1238106Sdes/* 2238106Sdes * util/random.c - thread safe random generator, which is reasonably secure. 3238106Sdes * 4238106Sdes * Copyright (c) 2007, NLnet Labs. All rights reserved. 5238106Sdes * 6238106Sdes * This software is open source. 7238106Sdes * 8238106Sdes * Redistribution and use in source and binary forms, with or without 9238106Sdes * modification, are permitted provided that the following conditions 10238106Sdes * are met: 11238106Sdes * 12238106Sdes * Redistributions of source code must retain the above copyright notice, 13238106Sdes * this list of conditions and the following disclaimer. 14238106Sdes * 15238106Sdes * Redistributions in binary form must reproduce the above copyright notice, 16238106Sdes * this list of conditions and the following disclaimer in the documentation 17238106Sdes * and/or other materials provided with the distribution. 18238106Sdes * 19238106Sdes * Neither the name of the NLNET LABS nor the names of its contributors may 20238106Sdes * be used to endorse or promote products derived from this software without 21238106Sdes * specific prior written permission. 22238106Sdes * 23238106Sdes * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24269257Sdes * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25269257Sdes * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26269257Sdes * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27269257Sdes * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28269257Sdes * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29269257Sdes * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30269257Sdes * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31269257Sdes * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32269257Sdes * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33269257Sdes * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34238106Sdes */ 35238106Sdes 36238106Sdes/** 37238106Sdes * \file 38238106Sdes * Thread safe random functions. Similar to arc4random() with an explicit 39238106Sdes * initialisation routine. 40238106Sdes * 41238106Sdes * The code in this file is based on arc4random from 42238106Sdes * openssh-4.0p1/openbsd-compat/bsd-arc4random.c 43238106Sdes * That code is also BSD licensed. Here is their statement: 44238106Sdes * 45238106Sdes * Copyright (c) 1996, David Mazieres <dm@uun.org> 46238106Sdes * Copyright (c) 2008, Damien Miller <djm@openbsd.org> 47238106Sdes * 48238106Sdes * Permission to use, copy, modify, and distribute this software for any 49238106Sdes * purpose with or without fee is hereby granted, provided that the above 50238106Sdes * copyright notice and this permission notice appear in all copies. 51238106Sdes * 52238106Sdes * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 53238106Sdes * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 54238106Sdes * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 55238106Sdes * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 56238106Sdes * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 57238106Sdes * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 58238106Sdes * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 59238106Sdes */ 60238106Sdes#include "config.h" 61238106Sdes#include "util/random.h" 62238106Sdes#include "util/log.h" 63269257Sdes#include <time.h> 64285206Sdes 65285206Sdes#ifdef HAVE_NSS 66249141Sdes/* nspr4 */ 67249141Sdes#include "prerror.h" 68249141Sdes/* nss3 */ 69249141Sdes#include "secport.h" 70249141Sdes#include "pk11pub.h" 71294190Sdes#elif defined(HAVE_NETTLE) 72294190Sdes#include "yarrow.h" 73249141Sdes#endif 74238106Sdes 75249141Sdes/** 76249141Sdes * Max random value. Similar to RAND_MAX, but more portable 77249141Sdes * (mingw uses only 15 bits random). 78249141Sdes */ 79249141Sdes#define MAX_VALUE 0x7fffffff 80249141Sdes 81294190Sdes#if defined(HAVE_SSL) 82238106Sdesvoid 83285206Sdesub_systemseed(unsigned int ATTR_UNUSED(seed)) 84238106Sdes{ 85285206Sdes /* arc4random_uniform does not need seeds, it gets kernel entropy */ 86238106Sdes} 87238106Sdes 88238106Sdesstruct ub_randstate* 89285206Sdesub_initstate(unsigned int ATTR_UNUSED(seed), 90285206Sdes struct ub_randstate* ATTR_UNUSED(from)) 91238106Sdes{ 92285206Sdes struct ub_randstate* s = (struct ub_randstate*)malloc(1); 93238106Sdes if(!s) { 94238106Sdes log_err("malloc failure in random init"); 95238106Sdes return NULL; 96238106Sdes } 97238106Sdes return s; 98238106Sdes} 99238106Sdes 100238106Sdeslong int 101285206Sdesub_random(struct ub_randstate* ATTR_UNUSED(s)) 102238106Sdes{ 103285206Sdes /* This relies on MAX_VALUE being 0x7fffffff. */ 104285206Sdes return (long)arc4random() & MAX_VALUE; 105285206Sdes} 106238106Sdes 107285206Sdeslong int 108285206Sdesub_random_max(struct ub_randstate* state, long int x) 109285206Sdes{ 110285206Sdes (void)state; 111285206Sdes /* on OpenBSD, this does not need _seed(), or _stir() calls */ 112285206Sdes return (long)arc4random_uniform((uint32_t)x); 113238106Sdes} 114238106Sdes 115294190Sdes#elif defined(HAVE_NSS) 116249141Sdes 117249141Sdes/* not much to remember for NSS since we use its pk11_random, placeholder */ 118249141Sdesstruct ub_randstate { 119249141Sdes int ready; 120249141Sdes}; 121249141Sdes 122249141Sdesvoid ub_systemseed(unsigned int ATTR_UNUSED(seed)) 123249141Sdes{ 124249141Sdes} 125249141Sdes 126249141Sdesstruct ub_randstate* ub_initstate(unsigned int ATTR_UNUSED(seed), 127249141Sdes struct ub_randstate* ATTR_UNUSED(from)) 128249141Sdes{ 129249141Sdes struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s)); 130249141Sdes if(!s) { 131249141Sdes log_err("malloc failure in random init"); 132249141Sdes return NULL; 133249141Sdes } 134249141Sdes return s; 135249141Sdes} 136249141Sdes 137249141Sdeslong int ub_random(struct ub_randstate* ATTR_UNUSED(state)) 138249141Sdes{ 139249141Sdes long int x; 140249141Sdes /* random 31 bit value. */ 141249141Sdes SECStatus s = PK11_GenerateRandom((unsigned char*)&x, (int)sizeof(x)); 142249141Sdes if(s != SECSuccess) { 143249141Sdes log_err("PK11_GenerateRandom error: %s", 144249141Sdes PORT_ErrorToString(PORT_GetError())); 145249141Sdes } 146249141Sdes return x & MAX_VALUE; 147249141Sdes} 148249141Sdes 149294190Sdes#elif defined(HAVE_NETTLE) 150294190Sdes 151294190Sdes/** 152294190Sdes * libnettle implements a Yarrow-256 generator (SHA256 + AES), 153294190Sdes * and we have to ensure it is seeded before use. 154294190Sdes */ 155294190Sdesstruct ub_randstate { 156294190Sdes struct yarrow256_ctx ctx; 157294190Sdes int seeded; 158294190Sdes}; 159294190Sdes 160294190Sdesvoid ub_systemseed(unsigned int ATTR_UNUSED(seed)) 161294190Sdes{ 162294190Sdes/** 163294190Sdes * We seed on init and not here, as we need the ctx to re-seed. 164294190Sdes * This also means that re-seeding is not supported. 165294190Sdes */ 166294190Sdes log_err("Re-seeding not supported, generator untouched"); 167294190Sdes} 168294190Sdes 169294190Sdesstruct ub_randstate* ub_initstate(unsigned int seed, 170294190Sdes struct ub_randstate* ATTR_UNUSED(from)) 171294190Sdes{ 172294190Sdes struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s)); 173294190Sdes uint8_t buf[YARROW256_SEED_FILE_SIZE]; 174294190Sdes if(!s) { 175294190Sdes log_err("malloc failure in random init"); 176294190Sdes return NULL; 177294190Sdes } 178294190Sdes /* Setup Yarrow context */ 179294190Sdes yarrow256_init(&s->ctx, 0, NULL); 180294190Sdes 181294190Sdes if(getentropy(buf, sizeof(buf)) != -1) { 182294190Sdes /* got entropy */ 183294190Sdes yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf); 184294190Sdes s->seeded = yarrow256_is_seeded(&s->ctx); 185294190Sdes } else { 186294190Sdes /* Stretch the uint32 input seed and feed it to Yarrow */ 187294190Sdes uint32_t v = seed; 188294190Sdes size_t i; 189294190Sdes for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) { 190294190Sdes memmove(buf+i*sizeof(seed), &v, sizeof(seed)); 191294190Sdes v = v*seed + (uint32_t)i; 192294190Sdes } 193294190Sdes yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf); 194294190Sdes s->seeded = yarrow256_is_seeded(&s->ctx); 195294190Sdes } 196294190Sdes 197294190Sdes return s; 198294190Sdes} 199294190Sdes 200294190Sdeslong int ub_random(struct ub_randstate* s) 201294190Sdes{ 202294190Sdes /* random 31 bit value. */ 203294190Sdes long int x = 0; 204294190Sdes if (!s || !s->seeded) { 205294190Sdes log_err("Couldn't generate randomness, Yarrow-256 generator not yet seeded"); 206294190Sdes } else { 207294190Sdes yarrow256_random(&s->ctx, sizeof(x), (uint8_t *)&x); 208294190Sdes } 209294190Sdes return x & MAX_VALUE; 210294190Sdes} 211294190Sdes#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */ 212294190Sdes 213294190Sdes 214294190Sdes#if defined(HAVE_NSS) || defined(HAVE_NETTLE) 215238106Sdeslong int 216238106Sdesub_random_max(struct ub_randstate* state, long int x) 217238106Sdes{ 218238106Sdes /* make sure we fetch in a range that is divisible by x. ignore 219238106Sdes * values from d .. MAX_VALUE, instead draw a new number */ 220238106Sdes long int d = MAX_VALUE - (MAX_VALUE % x); /* d is divisible by x */ 221238106Sdes long int v = ub_random(state); 222238106Sdes while(d <= v) 223238106Sdes v = ub_random(state); 224238106Sdes return (v % x); 225238106Sdes} 226294190Sdes#endif /* HAVE_NSS or HAVE_NETTLE */ 227238106Sdes 228238106Sdesvoid 229238106Sdesub_randfree(struct ub_randstate* s) 230238106Sdes{ 231238106Sdes if(s) 232238106Sdes free(s); 233238106Sdes /* user app must do RAND_cleanup(); */ 234238106Sdes} 235