Commit 3c53796cbe4e8c8425b4b41598913bb5cbc1f5a1
2022-02-07T19:38:32
rand: introduce git_rand PRNG Introduce `git_rand`, a PRNG based on xoroshiro256**, a fast, all-purpose pseudo-random number generator: https://prng.di.unimi.it The PRNG will be seeded by the system's entropy store when possible, falling back to current time and system data (pid, uptime, etc). Inspiration for this was taken from libressl, but since our PRNG is not used for cryptographic purposes (and indeed currently only generates a unique temp file name that is written in a protected directory), this should be more than sufficient. Our implementation of xoroshiro256** was taken almost strictly from the original author's sources, but was tested against PractRand to ensure that there were no foolish mistranslations: ``` RNG_test using PractRand version 0.94 RNG = RNG_stdin64, seed = unknown test set = core, folding = standard (64 bit) rng=RNG_stdin64, seed=unknown length= 256 megabytes (2^28 bytes), time= 2.9 seconds no anomalies in 210 test result(s) rng=RNG_stdin64, seed=unknown length= 512 megabytes (2^29 bytes), time= 6.2 seconds no anomalies in 226 test result(s) rng=RNG_stdin64, seed=unknown length= 1 gigabyte (2^30 bytes), time= 12.7 seconds no anomalies in 243 test result(s) rng=RNG_stdin64, seed=unknown length= 2 gigabytes (2^31 bytes), time= 25.4 seconds no anomalies in 261 test result(s) rng=RNG_stdin64, seed=unknown length= 4 gigabytes (2^32 bytes), time= 50.6 seconds no anomalies in 277 test result(s) rng=RNG_stdin64, seed=unknown length= 8 gigabytes (2^33 bytes), time= 104 seconds no anomalies in 294 test result(s) ```
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339
diff --git a/COPYING b/COPYING
index efeff14..ccfb7db 100644
--- a/COPYING
+++ b/COPYING
@@ -1132,3 +1132,15 @@ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
+----------------------------------------------------------------------
+
+The xoroshiro256** implementation is licensed in the public domain:
+
+Written in 2018 by David Blackman and Sebastiano Vigna (vigna@acm.org)
+
+To the extent possible under law, the author has dedicated all copyright
+and related and neighboring rights to this software to the public domain
+worldwide. This software is distributed without any warranty.
+
+See <http://creativecommons.org/publicdomain/zero/1.0/>.
+
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index e2da4bc..e7b54d0 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -55,6 +55,8 @@ check_prototype_definition(qsort_r
check_function_exists(qsort_s GIT_QSORT_S)
+check_function_exists(getentropy GIT_RAND_GETENTROPY)
+
# Find required dependencies
if(WIN32)
diff --git a/src/features.h.in b/src/features.h.in
index 81a8ae0..f920135 100644
--- a/src/features.h.in
+++ b/src/features.h.in
@@ -48,4 +48,6 @@
#cmakedefine GIT_SHA1_OPENSSL 1
#cmakedefine GIT_SHA1_MBEDTLS 1
+#cmakedefine GIT_RAND_GETENTROPY 1
+
#endif
diff --git a/src/libgit2.c b/src/libgit2.c
index b3a72de..b17485d 100644
--- a/src/libgit2.c
+++ b/src/libgit2.c
@@ -20,6 +20,7 @@
#include "mwindow.h"
#include "object.h"
#include "odb.h"
+#include "rand.h"
#include "refs.h"
#include "runtime.h"
#include "sysdir.h"
@@ -70,6 +71,7 @@ int git_libgit2_init(void)
git_allocator_global_init,
git_threadstate_global_init,
git_threads_global_init,
+ git_rand_global_init,
git_hash_global_init,
git_sysdir_global_init,
git_filter_global_init,
diff --git a/src/rand.c b/src/rand.c
new file mode 100644
index 0000000..0a20813
--- /dev/null
+++ b/src/rand.c
@@ -0,0 +1,226 @@
+/* Written in 2018 by David Blackman and Sebastiano Vigna (vigna@acm.org)
+
+To the extent possible under law, the author has dedicated all copyright
+and related and neighboring rights to this software to the public domain
+worldwide. This software is distributed without any warranty.
+
+See <http://creativecommons.org/publicdomain/zero/1.0/>. */
+
+#include "common.h"
+#include "rand.h"
+#include "runtime.h"
+
+#if defined(GIT_RAND_GETENTROPY)
+# include <sys/random.h>
+#endif
+
+static uint64_t state[4];
+static git_mutex state_lock;
+
+typedef union {
+ double f;
+ uint64_t d;
+} bits;
+
+#if defined(GIT_WIN32)
+GIT_INLINE(int) getseed(uint64_t *seed)
+{
+ HCRYPTPROV provider;
+ SYSTEMTIME systemtime;
+ FILETIME filetime, idletime, kerneltime, usertime;
+ bits convert;
+
+ if (CryptAcquireContext(&provider, 0, 0, PROV_RSA_FULL,
+ CRYPT_VERIFYCONTEXT|CRYPT_SILENT)) {
+ BOOL success = CryptGenRandom(provider, sizeof(uint64_t), (void *)seed);
+ CryptReleaseContext(provider, 0);
+
+ if (success)
+ return 0;
+ }
+
+ GetSystemTime(&systemtime);
+ if (!SystemTimeToFileTime(&systemtime, &filetime)) {
+ git_error_set(GIT_ERROR_OS, "could not get time for random seed");
+ return -1;
+ }
+
+ /* Fall-through: generate a seed from the time and system state */
+ *seed = 0;
+ *seed |= ((uint64_t)filetime.dwLowDateTime << 32);
+ *seed |= ((uint64_t)filetime.dwHighDateTime);
+
+ GetSystemTimes(&idletime, &kerneltime, &usertime);
+
+ *seed ^= ((uint64_t)idletime.dwLowDateTime << 32);
+ *seed ^= ((uint64_t)kerneltime.dwLowDateTime);
+ *seed ^= ((uint64_t)usertime.dwLowDateTime << 32);
+
+ *seed ^= ((uint64_t)idletime.dwHighDateTime);
+ *seed ^= ((uint64_t)kerneltime.dwHighDateTime << 12);
+ *seed ^= ((uint64_t)usertime.dwHighDateTime << 24);
+
+ *seed ^= ((uint64_t)GetCurrentProcessId() << 32);
+ *seed ^= ((uint64_t)GetCurrentThreadId() << 48);
+
+ convert.f = git__timer(); *seed ^= (convert.d);
+
+ /* Mix in the addresses of some functions and variables */
+ *seed ^= (((uint64_t)((uintptr_t)seed) << 32));
+ *seed ^= (((uint64_t)((uintptr_t)&errno)));
+
+ return 0;
+}
+
+#else
+
+GIT_INLINE(int) getseed(uint64_t *seed)
+{
+ struct timeval tv;
+ double loadavg[3];
+ bits convert;
+ int fd;
+
+# if defined(GIT_RAND_GETENTROPY)
+ GIT_UNUSED((fd = 0));
+
+ if (getentropy(seed, sizeof(uint64_t)) == 0)
+ return 0;
+# else
+ /*
+ * Try to read from /dev/urandom; most modern systems will have
+ * this, but we may be chrooted, etc, so it's not a fatal error
+ */
+ if ((fd = open("/dev/urandom", O_RDONLY)) >= 0) {
+ ssize_t ret = read(fd, seed, sizeof(uint64_t));
+ close(fd);
+
+ if (ret == (ssize_t)sizeof(uint64_t))
+ return 0;
+ }
+# endif
+
+ /* Fall-through: generate a seed from the time and system state */
+ if (gettimeofday(&tv, NULL) < 0) {
+ git_error_set(GIT_ERROR_OS, "could get time for random seed");
+ return -1;
+ }
+
+ getloadavg(loadavg, 3);
+
+ *seed = 0;
+ *seed |= ((uint64_t)tv.tv_usec << 40);
+ *seed |= ((uint64_t)tv.tv_sec);
+
+ *seed ^= ((uint64_t)getpid() << 48);
+ *seed ^= ((uint64_t)getppid() << 32);
+ *seed ^= ((uint64_t)getpgid(0) << 28);
+ *seed ^= ((uint64_t)getsid(0) << 16);
+ *seed ^= ((uint64_t)getuid() << 8);
+ *seed ^= ((uint64_t)getgid());
+
+ convert.f = loadavg[0]; *seed ^= (convert.d >> 36);
+ convert.f = loadavg[1]; *seed ^= (convert.d);
+ convert.f = loadavg[2]; *seed ^= (convert.d >> 16);
+
+ convert.f = git__timer(); *seed ^= (convert.d);
+
+ /* Mix in the addresses of some variables */
+ *seed ^= ((uint64_t)((size_t)((void *)seed)) << 32);
+ *seed ^= ((uint64_t)((size_t)((void *)&errno)));
+
+ return 0;
+}
+#endif
+
+static void git_rand_global_shutdown(void)
+{
+ git_mutex_free(&state_lock);
+}
+
+int git_rand_global_init(void)
+{
+ uint64_t seed = 0;
+
+ if (git_mutex_init(&state_lock) < 0 || getseed(&seed) < 0)
+ return -1;
+
+ if (!seed) {
+ git_error_set(GIT_ERROR_INTERNAL, "failed to generate random seed");
+ return -1;
+ }
+
+ git_rand_seed(seed);
+ git_runtime_shutdown_register(git_rand_global_shutdown);
+
+ return 0;
+}
+
+/*
+ * This is splitmix64. xoroshiro256** uses 256 bit seed; this is used
+ * to generate 256 bits of seed from the given 64, per the author's
+ * recommendation.
+ */
+GIT_INLINE(uint64_t) splitmix64(uint64_t *in)
+{
+ uint64_t z;
+
+ *in += 0x9e3779b97f4a7c15;
+
+ z = *in;
+ z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9;
+ z = (z ^ (z >> 27)) * 0x94d049bb133111eb;
+ return z ^ (z >> 31);
+}
+
+void git_rand_seed(uint64_t seed)
+{
+ uint64_t mixer;
+
+ mixer = seed;
+
+ git_mutex_lock(&state_lock);
+ state[0] = splitmix64(&mixer);
+ state[1] = splitmix64(&mixer);
+ state[2] = splitmix64(&mixer);
+ state[3] = splitmix64(&mixer);
+ git_mutex_unlock(&state_lock);
+}
+
+/* This is xoshiro256** 1.0, one of our all-purpose, rock-solid
+ generators. It has excellent (sub-ns) speed, a state (256 bits) that is
+ large enough for any parallel application, and it passes all tests we
+ are aware of.
+
+ For generating just floating-point numbers, xoshiro256+ is even faster.
+
+ The state must be seeded so that it is not everywhere zero. If you have
+ a 64-bit seed, we suggest to seed a splitmix64 generator and use its
+ output to fill s. */
+
+GIT_INLINE(uint64_t) rotl(const uint64_t x, int k) {
+ return (x << k) | (x >> (64 - k));
+}
+
+uint64_t git_rand_next(void) {
+ uint64_t t, result;
+
+ git_mutex_lock(&state_lock);
+
+ result = rotl(state[1] * 5, 7) * 9;
+
+ t = state[1] << 17;
+
+ state[2] ^= state[0];
+ state[3] ^= state[1];
+ state[1] ^= state[2];
+ state[0] ^= state[3];
+
+ state[2] ^= t;
+
+ state[3] = rotl(state[3], 45);
+
+ git_mutex_unlock(&state_lock);
+
+ return result;
+}
diff --git a/src/rand.h b/src/rand.h
new file mode 100644
index 0000000..2e60561
--- /dev/null
+++ b/src/rand.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) the libgit2 contributors. All rights reserved.
+ *
+ * This file is part of libgit2, distributed under the GNU GPL v2 with
+ * a Linking Exception. For full terms see the included COPYING file.
+ */
+#ifndef INCLUDE_rand_h__
+#define INCLUDE_rand_h__
+
+#include "common.h"
+
+/**
+ * Initialize the random number generation subsystem. This will
+ * seed the random number generator with the system's entropy pool,
+ * if available, and will fall back to the current time and
+ * system information if not.
+ */
+int git_rand_global_init(void);
+
+/**
+ * Seed the pseudo-random number generator. This is not needed to be
+ * called; the PRNG is seeded by `git_rand_global_init`, but it may
+ * be useful for testing. When the same seed is specified, the same
+ * sequence of random numbers from `git_rand_next` is emitted.
+ *
+ * @param seed the seed to use
+ */
+void git_rand_seed(uint64_t seed);
+
+/**
+ * Get the next pseudo-random number in the sequence.
+ *
+ * @return a 64-bit pseudo-random number
+ */
+uint64_t git_rand_next(void);
+
+#endif