service_runtime/nacl_secure_random_common.c

   1 /*
   2  * Copyright 2008, Google Inc.
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions are
   7  * met:
   8  *
   9  *     * Redistributions of source code must retain the above copyright
  10  * notice, this list of conditions and the following disclaimer.
  11  *     * Redistributions in binary form must reproduce the above
  12  * copyright notice, this list of conditions and the following disclaimer
  13  * in the documentation and/or other materials provided with the
  14  * distribution.
  15  *     * Neither the name of Google Inc. nor the names of its
  16  * contributors may be used to endorse or promote products derived from
  17  * this software without specific prior written permission.
  18  *
  19  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  20  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  21  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  22  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  23  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  24  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  25  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  26  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  27  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  28  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  29  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  30  */
  31
  32 /*
  33  * NaCl Service Runtime.  Secure RNG implementation.
  34  */
  35
  36 #include "native_client/service_runtime/nacl_secure_random.h"
  37
  38 #include "native_client/service_runtime/nacl_log.h"
  39
  40 uint32_t NaClSecureRngGenUint32(struct NaClSecureRng *self)
  41 {
  42   uint32_t rv;
  43
  44   rv = (0xff & NaClSecureRngGenByte(self));
  45   rv <<= 8;
  46   rv |= (0xff & NaClSecureRngGenByte(self));
  47   rv <<= 8;
  48   rv |= (0xff & NaClSecureRngGenByte(self));
  49   rv <<= 8;
  50   rv |= (0xff & NaClSecureRngGenByte(self));
  51   return rv;
  52 }
  53
  54 void NaClSecureRngGenBytes(struct NaClSecureRng *self,
  55                            char                 *buf,
  56                            size_t               nbytes)
  57 {
  58   size_t i;
  59
  60   for (i = 0; i < nbytes; ++i) {
  61     buf[i] = NaClSecureRngGenByte(self);
  62   }
  63 }
  64
  65 uint32_t NaClSecureRngUniform(struct NaClSecureRng  *self,
  66                               uint32_t              range_max)
  67 {
  68   uint32_t bias;
  69   uint32_t v;
  70
  71   /*
  72    * First, is range_max a power of 2?  If so, we can just keep the
  73    * low order bits.
  74    */
  75   if (0 == (range_max & (range_max - 1))) {
  76     return NaClSecureRngGenUint32(self) & (range_max - 1);
  77   }
  78   /* post condition: range_max is not a power of 2 */
  79
  80   /*
  81    * Generator output range is uniform in [0, ~(uint32_t) 0] or [0, 2^{32}).
  82    *
  83    * NB: Number of integer values in the range [0, n) is n,
  84    * and number of integer values in the range [m, n) is n-m,
  85    * (n and m are integers).
  86    */
  87   bias = ((~(uint32_t) 0) % range_max) + 1;
  88   /*
  89    * bias = (2^{32}-1 \bmod range_max) + 1
  90    *
  91    * 1 <= bias <= range_max.
  92    *
  93    * Aside: bias = range_max is impossible.  Here's why:
  94    *
  95    * Suppose bias = range_max.  Then,
  96    *
  97    * 2^{32}-1 \bmod range_max + 1 = range_max
  98    * 2^{32}-1 \bmod range_max = range_max - 1
  99    * 2^{32}-1 = k range_max + range_max - 1 for some k \in Z.
 100    * 2^{32}-1 = (k+1) range_max - 1
 101    * 2^{32} = (k+1) range_max
 102    *
 103    * Since range_max evenly divides the right hand side, it must
 104    * divide the left.  However, the only divisors of 2^{32} are powers
 105    * of 2.  Thus, range_max must also be a power of 2.  =><=
 106    *
 107    * Therefore, bias \ne range_max.  QED.
 108    *
 109    * post condition:  1 <= bias < range_max.
 110    */
 111
 112
 113   do {
 114     v = NaClSecureRngGenUint32(self);
 115     /* v is uniform in [0, 2^{32}) */
 116   } while (v < bias);
 117   /*
 118    * v is uniform in [bias, 2^{32}).
 119    *
 120    * the number of integers in the half-open interval is
 121    *
 122    *   2^{32} - bias = 2^{32} - ((2^{32}-1 \bmod range_max + 1))
 123    *                 = 2^{32}-1 - (2^{32}-1 \bmod range_max)
 124    *                 = range_max * \lfloor (2^{32}-1)/range_max \rfloor
 125    *
 126    * and range_max clearly divides the size of the range.
 127    *
 128    * The mapping v \rightarrow v % range_max takes values from [bias,
 129    * 2^{32}) to [0, range_max).  Each integer in the range interval
 130    * [0, range_max) will have exactly \lfloor (2^{32}-1)/range_max
 131    * \rfloor preimages from the domain interval.
 132    *
 133    * Therefore, v % range_max is uniform over [0, range_max).  QED.
 134    */
 135
 136   return v % range_max;
 137 }