plan9fox/sys/src/9/port/random.c

#include	"u.h"
#include	"../port/lib.h"
#include	"mem.h"
#include	"dat.h"
#include	"fns.h"
#include	"../port/error.h"

#include	<libsec.h>

/* machine specific hardware random number generator */
void (*hwrandbuf)(void*, ulong) = nil;

static struct
{
	QLock;
	Chachastate;
} *rs;

typedef struct Seedbuf Seedbuf;
struct Seedbuf
{
	ulong		randomcount;
	uchar		buf[64];
	uchar		nbuf;
	uchar		next;
	ushort		bits;

	SHA2_512state	ds;
};

static void
randomsample(Ureg*, Timer *t)
{
	Seedbuf *s = t->ta;

	if(s->randomcount == 0 || s->nbuf >= sizeof(s->buf))
		return;
	s->bits = (s->bits<<2) ^ s->randomcount;
	s->randomcount = 0;
	if(++s->next < 8/2)
		return;
	s->next = 0;
	s->buf[s->nbuf++] ^= s->bits;
}

static void
randomseed(void*)
{
	Seedbuf *s;

	s = secalloc(sizeof(Seedbuf));

	if(hwrandbuf != nil)
		(*hwrandbuf)(s->buf, sizeof(s->buf));

	/* Frequency close but not equal to HZ */
	up->tns = (vlong)(MS2HZ+3)*1000000LL;
	up->tmode = Tperiodic;
	up->tt = nil;
	up->ta = s;
	up->tf = randomsample;
	timeradd(up);
	while(s->nbuf < sizeof(s->buf)){
		if(++s->randomcount <= 100000)
			continue;
		if(anyhigher())
			sched();
	}
	timerdel(up);

	sha2_512(s->buf, sizeof(s->buf), s->buf, &s->ds);
	setupChachastate(rs, s->buf, 32, s->buf+32, 12, 20);
	qunlock(rs);

	secfree(s);

	pexit("", 1);
}

void
randominit(void)
{
	rs = secalloc(sizeof(*rs));
	qlock(rs);	/* randomseed() unlocks once seeded */
	kproc("randomseed", randomseed, nil);
}

ulong
randomread(void *p, ulong n)
{
	Chachastate c;

	if(n == 0)
		return 0;

	if(hwrandbuf != nil)
		(*hwrandbuf)(p, n);

	/* copy chacha state, rekey and increment iv */
	qlock(rs);
	c = *rs;
	chacha_encrypt((uchar*)&rs->input[4], 32, &c);
	if(++rs->input[13] == 0)
		if(++rs->input[14] == 0)
			++rs->input[15];
	qunlock(rs);

	/* encrypt the buffer, can fault */
	chacha_encrypt((uchar*)p, n, &c);

	/* prevent state leakage */
	memset(&c, 0, sizeof(c));

	return n;
}

/* used by fastrand() */
void
genrandom(uchar *p, int n)
{
	randomread(p, n);
}

/* used by rand(),nrand() */
long
lrand(void)
{
	/* xoroshiro128+ algorithm */
	static int seeded = 0;
	static uvlong s[2];
	static Lock lk;
	ulong r;

	if(seeded == 0){
		randomread(s, sizeof(s));
		seeded = (s[0] | s[1]) != 0;
	}

	lock(&lk);
	r = (s[0] + s[1]) >> 33;
	s[1] ^= s[0];
 	s[0] = (s[0] << 55 | s[0] >> 9) ^ s[1] ^ (s[1] << 14);
 	s[1] = (s[1] << 36 | s[1] >> 28);
	unlock(&lk);

 	return r;
}
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00			`#include "u.h"`
			`#include "../port/lib.h"`
			`#include "mem.h"`
			`#include "dat.h"`
			`#include "fns.h"`
			`#include "../port/error.h"`

kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`#include <libsec.h>`

			`/* machine specific hardware random number generator */`
			`void (hwrandbuf)(void, ulong) = nil;`

			`static struct`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00			`{`
			`QLock;`
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`Chachastate;`
			`} *rs;`

			`typedef struct Seedbuf Seedbuf;`
			`struct Seedbuf`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00			`{`
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`ulong randomcount;`
			`uchar buf[64];`
			`uchar nbuf;`
			`uchar next;`
			`ushort bits;`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`SHA2_512state ds;`
			`};`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`static void`
			`randomsample(Ureg, Timer t)`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00			`{`
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`Seedbuf *s = t->ta;`

			`if(s->randomcount == 0 \|\| s->nbuf >= sizeof(s->buf))`
			`return;`
			`s->bits = (s->bits<<2) ^ s->randomcount;`
			`s->randomcount = 0;`
			`if(++s->next < 8/2)`
			`return;`
			`s->next = 0;`
			`s->buf[s->nbuf++] ^= s->bits;`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00			`}`

			`static void`
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`randomseed(void*)`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00			`{`
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`Seedbuf *s;`

			`s = secalloc(sizeof(Seedbuf));`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`if(hwrandbuf != nil)`
			`(*hwrandbuf)(s->buf, sizeof(s->buf));`

			`/* Frequency close but not equal to HZ */`
			`up->tns = (vlong)(MS2HZ+3)*1000000LL;`
			`up->tmode = Tperiodic;`
			`up->tt = nil;`
			`up->ta = s;`
			`up->tf = randomsample;`
			`timeradd(up);`
			`while(s->nbuf < sizeof(s->buf)){`
			`if(++s->randomcount <= 100000)`
kernel: kproc error and exit catch the error() that can be thrown by sleep() and tsleep() in kprocs. add missing pexit() calls. always set the freemem argument to pexit() from kproc otherwise the process gets added to the broken list. 2013-11-22 21:28:20 +00:00			`continue;`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00			`if(anyhigher())`
			`sched();`
			`}`
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`timerdel(up);`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`sha2_512(s->buf, sizeof(s->buf), s->buf, &s->ds);`
			`setupChachastate(rs, s->buf, 32, s->buf+32, 12, 20);`
			`qunlock(rs);`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`secfree(s);`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`pexit("", 1);`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00			`}`

			`void`
			`randominit(void)`
			`{`
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`rs = secalloc(sizeof(*rs));`
			`qlock(rs); /* randomseed() unlocks once seeded */`
			`kproc("randomseed", randomseed, nil);`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00			`}`

			`ulong`
kernel: make randomread() fault reentrant we now access the user buffer in randomread() outside of the lock, only copying and advancing the chacha state under the lock. this means we can use randomread() within the fault handling path now without fearing deadlock. this also allows multiple readers to generate random numbers in parallel. 2016-09-11 00:09:07 +00:00			`randomread(void *p, ulong n)`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00			`{`
kernel: make randomread() fault reentrant we now access the user buffer in randomread() outside of the lock, only copying and advancing the chacha state under the lock. this means we can use randomread() within the fault handling path now without fearing deadlock. this also allows multiple readers to generate random numbers in parallel. 2016-09-11 00:09:07 +00:00			`Chachastate c;`

kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`if(n == 0)`
			`return 0;`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`if(hwrandbuf != nil)`
kernel: make randomread() fault reentrant we now access the user buffer in randomread() outside of the lock, only copying and advancing the chacha state under the lock. this means we can use randomread() within the fault handling path now without fearing deadlock. this also allows multiple readers to generate random numbers in parallel. 2016-09-11 00:09:07 +00:00			`(*hwrandbuf)(p, n);`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00
kernel: rekey chacha state on each randomread() invocation we can encrypt the 256 bit chacha key on each invocation making it hard to reconstruct previous outputs of the generator given the current state (backtracking resiatance). 2016-09-11 17:07:17 +00:00			`/* copy chacha state, rekey and increment iv */`
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`qlock(rs);`
kernel: make randomread() fault reentrant we now access the user buffer in randomread() outside of the lock, only copying and advancing the chacha state under the lock. this means we can use randomread() within the fault handling path now without fearing deadlock. this also allows multiple readers to generate random numbers in parallel. 2016-09-11 00:09:07 +00:00			`c = *rs;`
kernel: rekey chacha state on each randomread() invocation we can encrypt the 256 bit chacha key on each invocation making it hard to reconstruct previous outputs of the generator given the current state (backtracking resiatance). 2016-09-11 17:07:17 +00:00			`chacha_encrypt((uchar*)&rs->input[4], 32, &c);`
kernel: better nonce partitioning for chacha random number generator leave the block counter to chacha_encrypt() and increment the 96 bit iv instead. 2016-09-11 01:18:48 +00:00			`if(++rs->input[13] == 0)`
			`if(++rs->input[14] == 0)`
			`++rs->input[15];`
kernel: switch to fast portable chacha based seed-once random number generator 2016-08-27 18:42:31 +00:00			`qunlock(rs);`
kernel: make randomread() fault reentrant we now access the user buffer in randomread() outside of the lock, only copying and advancing the chacha state under the lock. this means we can use randomread() within the fault handling path now without fearing deadlock. this also allows multiple readers to generate random numbers in parallel. 2016-09-11 00:09:07 +00:00
			`/* encrypt the buffer, can fault */`
			`chacha_encrypt((uchar*)p, n, &c);`

			`/* prevent state leakage */`
			`memset(&c, 0, sizeof(c));`
Import sources from 2011-03-30 iso image 2011-03-30 12:46:40 +00:00
			`return n;`
			`}`
kernel: make randomread() fault reentrant we now access the user buffer in randomread() outside of the lock, only copying and advancing the chacha state under the lock. this means we can use randomread() within the fault handling path now without fearing deadlock. this also allows multiple readers to generate random numbers in parallel. 2016-09-11 00:09:07 +00:00
			`/* used by fastrand() */`
			`void`
			`genrandom(uchar *p, int n)`
			`{`
			`randomread(p, n);`
			`}`
kernel: xoroshiro128+ generator for rand()/nrand() the kernels custom rand() and nrand() functions where not working as specified in rand(2). now we just use libc's rand() and nrand() functions but provide a custom lrand() impelmenting the xoroshiro128+ algorithm as proposed by aiju. 2016-09-11 00:10:25 +00:00
			`/* used by rand(),nrand() */`
			`long`
			`lrand(void)`
			`{`
			`/* xoroshiro128+ algorithm */`
			`static int seeded = 0;`
			`static uvlong s[2];`
			`static Lock lk;`
			`ulong r;`

			`if(seeded == 0){`
			`randomread(s, sizeof(s));`
			`seeded = (s[0] \| s[1]) != 0;`
			`}`

			`lock(&lk);`
			`r = (s[0] + s[1]) >> 33;`
			`s[1] ^= s[0];`
			`s[0] = (s[0] << 55 \| s[0] >> 9) ^ s[1] ^ (s[1] << 14);`
			`s[1] = (s[1] << 36 \| s[1] >> 28);`
			`unlock(&lk);`

			`return r;`
			`}`