libc/bionic/arc4random.c - platform/bionic - Git at Google

 /*	$OpenBSD: arc4random.c,v 1.33 2014/06/13 18:58:58 deraadt Exp $	*/

 /*
  * Copyright (c) 1996, David Mazieres <dm@uun.org>
  * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
  * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */

 /*
  * ChaCha based random number generator for OpenBSD.
  */

 #include <fcntl.h>
 #include <limits.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/time.h>
 #include <sys/mman.h>

 #if defined(__ANDROID__)
 #include <sys/stat.h>
 #include <linux/random.h>
 #include "private/libc_logging.h"
 #include "private/thread_private.h"

 #define explicit_bzero(p, s) memset(p, 0, s)

 #undef MAP_ANON
 #define MAP_ANON (MAP_PRIVATE | MAP_ANONYMOUS)

 /*
  * XXX Should be replaced with a proper entropy measure.
  */
 static int
 gotdata(u_char *buf, size_t len)
 {
 	char	any_set = 0;
 	size_t	i;

 	for (i = 0; i < len; ++i)
 		any_set |= buf[i];
 	if (any_set == 0)
 		return -1;
 	return 0;
 }

 static int
 getentropy/*_urandom*/(u_char *buf, size_t len)
 {
 	int save_errno = errno;

 	int fd = TEMP_FAILURE_RETRY(open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOFOLLOW, 0));
 	if (fd == -1) {
 		__libc_fatal("getentropy_urandom failed to open \"/dev/urandom\": %s",
 				strerror(errno));
 	}

 	/* Lightly verify that the device node looks sane */
 	struct stat st;
 	if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
 		__libc_fatal("getentropy_urandom failed to fstat \"/dev/urandom\": %s",
 				strerror(errno));
 	}
 	int cnt;
 	if (ioctl(fd, RNDGETENTCNT, &cnt) == -1) {
 		__libc_fatal("getentropy_urandom failed to ioctl \"/dev/urandom\": %s",
 				strerror(errno));
 	}
 	for (size_t i = 0; i < len; ) {
 		size_t wanted = len - i;
 		ssize_t ret = TEMP_FAILURE_RETRY(read(fd, buf + i, wanted));

 		if (ret == -1) {
 			__libc_fatal("getentropy_urandom failed to read \"/dev/urandom\": %s",
 					strerror(errno));
 		}
 		i += ret;
 	}
 	close(fd);
 	if (gotdata(buf, len) == -1) {
 		__libc_fatal("getentropy_urandom failed to get enough entropy: %s",
 				strerror(errno));
 	}

 	errno = save_errno;
 	return 0;
 }
 #endif /* __ANDROID__ */

 #define KEYSTREAM_ONLY
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wunused-parameter"
 #include "../upstream-openbsd/lib/libc/crypt/chacha_private.h"
 #pragma GCC diagnostic pop

 #ifdef __GNUC__
 #define inline __inline
 #else				/* !__GNUC__ */
 #define inline
 #endif				/* !__GNUC__ */

 #define KEYSZ	32
 #define IVSZ	8
 #define BLOCKSZ	64
 #define RSBUFSZ	(16*BLOCKSZ)
 static int rs_initialized;
 static pid_t rs_stir_pid;
 static chacha_ctx *rs;		/* chacha context for random keystream */
 static u_char *rs_buf;		/* keystream blocks */
 static size_t rs_have;		/* valid bytes at end of rs_buf */
 static size_t rs_count;		/* bytes till reseed */

 static inline void _rs_rekey(u_char *dat, size_t datlen);

 static inline void
 _rs_init(u_char *buf, size_t n)
 {
 	if (n < KEYSZ + IVSZ)
 		return;

 	if (rs == NULL && (rs = mmap(NULL, sizeof(*rs), PROT_READ|PROT_WRITE,
 	    MAP_ANON, -1, 0)) == MAP_FAILED)
 		abort();
 	if (rs_buf == NULL && (rs_buf = mmap(NULL, RSBUFSZ, PROT_READ|PROT_WRITE,
 	    MAP_ANON, -1, 0)) == MAP_FAILED)
 		abort();

 	chacha_keysetup(rs, buf, KEYSZ * 8, 0);
 	chacha_ivsetup(rs, buf + KEYSZ);
 }

 static void
 _rs_stir(void)
 {
 	u_char rnd[KEYSZ + IVSZ];

 	/* XXX */
 	(void) getentropy(rnd, sizeof rnd);

 	if (!rs_initialized) {
 		rs_initialized = 1;
 		_rs_init(rnd, sizeof(rnd));
 	} else
 		_rs_rekey(rnd, sizeof(rnd));
 	explicit_bzero(rnd, sizeof(rnd));

 	/* invalidate rs_buf */
 	rs_have = 0;
 	memset(rs_buf, 0, RSBUFSZ);

 	rs_count = 1600000;
 }

 static inline void
 _rs_stir_if_needed(size_t len)
 {
 	pid_t pid = getpid();

 	if (rs_count <= len || !rs_initialized || rs_stir_pid != pid) {
 		rs_stir_pid = pid;
 		_rs_stir();
 	} else
 		rs_count -= len;
 }

 static inline void
 _rs_rekey(u_char *dat, size_t datlen)
 {
 #ifndef KEYSTREAM_ONLY
 	memset(rs_buf, 0,RSBUFSZ);
 #endif
 	/* fill rs_buf with the keystream */
 	chacha_encrypt_bytes(rs, rs_buf, rs_buf, RSBUFSZ);
 	/* mix in optional user provided data */
 	if (dat) {
 		size_t i, m;

 		m = MIN(datlen, KEYSZ + IVSZ);
 		for (i = 0; i < m; i++)
 			rs_buf[i] ^= dat[i];
 	}
 	/* immediately reinit for backtracking resistance */
 	_rs_init(rs_buf, KEYSZ + IVSZ);
 	memset(rs_buf, 0, KEYSZ + IVSZ);
 	rs_have = RSBUFSZ - KEYSZ - IVSZ;
 }

 static inline void
 _rs_random_buf(void *_buf, size_t n)
 {
 	u_char *buf = (u_char *)_buf;
 	size_t m;

 	_rs_stir_if_needed(n);
 	while (n > 0) {
 		if (rs_have > 0) {
 			m = MIN(n, rs_have);
 			memcpy(buf, rs_buf + RSBUFSZ - rs_have, m);
 			memset(rs_buf + RSBUFSZ - rs_have, 0, m);
 			buf += m;
 			n -= m;
 			rs_have -= m;
 		}
 		if (rs_have == 0)
 			_rs_rekey(NULL, 0);
 	}
 }

 static inline void
 _rs_random_u32(u_int32_t *val)
 {
 	_rs_stir_if_needed(sizeof(*val));
 	if (rs_have < sizeof(*val))
 		_rs_rekey(NULL, 0);
 	memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val));
 	memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val));
 	rs_have -= sizeof(*val);
 }

 u_int32_t
 arc4random(void)
 {
 	u_int32_t val;

 	_ARC4_LOCK();
 	_rs_random_u32(&val);
 	_ARC4_UNLOCK();
 	return val;
 }

 void
 arc4random_buf(void *buf, size_t n)
 {
 	_ARC4_LOCK();
 	_rs_random_buf(buf, n);
 	_ARC4_UNLOCK();
 }

 /*
  * Calculate a uniformly distributed random number less than upper_bound
  * avoiding "modulo bias".
  *
  * Uniformity is achieved by generating new random numbers until the one
  * returned is outside the range [0, 2**32 % upper_bound).  This
  * guarantees the selected random number will be inside
  * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
  * after reduction modulo upper_bound.
  */
 u_int32_t
 arc4random_uniform(u_int32_t upper_bound)
 {
 	u_int32_t r, min;

 	if (upper_bound < 2)
 		return 0;

 	/* 2**32 % x == (2**32 - x) % x */
 	min = -upper_bound % upper_bound;

 	/*
 	 * This could theoretically loop forever but each retry has
 	 * p > 0.5 (worst case, usually far better) of selecting a
 	 * number inside the range we need, so it should rarely need
 	 * to re-roll.
 	 */
 	for (;;) {
 		r = arc4random();
 		if (r >= min)
 			break;
 	}

 	return r % upper_bound;
 }
	/* $OpenBSD: arc4random.c,v 1.33 2014/06/13 18:58:58 deraadt Exp $ */

	/*
	* Copyright (c) 1996, David Mazieres <dm@uun.org>
	* Copyright (c) 2008, Damien Miller <djm@openbsd.org>
	* Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
	*
	* Permission to use, copy, modify, and distribute this software for any
	* purpose with or without fee is hereby granted, provided that the above
	* copyright notice and this permission notice appear in all copies.
	*
	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	*/

	/*
	* ChaCha based random number generator for OpenBSD.
	*/

	#include <fcntl.h>
	#include <limits.h>
	#include <stdlib.h>
	#include <string.h>
	#include <unistd.h>
	#include <sys/types.h>
	#include <sys/param.h>
	#include <sys/time.h>
	#include <sys/mman.h>

	#if defined(__ANDROID__)
	#include <sys/stat.h>
	#include <linux/random.h>
	#include "private/libc_logging.h"
	#include "private/thread_private.h"

	#define explicit_bzero(p, s) memset(p, 0, s)

	#undef MAP_ANON
	#define MAP_ANON (MAP_PRIVATE \| MAP_ANONYMOUS)

	/*
	* XXX Should be replaced with a proper entropy measure.
	*/
	static int
	gotdata(u_char *buf, size_t len)
	{
	char any_set = 0;
	size_t i;

	for (i = 0; i < len; ++i)
	any_set \|= buf[i];
	if (any_set == 0)
	return -1;
	return 0;
	}

	static int
	getentropy/_urandom/(u_char *buf, size_t len)
	{
	int save_errno = errno;

	int fd = TEMP_FAILURE_RETRY(open("/dev/urandom", O_RDONLY\|O_CLOEXEC\|O_NOFOLLOW, 0));
	if (fd == -1) {
	__libc_fatal("getentropy_urandom failed to open \"/dev/urandom\": %s",
	strerror(errno));
	}

	/* Lightly verify that the device node looks sane */
	struct stat st;
	if (fstat(fd, &st) == -1 \|\| !S_ISCHR(st.st_mode)) {
	__libc_fatal("getentropy_urandom failed to fstat \"/dev/urandom\": %s",
	strerror(errno));
	}
	int cnt;
	if (ioctl(fd, RNDGETENTCNT, &cnt) == -1) {
	__libc_fatal("getentropy_urandom failed to ioctl \"/dev/urandom\": %s",
	strerror(errno));
	}
	for (size_t i = 0; i < len; ) {
	size_t wanted = len - i;
	ssize_t ret = TEMP_FAILURE_RETRY(read(fd, buf + i, wanted));

	if (ret == -1) {
	__libc_fatal("getentropy_urandom failed to read \"/dev/urandom\": %s",
	strerror(errno));
	}
	i += ret;
	}
	close(fd);
	if (gotdata(buf, len) == -1) {
	__libc_fatal("getentropy_urandom failed to get enough entropy: %s",
	strerror(errno));
	}

	errno = save_errno;
	return 0;
	}
	#endif /* __ANDROID__ */

	#define KEYSTREAM_ONLY
	#pragma GCC diagnostic push
	#pragma GCC diagnostic ignored "-Wunused-parameter"
	#include "../upstream-openbsd/lib/libc/crypt/chacha_private.h"
	#pragma GCC diagnostic pop

	#ifdef __GNUC__
	#define inline __inline
	#else /* !__GNUC__ */
	#define inline
	#endif /* !__GNUC__ */

	#define KEYSZ 32
	#define IVSZ 8
	#define BLOCKSZ 64
	#define RSBUFSZ (16*BLOCKSZ)
	static int rs_initialized;
	static pid_t rs_stir_pid;
	static chacha_ctx rs; / chacha context for random keystream */
	static u_char rs_buf; / keystream blocks */
	static size_t rs_have; /* valid bytes at end of rs_buf */
	static size_t rs_count; /* bytes till reseed */

	static inline void _rs_rekey(u_char *dat, size_t datlen);

	static inline void
	_rs_init(u_char *buf, size_t n)
	{
	if (n < KEYSZ + IVSZ)
	return;

	if (rs == NULL && (rs = mmap(NULL, sizeof(*rs), PROT_READ\|PROT_WRITE,
	MAP_ANON, -1, 0)) == MAP_FAILED)
	abort();
	if (rs_buf == NULL && (rs_buf = mmap(NULL, RSBUFSZ, PROT_READ\|PROT_WRITE,
	MAP_ANON, -1, 0)) == MAP_FAILED)
	abort();

	chacha_keysetup(rs, buf, KEYSZ * 8, 0);
	chacha_ivsetup(rs, buf + KEYSZ);
	}

	static void
	_rs_stir(void)
	{
	u_char rnd[KEYSZ + IVSZ];

	/* XXX */
	(void) getentropy(rnd, sizeof rnd);

	if (!rs_initialized) {
	rs_initialized = 1;
	_rs_init(rnd, sizeof(rnd));
	} else
	_rs_rekey(rnd, sizeof(rnd));
	explicit_bzero(rnd, sizeof(rnd));

	/* invalidate rs_buf */
	rs_have = 0;
	memset(rs_buf, 0, RSBUFSZ);

	rs_count = 1600000;
	}

	static inline void
	_rs_stir_if_needed(size_t len)
	{
	pid_t pid = getpid();

	if (rs_count <= len \|\| !rs_initialized \|\| rs_stir_pid != pid) {
	rs_stir_pid = pid;
	_rs_stir();
	} else
	rs_count -= len;
	}

	static inline void
	_rs_rekey(u_char *dat, size_t datlen)
	{
	#ifndef KEYSTREAM_ONLY
	memset(rs_buf, 0,RSBUFSZ);
	#endif
	/* fill rs_buf with the keystream */
	chacha_encrypt_bytes(rs, rs_buf, rs_buf, RSBUFSZ);
	/* mix in optional user provided data */
	if (dat) {
	size_t i, m;

	m = MIN(datlen, KEYSZ + IVSZ);
	for (i = 0; i < m; i++)
	rs_buf[i] ^= dat[i];
	}
	/* immediately reinit for backtracking resistance */
	_rs_init(rs_buf, KEYSZ + IVSZ);
	memset(rs_buf, 0, KEYSZ + IVSZ);
	rs_have = RSBUFSZ - KEYSZ - IVSZ;
	}

	static inline void
	_rs_random_buf(void *_buf, size_t n)
	{
	u_char buf = (u_char )_buf;
	size_t m;

	_rs_stir_if_needed(n);
	while (n > 0) {
	if (rs_have > 0) {
	m = MIN(n, rs_have);
	memcpy(buf, rs_buf + RSBUFSZ - rs_have, m);
	memset(rs_buf + RSBUFSZ - rs_have, 0, m);
	buf += m;
	n -= m;
	rs_have -= m;
	}
	if (rs_have == 0)
	_rs_rekey(NULL, 0);
	}
	}

	static inline void
	_rs_random_u32(u_int32_t *val)
	{
	_rs_stir_if_needed(sizeof(*val));
	if (rs_have < sizeof(*val))
	_rs_rekey(NULL, 0);
	memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val));
	memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val));
	rs_have -= sizeof(*val);
	}

	u_int32_t
	arc4random(void)
	{
	u_int32_t val;

	_ARC4_LOCK();
	_rs_random_u32(&val);
	_ARC4_UNLOCK();
	return val;
	}

	void
	arc4random_buf(void *buf, size_t n)
	{
	_ARC4_LOCK();
	_rs_random_buf(buf, n);
	_ARC4_UNLOCK();
	}

	/*
	* Calculate a uniformly distributed random number less than upper_bound
	* avoiding "modulo bias".
	*
	* Uniformity is achieved by generating new random numbers until the one
	* returned is outside the range [0, 2**32 % upper_bound). This
	* guarantees the selected random number will be inside
	* [232 % upper_bound, 232) which maps back to [0, upper_bound)
	* after reduction modulo upper_bound.
	*/
	u_int32_t
	arc4random_uniform(u_int32_t upper_bound)
	{
	u_int32_t r, min;

	if (upper_bound < 2)
	return 0;

	/* 232 % x == (232 - x) % x */
	min = -upper_bound % upper_bound;

	/*
	* This could theoretically loop forever but each retry has
	* p > 0.5 (worst case, usually far better) of selecting a
	* number inside the range we need, so it should rarely need
	* to re-roll.
	*/
	for (;;) {
	r = arc4random();
	if (r >= min)
	break;
	}

	return r % upper_bound;
	}