1238106Sdes/* 2238106Sdes * util/random.c - thread safe random generator, which is reasonably secure. 3238106Sdes * 4238106Sdes * Copyright (c) 2007, NLnet Labs. All rights reserved. 5238106Sdes * 6238106Sdes * This software is open source. 7238106Sdes * 8238106Sdes * Redistribution and use in source and binary forms, with or without 9238106Sdes * modification, are permitted provided that the following conditions 10238106Sdes * are met: 11238106Sdes * 12238106Sdes * Redistributions of source code must retain the above copyright notice, 13238106Sdes * this list of conditions and the following disclaimer. 14238106Sdes * 15238106Sdes * Redistributions in binary form must reproduce the above copyright notice, 16238106Sdes * this list of conditions and the following disclaimer in the documentation 17238106Sdes * and/or other materials provided with the distribution. 18238106Sdes * 19238106Sdes * Neither the name of the NLNET LABS nor the names of its contributors may 20238106Sdes * be used to endorse or promote products derived from this software without 21238106Sdes * specific prior written permission. 22238106Sdes * 23238106Sdes * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24266114Sdes * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25266114Sdes * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26266114Sdes * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27266114Sdes * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28266114Sdes * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29266114Sdes * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30266114Sdes * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31266114Sdes * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32266114Sdes * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33266114Sdes * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34238106Sdes */ 35238106Sdes 36238106Sdes/** 37238106Sdes * \file 38238106Sdes * Thread safe random functions. Similar to arc4random() with an explicit 39238106Sdes * initialisation routine. 40238106Sdes * 41238106Sdes * The code in this file is based on arc4random from 42238106Sdes * openssh-4.0p1/openbsd-compat/bsd-arc4random.c 43238106Sdes * That code is also BSD licensed. Here is their statement: 44238106Sdes * 45238106Sdes * Copyright (c) 1996, David Mazieres <dm@uun.org> 46238106Sdes * Copyright (c) 2008, Damien Miller <djm@openbsd.org> 47238106Sdes * 48238106Sdes * Permission to use, copy, modify, and distribute this software for any 49238106Sdes * purpose with or without fee is hereby granted, provided that the above 50238106Sdes * copyright notice and this permission notice appear in all copies. 51238106Sdes * 52238106Sdes * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 53238106Sdes * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 54238106Sdes * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 55238106Sdes * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 56238106Sdes * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 57238106Sdes * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 58238106Sdes * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 59238106Sdes */ 60238106Sdes#include "config.h" 61238106Sdes#include "util/random.h" 62238106Sdes#include "util/log.h" 63266114Sdes#include <time.h> 64276605Sdes 65276605Sdes#ifdef HAVE_NSS 66249141Sdes/* nspr4 */ 67249141Sdes#include "prerror.h" 68249141Sdes/* nss3 */ 69249141Sdes#include "secport.h" 70249141Sdes#include "pk11pub.h" 71292206Sdes#elif defined(HAVE_NETTLE) 72292206Sdes#include "yarrow.h" 73249141Sdes#endif 74238106Sdes 75249141Sdes/** 76249141Sdes * Max random value. Similar to RAND_MAX, but more portable 77249141Sdes * (mingw uses only 15 bits random). 78249141Sdes */ 79249141Sdes#define MAX_VALUE 0x7fffffff 80249141Sdes 81361435Scy#if defined(HAVE_SSL) || defined(HAVE_LIBBSD) 82238106Sdesstruct ub_randstate* 83356345Scyub_initstate(struct ub_randstate* ATTR_UNUSED(from)) 84238106Sdes{ 85276605Sdes struct ub_randstate* s = (struct ub_randstate*)malloc(1); 86238106Sdes if(!s) { 87238106Sdes log_err("malloc failure in random init"); 88238106Sdes return NULL; 89238106Sdes } 90238106Sdes return s; 91238106Sdes} 92238106Sdes 93238106Sdeslong int 94276605Sdesub_random(struct ub_randstate* ATTR_UNUSED(s)) 95238106Sdes{ 96276605Sdes /* This relies on MAX_VALUE being 0x7fffffff. */ 97276605Sdes return (long)arc4random() & MAX_VALUE; 98276605Sdes} 99238106Sdes 100276605Sdeslong int 101276605Sdesub_random_max(struct ub_randstate* state, long int x) 102276605Sdes{ 103276605Sdes (void)state; 104276605Sdes /* on OpenBSD, this does not need _seed(), or _stir() calls */ 105276605Sdes return (long)arc4random_uniform((uint32_t)x); 106238106Sdes} 107238106Sdes 108292206Sdes#elif defined(HAVE_NSS) 109249141Sdes 110249141Sdes/* not much to remember for NSS since we use its pk11_random, placeholder */ 111249141Sdesstruct ub_randstate { 112249141Sdes int ready; 113249141Sdes}; 114249141Sdes 115356345Scystruct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from)) 116249141Sdes{ 117249141Sdes struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s)); 118249141Sdes if(!s) { 119249141Sdes log_err("malloc failure in random init"); 120249141Sdes return NULL; 121249141Sdes } 122249141Sdes return s; 123249141Sdes} 124249141Sdes 125249141Sdeslong int ub_random(struct ub_randstate* ATTR_UNUSED(state)) 126249141Sdes{ 127249141Sdes long int x; 128249141Sdes /* random 31 bit value. */ 129249141Sdes SECStatus s = PK11_GenerateRandom((unsigned char*)&x, (int)sizeof(x)); 130249141Sdes if(s != SECSuccess) { 131356345Scy /* unbound needs secure randomness for randomized 132356345Scy * ID bits and port numbers in packets to upstream servers */ 133356345Scy fatal_exit("PK11_GenerateRandom error: %s", 134249141Sdes PORT_ErrorToString(PORT_GetError())); 135249141Sdes } 136249141Sdes return x & MAX_VALUE; 137249141Sdes} 138249141Sdes 139292206Sdes#elif defined(HAVE_NETTLE) 140292206Sdes 141292206Sdes/** 142292206Sdes * libnettle implements a Yarrow-256 generator (SHA256 + AES), 143292206Sdes * and we have to ensure it is seeded before use. 144292206Sdes */ 145292206Sdesstruct ub_randstate { 146292206Sdes struct yarrow256_ctx ctx; 147292206Sdes int seeded; 148292206Sdes}; 149292206Sdes 150356345Scystruct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from)) 151292206Sdes{ 152292206Sdes struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s)); 153292206Sdes uint8_t buf[YARROW256_SEED_FILE_SIZE]; 154292206Sdes if(!s) { 155292206Sdes log_err("malloc failure in random init"); 156292206Sdes return NULL; 157292206Sdes } 158292206Sdes /* Setup Yarrow context */ 159292206Sdes yarrow256_init(&s->ctx, 0, NULL); 160292206Sdes 161292206Sdes if(getentropy(buf, sizeof(buf)) != -1) { 162292206Sdes /* got entropy */ 163292206Sdes yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf); 164292206Sdes s->seeded = yarrow256_is_seeded(&s->ctx); 165292206Sdes } else { 166356345Scy log_err("nettle random(yarrow) cannot initialize, " 167356345Scy "getentropy failed: %s", strerror(errno)); 168356345Scy free(s); 169356345Scy return NULL; 170292206Sdes } 171292206Sdes 172292206Sdes return s; 173292206Sdes} 174292206Sdes 175292206Sdeslong int ub_random(struct ub_randstate* s) 176292206Sdes{ 177292206Sdes /* random 31 bit value. */ 178292206Sdes long int x = 0; 179292206Sdes if (!s || !s->seeded) { 180292206Sdes log_err("Couldn't generate randomness, Yarrow-256 generator not yet seeded"); 181292206Sdes } else { 182292206Sdes yarrow256_random(&s->ctx, sizeof(x), (uint8_t *)&x); 183292206Sdes } 184292206Sdes return x & MAX_VALUE; 185292206Sdes} 186361435Scy#endif /* HAVE_SSL or HAVE_LIBBSD or HAVE_NSS or HAVE_NETTLE */ 187292206Sdes 188292206Sdes 189361435Scy#if defined(HAVE_NSS) || defined(HAVE_NETTLE) && !defined(HAVE_LIBBSD) 190238106Sdeslong int 191238106Sdesub_random_max(struct ub_randstate* state, long int x) 192238106Sdes{ 193238106Sdes /* make sure we fetch in a range that is divisible by x. ignore 194238106Sdes * values from d .. MAX_VALUE, instead draw a new number */ 195238106Sdes long int d = MAX_VALUE - (MAX_VALUE % x); /* d is divisible by x */ 196238106Sdes long int v = ub_random(state); 197238106Sdes while(d <= v) 198238106Sdes v = ub_random(state); 199238106Sdes return (v % x); 200238106Sdes} 201361435Scy#endif /* HAVE_NSS or HAVE_NETTLE and !HAVE_LIBBSD */ 202238106Sdes 203238106Sdesvoid 204238106Sdesub_randfree(struct ub_randstate* s) 205238106Sdes{ 206296415Sdes free(s); 207238106Sdes /* user app must do RAND_cleanup(); */ 208238106Sdes} 209