search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[mod_cgi] fix pipe_cloexec() when no O_CLOEXEC
[lighttpd.git] / src / rand.c
blobc7924444b2629a5dab6cbc174a9c847352dbf67d
1 #include "first.h"
2
3 #include "rand.h"
4 #include "base.h"
5 #include "fdevent.h"
6 #include "safe_memclear.h"
7
8 #include <sys/types.h>
9 #include <sys/stat.h>
10 #include <errno.h>
11 #include <fcntl.h>
12 #include <stdio.h>
13 #include <stdlib.h>
14 #include <string.h>
15 #include <time.h>
16 #include <unistd.h>
17
18 #ifdef USE_OPENSSL
19 #include <openssl/rand.h>
20 #endif
21 #ifdef HAVE_LINUX_RANDOM_H
22 #include <sys/syscall.h>
23 #include <linux/random.h>
24 #endif
25 #ifdef RNDGETENTCNT
26 #include <sys/ioctl.h>
27 #endif
28
29 /* Take some reasonable steps to attempt to *seed* random number generators with
30 * cryptographically random data. Some of these initialization routines may
31 * block, and are intended to be called only at startup in lighttpd, or
32 * immediately after fork() to start lighttpd workers.
33 *
34 * Note: results from li_rand() are not necessarily cryptographically random.
35 *
36 * https://wiki.openssl.org/index.php/Random_Numbers
37 * https://wiki.openssl.org/index.php/Random_fork-safety
38 *
39 * openssl random number generators are not thread-safe by default
40 * https://wiki.openssl.org/index.php/Manual:Threads(3)
41 *
42 * RFE: add more paranoid checks from the following to improve confidence:
43 * http://insanecoding.blogspot.co.uk/2014/05/a-good-idea-with-bad-usage-devurandom.html
44 * RFE: retry on EINTR
45 * RFE: check RAND_status()
46 */
47
48 static int li_getentropy (void *buf, size_t buflen)
49 {
50 #ifdef HAVE_GETENTROPY
51 return getentropy(buf, buflen);
52 #else
53 /*(see NOTES section in 'man getrandom' on Linux)*/
54 #if defined(HAVE_GETRANDOM) || defined(SYS_getrandom)
55 if (buflen <= 256) {
56 #ifdef HAVE_GETRANDOM /*(not implemented in glibc yet)*/
57 int num = getrandom(buf, buflen, 0);
58 #elif defined(SYS_getrandom)
59 /* https://lwn.net/Articles/605828/ */
60 /* https://bbs.archlinux.org/viewtopic.php?id=200039 */
61 int num = (int)syscall(SYS_getrandom, buf, buflen, 0);
62 #endif
63 if (num == (int)buflen) return 0;
64 if (num < 0) return num; /* -1 */
65 }
66 #else
67 UNUSED(buf);
68 UNUSED(buflen);
69 #endif
70 errno = EIO;
71 return -1;
72 #endif
73 }
74
75 static int li_rand_device_bytes (unsigned char *buf, int num)
76 {
77 /* randomness from these devices is cryptographically strong,
78 * unless /dev/urandom is low on entropy */
79
80 static const char * const devices[] = {
81 #ifdef __OpenBSD__
82 "/dev/arandom",
83 #endif
84 "/dev/urandom",
85 "/dev/random"
86 };
87
88 /* device files might not be available in chroot environment,
89 * so prefer syscall, if available */
90 if (0 == li_getentropy(buf, (size_t)num)) return 1;
91
92 for (unsigned int u = 0; u < sizeof(devices)/sizeof(devices[0]); ++u) {
93 /*(some systems might have symlink to another device; omit O_NOFOLLOW)*/
94 int fd = fdevent_open_cloexec(devices[u], O_RDONLY, 0);
95 if (fd >= 0) {
96 ssize_t rd = 0;
97 #ifdef RNDGETENTCNT
98 int entropy;
99 if (0 == ioctl(fd, RNDGETENTCNT, &entropy) && entropy >= num*8)
100 #endif
101 rd = read(fd, buf, (size_t)num);
102 close(fd);
103 if (rd == num) {
104 return 1;
105 }
106 }
107 }
108
109 return 0;
110 }
111
112 static unsigned short xsubi[3];
113
114 void li_rand_reseed (void)
115 {
116 /* (intended to be called at init and after fork() in order to re-seed PRNG
117 * so that forked children, grandchildren, etc do not share PRNG seed)
118 * https://github.com/ramsey/uuid/issues/80
119 * https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
120 * (issue in early version of libressl has since been fixed)
121 * https://github.com/libressl-portable/portable/commit/32d9eeeecf4e951e1566d5f4a42b36ea37b60f35
122 */
123 unsigned int u;
124 if (1 == li_rand_device_bytes((unsigned char *)xsubi, (int)sizeof(xsubi))) {
125 u = ((unsigned int)xsubi[0] << 16) | xsubi[1];
126 srand(u); /*(initialize just in case rand() used elsewhere)*/
127 }
128 else {
129 #ifdef HAVE_ARC4RANDOM
130 srand(arc4random()); /*(initialize just in case rand() used elsewhere)*/
131 arc4random_buf(xsubi, sizeof(xsubi));
132 #else
133 /* NOTE: not cryptographically random !!! */
134 srand((unsigned int)(time(NULL) ^ getpid()));
135 for (u = 0; u < sizeof(unsigned short); ++u)
136 xsubi[u] = (unsigned short)(rand() & 0xFFFF);
137 #endif
138 }
139 #ifdef USE_OPENSSL
140 RAND_poll();
141 RAND_seed(xsubi, (int)sizeof(xsubi));
142 #endif
143 }
144
145 int li_rand (void)
146 {
147 /* randomness *is not* cryptographically strong */
148 /* (attempt to use better mechanisms to replace the more portable rand()) */
149 #ifdef USE_OPENSSL
150 int i;
151 if (-1 != RAND_pseudo_bytes((unsigned char *)&i, sizeof(i))) return i;
152 #endif
153 #ifdef HAVE_ARC4RANDOM
154 return (int)arc4random();
155 #endif
156 #ifdef HAVE_JRAND48
157 /*(FYI: jrand48() reentrant, but use of file-scoped static xsubi[] is not)*/
158 return (int)jrand48(xsubi);
159 #else
160 return rand();
161 #endif
162 }
163
164 int li_rand_bytes (unsigned char *buf, int num)
165 {
166 #ifdef USE_OPENSSL
167 int rc = RAND_bytes(buf, num);
168 if (-1 != rc) {
169 return rc;
170 }
171 #endif
172 if (1 == li_rand_device_bytes(buf, num)) {
173 return 1;
174 }
175 else {
176 /* NOTE: not cryptographically random !!! */
177 for (int i = 0; i < num; ++i)
178 buf[i] = li_rand() & 0xFF;
179 /*(openssl RAND_pseudo_bytes rc for non-cryptographically random data)*/
180 return 0;
181 }
182 }
183
184 void li_rand_cleanup (void)
185 {
186 #ifdef USE_OPENSSL
187 RAND_cleanup();
188 #endif
189 safe_memclear(xsubi, sizeof(xsubi));
190 }
A fast webserver with minimal memory-footprint (lighttpd)