2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
28 using NC = System.Security.Cryptography;
36 public sealed class RNG {
39 * To ensure efficient generation of random numbers, we use
40 * our own PRNG, seeded with a strong value (from the operating
41 * system), and based on AES-CTR. We obtain a random 128-bit
42 * key from the OS (RNGCryptoServiceProvider); then we use it
43 * to encrypt successive values for a 128-bit counter (also
44 * initialized from RNGCryptoServiceProvider). This is AES-CTR
45 * mode and thus provably as strong as AES-128 encryption as it
46 * is practiced in SSL/TLS.
48 * A mutex is used to ensure safe access in a multi-threaded
49 * context. Once initialized, random generation proceeds at
50 * the same speed as AES encryption, i.e. fast enough for
53 * As a special action for debugging, it is possible to reset
54 * the state to an explicit seed value. Of course, this tends
55 * to kill security, so it should be used only to make actions
56 * reproducible, as part of systematic tests.
59 static object rngMutex = new object();
60 static IBlockCipher rngAES = null;
61 static byte[] counter, rblock;
66 NC.RNGCryptoServiceProvider srng =
67 new NC.RNGCryptoServiceProvider();
68 byte[] key = new byte[16];
69 byte[] iv = new byte[16];
76 static void Init(byte[] key, byte[] iv)
80 counter = new byte[16];
81 rblock = new byte[16];
84 Array.Copy(iv, 0, rblock, 0, 16);
87 static void NextBlock()
89 int len = counter.Length;
91 for (int i = 0; i < len; i ++) {
92 int v = counter[i] + carry;
96 Array.Copy(counter, 0, rblock, 0, len);
97 rngAES.BlockEncrypt(rblock);
101 * Set or reset the state to the provided seed. All subsequent
102 * output will depend only on that seed value. This function shall
103 * be used ONLY for debug/test purposes, since it replaces the
104 * automatic seeding that uses OS-provided entropy.
106 public static void SetSeed(byte[] seed)
108 byte[] s32 = new SHA256().Hash(seed);
109 byte[] key = new byte[16];
110 byte[] iv = new byte[16];
111 Array.Copy(s32, 0, key, 0, 16);
112 Array.Copy(s32, 16, iv, 0, 16);
119 * Fill the provided array with random bytes.
121 public static void GetBytes(byte[] buf)
123 GetBytes(buf, 0, buf.Length);
127 * Fill the provided array chunk with random bytes.
129 public static void GetBytes(byte[] buf, int off, int len)
135 int clen = Math.Min(len, rblock.Length);
136 Array.Copy(rblock, 0, buf, off, clen);
144 * Get a new random 32-bit integer (uniform generation).
146 public static uint U32()
151 return (uint)rblock[0]
152 | ((uint)rblock[1] << 8)
153 | ((uint)rblock[2] << 16)
154 | ((uint)rblock[3] << 24);
159 * Convert integer value x (0 to 15) to a hexadecimal character
162 static char ToHex(int x)
164 int hi = -(((x + 6) >> 4) & 1);
165 return (char)(x + 48 + (hi & 39));
169 * Get a string of random hexadecimal characters. The 'len'
170 * parameter specifies the string length in characters (it
173 public static string GetHex(int len)
175 byte[] buf = new byte[(len + 1) >> 1];
177 StringBuilder sb = new StringBuilder();
178 foreach (byte b in buf) {
182 string s = sb.ToString();
183 if (s.Length > len) {
184 s = s.Substring(0, len);
190 * Get a sequence of random non-zero bytes.
192 public static void GetBytesNonZero(byte[] buf)
194 GetBytesNonZero(buf, 0, buf.Length);
198 * Get a sequence of random non-zero bytes.
200 public static void GetBytesNonZero(byte[] buf, int off, int len)
209 for (int i = 0; i < rblock.Length; i ++) {