xref: /freebsd/contrib/bc/src/rand.c (revision e9e8876a4d6afc1ad5315faaa191b25121a813d7)
1 /*
2  * *****************************************************************************
3  *
4  * Parts of this code are adapted from the following:
5  *
6  * PCG, A Family of Better Random Number Generators.
7  *
8  * You can find the original source code at:
9  *   https://github.com/imneme/pcg-c
10  *
11  * -----------------------------------------------------------------------------
12  *
13  * This code is under the following license:
14  *
15  * Copyright (c) 2014-2017 Melissa O'Neill and PCG Project contributors
16  * Copyright (c) 2018-2021 Gavin D. Howard and contributors.
17  *
18  * Permission is hereby granted, free of charge, to any person obtaining a copy
19  * of this software and associated documentation files (the "Software"), to deal
20  * in the Software without restriction, including without limitation the rights
21  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
22  * copies of the Software, and to permit persons to whom the Software is
23  * furnished to do so, subject to the following conditions:
24  *
25  * The above copyright notice and this permission notice shall be included in
26  * all copies or substantial portions of the Software.
27  *
28  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
29  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
30  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
31  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
32  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
33  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
34  * SOFTWARE.
35  *
36  * *****************************************************************************
37  *
38  * Code for the RNG.
39  *
40  */
41 
42 #include <assert.h>
43 #include <stdlib.h>
44 #include <string.h>
45 #include <time.h>
46 #include <fcntl.h>
47 
48 #ifndef _WIN32
49 #include <unistd.h>
50 #else // _WIN32
51 #include <Windows.h>
52 #include <bcrypt.h>
53 #endif // _WIN32
54 
55 #include <status.h>
56 #include <rand.h>
57 #include <vm.h>
58 
59 #if BC_ENABLE_EXTRA_MATH
60 
61 #if !BC_RAND_BUILTIN
62 
63 /**
64  * Adds two 64-bit values and preserves the overflow.
65  * @param a  The first operand.
66  * @param b  The second operand.
67  * @return   The sum, including overflow.
68  */
69 static BcRandState bc_rand_addition(uint_fast64_t a, uint_fast64_t b) {
70 
71 	BcRandState res;
72 
73 	res.lo = a + b;
74 	res.hi = (res.lo < a);
75 
76 	return res;
77 }
78 
79 /**
80  * Adds two 128-bit values and discards the overflow.
81  * @param a  The first operand.
82  * @param b  The second operand.
83  * @return   The sum, without overflow.
84  */
85 static BcRandState bc_rand_addition2(BcRandState a, BcRandState b) {
86 
87 	BcRandState temp, res;
88 
89 	res = bc_rand_addition(a.lo, b.lo);
90 	temp = bc_rand_addition(a.hi, b.hi);
91 	res.hi += temp.lo;
92 
93 	return res;
94 }
95 
96 /**
97  * Multiplies two 64-bit values and preserves the overflow.
98  * @param a  The first operand.
99  * @param b  The second operand.
100  * @return   The product, including overflow.
101  */
102 static BcRandState bc_rand_multiply(uint_fast64_t a, uint_fast64_t b) {
103 
104 	uint_fast64_t al, ah, bl, bh, c0, c1, c2, c3;
105 	BcRandState carry, res;
106 
107 	al = BC_RAND_TRUNC32(a);
108 	ah = BC_RAND_CHOP32(a);
109 	bl = BC_RAND_TRUNC32(b);
110 	bh = BC_RAND_CHOP32(b);
111 
112 	c0 = al * bl;
113 	c1 = al * bh;
114 	c2 = ah * bl;
115 	c3 = ah * bh;
116 
117 	carry = bc_rand_addition(c1, c2);
118 
119 	res = bc_rand_addition(c0, (BC_RAND_TRUNC32(carry.lo)) << 32);
120 	res.hi += BC_RAND_CHOP32(carry.lo) + c3 + (carry.hi << 32);
121 
122 	return res;
123 }
124 
125 /**
126  * Multiplies two 128-bit values and discards the overflow.
127  * @param a  The first operand.
128  * @param b  The second operand.
129  * @return   The product, without overflow.
130  */
131 static BcRandState bc_rand_multiply2(BcRandState a, BcRandState b) {
132 
133 	BcRandState c0, c1, c2, carry;
134 
135 	c0 = bc_rand_multiply(a.lo, b.lo);
136 	c1 = bc_rand_multiply(a.lo, b.hi);
137 	c2 = bc_rand_multiply(a.hi, b.lo);
138 
139 	carry = bc_rand_addition2(c1, c2);
140 	carry.hi = carry.lo;
141 	carry.lo = 0;
142 
143 	return bc_rand_addition2(c0, carry);
144 }
145 
146 #endif // BC_RAND_BUILTIN
147 
148 /**
149  * Marks a PRNG as modified. This is important for properly maintaining the
150  * stack of PRNG's.
151  * @param r  The PRNG to mark as modified.
152  */
153 static void bc_rand_setModified(BcRNGData *r) {
154 
155 #if BC_RAND_BUILTIN
156 	r->inc |= (BcRandState) 1UL;
157 #else // BC_RAND_BUILTIN
158 	r->inc.lo |= (uint_fast64_t) 1UL;
159 #endif // BC_RAND_BUILTIN
160 }
161 
162 /**
163  * Marks a PRNG as not modified. This is important for properly maintaining the
164  * stack of PRNG's.
165  * @param r  The PRNG to mark as not modified.
166  */
167 static void bc_rand_clearModified(BcRNGData *r) {
168 
169 #if BC_RAND_BUILTIN
170 	r->inc &= ~((BcRandState) 1UL);
171 #else // BC_RAND_BUILTIN
172 	r->inc.lo &= ~(1UL);
173 #endif // BC_RAND_BUILTIN
174 }
175 
176 /**
177  * Copies a PRNG to another and marks the copy as modified if it already was or
178  * marks it modified if it already was.
179  * @param d  The destination PRNG.
180  * @param s  The source PRNG.
181  */
182 static void bc_rand_copy(BcRNGData *d, BcRNGData *s) {
183 	bool unmod = BC_RAND_NOTMODIFIED(d);
184 	memcpy(d, s, sizeof(BcRNGData));
185 	if (!unmod) bc_rand_setModified(d);
186 	else if (!BC_RAND_NOTMODIFIED(s)) bc_rand_clearModified(d);
187 }
188 
189 #ifndef _WIN32
190 
191 /**
192  * Reads random data from a file.
193  * @param ptr  A pointer to the file, as a void pointer.
194  * @return     The random data as an unsigned long.
195  */
196 static ulong bc_rand_frand(void* ptr) {
197 
198 	ulong buf[1];
199 	int fd;
200 	ssize_t nread;
201 
202 	assert(ptr != NULL);
203 
204 	fd = *((int*)ptr);
205 
206 	nread = read(fd, buf, sizeof(ulong));
207 
208 	if (BC_ERR(nread != sizeof(ulong))) bc_vm_fatalError(BC_ERR_FATAL_IO_ERR);
209 
210 	return *((ulong*)buf);
211 }
212 #else // _WIN32
213 
214 /**
215  * Reads random data from BCryptGenRandom().
216  * @param ptr  An unused parameter.
217  * @return     The random data as an unsigned long.
218  */
219 static ulong bc_rand_winrand(void *ptr) {
220 
221 	ulong buf[1];
222 	NTSTATUS s;
223 
224 	BC_UNUSED(ptr);
225 
226 	buf[0] = 0;
227 
228 	s = BCryptGenRandom(NULL, (char*) buf, sizeof(ulong),
229 	                    BCRYPT_USE_SYSTEM_PREFERRED_RNG);
230 
231 	if (BC_ERR(!BCRYPT_SUCCESS(s))) buf[0] = 0;
232 
233 	return buf[0];
234 }
235 #endif // _WIN32
236 
237 /**
238  * Reads random data from rand(), byte-by-byte because rand() is only guaranteed
239  * to return 15 bits of random data. This is the final fallback and is not
240  * preferred as it is possible to access cryptographically-secure PRNG's on most
241  * systems.
242  * @param ptr  An unused parameter.
243  * @return     The random data as an unsigned long.
244  */
245 static ulong bc_rand_rand(void *ptr) {
246 
247 	size_t i;
248 	ulong res = 0;
249 
250 	BC_UNUSED(ptr);
251 
252 	// Fill up the unsigned long byte-by-byte.
253 	for (i = 0; i < sizeof(ulong); ++i)
254 		res |= ((ulong) (rand() & BC_RAND_SRAND_BITS)) << (i * CHAR_BIT);
255 
256 	return res;
257 }
258 
259 /**
260  * Returns the actual increment of the PRNG, including the required last odd
261  * bit.
262  * @param r  The PRNG.
263  * @return   The increment of the PRNG, including the last odd bit.
264  */
265 static BcRandState bc_rand_inc(BcRNGData *r) {
266 
267 	BcRandState inc;
268 
269 #if BC_RAND_BUILTIN
270 	inc = r->inc | 1;
271 #else // BC_RAND_BUILTIN
272 	inc.lo = r->inc.lo | 1;
273 	inc.hi = r->inc.hi;
274 #endif // BC_RAND_BUILTIN
275 
276 	return inc;
277 }
278 
279 /**
280  * Sets up the increment for the PRNG.
281  * @param r  The PRNG whose increment will be set up.
282  */
283 static void bc_rand_setupInc(BcRNGData *r) {
284 
285 #if BC_RAND_BUILTIN
286 	r->inc <<= 1UL;
287 #else // BC_RAND_BUILTIN
288 	r->inc.hi <<= 1UL;
289 	r->inc.hi |= (r->inc.lo & (1UL << (BC_LONG_BIT - 1))) >> (BC_LONG_BIT - 1);
290 	r->inc.lo <<= 1UL;
291 #endif // BC_RAND_BUILTIN
292 }
293 
294 /**
295  * Seeds the state of a PRNG.
296  * @param state  The return parameter; the state to seed.
297  * @param val1   The lower half of the state.
298  * @param val2   The upper half of the state.
299  */
300 static void bc_rand_seedState(BcRandState *state, ulong val1, ulong val2) {
301 
302 #if BC_RAND_BUILTIN
303 	*state = ((BcRandState) val1) | ((BcRandState) val2) << (BC_LONG_BIT);
304 #else // BC_RAND_BUILTIN
305 	state->lo = val1;
306 	state->hi = val2;
307 #endif // BC_RAND_BUILTIN
308 }
309 
310 /**
311  * Seeds a PRNG.
312  * @param r       The return parameter; the PRNG to seed.
313  * @param state1  The lower half of the state.
314  * @param state2  The upper half of the state.
315  * @param inc1    The lower half of the increment.
316  * @param inc2    The upper half of the increment.
317  */
318 static void bc_rand_seedRNG(BcRNGData *r, ulong state1, ulong state2,
319                             ulong inc1, ulong inc2)
320 {
321 	bc_rand_seedState(&r->state, state1, state2);
322 	bc_rand_seedState(&r->inc, inc1, inc2);
323 	bc_rand_setupInc(r);
324 }
325 
326 /**
327  * Fills a PRNG with random data to seed it.
328  * @param r       The PRNG.
329  * @param fulong  The function to fill an unsigned long.
330  * @param ptr     The parameter to pass to @a fulong.
331  */
332 static void bc_rand_fill(BcRNGData *r, BcRandUlong fulong, void *ptr) {
333 
334 	ulong state1, state2, inc1, inc2;
335 
336 	state1 = fulong(ptr);
337 	state2 = fulong(ptr);
338 
339 	inc1 = fulong(ptr);
340 	inc2 = fulong(ptr);
341 
342 	bc_rand_seedRNG(r, state1, state2, inc1, inc2);
343 }
344 
345 /**
346  * Executes the "step" portion of a PCG udpate.
347  * @param r  The PRNG.
348  */
349 static void bc_rand_step(BcRNGData *r) {
350 	BcRandState temp = bc_rand_mul2(r->state, bc_rand_multiplier);
351 	r->state = bc_rand_add2(temp, bc_rand_inc(r));
352 }
353 
354 /**
355  * Returns the new output of PCG.
356  * @param r  The PRNG.
357  * @return   The new output from the PRNG.
358  */
359 static BcRand bc_rand_output(BcRNGData *r) {
360 	return BC_RAND_ROT(BC_RAND_FOLD(r->state), BC_RAND_ROTAMT(r->state));
361 }
362 
363 /**
364  * Seeds every PRNG on the PRNG stack between the top and @a idx that has not
365  * been seeded.
366  * @param r    The PRNG stack.
367  * @param rng  The PRNG on the top of the stack. Must have been seeded.
368  */
369 static void bc_rand_seedZeroes(BcRNG *r, BcRNGData *rng, size_t idx) {
370 
371 	BcRNGData *rng2;
372 
373 	// Just return if there are none to do.
374 	if (r->v.len <= idx) return;
375 
376 	// Get the first PRNG that might need to be seeded.
377 	rng2 = bc_vec_item_rev(&r->v, idx);
378 
379 	// Does it need seeding? Then it, and maybe more, do.
380 	if (BC_RAND_ZERO(rng2)) {
381 
382 		size_t i;
383 
384 		// Seed the ones that need seeding.
385 		for (i = 1; i < r->v.len; ++i)
386 			bc_rand_copy(bc_vec_item_rev(&r->v, i), rng);
387 	}
388 }
389 
390 void bc_rand_srand(BcRNGData *rng) {
391 
392 	int fd = 0;
393 
394 	BC_SIG_LOCK;
395 
396 #ifndef _WIN32
397 
398 	// Try /dev/urandom first.
399 	fd = open("/dev/urandom", O_RDONLY);
400 
401 	if (BC_NO_ERR(fd >= 0)) {
402 		bc_rand_fill(rng, bc_rand_frand, &fd);
403 		close(fd);
404 	}
405 	else {
406 
407 		// Try /dev/random second.
408 		fd = open("/dev/random", O_RDONLY);
409 
410 		if (BC_NO_ERR(fd >= 0)) {
411 			bc_rand_fill(rng, bc_rand_frand, &fd);
412 			close(fd);
413 		}
414 	}
415 #else // _WIN32
416 	// Try BCryptGenRandom first.
417 	bc_rand_fill(rng, bc_rand_winrand, NULL);
418 #endif // _WIN32
419 
420 	// Fallback to rand() until the thing is seeded.
421 	while (BC_ERR(BC_RAND_ZERO(rng))) bc_rand_fill(rng, bc_rand_rand, NULL);
422 
423 	BC_SIG_UNLOCK;
424 }
425 
426 /**
427  * Propagates a change to the PRNG to all PRNG's in the stack that should have
428  * it. The ones that should have it are laid out in the manpages.
429  * @param r    The PRNG stack.
430  * @param rng  The PRNG that will be used to seed the others.
431  */
432 static void bc_rand_propagate(BcRNG *r, BcRNGData *rng) {
433 
434 	// Just return if there are none to do.
435 	if (r->v.len <= 1) return;
436 
437 	// If the PRNG has not been modified...
438 	if (BC_RAND_NOTMODIFIED(rng)) {
439 
440 		size_t i;
441 		bool go = true;
442 
443 		// Find the first PRNG that is modified and seed the others.
444 		for (i = 1; go && i < r->v.len; ++i) {
445 
446 			BcRNGData *rng2 = bc_vec_item_rev(&r->v, i);
447 
448 			go = BC_RAND_NOTMODIFIED(rng2);
449 
450 			bc_rand_copy(rng2, rng);
451 		}
452 
453 		// Seed everything else.
454 		bc_rand_seedZeroes(r, rng, i);
455 	}
456 	// Seed everything.
457 	else bc_rand_seedZeroes(r, rng, 1);
458 }
459 
460 BcRand bc_rand_int(BcRNG *r) {
461 
462 	// Get the actual PRNG.
463 	BcRNGData *rng = bc_vec_top(&r->v);
464 	BcRand res;
465 
466 	// Make sure the PRNG is seeded.
467 	if (BC_ERR(BC_RAND_ZERO(rng))) bc_rand_srand(rng);
468 
469 	BC_SIG_LOCK;
470 
471 	// This is the important part of the PRNG. This is the stuff from PCG.
472 	bc_rand_step(rng);
473 	bc_rand_propagate(r, rng);
474 	res = bc_rand_output(rng);
475 
476 	BC_SIG_UNLOCK;
477 
478 	return res;
479 }
480 
481 BcRand bc_rand_bounded(BcRNG *r, BcRand bound) {
482 
483 	// Calculate the threshold below which we have to try again.
484 	BcRand rand, threshold = (0 - bound) % bound;
485 
486 	do {
487 		rand = bc_rand_int(r);
488 	} while (rand < threshold);
489 
490 	return rand % bound;
491 }
492 
493 void bc_rand_seed(BcRNG *r, ulong state1, ulong state2, ulong inc1, ulong inc2)
494 {
495 	// Get the actual PRNG.
496 	BcRNGData *rng = bc_vec_top(&r->v);
497 
498 	// Seed and set up the PRNG's increment.
499 	bc_rand_seedState(&rng->inc, inc1, inc2);
500 	bc_rand_setupInc(rng);
501 	bc_rand_setModified(rng);
502 
503 	// If the state is 0, use the increment as the state. Otherwise, seed it
504 	// with the state.
505 	if (!state1 && !state2) {
506 		memcpy(&rng->state, &rng->inc, sizeof(BcRandState));
507 		bc_rand_step(rng);
508 	}
509 	else bc_rand_seedState(&rng->state, state1, state2);
510 
511 	// Propagate the change to PRNG's that need it.
512 	bc_rand_propagate(r, rng);
513 }
514 
515 /**
516  * Returns the increment in the PRNG *without* the odd bit and also with being
517  * shifted one bit down.
518  * @param r  The PRNG.
519  * @return   The increment without the odd bit and with being shifted one bit
520  *           down.
521  */
522 static BcRandState bc_rand_getInc(BcRNGData *r) {
523 
524 	BcRandState res;
525 
526 #if BC_RAND_BUILTIN
527 	res = r->inc >> 1;
528 #else // BC_RAND_BUILTIN
529 	res = r->inc;
530 	res.lo >>= 1;
531 	res.lo |= (res.hi & 1) << (BC_LONG_BIT - 1);
532 	res.hi >>= 1;
533 #endif // BC_RAND_BUILTIN
534 
535 	return res;
536 }
537 
538 void bc_rand_getRands(BcRNG *r, BcRand *s1, BcRand *s2, BcRand *i1, BcRand *i2)
539 {
540 	BcRandState inc;
541 	BcRNGData *rng = bc_vec_top(&r->v);
542 
543 	if (BC_ERR(BC_RAND_ZERO(rng))) bc_rand_srand(rng);
544 
545 	// Get the increment.
546 	inc = bc_rand_getInc(rng);
547 
548 	// Chop the state.
549 	*s1 = BC_RAND_TRUNC(rng->state);
550 	*s2 = BC_RAND_CHOP(rng->state);
551 
552 	// Chop the increment.
553 	*i1 = BC_RAND_TRUNC(inc);
554 	*i2 = BC_RAND_CHOP(inc);
555 }
556 
557 void bc_rand_push(BcRNG *r) {
558 
559 	BcRNGData *rng = bc_vec_pushEmpty(&r->v);
560 
561 	// Make sure the PRNG is properly zeroed because that marks it as needing to
562 	// be seeded.
563 	memset(rng, 0, sizeof(BcRNGData));
564 
565 	// If there is another item, copy it too.
566 	if (r->v.len > 1) bc_rand_copy(rng, bc_vec_item_rev(&r->v, 1));
567 }
568 
569 void bc_rand_pop(BcRNG *r, bool reset) {
570 	bc_vec_npop(&r->v, reset ? r->v.len - 1 : 1);
571 }
572 
573 void bc_rand_init(BcRNG *r) {
574 	BC_SIG_ASSERT_LOCKED;
575 	bc_vec_init(&r->v, sizeof(BcRNGData), BC_DTOR_NONE);
576 	bc_rand_push(r);
577 }
578 
579 #if BC_RAND_USE_FREE
580 void bc_rand_free(BcRNG *r) {
581 	BC_SIG_ASSERT_LOCKED;
582 	bc_vec_free(&r->v);
583 }
584 #endif // BC_RAND_USE_FREE
585 
586 #endif // BC_ENABLE_EXTRA_MATH
587