1238106Sdes/*
2238106Sdes * util/random.c - thread safe random generator, which is reasonably secure.
3238106Sdes *
4238106Sdes * Copyright (c) 2007, NLnet Labs. All rights reserved.
5238106Sdes *
6238106Sdes * This software is open source.
7238106Sdes *
8238106Sdes * Redistribution and use in source and binary forms, with or without
9238106Sdes * modification, are permitted provided that the following conditions
10238106Sdes * are met:
11238106Sdes *
12238106Sdes * Redistributions of source code must retain the above copyright notice,
13238106Sdes * this list of conditions and the following disclaimer.
14238106Sdes *
15238106Sdes * Redistributions in binary form must reproduce the above copyright notice,
16238106Sdes * this list of conditions and the following disclaimer in the documentation
17238106Sdes * and/or other materials provided with the distribution.
18238106Sdes *
19238106Sdes * Neither the name of the NLNET LABS nor the names of its contributors may
20238106Sdes * be used to endorse or promote products derived from this software without
21238106Sdes * specific prior written permission.
22238106Sdes *
23238106Sdes * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24266114Sdes * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25266114Sdes * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26266114Sdes * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27266114Sdes * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28266114Sdes * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29266114Sdes * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30266114Sdes * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31266114Sdes * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32266114Sdes * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33266114Sdes * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34238106Sdes */
35238106Sdes
36238106Sdes/**
37238106Sdes * \file
38238106Sdes * Thread safe random functions. Similar to arc4random() with an explicit
39238106Sdes * initialisation routine.
40238106Sdes *
41238106Sdes * The code in this file is based on arc4random from
42238106Sdes * openssh-4.0p1/openbsd-compat/bsd-arc4random.c
43238106Sdes * That code is also BSD licensed. Here is their statement:
44238106Sdes *
45238106Sdes * Copyright (c) 1996, David Mazieres <dm@uun.org>
46238106Sdes * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
47238106Sdes *
48238106Sdes * Permission to use, copy, modify, and distribute this software for any
49238106Sdes * purpose with or without fee is hereby granted, provided that the above
50238106Sdes * copyright notice and this permission notice appear in all copies.
51238106Sdes *
52238106Sdes * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
53238106Sdes * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
54238106Sdes * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
55238106Sdes * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
56238106Sdes * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
57238106Sdes * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
58238106Sdes * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
59238106Sdes */
60238106Sdes#include "config.h"
61238106Sdes#include "util/random.h"
62238106Sdes#include "util/log.h"
63266114Sdes#include <time.h>
64276605Sdes
65276605Sdes#ifdef HAVE_NSS
66249141Sdes/* nspr4 */
67249141Sdes#include "prerror.h"
68249141Sdes/* nss3 */
69249141Sdes#include "secport.h"
70249141Sdes#include "pk11pub.h"
71292206Sdes#elif defined(HAVE_NETTLE)
72292206Sdes#include "yarrow.h"
73249141Sdes#endif
74238106Sdes
75249141Sdes/**
76249141Sdes * Max random value.  Similar to RAND_MAX, but more portable
77249141Sdes * (mingw uses only 15 bits random).
78249141Sdes */
79249141Sdes#define MAX_VALUE 0x7fffffff
80249141Sdes
81361435Scy#if defined(HAVE_SSL) || defined(HAVE_LIBBSD)
82238106Sdesstruct ub_randstate*
83356345Scyub_initstate(struct ub_randstate* ATTR_UNUSED(from))
84238106Sdes{
85276605Sdes	struct ub_randstate* s = (struct ub_randstate*)malloc(1);
86238106Sdes	if(!s) {
87238106Sdes		log_err("malloc failure in random init");
88238106Sdes		return NULL;
89238106Sdes	}
90238106Sdes	return s;
91238106Sdes}
92238106Sdes
93238106Sdeslong int
94276605Sdesub_random(struct ub_randstate* ATTR_UNUSED(s))
95238106Sdes{
96276605Sdes	/* This relies on MAX_VALUE being 0x7fffffff. */
97276605Sdes	return (long)arc4random() & MAX_VALUE;
98276605Sdes}
99238106Sdes
100276605Sdeslong int
101276605Sdesub_random_max(struct ub_randstate* state, long int x)
102276605Sdes{
103276605Sdes	(void)state;
104276605Sdes	/* on OpenBSD, this does not need _seed(), or _stir() calls */
105276605Sdes	return (long)arc4random_uniform((uint32_t)x);
106238106Sdes}
107238106Sdes
108292206Sdes#elif defined(HAVE_NSS)
109249141Sdes
110249141Sdes/* not much to remember for NSS since we use its pk11_random, placeholder */
111249141Sdesstruct ub_randstate {
112249141Sdes	int ready;
113249141Sdes};
114249141Sdes
115356345Scystruct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
116249141Sdes{
117249141Sdes	struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
118249141Sdes	if(!s) {
119249141Sdes		log_err("malloc failure in random init");
120249141Sdes		return NULL;
121249141Sdes	}
122249141Sdes	return s;
123249141Sdes}
124249141Sdes
125249141Sdeslong int ub_random(struct ub_randstate* ATTR_UNUSED(state))
126249141Sdes{
127249141Sdes	long int x;
128249141Sdes	/* random 31 bit value. */
129249141Sdes	SECStatus s = PK11_GenerateRandom((unsigned char*)&x, (int)sizeof(x));
130249141Sdes	if(s != SECSuccess) {
131356345Scy		/* unbound needs secure randomness for randomized
132356345Scy		 * ID bits and port numbers in packets to upstream servers */
133356345Scy		fatal_exit("PK11_GenerateRandom error: %s",
134249141Sdes			PORT_ErrorToString(PORT_GetError()));
135249141Sdes	}
136249141Sdes	return x & MAX_VALUE;
137249141Sdes}
138249141Sdes
139292206Sdes#elif defined(HAVE_NETTLE)
140292206Sdes
141292206Sdes/**
142292206Sdes * libnettle implements a Yarrow-256 generator (SHA256 + AES),
143292206Sdes * and we have to ensure it is seeded before use.
144292206Sdes */
145292206Sdesstruct ub_randstate {
146292206Sdes	struct yarrow256_ctx ctx;
147292206Sdes	int seeded;
148292206Sdes};
149292206Sdes
150356345Scystruct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
151292206Sdes{
152292206Sdes	struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
153292206Sdes	uint8_t buf[YARROW256_SEED_FILE_SIZE];
154292206Sdes	if(!s) {
155292206Sdes		log_err("malloc failure in random init");
156292206Sdes		return NULL;
157292206Sdes	}
158292206Sdes	/* Setup Yarrow context */
159292206Sdes	yarrow256_init(&s->ctx, 0, NULL);
160292206Sdes
161292206Sdes	if(getentropy(buf, sizeof(buf)) != -1) {
162292206Sdes		/* got entropy */
163292206Sdes		yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
164292206Sdes		s->seeded = yarrow256_is_seeded(&s->ctx);
165292206Sdes	} else {
166356345Scy		log_err("nettle random(yarrow) cannot initialize, "
167356345Scy			"getentropy failed: %s", strerror(errno));
168356345Scy		free(s);
169356345Scy		return NULL;
170292206Sdes	}
171292206Sdes
172292206Sdes	return s;
173292206Sdes}
174292206Sdes
175292206Sdeslong int ub_random(struct ub_randstate* s)
176292206Sdes{
177292206Sdes	/* random 31 bit value. */
178292206Sdes	long int x = 0;
179292206Sdes	if (!s || !s->seeded) {
180292206Sdes		log_err("Couldn't generate randomness, Yarrow-256 generator not yet seeded");
181292206Sdes	} else {
182292206Sdes		yarrow256_random(&s->ctx, sizeof(x), (uint8_t *)&x);
183292206Sdes	}
184292206Sdes	return x & MAX_VALUE;
185292206Sdes}
186361435Scy#endif /* HAVE_SSL or HAVE_LIBBSD or HAVE_NSS or HAVE_NETTLE */
187292206Sdes
188292206Sdes
189361435Scy#if defined(HAVE_NSS) || defined(HAVE_NETTLE) && !defined(HAVE_LIBBSD)
190238106Sdeslong int
191238106Sdesub_random_max(struct ub_randstate* state, long int x)
192238106Sdes{
193238106Sdes	/* make sure we fetch in a range that is divisible by x. ignore
194238106Sdes	 * values from d .. MAX_VALUE, instead draw a new number */
195238106Sdes	long int d = MAX_VALUE - (MAX_VALUE % x); /* d is divisible by x */
196238106Sdes	long int v = ub_random(state);
197238106Sdes	while(d <= v)
198238106Sdes		v = ub_random(state);
199238106Sdes	return (v % x);
200238106Sdes}
201361435Scy#endif /* HAVE_NSS or HAVE_NETTLE and !HAVE_LIBBSD */
202238106Sdes
203238106Sdesvoid
204238106Sdesub_randfree(struct ub_randstate* s)
205238106Sdes{
206296415Sdes	free(s);
207238106Sdes	/* user app must do RAND_cleanup(); */
208238106Sdes}
209