commit a68a8045387e60771e69c53eaa1e4283eab517e4
author James Feist <james.feist@linux.intel.com> Wed Apr 15 15:46:44 2020 -0700
committer James Feist <james.feist@linux.intel.com> Fri Apr 17 11:05:51 2020 -0700
tree 31e7a4534cdadf42d0686687efe698c5e722e1ce
parent 7af9151495a18c805b45764b4bba6302ec214efb

Use CPRNG for session secrets generation

std::random_device is not a cryptographically secure
algorithm. Switch to RAND_bytes instead.

Tested: Login and logout works as expected

Change-Id: If24fa6c3a0652c011bc50ae611b180f342d68433
Signed-off-by: James Feist <james.feist@linux.intel.com>

include/sessions.hpp

diff --git a/include/sessions.hpp b/include/sessions.hpp
index 8ff903a..c2fcf31 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -1,5 +1,7 @@
 #pragma once
 
+#include <openssl/rand.h>
+
 #include <boost/container/flat_map.hpp>
 #include <boost/uuid/uuid.hpp>
 #include <boost/uuid/uuid_generators.hpp>
@@ -147,6 +149,45 @@
 
 class Middleware;
 
+struct OpenSSLGenerator
+{
+
+    uint8_t operator()(void)
+    {
+        uint8_t index = 0;
+        int rc = RAND_bytes(&index, sizeof(index));
+        if (rc != opensslSuccess)
+        {
+            std::cerr << "Cannot get random number\n";
+            err = true;
+        }
+
+        return index;
+    };
+
+    uint8_t max()
+    {
+        return std::numeric_limits<uint8_t>::max();
+    }
+    uint8_t min()
+    {
+        return std::numeric_limits<uint8_t>::min();
+    }
+
+    bool error()
+    {
+        return err;
+    }
+
+    // all generators require this variable
+    using result_type = uint8_t;
+
+  private:
+    // RAND_bytes() returns 1 on success, 0 otherwise. -1 if bad function
+    static constexpr int opensslSuccess = 1;
+    bool err = false;
+};
+
 class SessionStore
 {
   public:
@@ -166,23 +207,38 @@
         std::string sessionToken;
         sessionToken.resize(sessionTokenSize, '0');
         std::uniform_int_distribution<size_t> dist(0, alphanum.size() - 1);
+
+        OpenSSLGenerator gen;
+
         for (size_t i = 0; i < sessionToken.size(); ++i)
         {
-            sessionToken[i] = alphanum[dist(rd)];
+            sessionToken[i] = alphanum[dist(gen)];
+            if (gen.error())
+            {
+                return nullptr;
+            }
         }
         // Only need csrf tokens for cookie based auth, token doesn't matter
         std::string csrfToken;
         csrfToken.resize(sessionTokenSize, '0');
         for (size_t i = 0; i < csrfToken.size(); ++i)
         {
-            csrfToken[i] = alphanum[dist(rd)];
+            csrfToken[i] = alphanum[dist(gen)];
+            if (gen.error())
+            {
+                return nullptr;
+            }
         }
 
         std::string uniqueId;
         uniqueId.resize(10, '0');
         for (size_t i = 0; i < uniqueId.size(); ++i)
         {
-            uniqueId[i] = alphanum[dist(rd)];
+            uniqueId[i] = alphanum[dist(gen)];
+            if (gen.error())
+            {
+                return nullptr;
+            }
         }
 
         auto session = std::make_shared<UserSession>(UserSession{
@@ -324,7 +380,6 @@
                        std::hash<std::string>,
                        crow::utility::ConstantTimeCompare>
         authTokens;
-    std::random_device rd;
     bool needWrite{false};
     std::chrono::minutes timeoutInMinutes;
     AuthConfigMethods authMethodsConfig;