Python/random.c - Issue 13703: Hash collision security issue

Side by Side Diff: Python/random.c

Issue 13703: Hash collision security issue

Patch Set: Created 1 year, 3 months ago

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments. Please Sign in to add in-line comments.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 #include "Python.h"

	2 #ifdef MS_WINDOWS

	3 #include <windows.h>

	4 #else

	5 #include <fcntl.h>

	6 #endif

	7

	8 static int random_initialized = 0;

	9

	10 #ifdef MS_WINDOWS

	11 typedef BOOL (WINAPI CRYPTACQUIRECONTEXTA)(HCRYPTPROV phProv,\

	12 LPCSTR pszContainer, LPCSTR pszProvider, DWORD dwProvType,\

	13 DWORD dwFlags );

	14 typedef BOOL (WINAPI *CRYPTGENRANDOM)(HCRYPTPROV hProv, DWORD dwLen,\

	15 BYTE *pbBuffer );

	16

	17 static CRYPTGENRANDOM pCryptGenRandom = NULL;

	18 /* This handle is never explicitly released. Instead, the operating

	19 system will release it when the process terminates. */

	20 static HCRYPTPROV hCryptProv = 0;

	21

	22 static int

	23 win32_urandom_init(int raise)

	24 {

	25 HINSTANCE hAdvAPI32 = NULL;

	26 CRYPTACQUIRECONTEXTA pCryptAcquireContext = NULL;

	27

	28 /* Obtain handle to the DLL containing CryptoAPI. This should not fail. */

	29 hAdvAPI32 = GetModuleHandle("advapi32.dll");

	30 if(hAdvAPI32 == NULL)

	31 goto error;

	32

	33 /* Obtain pointers to the CryptoAPI functions. This will fail on some early

	34 versions of Win95. */

	35 pCryptAcquireContext = (CRYPTACQUIRECONTEXTA)GetProcAddress(

	36 hAdvAPI32, "CryptAcquireContextA");

	37 if (pCryptAcquireContext == NULL)

	38 goto error;

	39

	40 pCryptGenRandom = (CRYPTGENRANDOM)GetProcAddress(hAdvAPI32,

	41 "CryptGenRandom");

	42 if (pCryptGenRandom == NULL)

	43 goto error;

	44

	45 /* Acquire context */

	46 if (! pCryptAcquireContext(&hCryptProv, NULL, NULL,

	47 PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))

	48 goto error;

	49

	50 return 0;

	51

	52 error:

	53 if (raise)

	54 PyErr_SetFromWindowsErr(0);

	55 else

	56 Py_FatalError("Failed to initialize Windows random API (CryptoGen)");

	57 return -1;

	58 }

	59

	60 /* Fill buffer with size pseudo-random bytes generated by the Windows CryptoGen

	61 API. Return 0 on success, or -1 on error. */

	62 static int

	63 win32_urandom(unsigned char *buffer, Py_ssize_t size, int raise)

	64 {

	65 Py_ssize_t orig_size = size;

	66 Py_ssize_t chunk;

	67

	68 if (hCryptProv == 0)

	69 {

	70 if (win32_urandom_init(raise) == -1)

	71 return -1;

	72 }

	73

	74 while (size > 0)

	75 {

	76 chunk = Py_MIN(size, INT_MAX);

	77 if (!pCryptGenRandom(hCryptProv, chunk, buffer))

	78 {

	79 /* CryptGenRandom() failed */

	80 if (raise)

	81 PyErr_SetFromWindowsErr(0);

	82 else

	83 Py_FatalError("Failed to initialized the randomized hash "

	84 "secret using CryptoGen)");

	85 return -1;

	86 }

	87 buffer += chunk;

	88 size -= chunk;

	89 }

	90 return 0;

	91 }

	92

	93 #else

	94

	95 /* Read size bytes from /dev/urandom into buffer.

	96 Call Py_FatalError() on error. */

	97 static void

	98 dev_urandom_noraise(char *buffer, Py_ssize_t size)

	99 {

	100 int fd;

	101 Py_ssize_t n;

	102

	103 assert (0 < size);

	104

	105 fd = open("/dev/urandom", O_RDONLY);

	106 if (fd < 0)

	107 Py_FatalError("Failed to open /dev/urandom");

	108

	109 while (0 < size)

	110 {

	111 do {

	112 n = read(fd, buffer, (size_t)size);

	113 } while (n < 0 && errno == EINTR);

	114 if (n <= 0)

	115 {

	116 /* stop on error or if read(size) returned 0 */

	117 Py_FatalError("Failed to read bytes from /dev/urandom");

	118 break;

	119 }

	120 buffer += n;

	121 size -= (Py_ssize_t)n;

	122 }

	123 close(fd);

	124 }

	125

	126 /* Read size bytes from /dev/urandom into buffer.

	127 Return 0 on success, raise an exception and return -1 on error. */

	128 static int

	129 dev_urandom_python(char *buffer, Py_ssize_t size)

	130 {

	131 int fd;

	132 Py_ssize_t n;

	133

	134 if (size <= 0)

	135 return 0;

	136

	137 Py_BEGIN_ALLOW_THREADS

	138 fd = open("/dev/urandom", O_RDONLY);

	139 Py_END_ALLOW_THREADS

	140 if (fd < 0)

	141 {

	142 PyErr_SetFromErrnoWithFilename(PyExc_OSError, "/dev/urandom");

	143 return -1;

	144 }

	145

	146 Py_BEGIN_ALLOW_THREADS

	147 do {

	148 do {

	149 n = read(fd, buffer, (size_t)size);

	150 } while (n < 0 && errno == EINTR);

	151 if (n <= 0)

	152 break;

	153 buffer += n;

	154 size -= (Py_ssize_t)n;

	155 } while (0 < size);

	156 Py_END_ALLOW_THREADS

	157

	158 if (n <= 0)

	159 {

	160 /* stop on error or if read(size) returned 0 */

	161 if (n < 0)

	162 PyErr_SetFromErrno(PyExc_OSError);

	163 else

	164 PyErr_Format(PyExc_RuntimeError,

	165 "Failed to read %zi bytes from /dev/urandom",

	166 size);

	167 close(fd);

	168 return -1;

	169 }

	170 close(fd);

	171 return 0;

	172 }

	173 #endif

	174

	175 /* Fill buffer with pseudo-random bytes generated by a linear congruent

	176 generator (LCG):

	177

	178 x(n+1) = (x(n) * 214013 + 2531011) % 2^32

	179

	180 Use bits 23..16 of x(n) to generate a byte. */

	181 static void

	182 lcg_urandom(unsigned int x0, unsigned char *buffer, size_t size)

	183 {

	184 size_t index;

	185 unsigned int x;

	186

	187 x = x0;

	188 for (index=0; index < size; index++) {

	189 x *= 214013;

	190 x += 2531011;

	191 /* modulo 2 ^ (8 * sizeof(int)) */

	192 buffer[index] = (x >> 16) & 0xff;

	193 }

	194 }

	195

	196 /* Fill buffer with size pseudo-random bytes, not suitable for cryptographic

	197 use, from the operating random number generator (RNG).

	198

	199 Return 0 on success, raise an exception and return -1 on error. */

	200 int

	201 _PyOS_URandom(void *buffer, Py_ssize_t size)

	202 {

	203 if (size < 0) {

	204 PyErr_Format(PyExc_ValueError,

	205 "negative argument not allowed");

	206 return -1;

	207 }

	208 if (size == 0)

	209 return 0;

	210

	211 #ifdef MS_WINDOWS

	212 return win32_urandom((unsigned char *)buffer, size, 1);

	213 #else

	214 return dev_urandom_python((char*)buffer, size);

	215 #endif

	216 }

	217

	218 void

	219 _PyRandom_Init(void)

	220 {

	221 char *env;

	222 void *secret = &_Py_HashSecret;

	223 Py_ssize_t secret_size = sizeof(_Py_HashSecret);

	224

	225 if (random_initialized)

	226 return;

	227 random_initialized = 1;

	228

	229 /*

	230 By default, hash randomization is disabled, and only

	231 enabled if PYTHONHASHRANDOMIZATION is set to non-empty

	232 */

	233 env = Py_GETENV("PYTHONHASHRANDOMIZATION");

	234 if (!env \|\| *env == '\0') {

	235 /* Not found: disable the randomized hash: */

	236 memset(secret, 0, secret_size);

	237 return;

	238 }

	239

	240 /*

	241 PYTHONHASHRANDOMIZATION was found; generate a per-process secret,

	242 using PYTHONHASHSEED if provided.

	243 */

	244

	245 env = Py_GETENV("PYTHONHASHSEED");

	246 if (env && *env != '\0') {

	247 char *endptr = env;

	248 unsigned long seed;

	249 seed = strtoul(env, &endptr, 10);

	250 if (*endptr != '\0'

	251 \|\| seed > 4294967295UL

	252 \|\| (errno == ERANGE && seed == ULONG_MAX))

	253 {

	254 Py_FatalError("PYTHONHASHSEED must be an integer "

	255 "in range [0; 4294967295]");

	256 }

	257 if (seed == 0) {

	258 /* disable the randomized hash */

	259 memset(secret, 0, secret_size);

	260 }

	261 else {

	262 lcg_urandom(seed, (unsigned char*)secret, secret_size);

	263 }

	264 }

	265 else {

	266 #ifdef MS_WINDOWS

	267 #if 1

	268 (void)win32_urandom((unsigned char *)secret, secret_size, 0);

	269 #else

	270 /* fast but weak RNG (fast initialization, weak seed) */

	271 _PyTime_timeval t;

	272 unsigned int seed;

	273 _PyTime_gettimeofday(&t);

	274 seed = (unsigned int)t.tv_sec;

	275 seed ^= t.tv_usec;

	276 seed ^= getpid();

	277 lcg_urandom(seed, (unsigned char*)secret, secret_size);

	278 #endif

	279 #else /* #ifdef MS_WINDOWS */

	280 dev_urandom_noraise((char*)secret, secret_size);

	281 #endif

	282 }

	283 }

	284

OLD	NEW

« Modules/posixmodule.c ('K') | « Python/pythonrun.c ('k') | no next file » | no next file with comments »