Changeset 214329 in webkit

Timestamp:

Mar 23, 2017, 6:36:06 PM (8 years ago)

Author:

Michael Catanzaro

Message:

window.crypto.getRandomValues() uses the insecure RC4 RNG
​https://bugs.webkit.org/show_bug.cgi?id=169623

Reviewed by Alex Christensen.

Source/WebCore:

• PlatformMac.cmake:
• WebCore.xcodeproj/project.pbxproj:
• crypto/CryptoKey.cpp:

(WebCore::CryptoKey::randomData): Use this on Mac now.

• crypto/mac/CryptoKeyMac.cpp: Removed.
• page/Crypto.cpp:

(WebCore::Crypto::getRandomValues): Rollout r214188.

Source/WTF:

Remove the RC4 random generator in favor of using OS randomness for now. This is basically
a merge of ​https://codereview.chromium.org/1431233002 from Blink, original author "eroman".

• wtf/CryptographicallyRandomNumber.cpp:

(WTF::cryptographicallyRandomNumber):
(WTF::cryptographicallyRandomValues):
(): Deleted.

Location:

trunk/Source

Files:

• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/CryptographicallyRandomNumber.cpp (modified) (2 diffs)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/PlatformMac.cmake (modified) (1 diff)
• WebCore/WebCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• WebCore/crypto/CryptoKey.cpp (modified) (2 diffs)
• WebCore/crypto/mac/CryptoKeyMac.cpp (deleted)
• WebCore/page/Crypto.cpp (modified) (2 diffs)

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2017-03-23  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        window.crypto.getRandomValues() uses the insecure RC4 RNG
+        https://bugs.webkit.org/show_bug.cgi?id=169623
+
+        Reviewed by Alex Christensen.
+
+        Remove the RC4 random generator in favor of using OS randomness for now. This is basically
+        a merge of https://codereview.chromium.org/1431233002 from Blink, original author "eroman".
+
+        * wtf/CryptographicallyRandomNumber.cpp:
+        (WTF::cryptographicallyRandomNumber):
+        (WTF::cryptographicallyRandomValues):
+        (): Deleted.
+
 2017-03-23  Tomas Popela  <tpopela@redhat.com>
 

trunk/Source/WTF/wtf/CryptographicallyRandomNumber.cpp

@@ -1 +1 @@
 /*
- * Copyright (c) 1996, David Mazieres <dm@uun.org>
- * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
+ * Copyright (C) 2017 Igalia S.L.
  *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Arc4 random number generator for OpenBSD.
- *
- * This code is derived from section 17.1 of Applied Cryptography,
- * second edition, which describes a stream cipher allegedly
- * compatible with RSA Labs "RC4" cipher (the actual description of
- * which is a trade secret).  The same algorithm is used as a stream
- * cipher called "arcfour" in Tatu Ylonen's ssh package.
- *
- * RC4 is a registered trademark of RSA Laboratories.
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
  */
 
@@ -31 +27 @@
 #include "CryptographicallyRandomNumber.h"
 
-#include "NeverDestroyed.h"
 #include "OSRandomSource.h"
-#include <mutex>
-#include <wtf/Lock.h>
 
 namespace WTF {
 
-namespace {
-
-class ARC4Stream {
-public:
-    ARC4Stream();
-
-    uint8_t i;
-    uint8_t j;
-    uint8_t s[256];
-};
-
-class ARC4RandomNumberGenerator {
-    WTF_MAKE_FAST_ALLOCATED;
-public:
-    ARC4RandomNumberGenerator();
-
-    uint32_t randomNumber();
-    void randomValues(void* buffer, size_t length);
-
-private:
-    inline void addRandomData(unsigned char *data, int length);
-    void stir();
-    void stirIfNeeded();
-    inline uint8_t getByte();
-    inline uint32_t getWord();
-
-    ARC4Stream m_stream;
-    int m_count;
-    Lock m_mutex;
-};
-
-ARC4Stream::ARC4Stream()
+uint32_t cryptographicallyRandomNumber()
 {
-    for (int n = 0; n < 256; n++)
-        s[n] = n;
-    i = 0;
-    j = 0;
+    uint32_t result;
+    cryptographicallyRandomValues(&result, sizeof(result));
+    return result;
 }
 
-ARC4RandomNumberGenerator::ARC4RandomNumberGenerator()
-    : m_count(0)
+// FIXME: It is slow to always get the values directly from the OS.
+void cryptographicallyRandomValues(void* buffer, size_t length)
 {
-}
-
-void ARC4RandomNumberGenerator::addRandomData(unsigned char* data, int length)
-{
-    m_stream.i--;
-    for (int n = 0; n < 256; n++) {
-        m_stream.i++;
-        uint8_t si = m_stream.s[m_stream.i];
-        m_stream.j += si + data[n % length];
-        m_stream.s[m_stream.i] = m_stream.s[m_stream.j];
-        m_stream.s[m_stream.j] = si;
-    }
-    m_stream.j = m_stream.i;
-}
-
-void ARC4RandomNumberGenerator::stir()
-{
-    unsigned char randomness[128];
-    size_t length = sizeof(randomness);
-    cryptographicallyRandomValuesFromOS(randomness, length);
-    addRandomData(randomness, length);
-
-    // Discard early keystream, as per recommendations in:
-    // http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
-    for (int i = 0; i < 256; i++)
-        getByte();
-    m_count = 1600000;
-}
-
-void ARC4RandomNumberGenerator::stirIfNeeded()
-{
-    if (m_count <= 0)
-        stir();
-}
-
-uint8_t ARC4RandomNumberGenerator::getByte()
-{
-    m_stream.i++;
-    uint8_t si = m_stream.s[m_stream.i];
-    m_stream.j += si;
-    uint8_t sj = m_stream.s[m_stream.j];
-    m_stream.s[m_stream.i] = sj;
-    m_stream.s[m_stream.j] = si;
-    return (m_stream.s[(si + sj) & 0xff]);
-}
-
-uint32_t ARC4RandomNumberGenerator::getWord()
-{
-    uint32_t val;
-    val = getByte() << 24;
-    val |= getByte() << 16;
-    val |= getByte() << 8;
-    val |= getByte();
-    return val;
-}
-
-uint32_t ARC4RandomNumberGenerator::randomNumber()
-{
-    std::lock_guard<Lock> lock(m_mutex);
-
-    m_count -= 4;
-    stirIfNeeded();
-    return getWord();
-}
-
-void ARC4RandomNumberGenerator::randomValues(void* buffer, size_t length)
-{
-    std::lock_guard<Lock> lock(m_mutex);
-
-    unsigned char* result = reinterpret_cast<unsigned char*>(buffer);
-    stirIfNeeded();
-    while (length--) {
-        m_count--;
-        stirIfNeeded();
-        result[length] = getByte();
-    }
-}
-
-ARC4RandomNumberGenerator& sharedRandomNumberGenerator()
-{
-    static NeverDestroyed<ARC4RandomNumberGenerator> randomNumberGenerator;
-
-    return randomNumberGenerator;
+    cryptographicallyRandomValuesFromOS(static_cast<unsigned char*>(buffer), length);
 }
 
 }
-
-uint32_t cryptographicallyRandomNumber()
-{
-    return sharedRandomNumberGenerator().randomNumber();
-}
-
-void cryptographicallyRandomValues(void* buffer, size_t length)
-{
-    sharedRandomNumberGenerator().randomValues(buffer, length);
-}
-
-}

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-03-23  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        window.crypto.getRandomValues() uses the insecure RC4 RNG
+        https://bugs.webkit.org/show_bug.cgi?id=169623
+
+        Reviewed by Alex Christensen.
+
+        * PlatformMac.cmake:
+        * WebCore.xcodeproj/project.pbxproj:
+        * crypto/CryptoKey.cpp:
+        (WebCore::CryptoKey::randomData): Use this on Mac now.
+        * crypto/mac/CryptoKeyMac.cpp: Removed.
+        * page/Crypto.cpp:
+        (WebCore::Crypto::getRandomValues): Rollout r214188.
+
 2017-03-23  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/PlatformMac.cmake

@@ -219 +219 @@
     crypto/mac/CryptoAlgorithmRegistryMac.cpp
     crypto/mac/CryptoKeyECMac.cpp
-    crypto/mac/CryptoKeyMac.cpp
     crypto/mac/CryptoKeyRSAMac.cpp
     crypto/mac/SerializedCryptoKeyWrapMac.mm

trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -6511 +6511 @@
                 E19AC3F51824DC7900349426 /* CryptoAlgorithmSHA512.h in Headers */ = {isa = PBXBuildFile; fileRef = E19AC3ED1824DC7900349426 /* CryptoAlgorithmSHA512.h */; };
                 E19AC3F71824E5D100349426 /* CryptoAlgorithmAesKeyGenParamsDeprecated.h in Headers */ = {isa = PBXBuildFile; fileRef = E19AC3F61824E5D100349426 /* CryptoAlgorithmAesKeyGenParamsDeprecated.h */; };
-                E19AC3F9182566F700349426 /* CryptoKeyMac.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E19AC3F8182566F700349426 /* CryptoKeyMac.cpp */; };
                 E19DA29C18189ADD00088BC8 /* CryptoAlgorithmHmacKeyParamsDeprecated.h in Headers */ = {isa = PBXBuildFile; fileRef = E19DA29B18189ADD00088BC8 /* CryptoAlgorithmHmacKeyParamsDeprecated.h */; };
                 E1A1470811102B1500EEC0F3 /* ContainerNodeAlgorithms.h in Headers */ = {isa = PBXBuildFile; fileRef = E1A1470711102B1500EEC0F3 /* ContainerNodeAlgorithms.h */; };
@@ -14974 +14973 @@
                 E19AC3ED1824DC7900349426 /* CryptoAlgorithmSHA512.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CryptoAlgorithmSHA512.h; sourceTree = "<group>"; };
                 E19AC3F61824E5D100349426 /* CryptoAlgorithmAesKeyGenParamsDeprecated.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CryptoAlgorithmAesKeyGenParamsDeprecated.h; sourceTree = "<group>"; };
-                E19AC3F8182566F700349426 /* CryptoKeyMac.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CryptoKeyMac.cpp; sourceTree = "<group>"; };
                 E19DA29B18189ADD00088BC8 /* CryptoAlgorithmHmacKeyParamsDeprecated.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CryptoAlgorithmHmacKeyParamsDeprecated.h; sourceTree = "<group>"; };
                 E1A1470711102B1500EEC0F3 /* ContainerNodeAlgorithms.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ContainerNodeAlgorithms.h; sourceTree = "<group>"; };
@@ -24238 +24236 @@
                                 E1C266D618317AB4003F8B33 /* CryptoAlgorithmRSASSA_PKCS1_v1_5Mac.cpp */,
                                 5750A97A1E69161600705C4A /* CryptoKeyECMac.cpp */,
-                                E19AC3F8182566F700349426 /* CryptoKeyMac.cpp */,
                                 E164FAA418315E1A00DB4E61 /* CryptoKeyRSAMac.cpp */,
                                 E18DF33618AAF14D00773E59 /* SerializedCryptoKeyWrapMac.mm */,
@@ -30569 +30566 @@
                                 5750A97B1E69161600705C4A /* CryptoKeyECMac.cpp in Sources */,
                                 E125F8351822F18A00D84CD9 /* CryptoKeyHMAC.cpp in Sources */,
-                                E19AC3F9182566F700349426 /* CryptoKeyMac.cpp in Sources */,
                                 57E657E01E71397800F941CA /* CryptoKeyRaw.cpp in Sources */,
                                 57E2336B1DCC262400F28D01 /* CryptoKeyRSA.cpp in Sources */,

trunk/Source/WebCore/crypto/CryptoKey.cpp

@@ -69 +69 @@
 }
 
-#if !OS(DARWIN) || PLATFORM(GTK)
 Vector<uint8_t> CryptoKey::randomData(size_t size)
 {
@@ -76 +75 @@
     return result;
 }
-#endif
 
 } // namespace WebCore

trunk/Source/WebCore/page/Crypto.cpp

@@ -32 +32 @@
 #include "Crypto.h"
 
-#if OS(DARWIN)
-#include "CommonCryptoUtilities.h"
-#endif
 #include "Document.h"
 #include "ExceptionCode.h"
@@ -62 +59 @@
     if (array.byteLength() > 65536)
         return Exception { QUOTA_EXCEEDED_ERR };
-#if OS(DARWIN)
-    int rc = CCRandomCopyBytes(kCCRandomDefault, array.baseAddress(), array.byteLength());
-    RELEASE_ASSERT(rc == kCCSuccess);
-#else
     cryptographicallyRandomValues(array.baseAddress(), array.byteLength());
-#endif
     return { };
 }