Meta+LibCrypto: Add SecureRandom and replace PRNG usage with it

This adds a thin wrapper to LibCrypto for generating cryptographically secure random values and replaces current usages of PRNG within LibCrypto as well.
2025-12-22 09:19:03 +00:00 · 2024-12-20 10:32:11 -06:00
parent b981e6f7bc
commit f55f507e56
10 changed files with 50 additions and 6 deletions
--- a/Libraries/LibCrypto/CMakeLists.txt
+++ b/Libraries/LibCrypto/CMakeLists.txt
@@ -31,6 +31,7 @@ set(SOURCES
    NumberTheory/ModularFunctions.cpp
    PK/RSA.cpp
    PK/EC.cpp
+    SecureRandom.cpp
 )

 serenity_lib(LibCrypto crypto)
--- a/Libraries/LibCrypto/Curves/Ed25519.cpp
+++ b/Libraries/LibCrypto/Curves/Ed25519.cpp
@@ -8,6 +8,7 @@
 #include <LibCrypto/Curves/Curve25519.h>
 #include <LibCrypto/Curves/Ed25519.h>
 #include <LibCrypto/Hash/SHA2.h>
+#include <LibCrypto/SecureRandom.h>

 namespace Crypto::Curves {

@@ -19,7 +20,7 @@ ErrorOr<ByteBuffer> Ed25519::generate_private_key()
    // about randomness.

    auto buffer = TRY(ByteBuffer::create_uninitialized(key_size()));
-    fill_with_random(buffer);
+    fill_with_secure_random(buffer);
    return buffer;
 }

--- a/Libraries/LibCrypto/Curves/SECPxxxr1.h
+++ b/Libraries/LibCrypto/Curves/SECPxxxr1.h
@@ -18,6 +18,7 @@
 #include <AK/UFixedBigIntDivision.h>
 #include <LibCrypto/ASN1/DER.h>
 #include <LibCrypto/Curves/EllipticCurve.h>
+#include <LibCrypto/SecureRandom.h>

 namespace {
 // Used by ASN1 macros
@@ -230,7 +231,7 @@ public:
    ErrorOr<ByteBuffer> generate_private_key() override
    {
        auto buffer = TRY(ByteBuffer::create_uninitialized(KEY_BYTE_SIZE));
-        fill_with_random(buffer);
+        fill_with_secure_random(buffer);
        return buffer;
    }

--- a/Libraries/LibCrypto/Curves/X25519.cpp
+++ b/Libraries/LibCrypto/Curves/X25519.cpp
@@ -8,6 +8,7 @@
 #include <AK/Random.h>
 #include <LibCrypto/Curves/Curve25519.h>
 #include <LibCrypto/Curves/X25519.h>
+#include <LibCrypto/SecureRandom.h>

 namespace Crypto::Curves {

@@ -29,7 +30,7 @@ static void conditional_swap(u32* first, u32* second, u32 condition)
 ErrorOr<ByteBuffer> X25519::generate_private_key()
 {
    auto buffer = TRY(ByteBuffer::create_uninitialized(BYTES));
-    fill_with_random(buffer);
+    fill_with_secure_random(buffer);
    return buffer;
 }

--- a/Libraries/LibCrypto/Curves/X448.cpp
+++ b/Libraries/LibCrypto/Curves/X448.cpp
@@ -8,6 +8,7 @@
 #include <AK/Endian.h>
 #include <AK/Random.h>
 #include <LibCrypto/Curves/X448.h>
+#include <LibCrypto/SecureRandom.h>

 namespace Crypto::Curves {

@@ -291,7 +292,7 @@ static void modular_multiply_inverse(u32* state, u32* value)
 ErrorOr<ByteBuffer> X448::generate_private_key()
 {
    auto buffer = TRY(ByteBuffer::create_uninitialized(BYTES));
-    fill_with_random(buffer);
+    fill_with_secure_random(buffer);
    return buffer;
 }

--- a/Libraries/LibCrypto/NumberTheory/ModularFunctions.cpp
+++ b/Libraries/LibCrypto/NumberTheory/ModularFunctions.cpp
@@ -8,6 +8,7 @@
 #include <AK/Random.h>
 #include <LibCrypto/BigInt/Algorithms/UnsignedBigIntegerAlgorithms.h>
 #include <LibCrypto/NumberTheory/ModularFunctions.h>
+#include <LibCrypto/SecureRandom.h>

 namespace Crypto::NumberTheory {

@@ -172,7 +173,7 @@ UnsignedBigInteger random_number(UnsignedBigInteger const& min, UnsignedBigInteg
    auto buffer = ByteBuffer::create_uninitialized(size).release_value_but_fixme_should_propagate_errors(); // FIXME: Handle possible OOM situation.
    auto* buf = buffer.data();

-    fill_with_random(buffer);
+    fill_with_secure_random(buffer);
    UnsignedBigInteger random { buf, size };
    // At this point, `random` is a large number, in the range [0, 256^size).
    // To get down to the actual range, we could just compute random % range.
--- a/Libraries/LibCrypto/PK/RSA.cpp
+++ b/Libraries/LibCrypto/PK/RSA.cpp
@@ -12,6 +12,7 @@
 #include <LibCrypto/ASN1/PEM.h>
 #include <LibCrypto/Certificate/Certificate.h>
 #include <LibCrypto/PK/RSA.h>
+#include <LibCrypto/SecureRandom.h>

 namespace Crypto::PK {

@@ -253,7 +254,7 @@ void RSA_PKCS1_EME::encrypt(ReadonlyBytes in, Bytes& out)
    Vector<u8, 8096> ps;
    ps.resize(ps_length);

-    fill_with_random(ps);
+    fill_with_secure_random(ps);
    // since fill_with_random can create zeros (shocking!)
    // we have to go through and un-zero the zeros
    for (size_t i = 0; i < ps_length; ++i) {
--- a/Libraries/LibCrypto/SecureRandom.cpp
+++ b/Libraries/LibCrypto/SecureRandom.cpp
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024, the Ladybird developers.
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibCrypto/SecureRandom.h>
+
+#include <openssl/rand.h>
+
+namespace Crypto {
+
+void fill_with_secure_random(Bytes bytes)
+{
+    auto const size = static_cast<int>(bytes.size());
+
+    if (RAND_bytes(bytes.data(), size) != 1)
+        VERIFY_NOT_REACHED();
+}
+
+}
--- a/Libraries/LibCrypto/SecureRandom.h
+++ b/Libraries/LibCrypto/SecureRandom.h
@@ -0,0 +1,15 @@
+/*
+ * Copyright (c) 2024, the Ladybird developers.
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <AK/Span.h>
+
+namespace Crypto {
+
+void fill_with_secure_random(Bytes);
+
+}
--- a/Meta/gn/secondary/Userland/Libraries/LibCrypto/BUILD.gn
+++ b/Meta/gn/secondary/Userland/Libraries/LibCrypto/BUILD.gn
@@ -39,5 +39,6 @@ shared_library("LibCrypto") {
    "Hash/SHA2.cpp",
    "NumberTheory/ModularFunctions.cpp",
    "PK/RSA.cpp",
+    "SecureRandom.cpp",
  ]
 }