github.com/psiphon-Labs/psiphon-tunnel-core@v2.0.28+incompatible/psiphon/common/prng/prng.go (about)

     1  /*
     2   * Copyright (c) 2018, Psiphon Inc.
     3   * All rights reserved.
     4   *
     5   * This program is free software: you can redistribute it and/or modify
     6   * it under the terms of the GNU General Public License as published by
     7   * the Free Software Foundation, either version 3 of the License, or
     8   * (at your option) any later version.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  /*
    21  Package prng implements a seeded, unbiased PRNG that is suitable for use
    22  cases including obfuscation, network jitter, load balancing.
    23  
    24  Seeding is based on crypto/rand.Read and the PRNG stream is provided by
    25  chacha20. As such, this PRNG is suitable for high volume cases such as
    26  generating random bytes per IP packet as it avoids the syscall overhead
    27  (context switch/spinlock) of crypto/rand.Read.
    28  
    29  This PRNG also supports replay use cases, where its intended to reproduce the
    30  same traffic shape or protocol attributes there were previously produced.
    31  
    32  This PRNG is _not_ for security use cases including production cryptographic
    33  key generation.
    34  
    35  Limitations: there is a cycle in the PRNG stream, after roughly 2^64 * 2^38-64
    36  bytes; and the global instance initialized in init() ignores seeding errors.
    37  
    38  It is safe to make concurrent calls to a PRNG instance, including the global
    39  instance, but the caller is responsible for serializing multiple calls as
    40  required for replay.
    41  
    42  PRNG conforms to io.Reader and math/rand.Source, with additional helper
    43  functions.
    44  */
    45  package prng
    46  
    47  import (
    48  	crypto_rand "crypto/rand"
    49  	"crypto/sha256"
    50  	"encoding/base64"
    51  	"encoding/binary"
    52  	"encoding/hex"
    53  	"io"
    54  	"math"
    55  	"math/rand"
    56  	"sync"
    57  	"time"
    58  
    59  	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/crypto/Yawning/chacha20"
    60  	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/errors"
    61  	"golang.org/x/crypto/hkdf"
    62  )
    63  
    64  const (
    65  	SEED_LENGTH = 32
    66  )
    67  
    68  // Seed is a PRNG seed.
    69  type Seed [SEED_LENGTH]byte
    70  
    71  // NewSeed creates a new PRNG seed using crypto/rand.Read.
    72  func NewSeed() (*Seed, error) {
    73  	seed := new(Seed)
    74  	_, err := crypto_rand.Read(seed[:])
    75  	if err != nil {
    76  		return nil, errors.Trace(err)
    77  	}
    78  	return seed, nil
    79  }
    80  
    81  // NewSaltedSeed creates a new seed derived from an existing seed and a salt.
    82  // A HKDF is applied to the seed and salt.
    83  //
    84  // NewSaltedSeed is intended for use cases where a single seed needs to be
    85  // used in distinct contexts to produce independent random streams.
    86  func NewSaltedSeed(seed *Seed, salt string) (*Seed, error) {
    87  	saltedSeed := new(Seed)
    88  	_, err := io.ReadFull(
    89  		hkdf.New(sha256.New, seed[:], []byte(salt), nil), saltedSeed[:])
    90  	if err != nil {
    91  		return nil, errors.Trace(err)
    92  	}
    93  	return saltedSeed, nil
    94  }
    95  
    96  // PRNG is a seeded, unbiased PRNG based on chacha20.
    97  type PRNG struct {
    98  	rand                   *rand.Rand
    99  	randomStreamMutex      sync.Mutex
   100  	randomStreamSeed       *Seed
   101  	randomStream           *chacha20.Cipher
   102  	randomStreamUsed       uint64
   103  	randomStreamRekeyCount uint64
   104  }
   105  
   106  // NewPRNG generates a seed and creates a PRNG with that seed.
   107  func NewPRNG() (*PRNG, error) {
   108  	seed, err := NewSeed()
   109  	if err != nil {
   110  		return nil, errors.Trace(err)
   111  	}
   112  	return NewPRNGWithSeed(seed), nil
   113  }
   114  
   115  // NewPRNGWithSeed initializes a new PRNG using an existing seed.
   116  func NewPRNGWithSeed(seed *Seed) *PRNG {
   117  	p := &PRNG{
   118  		randomStreamSeed: seed,
   119  	}
   120  	p.rekey()
   121  	p.rand = rand.New(p)
   122  	return p
   123  }
   124  
   125  // NewPRNGWithSaltedSeed initializes a new PRNG using a seed derived from an
   126  // existing seed and a salt with NewSaltedSeed.
   127  func NewPRNGWithSaltedSeed(seed *Seed, salt string) (*PRNG, error) {
   128  	saltedSeed, err := NewSaltedSeed(seed, salt)
   129  	if err != nil {
   130  		return nil, errors.Trace(err)
   131  	}
   132  	return NewPRNGWithSeed(saltedSeed), nil
   133  }
   134  
   135  // GetSeed returns the seed for the PRNG. The returned value must not be mutated.
   136  func (p *PRNG) GetSeed() *Seed {
   137  	// Concurrency note: p.randomStreamSeed is not mutated after creationg, and
   138  	// is safe for concurrent reads. p.randomStreamSeed is reread internally, and
   139  	// so must not be mutated.
   140  	return p.randomStreamSeed
   141  }
   142  
   143  // Read reads random bytes from the PRNG stream into b. Read conforms to
   144  // io.Reader and always returns len(p), nil.
   145  func (p *PRNG) Read(b []byte) (int, error) {
   146  
   147  	p.randomStreamMutex.Lock()
   148  	defer p.randomStreamMutex.Unlock()
   149  
   150  	// Re-key before reaching the 2^38-64 chacha20 key stream limit.
   151  	if p.randomStreamUsed+uint64(len(b)) >= uint64(1<<38-64) {
   152  		p.rekey()
   153  	}
   154  
   155  	p.randomStream.KeyStream(b)
   156  
   157  	p.randomStreamUsed += uint64(len(b))
   158  
   159  	return len(b), nil
   160  }
   161  
   162  func (p *PRNG) rekey() {
   163  
   164  	// chacha20 has a stream limit of 2^38-64. Before that limit is reached,
   165  	// the cipher must be rekeyed. To rekey without changing the seed, we use
   166  	// a counter for the nonce.
   167  	//
   168  	// Limitation: the counter wraps at 2^64, which produces a cycle in the
   169  	// PRNG after 2^64 * 2^38-64 bytes.
   170  	//
   171  	// TODO: this could be extended by using all 2^96 bits of the nonce for
   172  	// the counter; and even further by using the 24 byte XChaCha20 nonce.
   173  	var randomKeyNonce [12]byte
   174  	binary.BigEndian.PutUint64(randomKeyNonce[0:8], p.randomStreamRekeyCount)
   175  
   176  	var err error
   177  	p.randomStream, err = chacha20.NewCipher(
   178  		p.randomStreamSeed[:], randomKeyNonce[:])
   179  	if err != nil {
   180  		// Functions returning random values, which may call rekey, don't
   181  		// return an error. As of github.com/Yawning/chacha20 rev. e3b1f968,
   182  		// the only possible errors from chacha20.NewCipher invalid key or
   183  		// nonce size, and since we use the correct sizes, there should never
   184  		// be an error here. So panic in this unexpected case.
   185  		panic(errors.Trace(err))
   186  	}
   187  
   188  	p.randomStreamRekeyCount += 1
   189  	p.randomStreamUsed = 0
   190  }
   191  
   192  // Int63 is equivilent to math/rand.Int63.
   193  func (p *PRNG) Int63() int64 {
   194  	i := p.Uint64()
   195  	return int64(i & (1<<63 - 1))
   196  }
   197  
   198  // Int63 is equivilent to math/rand.Uint64.
   199  func (p *PRNG) Uint64() uint64 {
   200  	var b [8]byte
   201  	p.Read(b[:])
   202  	return binary.BigEndian.Uint64(b[:])
   203  }
   204  
   205  // Seed must exist in order to use a PRNG as a math/rand.Source. This call is
   206  // not supported and ignored.
   207  func (p *PRNG) Seed(_ int64) {
   208  }
   209  
   210  // FlipCoin randomly returns true or false.
   211  func (p *PRNG) FlipCoin() bool {
   212  	return p.rand.Int31n(2) == 1
   213  }
   214  
   215  // FlipWeightedCoin returns the result of a weighted
   216  // random coin flip. If the weight is 0.5, the outcome
   217  // is equally likely to be true or false. If the weight
   218  // is 1.0, the outcome is always true, and if the
   219  // weight is 0.0, the outcome is always false.
   220  //
   221  // Input weights > 1.0 are treated as 1.0.
   222  func (p *PRNG) FlipWeightedCoin(weight float64) bool {
   223  	if weight > 1.0 {
   224  		weight = 1.0
   225  	}
   226  	f := float64(p.Int63()) / float64(math.MaxInt64)
   227  	return f > 1.0-weight
   228  }
   229  
   230  // Intn is equivilent to math/rand.Intn, except it returns 0 if n <= 0
   231  // instead of panicking.
   232  func (p *PRNG) Intn(n int) int {
   233  	if n <= 0 {
   234  		return 0
   235  	}
   236  	return p.rand.Intn(n)
   237  }
   238  
   239  // Int63n is equivilent to math/rand.Int63n, except it returns 0 if n <= 0
   240  // instead of panicking.
   241  func (p *PRNG) Int63n(n int64) int64 {
   242  	if n <= 0 {
   243  		return 0
   244  	}
   245  	return p.rand.Int63n(n)
   246  }
   247  
   248  // ExpFloat64Range returns a pseudo-exponentially distributed float64 in the
   249  // range [min, max] with the specified lambda. Numbers are selected using
   250  // math/rand.ExpFloat64 and discarding values that exceed max.
   251  //
   252  // If max < min or lambda is <= 0, min is returned.
   253  func (p *PRNG) ExpFloat64Range(min, max, lambda float64) float64 {
   254  	if max <= min || lambda <= 0.0 {
   255  		return min
   256  	}
   257  	var value float64
   258  	for {
   259  		value = min + (rand.ExpFloat64()/lambda)*(max-min)
   260  		if value <= max {
   261  			break
   262  		}
   263  	}
   264  	return value
   265  }
   266  
   267  // Perm is equivilent to math/rand.Perm.
   268  func (p *PRNG) Perm(n int) []int {
   269  	return p.rand.Perm(n)
   270  }
   271  
   272  // Range selects a random integer in [min, max].
   273  // If min < 0, min is set to 0. If max < min, min is returned.
   274  func (p *PRNG) Range(min, max int) int {
   275  	if min < 0 {
   276  		min = 0
   277  	}
   278  	if max < min {
   279  		return min
   280  	}
   281  	n := p.Intn(max - min + 1)
   282  	n += min
   283  	return n
   284  }
   285  
   286  // Bytes returns a new slice containing length random bytes.
   287  func (p *PRNG) Bytes(length int) []byte {
   288  	b := make([]byte, length)
   289  	p.Read(b)
   290  	return b
   291  }
   292  
   293  // Padding selects a random padding length in the indicated
   294  // range and returns a random byte slice of the selected length.
   295  // If maxLength <= minLength, the padding is minLength.
   296  func (p *PRNG) Padding(minLength, maxLength int) []byte {
   297  	return p.Bytes(p.Range(minLength, maxLength))
   298  }
   299  
   300  // Period returns a random duration, within a given range.
   301  // If max <= min, the duration is min.
   302  func (p *PRNG) Period(min, max time.Duration) time.Duration {
   303  	duration := p.Int63n(max.Nanoseconds() - min.Nanoseconds())
   304  	return min + time.Duration(duration)
   305  }
   306  
   307  // Jitter returns n +/- the given factor.
   308  // For example, for n = 100 and factor = 0.1, the
   309  // return value will be in the range [90, 110].
   310  func (p *PRNG) Jitter(n int64, factor float64) int64 {
   311  	a := int64(math.Ceil(float64(n) * factor))
   312  	r := p.Int63n(2*a + 1)
   313  	return n + r - a
   314  }
   315  
   316  // JitterDuration invokes Jitter for time.Duration.
   317  func (p *PRNG) JitterDuration(d time.Duration, factor float64) time.Duration {
   318  	return time.Duration(p.Jitter(int64(d), factor))
   319  }
   320  
   321  // HexString returns a hex encoded random string.
   322  // byteLength specifies the pre-encoded data length.
   323  func (p *PRNG) HexString(byteLength int) string {
   324  	return hex.EncodeToString(p.Bytes(byteLength))
   325  }
   326  
   327  // Base64String returns a base64 encoded random string.
   328  // byteLength specifies the pre-encoded data length.
   329  func (p *PRNG) Base64String(byteLength int) string {
   330  	return base64.StdEncoding.EncodeToString(p.Bytes(byteLength))
   331  }
   332  
   333  var p *PRNG
   334  
   335  func DefaultPRNG() *PRNG {
   336  	return p
   337  }
   338  
   339  func Read(b []byte) (int, error) {
   340  	return p.Read(b)
   341  }
   342  
   343  func Int63() int64 {
   344  	return p.Int63()
   345  }
   346  
   347  func Uint64() uint64 {
   348  	return p.Uint64()
   349  }
   350  
   351  func FlipCoin() bool {
   352  	return p.FlipCoin()
   353  }
   354  
   355  func FlipWeightedCoin(weight float64) bool {
   356  	return p.FlipWeightedCoin(weight)
   357  }
   358  
   359  func Intn(n int) int {
   360  	return p.Intn(n)
   361  }
   362  
   363  func Int63n(n int64) int64 {
   364  	return p.Int63n(n)
   365  }
   366  
   367  func ExpFloat64Range(min, max, lambda float64) float64 {
   368  	return p.ExpFloat64Range(min, max, lambda)
   369  }
   370  
   371  func Perm(n int) []int {
   372  	return p.Perm(n)
   373  }
   374  
   375  func Range(min, max int) int {
   376  	return p.Range(min, max)
   377  }
   378  
   379  func Bytes(length int) []byte {
   380  	return p.Bytes(length)
   381  }
   382  
   383  func Padding(minLength, maxLength int) []byte {
   384  	return p.Padding(minLength, maxLength)
   385  }
   386  
   387  func Period(min, max time.Duration) time.Duration {
   388  	return p.Period(min, max)
   389  }
   390  
   391  func Jitter(n int64, factor float64) int64 {
   392  	return p.Jitter(n, factor)
   393  }
   394  
   395  func JitterDuration(d time.Duration, factor float64) time.Duration {
   396  	return p.JitterDuration(d, factor)
   397  }
   398  
   399  func HexString(byteLength int) string {
   400  	return p.HexString(byteLength)
   401  }
   402  
   403  func Base64String(byteLength int) string {
   404  	return p.Base64String(byteLength)
   405  }
   406  
   407  func init() {
   408  
   409  	// Limitation: if crypto/rand.Read fails, the global PRNG will be
   410  	// initialized with a zero-byte seed. This ensures that non-security-
   411  	// critical use of the global PRNG can proceed.
   412  	//
   413  	// As of Go 1.9, with https://github.com/golang/go/issues/19274, on Linux
   414  	// kernels v3.17+, cryto/rand.Read should now block instead of failing or
   415  	// returning predictable bytes.
   416  	var err error
   417  	p, err = NewPRNG()
   418  	if err != nil {
   419  		p = NewPRNGWithSeed(new(Seed))
   420  	}
   421  }