id=200039 */
  63         int num = (int)syscall(SYS_getrandom, buf, buflen, 0);
  64       #endif
  65         if (num == (int)buflen) return 0;
  66         if (num < 0)            return num; /* -1 */
  67     }
  68    #else
  69     UNUSED(buf);
  70     UNUSED(buflen);
  71    #endif
  72     errno = EIO;
  73     return -1;
  74   #endif
  75 }
  76
  77 static int li_rand_device_bytes (unsigned char *buf, int num)
  78 {
  79     /* randomness from these devices is cryptographically strong,
  80      * unless /dev/urandom is low on entropy */
  81
  82     static const char * const devices[] = {
  83       #ifdef __OpenBSD__
  84         "/dev/arandom",
  85       #endif
  86         "/dev/urandom",
  87         "/dev/random"
  88     };
  89
  90     /* device files might not be available in chroot environment,
  91      * so prefer syscall, if available */
  92     if (0 == li_getentropy(buf, (size_t)num)) return 1;
  93
  94     for (unsigned int u = 0; u < sizeof(devices)/sizeof(devices[0]); ++u) {
  95         /*(some systems might have symlink to another device; omit O_NOFOLLOW)*/
  96         int fd = fdevent_open_cloexec(devices[u], O_RDONLY, 0);
  97         if (fd >= 0) {
  98             ssize_t rd = 0;
  99           #ifdef RNDGETENTCNT
 100             int entropy;
 101             if (0 == ioctl(fd, RNDGETENTCNT, &entropy) && entropy >= num*8)
 102           #endif
 103                 rd = read(fd, buf, (size_t)num);
 104             close(fd);
 105             if (rd == num) {
 106                 return 1;
 107             }
 108         }
 109     }
 110
 111     return 0;
 112 }
 113
 114 static unsigned short xsubi[3];
 115
 116 void li_rand_reseed (void)
 117 {
 118     /* (intended to be called at init and after fork() in order to re-seed PRNG
 119      *  so that forked children, grandchildren, etc do not share PRNG seed)
 120      * https://github.com/ramsey/uuid/issues/80
 121      * https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
 122      *   (issue in early version of libressl has since been fixed)
 123      * https://github.com/libressl-portable/portable/commit/32d9eeeecf4e951e1566d5f4a42b36ea37b60f35
 124      */
 125     unsigned int u;
 126     if (1 == li_rand_device_bytes((unsigned char *)xsubi, (int)sizeof(xsubi))) {
 127         u = ((unsigned int)xsubi[0] << 16) | xsubi[1];
 128     }
 129     else {
 130       #ifdef HAVE_ARC4RANDOM_BUF
 131         u = arc4random();
 132         arc4random_buf(xsubi, sizeof(xsubi));
 133       #else
 134         /* NOTE: not cryptographically random !!! */
 135         srand((unsigned int)(time(NULL) ^ getpid()));
 136         for (u = 0; u < sizeof(unsigned short); ++u)
 137             /* coverity[dont_call : FALSE] */
 138             xsubi[u] = (unsigned short)(rand() & 0xFFFF);
 139         u = ((unsigned int)xsubi[0] << 16) | xsubi[1];
 140       #endif
 141     }
 142     srand(u);   /*(initialize just in case rand() used elsewhere)*/
 143   #ifdef HAVE_SRANDOM
 144     srandom(u); /*(initialize just in case random() used elsewhere)*/
 145   #endif
 146   #ifdef USE_OPENSSL
 147     RAND_poll();
 148     RAND_seed(xsubi, (int)sizeof(xsubi));
 149   #endif
 150 }
 151
 152 int li_rand_pseudo_bytes (void)
 153 {
 154     /* randomness *is not* cryptographically strong */
 155     /* (attempt to use better mechanisms to replace the more portable rand()) */
 156   #ifdef USE_OPENSSL  /* (RAND_pseudo_bytes() is deprecated in openssl 1.1.0) */
 157   #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 158     int i;
 159     if (-1 != RAND_pseudo_bytes((unsigned char *)&i, sizeof(i))) return i;
 160   #endif
 161   #endif
 162   #ifdef HAVE_ARC4RANDOM_BUF
 163     return (int)arc4random();
 164   #elif defined(HAVE_SRANDOM)
 165     /* coverity[dont_call : FALSE] */
 166     return (int)random();
 167   #elif defined(HAVE_JRAND48)
 168     /*(FYI: jrand48() reentrant, but use of file-scoped static xsubi[] is not)*/
 169     /* coverity[dont_call : FALSE] */
 170     return (int)jrand48(xsubi);
 171   #else
 172     /* coverity[dont_call : FALSE] */
 173     return rand();
 174   #endif
 175 }
 176
 177 int li_rand_bytes (unsigned char *buf, int num)
 178 {
 179   #ifdef USE_OPENSSL
 180     int rc = RAND_bytes(buf, num);
 181     if (-1 != rc) {
 182         return rc;
 183     }
 184   #endif
 185     if (1 == li_rand_device_bytes(buf, num)) {
 186         return 1;
 187     }
 188     else {
 189         /* NOTE: not cryptographically random !!! */
 190         for (int i = 0; i < num; ++i)
 191             buf[i] = li_rand_pseudo_bytes() & 0xFF;
 192         /*(openssl RAND_pseudo_bytes rc for non-cryptographically random data)*/
 193         return 0;
 194     }
 195 }
 196
 197 void li_rand_cleanup (void)
 198 {
 199   #ifdef USE_OPENSSL
 200     RAND_cleanup();
 201   #endif
 202     safe_memclear(xsubi, sizeof(xsubi));
 203 }