vibe.crypto.cryptorand 0/65(0%) line coverage

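/**
	Implements cryptographically secure random number generators.

	Copyright: © 2013 RejectedSoftware e.K.
	License: Subject to the terms of the MIT license, as written in the included LICENSE.txt file.
	Authors: Ilya Shipunov
*/
module vibe.crypto.cryptorand;

import std.conv : text;
import std.digest.sha;
import vibe.core.stream;


/**
	Creates a cryptographically secure random number generator.

	The instance is cached in a function-scope `static`, which in D is
	thread-local, so every thread lazily constructs and keeps its own
	`SystemRNG`.

	Note that the returned RNG will operate in a non-blocking mode, which means
	that if no sufficient entropy has been generated, new random numbers will be
	generated from previous state. On Linux, when the getrandom(2) path is
	selected, the syscall is issued with flags = 0 and therefore blocks until the
	kernel's urandom pool has been initialized once; the /dev/urandom fallback
	never blocks.
*/
RandomNumberStream secureRNG()
@safe {
	static SystemRNG m_rng;
	if (!m_rng) m_rng = new SystemRNG;
	return m_rng;
}


/**
	Base interface for all cryptographically secure RNGs.
*/
interface RandomNumberStream : InputStream {
	/**
		Fills the buffer with new random numbers.

		Params:
			dst = The buffer that will be filled with random numbers.
				It will contain dst.length random ubytes.
				Supports both heap-based and stack-based arrays.
			mode = The I/O mode as defined by `InputStream.read`; implementations
				in this module always fill the whole buffer regardless of it.

		Returns: The number of bytes written, which is always dst.length.

		Throws:
			CryptoException on error.
	*/
	override size_t read(scope ubyte[] dst, IOMode mode) @safe;
	alias read = InputStream.read;
}

version(linux)
	enum bool LinuxMaybeHasGetrandom = __traits(compiles, {import mir.linux._asm.unistd : NR_getrandom;});
else
	enum bool LinuxMaybeHasGetrandom = false;

static if (LinuxMaybeHasGetrandom)
{
	// getrandom was introduced in Linux 3.17
	private enum GET_RANDOM {
		UNINITIALIZED,
		NOT_AVAILABLE,
		AVAILABLE,
	}

	// Process-wide cache of the kernel version check; written once from
	// SystemRNG's constructor (see the atomic load/store there).
	private __gshared GET_RANDOM hasGetRandom = GET_RANDOM.UNINITIALIZED;

	private import core.sys.posix.sys.utsname : utsname;
	// druntime might not be properly annotated
	private extern(C) int uname(scope utsname* __name) @nogc nothrow;

	// checks whether the Linux kernel supports getrandom by looking at the
	// reported version
	//
	// Returns: true if the kernel release parses as 3.17 or newer, false if it
	// is older or if the release string cannot be obtained/parsed.
	//
	// A version string alone does not prove the syscall is usable (a seccomp
	// filter may still block it); such failures surface as CryptoException
	// from SystemRNG.read.
	private bool initHasGetRandom() @nogc @trusted nothrow
	{
		import core.stdc.string : strtok;
		import core.stdc.stdlib : atoi;

		utsname uts;
		// If uname fails, uts.release was never written and must not be parsed:
		// a D char array defaults to 0xFF bytes, not to a NUL-terminated string.
		if (uname(&uts) != 0) return false;
		char* p = uts.release.ptr;

		// poor man's version check: "<major>.<minor>..." is tokenized on '.'
		auto token = strtok(p, ".");
		if (token is null) return false;
		int major = atoi(token);
		if (major > 3) return true;

		if (major == 3) {
			// strtok(null, ...) continues with the next token, i.e. the minor
			// version. Passing p again would restart at the (already
			// NUL-terminated) major token and compare "3" against 17, which
			// misdetected every 3.17+ kernel as lacking getrandom.
			token = strtok(null, ".");
			if (token !is null && atoi(token) >= 17) return true;
		}

		return false;
	}

	private extern(C) int syscall(size_t ident, size_t n, size_t arg1, size_t arg2) @nogc nothrow;
}

version (CRuntime_Bionic) version = secure_arc4random;//ChaCha20
version (OSX) version = secure_arc4random;//AES
version (OpenBSD) version = secure_arc4random;//ChaCha20
version (NetBSD) version = secure_arc4random;//ChaCha20
version (secure_arc4random)
extern(C) @nogc nothrow private @system {
	void arc4random_buf(scope void* buf, size_t nbytes);
}

/**
	Operating system specific cryptography secure random number generator.

	It uses the "CryptGenRandom" function for Windows; the "arc4random_buf"
	function (not based on RC4 but on a modern and cryptographically secure
	cipher) for macOS/OpenBSD/NetBSD; the "getrandom" syscall for Linux 3.17
	and later; and "/dev/urandom" for other Posix platforms.

	It's recommended to combine the output use additional processing generated
	random numbers via provided functions for systems where security matters.

	Remarks:
		Windows "CryptGenRandom" RNG has known security vulnerabilities on
		Windows 2000 and Windows XP (assuming the attacker has control of the
		machine). Fixed for Windows XP Service Pack 3 and Windows Vista.

	See_Also: $(LINK http://en.wikipedia.org/wiki/CryptGenRandom)
*/
final class SystemRNG : RandomNumberStream {
@safe:
	import std.exception;

	version(Windows)
	{
		//cryptographic service provider
		private HCRYPTPROV hCryptProv;
	}
	else version(secure_arc4random)
	{
		//Using arc4random does not involve any extra fields.
	}
	else version(Posix)
	{
		import core.stdc.errno : errno, EINTR;
		import core.stdc.stdio : FILE, _IONBF, fopen, fclose, fread, setvbuf;

		//cryptographic file stream; stays null when the getrandom path is used
		private FILE* m_file;
	}
	else
	{
		static assert(0, "OS is not supported");
	}

	/**
		Creates new system random generator.

		Throws: CryptoException if the platform entropy source cannot be
			acquired (CryptAcquireContext failure on Windows, /dev/urandom not
			openable or not switchable to unbuffered mode on Posix).
	*/
	this() @trusted
	{
		version(Windows)
		{
			//init cryptographic service provider
			enforce!CryptoException(CryptAcquireContext(&this.hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) != 0,
				text("Cannot init SystemRNG: Error id is ", GetLastError()));
		}
		else version(secure_arc4random)
		{
			//arc4random requires no setup or cleanup.
		}
		else version(Posix)
		{
			version (linux) static if (LinuxMaybeHasGetrandom)
			{
				import core.atomic : atomicLoad, atomicStore;
				auto p = atomicLoad(*cast(const shared GET_RANDOM*) &hasGetRandom);
				if (p == GET_RANDOM.UNINITIALIZED)
				{
					p = initHasGetRandom() ? GET_RANDOM.AVAILABLE : GET_RANDOM.NOT_AVAILABLE;
					// Benign race condition: concurrent initializers all compute
					// the same value, so whichever store lands last is harmless.
					atomicStore(*cast(shared GET_RANDOM*) &hasGetRandom, p);
				}
				// getrandom available: no file handle is needed, m_file stays null
				if (p == GET_RANDOM.AVAILABLE)
					return;
			}
			//open file
			m_file = fopen("/dev/urandom", "rb");
			enforce!CryptoException(m_file !is null, "Failed to open /dev/urandom");
			scope (failure) { fclose(m_file); m_file = null; }

			//do not use buffering stream to avoid possible attacks: an stdio
			//buffer would keep random bytes that were read but not yet handed
			//out in process memory, and that buffer is duplicated across fork().
			enforce!CryptoException(setvbuf(m_file, null, 0, _IONBF) == 0,
				"Failed to disable buffering for random number file handle");
		}
	}

	/// Releases the OS handle acquired by the constructor, if any.
	~this() @trusted
	{
		version(Windows)
		{
			CryptReleaseContext(this.hCryptProv, 0);
		}
		else version (secure_arc4random)
		{
			//arc4random requires no setup or cleanup.
		}
		else version (Posix)
		{
			// m_file is null when the getrandom path is in use; checking
			// unconditionally (rather than only under the getrandom static if)
			// keeps the destructor safe on every Posix configuration.
			if (m_file !is null)
				fclose(m_file);
		}
	}

	/// An RNG never runs out of data.
	@property bool empty() { return false; }
	/// Unbounded: any amount of data can be read.
	@property ulong leastSize() { return ulong.max; }
	/// Reads never have to wait for data to arrive.
	@property bool dataAvailableForRead() { return true; }
	/// Nothing is buffered, so there is nothing to peek at.
	const(ubyte)[] peek() { return null; }

	/**
		Fills `buffer` completely with random bytes from the OS source.

		Params:
			buffer = Destination; must be non-empty and at most uint.max bytes.
			mode = Ignored; the buffer is always filled completely.

		Returns: buffer.length.

		Throws: CryptoException if the OS source reports an error (on the
			getrandom path this includes the syscall being refused, e.g. by a
			seccomp filter, after the version check accepted the kernel).
	*/
	size_t read(scope ubyte[] buffer, IOMode mode) @trusted
	in
	{
		assert(buffer.length, "buffer length must be larger than 0");
		assert(buffer.length <= uint.max, "buffer length must be smaller or equal uint.max");
	}
	body
	{
		version (Windows)
		{
			if(0 == CryptGenRandom(this.hCryptProv, cast(DWORD)buffer.length, buffer.ptr))
			{
				throw new CryptoException(text("Cannot get next random number: Error id is ", GetLastError()));
			}
		}
		else version (secure_arc4random)
		{
			arc4random_buf(buffer.ptr, buffer.length);//Cannot fail.
		}
		else version (Posix)
		{
			version (linux) static if (LinuxMaybeHasGetrandom)
			{
				if (hasGetRandom == GET_RANDOM.AVAILABLE)
				{
					/*
						http://man7.org/linux/man-pages/man2/getrandom.2.html
						If the urandom source has been initialized, reads of up to 256 bytes
						will always return as many bytes as requested and will not be
						interrupted by signals. No such guarantees apply for larger buffer
						sizes.

						Hence the loop: short reads advance the cursor, EINTR retries,
						any other error is fatal.
					*/
					import mir.linux._asm.unistd : NR_getrandom;
					size_t len = buffer.length;
					size_t ptr = cast(size_t) buffer.ptr;
					while (len > 0)
					{
						auto res = syscall(NR_getrandom, ptr, len, 0);
						if (res >= 0)
						{
							len -= res;
							ptr += res;
						}
						else if (errno != EINTR)
						{
							throw new CryptoException(
								text("Failed to read next random number: ", errno));
						}
					}
					return buffer.length;
				}
			}
			// unbuffered stdio read: a single element of buffer.length bytes
			enforce!CryptoException(fread(buffer.ptr, buffer.length, 1, m_file) == 1,
				text("Failed to read next random number: ", errno));
		}
		return buffer.length;
	}
	alias read = RandomNumberStream.read;
}

//test heap-based arrays
unittest
{
	import std.algorithm;
	import std.range;

	//number random bytes in the buffer
	enum uint bufferSize = 20;

	//number of iteration counts
	enum iterationCount = 10;

	auto rng = new SystemRNG();

	//holds the random number
	ubyte[] rand = new ubyte[bufferSize];

	//holds the previous random number after the creation of the next one
	ubyte[] prevRadn = new ubyte[bufferSize];

	//create the next random number
	rng.read(prevRadn);

	assert(!equal(prevRadn, take(repeat(0), bufferSize)), "it's almost unbelievable - all random bytes is zero");

	//take "iterationCount" arrays with random bytes
	foreach(i; 0..iterationCount)
	{
		//create the next random number
		rng.read(rand);

		assert(!equal(rand, take(repeat(0), bufferSize)), "it's almost unbelievable - all random bytes is zero");

		assert(!equal(rand, prevRadn), "it's almost unbelievable - current and previous random bytes are equal");

		//copy current random bytes for next iteration
		prevRadn[] = rand[];
	}
}

//test stack-based arrays
unittest
{
	import std.algorithm;
	import std.range;
	import std.array;

	//number random bytes in the buffer
	enum uint bufferSize = 20;

	//number of iteration counts
	enum iterationCount = 10;

	//array that contains only zeros
	ubyte[bufferSize] zeroArray = 0;

	auto rng = new SystemRNG();

	//holds the random number
	ubyte[bufferSize] rand;

	//holds the previous random number after the creation of the next one
	ubyte[bufferSize] prevRadn;

	//create the next random number
	rng.read(prevRadn);

	assert(prevRadn != zeroArray, "it's almost unbelievable - all random bytes is zero");

	//take "iterationCount" arrays with random bytes
	foreach(i; 0..iterationCount)
	{
		//create the next random number
		rng.read(rand);

		//check the freshly generated array, not the previous one again
		assert(rand != zeroArray, "it's almost unbelievable - all random bytes is zero");

		assert(rand != prevRadn, "it's almost unbelievable - current and previous random bytes are equal");

		//copy current random bytes for next iteration
		prevRadn[] = rand[];
	}
}

/**
	Hash-based cryptographically secure random number mixer.

	This RNG uses a hash function to mix a specific amount of random bytes from
	the input RNG. Use only cryptographically secure hash functions like
	SHA-512, Whirlpool or SHA-256, but not MD5.

	Each output block is one digest of `factor * digestLength!Hash` bytes taken
	from `SystemRNG`; the mixer therefore cannot produce more than
	`digestLength!Hash` bytes of output per block however large `factor` is,
	and every output byte is derived from a fresh `SystemRNG` read.

	Params:
		Hash: The hash function used, for example SHA1
		factor: Determines how many times the hash digest length of input data
			is used as input to the hash function. Increase factor value if you
			need more security because it increases entropy level or decrease
			the factor value if you need more speed.
*/
final class HashMixerRNG(Hash, uint factor) : RandomNumberStream
	if(isDigest!Hash)
{
	static assert(factor, "factor must be larger than 0");

	//random number generator
	SystemRNG rng;

	/**
		Creates new hash-based mixer random generator.

		Throws: CryptoException if the underlying SystemRNG cannot be created.
	*/
	this()
	{
		//create random number generator
		this.rng = new SystemRNG();
	}

	/// An RNG never runs out of data.
	@property bool empty() { return false; }
	/// Unbounded: any amount of data can be read.
	@property ulong leastSize() { return ulong.max; }
	/// Reads never have to wait for data to arrive.
	@property bool dataAvailableForRead() { return true; }
	/// Nothing is buffered, so there is nothing to peek at.
	const(ubyte)[] peek() { return null; }

	/**
		Fills `buffer` with hashed output, one digest at a time.

		Params:
			buffer = Destination; must be non-empty and at most uint.max bytes.
			mode = Ignored; the buffer is always filled completely.

		Returns: The original buffer.length.

		Throws: CryptoException propagated from SystemRNG.read.
	*/
	size_t read(scope ubyte[] buffer, IOMode mode)
	in
	{
		assert(buffer.length, "buffer length must be larger than 0");
		assert(buffer.length <= uint.max, "buffer length must be smaller or equal uint.max");
	}
	body
	{
		auto len = buffer.length;

		//use stack to allocate internal buffer
		ubyte[factor * digestLength!Hash] internalBuffer = void;

		//init internal buffer
		this.rng.read(internalBuffer);

		//create new random number on stack
		ubyte[digestLength!Hash] randomNumber = digest!Hash(internalBuffer);

		//allows to fill buffers longer than hash digest length
		while(buffer.length > digestLength!Hash)
		{
			//fill the buffer's beginning
			buffer[0..digestLength!Hash] = randomNumber[0..$];

			//receive the buffer's end
			buffer = buffer[digestLength!Hash..$];

			//re-init internal buffer
			this.rng.read(internalBuffer);

			//create next random number
			randomNumber = digest!Hash(internalBuffer);
		}

		//fill the buffer's end (a partial digest when the remainder is short)
		buffer[0..$] = randomNumber[0..buffer.length];

		return len;
	}
	alias read = RandomNumberStream.read;
}

/// A SHA-1 based mixing RNG. Alias for HashMixerRNG!(SHA1, 5).
/// Kept for compatibility; per the HashMixerRNG documentation, prefer a
/// SHA-2 instantiation such as HashMixerRNG!(SHA256, 5) for new code.
alias SHA1HashMixerRNG = HashMixerRNG!(SHA1, 5);

//test heap-based arrays
unittest
{
	import std.algorithm;
	import std.range;
	import std.typetuple;
	import std.digest.md;

	//number of iteration counts
	enum iterationCount = 10;

	enum uint factor = 5;

	//tested hash functions
	foreach(Hash; TypeTuple!(SHA1, MD5))
	{
		//test for different number random bytes in the buffer from 10 to 80 inclusive
		foreach(bufferSize; iota(10, 81))
		{
			auto rng = new HashMixerRNG!(Hash, factor)();

			//holds the random number
			ubyte[] rand = new ubyte[bufferSize];

			//holds the previous random number after the creation of the next one
			ubyte[] prevRadn = new ubyte[bufferSize];

			//create the next random number
			rng.read(prevRadn);

			assert(!equal(prevRadn, take(repeat(0), bufferSize)), "it's almost unbelievable - all random bytes is zero");

			//take "iterationCount" arrays with random bytes
			foreach(i; 0..iterationCount)
			{
				//create the next random number
				rng.read(rand);

				assert(!equal(rand, take(repeat(0), bufferSize)), "it's almost unbelievable - all random bytes is zero");

				assert(!equal(rand, prevRadn), "it's almost unbelievable - current and previous random bytes are equal");

				//make sure that we have different random bytes in different hash digests
				if(bufferSize > digestLength!Hash)
				{
					//begin and end of random number array
					ubyte[] begin = rand[0..digestLength!Hash];
					ubyte[] end = rand[digestLength!Hash..$];

					//compare all nearby hash digests
					while(end.length >= digestLength!Hash)
					{
						assert(!equal(begin, end[0..digestLength!Hash]), "it's almost unbelievable - random bytes in different hash digests are equal");

						//go to the next hash digests
						begin = end[0..digestLength!Hash];
						end = end[digestLength!Hash..$];
					}
				}

				//copy current random bytes for next iteration
				prevRadn[] = rand[];
			}
		}
	}
}

//test stack-based arrays
unittest
{
	import std.algorithm;
	import std.range;
	import std.array;
	import std.typetuple;
	import std.digest.md;

	//number of iteration counts
	enum iterationCount = 10;

	enum uint factor = 5;

	//tested hash functions
	foreach(Hash; TypeTuple!(SHA1, MD5))
	{
		//test for different number random bytes in the buffer
		foreach(bufferSize; TypeTuple!(10, 15, 20, 25, 30, 35, 40, 45, 50, 55, 60, 65, 70, 75, 80))
		{
			//array that contains only zeros
			ubyte[bufferSize] zeroArray = 0;

			auto rng = new HashMixerRNG!(Hash, factor)();

			//holds the random number
			ubyte[bufferSize] rand;

			//holds the previous random number after the creation of the next one
			ubyte[bufferSize] prevRadn;

			//create the next random number
			rng.read(prevRadn);

			assert(prevRadn != zeroArray, "it's almost unbelievable - all random bytes is zero");

			//take "iterationCount" arrays with random bytes
			foreach(i; 0..iterationCount)
			{
				//create the next random number
				rng.read(rand);

				//check the freshly generated array, not the previous one again
				assert(rand != zeroArray, "it's almost unbelievable - all random bytes is zero");

				assert(rand != prevRadn, "it's almost unbelievable - current and previous random bytes are equal");

				//make sure that we have different random bytes in different hash digests
				if(bufferSize > digestLength!Hash)
				{
					//begin and end of random number array
					ubyte[] begin = rand[0..digestLength!Hash];
					ubyte[] end = rand[digestLength!Hash..$];

					//compare all nearby hash digests
					while(end.length >= digestLength!Hash)
					{
						assert(!equal(begin, end[0..digestLength!Hash]), "it's almost unbelievable - random bytes in different hash digests are equal");

						//go to the next hash digests
						begin = end[0..digestLength!Hash];
						end = end[digestLength!Hash..$];
					}
				}

				//copy current random bytes for next iteration
				prevRadn[] = rand[];
			}
		}
	}
}

/**
	Thrown when an error occurs during random number generation.
*/
class CryptoException : Exception
{
	this(string msg, string file = __FILE__, size_t line = __LINE__, Throwable next = null)
		@safe pure nothrow
	{
		super(msg, file, line, next);
	}
}

version(Windows)
{
	import core.sys.windows.windows;

	// Minimal CryptoAPI bindings used by SystemRNG.
	private extern(Windows) nothrow
	{
		alias HCRYPTPROV = size_t;

		enum LPCTSTR NULL = cast(LPCTSTR)0;
		enum DWORD PROV_RSA_FULL = 1;
		enum DWORD CRYPT_VERIFYCONTEXT = 0xF0000000;

		BOOL CryptAcquireContextA(HCRYPTPROV *phProv, LPCTSTR pszContainer, LPCTSTR pszProvider, DWORD dwProvType, DWORD dwFlags);
		alias CryptAcquireContext = CryptAcquireContextA;

		BOOL CryptReleaseContext(HCRYPTPROV hProv, DWORD dwFlags);

		BOOL CryptGenRandom(HCRYPTPROV hProv, DWORD dwLen, BYTE *pbBuffer);
	}
}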