lokinet/crypto/csrng/randombytes_salsa20_random.c
2018-11-08 07:31:50 -05:00

636 lines
14 KiB
C

#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdlib.h>
#include <string.h>
#if !defined(_MSC_VER) && !defined(__BORLANDC__)
#include <unistd.h>
#endif
#include <sys/types.h>
#ifndef _WIN32
#include <sys/stat.h>
#include <sys/time.h>
#endif
#ifdef __linux__
#ifdef __dietlibc__
#define _LINUX_SOURCE
#else
#include <sys/syscall.h>
#endif
#include <poll.h>
#endif
#ifdef HAVE_RDRAND
#pragma GCC target("rdrnd")
#include <immintrin.h>
#endif
#include <sodium/core.h>
#include <sodium/crypto_core_salsa20.h>
#include <sodium/crypto_stream_salsa20.h>
#include <sodium/private/common.h>
#include <sodium/randombytes.h>
#include <sodium/randombytes_salsa20_random.h>
#include <sodium/runtime.h>
#include <sodium/utils.h>
#ifdef _WIN32
#include <windows.h>
#include <sys/timeb.h>
#include <wincrypt.h>
#include <bcrypt.h>
typedef NTSTATUS(FAR PASCAL *CNGAPI_DRBG)(BCRYPT_ALG_HANDLE, UCHAR *, ULONG,
ULONG);
#ifdef __BORLANDC__
#define _ftime ftime
#define _timeb timeb
#endif
#endif
#define SALSA20_RANDOM_BLOCK_SIZE crypto_core_salsa20_OUTPUTBYTES
#if defined(__OpenBSD__) || defined(__CloudABI__)
#define HAVE_SAFE_ARC4RANDOM 1
#endif
#ifndef SSIZE_MAX
#define SSIZE_MAX (SIZE_MAX / 2 - 1)
#endif
#ifndef S_ISNAM
#ifdef __COMPCERT__
#define S_ISNAM(X) 1
#else
#define S_ISNAM(X) 0
#endif
#endif
#ifndef TLS
#ifdef _WIN32
#define TLS __thread
#else
#define TLS
#endif
#endif
typedef struct Salsa20RandomGlobal_
{
int initialized;
int random_data_source_fd;
int getrandom_available;
int rdrand_available;
#ifdef HAVE_GETPID
pid_t pid;
#endif
} Salsa20RandomGlobal;
typedef struct Salsa20Random_
{
int initialized;
size_t rnd32_outleft;
unsigned char key[crypto_stream_salsa20_KEYBYTES];
unsigned char rnd32[16U * SALSA20_RANDOM_BLOCK_SIZE];
uint64_t nonce;
} Salsa20Random;
static Salsa20RandomGlobal global = {
SODIUM_C99(.initialized =) 0,
SODIUM_C99(.random_data_source_fd =) - 1,
SODIUM_C99(.getrandom_available =) 0,
SODIUM_C99(.rdrand_available =) 0,
};
static TLS Salsa20Random stream = {
SODIUM_C99(.initialized =) 0, SODIUM_C99(.rnd32_outleft =)(size_t) 0U,
SODIUM_C99(.key =){0}, SODIUM_C99(.rnd32 =){0},
SODIUM_C99(.nonce =) 1,
};
/*
* Get a high-resolution timestamp, as a uint64_t value
*/
#ifdef _WIN32
static uint64_t
sodium_hrtime(void)
{
struct _timeb tb;
_ftime(&tb);
return ((uint64_t)tb.time) * 1000000U + ((uint64_t)tb.millitm) * 1000U;
}
#else /* _WIN32 */
static uint64_t
sodium_hrtime(void)
{
struct timeval tv;
if(gettimeofday(&tv, NULL) != 0)
{
sodium_misuse(); /* LCOV_EXCL_LINE */
}
return ((uint64_t)tv.tv_sec) * 1000000U + (uint64_t)tv.tv_usec;
}
#endif
/*
* Initialize the entropy source
*/
#ifdef _WIN32
static void
randombytes_salsa20_random_init(void)
{
stream.nonce = sodium_hrtime();
assert(stream.nonce != (uint64_t)0U);
global.rdrand_available = sodium_runtime_has_rdrand();
}
#else /* _WIN32 */
static ssize_t
safe_read(const int fd, void *const buf_, size_t size)
{
unsigned char *buf = (unsigned char *)buf_;
ssize_t readnb;
assert(size > (size_t)0U);
assert(size <= SSIZE_MAX);
do
{
while((readnb = read(fd, buf, size)) < (ssize_t)0
&& (errno == EINTR || errno == EAGAIN))
; /* LCOV_EXCL_LINE */
if(readnb < (ssize_t)0)
{
return readnb; /* LCOV_EXCL_LINE */
}
if(readnb == (ssize_t)0)
{
break; /* LCOV_EXCL_LINE */
}
size -= (size_t)readnb;
buf += readnb;
} while(size > (ssize_t)0);
return (ssize_t)(buf - (unsigned char *)buf_);
}
#if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) \
&& !defined(NO_BLOCKING_RANDOM_POLL)
static int
randombytes_block_on_dev_random(void)
{
struct pollfd pfd;
int fd;
int pret;
fd = open("/dev/random", O_RDONLY);
if(fd == -1)
{
return 0;
}
pfd.fd = fd;
pfd.events = POLLIN;
pfd.revents = 0;
do
{
pret = poll(&pfd, 1, -1);
} while(pret < 0 && (errno == EINTR || errno == EAGAIN));
if(pret != 1)
{
(void)close(fd);
errno = EIO;
return -1;
}
return close(fd);
}
#endif
#ifndef HAVE_SAFE_ARC4RANDOM
static int
randombytes_salsa20_random_random_dev_open(void)
{
/* LCOV_EXCL_START */
struct stat st;
static const char *devices[] = {
#ifndef USE_BLOCKING_RANDOM
"/dev/urandom",
#endif
"/dev/random", NULL};
const char **device = devices;
int fd;
#if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) \
&& !defined(NO_BLOCKING_RANDOM_POLL)
if(randombytes_block_on_dev_random() != 0)
{
return -1;
}
#endif
do
{
fd = open(*device, O_RDONLY);
if(fd != -1)
{
if(fstat(fd, &st) == 0 && (S_ISNAM(st.st_mode) || S_ISCHR(st.st_mode)))
{
#if defined(F_SETFD) && defined(FD_CLOEXEC)
(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
#endif
return fd;
}
(void)close(fd);
}
else if(errno == EINTR)
{
continue;
}
device++;
} while(*device != NULL);
errno = EIO;
return -1;
/* LCOV_EXCL_STOP */
}
#endif
#if defined(__dietlibc__) || (defined(SYS_getrandom) && defined(__NR_getrandom))
static int
_randombytes_linux_getrandom(void *const buf, const size_t size)
{
int readnb;
assert(size <= 256U);
do
{
#ifdef __dietlibc__
readnb = getrandom(buf, size, 0);
#else
readnb = syscall(SYS_getrandom, buf, (int)size, 0);
#endif
} while(readnb < 0 && (errno == EINTR || errno == EAGAIN));
return (readnb == (int)size) - 1;
}
static int
randombytes_linux_getrandom(void *const buf_, size_t size)
{
unsigned char *buf = (unsigned char *)buf_;
size_t chunk_size = 256U;
do
{
if(size < chunk_size)
{
chunk_size = size;
assert(chunk_size > (size_t)0U);
}
if(_randombytes_linux_getrandom(buf, chunk_size) != 0)
{
return -1;
}
size -= chunk_size;
buf += chunk_size;
} while(size > (size_t)0U);
return 0;
}
#endif
static void
randombytes_salsa20_random_init(void)
{
const int errno_save = errno;
stream.nonce = sodium_hrtime();
global.rdrand_available = sodium_runtime_has_rdrand();
assert(stream.nonce != (uint64_t)0U);
#ifdef HAVE_SAFE_ARC4RANDOM
errno = errno_save;
#else
#if defined(SYS_getrandom) && defined(__NR_getrandom)
{
unsigned char fodder[16];
if(randombytes_linux_getrandom(fodder, sizeof fodder) == 0)
{
global.getrandom_available = 1;
errno = errno_save;
return;
}
global.getrandom_available = 0;
}
#endif /* SYS_getrandom */
if((global.random_data_source_fd =
randombytes_salsa20_random_random_dev_open())
== -1)
{
sodium_misuse(); /* LCOV_EXCL_LINE */
}
errno = errno_save;
#endif /* HAVE_SAFE_ARC4RANDOM */
}
#endif /* _WIN32 */
/*
* (Re)seed the generator using the entropy source
*/
static void
randombytes_salsa20_random_stir(void)
{
unsigned char
m0[crypto_stream_salsa20_KEYBYTES + crypto_stream_salsa20_NONCEBYTES];
memset(stream.rnd32, 0, sizeof stream.rnd32);
stream.rnd32_outleft = (size_t)0U;
if(global.initialized == 0)
{
randombytes_salsa20_random_init();
global.initialized = 1;
}
#ifdef HAVE_GETPID
global.pid = getpid();
#endif
#ifndef _WIN32
#ifdef HAVE_SAFE_ARC4RANDOM
arc4random_buf(m0, sizeof m0);
#elif defined(SYS_getrandom) && defined(__NR_getrandom)
if(global.getrandom_available != 0)
{
if(randombytes_linux_getrandom(m0, sizeof m0) != 0)
{
sodium_misuse(); /* LCOV_EXCL_LINE */
}
}
else if(global.random_data_source_fd == -1
|| safe_read(global.random_data_source_fd, m0, sizeof m0)
!= (ssize_t)sizeof m0)
{
sodium_misuse(); /* LCOV_EXCL_LINE */
}
#else
if(global.random_data_source_fd == -1
|| safe_read(global.random_data_source_fd, m0, sizeof m0)
!= (ssize_t)sizeof m0)
{
sodium_misuse(); /* LCOV_EXCL_LINE */
}
#endif
#else /* _WIN32 */
HANDLE hCAPINg;
BOOL rtld;
CNGAPI_DRBG getrandom;
HCRYPTPROV hProv;
/* load bcrypt dynamically, see if we're already loaded */
rtld = FALSE;
hCAPINg = GetModuleHandle("bcrypt.dll");
/* otherwise, load CNG manually */
if(!hCAPINg)
{
hCAPINg = LoadLibraryEx("bcrypt.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
rtld = TRUE;
}
if(hCAPINg)
{
/* call BCryptGenRandom(2) */
getrandom = (CNGAPI_DRBG)GetProcAddress(hCAPINg, "BCryptGenRandom");
if(!BCRYPT_SUCCESS(
getrandom(NULL, m0, sizeof m0, BCRYPT_USE_SYSTEM_PREFERRED_RNG)))
{
sodium_misuse();
}
/* don't leak lib refs */
if(rtld)
FreeLibrary(hCAPINg);
}
/* if that fails use the regular ARC4-SHA1 RNG (!!!) *cringes* */
else
{
CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT | CRYPT_SILENT);
if(!CryptGenRandom(hProv, sizeof m0, m0))
{
sodium_misuse(); /* LCOV_EXCL_LINE */
}
CryptReleaseContext(hProv, 0);
}
#endif
crypto_stream_salsa20(stream.key, sizeof stream.key,
m0 + crypto_stream_salsa20_KEYBYTES, m0);
sodium_memzero(m0, sizeof m0);
stream.initialized = 1;
}
/*
* Reseed the generator if it hasn't been initialized yet
*/
static void
randombytes_salsa20_random_stir_if_needed(void)
{
#ifdef HAVE_GETPID
if(stream.initialized == 0)
{
randombytes_salsa20_random_stir();
}
else if(global.pid != getpid())
{
sodium_misuse(); /* LCOV_EXCL_LINE */
}
#else
if(stream.initialized == 0)
{
randombytes_salsa20_random_stir();
}
#endif
}
/*
* Close the stream, free global resources
*/
#ifdef _WIN32
static int
randombytes_salsa20_random_close(void)
{
int ret = -1;
if(global.initialized != 0)
{
global.initialized = 0;
ret = 0;
}
sodium_memzero(&stream, sizeof stream);
return ret;
}
#else
static int
randombytes_salsa20_random_close(void)
{
int ret = -1;
if(global.random_data_source_fd != -1
&& close(global.random_data_source_fd) == 0)
{
global.random_data_source_fd = -1;
global.initialized = 0;
#ifdef HAVE_GETPID
global.pid = (pid_t)0;
#endif
ret = 0;
}
#ifdef HAVE_SAFE_ARC4RANDOM
ret = 0;
#endif
#if defined(SYS_getrandom) && defined(__NR_getrandom)
if(global.getrandom_available != 0)
{
ret = 0;
}
#endif
sodium_memzero(&stream, sizeof stream);
return ret;
}
#endif
/*
* RDRAND is only used to mitigate prediction if a key is compromised
*/
static void
randombytes_salsa20_random_xorhwrand(void)
{
/* LCOV_EXCL_START */
#ifdef HAVE_RDRAND
unsigned int r;
if(global.rdrand_available == 0)
{
return;
}
(void)_rdrand32_step(&r);
*(uint32_t *)(void *)&stream.key[crypto_stream_salsa20_KEYBYTES - 4] ^=
(uint32_t)r;
#endif
/* LCOV_EXCL_STOP */
}
/*
* XOR the key with another same-length secret
*/
static inline void
randombytes_salsa20_random_xorkey(const unsigned char *const mix)
{
unsigned char *key = stream.key;
size_t i;
for(i = (size_t)0U; i < sizeof stream.key; i++)
{
key[i] ^= mix[i];
}
}
/*
* Put `size` random bytes into `buf` and overwrite the key
*/
static void
randombytes_salsa20_random_buf(void *const buf, const size_t size)
{
size_t i;
int ret;
randombytes_salsa20_random_stir_if_needed();
COMPILER_ASSERT(sizeof stream.nonce == crypto_stream_salsa20_NONCEBYTES);
#if defined(ULONG_LONG_MAX) && defined(SIZE_MAX)
#if SIZE_MAX > ULONG_LONG_MAX
/* coverity[result_independent_of_operands] */
assert(size <= ULONG_LONG_MAX);
#endif
#endif
ret = crypto_stream_salsa20((unsigned char *)buf, (unsigned long long)size,
(unsigned char *)&stream.nonce, stream.key);
assert(ret == 0);
for(i = 0U; i < sizeof size; i++)
{
stream.key[i] ^= ((const unsigned char *)(const void *)&size)[i];
}
randombytes_salsa20_random_xorhwrand();
stream.nonce++;
crypto_stream_salsa20_xor(stream.key, stream.key, sizeof stream.key,
(unsigned char *)&stream.nonce, stream.key);
}
/*
* Pop a 32-bit value from the random pool
*
* Overwrite the key after the pool gets refilled.
*/
static uint32_t
randombytes_salsa20_random(void)
{
uint32_t val;
int ret;
COMPILER_ASSERT(sizeof stream.rnd32 >= (sizeof stream.key) + (sizeof val));
COMPILER_ASSERT(((sizeof stream.rnd32) - (sizeof stream.key)) % sizeof val
== (size_t)0U);
if(stream.rnd32_outleft <= (size_t)0U)
{
randombytes_salsa20_random_stir_if_needed();
COMPILER_ASSERT(sizeof stream.nonce == crypto_stream_salsa20_NONCEBYTES);
ret = crypto_stream_salsa20((unsigned char *)stream.rnd32,
(unsigned long long)sizeof stream.rnd32,
(unsigned char *)&stream.nonce, stream.key);
assert(ret == 0);
stream.rnd32_outleft = (sizeof stream.rnd32) - (sizeof stream.key);
randombytes_salsa20_random_xorhwrand();
randombytes_salsa20_random_xorkey(&stream.rnd32[stream.rnd32_outleft]);
memset(&stream.rnd32[stream.rnd32_outleft], 0, sizeof stream.key);
stream.nonce++;
}
stream.rnd32_outleft -= sizeof val;
memcpy(&val, &stream.rnd32[stream.rnd32_outleft], sizeof val);
memset(&stream.rnd32[stream.rnd32_outleft], 0, sizeof val);
return val;
}
static const char *
randombytes_salsa20_implementation_name(void)
{
return "salsa20";
}
struct randombytes_implementation randombytes_salsa20_implementation = {
SODIUM_C99(.implementation_name =) randombytes_salsa20_implementation_name,
SODIUM_C99(.random =) randombytes_salsa20_random,
SODIUM_C99(.stir =) randombytes_salsa20_random_stir,
SODIUM_C99(.uniform =) NULL,
SODIUM_C99(.buf =) randombytes_salsa20_random_buf,
SODIUM_C99(.close =) randombytes_salsa20_random_close};