Change isc_random() to be just PRNG, and add isc_nonce_buf() that uses CSPRNG

This commit reverts the previous change to use system provided entropy, as (SYS_)getrandom is very slow on Linux because it is a syscall. The change introduced in this commit adds a new call isc_nonce_buf that uses CSPRNG from cryptographic library provider to generate secure data that can be and must be used for generating nonces. Example usage would be DNS cookies. The isc_random() API has been changed to use fast PRNG that is not cryptographically secure, but runs entirely in user space. Two contestants have been considered xoroshiro family of the functions by Villa&Blackman and PCG by O'Neill. After a consideration the xoshiro128starstar function has been used as uint32_t random number provider because it is very fast and has good enough properties for our usage pattern. The other change introduced in the commit is the more extensive usage of isc_random_uniform in places where the usage pattern was isc_random() % n to prevent modulo bias. For usage patterns where only 16 or 8 bits are needed (DNS Message ID), the isc_random() functions has been renamed to isc_random32(), and isc_random16() and isc_random8() functions have been introduced by &-ing the isc_random32() output with 0xffff and 0xff. Please note that the functions that uses stripped down bit count doesn't pass our NIST SP 800-22 based random test.
2025-09-03 16:15:27 +00:00 · 2018-05-28 15:22:23 +02:00
parent 1a9a1b48d7
commit 99ba29bc52
37 changed files with 542 additions and 267 deletions
--- a/lib/isc/random.c
+++ b/lib/isc/random.c
@@ -32,162 +32,95 @@

 #include <stdint.h>
 #include <stdlib.h>
+#include <string.h>
 #include <unistd.h>

-#if HAVE_OPENSSL
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#endif /* ifdef HAVE_OPENSSL */
-
-#if HAVE_PKCS11
-#include <pk11/pk11.h>
-#endif /* if HAVE_PKCS11 */
-
-#if defined(__linux__)
-# include <errno.h>
-# ifdef HAVE_GETRANDOM
-#  include <sys/random.h>
-# else  /* HAVE_GETRANDOM */
-#  include <sys/syscall.h>
-# endif /* HAVE_GETRANDOM */
-#endif /* defined(__linux__) */
-
 #include <isc/random.h>
 #include <isc/result.h>
 #include <isc/types.h>
 #include <isc/util.h>

-#if defined(_WIN32) || defined(_WIN64)
 #include <isc/once.h>
-#endif

-#if defined(__linux__)
-# ifdef HAVE_GETRANDOM
-#  define have_getrandom() 1
-# else  /* ifdef HAVE_GETRANDOM */
-#  undef getrandom
-#  if defined(SYS_getrandom)
-#   define getrandom(dst,s,flags) syscall(SYS_getrandom, \
-					  (void*)dst, \
-					  (size_t)s, \
-					  (unsigned int)flags)
+#include "entropy_private.h"

-static unsigned
-have_getrandom(void) {
-	uint16_t buf;
-	ssize_t ret;
-	ret = getrandom(&buf, sizeof(buf), 1 /*GRND_NONBLOCK*/);
-	return (ret == sizeof(buf) ||
-		(ret == -1 && errno == EAGAIN));
-}
+/*
+ * The specific implementation for PRNG is included as a C file
+ * that has to provide a static variable named seed, and a function
+ * uint32_t next(void) that provides next random number.
+ *
+ * The implementation must be thread-safe.
+ */

-#  else  /* defined(SYS_getrandom) */
-#   define have_getrandom() 0
-#   define getrandom(dst,s,flags) -1
-#  endif /* defined(SYS_getrandom) */
-# endif /* ifdef HAVE_GETRANDOM */
-
-static int
-getrandom_buf(void *buf, size_t buflen) {
-	size_t left = buflen;
-	ssize_t ret;
-	uint8_t *p = buf;
-
-	while (left > 0) {
-		ret = getrandom(p, left, 0);
-		if (ret == -1 && errno == EINTR) {
-			continue;
-		}
-
-		RUNTIME_CHECK(ret >= 0);
-
-		if (ret > 0) {
-			left -= ret;
-			p += ret;
-		}
-	}
-
-	return(0);
-}
-#endif /* __linux__ */
-
-#if defined(_WIN32) || defined(_WIN64)
+/*
+ * Two contestants have been considered: the xoroshiro family of the
+ * functions by Villa&Blackman, and PCG by O'Neill.  After
+ * consideration, the xoshiro128starstar function has been chosen as
+ * the uint32_t random number provider because it is very fast and has
+ * good enough properties for our usage pattern.
+ */
+#include "xoshiro128starstar.c"

 static isc_once_t isc_random_once = ISC_ONCE_INIT;

-static HCRYPTPROV isc_random_hcryptprov;
-
-static void isc_random_initialize(void) {
-	RUNTIME_CHECK(CryptAcquireContext(&isc_random_hcryptprov,
-					  NULL, NULL, PROV_RSA_FULL,
-					  CRYPT_VERIFYCONTEXT|CRYPT_SILENT));
+static void
+isc_random_initialize(void) {
+	isc_entropy_get(seed, sizeof(seed));
 }

-#endif /* defined(_WIN32) || defined(_WIN64) */
+uint8_t
+isc_random8(void) {
+	RUNTIME_CHECK(isc_once_do(&isc_random_once,
+				  isc_random_initialize) == ISC_R_SUCCESS);
+	return (next() & 0xff);
+}
+
+uint16_t
+isc_random16(void) {
+	RUNTIME_CHECK(isc_once_do(&isc_random_once,
+				  isc_random_initialize) == ISC_R_SUCCESS);
+	return (next() & 0xffff);
+}

 uint32_t
-isc_random(void) {
-#if defined(HAVE_ARC4RANDOM)
-	return(arc4random());
-#else /* HAVE_ARC4RANDOM */
-	uint32_t ret;
-	isc_random_buf(&ret, sizeof(ret));
-	return (ret);
-#endif /* HAVE_ARC4RANDOM */
+isc_random32(void) {
+	RUNTIME_CHECK(isc_once_do(&isc_random_once,
+				  isc_random_initialize) == ISC_R_SUCCESS);
+	return (next());
 }

-/*
- * Fill the region buf of length buflen with random data.
- */
 void
 isc_random_buf(void *buf, size_t buflen) {
 	REQUIRE(buf);
 	REQUIRE(buflen > 0);

-#if defined(_WIN32) || defined(_WIN64)
 	RUNTIME_CHECK(isc_once_do(&isc_random_once,
 				  isc_random_initialize) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(CryptGenRandom(isc_random_hcryptprov,
-				     (DWORD)buflen, buf));
-	return;
-#elif defined(HAVE_ARC4RANDOM_BUF)
-	arc4random_buf(buf, buflen);
-	return;
-#else

-# if defined(__linux__)
-	/*
-	 * We need to check the availability of the SYS_getrandom
-	 * syscall at runtime and fall back to crypto library provider
-	 * if not available
-	 */
-	if (have_getrandom()) {
-		getrandom_buf(buf, buflen);
-		return;
+	int i;
+	uint32_t r;
+
+	for (i = 0; i + sizeof(r) <= buflen; i += sizeof(r)) {
+		r = next();
+		memmove((uint8_t *)buf + i, &r, sizeof(r)); /* Buffers cannot
+		                                            * really overlap
+		                                            * here */
 	}
-
-# endif  /* defined(__linux__) */
-
-/* Use crypto library as fallback when no other CSPRNG is available */
-# if HAVE_OPENSSL
-	if (RAND_bytes(buf, buflen) < 1) {
-		FATAL_ERROR(__FILE__, __LINE__, "RAND_bytes(): %s", ERR_error_string(ERR_get_error(), NULL));
-	}
-# elif HAVE_PKCS11
-	RUNTIME_CHECK(pk11_rand_bytes(buf, buflen) == ISC_R_SUCCESS);
-# endif /* if defined(HAVE_ARC4RANDOM_BUF) */
-
-#endif
+	r = next();
+	memmove((uint8_t *)buf + i, &r, buflen % sizeof(r)); /* Buffer cannot
+	                                                     * really overlap
+	                                                     * here */
+	return;
 }

 uint32_t
 isc_random_uniform(uint32_t upper_bound) {
-#if defined(HAVE_ARC4RANDOM_UNIFORM)
-	return(arc4random_uniform(upper_bound));
-#else  /* if defined(HAVE_ARC4RANDOM_UNIFORM) */
 	/* Copy of arc4random_uniform from OpenBSD */
 	uint32_t r, min;

+	RUNTIME_CHECK(isc_once_do(&isc_random_once,
+				  isc_random_initialize) == ISC_R_SUCCESS);
+
 	if (upper_bound < 2) {
 		return (0);
 	}
@@ -211,12 +144,11 @@ isc_random_uniform(uint32_t upper_bound) {
 	 * to re-roll.
 	 */
 	for (;;) {
-		r = isc_random();
+		r = next();
 		if (r >= min) {
 			break;
 		}
 	}

 	return (r % upper_bound);
-#endif /* if defined(HAVE_ARC4RANDOM_UNIFORM) */
 }