Merge pull request #100 from tendermint/internal-randSource

common: no more relying on math/rand.DefaultSource

common/bit_array.go

@@ -3,7 +3,6 @@ package common
 import (
 	"encoding/binary"
 	"fmt"
-	"math/rand"
 	"strings"
 	"sync"
 )
@@ -212,12 +211,12 @@ func (bA *BitArray) PickRandom() (int, bool) {
 	if length == 0 {
 		return 0, false
 	}
-	randElemStart := rand.Intn(length)
+	randElemStart := RandIntn(length)
 	for i := 0; i < length; i++ {
 		elemIdx := ((i + randElemStart) % length)
 		if elemIdx < length-1 {
 			if bA.Elems[elemIdx] > 0 {
-				randBitStart := rand.Intn(64)
+				randBitStart := RandIntn(64)
 				for j := 0; j < 64; j++ {
 					bitIdx := ((j + randBitStart) % 64)
 					if (bA.Elems[elemIdx] & (uint64(1) << uint(bitIdx))) > 0 {
@@ -232,7 +231,7 @@ func (bA *BitArray) PickRandom() (int, bool) {
 			if elemBits == 0 {
 				elemBits = 64
 			}
-			randBitStart := rand.Intn(elemBits)
+			randBitStart := RandIntn(elemBits)
 			for j := 0; j < elemBits; j++ {
 				bitIdx := ((j + randBitStart) % elemBits)
 				if (bA.Elems[elemIdx] & (uint64(1) << uint(bitIdx))) > 0 {

common/random.go

@@ -2,7 +2,8 @@ package common
 
 import (
 	crand "crypto/rand"
-	"math/rand"
+	mrand "math/rand"
+	"sync"
 	"time"
 )
 
@@ -10,22 +11,36 @@ const (
 	strChars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" // 62 characters
 )
 
-func init() {
+// pseudo random number generator.
+// seeded with OS randomness (crand)
+var prng struct {
+	sync.Mutex
+	*mrand.Rand
+}
+
+func reset() {
 	b := cRandBytes(8)
 	var seed uint64
 	for i := 0; i < 8; i++ {
 		seed |= uint64(b[i])
 		seed <<= 8
 	}
-	rand.Seed(int64(seed))
+	prng.Lock()
+	prng.Rand = mrand.New(mrand.NewSource(int64(seed)))
+	prng.Unlock()
+}
+
+func init() {
+	reset()
 }
 
 // Constructs an alphanumeric string of given length.
+// It is not safe for cryptographic usage.
 func RandStr(length int) string {
 	chars := []byte{}
 MAIN_LOOP:
 	for {
-		val := rand.Int63()
+		val := prng.Int63()
 		for i := 0; i < 10; i++ {
 			v := int(val & 0x3f) // rightmost 6 bits
 			if v >= 62 {         // only 62 characters in strChars
@@ -44,87 +59,151 @@ MAIN_LOOP:
 	return string(chars)
 }
 
+// It is not safe for cryptographic usage.
 func RandUint16() uint16 {
-	return uint16(rand.Uint32() & (1<<16 - 1))
+	return uint16(RandUint32() & (1<<16 - 1))
 }
 
+// It is not safe for cryptographic usage.
 func RandUint32() uint32 {
-	return rand.Uint32()
+	prng.Lock()
+	u32 := prng.Uint32()
+	prng.Unlock()
+	return u32
 }
 
+// It is not safe for cryptographic usage.
 func RandUint64() uint64 {
-	return uint64(rand.Uint32())<<32 + uint64(rand.Uint32())
+	return uint64(RandUint32())<<32 + uint64(RandUint32())
 }
 
+// It is not safe for cryptographic usage.
 func RandUint() uint {
-	return uint(rand.Int())
+	prng.Lock()
+	i := prng.Int()
+	prng.Unlock()
+	return uint(i)
 }
 
+// It is not safe for cryptographic usage.
 func RandInt16() int16 {
-	return int16(rand.Uint32() & (1<<16 - 1))
+	return int16(RandUint32() & (1<<16 - 1))
 }
 
+// It is not safe for cryptographic usage.
 func RandInt32() int32 {
-	return int32(rand.Uint32())
+	return int32(RandUint32())
 }
 
+// It is not safe for cryptographic usage.
 func RandInt64() int64 {
-	return int64(rand.Uint32())<<32 + int64(rand.Uint32())
+	return int64(RandUint64())
 }
 
+// It is not safe for cryptographic usage.
 func RandInt() int {
-	return rand.Int()
+	prng.Lock()
+	i := prng.Int()
+	prng.Unlock()
+	return i
+}
+
+// It is not safe for cryptographic usage.
+func RandInt31() int32 {
+	prng.Lock()
+	i31 := prng.Int31()
+	prng.Unlock()
+	return i31
+}
+
+// It is not safe for cryptographic usage.
+func RandInt63() int64 {
+	prng.Lock()
+	i63 := prng.Int63()
+	prng.Unlock()
+	return i63
 }
 
 // Distributed pseudo-exponentially to test for various cases
+// It is not safe for cryptographic usage.
 func RandUint16Exp() uint16 {
-	bits := rand.Uint32() % 16
+	bits := RandUint32() % 16
 	if bits == 0 {
 		return 0
 	}
 	n := uint16(1 << (bits - 1))
-	n += uint16(rand.Int31()) & ((1 << (bits - 1)) - 1)
+	n += uint16(RandInt31()) & ((1 << (bits - 1)) - 1)
 	return n
 }
 
 // Distributed pseudo-exponentially to test for various cases
+// It is not safe for cryptographic usage.
 func RandUint32Exp() uint32 {
-	bits := rand.Uint32() % 32
+	bits := RandUint32() % 32
 	if bits == 0 {
 		return 0
 	}
 	n := uint32(1 << (bits - 1))
-	n += uint32(rand.Int31()) & ((1 << (bits - 1)) - 1)
+	n += uint32(RandInt31()) & ((1 << (bits - 1)) - 1)
 	return n
 }
 
 // Distributed pseudo-exponentially to test for various cases
+// It is not safe for cryptographic usage.
 func RandUint64Exp() uint64 {
-	bits := rand.Uint32() % 64
+	bits := RandUint32() % 64
 	if bits == 0 {
 		return 0
 	}
 	n := uint64(1 << (bits - 1))
-	n += uint64(rand.Int63()) & ((1 << (bits - 1)) - 1)
+	n += uint64(RandInt63()) & ((1 << (bits - 1)) - 1)
 	return n
 }
 
+// It is not safe for cryptographic usage.
 func RandFloat32() float32 {
-	return rand.Float32()
+	prng.Lock()
+	f32 := prng.Float32()
+	prng.Unlock()
+	return f32
 }
 
+// It is not safe for cryptographic usage.
 func RandTime() time.Time {
 	return time.Unix(int64(RandUint64Exp()), 0)
 }
 
+// RandBytes returns n random bytes from the OS's source of entropy ie. via crypto/rand.
+// It is not safe for cryptographic usage.
 func RandBytes(n int) []byte {
+	// cRandBytes isn't guaranteed to be fast so instead
+	// use random bytes generated from the internal PRNG
 	bs := make([]byte, n)
-	for i := 0; i < n; i++ {
-		bs[i] = byte(rand.Intn(256))
+	for i := 0; i < len(bs); i++ {
+		bs[i] = byte(RandInt() & 0xFF)
 	}
 	return bs
 }
 
+// RandIntn returns, as an int, a non-negative pseudo-random number in [0, n).
+// It panics if n <= 0.
+// It is not safe for cryptographic usage.
+func RandIntn(n int) int {
+	prng.Lock()
+	i := prng.Intn(n)
+	prng.Unlock()
+	return i
+}
+
+// RandPerm returns a pseudo-random permutation of n integers in [0, n).
+// It is not safe for cryptographic usage.
+func RandPerm(n int) []int {
+	prng.Lock()
+	perm := prng.Perm(n)
+	prng.Unlock()
+	return perm
+}
+
 // NOTE: This relies on the os's random number generator.
 // For real security, we should salt that with some seed.
 // See github.com/tendermint/go-crypto for a more secure reader.

common/random_test.go

@@ -0,0 +1,120 @@
+package common
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	mrand "math/rand"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRandStr(t *testing.T) {
+	l := 243
+	s := RandStr(l)
+	assert.Equal(t, l, len(s))
+}
+
+func TestRandBytes(t *testing.T) {
+	l := 243
+	b := RandBytes(l)
+	assert.Equal(t, l, len(b))
+}
+
+func TestRandIntn(t *testing.T) {
+	n := 243
+	for i := 0; i < 100; i++ {
+		x := RandIntn(n)
+		assert.True(t, x < n)
+	}
+}
+
+// It is essential that these tests run and never repeat their outputs
+// lest we've been pwned and the behavior of our randomness is controlled.
+// See Issues:
+//  * https://github.com/tendermint/tmlibs/issues/99
+//  * https://github.com/tendermint/tendermint/issues/973
+func TestUniqueRng(t *testing.T) {
+	buf := new(bytes.Buffer)
+	outputs := make(map[string][]int)
+	for i := 0; i < 100; i++ {
+		testThemAll(buf)
+		output := buf.String()
+		buf.Reset()
+		runs, seen := outputs[output]
+		if seen {
+			t.Errorf("Run #%d's output was already seen in previous runs: %v", i, runs)
+		}
+		outputs[output] = append(outputs[output], i)
+	}
+}
+
+func testThemAll(out io.Writer) {
+	// Reset the internal PRNG
+	reset()
+
+	// Set math/rand's Seed so that any direct invocations
+	// of math/rand will reveal themselves.
+	mrand.Seed(1)
+	perm := RandPerm(10)
+	blob, _ := json.Marshal(perm)
+	fmt.Fprintf(out, "perm: %s\n", blob)
+
+	fmt.Fprintf(out, "randInt: %d\n", RandInt())
+	fmt.Fprintf(out, "randUint: %d\n", RandUint())
+	fmt.Fprintf(out, "randIntn: %d\n", RandIntn(97))
+	fmt.Fprintf(out, "randInt31: %d\n", RandInt31())
+	fmt.Fprintf(out, "randInt32: %d\n", RandInt32())
+	fmt.Fprintf(out, "randInt63: %d\n", RandInt63())
+	fmt.Fprintf(out, "randInt64: %d\n", RandInt64())
+	fmt.Fprintf(out, "randUint32: %d\n", RandUint32())
+	fmt.Fprintf(out, "randUint64: %d\n", RandUint64())
+	fmt.Fprintf(out, "randUint16Exp: %d\n", RandUint16Exp())
+	fmt.Fprintf(out, "randUint32Exp: %d\n", RandUint32Exp())
+	fmt.Fprintf(out, "randUint64Exp: %d\n", RandUint64Exp())
+}
+
+func TestRngConcurrencySafety(t *testing.T) {
+	var wg sync.WaitGroup
+	for i := 0; i < 100; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+
+			_ = RandUint64()
+			<-time.After(time.Millisecond * time.Duration(RandIntn(100)))
+			_ = RandPerm(3)
+		}()
+	}
+	wg.Wait()
+}
+
+func BenchmarkRandBytes10B(b *testing.B) {
+	benchmarkRandBytes(b, 10)
+}
+func BenchmarkRandBytes100B(b *testing.B) {
+	benchmarkRandBytes(b, 100)
+}
+func BenchmarkRandBytes1KiB(b *testing.B) {
+	benchmarkRandBytes(b, 1024)
+}
+func BenchmarkRandBytes10KiB(b *testing.B) {
+	benchmarkRandBytes(b, 10*1024)
+}
+func BenchmarkRandBytes100KiB(b *testing.B) {
+	benchmarkRandBytes(b, 100*1024)
+}
+func BenchmarkRandBytes1MiB(b *testing.B) {
+	benchmarkRandBytes(b, 1024*1024)
+}
+
+func benchmarkRandBytes(b *testing.B, n int) {
+	for i := 0; i < b.N; i++ {
+		_ = RandBytes(n)
+	}
+	b.ReportAllocs()
+}