runtime/lib/math_patch.dart - Issue 1398453004: Add a 'secure' constructor to Random in dart:math returning a cryptographically

Side by Side Diff: runtime/lib/math_patch.dart

Issue 1398453004: Add a 'secure' constructor to Random in dart:math returning a cryptographically (Closed) Base URL: git@github.com:dart-lang/sdk.git@master

Patch Set: fix comments Created 5 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012, the Dart project authors. Please see the AUTHORS file	1 // Copyright (c) 2012, the Dart project authors. Please see the AUTHORS file

2 // for details. All rights reserved. Use of this source code is governed by a	2 // for details. All rights reserved. Use of this source code is governed by a

3 // BSD-style license that can be found in the LICENSE file.	3 // BSD-style license that can be found in the LICENSE file.

4	4

5 import "dart:typed_data";	5 import "dart:typed_data";

6	6

7 // A VM patch of the dart:math library.	7 // A VM patch of the dart:math library.

8	8

9 // If [x] is an [int] and [exponent] is a non-negative [int], the result is	9 // If [x] is an [int] and [exponent] is a non-negative [int], the result is

10 // an [int], otherwise the result is a [double].	10 // an [int], otherwise the result is a [double].

(...skipping 72 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
83 patch class Random {	83 patch class Random {

84	84

85 /patch/ factory Random([int seed]) {	85 /patch/ factory Random([int seed]) {

86 var state = _Random._setupSeed((seed == null) ? _Random._nextSeed() : seed);	86 var state = _Random._setupSeed((seed == null) ? _Random._nextSeed() : seed);

87 // Crank a couple of times to distribute the seed bits a bit further.	87 // Crank a couple of times to distribute the seed bits a bit further.

88 return new _Random._withState(state).._nextState()	88 return new _Random._withState(state).._nextState()

89 .._nextState()	89 .._nextState()

90 .._nextState()	90 .._nextState()

91 .._nextState();	91 .._nextState();

92 }	92 }

	93

	94 /patch/ factory Random.secure() {

	95 return new _SecureRandom();

	96 }

93 }	97 }

94	98

95	99

96 class _Random implements Random {	100 class _Random implements Random {

97 // Internal state of the random number generator.	101 // Internal state of the random number generator.

98 final _state;	102 final _state;

99 static const kSTATE_LO = 0;	103 static const _kSTATE_LO = 0;

100 static const kSTATE_HI = 1;	104 static const _kSTATE_HI = 1; // Unused in Dart code.

101	105

102 _Random._withState(Uint32List this._state);	106 _Random._withState(Uint32List this._state);

103	107

104 // The algorithm used here is Multiply with Carry (MWC) with a Base b = 2^32.	108 // The algorithm used here is Multiply with Carry (MWC) with a Base b = 2^32.

105 // http://en.wikipedia.org/wiki/Multiply-with-carry	109 // http://en.wikipedia.org/wiki/Multiply-with-carry

106 // The constant A is selected from "Numerical Recipes 3rd Edition" p.348 B1.	110 // The constant A is selected from "Numerical Recipes 3rd Edition" p.348 B1.

107	111

108 // Implements:	112 // Implements:

109 // var state = ((_A * (_state[kSTATE_LO])) + _state[kSTATE_HI]) & _MASK_64;	113 // var state =

110 // _state[kSTATE_LO] = state & _MASK_32;	114 // ((_A * (_state[_kSTATE_LO])) + _state[_kSTATE_HI]) & ((1 << 64) - 1);

111 // _state[kSTATE_HI] = state >> 32;	115 // _state[_kSTATE_LO] = state & ((1 << 32) - 1);

	116 // _state[_kSTATE_HI] = state >> 32;

112 // This is a native to prevent 64-bit operations in Dart, which	117 // This is a native to prevent 64-bit operations in Dart, which

113 // fail with --throw_on_javascript_int_overflow.	118 // fail with --throw_on_javascript_int_overflow.

114 void _nextState() native "Random_nextState";	119 void _nextState() native "Random_nextState";

115	120

116 int nextInt(int max) {	121 int nextInt(int max) {

117 const limit = 0x3FFFFFFF;	122 const limit = 0x3FFFFFFF;

118 if (max <= 0 \|\| ((max > limit) && (max > _POW2_32))) {	123 if ((max <= 0) \|\| ((max > limit) && (max > _POW2_32))) {

119 throw new ArgumentError("max must be positive and < 2^32:"	124 throw new ArgumentError("max must be positive and < 2^32: $max");

120 " $max");

121 }	125 }

122 if ((max & -max) == max) {	126 if ((max & -max) == max) {

123 // Fast case for powers of two.	127 // Fast case for powers of two.

124 _nextState();	128 _nextState();

125 return _state[kSTATE_LO] & (max - 1);	129 return _state[_kSTATE_LO] & (max - 1);

126 }	130 }

127	131

128 var rnd32;	132 var rnd32;

129 var result;	133 var result;

130 do {	134 do {

131 _nextState();	135 _nextState();

132 rnd32 = _state[kSTATE_LO];	136 rnd32 = _state[_kSTATE_LO];

133 result = rnd32 % max;	137 result = rnd32 % max;

134 } while ((rnd32 - result + max) >= _POW2_32);	138 } while ((rnd32 - result + max) >= _POW2_32);

135 return result;	139 return result;

136 }	140 }

137	141

138 double nextDouble() {	142 double nextDouble() {

139 return ((nextInt(1 << 26) * _POW2_27_D) + nextInt(1 << 27)) / _POW2_53_D;	143 return ((nextInt(1 << 26) * _POW2_27_D) + nextInt(1 << 27)) / _POW2_53_D;

140 }	144 }

141	145

142 bool nextBool() {	146 bool nextBool() {

143 return nextInt(2) == 0;	147 return nextInt(2) == 0;

144 }	148 }

145	149

146 // Constants used by the algorithm or masking.	150 // Constants used by the algorithm.

147 static const _MASK_32 = (1 << 32) - 1;

148 static const _MASK_64 = (1 << 64) - 1;

149 static const _POW2_32 = 1 << 32;	151 static const _POW2_32 = 1 << 32;

150 static const _POW2_53_D = 1.0 * (1 << 53);	152 static const _POW2_53_D = 1.0 * (1 << 53);

151 static const _POW2_27_D = 1.0 * (1 << 27);	153 static const _POW2_27_D = 1.0 * (1 << 27);

152	154

153 static const _A = 0xffffda61;	155 static const _A = 0xffffda61;

154	156

155 // Use a singleton Random object to get a new seed if no seed was passed.	157 // Use a singleton Random object to get a new seed if no seed was passed.

156 static var _prng = new _Random._withState(_initialSeed());	158 static var _prng = new _Random._withState(_initialSeed());

157	159

158 // This is a native to prevent 64-bit operations in Dart, which	160 // This is a native to prevent 64-bit operations in Dart, which

159 // fail with --throw_on_javascript_int_overflow.	161 // fail with --throw_on_javascript_int_overflow.

160 static Uint32List _setupSeed(int seed) native "Random_setupSeed";	162 static Uint32List _setupSeed(int seed) native "Random_setupSeed";

161 // Get a seed from the VM's random number provider.	163 // Get a seed from the VM's random number provider.

162 static Uint32List _initialSeed() native "Random_initialSeed";	164 static Uint32List _initialSeed() native "Random_initialSeed";

163	165

164 static int _nextSeed() {	166 static int _nextSeed() {

165 // Trigger the PRNG once to change the internal state.	167 // Trigger the PRNG once to change the internal state.

166 _prng._nextState();	168 _prng._nextState();

167 return _prng._state[kSTATE_LO];	169 return _prng._state[_kSTATE_LO];

168 }	170 }

169 }	171 }

	172

	173

	174 class _SecureRandom implements Random {

	175 _SecureRandom() {

	176 // Throw early in constructor if entropy source is not hooked up.

	177 _getBytes(1);

	178 }

	179

	180 // Return count bytes of entropy as a positive integer; count <= 8.

	181 static int _getBytes(int count) native "SecureRandom_getBytes";

	182

	183 int nextInt(int max) {

	184 // No local optimizations needed for this rather slow call.
	Lasse Reichstein Nielsen 2015/10/14 11:08:45 Really? How about only asking for the number of b Really? How about only asking for the number of bytes you need, so for nextInt(2), you don't have to waste three bytes of entropy. (Would it make sense to save unused entropy in the class, so eight consecutive nextBool calls wouldn't need to use more than one byte of entropy?) regis 2015/10/14 20:22:35 By "slow", I meant it is a call to the runtime, so Show quoted text On 2015/10/14 11:08:45, Lasse Reichstein Nielsen wrote: > Really? > > How about only asking for the number of bytes you need, so for nextInt(2), you > don't have to waste three bytes of entropy. > > (Would it make sense to save unused entropy in the class, so eight consecutive > nextBool calls wouldn't need to use more than one byte of entropy?) By "slow", I meant it is a call to the runtime, so the local optimization done in class _Random is not worth doing here. I removed the comment. Good point about only asking for the minimum number of bytes needed. Done.
	185 if ((max <= 0) \|\| (max > _POW2_32)) {

	186 throw new ArgumentError("max must be positive and < 2^32: $max");
	Lasse Reichstein Nielsen 2015/10/14 11:08:45 < 2^32 should be <= 2^32 Use a range error for th < 2^32 should be <= 2^32 Use a range error for this.: throw new RangeError.range(max, 0, _POW2_32, "max", "Must be positive and <= 2^32"); regis 2015/10/14 20:22:35 Done here and in class _Random above. The inclusiv Show quoted text On 2015/10/14 11:08:45, Lasse Reichstein Nielsen wrote: > < 2^32 should be <= 2^32 > > Use a range error for this.: > > throw new RangeError.range(max, 0, _POW2_32, "max", "Must be positive and <= > 2^32"); Done here and in class _Random above. The inclusive lower bound is actually 1.
	187 }

	188 var rnd32;

	189 var result;

	190 do {

	191 rnd32 = _getBytes(4);

	192 result = rnd32 % max;

	193 } while ((rnd32 - result + max) >= _POW2_32);
	Lasse Reichstein Nielsen 2015/10/14 11:08:45 Should >= be > ? If max is a power of 2 and rnd32 Should >= be > ? If max is a power of 2 and rnd32 is (2^32 - max) then the result should be fine, but this test rejects it and loops. It's safe but slower than necessary. regis 2015/10/14 20:22:35 Agreed. Actually, it made it impossible to use a m Show quoted text On 2015/10/14 11:08:45, Lasse Reichstein Nielsen wrote: > Should >= be > ? > If max is a power of 2 and rnd32 is (2^32 - max) then the result should be fine, > but this test rejects it and loops. > It's safe but slower than necessary. Agreed. Actually, it made it impossible to use a max of 1 << 32. I am surprised that no one complained about it (same bug in class _Random). I fixed it and also updated the wrong comment about the range of max in the API.
	194 return result;

	195 }

	196

	197 double nextDouble() {

	198 return (_getBytes(7) >> 3) / _POW2_53_D;

	199 }

	200

	201 bool nextBool() {

	202 return _getBytes(1).isEven;

	203 }

	204

	205 // Constants used by the algorithm.

	206 static const _POW2_32 = 1 << 32;

	207 static const _POW2_53_D = 1.0 * (1 << 53);

	208 }

	209

OLD	NEW

« runtime/lib/math.cc ('K') | « runtime/lib/math.cc ('k') | runtime/vm/bootstrap_natives.h » ('j') | sdk/lib/_internal/js_runtime/lib/math_patch.dart » ('J')