

ref: c6a9cbb0713c3ede52cf6822dcfc0589e5b9b8fe
parent: 809522e80f4011925e8d92aa480fad04c7ff9e10
author: cinap_lenrek <[email protected]>
date: Fri Aug 21 18:46:26 EDT 2015

cmd/auth: remove private /dev/random reading routines, use genrandom()

--- a/sys/src/cmd/auth/as.c
+++ b/sys/src/cmd/auth/as.c
@@ -52,7 +52,6 @@
 	}ARGEND
 
 	initcap();
-	srand(getpid()*time(0));
 	if(argc >= 2)
 		runas(argv[0], argv[1]);
 	else
@@ -96,15 +95,6 @@
 	exits("usage");
 }
 
-void
-memrandom(void *p, int n)
-{
-	uchar *cp;
-
-	for(cp = (uchar*)p; n > 0; n--)
-		*cp++ = fastrand();
-}
-
 /*
  *  keep caphash fd open since opens of it could be disabled
  */
@@ -138,7 +128,7 @@
 	nfrom = strlen(from);
 	cap = emalloc(nfrom+1+nto+1+sizeof(rand)*3+1);
 	sprint(cap, "%s@%s", from, to);
-	memrandom(rand, sizeof(rand));
+	genrandom(rand, sizeof(rand));
 	key = cap+nfrom+1+nto+1;
 	enc64(key, sizeof(rand)*3, rand, sizeof(rand));
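Review bot: `sprint(cap, "%s@%s", from, to);` just above the new `genrandom` call writes into `cap` with no bound, while the matching capability code in cron.c in this same commit uses `snprint(cap, ncap, "%s@%s", from, to);`. The allocation on the preceding line is sized from `nfrom` and `nto`, so the write fits as long as both are the `strlen` of the same strings (only `nfrom` is visible here). Computing the size once, `ncap = nfrom+1+nto+1+sizeof(rand)*3+1;`, and passing it to `snprint` would make the bound explicit; the same applies to the hunk at -608 in factotum/util.c. The local array named `rand` also shadows libc's `rand()`, which is easy to misread in a change about random sources; the enclosing function starts and ends outside the hunk.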
 
--- a/sys/src/cmd/auth/authsrv.c
+++ b/sys/src/cmd/auth/authsrv.c
@@ -33,7 +33,6 @@
 void	getraddr(char*);
 void	mkkey(Authkey*);
 void	mkticket(Ticketreq*, Ticket*);
-void	randombytes(uchar*, int);
 void	nthash(uchar hash[MShashlen], char *passwd);
 void	lmhash(uchar hash[MShashlen], char *passwd);
 void	ntv2hash(uchar hash[MShashlen], char *passwd, char *user, char *dom);
@@ -64,7 +63,6 @@
 	if(db == 0)
 		syslog(0, AUTHLOG, "no /lib/ndb/auth");
 
-	srand(time(0)*getpid());
 	for(;;){
 		n = readn(0, buf, sizeof(buf));
 		if(n <= 0 || convM2TR(buf, n, &tr) <= 0)
@@ -167,7 +165,7 @@
 	netkey = finddeskey(NETKEYDB, tr->uid, nkbuf);
 	if(key == nil && netkey == nil){
 		/* make one up so caller doesn't know it was wrong */
-		randombytes((uchar*)nkbuf, DESKEYLEN);
+		genrandom((uchar*)nkbuf, DESKEYLEN);
 		netkey = nkbuf;
 		if(debug)
 			syslog(0, AUTHLOG, "cr-fail uid %s@%s", tr->uid, raddr);
@@ -185,7 +183,7 @@
 	 */
 	memset(buf, 0, sizeof(buf));
 	buf[0] = AuthOK;
-	chal = lnrand(MAXNETCHAL);
+	chal = nfastrand(MAXNETCHAL);
 	sprint(buf+1, "%lud", chal);
 	if(write(1, buf, NETCHLEN+1) < 0)
 		exits(0);
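Review bot: Nothing at `chal = nfastrand(MAXNETCHAL);` says where the challenge now comes from, and the `srand()` seeding that the old `lnrand()` call relied on is removed earlier in this file. A one-line comment such as `/* nfastrand() is libsec's generator, backed by genrandom(); no srand() seeding needed */` would keep a later reader from restoring the seed. The challenge is still limited to values below `MAXNETCHAL` (defined outside this hunk), so the better source does not widen the space that has to be guessed. The same applies to the identical call in guard.srv.c (hunk at -69).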
@@ -322,7 +320,7 @@
 
 	/* send back a ticket encrypted with the key */
 	mkticket(tr, &t);
-	randombytes((uchar*)t.chal, CHALLEN);
+	genrandom((uchar*)t.chal, CHALLEN);
 	t.num = AuthHr;
 	n = 0;
 	tbuf[n++] = AuthOK;
@@ -388,7 +386,7 @@
 	/*
 	 *  Create a challenge and send it.
 	 */
-	randombytes((uchar*)rb, sizeof(rb));
+	genrandom((uchar*)rb, sizeof(rb));
 	p = chal;
 	p += snprint(p, sizeof(chal), "<%lux%lux.%lux%lux@%s>",
 		rb[0], rb[1], rb[2], rb[3], domainname());
@@ -502,7 +500,7 @@
 	/*
 	 *  Create a challenge and send it.
 	 */
-	randombytes(chal+6, VNCchallen);
+	genrandom(chal+6, VNCchallen);
 	chal[0] = AuthOKvar;
 	sprint((char*)chal+1, "%-5d", VNCchallen);
 	if(write(1, chal, sizeof(chal)) != sizeof(chal))
@@ -514,7 +512,7 @@
 	memset(sbuf, 0, sizeof(sbuf));
 	secret = findsecret(KEYDB, tr->uid, sbuf);
 	if(secret == nil){
-		randombytes((uchar*)sbuf, sizeof(sbuf));
+		genrandom((uchar*)sbuf, sizeof(sbuf));
 		secret = sbuf;
 	}
 	for(i = 0; i < 8; i++)
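Review bot: The `if(secret == nil)` branch that fills `sbuf` with `genrandom` has no comment saying why a missing secret is replaced by random bytes. The netkey branch in the hunk at -167 of this file documents what looks like the same technique with `/* make one up so caller doesn't know it was wrong */`. Repeating that comment here would make clear that the random secret presumably exists to keep an unknown user indistinguishable from a wrong response, and that it must therefore come from an unpredictable source.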
@@ -565,7 +563,7 @@
 	/*
 	 *  Create a challenge and send it.
 	 */
-	randombytes((uchar*)chal, sizeof(chal));
+	genrandom((uchar*)chal, sizeof(chal));
 	write(1, chal, sizeof(chal));
 
 	/*
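Review bot: The result of `write(1, chal, sizeof(chal));` right after the new `genrandom` call is ignored, so a failed or short write leaves the server waiting for a response to a challenge the client never received in full. The VNC hunk at -502 in this file already checks it with `if(write(1, chal, sizeof(chal)) != sizeof(chal))`; the same test would fit here and in the hunk at -682. What the VNC code does on failure lies outside the visible lines, so the error path here should follow whatever that code does.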
@@ -682,7 +680,7 @@
 	/*
 	 *  Create a challenge and send it.
 	 */
-	randombytes((uchar*)chal, sizeof(chal));
+	genrandom(chal, sizeof(chal));
 	write(1, chal, sizeof(chal));
 
 	/*
@@ -1001,8 +999,8 @@
 void
 mkkey(Authkey *k)
 {
-	randombytes((uchar*)k->des, DESKEYLEN);
-	randombytes((uchar*)k->aes, AESKEYLEN);
+	genrandom((uchar*)k->des, DESKEYLEN);
+	genrandom((uchar*)k->aes, AESKEYLEN);
 }
 
 void
@@ -1012,19 +1010,7 @@
 	memmove(t->chal, tr->chal, CHALLEN);
 	safecpy(t->cuid, tr->uid, sizeof(t->cuid));
 	safecpy(t->suid, tr->uid, sizeof(t->suid));
-	randombytes((uchar*)t->key, DESKEYLEN);
-}
-
-void
-randombytes(uchar *buf, int len)
-{
-	int i;
-
-	if(readfile("/dev/random", (char*)buf, len) >= 0)
-		return;
-
-	for(i = 0; i < len; i++)
-		buf[i] = rand();
+	genrandom((uchar*)t->key, DESKEYLEN);
 }
 
 /*
--- a/sys/src/cmd/auth/changeuser.c
+++ b/sys/src/cmd/auth/changeuser.c
@@ -1,5 +1,6 @@
 #include <u.h>
 #include <libc.h>
+#include <libsec.h>
 #include <authsrv.h>
 #include <ctype.h>
 #include <bio.h>
@@ -19,13 +20,12 @@
 main(int argc, char *argv[])
 {
 	char *u, answer[32], p9pass[32];
-	int which, i, newkey, newbio, dosecret;
+	int which, newkey, newbio, dosecret;
 	long t;
 	Authkey key;
 	Acctbio a;
 	Fs *f;
 
-	srand(getpid()*time(0));
 	fmtinstall('K', deskeyfmt);
 
 	which = 0;
@@ -84,8 +84,7 @@
 		}
 		if(newkey){
 			memset(&key, 0, sizeof(key));
-			for(i=0; i<DESKEYLEN; i++)
-				key.des[i] = nrand(256);
+			genrandom((uchar*)key.des, DESKEYLEN);
 		}
 		if(a.user == 0){
 			t = getexpiration(f->keys, u);
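Review bot: After `memset(&key, 0, sizeof(key));` only `key.des` is filled by `genrandom((uchar*)key.des, DESKEYLEN);`, so every other member of `key` stays zero. `mkkey()` in authsrv.c (hunk at -1001) fills both `k->des` and `k->aes`, which shows that `Authkey` carries an AES key as well. If the code after this hunk stores `key` as a whole, the account would get an all-zero AES key; if that can happen, add `genrandom((uchar*)key.aes, AESKEYLEN);` next to the DES line. How `key` is written out is outside the hunk, so this needs checking against the rest of `main`.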
--- a/sys/src/cmd/auth/convkeys.c
+++ b/sys/src/cmd/auth/convkeys.c
@@ -74,23 +74,6 @@
 	exits(nil);
 }
 
-void
-randombytes(uchar *p, int len)
-{
-	int i, fd;
-
-	fd = open("/dev/random", OREAD);
-	if(fd < 0){
-		fprint(2, "%s: can't open /dev/random, using rand()\n", argv0);
-		srand(time(0));
-		for(i = 0; i < len; i++)
-			p[i] = rand();
-		return;
-	}
-	read(fd, p, len);
-	close(fd);
-}
-
 int
 badname(char *s)
 {
@@ -181,7 +164,7 @@
 		keydbaes = 1;
 	}
 
-	randombytes((uchar*)p, keydboff);
+	genrandom((uchar*)p, keydboff);
 	if(keydbaes){
 		AESstate s;
 
--- a/sys/src/cmd/auth/convkeys2.c
+++ b/sys/src/cmd/auth/convkeys2.c
@@ -12,7 +12,6 @@
 
 int	convert(char*, char*, Authkey*, int);
 void	usage(void);
-void	randombytes(uchar*, int);
 
 void
 main(int argc, char *argv[])
@@ -101,7 +100,7 @@
 		if(verb)
 			print("%s\n", &p[off]);
 	}
-	randombytes((uchar*)np, KEYDBOFF);
+	genrandom((uchar*)np, KEYDBOFF);
 	len = (len*KEYDBLEN) + KEYDBOFF;
 	oldCBCencrypt(key->des, np, len);
 	return len;
@@ -112,21 +111,4 @@
 {
 	fprint(2, "usage: convkeys2 keyfile\n");
 	exits("usage");
-}
-
-void
-randombytes(uchar *p, int len)
-{
-	int i, fd;
-
-	fd = open("/dev/random", OREAD);
-	if(fd < 0){
-		fprint(2, "convkeys2: can't open /dev/random, using rand()\n");
-		srand(time(0));
-		for(i = 0; i < len; i++)
-			p[i] = rand();
-		return;
-	}
-	read(fd, p, len);
-	close(fd);
 }
--- a/sys/src/cmd/auth/cron.c
+++ b/sys/src/cmd/auth/cron.c
@@ -191,7 +191,6 @@
 		fatal("cron already running: %r");
 
 	argv0 = "cron";
-	srand(getpid()*time(0));
 	last = time(0);
 	for(;;){
 		readalljobs();
@@ -656,15 +655,6 @@
 	return(a.path != b.path || a.vers != b.vers);
 }
 
-void
-memrandom(void *p, int n)
-{
-	uchar *cp;
-
-	for(cp = (uchar*)p; n > 0; n--)
-		*cp++ = fastrand();
-}
-
 /*
  *  keep caphash fd open since opens of it could be disabled
  */
@@ -699,7 +689,7 @@
 	ncap = nfrom + 1 + nto + 1 + sizeof(rand)*3 + 1;
 	cap = emalloc(ncap);
 	snprint(cap, ncap, "%s@%s", from, to);
-	memrandom(rand, sizeof(rand));
+	genrandom(rand, sizeof(rand));
 	key = cap+nfrom+1+nto+1;
 	enc64(key, sizeof(rand)*3, rand, sizeof(rand));
 
--- a/sys/src/cmd/auth/factotum/apop.c
+++ b/sys/src/cmd/auth/factotum/apop.c
@@ -261,7 +261,7 @@
 		goto err;
 	}
 
-	memrandom(s->tr.chal, CHALLEN);
+	genrandom((uchar*)s->tr.chal, CHALLEN);
 	safecpy(s->tr.uid, user, sizeof(s->tr.uid));
 	alarm(30*1000);
 	if(_asrequest(s->asfd, &s->tr) < 0){
--- a/sys/src/cmd/auth/factotum/chap.c
+++ b/sys/src/cmd/auth/factotum/chap.c
@@ -188,7 +188,7 @@
 				if(user == nil)
 					break;
 
-				memrandom(pchal, MSchallenv2);
+				genrandom((uchar*)pchal, MSchallenv2);
 
 				/* ChallengeHash() */
 				ds = sha1(pchal, MSchallenv2, nil, nil);
@@ -579,7 +579,7 @@
 	*p++ = t >> 48;
 	*p++ = t >> 56;
 
-	memrandom(p, 8);
+	genrandom(p, 8);
 	p += 8;			/* 64bit: client nonce */
 
 	*p++ = 0;		/* 32bit: unknown data */
@@ -617,7 +617,7 @@
 	 * LmResponse = Cat(HMAC_MD5(LmHash, Cat(SC, CC)), CC)
 	 */
 	s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
-	memrandom((uchar*)r->LMresp+16, 8);
+	genrandom((uchar*)r->LMresp+16, 8);
 	hmac_md5((uchar*)r->LMresp+16, 8, hash, MShashlen, (uchar*)r->LMresp, s);
 
 	/*
--- a/sys/src/cmd/auth/factotum/dat.h
+++ b/sys/src/cmd/auth/factotum/dat.h
@@ -203,7 +203,6 @@
 void		initcap(void);
 int		isclient(char*);
 int		matchattr(Attr*, Attr*, Attr*);
-void 		memrandom(void*, int);
 char 		*mkcap(char*, char*);
 int 		phaseerror(Fsstate*, char*);
 char		*phasename(Fsstate*, int, char*);
--- a/sys/src/cmd/auth/factotum/p9sk1.c
+++ b/sys/src/cmd/auth/factotum/p9sk1.c
@@ -88,7 +88,7 @@
 		switch(s->vers){
 		case 1:
 			fss->phase = CHaveChal;
-			memrandom(s->cchal, CHALLEN);
+			genrandom((uchar*)s->cchal, CHALLEN);
 			break;
 		case 2:
 			fss->phase = CNeedTreq;
@@ -108,7 +108,7 @@
 		safecpy(s->tr.authid, _strfindattr(k->attr, "user"), sizeof(s->tr.authid));
 		safecpy(s->tr.authdom, _strfindattr(k->attr, "dom"), sizeof(s->tr.authdom));
 		s->key = k;
-		memrandom(s->tr.chal, sizeof s->tr.chal);
+		genrandom((uchar*)s->tr.chal, sizeof s->tr.chal);
 		switch(s->vers){
 		case 1:
 			fss->phase = SNeedChal;
@@ -449,7 +449,7 @@
 	memmove(t.chal, tr->chal, CHALLEN);
 	strcpy(t.cuid, tr->uid);
 	strcpy(t.suid, tr->uid);
-	memrandom(t.key, DESKEYLEN);
+	genrandom((uchar*)t.key, DESKEYLEN);
 	t.num = AuthTc;
 	ret = convT2M(&t, tbuf, tbuflen, (Authkey*)s->key->priv);
 	t.num = AuthTs;
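Review bot: `strcpy(t.cuid, tr->uid);` and `strcpy(t.suid, tr->uid);` just above the new `genrandom` call copy without a bound, while `mkticket()` in authsrv.c (hunk at -1012) does the same copies with `safecpy(t->cuid, tr->uid, sizeof(t->cuid));`. If `tr->uid` can ever reach this point unterminated, the copy runs past the ticket fields. Using `safecpy(t.cuid, tr->uid, sizeof(t.cuid));` and `safecpy(t.suid, tr->uid, sizeof(t.suid));` would match the `safecpy` calls this file already makes in the hunk at -108. The enclosing function begins and ends outside the hunk, so where `tr` is filled in is not visible here.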
--- a/sys/src/cmd/auth/factotum/util.c
+++ b/sys/src/cmd/auth/factotum/util.c
@@ -566,15 +566,6 @@
 	return 1;		
 }
 
-void
-memrandom(void *p, int n)
-{
-	uchar *cp;
-
-	for(cp = (uchar*)p; n > 0; n--)
-		*cp++ = fastrand();
-}
-
 /*
  *  keep caphash fd open since opens of it could be disabled
  */
@@ -608,7 +599,7 @@
 	nfrom = strlen(from);
 	cap = emalloc(nfrom+1+nto+1+sizeof(rand)*3+1);
 	sprint(cap, "%s@%s", from, to);
-	memrandom(rand, sizeof(rand));
+	genrandom(rand, sizeof(rand));
 	key = cap+nfrom+1+nto+1;
 	enc64(key, sizeof(rand)*3, rand, sizeof(rand));
 
--- a/sys/src/cmd/auth/guard.srv.c
+++ b/sys/src/cmd/auth/guard.srv.c
@@ -6,6 +6,7 @@
 #include <fcall.h>
 #include <bio.h>
 #include <ndb.h>
+#include <libsec.h>
 #include <authsrv.h>
 #include "authcmdlib.h"
 
@@ -57,7 +58,6 @@
 		getraddr(argv[argc-1]);
 
 	argv0 = "guard";
-	srand((getpid()*1103515245)^time(0));
 	notify(catchalarm);
 
 	/*
@@ -69,7 +69,7 @@
 	/*
 	 * challenge-response
 	 */
-	chal = lnrand(MAXNETCHAL);
+	chal = nfastrand(MAXNETCHAL);
 	sprint(buf, "challenge: %lud\nresponse: ", chal);
 	n = strlen(buf) + 1;
 	if(write(1, buf, n) != n){
--- a/sys/src/cmd/auth/keyfs.c
+++ b/sys/src/cmd/auth/keyfs.c
@@ -696,25 +696,7 @@
 	return convD2M(&d, p, n);
 }
 
-
 void
-randombytes(uchar *p, int len)
-{
-	int i, fd;
-
-	fd = open("/dev/random", OREAD);
-	if(fd < 0){
-		fprint(2, "keyfs: can't open /dev/random, using rand()\n");
-		srand(time(0));
-		for(i = 0; i < len; i++)
-			p[i] = rand();
-		return;
-	}
-	read(fd, p, len);
-	close(fd);
-}
-
-void
 writeusers(void)
 {
 	int keydblen, keydboff;
@@ -740,7 +722,7 @@
 	/* pack into buffer */
 	buf = emalloc(keydboff + nu*keydblen);
 	p = buf;
-	randombytes(p, keydboff);
+	genrandom(p, keydboff);
 	p += keydboff;
 	for(i = 0; i < Nuser; i++)
 		for(u = users[i]; u != nil; u = u->link){
--- a/sys/src/cmd/auth/secstore/secstore.c
+++ b/sys/src/cmd/auth/secstore/secstore.c
@@ -148,7 +148,7 @@
 static int
 putfile(SConn *conn, char *pf, uchar *buf, ulong len, uchar *key, int nkey)
 {
-	int i, n, fd, ivo, bufi, done;
+	int n, fd, ivo, bufi, done;
 	char s[Maxmsg];
 	uchar skey[SHA1dlen], b[CHK+Maxmsg], IV[AESbsize];
 	AESstate aes;
@@ -155,9 +155,7 @@
 	DigestState *sha;
 
 	/* create initialization vector */
-	srand(time(0));			/* doesn't need to be unpredictable */
-	for(i=0; i<AESbsize; i++)
-		IV[i] = 0xff & rand();
+	genrandom(IV, AESbsize);
 	sha = sha1((uchar*)"aescbc file", 11, nil, nil);
 	sha1(key, nkey, skey, sha);
 	setupAESstate(&aes, skey, AESbsize, IV);
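Review bot: The comment `/* create initialization vector */` states no requirement, now that the old `/* doesn't need to be unpredictable */` remark is gone along with the `srand(time(0))` line. The `"aescbc file"` label suggests the IV feeds CBC encryption, where the IV should be fresh and unpredictable for each file. I would write `/* create initialization vector; must be unpredictable and never reused with the same key */` so the reason for `genrandom(IV, AESbsize);` stays on record. `putfile` continues past the end of the hunk.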