xref: /freebsd/contrib/bc/src/rand.c (revision 95eb4b873b6a8b527c5bd78d7191975dfca38998)
1 /*
2  * *****************************************************************************
3  *
4  * Parts of this code are adapted from the following:
5  *
6  * PCG, A Family of Better Random Number Generators.
7  *
8  * You can find the original source code at:
9  *   https://github.com/imneme/pcg-c
10  *
11  * -----------------------------------------------------------------------------
12  *
13  * This code is under the following license:
14  *
15  * Copyright (c) 2014-2017 Melissa O'Neill and PCG Project contributors
16  * Copyright (c) 2018-2024 Gavin D. Howard and contributors.
17  *
18  * Permission is hereby granted, free of charge, to any person obtaining a copy
19  * of this software and associated documentation files (the "Software"), to deal
20  * in the Software without restriction, including without limitation the rights
21  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
22  * copies of the Software, and to permit persons to whom the Software is
23  * furnished to do so, subject to the following conditions:
24  *
25  * The above copyright notice and this permission notice shall be included in
26  * all copies or substantial portions of the Software.
27  *
28  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
29  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
30  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
31  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
32  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
33  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
34  * SOFTWARE.
35  *
36  * *****************************************************************************
37  *
38  * Code for the RNG.
39  *
40  */
41 
42 #include <assert.h>
43 #include <stdlib.h>
44 #include <string.h>
45 #include <time.h>
46 #include <fcntl.h>
47 
48 #ifndef _WIN32
49 #include <unistd.h>
50 #else // _WIN32
51 #include <Windows.h>
52 #include <bcrypt.h>
53 #endif // _WIN32
54 
55 #include <status.h>
56 #include <rand.h>
57 #include <vm.h>
58 
59 #if BC_ENABLE_EXTRA_MATH
60 
61 #if !BC_RAND_BUILTIN
62 
63 /**
64  * Adds two 64-bit values and preserves the overflow.
65  * @param a  The first operand.
66  * @param b  The second operand.
67  * @return   The sum, including overflow.
68  */
69 static BcRandState
70 bc_rand_addition(uint_fast64_t a, uint_fast64_t b)
71 {
72 	BcRandState res;
73 
74 	res.lo = a + b;
75 	res.hi = (res.lo < a);
76 
77 	return res;
78 }
79 
80 /**
81  * Adds two 128-bit values and discards the overflow.
82  * @param a  The first operand.
83  * @param b  The second operand.
84  * @return   The sum, without overflow.
85  */
86 static BcRandState
87 bc_rand_addition2(BcRandState a, BcRandState b)
88 {
89 	BcRandState temp, res;
90 
91 	res = bc_rand_addition(a.lo, b.lo);
92 	temp = bc_rand_addition(a.hi, b.hi);
93 	res.hi += temp.lo;
94 
95 	return res;
96 }
97 
98 /**
99  * Multiplies two 64-bit values and preserves the overflow.
100  * @param a  The first operand.
101  * @param b  The second operand.
102  * @return   The product, including overflow.
103  */
104 static BcRandState
105 bc_rand_multiply(uint_fast64_t a, uint_fast64_t b)
106 {
107 	uint_fast64_t al, ah, bl, bh, c0, c1, c2, c3;
108 	BcRandState carry, res;
109 
110 	al = BC_RAND_TRUNC32(a);
111 	ah = BC_RAND_CHOP32(a);
112 	bl = BC_RAND_TRUNC32(b);
113 	bh = BC_RAND_CHOP32(b);
114 
115 	c0 = al * bl;
116 	c1 = al * bh;
117 	c2 = ah * bl;
118 	c3 = ah * bh;
119 
120 	carry = bc_rand_addition(c1, c2);
121 
122 	res = bc_rand_addition(c0, (BC_RAND_TRUNC32(carry.lo)) << 32);
123 	res.hi += BC_RAND_CHOP32(carry.lo) + c3 + (carry.hi << 32);
124 
125 	return res;
126 }
127 
128 /**
129  * Multiplies two 128-bit values and discards the overflow.
130  * @param a  The first operand.
131  * @param b  The second operand.
132  * @return   The product, without overflow.
133  */
134 static BcRandState
135 bc_rand_multiply2(BcRandState a, BcRandState b)
136 {
137 	BcRandState c0, c1, c2, carry;
138 
139 	c0 = bc_rand_multiply(a.lo, b.lo);
140 	c1 = bc_rand_multiply(a.lo, b.hi);
141 	c2 = bc_rand_multiply(a.hi, b.lo);
142 
143 	carry = bc_rand_addition2(c1, c2);
144 	carry.hi = carry.lo;
145 	carry.lo = 0;
146 
147 	return bc_rand_addition2(c0, carry);
148 }
149 
150 #endif // BC_RAND_BUILTIN
151 
152 /**
153  * Marks a PRNG as modified. This is important for properly maintaining the
154  * stack of PRNG's.
155  * @param r  The PRNG to mark as modified.
156  */
157 static void
158 bc_rand_setModified(BcRNGData* r)
159 {
160 #if BC_RAND_BUILTIN
161 	r->inc |= (BcRandState) 1UL;
162 #else // BC_RAND_BUILTIN
163 	r->inc.lo |= (uint_fast64_t) 1UL;
164 #endif // BC_RAND_BUILTIN
165 }
166 
167 /**
168  * Marks a PRNG as not modified. This is important for properly maintaining the
169  * stack of PRNG's.
170  * @param r  The PRNG to mark as not modified.
171  */
172 static void
173 bc_rand_clearModified(BcRNGData* r)
174 {
175 #if BC_RAND_BUILTIN
176 	r->inc &= ~((BcRandState) 1UL);
177 #else // BC_RAND_BUILTIN
178 	r->inc.lo &= ~(1UL);
179 #endif // BC_RAND_BUILTIN
180 }
181 
182 /**
183  * Copies a PRNG to another and marks the copy as modified if it already was or
184  * marks it modified if it already was.
185  * @param d  The destination PRNG.
186  * @param s  The source PRNG.
187  */
188 static void
189 bc_rand_copy(BcRNGData* d, BcRNGData* s)
190 {
191 	bool unmod = BC_RAND_NOTMODIFIED(d);
192 
193 	// NOLINTNEXTLINE
194 	memcpy(d, s, sizeof(BcRNGData));
195 
196 	if (!unmod) bc_rand_setModified(d);
197 	else if (!BC_RAND_NOTMODIFIED(s)) bc_rand_clearModified(d);
198 }
199 
200 #ifndef _WIN32
201 
202 /**
203  * Reads random data from a file.
204  * @param ptr  A pointer to the file, as a void pointer.
205  * @return     The random data as an unsigned long.
206  */
207 static ulong
208 bc_rand_frand(void* ptr)
209 {
210 	ulong buf[1];
211 	int fd;
212 	ssize_t nread;
213 
214 	assert(ptr != NULL);
215 
216 	fd = *((int*) ptr);
217 
218 	nread = read(fd, buf, sizeof(ulong));
219 
220 	if (BC_ERR(nread != sizeof(ulong))) bc_vm_fatalError(BC_ERR_FATAL_IO_ERR);
221 
222 	return *((ulong*) buf);
223 }
224 #else // _WIN32
225 
226 /**
227  * Reads random data from BCryptGenRandom().
228  * @param ptr  An unused parameter.
229  * @return     The random data as an unsigned long.
230  */
231 static ulong
232 bc_rand_winrand(void* ptr)
233 {
234 	ulong buf[1];
235 	NTSTATUS s;
236 
237 	BC_UNUSED(ptr);
238 
239 	buf[0] = 0;
240 
241 	s = BCryptGenRandom(NULL, (char*) buf, sizeof(ulong),
242 	                    BCRYPT_USE_SYSTEM_PREFERRED_RNG);
243 
244 	if (BC_ERR(!BCRYPT_SUCCESS(s))) buf[0] = 0;
245 
246 	return buf[0];
247 }
248 #endif // _WIN32
249 
250 /**
251  * Reads random data from rand(), byte-by-byte because rand() is only guaranteed
252  * to return 15 bits of random data. This is the final fallback and is not
253  * preferred as it is possible to access cryptographically-secure PRNG's on most
254  * systems.
255  * @param ptr  An unused parameter.
256  * @return     The random data as an unsigned long.
257  */
258 static ulong
259 bc_rand_rand(void* ptr)
260 {
261 	size_t i;
262 	ulong res = 0;
263 
264 	BC_UNUSED(ptr);
265 
266 	// Fill up the unsigned long byte-by-byte.
267 	for (i = 0; i < sizeof(ulong); ++i)
268 	{
269 		res |= ((ulong) (rand() & BC_RAND_SRAND_BITS)) << (i * CHAR_BIT);
270 	}
271 
272 	return res;
273 }
274 
275 /**
276  * Returns the actual increment of the PRNG, including the required last odd
277  * bit.
278  * @param r  The PRNG.
279  * @return   The increment of the PRNG, including the last odd bit.
280  */
281 static BcRandState
282 bc_rand_inc(BcRNGData* r)
283 {
284 	BcRandState inc;
285 
286 #if BC_RAND_BUILTIN
287 	inc = r->inc | 1;
288 #else // BC_RAND_BUILTIN
289 	inc.lo = r->inc.lo | 1;
290 	inc.hi = r->inc.hi;
291 #endif // BC_RAND_BUILTIN
292 
293 	return inc;
294 }
295 
296 /**
297  * Sets up the increment for the PRNG.
298  * @param r  The PRNG whose increment will be set up.
299  */
300 static void
301 bc_rand_setupInc(BcRNGData* r)
302 {
303 #if BC_RAND_BUILTIN
304 	r->inc <<= 1UL;
305 #else // BC_RAND_BUILTIN
306 	r->inc.hi <<= 1UL;
307 	r->inc.hi |= (r->inc.lo & (1UL << (BC_LONG_BIT - 1))) >> (BC_LONG_BIT - 1);
308 	r->inc.lo <<= 1UL;
309 #endif // BC_RAND_BUILTIN
310 }
311 
312 /**
313  * Seeds the state of a PRNG.
314  * @param state  The return parameter; the state to seed.
315  * @param val1   The lower half of the state.
316  * @param val2   The upper half of the state.
317  */
318 static void
319 bc_rand_seedState(BcRandState* state, ulong val1, ulong val2)
320 {
321 #if BC_RAND_BUILTIN
322 	*state = ((BcRandState) val1) | ((BcRandState) val2) << (BC_LONG_BIT);
323 #else // BC_RAND_BUILTIN
324 	state->lo = val1;
325 	state->hi = val2;
326 #endif // BC_RAND_BUILTIN
327 }
328 
329 /**
330  * Seeds a PRNG.
331  * @param r       The return parameter; the PRNG to seed.
332  * @param state1  The lower half of the state.
333  * @param state2  The upper half of the state.
334  * @param inc1    The lower half of the increment.
335  * @param inc2    The upper half of the increment.
336  */
337 static void
338 bc_rand_seedRNG(BcRNGData* r, ulong state1, ulong state2, ulong inc1,
339                 ulong inc2)
340 {
341 	bc_rand_seedState(&r->state, state1, state2);
342 	bc_rand_seedState(&r->inc, inc1, inc2);
343 	bc_rand_setupInc(r);
344 }
345 
346 /**
347  * Fills a PRNG with random data to seed it.
348  * @param r       The PRNG.
349  * @param fulong  The function to fill an unsigned long.
350  * @param ptr     The parameter to pass to @a fulong.
351  */
352 static void
353 bc_rand_fill(BcRNGData* r, BcRandUlong fulong, void* ptr)
354 {
355 	ulong state1, state2, inc1, inc2;
356 
357 	state1 = fulong(ptr);
358 	state2 = fulong(ptr);
359 
360 	inc1 = fulong(ptr);
361 	inc2 = fulong(ptr);
362 
363 	bc_rand_seedRNG(r, state1, state2, inc1, inc2);
364 }
365 
366 /**
367  * Executes the "step" portion of a PCG udpate.
368  * @param r  The PRNG.
369  */
370 static void
371 bc_rand_step(BcRNGData* r)
372 {
373 	BcRandState temp = bc_rand_mul2(r->state, bc_rand_multiplier);
374 	r->state = bc_rand_add2(temp, bc_rand_inc(r));
375 }
376 
377 /**
378  * Returns the new output of PCG.
379  * @param r  The PRNG.
380  * @return   The new output from the PRNG.
381  */
382 static BcRand
383 bc_rand_output(BcRNGData* r)
384 {
385 	return BC_RAND_ROT(BC_RAND_FOLD(r->state), BC_RAND_ROTAMT(r->state));
386 }
387 
388 /**
389  * Seeds every PRNG on the PRNG stack between the top and @a idx that has not
390  * been seeded.
391  * @param r    The PRNG stack.
392  * @param rng  The PRNG on the top of the stack. Must have been seeded.
393  */
394 static void
395 bc_rand_seedZeroes(BcRNG* r, BcRNGData* rng, size_t idx)
396 {
397 	BcRNGData* rng2;
398 
399 	// Just return if there are none to do.
400 	if (r->v.len <= idx) return;
401 
402 	// Get the first PRNG that might need to be seeded.
403 	rng2 = bc_vec_item_rev(&r->v, idx);
404 
405 	// Does it need seeding? Then it, and maybe more, do.
406 	if (BC_RAND_ZERO(rng2))
407 	{
408 		size_t i;
409 
410 		// Seed the ones that need seeding.
411 		for (i = 1; i < r->v.len; ++i)
412 		{
413 			bc_rand_copy(bc_vec_item_rev(&r->v, i), rng);
414 		}
415 	}
416 }
417 
418 void
419 bc_rand_srand(BcRNGData* rng)
420 {
421 	int fd = 0;
422 
423 	BC_SIG_LOCK;
424 
425 #ifndef _WIN32
426 
427 	// Try /dev/urandom first.
428 	fd = open("/dev/urandom", O_RDONLY);
429 
430 	if (BC_NO_ERR(fd >= 0))
431 	{
432 		bc_rand_fill(rng, bc_rand_frand, &fd);
433 		close(fd);
434 	}
435 	else
436 	{
437 		// Try /dev/random second.
438 		fd = open("/dev/random", O_RDONLY);
439 
440 		if (BC_NO_ERR(fd >= 0))
441 		{
442 			bc_rand_fill(rng, bc_rand_frand, &fd);
443 			close(fd);
444 		}
445 	}
446 #else // _WIN32
447 	// Try BCryptGenRandom first.
448 	bc_rand_fill(rng, bc_rand_winrand, NULL);
449 #endif // _WIN32
450 
451 	// Fallback to rand() until the thing is seeded.
452 	while (BC_ERR(BC_RAND_ZERO(rng)))
453 	{
454 		bc_rand_fill(rng, bc_rand_rand, NULL);
455 	}
456 
457 	BC_SIG_UNLOCK;
458 }
459 
460 /**
461  * Propagates a change to the PRNG to all PRNG's in the stack that should have
462  * it. The ones that should have it are laid out in the manpages.
463  * @param r    The PRNG stack.
464  * @param rng  The PRNG that will be used to seed the others.
465  */
466 static void
467 bc_rand_propagate(BcRNG* r, BcRNGData* rng)
468 {
469 	// Just return if there are none to do.
470 	if (r->v.len <= 1) return;
471 
472 	// If the PRNG has not been modified...
473 	if (BC_RAND_NOTMODIFIED(rng))
474 	{
475 		size_t i;
476 		bool go = true;
477 
478 		// Find the first PRNG that is modified and seed the others.
479 		for (i = 1; go && i < r->v.len; ++i)
480 		{
481 			BcRNGData* rng2 = bc_vec_item_rev(&r->v, i);
482 
483 			go = BC_RAND_NOTMODIFIED(rng2);
484 
485 			bc_rand_copy(rng2, rng);
486 		}
487 
488 		// Seed everything else.
489 		bc_rand_seedZeroes(r, rng, i);
490 	}
491 	// Seed everything.
492 	else bc_rand_seedZeroes(r, rng, 1);
493 }
494 
495 BcRand
496 bc_rand_int(BcRNG* r)
497 {
498 	// Get the actual PRNG.
499 	BcRNGData* rng = bc_vec_top(&r->v);
500 	BcRand res;
501 
502 	// Make sure the PRNG is seeded.
503 	if (BC_ERR(BC_RAND_ZERO(rng))) bc_rand_srand(rng);
504 
505 	BC_SIG_LOCK;
506 
507 	// This is the important part of the PRNG. This is the stuff from PCG.
508 	bc_rand_step(rng);
509 	bc_rand_propagate(r, rng);
510 	res = bc_rand_output(rng);
511 
512 	BC_SIG_UNLOCK;
513 
514 	return res;
515 }
516 
517 BcRand
518 bc_rand_bounded(BcRNG* r, BcRand bound)
519 {
520 	BcRand rand;
521 	BcRand threshold;
522 
523 	// Calculate the threshold below which we have to try again.
524 	threshold = (0 - bound) % bound;
525 
526 	do
527 	{
528 		rand = bc_rand_int(r);
529 	}
530 	while (rand < threshold);
531 
532 	return rand % bound;
533 }
534 
535 void
536 bc_rand_seed(BcRNG* r, ulong state1, ulong state2, ulong inc1, ulong inc2)
537 {
538 	// Get the actual PRNG.
539 	BcRNGData* rng = bc_vec_top(&r->v);
540 
541 	// Seed and set up the PRNG's increment.
542 	bc_rand_seedState(&rng->inc, inc1, inc2);
543 	bc_rand_setupInc(rng);
544 	bc_rand_setModified(rng);
545 
546 	// If the state is 0, use the increment as the state. Otherwise, seed it
547 	// with the state.
548 	if (!state1 && !state2)
549 	{
550 		// NOLINTNEXTLINE
551 		memcpy(&rng->state, &rng->inc, sizeof(BcRandState));
552 		bc_rand_step(rng);
553 	}
554 	else bc_rand_seedState(&rng->state, state1, state2);
555 
556 	// Propagate the change to PRNG's that need it.
557 	bc_rand_propagate(r, rng);
558 }
559 
560 /**
561  * Returns the increment in the PRNG *without* the odd bit and also with being
562  * shifted one bit down.
563  * @param r  The PRNG.
564  * @return   The increment without the odd bit and with being shifted one bit
565  *           down.
566  */
567 static BcRandState
568 bc_rand_getInc(BcRNGData* r)
569 {
570 	BcRandState res;
571 
572 #if BC_RAND_BUILTIN
573 	res = r->inc >> 1;
574 #else // BC_RAND_BUILTIN
575 	res = r->inc;
576 	res.lo >>= 1;
577 	res.lo |= (res.hi & 1) << (BC_LONG_BIT - 1);
578 	res.hi >>= 1;
579 #endif // BC_RAND_BUILTIN
580 
581 	return res;
582 }
583 
584 void
585 bc_rand_getRands(BcRNG* r, BcRand* s1, BcRand* s2, BcRand* i1, BcRand* i2)
586 {
587 	BcRandState inc;
588 	BcRNGData* rng = bc_vec_top(&r->v);
589 
590 	if (BC_ERR(BC_RAND_ZERO(rng))) bc_rand_srand(rng);
591 
592 	// Get the increment.
593 	inc = bc_rand_getInc(rng);
594 
595 	// Chop the state.
596 	*s1 = BC_RAND_TRUNC(rng->state);
597 	*s2 = BC_RAND_CHOP(rng->state);
598 
599 	// Chop the increment.
600 	*i1 = BC_RAND_TRUNC(inc);
601 	*i2 = BC_RAND_CHOP(inc);
602 }
603 
604 void
605 bc_rand_push(BcRNG* r)
606 {
607 	BcRNGData* rng = bc_vec_pushEmpty(&r->v);
608 
609 	// Make sure the PRNG is properly zeroed because that marks it as needing to
610 	// be seeded.
611 	// NOLINTNEXTLINE
612 	memset(rng, 0, sizeof(BcRNGData));
613 
614 	// If there is another item, copy it too.
615 	if (r->v.len > 1) bc_rand_copy(rng, bc_vec_item_rev(&r->v, 1));
616 }
617 
618 void
619 bc_rand_pop(BcRNG* r, bool reset)
620 {
621 	bc_vec_npop(&r->v, reset ? r->v.len - 1 : 1);
622 }
623 
624 void
625 bc_rand_init(BcRNG* r)
626 {
627 	BC_SIG_ASSERT_LOCKED;
628 	bc_vec_init(&r->v, sizeof(BcRNGData), BC_DTOR_NONE);
629 	bc_rand_push(r);
630 }
631 
632 #if BC_RAND_USE_FREE
633 void
634 bc_rand_free(BcRNG* r)
635 {
636 	BC_SIG_ASSERT_LOCKED;
637 	bc_vec_free(&r->v);
638 }
639 #endif // BC_RAND_USE_FREE
640 
641 #endif // BC_ENABLE_EXTRA_MATH
642