[BlueZ PATCH 0/5] Replace random number generation function

[BlueZ PATCH 0/5] Replace random number generation function

[Tedd Ho-Jeong An]

From: Tedd Ho-Jeong An <tedd.an@intel.com>

This series of patch replaces the standard random number generation
function, rand() to the l_getrandom() from the ELL, which is based on
getrandom() system call.

The Coverity scan reported (CWE-676):
  rand() should not be used for security-related applications, because
  linear congruential algorithms are too easy to break.

This patches replaces the rand() to l_getrandom() from ELL. It is based
on the getrandom() syscall, which provides more secure random number
than the standard rand().

Tedd Ho-Jeong An (5):
  emulator: Replace random number generation function
  peripheral: Replace random number generation function
  tools/btgatt-server: Replace random number generation function
  plugins: Replace random number generation function
  profiles/health: Replace random number generation function

 Makefile.plugins      |  2 ++
 Makefile.tools        | 10 ++++++----
 emulator/le.c         |  4 ++--
 emulator/phy.c        |  6 ++++--
 peripheral/main.c     |  8 +++-----
 plugins/autopair.c    |  3 ++-
 profiles/health/hdp.c |  8 ++++----
 tools/btgatt-server.c |  3 ++-
 8 files changed, 25 insertions(+), 19 deletions(-)

-- 
2.25.1

[BlueZ PATCH 1/5] emulator: Replace random number generation function

[Tedd Ho-Jeong An]

From: Tedd Ho-Jeong An <tedd.an@intel.com>

This patch replaces the rand() function to the l_getrandom() from ELL,
which uses the getrandom() system call.

It was reported by the Coverity scan
  rand() should not be used for security-related applications, because
  linear congruential algorithms are too easy to break
---
 Makefile.tools | 3 ++-
 emulator/le.c  | 4 ++--
 emulator/phy.c | 6 ++++--
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/Makefile.tools b/Makefile.tools
index c7bdff83f..8312d4d27 100644
--- a/Makefile.tools
+++ b/Makefile.tools
@@ -93,7 +93,8 @@ emulator_btvirt_SOURCES = emulator/main.c monitor/bt.h \
 				emulator/phy.h emulator/phy.c \
 				emulator/amp.h emulator/amp.c \
 				emulator/le.h emulator/le.c
-emulator_btvirt_LDADD = lib/libbluetooth-internal.la src/libshared-mainloop.la
+emulator_btvirt_LDADD = lib/libbluetooth-internal.la src/libshared-mainloop.la \
+				src/libshared-ell.la $(ell_ldadd)
 
 emulator_b1ee_SOURCES = emulator/b1ee.c
 emulator_b1ee_LDADD = src/libshared-mainloop.la
diff --git a/emulator/le.c b/emulator/le.c
index 07a44c5f1..fed3a7815 100644
--- a/emulator/le.c
+++ b/emulator/le.c
@@ -21,6 +21,7 @@
 #include <sys/un.h>
 #include <sys/uio.h>
 #include <time.h>
+#include <ell/ell.h>
 
 #include "lib/bluetooth.h"
 #include "lib/hci.h"
@@ -506,8 +507,7 @@ static unsigned int get_adv_delay(void)
 	/* The advertising delay is a pseudo-random value with a range
 	 * of 0 ms to 10 ms generated for each advertising event.
 	 */
-	srand(time(NULL));
-	return (rand() % 11);
+	return (l_getrandom_uint32() % 11);
 }
 
 static void adv_timeout_callback(int id, void *user_data)
diff --git a/emulator/phy.c b/emulator/phy.c
index 2ae6ad3a2..570a9c975 100644
--- a/emulator/phy.c
+++ b/emulator/phy.c
@@ -22,6 +22,7 @@
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <time.h>
+#include <ell/ell.h>
 
 #include "src/shared/util.h"
 #include "src/shared/mainloop.h"
@@ -152,6 +153,7 @@ static int create_tx_socket(void)
 struct bt_phy *bt_phy_new(void)
 {
 	struct bt_phy *phy;
+	uint64_t phy_id;
 
 	phy = calloc(1, sizeof(*phy));
 	if (!phy)
@@ -173,8 +175,8 @@ struct bt_phy *bt_phy_new(void)
 	mainloop_add_fd(phy->rx_fd, EPOLLIN, phy_rx_callback, phy, NULL);
 
 	if (!get_random_bytes(&phy->id, sizeof(phy->id))) {
-		srandom(time(NULL));
-		phy->id = random();
+		l_getrandom(&phy_id, sizeof(phy_id));
+		phy->id = phy_id;
 	}
 
 	bt_phy_send(phy, BT_PHY_PKT_NULL, NULL, 0);
-- 
2.25.1

[BlueZ PATCH 2/5] peripheral: Replace random number generation function

[Tedd Ho-Jeong An]

From: Tedd Ho-Jeong An <tedd.an@intel.com>

This patch replaces the rand() function to the l_getrandom() from ELL,
which uses the getrandom() system call.

It was reported by the Coverity scan
  rand() should not be used for security-related applications, because
  linear congruential algorithms are too easy to break
---
 Makefile.tools    | 3 ++-
 peripheral/main.c | 8 +++-----
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/Makefile.tools b/Makefile.tools
index 8312d4d27..63b52c386 100644
--- a/Makefile.tools
+++ b/Makefile.tools
@@ -109,7 +109,8 @@ peripheral_btsensor_SOURCES = peripheral/main.c \
 				peripheral/gap.h peripheral/gap.c \
 				peripheral/gatt.h peripheral/gatt.c
 peripheral_btsensor_LDADD = src/libshared-mainloop.la \
-				lib/libbluetooth-internal.la
+				lib/libbluetooth-internal.la \
+				src/libshared-ell.la $(ell_ldadd)
 
 tools_3dsp_SOURCES = tools/3dsp.c monitor/bt.h
 tools_3dsp_LDADD = src/libshared-mainloop.la
diff --git a/peripheral/main.c b/peripheral/main.c
index 86b52236e..f7ac043a0 100644
--- a/peripheral/main.c
+++ b/peripheral/main.c
@@ -25,6 +25,7 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/mount.h>
+#include <ell/ell.h>
 
 #ifndef WAIT_ANY
 #define WAIT_ANY (-1)
@@ -191,11 +192,8 @@ int main(int argc, char *argv[])
 							addr, 6) < 0) {
 			printf("Generating new persistent static address\n");
 
-			addr[0] = rand();
-			addr[1] = rand();
-			addr[2] = rand();
-			addr[3] = 0x34;
-			addr[4] = 0x12;
+			l_getrandom(addr, 6);
+			/* Update the MSB to make it a static address */
 			addr[5] = 0xc0;
 
 			efivars_write("BluetoothStaticAddress",
-- 
2.25.1

[BlueZ PATCH 3/5] tools/btgatt-server: Replace random number generation function

[Tedd Ho-Jeong An]

From: Tedd Ho-Jeong An <tedd.an@intel.com>

This patch replaces the rand() function to the l_getrandom() from ELL,
which uses the getrandom() system call.

It was reported by the Coverity scan
  rand() should not be used for security-related applications, because
  linear congruential algorithms are too easy to break
---
 Makefile.tools        | 4 ++--
 tools/btgatt-server.c | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/Makefile.tools b/Makefile.tools
index 63b52c386..45470b767 100644
--- a/Makefile.tools
+++ b/Makefile.tools
@@ -287,8 +287,8 @@ tools_btgatt_client_LDADD = src/libshared-mainloop.la \
 
 tools_btgatt_server_SOURCES = tools/btgatt-server.c src/uuid-helper.c
 tools_btgatt_server_LDADD = src/libshared-mainloop.la \
-						lib/libbluetooth-internal.la
-
+				lib/libbluetooth-internal.la \
+				src/libshared-ell.la $(ell_ldadd)
 tools_rctest_LDADD = lib/libbluetooth-internal.la
 
 tools_l2test_LDADD = lib/libbluetooth-internal.la
diff --git a/tools/btgatt-server.c b/tools/btgatt-server.c
index 000145a3d..d2a877275 100644
--- a/tools/btgatt-server.c
+++ b/tools/btgatt-server.c
@@ -20,6 +20,7 @@
 #include <getopt.h>
 #include <unistd.h>
 #include <errno.h>
+#include <ell/ell.h>
 
 #include "lib/bluetooth.h"
 #include "lib/hci.h"
@@ -286,7 +287,7 @@ static bool hr_msrmt_cb(void *user_data)
 	uint32_t cur_ee;
 
 	pdu[0] = 0x06;
-	pdu[1] = 90 + (rand() % 40);
+	pdu[1] = 90 + (l_getrandom_uint32() % 40);
 
 	if (expended_present) {
 		pdu[0] |= 0x08;
-- 
2.25.1

[BlueZ PATCH 4/5] plugins: Replace random number generation function

[Tedd Ho-Jeong An]

From: Tedd Ho-Jeong An <tedd.an@intel.com>

This patch replaces the rand() function to the l_getrandom() from ELL,
which uses the getrandom() system call.

It was reported by the Coverity scan
  rand() should not be used for security-related applications, because
  linear congruential algorithms are too easy to break
---
 Makefile.plugins   | 1 +
 plugins/autopair.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/Makefile.plugins b/Makefile.plugins
index 7693c767f..c771b2dfb 100644
--- a/Makefile.plugins
+++ b/Makefile.plugins
@@ -7,6 +7,7 @@ builtin_sources += plugins/wiimote.c
 
 builtin_modules += autopair
 builtin_sources += plugins/autopair.c
+builtin_ldadd += src/libshared-ell.la $(ell_ldadd)
 
 builtin_modules += policy
 builtin_sources += plugins/policy.c
diff --git a/plugins/autopair.c b/plugins/autopair.c
index 665a4f4a6..474209fd2 100644
--- a/plugins/autopair.c
+++ b/plugins/autopair.c
@@ -17,6 +17,7 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
+#include <ell/ell.h>
 
 #include <glib.h>
 
@@ -130,7 +131,7 @@ static ssize_t autopair_pincb(struct btd_adapter *adapter,
 				return 0;
 
 			snprintf(pinstr, sizeof(pinstr), "%06u",
-						rand() % 1000000);
+						l_getrandom_uint32() % 1000000);
 			*display = true;
 			memcpy(pinbuf, pinstr, 6);
 			return 6;
-- 
2.25.1

[BlueZ PATCH 5/5] profiles/health: Replace random number generation function

[Tedd Ho-Jeong An]

From: Tedd Ho-Jeong An <tedd.an@intel.com>

This patch replaces the rand() function to the l_getrandom() from ELL,
which uses the getrandom() system call.

It was reported by the Coverity scan
  rand() should not be used for security-related applications, because
  linear congruential algorithms are too easy to break
---
 Makefile.plugins      | 1 +
 profiles/health/hdp.c | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/Makefile.plugins b/Makefile.plugins
index c771b2dfb..7817035c6 100644
--- a/Makefile.plugins
+++ b/Makefile.plugins
@@ -87,6 +87,7 @@ builtin_sources += profiles/health/mcap.h profiles/health/mcap.c \
 			profiles/health/hdp_manager.c \
 			profiles/health/hdp.h profiles/health/hdp.c \
 			profiles/health/hdp_util.h profiles/health/hdp_util.c
+builtin_ldadd += src/libshared-ell.la $(ell_ldadd)
 endif
 
 builtin_modules += gap
diff --git a/profiles/health/hdp.c b/profiles/health/hdp.c
index 6bc41946f..e77f963a4 100644
--- a/profiles/health/hdp.c
+++ b/profiles/health/hdp.c
@@ -16,6 +16,7 @@
 #include <stdint.h>
 #include <stdbool.h>
 #include <unistd.h>
+#include <ell/ell.h>
 
 #include <glib.h>
 
@@ -1484,13 +1485,12 @@ static void destroy_create_dc_data(gpointer data)
 static void *generate_echo_packet(void)
 {
 	uint8_t *buf;
-	int i;
 
 	buf = g_malloc(HDP_ECHO_LEN);
-	srand(time(NULL));
+	if (buf == NULL)
+		return NULL;
 
-	for(i = 0; i < HDP_ECHO_LEN; i++)
-		buf[i] = rand() % UINT8_MAX;
+	l_getrandom(buf, HDP_ECHO_LEN);
 
 	return buf;
 }
-- 
2.25.1

RE: Replace random number generation function

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 884 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=591967

---Test result---

Test Summary:
CheckPatch                    PASS      6.41 seconds
GitLint                       PASS      4.35 seconds
Prep - Setup ELL              PASS      43.18 seconds
Build - Prep                  PASS      0.47 seconds
Build - Configure             PASS      8.22 seconds
Build - Make                  PASS      186.52 seconds
Make Check                    PASS      9.53 seconds
Make Distcheck                PASS      222.57 seconds
Build w/ext ELL - Configure   PASS      8.31 seconds
Build w/ext ELL - Make        PASS      176.44 seconds



---
Regards,
Linux Bluetooth