| blob | f39ee6c24f093955f6c3e6f93608d1098ac3dc14 |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto_rand.c
9 *
10 * \brief Functions for initialising and seeding (pseudo-)random
11 * number generators, and working with randomness.
12 **/
14 #define CRYPTO_RAND_PRIVATE
18 #ifdef _WIN32
19 #include <windows.h>
20 #include <wincrypt.h>
41 #ifdef ENABLE_NSS
43 #endif
45 #ifdef ENABLE_OPENSSL
47 #include <openssl/rand.h>
48 #include <openssl/sha.h>
52 #ifdef ENABLE_NSS
54 #include <pk11pub.h>
55 #include <secerr.h>
56 #include <prerror.h>
58 #endif
60 #if __GNUC__ && GCC_VERSION >= 402
61 #if GCC_VERSION >= 406
62 #pragma GCC diagnostic pop
63 #else
65 #endif
68 #ifdef HAVE_FCNTL_H
69 #include <fcntl.h>
70 #endif
71 #ifdef HAVE_SYS_FCNTL_H
72 #include <sys/fcntl.h>
73 #endif
74 #ifdef HAVE_SYS_STAT_H
75 #include <sys/stat.h>
76 #endif
77 #ifdef HAVE_UNISTD_H
78 #include <unistd.h>
79 #endif
80 #ifdef HAVE_SYS_SYSCALL_H
81 #include <sys/syscall.h>
82 #endif
83 #ifdef HAVE_SYS_RANDOM_H
84 #include <sys/random.h>
85 #endif
87 #include <string.h>
88 #include <errno.h>
90 /**
91 * How many bytes of entropy we add at once.
92 *
93 * This is how much entropy OpenSSL likes to add right now, so maybe it will
94 * work for us too.
95 **/
96 #define ADD_ENTROPY 32
98 /**
99 * Longest recognized DNS query.
100 **/
101 #define MAX_DNS_LABEL_SIZE 63
103 /**
104 * Largest strong entropy request permitted.
105 **/
106 #define MAX_STRONGEST_RAND_SIZE 256
108 /**
109 * Set the seed of the weak RNG to a random value.
110 **/
111 void
113 {
117 }
119 #ifdef TOR_UNIT_TESTS
122 #endif
124 /**
125 * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
126 * via system calls, storing it into <b>out</b>. Return 0 on success, -1 on
127 * failure. A maximum request size of 256 bytes is imposed.
128 **/
129 static int
131 {
134 /* We only log at notice-level here because in the case that this function
135 * fails the crypto_strongest_rand_raw() caller will log with a warning-level
136 * message and let crypto_strongest_rand() error out and finally terminating
137 * Tor with an assertion error.
138 */
140 #ifdef TOR_UNIT_TESTS
143 #endif
145 #if defined(_WIN32)
151 CRYPT_VERIFYCONTEXT)) {
154 }
156 }
160 }
163 #elif defined(__linux__) && defined(SYS_getrandom)
166 /* getrandom() isn't as straightforward as getentropy(), and has
167 * no glibc wrapper.
168 *
169 * As far as I can tell from getrandom(2) and the source code, the
170 * requests we issue will always succeed (though it will block on the
171 * call if /dev/urandom isn't seeded yet), since we are NOT specifying
172 * GRND_NONBLOCK and the request is <= 256 bytes.
173 *
174 * The manpage is unclear on what happens if a signal interrupts the call
175 * while the request is blocked due to lack of entropy....
176 *
177 * We optimistically assume that getrandom() is available and functional
178 * because it is the way of the future, and 2 branch mispredicts pale in
179 * comparison to the overheads involved with failing to open
180 * /dev/srandom followed by opening and reading from /dev/urandom.
181 */
184 /* A flag of '0' here means to read from '/dev/urandom', and to
185 * block if insufficient entropy is available to service the
186 * request.
187 */
194 /* LCOV_EXCL_START we can't actually make the syscall fail in testing. */
198 /* Useful log message for errno. */
201 " You are running a version of Tor built to support"
202 " getrandom(), but the kernel doesn't implement this"
203 " function--probably because it is too old?"
209 }
213 /* LCOV_EXCL_STOP */
214 }
218 }
221 #elif defined(HAVE_GETENTROPY)
222 /* getentropy() is what Linux's getrandom() wants to be when it grows up.
223 * the only gotcha is that requests are limited to 256 bytes.
224 */
226 #else
230 /* This platform doesn't have a supported syscall based random. */
232 }
234 /**
235 * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
236 * via the per-platform fallback mechanism, storing it into <b>out</b>.
237 * Return 0 on success, -1 on failure. A maximum request size of 256 bytes
238 * is imposed.
239 **/
240 static int
242 {
243 #ifdef TOR_UNIT_TESTS
246 #endif
248 #ifdef _WIN32
249 /* Windows exclusively uses crypto_strongest_rand_syscall(). */
256 };
268 /* LCOV_EXCL_START
269 * We can't make /dev/foorandom actually fail. */
275 /* LCOV_EXCL_STOP */
276 }
279 }
283 }
285 /**
286 * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
287 * storing it into <b>out</b>. Return 0 on success, -1 on failure. A maximum
288 * request size of 256 bytes is imposed.
289 **/
290 STATIC int
292 {
297 /* For buffers >= 16 bytes (128 bits), we sanity check the output by
298 * zero filling the buffer and ensuring that it actually was at least
299 * partially modified.
300 *
301 * Checking that any individual byte is non-zero seems like it would
302 * fail too often (p = out_len * 1/256) for comfort, but this is an
303 * "adjust according to taste" sort of check.
304 */
307 /* Try to use the syscall/OS favored mechanism to get strong entropy. */
309 /* Try to use the less-favored mechanism to get strong entropy. */
311 /* Welp, we tried. Hopefully the calling code terminates the process
312 * since we're basically boned without good entropy.
313 */
317 }
318 }
322 }
324 /* LCOV_EXCL_START
325 *
326 * We tried max_attempts times to fill a buffer >= 128 bits long,
327 * and each time it returned all '0's. Either the system entropy
328 * source is busted, or the user should go out and buy a ticket to
329 * every lottery on the planet.
330 */
334 /* LCOV_EXCL_STOP */
335 }
337 /**
338 * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
339 * storing it into <b>out</b>.
340 **/
341 void
343 {
345 }
347 /**
348 * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
349 * storing it into <b>out</b>. (Mockable version.)
350 **/
353 {
354 #define DLEN DIGEST512_LEN
356 /* We're going to hash DLEN bytes from the system RNG together with some
357 * bytes from the PRNGs from our crypto librar(y/ies), in order to yield
358 * DLEN bytes.
359 */
365 #ifdef ENABLE_OPENSSL
367 #endif
368 #ifdef ENABLE_NSS
370 #endif
372 // LCOV_EXCL_START
375 /* Die with an assertion so we get a stack trace. */
377 // LCOV_EXCL_STOP
378 }
387 }
388 }
391 #undef DLEN
392 }
394 #ifdef ENABLE_OPENSSL
395 /**
396 * Seed OpenSSL's random number generator with bytes from the operating
397 * system. Return 0 on success, -1 on failure.
398 **/
399 static int
401 {
405 /* OpenSSL has a RAND_poll function that knows about more kinds of
406 * entropy than we do. We'll try calling that, *and* calling our own entropy
407 * functions. If one succeeds, we'll accept the RNG as seeded. */
415 }
421 else
423 }
426 #ifdef ENABLE_NSS
427 /**
428 * Seed OpenSSL's random number generator with bytes from the operating
429 * system. Return 0 on success, -1 on failure.
430 **/
431 static int
433 {
440 }
441 }
446 }
449 /**
450 * Seed the RNG for any and all crypto libraries that we're using with bytes
451 * from the operating system. Return 0 on success, -1 on failure.
452 */
453 int
455 {
457 #ifdef ENABLE_NSS
461 #endif
462 #ifdef ENABLE_OPENSSL
466 #endif
469 }
471 /**
472 * Write <b>n</b> bytes of strong random data to <b>to</b>. Supports mocking
473 * for unit tests.
474 *
475 * This function is not allowed to fail; if it would fail to generate strong
476 * entropy, it must terminate the process instead.
477 **/
480 {
482 }
484 /**
485 * Write <b>n</b> bytes of strong random data to <b>to</b>. Most callers
486 * will want crypto_rand instead.
487 *
488 * This function is not allowed to fail; if it would fail to generate strong
489 * entropy, it must terminate the process instead.
490 **/
491 void
493 {
500 #ifdef ENABLE_NSS
503 /* NSS rather sensibly might refuse to generate huge amounts of random
504 * data at once. Unfortunately, our unit test do this in a couple of
505 * places. To solve this issue, we use our XOF to stretch a shorter
506 * output when a longer one is needed.
507 *
508 * Yes, this is secure. */
510 /* This is longer than it needs to be; 1600 bits == 200 bytes is the
511 * state-size of SHA3. */
512 #define BUFLEN 512
523 #undef BUFLEN
524 }
527 /* We consider a PRNG failure non-survivable. Let's assert so that we get a
528 * stack trace about where it happened.
529 */
531 #endif
532 }
534 /**
535 * Draw an unsigned 32-bit integer uniformly at random.
536 */
537 uint32_t
539 {
543 }
545 /**
546 * Generate and return a new random hostname starting with <b>prefix</b>,
547 * ending with <b>suffix</b>, and containing no fewer than
548 * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
549 * characters. Does not check for failure.
550 *
551 * Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
552 **/
556 {
571 /* (x+(n-1))/n is an idiom for dividing x by n, rounding up to the nearest
572 * integer and thus why this construction. */
587 }
589 /**
590 * Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
591 * is empty.
592 **/
595 {
600 }
602 /**
603 * Scramble the elements of <b>sl</b> into a random order.
604 **/
605 void
607 {
609 /* From the end of the list to the front, choose at random from the
610 positions we haven't looked at yet, and swap that position into the
611 current position. Remember to give "no swap" the same probability as
612 any other swap. */
616 }
617 }
619 /** Make sure that openssl is using its default PRNG. Return 1 if we had to
620 * adjust it; 0 otherwise. */
621 int
623 {
624 #ifdef ENABLE_OPENSSL
629 "a replacement the OpenSSL RNG. Resetting it to the default "
633 }
636 }