From 82539ad8d59729fb45b0bb0edda8f2bddb719eb1 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 28 Apr 2024 15:15:26 +0200 Subject: Adding upstream version 1.17.13. Signed-off-by: Daniel Baumann --- src/crypto/rand/eagain.go | 28 ++++++ src/crypto/rand/example_test.go | 28 ++++++ src/crypto/rand/rand.go | 43 +++++++++ src/crypto/rand/rand_batched.go | 33 +++++++ src/crypto/rand/rand_batched_test.go | 46 ++++++++++ src/crypto/rand/rand_dragonfly.go | 9 ++ src/crypto/rand/rand_freebsd.go | 9 ++ src/crypto/rand/rand_getentropy.go | 31 +++++++ src/crypto/rand/rand_js.go | 29 ++++++ src/crypto/rand/rand_linux.go | 14 +++ src/crypto/rand/rand_solaris.go | 10 +++ src/crypto/rand/rand_test.go | 43 +++++++++ src/crypto/rand/rand_unix.go | 170 +++++++++++++++++++++++++++++++++++ src/crypto/rand/rand_windows.go | 26 ++++++ src/crypto/rand/util.go | 143 +++++++++++++++++++++++++++++ src/crypto/rand/util_test.go | 130 +++++++++++++++++++++++++++ 16 files changed, 792 insertions(+) create mode 100644 src/crypto/rand/eagain.go create mode 100644 src/crypto/rand/example_test.go create mode 100644 src/crypto/rand/rand.go create mode 100644 src/crypto/rand/rand_batched.go create mode 100644 src/crypto/rand/rand_batched_test.go create mode 100644 src/crypto/rand/rand_dragonfly.go create mode 100644 src/crypto/rand/rand_freebsd.go create mode 100644 src/crypto/rand/rand_getentropy.go create mode 100644 src/crypto/rand/rand_js.go create mode 100644 src/crypto/rand/rand_linux.go create mode 100644 src/crypto/rand/rand_solaris.go create mode 100644 src/crypto/rand/rand_test.go create mode 100644 src/crypto/rand/rand_unix.go create mode 100644 src/crypto/rand/rand_windows.go create mode 100644 src/crypto/rand/util.go create mode 100644 src/crypto/rand/util_test.go (limited to 'src/crypto/rand') diff --git a/src/crypto/rand/eagain.go b/src/crypto/rand/eagain.go new file mode 100644 index 0000000..85d4d9d --- /dev/null +++ b/src/crypto/rand/eagain.go @@ -0,0 +1,28 @@ +// Copyright 2014 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris +// +build aix darwin dragonfly freebsd linux netbsd openbsd solaris + +package rand + +import ( + "io/fs" + "syscall" +) + +func init() { + isEAGAIN = unixIsEAGAIN +} + +// unixIsEAGAIN reports whether err is a syscall.EAGAIN wrapped in a PathError. +// See golang.org/issue/9205 +func unixIsEAGAIN(err error) bool { + if pe, ok := err.(*fs.PathError); ok { + if errno, ok := pe.Err.(syscall.Errno); ok && errno == syscall.EAGAIN { + return true + } + } + return false +} diff --git a/src/crypto/rand/example_test.go b/src/crypto/rand/example_test.go new file mode 100644 index 0000000..ed18647 --- /dev/null +++ b/src/crypto/rand/example_test.go @@ -0,0 +1,28 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package rand_test + +import ( + "bytes" + "crypto/rand" + "fmt" +) + +// This example reads 10 cryptographically secure pseudorandom numbers from +// rand.Reader and writes them to a byte slice. +func ExampleRead() { + c := 10 + b := make([]byte, c) + _, err := rand.Read(b) + if err != nil { + fmt.Println("error:", err) + return + } + // The slice should now contain random bytes instead of only zeroes. + fmt.Println(bytes.Equal(b, make([]byte, c))) + + // Output: + // false +} diff --git a/src/crypto/rand/rand.go b/src/crypto/rand/rand.go new file mode 100644 index 0000000..f2c2760 --- /dev/null +++ b/src/crypto/rand/rand.go @@ -0,0 +1,43 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package rand implements a cryptographically secure +// random number generator. +package rand + +import "io" + +// Reader is a global, shared instance of a cryptographically +// secure random number generator. +// +// On Linux and FreeBSD, Reader uses getrandom(2) if available, /dev/urandom otherwise. +// On OpenBSD, Reader uses getentropy(2). +// On other Unix-like systems, Reader reads from /dev/urandom. +// On Windows systems, Reader uses the RtlGenRandom API. +// On Wasm, Reader uses the Web Crypto API. +var Reader io.Reader + +// Read is a helper function that calls Reader.Read using io.ReadFull. +// On return, n == len(b) if and only if err == nil. +func Read(b []byte) (n int, err error) { + return io.ReadFull(Reader, b) +} + +// batched returns a function that calls f to populate a []byte by chunking it +// into subslices of, at most, readMax bytes. +func batched(f func([]byte) error, readMax int) func([]byte) error { + return func(out []byte) error { + for len(out) > 0 { + read := len(out) + if read > readMax { + read = readMax + } + if err := f(out[:read]); err != nil { + return err + } + out = out[read:] + } + return nil + } +} diff --git a/src/crypto/rand/rand_batched.go b/src/crypto/rand/rand_batched.go new file mode 100644 index 0000000..8df715f --- /dev/null +++ b/src/crypto/rand/rand_batched.go @@ -0,0 +1,33 @@ +// Copyright 2014 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build linux || freebsd || dragonfly || solaris +// +build linux freebsd dragonfly solaris + +package rand + +import ( + "errors" + "internal/syscall/unix" +) + +// maxGetRandomRead is platform dependent. +func init() { + altGetRandom = batched(getRandomBatch, maxGetRandomRead) +} + +// If the kernel is too old to support the getrandom syscall(), +// unix.GetRandom will immediately return ENOSYS and we will then fall back to +// reading from /dev/urandom in rand_unix.go. unix.GetRandom caches the ENOSYS +// result so we only suffer the syscall overhead once in this case. +// If the kernel supports the getrandom() syscall, unix.GetRandom will block +// until the kernel has sufficient randomness (as we don't use GRND_NONBLOCK). +// In this case, unix.GetRandom will not return an error. +func getRandomBatch(p []byte) error { + n, err := unix.GetRandom(p, 0) + if n != len(p) { + return errors.New("short read") + } + return err +} diff --git a/src/crypto/rand/rand_batched_test.go b/src/crypto/rand/rand_batched_test.go new file mode 100644 index 0000000..b56345e --- /dev/null +++ b/src/crypto/rand/rand_batched_test.go @@ -0,0 +1,46 @@ +// Copyright 2014 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build linux || freebsd || dragonfly || solaris +// +build linux freebsd dragonfly solaris + +package rand + +import ( + "bytes" + "errors" + "testing" +) + +func TestBatched(t *testing.T) { + fillBatched := batched(func(p []byte) error { + for i := range p { + p[i] = byte(i) + } + return nil + }, 5) + + p := make([]byte, 13) + if err := fillBatched(p); err != nil { + t.Fatalf("batched function returned error: %s", err) + } + expected := []byte{0, 1, 2, 3, 4, 0, 1, 2, 3, 4, 0, 1, 2} + if !bytes.Equal(expected, p) { + t.Errorf("incorrect batch result: got %x, want %x", p, expected) + } +} + +func TestBatchedError(t *testing.T) { + b := batched(func(p []byte) error { return errors.New("") }, 5) + if b(make([]byte, 13)) == nil { + t.Fatal("batched function should have returned an error") + } +} + +func TestBatchedEmpty(t *testing.T) { + b := batched(func(p []byte) error { return errors.New("") }, 5) + if err := b(make([]byte, 0)); err != nil { + t.Fatalf("empty slice should always return nil: %s", err) + } +} diff --git a/src/crypto/rand/rand_dragonfly.go b/src/crypto/rand/rand_dragonfly.go new file mode 100644 index 0000000..8a36fea --- /dev/null +++ b/src/crypto/rand/rand_dragonfly.go @@ -0,0 +1,9 @@ +// Copyright 2021 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package rand + +// maxGetRandomRead is the maximum number of bytes to ask for in one call to the +// getrandom() syscall. In DragonFlyBSD at most 256 bytes will be returned per call. +const maxGetRandomRead = 1 << 8 diff --git a/src/crypto/rand/rand_freebsd.go b/src/crypto/rand/rand_freebsd.go new file mode 100644 index 0000000..75f683c --- /dev/null +++ b/src/crypto/rand/rand_freebsd.go @@ -0,0 +1,9 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package rand + +// maxGetRandomRead is the maximum number of bytes to ask for in one call to the +// getrandom() syscall. In FreeBSD at most 256 bytes will be returned per call. +const maxGetRandomRead = 1 << 8 diff --git a/src/crypto/rand/rand_getentropy.go b/src/crypto/rand/rand_getentropy.go new file mode 100644 index 0000000..b1c19f3 --- /dev/null +++ b/src/crypto/rand/rand_getentropy.go @@ -0,0 +1,31 @@ +// Copyright 2016 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build (darwin && !ios) || openbsd +// +build darwin,!ios openbsd + +package rand + +import ( + "internal/syscall/unix" +) + +func init() { + altGetRandom = getEntropy +} + +func getEntropy(p []byte) error { + // getentropy(2) returns a maximum of 256 bytes per call + for i := 0; i < len(p); i += 256 { + end := i + 256 + if len(p) < end { + end = len(p) + } + err := unix.GetEntropy(p[i:end]) + if err != nil { + return err + } + } + return nil +} diff --git a/src/crypto/rand/rand_js.go b/src/crypto/rand/rand_js.go new file mode 100644 index 0000000..7ddc2b6 --- /dev/null +++ b/src/crypto/rand/rand_js.go @@ -0,0 +1,29 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build js && wasm +// +build js,wasm + +package rand + +import "syscall/js" + +func init() { + Reader = &reader{} +} + +var jsCrypto = js.Global().Get("crypto") +var uint8Array = js.Global().Get("Uint8Array") + +// reader implements a pseudorandom generator +// using JavaScript crypto.getRandomValues method. +// See https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues. +type reader struct{} + +func (r *reader) Read(b []byte) (int, error) { + a := uint8Array.New(len(b)) + jsCrypto.Call("getRandomValues", a) + js.CopyBytesToGo(b, a) + return len(b), nil +} diff --git a/src/crypto/rand/rand_linux.go b/src/crypto/rand/rand_linux.go new file mode 100644 index 0000000..26b93c5 --- /dev/null +++ b/src/crypto/rand/rand_linux.go @@ -0,0 +1,14 @@ +// Copyright 2014 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package rand + +// maxGetRandomRead is the maximum number of bytes to ask for in one call to the +// getrandom() syscall. In linux at most 2^25-1 bytes will be returned per call. +// From the manpage +// +// * When reading from the urandom source, a maximum of 33554431 bytes +// is returned by a single call to getrandom() on systems where int +// has a size of 32 bits. +const maxGetRandomRead = (1 << 25) - 1 diff --git a/src/crypto/rand/rand_solaris.go b/src/crypto/rand/rand_solaris.go new file mode 100644 index 0000000..bbad0fe --- /dev/null +++ b/src/crypto/rand/rand_solaris.go @@ -0,0 +1,10 @@ +// Copyright 2021 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package rand + +// maxGetRandomRead is the maximum number of bytes to ask for in one call to the +// getrandom() syscall. Across all the Solaris platforms, 256 bytes is the +// lowest number of bytes returned atomically per call. +const maxGetRandomRead = 1 << 8 diff --git a/src/crypto/rand/rand_test.go b/src/crypto/rand/rand_test.go new file mode 100644 index 0000000..e45f58e --- /dev/null +++ b/src/crypto/rand/rand_test.go @@ -0,0 +1,43 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package rand + +import ( + "bytes" + "compress/flate" + "io" + "testing" +) + +func TestRead(t *testing.T) { + var n int = 4e6 + if testing.Short() { + n = 1e5 + } + b := make([]byte, n) + n, err := io.ReadFull(Reader, b) + if n != len(b) || err != nil { + t.Fatalf("ReadFull(buf) = %d, %s", n, err) + } + + var z bytes.Buffer + f, _ := flate.NewWriter(&z, 5) + f.Write(b) + f.Close() + if z.Len() < len(b)*99/100 { + t.Fatalf("Compressed %d -> %d", len(b), z.Len()) + } +} + +func TestReadEmpty(t *testing.T) { + n, err := Reader.Read(make([]byte, 0)) + if n != 0 || err != nil { + t.Fatalf("Read(make([]byte, 0)) = %d, %v", n, err) + } + n, err = Reader.Read(nil) + if n != 0 || err != nil { + t.Fatalf("Read(nil) = %d, %v", n, err) + } +} diff --git a/src/crypto/rand/rand_unix.go b/src/crypto/rand/rand_unix.go new file mode 100644 index 0000000..3d11159 --- /dev/null +++ b/src/crypto/rand/rand_unix.go @@ -0,0 +1,170 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || plan9 || solaris +// +build aix darwin dragonfly freebsd linux netbsd openbsd plan9 solaris + +// Unix cryptographically secure pseudorandom number +// generator. + +package rand + +import ( + "bufio" + "crypto/aes" + "crypto/cipher" + "encoding/binary" + "io" + "os" + "runtime" + "sync" + "sync/atomic" + "time" +) + +const urandomDevice = "/dev/urandom" + +// Easy implementation: read from /dev/urandom. +// This is sufficient on Linux, OS X, and FreeBSD. + +func init() { + if runtime.GOOS == "plan9" { + Reader = newReader(nil) + } else { + Reader = &devReader{name: urandomDevice} + } +} + +// A devReader satisfies reads by reading the file named name. +type devReader struct { + name string + f io.Reader + mu sync.Mutex + used int32 // atomic; whether this devReader has been used +} + +// altGetRandom if non-nil specifies an OS-specific function to get +// urandom-style randomness. +var altGetRandom func([]byte) (err error) + +func warnBlocked() { + println("crypto/rand: blocked for 60 seconds waiting to read random data from the kernel") +} + +func (r *devReader) Read(b []byte) (n int, err error) { + if atomic.CompareAndSwapInt32(&r.used, 0, 1) { + // First use of randomness. Start timer to warn about + // being blocked on entropy not being available. + t := time.AfterFunc(60*time.Second, warnBlocked) + defer t.Stop() + } + if altGetRandom != nil && r.name == urandomDevice && altGetRandom(b) == nil { + return len(b), nil + } + r.mu.Lock() + defer r.mu.Unlock() + if r.f == nil { + f, err := os.Open(r.name) + if f == nil { + return 0, err + } + if runtime.GOOS == "plan9" { + r.f = f + } else { + r.f = bufio.NewReader(hideAgainReader{f}) + } + } + return r.f.Read(b) +} + +var isEAGAIN func(error) bool // set by eagain.go on unix systems + +// hideAgainReader masks EAGAIN reads from /dev/urandom. +// See golang.org/issue/9205 +type hideAgainReader struct { + r io.Reader +} + +func (hr hideAgainReader) Read(p []byte) (n int, err error) { + n, err = hr.r.Read(p) + if err != nil && isEAGAIN != nil && isEAGAIN(err) { + err = nil + } + return +} + +// Alternate pseudo-random implementation for use on +// systems without a reliable /dev/urandom. + +// newReader returns a new pseudorandom generator that +// seeds itself by reading from entropy. If entropy == nil, +// the generator seeds itself by reading from the system's +// random number generator, typically /dev/random. +// The Read method on the returned reader always returns +// the full amount asked for, or else it returns an error. +// +// The generator uses the X9.31 algorithm with AES-128, +// reseeding after every 1 MB of generated data. +func newReader(entropy io.Reader) io.Reader { + if entropy == nil { + entropy = &devReader{name: "/dev/random"} + } + return &reader{entropy: entropy} +} + +type reader struct { + mu sync.Mutex + budget int // number of bytes that can be generated + cipher cipher.Block + entropy io.Reader + time, seed, dst, key [aes.BlockSize]byte +} + +func (r *reader) Read(b []byte) (n int, err error) { + r.mu.Lock() + defer r.mu.Unlock() + n = len(b) + + for len(b) > 0 { + if r.budget == 0 { + _, err := io.ReadFull(r.entropy, r.seed[0:]) + if err != nil { + return n - len(b), err + } + _, err = io.ReadFull(r.entropy, r.key[0:]) + if err != nil { + return n - len(b), err + } + r.cipher, err = aes.NewCipher(r.key[0:]) + if err != nil { + return n - len(b), err + } + r.budget = 1 << 20 // reseed after generating 1MB + } + r.budget -= aes.BlockSize + + // ANSI X9.31 (== X9.17) algorithm, but using AES in place of 3DES. + // + // single block: + // t = encrypt(time) + // dst = encrypt(t^seed) + // seed = encrypt(t^dst) + ns := time.Now().UnixNano() + binary.BigEndian.PutUint64(r.time[:], uint64(ns)) + r.cipher.Encrypt(r.time[0:], r.time[0:]) + for i := 0; i < aes.BlockSize; i++ { + r.dst[i] = r.time[i] ^ r.seed[i] + } + r.cipher.Encrypt(r.dst[0:], r.dst[0:]) + for i := 0; i < aes.BlockSize; i++ { + r.seed[i] = r.time[i] ^ r.dst[i] + } + r.cipher.Encrypt(r.seed[0:], r.seed[0:]) + + m := copy(b, r.dst[0:]) + b = b[m:] + } + + return n, nil +} diff --git a/src/crypto/rand/rand_windows.go b/src/crypto/rand/rand_windows.go new file mode 100644 index 0000000..6c0655c --- /dev/null +++ b/src/crypto/rand/rand_windows.go @@ -0,0 +1,26 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Windows cryptographically secure pseudorandom number +// generator. + +package rand + +import ( + "internal/syscall/windows" +) + +func init() { Reader = &rngReader{} } + +type rngReader struct{} + +func (r *rngReader) Read(b []byte) (n int, err error) { + // RtlGenRandom only returns 1<<32-1 bytes at a time. We only read at + // most 1<<31-1 bytes at a time so that this works the same on 32-bit + // and 64-bit systems. + if err := batched(windows.RtlGenRandom, 1<<31-1)(b); err != nil { + return 0, err + } + return len(b), nil +} diff --git a/src/crypto/rand/util.go b/src/crypto/rand/util.go new file mode 100644 index 0000000..4dd1711 --- /dev/null +++ b/src/crypto/rand/util.go @@ -0,0 +1,143 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package rand + +import ( + "errors" + "io" + "math/big" +) + +// smallPrimes is a list of small, prime numbers that allows us to rapidly +// exclude some fraction of composite candidates when searching for a random +// prime. This list is truncated at the point where smallPrimesProduct exceeds +// a uint64. It does not include two because we ensure that the candidates are +// odd by construction. +var smallPrimes = []uint8{ + 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, +} + +// smallPrimesProduct is the product of the values in smallPrimes and allows us +// to reduce a candidate prime by this number and then determine whether it's +// coprime to all the elements of smallPrimes without further big.Int +// operations. +var smallPrimesProduct = new(big.Int).SetUint64(16294579238595022365) + +// Prime returns a number, p, of the given size, such that p is prime +// with high probability. +// Prime will return error for any error returned by rand.Read or if bits < 2. +func Prime(rand io.Reader, bits int) (p *big.Int, err error) { + if bits < 2 { + err = errors.New("crypto/rand: prime size must be at least 2-bit") + return + } + + b := uint(bits % 8) + if b == 0 { + b = 8 + } + + bytes := make([]byte, (bits+7)/8) + p = new(big.Int) + + bigMod := new(big.Int) + + for { + _, err = io.ReadFull(rand, bytes) + if err != nil { + return nil, err + } + + // Clear bits in the first byte to make sure the candidate has a size <= bits. + bytes[0] &= uint8(int(1<= 2 { + bytes[0] |= 3 << (b - 2) + } else { + // Here b==1, because b cannot be zero. + bytes[0] |= 1 + if len(bytes) > 1 { + bytes[1] |= 0x80 + } + } + // Make the value odd since an even number this large certainly isn't prime. + bytes[len(bytes)-1] |= 1 + + p.SetBytes(bytes) + + // Calculate the value mod the product of smallPrimes. If it's + // a multiple of any of these primes we add two until it isn't. + // The probability of overflowing is minimal and can be ignored + // because we still perform Miller-Rabin tests on the result. + bigMod.Mod(p, smallPrimesProduct) + mod := bigMod.Uint64() + + NextDelta: + for delta := uint64(0); delta < 1<<20; delta += 2 { + m := mod + delta + for _, prime := range smallPrimes { + if m%uint64(prime) == 0 && (bits > 6 || m != uint64(prime)) { + continue NextDelta + } + } + + if delta > 0 { + bigMod.SetUint64(delta) + p.Add(p, bigMod) + } + break + } + + // There is a tiny possibility that, by adding delta, we caused + // the number to be one bit too long. Thus we check BitLen + // here. + if p.ProbablyPrime(20) && p.BitLen() == bits { + return + } + } +} + +// Int returns a uniform random value in [0, max). It panics if max <= 0. +func Int(rand io.Reader, max *big.Int) (n *big.Int, err error) { + if max.Sign() <= 0 { + panic("crypto/rand: argument to Int is <= 0") + } + n = new(big.Int) + n.Sub(max, n.SetUint64(1)) + // bitLen is the maximum bit length needed to encode a value < max. + bitLen := n.BitLen() + if bitLen == 0 { + // the only valid result is 0 + return + } + // k is the maximum byte length needed to encode a value < max. + k := (bitLen + 7) / 8 + // b is the number of bits in the most significant byte of max-1. + b := uint(bitLen % 8) + if b == 0 { + b = 8 + } + + bytes := make([]byte, k) + + for { + _, err = io.ReadFull(rand, bytes) + if err != nil { + return nil, err + } + + // Clear bits in the first byte to increase the probability + // that the candidate is < max. + bytes[0] &= uint8(int(1<