1/*
2** Pseudo-random number generation.
3** Copyright (C) 2005-2021 Mike Pall. See Copyright Notice in luajit.h
4*/
5
6#define lj_prng_c
7#define LUA_CORE
8
9/* To get the syscall prototype. */
10#if defined(__linux__) && !defined(_GNU_SOURCE)
11#define _GNU_SOURCE
12#endif
13
14#include "lj_def.h"
15#include "lj_arch.h"
16#include "lj_prng.h"
17
18/* -- PRNG step function -------------------------------------------------- */
19
20/* This implements a Tausworthe PRNG with period 2^223. Based on:
21** Tables of maximally-equidistributed combined LFSR generators,
22** Pierre L'Ecuyer, 1991, table 3, 1st entry.
23** Full-period ME-CF generator with L=64, J=4, k=223, N1=49.
24**
25** Important note: This PRNG is NOT suitable for cryptographic use!
26**
27** But it works fine for math.random(), which has an API that's not
28** suitable for cryptography, anyway.
29**
30** When used as a securely seeded global PRNG, it substantially raises
31** the difficulty for various attacks on the VM.
32*/
33
34/* Update generator i and compute a running xor of all states. */
35#define TW223_GEN(rs, z, r, i, k, q, s) \
36 z = rs->u[i]; \
37 z = (((z<<q)^z) >> (k-s)) ^ ((z&((uint64_t)(int64_t)-1 << (64-k)))<<s); \
38 r ^= z; rs->u[i] = z;
39
40#define TW223_STEP(rs, z, r) \
41 TW223_GEN(rs, z, r, 0, 63, 31, 18) \
42 TW223_GEN(rs, z, r, 1, 58, 19, 28) \
43 TW223_GEN(rs, z, r, 2, 55, 24, 7) \
44 TW223_GEN(rs, z, r, 3, 47, 21, 8)
45
46/* PRNG step function with uint64_t result. */
47LJ_NOINLINE uint64_t LJ_FASTCALL lj_prng_u64(PRNGState *rs)
48{
49 uint64_t z, r = 0;
50 TW223_STEP(rs, z, r)
51 return r;
52}
53
54/* PRNG step function with double in uint64_t result. */
55LJ_NOINLINE uint64_t LJ_FASTCALL lj_prng_u64d(PRNGState *rs)
56{
57 uint64_t z, r = 0;
58 TW223_STEP(rs, z, r)
59 /* Returns a double bit pattern in the range 1.0 <= d < 2.0. */
60 return (r & U64x(000fffff,ffffffff)) | U64x(3ff00000,00000000);
61}
62
63/* Condition seed: ensure k[i] MSB of u[i] are non-zero. */
64static LJ_AINLINE void lj_prng_condition(PRNGState *rs)
65{
66 if (rs->u[0] < (1u << 1)) rs->u[0] += (1u << 1);
67 if (rs->u[1] < (1u << 6)) rs->u[1] += (1u << 6);
68 if (rs->u[2] < (1u << 9)) rs->u[2] += (1u << 9);
69 if (rs->u[3] < (1u << 17)) rs->u[3] += (1u << 17);
70}
71
72/* -- PRNG seeding from OS ------------------------------------------------ */
73
74#if LUAJIT_SECURITY_PRNG == 0
75
76/* Nothing to define. */
77
78#elif LJ_TARGET_XBOX360
79
80extern int XNetRandom(void *buf, unsigned int len);
81
82#elif LJ_TARGET_PS3
83
84extern int sys_get_random_number(void *buf, uint64_t len);
85
86#elif LJ_TARGET_PS4 || LJ_TARGET_PSVITA
87
88extern int sceRandomGetRandomNumber(void *buf, size_t len);
89
90#elif LJ_TARGET_WINDOWS || LJ_TARGET_XBOXONE
91
92#define WIN32_LEAN_AND_MEAN
93#include <windows.h>
94
95#if LJ_TARGET_UWP || LJ_TARGET_XBOXONE
96/* Must use BCryptGenRandom. */
97#include <bcrypt.h>
98#pragma comment(lib, "bcrypt.lib")
99#else
100/* If you wonder about this mess, then search online for RtlGenRandom. */
101typedef BOOLEAN (WINAPI *PRGR)(void *buf, ULONG len);
102static PRGR libfunc_rgr;
103#endif
104
105#elif LJ_TARGET_POSIX
106
107#if LJ_TARGET_LINUX
108/* Avoid a dependency on glibc 2.25+ and use the getrandom syscall instead. */
109#include <sys/syscall.h>
110#else
111
112#if LJ_TARGET_OSX && !LJ_TARGET_IOS
113/*
114** In their infinite wisdom Apple decided to disallow getentropy() in the
115** iOS App Store. Even though the call is common to all BSD-ish OS, it's
116** recommended by Apple in their own security-related docs, and, to top
117** off the foolery, /dev/urandom is handled by the same kernel code,
118** yet accessing it is actually permitted (but less efficient).
119*/
120#include <Availability.h>
121#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
122#define LJ_TARGET_HAS_GETENTROPY 1
123#endif
124#elif LJ_TARGET_BSD || LJ_TARGET_SOLARIS || LJ_TARGET_CYGWIN
125#define LJ_TARGET_HAS_GETENTROPY 1
126#endif
127
128#if LJ_TARGET_HAS_GETENTROPY
129extern int getentropy(void *buf, size_t len);
130#ifdef __ELF__
131 __attribute__((weak))
132#endif
133;
134#endif
135
136#endif
137
138/* For the /dev/urandom fallback. */
139#include <fcntl.h>
140#include <unistd.h>
141
142#endif
143
144#if LUAJIT_SECURITY_PRNG == 0
145
146/* If you really don't care about security, then define
147** LUAJIT_SECURITY_PRNG=0. This yields a predictable seed
148** and provides NO SECURITY against various attacks on the VM.
149**
150** BTW: This is NOT the way to get predictable table iteration,
151** predictable trace generation, predictable bytecode generation, etc.
152*/
153int LJ_FASTCALL lj_prng_seed_secure(PRNGState *rs)
154{
155 lj_prng_seed_fixed(rs); /* The fixed seed is already conditioned. */
156 return 1;
157}
158
159#else
160
161/* Securely seed PRNG from system entropy. Returns 0 on failure. */
162int LJ_FASTCALL lj_prng_seed_secure(PRNGState *rs)
163{
164#if LJ_TARGET_XBOX360
165
166 if (XNetRandom(rs->u, (unsigned int)sizeof(rs->u)) == 0)
167 goto ok;
168
169#elif LJ_TARGET_PS3
170
171 if (sys_get_random_number(rs->u, sizeof(rs->u)) == 0)
172 goto ok;
173
174#elif LJ_TARGET_PS4 || LJ_TARGET_PSVITA
175
176 if (sceRandomGetRandomNumber(rs->u, sizeof(rs->u) == 0)
177 goto ok;
178
179#elif LJ_TARGET_UWP || LJ_TARGET_XBOXONE
180
181 if (BCryptGenRandom(NULL, (PUCHAR)(rs->u), (ULONG)sizeof(rs->u),
182 BCRYPT_USE_SYSTEM_PREFERRED_RNG) >= 0)
183 goto ok;
184
185#elif LJ_TARGET_WINDOWS
186
187 /* Keep the library loaded in case multiple VMs are started. */
188 if (!libfunc_rgr) {
189 HMODULE lib = LJ_WIN_LOADLIBA("advapi32.dll");
190 if (!lib) return 0;
191 libfunc_rgr = (PRGR)GetProcAddress(lib, "SystemFunction036");
192 if (!libfunc_rgr) return 0;
193 }
194 if (libfunc_rgr(rs->u, (ULONG)sizeof(rs->u)))
195 goto ok;
196
197#elif LJ_TARGET_POSIX
198
199#if LJ_TARGET_LINUX && defined(SYS_getrandom)
200
201 if (syscall(SYS_getrandom, rs->u, sizeof(rs->u), 0) == (long)sizeof(rs->u))
202 goto ok;
203
204#elif LJ_TARGET_HAS_GETENTROPY
205
206#ifdef __ELF__
207 if (&getentropy && getentropy(rs->u, sizeof(rs->u)) == 0)
208 goto ok;
209#else
210 if (getentropy(rs->u, sizeof(rs->u)) == 0)
211 goto ok;
212#endif
213
214#endif
215
216 /* Fallback to /dev/urandom. This may fail if the device is not
217 ** existent or accessible in a chroot or container, or if the process
218 ** or the OS ran out of file descriptors.
219 */
220 {
221 int fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
222 if (fd != -1) {
223 ssize_t n = read(fd, rs->u, sizeof(rs->u));
224 (void)close(fd);
225 if (n == (ssize_t)sizeof(rs->u))
226 goto ok;
227 }
228 }
229
230#else
231
232 /* Add an elif above for your OS with a secure PRNG seed.
233 ** Note that fiddling around with rand(), getpid(), time() or coercing
234 ** ASLR to yield a few bits of randomness is not helpful.
235 ** If you don't want any security, then don't pretend you have any
236 ** and simply define LUAJIT_SECURITY_PRNG=0 for the build.
237 */
238#error "Missing secure PRNG seed for this OS"
239
240#endif
241 return 0; /* Fail. */
242
243ok:
244 lj_prng_condition(rs);
245 (void)lj_prng_u64(rs);
246 return 1; /* Success. */
247}
248
249#endif
250
251