/* Copyright (c) 2002-2018 Dovecot authors, see the included COPYING file */ #include "lib.h" #include "randgen.h" #include #include #ifdef DEBUG /* For reproducing tests, fall back onto using a simple deterministic PRNG */ /* Marsaglia's 1999 KISS, de-macro-ified, and with the fixed KISS11 SHR3, which is clearly what was intended given the "cycle length 2^123" claim. */ static bool kiss_in_use; static unsigned int kiss_seed; static uint32_t kiss_z, kiss_w, kiss_jsr, kiss_jcong; static void kiss_init(unsigned int seed) { i_info("Random numbers are PRNG using kiss, as per DOVECOT_SRAND=%u", seed); kiss_seed = seed; kiss_jsr = 0x5eed5eed; /* simply musn't be 0 */ kiss_z = 1 ^ (kiss_w = kiss_jcong = seed); /* w=z=0 is bad, see Rose */ kiss_in_use = TRUE; } static unsigned int kiss_rand(void) { kiss_z = 36969 * (kiss_z&65535) + (kiss_z>>16); kiss_w = 18000 * (kiss_w&65535) + (kiss_w>>16); kiss_jcong = 69069 * kiss_jcong + 1234567; kiss_jsr^=(kiss_jsr<<13); /* <<17, >>13 gives cycle length 2^28.2 max */ kiss_jsr^=(kiss_jsr>>17); /* <<13, >>17 gives maximal cycle length */ kiss_jsr^=(kiss_jsr<<5); return (((kiss_z<<16) + kiss_w) ^ kiss_jcong) + kiss_jsr; } int rand_get_last_seed(unsigned int *seed_r) { if (!kiss_in_use) return -1; /* not using a deterministic PRNG, seed is irrelevant */ *seed_r = kiss_seed; return 0; } #endif /* get randomness from either getrandom, arc4random or /dev/urandom */ #if defined(HAVE_GETRANDOM) && HAVE_DECL_GETRANDOM != 0 # include # define USE_GETRANDOM static bool getrandom_present = TRUE; #elif defined(HAVE_ARC4RANDOM) # if defined(HAVE_LIBBSD) # include # endif # define USE_ARC4RANDOM #else static bool getrandom_present = FALSE; # define USE_RANDOM_DEV #endif static int init_refcount = 0; static int urandom_fd = -1; #if defined(USE_GETRANDOM) || defined(USE_RANDOM_DEV) /* Use a small buffer when reading randomness. This is mainly to make small random reads more efficient, such as i_rand*(). When reading larger amount of randomness this buffer is bypassed. There doesn't seem to be a big difference in Linux system CPU usage when buffer size is above 16 bytes. Double it just to be safe. Avoid it being too large anyway so we don't unnecessarily waste CPU and memory. */ #define RANDOM_READ_BUFFER_SIZE 32 static unsigned char random_next[RANDOM_READ_BUFFER_SIZE]; static size_t random_next_pos = 0; static size_t random_next_size = 0; static void random_open_urandom(void) { urandom_fd = open(DEV_URANDOM_PATH, O_RDONLY); if (urandom_fd == -1) { if (errno == ENOENT) { i_fatal("open("DEV_URANDOM_PATH") failed: doesn't exist," "currently we require it"); } else { i_fatal("open("DEV_URANDOM_PATH") failed: %m"); } } fd_close_on_exec(urandom_fd, TRUE); } static inline int random_read(unsigned char *buf, size_t size) { ssize_t ret = 0; # if defined(USE_GETRANDOM) if (getrandom_present) { ret = getrandom(buf, size, 0); if (ret < 0 && errno == ENOSYS) { getrandom_present = FALSE; /* It gets complicated here... While the libc (and its headers) indicated that getrandom() was available when we were compiled, the kernel disagreed just now at runtime. Fall back to reading /dev/urandom. */ random_open_urandom(); } } /* this is here to avoid clang complain, because getrandom_present will be always FALSE if USE_GETRANDOM is not defined */ if (!getrandom_present) # endif ret = read(urandom_fd, buf, size); if (unlikely(ret <= 0)) { if (ret == 0) { i_fatal("read("DEV_URANDOM_PATH") failed: EOF"); } else if (errno != EINTR) { if (getrandom_present) { i_fatal("getrandom() failed: %m"); } else { i_fatal("read("DEV_URANDOM_PATH") failed: %m"); } } } i_assert(ret > 0 || errno == EINTR); return ret; } #endif void random_fill(void *buf, size_t size) { i_assert(init_refcount > 0); i_assert(size < SSIZE_T_MAX); #ifdef DEBUG if (kiss_in_use) { for (size_t pos = 0; pos < size; pos++) ((unsigned char*)buf)[pos] = kiss_rand(); return; } #endif #if defined(USE_ARC4RANDOM) arc4random_buf(buf, size); #else size_t pos; ssize_t ret; for (pos = 0; pos < size; ) { if (size >= sizeof(random_next) && random_next_size == 0) { /* Asking for lots of randomness. Read directly to the destination buffer. */ ret = random_read(PTR_OFFSET(buf, pos), size - pos); if (ret > -1) pos += ret; } else { /* Asking for a little randomness. Read via a larger buffer to reduce the number of syscalls. */ if (random_next_size > random_next_pos) ret = random_next_size - random_next_pos; else { random_next_pos = 0; ret = random_read(random_next, sizeof(random_next)); random_next_size = ret < 0 ? 0 : ret; } if (ret > 0) { size_t used = I_MIN(size - pos, (size_t)ret); memcpy(PTR_OFFSET(buf, pos), random_next + random_next_pos, used); random_next_pos += used; pos += used; } } } #endif /* defined(USE_ARC4RANDOM) */ } void random_init(void) { /* static analyzer seems to require this */ unsigned int seed = 0; const char *env_seed; if (init_refcount++ > 0) return; env_seed = getenv("DOVECOT_SRAND"); #ifdef DEBUG if (env_seed != NULL && str_to_uint(env_seed, &seed) >= 0) { kiss_init(seed); /* getrandom_present = FALSE; not needed, only used in random_read() */ goto normal_exit; } #else if (env_seed != NULL && *env_seed != '\0') i_warning("DOVECOT_SRAND is not available in non-debug builds"); #endif /* DEBUG */ #if defined(USE_RANDOM_DEV) random_open_urandom(); #endif /* DO NOT REMOVE THIS - It is also needed to make sure getrandom really works. */ random_fill(&seed, sizeof(seed)); #ifdef DEBUG if (env_seed != NULL) { if (strcmp(env_seed, "kiss") != 0) i_fatal("DOVECOT_SRAND not a number or 'kiss'"); kiss_init(seed); i_close_fd(&urandom_fd); } normal_exit: #endif srand(seed); } void random_deinit(void) { if (--init_refcount > 0) return; i_close_fd(&urandom_fd); }