random.c revision 296415
1238106Sdes/* 2238106Sdes * util/random.c - thread safe random generator, which is reasonably secure. 3238106Sdes * 4238106Sdes * Copyright (c) 2007, NLnet Labs. All rights reserved. 5238106Sdes * 6238106Sdes * This software is open source. 7238106Sdes * 8238106Sdes * Redistribution and use in source and binary forms, with or without 9238106Sdes * modification, are permitted provided that the following conditions 10238106Sdes * are met: 11238106Sdes * 12238106Sdes * Redistributions of source code must retain the above copyright notice, 13238106Sdes * this list of conditions and the following disclaimer. 14238106Sdes * 15238106Sdes * Redistributions in binary form must reproduce the above copyright notice, 16238106Sdes * this list of conditions and the following disclaimer in the documentation 17238106Sdes * and/or other materials provided with the distribution. 18238106Sdes * 19238106Sdes * Neither the name of the NLNET LABS nor the names of its contributors may 20238106Sdes * be used to endorse or promote products derived from this software without 21238106Sdes * specific prior written permission. 22238106Sdes * 23238106Sdes * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24266114Sdes * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25266114Sdes * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26266114Sdes * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27266114Sdes * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28266114Sdes * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29266114Sdes * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30266114Sdes * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31266114Sdes * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32266114Sdes * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33266114Sdes * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34238106Sdes */ 35238106Sdes 36238106Sdes/** 37238106Sdes * \file 38238106Sdes * Thread safe random functions. Similar to arc4random() with an explicit 39238106Sdes * initialisation routine. 40238106Sdes * 41238106Sdes * The code in this file is based on arc4random from 42238106Sdes * openssh-4.0p1/openbsd-compat/bsd-arc4random.c 43238106Sdes * That code is also BSD licensed. Here is their statement: 44238106Sdes * 45238106Sdes * Copyright (c) 1996, David Mazieres <dm@uun.org> 46238106Sdes * Copyright (c) 2008, Damien Miller <djm@openbsd.org> 47238106Sdes * 48238106Sdes * Permission to use, copy, modify, and distribute this software for any 49238106Sdes * purpose with or without fee is hereby granted, provided that the above 50238106Sdes * copyright notice and this permission notice appear in all copies. 51238106Sdes * 52238106Sdes * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 53238106Sdes * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 54238106Sdes * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 55238106Sdes * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 56238106Sdes * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 57238106Sdes * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 58238106Sdes * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 59238106Sdes */ 60238106Sdes#include "config.h" 61238106Sdes#include "util/random.h" 62238106Sdes#include "util/log.h" 63266114Sdes#include <time.h> 64276605Sdes 65276605Sdes#ifdef HAVE_NSS 66249141Sdes/* nspr4 */ 67249141Sdes#include "prerror.h" 68249141Sdes/* nss3 */ 69249141Sdes#include "secport.h" 70249141Sdes#include "pk11pub.h" 71292206Sdes#elif defined(HAVE_NETTLE) 72292206Sdes#include "yarrow.h" 73249141Sdes#endif 74238106Sdes 75249141Sdes/** 76249141Sdes * Max random value. Similar to RAND_MAX, but more portable 77249141Sdes * (mingw uses only 15 bits random). 78249141Sdes */ 79249141Sdes#define MAX_VALUE 0x7fffffff 80249141Sdes 81292206Sdes#if defined(HAVE_SSL) 82238106Sdesvoid 83276605Sdesub_systemseed(unsigned int ATTR_UNUSED(seed)) 84238106Sdes{ 85276605Sdes /* arc4random_uniform does not need seeds, it gets kernel entropy */ 86238106Sdes} 87238106Sdes 88238106Sdesstruct ub_randstate* 89276605Sdesub_initstate(unsigned int ATTR_UNUSED(seed), 90276605Sdes struct ub_randstate* ATTR_UNUSED(from)) 91238106Sdes{ 92276605Sdes struct ub_randstate* s = (struct ub_randstate*)malloc(1); 93238106Sdes if(!s) { 94238106Sdes log_err("malloc failure in random init"); 95238106Sdes return NULL; 96238106Sdes } 97238106Sdes return s; 98238106Sdes} 99238106Sdes 100238106Sdeslong int 101276605Sdesub_random(struct ub_randstate* ATTR_UNUSED(s)) 102238106Sdes{ 103276605Sdes /* This relies on MAX_VALUE being 0x7fffffff. */ 104276605Sdes return (long)arc4random() & MAX_VALUE; 105276605Sdes} 106238106Sdes 107276605Sdeslong int 108276605Sdesub_random_max(struct ub_randstate* state, long int x) 109276605Sdes{ 110276605Sdes (void)state; 111276605Sdes /* on OpenBSD, this does not need _seed(), or _stir() calls */ 112276605Sdes return (long)arc4random_uniform((uint32_t)x); 113238106Sdes} 114238106Sdes 115292206Sdes#elif defined(HAVE_NSS) 116249141Sdes 117249141Sdes/* not much to remember for NSS since we use its pk11_random, placeholder */ 118249141Sdesstruct ub_randstate { 119249141Sdes int ready; 120249141Sdes}; 121249141Sdes 122249141Sdesvoid ub_systemseed(unsigned int ATTR_UNUSED(seed)) 123249141Sdes{ 124249141Sdes} 125249141Sdes 126249141Sdesstruct ub_randstate* ub_initstate(unsigned int ATTR_UNUSED(seed), 127249141Sdes struct ub_randstate* ATTR_UNUSED(from)) 128249141Sdes{ 129249141Sdes struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s)); 130249141Sdes if(!s) { 131249141Sdes log_err("malloc failure in random init"); 132249141Sdes return NULL; 133249141Sdes } 134249141Sdes return s; 135249141Sdes} 136249141Sdes 137249141Sdeslong int ub_random(struct ub_randstate* ATTR_UNUSED(state)) 138249141Sdes{ 139249141Sdes long int x; 140249141Sdes /* random 31 bit value. */ 141249141Sdes SECStatus s = PK11_GenerateRandom((unsigned char*)&x, (int)sizeof(x)); 142249141Sdes if(s != SECSuccess) { 143249141Sdes log_err("PK11_GenerateRandom error: %s", 144249141Sdes PORT_ErrorToString(PORT_GetError())); 145249141Sdes } 146249141Sdes return x & MAX_VALUE; 147249141Sdes} 148249141Sdes 149292206Sdes#elif defined(HAVE_NETTLE) 150292206Sdes 151292206Sdes/** 152292206Sdes * libnettle implements a Yarrow-256 generator (SHA256 + AES), 153292206Sdes * and we have to ensure it is seeded before use. 154292206Sdes */ 155292206Sdesstruct ub_randstate { 156292206Sdes struct yarrow256_ctx ctx; 157292206Sdes int seeded; 158292206Sdes}; 159292206Sdes 160292206Sdesvoid ub_systemseed(unsigned int ATTR_UNUSED(seed)) 161292206Sdes{ 162292206Sdes/** 163292206Sdes * We seed on init and not here, as we need the ctx to re-seed. 164292206Sdes * This also means that re-seeding is not supported. 165292206Sdes */ 166292206Sdes log_err("Re-seeding not supported, generator untouched"); 167292206Sdes} 168292206Sdes 169292206Sdesstruct ub_randstate* ub_initstate(unsigned int seed, 170292206Sdes struct ub_randstate* ATTR_UNUSED(from)) 171292206Sdes{ 172292206Sdes struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s)); 173292206Sdes uint8_t buf[YARROW256_SEED_FILE_SIZE]; 174292206Sdes if(!s) { 175292206Sdes log_err("malloc failure in random init"); 176292206Sdes return NULL; 177292206Sdes } 178292206Sdes /* Setup Yarrow context */ 179292206Sdes yarrow256_init(&s->ctx, 0, NULL); 180292206Sdes 181292206Sdes if(getentropy(buf, sizeof(buf)) != -1) { 182292206Sdes /* got entropy */ 183292206Sdes yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf); 184292206Sdes s->seeded = yarrow256_is_seeded(&s->ctx); 185292206Sdes } else { 186292206Sdes /* Stretch the uint32 input seed and feed it to Yarrow */ 187292206Sdes uint32_t v = seed; 188292206Sdes size_t i; 189292206Sdes for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) { 190292206Sdes memmove(buf+i*sizeof(seed), &v, sizeof(seed)); 191292206Sdes v = v*seed + (uint32_t)i; 192292206Sdes } 193292206Sdes yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf); 194292206Sdes s->seeded = yarrow256_is_seeded(&s->ctx); 195292206Sdes } 196292206Sdes 197292206Sdes return s; 198292206Sdes} 199292206Sdes 200292206Sdeslong int ub_random(struct ub_randstate* s) 201292206Sdes{ 202292206Sdes /* random 31 bit value. */ 203292206Sdes long int x = 0; 204292206Sdes if (!s || !s->seeded) { 205292206Sdes log_err("Couldn't generate randomness, Yarrow-256 generator not yet seeded"); 206292206Sdes } else { 207292206Sdes yarrow256_random(&s->ctx, sizeof(x), (uint8_t *)&x); 208292206Sdes } 209292206Sdes return x & MAX_VALUE; 210292206Sdes} 211292206Sdes#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */ 212292206Sdes 213292206Sdes 214292206Sdes#if defined(HAVE_NSS) || defined(HAVE_NETTLE) 215238106Sdeslong int 216238106Sdesub_random_max(struct ub_randstate* state, long int x) 217238106Sdes{ 218238106Sdes /* make sure we fetch in a range that is divisible by x. ignore 219238106Sdes * values from d .. MAX_VALUE, instead draw a new number */ 220238106Sdes long int d = MAX_VALUE - (MAX_VALUE % x); /* d is divisible by x */ 221238106Sdes long int v = ub_random(state); 222238106Sdes while(d <= v) 223238106Sdes v = ub_random(state); 224238106Sdes return (v % x); 225238106Sdes} 226292206Sdes#endif /* HAVE_NSS or HAVE_NETTLE */ 227238106Sdes 228238106Sdesvoid 229238106Sdesub_randfree(struct ub_randstate* s) 230238106Sdes{ 231296415Sdes free(s); 232238106Sdes /* user app must do RAND_cleanup(); */ 233238106Sdes} 234