1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
|
#include "first.h"
#include "rand.h"
#include "base.h"
#include "fdevent.h"
#include "safe_memclear.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
#define USE_OPENSSL_CRYPTO
#endif
#ifdef USE_OPENSSL_CRYPTO
#include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */
#include <openssl/rand.h>
#endif
#ifdef HAVE_GETENTROPY
#include <sys/random.h>
#endif
#ifdef HAVE_LINUX_RANDOM_H
#include <sys/syscall.h>
#include <linux/random.h>
#endif
#ifdef RNDGETENTCNT
#include <sys/ioctl.h>
#endif
/* Take some reasonable steps to attempt to *seed* random number generators with
* cryptographically random data. Some of these initialization routines may
* block, and are intended to be called only at startup in lighttpd, or
* immediately after fork() to start lighttpd workers.
*
* Update: li_rand_init() is now deferred until first use so that installations
* that do not use modules which use these routines do need to potentially block
* at startup. Current use by core lighttpd modules is in mod_auth HTTP Digest
* auth and in mod_usertrack. Deferring collection of random data until first
* use may allow sufficient entropy to be collected by kernel before first use,
* helping reduce or avoid situations in low-entropy-generating embedded devices
* which might otherwise block lighttpd for minutes at device startup.
* Further discussion in https://redmine.lighttpd.net/boards/2/topics/6981
*
* Note: results from li_rand_pseudo_bytes() are not necessarily
* cryptographically random and must not be used for purposes such
* as key generation which require cryptographic randomness.
*
* https://wiki.openssl.org/index.php/Random_Numbers
* https://wiki.openssl.org/index.php/Random_fork-safety
*
* openssl random number generators are not thread-safe by default
* https://wiki.openssl.org/index.php/Manual:Threads(3)
*
* RFE: add more paranoid checks from the following to improve confidence:
* http://insanecoding.blogspot.co.uk/2014/05/a-good-idea-with-bad-usage-devurandom.html
* RFE: retry on EINTR
* RFE: check RAND_status()
*/
static int li_getentropy (void *buf, size_t buflen)
{
#ifdef HAVE_GETENTROPY
return getentropy(buf, buflen);
#else
/*(see NOTES section in 'man getrandom' on Linux)*/
#if defined(HAVE_GETRANDOM) || defined(SYS_getrandom)
if (buflen <= 256) {
#ifdef HAVE_GETRANDOM /*(not implemented in glibc yet)*/
int num = getrandom(buf, buflen, 0);
#elif defined(SYS_getrandom)
/* https://lwn.net/Articles/605828/ */
/* https://bbs.archlinux.org/viewtopic.php?id=200039 */
int num = (int)syscall(SYS_getrandom, buf, buflen, 0);
#endif
if (num == (int)buflen) return 0;
if (num < 0) return num; /* -1 */
}
#else
UNUSED(buf);
UNUSED(buflen);
#endif
errno = EIO;
return -1;
#endif
}
static int li_rand_device_bytes (unsigned char *buf, int num)
{
/* randomness from these devices is cryptographically strong,
* unless /dev/urandom is low on entropy */
static const char * const devices[] = {
#ifdef __OpenBSD__
"/dev/arandom",
#endif
"/dev/urandom",
"/dev/random"
};
/* device files might not be available in chroot environment,
* so prefer syscall, if available */
if (0 == li_getentropy(buf, (size_t)num)) return 1;
for (unsigned int u = 0; u < sizeof(devices)/sizeof(devices[0]); ++u) {
/*(some systems might have symlink to another device; omit O_NOFOLLOW)*/
int fd = fdevent_open_cloexec(devices[u], O_RDONLY, 0);
if (fd >= 0) {
ssize_t rd = 0;
#ifdef RNDGETENTCNT
int entropy;
if (0 == ioctl(fd, (unsigned long)(RNDGETENTCNT), &entropy)
&& entropy >= num*8)
#endif
rd = read(fd, buf, (size_t)num);
close(fd);
if (rd == num) {
return 1;
}
}
}
return 0;
}
static int li_rand_inited;
static unsigned short xsubi[3];
static void li_rand_init (void)
{
/* (intended to be called at init and after fork() in order to re-seed PRNG
* so that forked children, grandchildren, etc do not share PRNG seed)
* https://github.com/ramsey/uuid/issues/80
* https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
* (issue in early version of libressl has since been fixed)
* https://github.com/libressl-portable/portable/commit/32d9eeeecf4e951e1566d5f4a42b36ea37b60f35
*/
unsigned int u;
li_rand_inited = 1;
if (1 == li_rand_device_bytes((unsigned char *)xsubi, (int)sizeof(xsubi))) {
u = ((unsigned int)xsubi[0] << 16) | xsubi[1];
}
else {
#ifdef HAVE_ARC4RANDOM_BUF
u = arc4random();
arc4random_buf(xsubi, sizeof(xsubi));
#else
/* NOTE: not cryptographically random !!! */
srand((unsigned int)(time(NULL) ^ getpid()));
for (u = 0; u < sizeof(unsigned short); ++u)
/* coverity[dont_call : FALSE] */
xsubi[u] = (unsigned short)(rand() & 0xFFFF);
u = ((unsigned int)xsubi[0] << 16) | xsubi[1];
#endif
}
srand(u); /*(initialize just in case rand() used elsewhere)*/
#ifdef HAVE_SRANDOM
srandom(u); /*(initialize just in case random() used elsewhere)*/
#endif
#ifdef USE_OPENSSL_CRYPTO
RAND_poll();
RAND_seed(xsubi, (int)sizeof(xsubi));
#endif
}
void li_rand_reseed (void)
{
if (li_rand_inited) li_rand_init();
}
int li_rand_pseudo (void)
{
/* randomness *is not* cryptographically strong */
/* (attempt to use better mechanisms to replace the more portable rand()) */
#ifdef USE_OPENSSL_CRYPTO /* (openssl 1.1.0 deprecates RAND_pseudo_bytes()) */
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
int i;
if (-1 != RAND_pseudo_bytes((unsigned char *)&i, sizeof(i))) return i;
#endif
#endif
if (!li_rand_inited) li_rand_init();
#ifdef HAVE_ARC4RANDOM_BUF
return (int)arc4random();
#elif defined(HAVE_SRANDOM)
/* coverity[dont_call : FALSE] */
return (int)random();
#elif defined(HAVE_JRAND48)
/*(FYI: jrand48() reentrant, but use of file-scoped static xsubi[] is not)*/
/* coverity[dont_call : FALSE] */
return (int)jrand48(xsubi);
#else
/* coverity[dont_call : FALSE] */
return rand();
#endif
}
void li_rand_pseudo_bytes (unsigned char *buf, int num)
{
for (int i = 0; i < num; ++i)
buf[i] = li_rand_pseudo() & 0xFF;
}
int li_rand_bytes (unsigned char *buf, int num)
{
#ifdef USE_OPENSSL_CRYPTO
int rc = RAND_bytes(buf, num);
if (-1 != rc) {
return rc;
}
#endif
if (1 == li_rand_device_bytes(buf, num)) {
return 1;
}
else {
/* NOTE: not cryptographically random !!! */
li_rand_pseudo_bytes(buf, num);
/*(openssl RAND_pseudo_bytes rc for non-cryptographically random data)*/
return 0;
}
}
void li_rand_cleanup (void)
{
#ifdef USE_OPENSSL_CRYPTO
RAND_cleanup();
#endif
safe_memclear(xsubi, sizeof(xsubi));
}
|