release/src/router/libsodium/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c

   1
   2 #include <sys/types.h>
   3 #include <sys/time.h>
   4
   5 #include <assert.h>
   6 #include <errno.h>
   7 #include <fcntl.h>
   8 #include <limits.h>
   9 #include <stdbool.h>
  10 #include <stdint.h>
  11 #include <stdlib.h>
  12 #include <string.h>
  13 #include <unistd.h>
  14
  15 #include "crypto_core_salsa20.h"
  16 #include "crypto_auth_hmacsha512256.h"
  17 #include "crypto_stream_salsa20.h"
  18 #include "randombytes.h"
  19 #include "randombytes_salsa20_random.h"
  20 #include "utils.h"
  21
  22 #ifdef _WIN32
  23 # include <Windows.h>
  24 # include <Wincrypt.h>
  25 # include <sys/timeb.h>
  26 #endif
  27
  28 #define SALSA20_RANDOM_BLOCK_SIZE crypto_core_salsa20_OUTPUTBYTES
  29 #define SHA512_BLOCK_SIZE 128U
  30 #define SHA512_MIN_PAD_SIZE (1U + 16U)
  31 #define COMPILER_ASSERT(X) (void) sizeof(char[(X) ? 1 : -1])
  32
  33 typedef struct Salsa20Random_ {
  34     unsigned char key[crypto_stream_salsa20_KEYBYTES];
  35     unsigned char rnd32[SALSA20_RANDOM_BLOCK_SIZE];
  36     uint64_t      nonce;
  37     size_t        rnd32_outleft;
  38     pid_t         pid;
  39 #ifdef _WIN32
  40     HCRYPTPROV    hcrypt_prov;
  41 #endif
  42     int           random_data_source_fd;
  43     bool          initialized;
  44 } Salsa20Random;
  45
  46 static Salsa20Random stream = {
  47     _SODIUM_C99(.random_data_source_fd =) -1,
  48     _SODIUM_C99(.rnd32_outleft =) (size_t) 0U,
  49     _SODIUM_C99(.initialized =) 0
  50 };
  51
  52 static uint64_t
  53 sodium_hrtime(void)
  54 {
  55     struct timeval tv;
  56     uint64_t       ts = (uint64_t) 0U;
  57     int            ret;
  58
  59 #ifdef _WIN32
  60     struct _timeb tb;
  61
  62     _ftime(&tb);
  63     tv.tv_sec = (long) tb.time;
  64     tv.tv_usec = ((int) tb.millitm) * 1000;
  65     ret = 0;
  66 #else
  67     ret = gettimeofday(&tv, NULL);
  68 #endif
  69     assert(ret == 0);
  70     if (ret == 0) {
  71         ts = (uint64_t) tv.tv_sec * 1000000U + (uint64_t) tv.tv_usec;
  72     }
  73     return ts;
  74 }
  75
  76 #ifndef _WIN32
  77 static ssize_t
  78 safe_read(const int fd, void * const buf_, size_t count)
  79 {
  80     unsigned char *buf = (unsigned char *) buf_;
  81     ssize_t        readnb;
  82
  83     do {
  84         while ((readnb = read(fd, buf, count)) < (ssize_t) 0 &&
  85                errno == EINTR);
  86         if (readnb < (ssize_t) 0) {
  87             return readnb;
  88         }
  89         if (readnb == (ssize_t) 0) {
  90             break;
  91         }
  92         count -= (size_t) readnb;
  93         buf += readnb;
  94     } while (count > (ssize_t) 0);
  95
  96     return (ssize_t) (buf - (unsigned char *) buf_);
  97 }
  98 #endif
  99
 100 #ifndef _WIN32
 101 static int
 102 randombytes_salsa20_random_random_dev_open(void)
 103 {
 104     static const char * const devices[] = {
 105 # ifndef USE_BLOCKING_RANDOM
 106         "/dev/arandom", "/dev/urandom",
 107 # endif
 108         "/dev/random", NULL
 109     };
 110     const char * const *device = devices;
 111
 112     do {
 113         if (access(*device, F_OK | R_OK) == 0) {
 114             return open(*device, O_RDONLY);
 115         }
 116         device++;
 117     } while (*device != NULL);
 118
 119     return -1;
 120 }
 121
 122 static void
 123 randombytes_salsa20_random_init(void)
 124 {
 125     stream.nonce = sodium_hrtime();
 126     assert(stream.nonce != (uint64_t) 0U);
 127
 128     if ((stream.random_data_source_fd =
 129          randombytes_salsa20_random_random_dev_open()) == -1) {
 130         abort();
 131     }
 132 }
 133
 134 #else /* _WIN32 */
 135
 136 static void
 137 randombytes_salsa20_random_init(void)
 138 {
 139     stream.nonce = sodium_hrtime();
 140     assert(stream.nonce != (uint64_t) 0U);
 141
 142     if (! CryptAcquireContext(&stream.hcrypt_prov, NULL, NULL,
 143                               PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
 144         abort();
 145     }
 146 }
 147 #endif
 148
 149 void
 150 randombytes_salsa20_random_stir(void)
 151 {
 152     const unsigned char s[crypto_auth_hmacsha512256_KEYBYTES] = {
 153         'T', 'h', 'i', 's', 'I', 's', 'J', 'u', 's', 't', 'A', 'T',
 154         'h', 'i', 'r', 't', 'y', 'T', 'w', 'o', 'B', 'y', 't', 'e',
 155         's', 'S', 'e', 'e', 'd', '.', '.', '.'
 156     };
 157     unsigned char  m0[crypto_auth_hmacsha512256_BYTES +
 158                       2U * SHA512_BLOCK_SIZE - SHA512_MIN_PAD_SIZE];
 159     unsigned char *k0 = m0 + crypto_auth_hmacsha512256_BYTES;
 160     size_t         i;
 161     size_t         sizeof_k0 = sizeof m0 - crypto_auth_hmacsha512256_BYTES;
 162
 163     memset(stream.rnd32, 0, sizeof stream.rnd32);
 164     stream.rnd32_outleft = (size_t) 0U;
 165     if (stream.initialized == 0) {
 166         randombytes_salsa20_random_init();
 167         stream.initialized = 1;
 168     }
 169 #ifndef _WIN32
 170     if (safe_read(stream.random_data_source_fd, m0,
 171                   sizeof m0) != (ssize_t) sizeof m0) {
 172         abort();
 173     }
 174 #else /* _WIN32 */
 175     if (! CryptGenRandom(stream.hcrypt_prov, sizeof m0, m0)) {
 176         abort();
 177     }
 178 #endif
 179     COMPILER_ASSERT(sizeof stream.key == crypto_auth_hmacsha512256_BYTES);
 180     crypto_auth_hmacsha512256(stream.key, k0, sizeof_k0, s);
 181     COMPILER_ASSERT(sizeof stream.key <= sizeof m0);
 182     for (i = (size_t) 0U; i < sizeof stream.key; i++) {
 183         stream.key[i] ^= m0[i];
 184     }
 185     sodium_memzero(m0, sizeof m0);
 186 }
 187
 188 static void
 189 randombytes_salsa20_random_stir_if_needed(void)
 190 {
 191     const pid_t pid = getpid();
 192
 193     if (stream.initialized == 0 || stream.pid != pid) {
 194         stream.pid = pid;
 195         randombytes_salsa20_random_stir();
 196     }
 197 }
 198
 199 static uint32_t
 200 randombytes_salsa20_random_getword(void)
 201 {
 202     uint32_t val;
 203     int      ret;
 204
 205     COMPILER_ASSERT(sizeof stream.rnd32 >= sizeof val);
 206     COMPILER_ASSERT(sizeof stream.rnd32 % sizeof val == (size_t) 0U);
 207     if (stream.rnd32_outleft <= (size_t) 0U) {
 208         randombytes_salsa20_random_stir_if_needed();
 209         COMPILER_ASSERT(sizeof stream.nonce == crypto_stream_salsa20_NONCEBYTES);
 210         ret = crypto_stream_salsa20((unsigned char *) stream.rnd32,
 211                                     (unsigned long long) sizeof stream.rnd32,
 212                                     (unsigned char *) &stream.nonce,
 213                                     stream.key);
 214         assert(ret == 0);
 215         stream.nonce++;
 216         stream.rnd32_outleft = sizeof stream.rnd32;
 217     }
 218     stream.rnd32_outleft -= sizeof val;
 219     memcpy(&val, &stream.rnd32[stream.rnd32_outleft], sizeof val);
 220
 221     return val;
 222 }
 223
 224 int
 225 randombytes_salsa20_random_close(void)
 226 {
 227     int ret = -1;
 228
 229 #ifndef _WIN32
 230     if (stream.random_data_source_fd != -1 &&
 231         close(stream.random_data_source_fd) == 0) {
 232         stream.random_data_source_fd = -1;
 233         stream.initialized = 0;
 234         ret = 0;
 235     }
 236 #else /* _WIN32 */
 237     if (stream.initialized != 0 &&
 238         CryptReleaseContext(stream.hcrypt_prov, 0)) {
 239         stream.initialized = 0;
 240         ret = 0;
 241     }
 242 #endif
 243     return ret;
 244 }
 245
 246 uint32_t
 247 randombytes_salsa20_random(void)
 248 {
 249     return randombytes_salsa20_random_getword();
 250 }
 251
 252 void
 253 randombytes_salsa20_random_buf(void * const buf, const size_t size)
 254 {
 255     int ret;
 256
 257     randombytes_salsa20_random_stir_if_needed();
 258     COMPILER_ASSERT(sizeof stream.nonce == crypto_stream_salsa20_NONCEBYTES);
 259 #ifdef ULONG_LONG_MAX
 260     assert(size <= ULONG_LONG_MAX);
 261 #endif
 262     ret = crypto_stream_salsa20((unsigned char *) buf, (unsigned long long) size,
 263                                 (unsigned char *) &stream.nonce,
 264                                 stream.key);
 265     assert(ret == 0);
 266     stream.nonce++;
 267 }
 268
 269 /*
 270  * randombytes_salsa20_random_uniform() derives from OpenBSD's arc4random_uniform()
 271  * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
 272  */
 273
 274 uint32_t
 275 randombytes_salsa20_random_uniform(const uint32_t upper_bound)
 276 {
 277     uint32_t min;
 278     uint32_t r;
 279
 280     if (upper_bound < 2) {
 281         return 0;
 282     }
 283     min = (uint32_t) (-upper_bound % upper_bound);
 284     for (;;) {
 285         r = randombytes_salsa20_random();
 286         if (r >= min) {
 287             break;
 288         }
 289     }
 290     return r % upper_bound;
 291 }
 292
 293 const char *
 294 randombytes_salsa20_implementation_name(void)
 295 {
 296     return "salsa20";
 297 }
 298
 299 struct randombytes_implementation randombytes_salsa20_implementation = {
 300     _SODIUM_C99(.implementation_name =) randombytes_salsa20_implementation_name,
 301     _SODIUM_C99(.random =) randombytes_salsa20_random,
 302     _SODIUM_C99(.stir =) randombytes_salsa20_random_stir,
 303     _SODIUM_C99(.uniform =) randombytes_salsa20_random_uniform,
 304     _SODIUM_C99(.buf =) randombytes_salsa20_random_buf,
 305     _SODIUM_C99(.close =) randombytes_salsa20_random_close
 306 };