Use secure random generator on macOS

jserv · jserv · commit 078ecc905882 · 2023-02-05T17:43:44.000+08:00
The implementation of arc4random_buf differs from its documentation. It is documented as "always successful, and no return value is reserved to indicate an error" for the sake of FreeBSD compatibility [1]. However, the actual implementation on macOS invokes function "ccrng_generate" [2] without validating the error cases. It might fail silently[3], which leads to unexpected source of entropy. The original arc4random used the RC4 a.k.a. ARC4 algorithm, and ChaCha20 based implementation was introduced in FreeBSD 12.0. Since macOS 10.12, it was replaced with the NIST-approved AES cipher, and it may be replaced again in the future as cryptographic techniques advance. Therefore, we should not assume that arc4random never fails. On the contrary, CCRandomGenerateBytes(), part of Cryptographic Services [4], returns cryptographically strong random bits with explicit status code. This patch properly calls CCRandomGenerateBytes() and checks the status. [1] https://www.freebsd.org/cgi/man.cgi?query=arc4random_buf [2] https://opensource.apple.com/source/CommonCrypto/CommonCrypto-60178.40.2/lib/CommonRandom.c.auto.html [3] https://opensource.apple.com/source/Libc/Libc-1439.40.11/gen/FreeBSD/arc4random.c.auto.html [4] https://developer.apple.com/documentation/security
diff --git a/random.c b/random.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2023 National Cheng Kung University, Taiwan.
  * Copyright (c) 2017 Daan Sprenkels <daan@dsprenkels.com>
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -253,10 +254,27 @@ static int randombytes_linux_randombytes_urandom(void *buf, size_t n)
 #endif /* defined(__linux__) && !defined(SYS_getrandom) */
 
 #if defined(BSD)
+#if defined(__APPLE__)
+#include <AvailabilityMacros.h>
+#if defined(MAC_OS_X_VERSION_10_10) && \
+    MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_10
+#include <CommonCrypto/CommonCryptoError.h>
+#include <CommonCrypto/CommonRandom.h>
+#endif
+#endif
 static int randombytes_bsd_randombytes(void *buf, size_t n)
 {
+#if defined(MAC_OS_X_VERSION_10_15) && \
+    MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_15
+    /* We prefere CCRandomGenerateBytes as it returns an error code while
+     * arc4random_buf may fail silently on macOS. See PR #390, and
+     * <https://opensource.apple.com/source/Libc/Libc-1439.40.11/gen/FreeBSD/arc4random.c.auto.html>
+     */
+    return (CCRandomGenerateBytes(buf, n) == kCCSuccess);
+#else
     arc4random_buf(buf, n);
     return 0;
+#endif
 }
 #endif
 
@@ -274,7 +292,6 @@ int randombytes(uint8_t *buf, size_t n)
     return randombytes_linux_randombytes_urandom(buf, n);
 #endif
 #elif defined(BSD)
-    /* Use arc4random system call */
     return randombytes_bsd_randombytes(buf, n);
 #else
 #error "randombytes(...) is not supported on this platform"
