From bd85f61a40260a166d113e7a82a2705a0f56f8e0 Mon Sep 17 00:00:00 2001
From: Patric Stout <truebrain@openttd.org>
Date: Thu, 18 Jan 2024 23:52:53 +0100
Subject: [PATCH] Change: use a stronger hash and actual random information to
 generate Uids

---
 CMakeLists.txt           |  1 +
 src/core/random_func.cpp | 60 ++++++++++++++++++++++++++++++++++++++++
 src/core/random_func.hpp |  2 ++
 src/misc.cpp             | 31 ++++++++++-----------
 4 files changed, 78 insertions(+), 16 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6cc0880f5d..f0f0b33e65 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -448,6 +448,7 @@ if(WIN32)
         usp10
         psapi
         winhttp
+        bcrypt
     )
 endif()
 
diff --git a/src/core/random_func.cpp b/src/core/random_func.cpp
index 2221af0be2..0a18360953 100644
--- a/src/core/random_func.cpp
+++ b/src/core/random_func.cpp
@@ -10,6 +10,7 @@
 #include "../stdafx.h"
 #include "random_func.hpp"
 #include "bitmath_func.hpp"
+#include "../debug.h"
 
 #ifdef RANDOM_DEBUG
 #include "../network/network.h"
@@ -20,6 +21,15 @@
 #include "../timer/timer_game_calendar.h"
 #endif /* RANDOM_DEBUG */
 
+#if defined(_WIN32)
+#	include <windows.h>
+#	include <bcrypt.h>
+#elif defined(__EMSCRIPTEN__)
+#	include <emscripten.h>
+#elif !defined(__APPLE__) && !defined(__NetBSD__) && !defined(__FreeBSD__)
+#	include <sys/random.h>
+#endif
+
 #include "../safeguards.h"
 
 Randomizer _random, _interactive_random;
@@ -83,3 +93,53 @@ uint32_t DoRandomRange(uint32_t limit, int line, const char *file)
 	return ((uint64_t)DoRandom(line, file) * (uint64_t)limit) >> 32;
 }
 #endif /* RANDOM_DEBUG */
+
+/**
+ * Fill the given buffer with random bytes.
+ *
+ * This function will attempt to use a cryptographically-strong random
+ * generator, but will fall back to a weaker random generator if none is
+ * available.
+ *
+ * In the end, the buffer will always be filled with some form of random
+ * bytes when this function returns.
+ *
+ * @param buf The buffer to fill with random bytes.
+ */
+void RandomBytesWithFallback(std::span<uint8_t> buf)
+{
+#if defined(_WIN32)
+	auto res = BCryptGenRandom(nullptr, static_cast<PUCHAR>(buf.data()), static_cast<ULONG>(buf.size()), BCRYPT_USE_SYSTEM_PREFERRED_RNG);
+	if (res >= 0) return;
+#elif defined(__APPLE__) || defined(__NetBSD__) || defined(__FreeBSD__)
+	arc4random_buf(buf.data(), buf.size());
+	return;
+#elif defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25)))
+	auto res = getrandom(buf.data(), buf.size(), 0);
+	if (res > 0 && static_cast<size_t>(res) == buf.size()) return;
+#elif defined(__EMSCRIPTEN__)
+	auto res = EM_ASM_INT({
+		var buf = $0;
+		var bytes = $1;
+
+		var crypto = window.crypto;
+		if (crypto === undefined || crypto.getRandomValues === undefined) {
+			return -1;
+		}
+
+		crypto.getRandomValues(Module.HEAPU8.subarray(buf, buf + bytes));
+		return 1;
+	}, buf.data(), buf.size());
+	if (res > 0) return;
+#else
+#	warning "No cryptographically-strong random generator available; using a fallback instead"
+#endif
+
+	static bool warned_once = false;
+	Debug(misc, warned_once ? 1 : 0, "Cryptographically-strong random generator unavailable; using fallback");
+	warned_once = true;
+
+	for (uint i = 0; i < buf.size(); i++) {
+		buf[i] = static_cast<uint8_t>(InteractiveRandom());
+	}
+}
diff --git a/src/core/random_func.hpp b/src/core/random_func.hpp
index 65f13f3bc1..ef3f4569b2 100644
--- a/src/core/random_func.hpp
+++ b/src/core/random_func.hpp
@@ -159,4 +159,6 @@ inline bool Chance16R(const uint a, const uint b, uint32_t &r)
 }
 #endif /* RANDOM_DEBUG */
 
+void RandomBytesWithFallback(std::span<uint8_t> buf);
+
 #endif /* RANDOM_FUNC_HPP */
diff --git a/src/misc.cpp b/src/misc.cpp
index a22abe3121..76e4ed4cfc 100644
--- a/src/misc.cpp
+++ b/src/misc.cpp
@@ -31,7 +31,7 @@
 #include "town_kdtree.h"
 #include "viewport_kdtree.h"
 #include "newgrf_profiling.h"
-#include "3rdparty/md5/md5.h"
+#include "3rdparty/monocypher/monocypher.h"
 
 #include "safeguards.h"
 
@@ -61,25 +61,24 @@ void InitializeOldNames();
 /**
  * Generate an unique ID.
  *
- * It isn't as much of an unique ID as we would like, but our random generator
- * can only produce 32bit random numbers.
- * That is why we combine InteractiveRandom with the current (steady) clock.
- * The first to add a bit of randomness, the second to ensure you can't get
- * the same unique ID when you run it twice from the same state at different
- * times.
- *
- * This makes it unlikely that two users generate the same ID for different
- * subjects. But as this is not an UUID, so it can't be ruled out either.
+ * It isn't as much of an unique ID but more a hashed digest of a random
+ * string and a time. It is very likely to be unique, but it does not follow
+ * any UUID standard.
  */
 std::string GenerateUid(std::string_view subject)
 {
-	auto current_time = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::steady_clock::now().time_since_epoch()).count();
-	std::string coding_string = fmt::format("{}{}{}", InteractiveRandom(), current_time, subject);
+	std::array<uint8_t, 32> random_bytes;
+	RandomBytesWithFallback(random_bytes);
 
-	Md5 checksum;
-	MD5Hash digest;
-	checksum.Append(coding_string.c_str(), coding_string.length());
-	checksum.Finish(digest);
+	auto current_time = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::steady_clock::now().time_since_epoch()).count();
+	std::string coding_string = fmt::format("{}{}", current_time, subject);
+
+	std::array<uint8_t, 16> digest;
+	crypto_blake2b_ctx ctx;
+	crypto_blake2b_init(&ctx, digest.size());
+	crypto_blake2b_update(&ctx, random_bytes.data(), random_bytes.size());
+	crypto_blake2b_update(&ctx, reinterpret_cast<const uint8_t *>(coding_string.data()), coding_string.size());
+	crypto_blake2b_final(&ctx, digest.data());
 
 	return FormatArrayAsHex(digest);
 }