rand: introduce git_rand PRNG

Introduce `git_rand`, a PRNG based on xoroshiro256**, a fast,
all-purpose pseudo-random number generator: https://prng.di.unimi.it

The PRNG will be seeded by the system's entropy store when possible,
falling back to current time and system data (pid, uptime, etc).
Inspiration for this was taken from libressl, but since our PRNG is
not used for cryptographic purposes (and indeed currently only generates
a unique temp file name that is written in a protected directory),
this should be more than sufficient.

Our implementation of xoroshiro256** was taken almost strictly from
the original author's sources, but was tested against PractRand to
ensure that there were no foolish mistranslations:

```
RNG_test using PractRand version 0.94
RNG = RNG_stdin64, seed = unknown
test set = core, folding = standard (64 bit)

rng=RNG_stdin64, seed=unknown
length= 256 megabytes (2^28 bytes), time= 2.9 seconds
  no anomalies in 210 test result(s)

rng=RNG_stdin64, seed=unknown
length= 512 megabytes (2^29 bytes), time= 6.2 seconds
  no anomalies in 226 test result(s)

rng=RNG_stdin64, seed=unknown
length= 1 gigabyte (2^30 bytes), time= 12.7 seconds
  no anomalies in 243 test result(s)

rng=RNG_stdin64, seed=unknown
length= 2 gigabytes (2^31 bytes), time= 25.4 seconds
  no anomalies in 261 test result(s)

rng=RNG_stdin64, seed=unknown
length= 4 gigabytes (2^32 bytes), time= 50.6 seconds
  no anomalies in 277 test result(s)

rng=RNG_stdin64, seed=unknown
length= 8 gigabytes (2^33 bytes), time= 104 seconds
  no anomalies in 294 test result(s)
```

COPYING

@@ -1132,3 +1132,15 @@ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 OF THE POSSIBILITY OF SUCH DAMAGE.
 
+----------------------------------------------------------------------
+
+The xoroshiro256** implementation is licensed in the public domain:
+
+Written in 2018 by David Blackman and Sebastiano Vigna (vigna@acm.org)
+
+To the extent possible under law, the author has dedicated all copyright
+and related and neighboring rights to this software to the public domain
+worldwide. This software is distributed without any warranty.
+
+See <http://creativecommons.org/publicdomain/zero/1.0/>.
+

src/CMakeLists.txt

@@ -55,6 +55,8 @@ check_prototype_definition(qsort_r
 
 check_function_exists(qsort_s GIT_QSORT_S)
 
+check_function_exists(getentropy GIT_RAND_GETENTROPY)
+
 # Find required dependencies
 
 if(WIN32)

src/features.h.in

@@ -48,4 +48,6 @@
 #cmakedefine GIT_SHA1_OPENSSL 1
 #cmakedefine GIT_SHA1_MBEDTLS 1
 
+#cmakedefine GIT_RAND_GETENTROPY 1
+
 #endif

src/libgit2.c

@@ -20,6 +20,7 @@
 #include "mwindow.h"
 #include "object.h"
 #include "odb.h"
+#include "rand.h"
 #include "refs.h"
 #include "runtime.h"
 #include "sysdir.h"
@@ -70,6 +71,7 @@ int git_libgit2_init(void)
 		git_allocator_global_init,
 		git_threadstate_global_init,
 		git_threads_global_init,
+		git_rand_global_init,
 		git_hash_global_init,
 		git_sysdir_global_init,
 		git_filter_global_init,

src/rand.c

+/*  Written in 2018 by David Blackman and Sebastiano Vigna (vigna@acm.org)
+
+To the extent possible under law, the author has dedicated all copyright
+and related and neighboring rights to this software to the public domain
+worldwide. This software is distributed without any warranty.
+
+See <http://creativecommons.org/publicdomain/zero/1.0/>. */
+
+#include "common.h"
+#include "rand.h"
+#include "runtime.h"
+
+#if defined(GIT_RAND_GETENTROPY)
+# include <sys/random.h>
+#endif
+
+static uint64_t state[4];
+static git_mutex state_lock;
+
+typedef union {
+	double f;
+	uint64_t d;
+} bits;
+
+#if defined(GIT_WIN32)
+GIT_INLINE(int) getseed(uint64_t *seed)
+{
+	HCRYPTPROV provider;
+	SYSTEMTIME systemtime;
+	FILETIME filetime, idletime, kerneltime, usertime;
+	bits convert;
+
+	if (CryptAcquireContext(&provider, 0, 0, PROV_RSA_FULL,
+	                        CRYPT_VERIFYCONTEXT|CRYPT_SILENT)) {
+		BOOL success = CryptGenRandom(provider, sizeof(uint64_t), (void *)seed);
+		CryptReleaseContext(provider, 0);
+
+		if (success)
+			return 0;
+	}
+
+	GetSystemTime(&systemtime);
+	if (!SystemTimeToFileTime(&systemtime, &filetime)) {
+		git_error_set(GIT_ERROR_OS, "could not get time for random seed");
+		return -1;
+	}
+
+	/* Fall-through: generate a seed from the time and system state */
+	*seed = 0;
+	*seed |= ((uint64_t)filetime.dwLowDateTime << 32);
+	*seed |= ((uint64_t)filetime.dwHighDateTime);
+
+	GetSystemTimes(&idletime, &kerneltime, &usertime);
+
+	*seed ^= ((uint64_t)idletime.dwLowDateTime << 32);
+	*seed ^= ((uint64_t)kerneltime.dwLowDateTime);
+	*seed ^= ((uint64_t)usertime.dwLowDateTime << 32);
+
+	*seed ^= ((uint64_t)idletime.dwHighDateTime);
+	*seed ^= ((uint64_t)kerneltime.dwHighDateTime << 12);
+	*seed ^= ((uint64_t)usertime.dwHighDateTime << 24);
+
+	*seed ^= ((uint64_t)GetCurrentProcessId() << 32);
+	*seed ^= ((uint64_t)GetCurrentThreadId() << 48);
+
+	convert.f = git__timer(); *seed ^= (convert.d);
+
+	/* Mix in the addresses of some functions and variables */
+	*seed ^= (((uint64_t)((uintptr_t)seed) << 32));
+	*seed ^= (((uint64_t)((uintptr_t)&errno)));
+
+	return 0;
+}
+
+#else
+
+GIT_INLINE(int) getseed(uint64_t *seed)
+{
+	struct timeval tv;
+	double loadavg[3];
+	bits convert;
+	int fd;
+
+# if defined(GIT_RAND_GETENTROPY)
+	GIT_UNUSED((fd = 0));
+
+	if (getentropy(seed, sizeof(uint64_t)) == 0)
+		return 0;
+# else
+	/*
+	 * Try to read from /dev/urandom; most modern systems will have
+	 * this, but we may be chrooted, etc, so it's not a fatal error
+	 */
+	if ((fd = open("/dev/urandom", O_RDONLY)) >= 0) {
+		ssize_t ret = read(fd, seed, sizeof(uint64_t));
+		close(fd);
+
+		if (ret == (ssize_t)sizeof(uint64_t))
+			return 0;
+	}
+# endif
+
+	/* Fall-through: generate a seed from the time and system state */
+	if (gettimeofday(&tv, NULL) < 0) {
+		git_error_set(GIT_ERROR_OS, "could get time for random seed");
+		return -1;
+	}
+
+	getloadavg(loadavg, 3);
+
+	*seed = 0;
+	*seed |= ((uint64_t)tv.tv_usec << 40);
+	*seed |= ((uint64_t)tv.tv_sec);
+
+	*seed ^= ((uint64_t)getpid() << 48);
+	*seed ^= ((uint64_t)getppid() << 32);
+	*seed ^= ((uint64_t)getpgid(0) << 28);
+	*seed ^= ((uint64_t)getsid(0) << 16);
+	*seed ^= ((uint64_t)getuid() << 8);
+	*seed ^= ((uint64_t)getgid());
+
+	convert.f = loadavg[0]; *seed ^= (convert.d >> 36);
+	convert.f = loadavg[1]; *seed ^= (convert.d);
+	convert.f = loadavg[2]; *seed ^= (convert.d >> 16);
+
+	convert.f = git__timer(); *seed ^= (convert.d);
+
+	/* Mix in the addresses of some variables */
+	*seed ^= ((uint64_t)((size_t)((void *)seed)) << 32);
+	*seed ^= ((uint64_t)((size_t)((void *)&errno)));
+
+	return 0;
+}
+#endif
+
+static void git_rand_global_shutdown(void)
+{
+	git_mutex_free(&state_lock);
+}
+
+int git_rand_global_init(void)
+{
+	uint64_t seed = 0;
+
+	if (git_mutex_init(&state_lock) < 0 || getseed(&seed) < 0)
+		return -1;
+
+	if (!seed) {
+		git_error_set(GIT_ERROR_INTERNAL, "failed to generate random seed");
+		return -1;
+	}
+
+	git_rand_seed(seed);
+	git_runtime_shutdown_register(git_rand_global_shutdown);
+
+	return 0;
+}
+
+/*
+ * This is splitmix64. xoroshiro256** uses 256 bit seed; this is used
+ * to generate 256 bits of seed from the given 64, per the author's
+ * recommendation.
+ */
+GIT_INLINE(uint64_t) splitmix64(uint64_t *in)
+{
+	uint64_t z;
+
+	*in += 0x9e3779b97f4a7c15;
+
+	z = *in;
+	z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9;
+	z = (z ^ (z >> 27)) * 0x94d049bb133111eb;
+	return z ^ (z >> 31);
+}
+
+void git_rand_seed(uint64_t seed)
+{
+	uint64_t mixer;
+
+	mixer = seed;
+
+	git_mutex_lock(&state_lock);
+	state[0] = splitmix64(&mixer);
+	state[1] = splitmix64(&mixer);
+	state[2] = splitmix64(&mixer);
+	state[3] = splitmix64(&mixer);
+	git_mutex_unlock(&state_lock);
+}
+
+/* This is xoshiro256** 1.0, one of our all-purpose, rock-solid
+   generators. It has excellent (sub-ns) speed, a state (256 bits) that is
+   large enough for any parallel application, and it passes all tests we
+   are aware of.
+
+   For generating just floating-point numbers, xoshiro256+ is even faster.
+
+   The state must be seeded so that it is not everywhere zero. If you have
+   a 64-bit seed, we suggest to seed a splitmix64 generator and use its
+   output to fill s. */
+
+GIT_INLINE(uint64_t) rotl(const uint64_t x, int k) {
+	return (x << k) | (x >> (64 - k));
+}
+
+uint64_t git_rand_next(void) {
+	uint64_t t, result;
+
+	git_mutex_lock(&state_lock);
+
+	result = rotl(state[1] * 5, 7) * 9;
+
+	t = state[1] << 17;
+
+	state[2] ^= state[0];
+	state[3] ^= state[1];
+	state[1] ^= state[2];
+	state[0] ^= state[3];
+
+	state[2] ^= t;
+
+	state[3] = rotl(state[3], 45);
+
+	git_mutex_unlock(&state_lock);
+
+	return result;
+}

src/rand.h

+/*
+ * Copyright (C) the libgit2 contributors. All rights reserved.
+ *
+ * This file is part of libgit2, distributed under the GNU GPL v2 with
+ * a Linking Exception. For full terms see the included COPYING file.
+ */
+#ifndef INCLUDE_rand_h__
+#define INCLUDE_rand_h__
+
+#include "common.h"
+
+/**
+ * Initialize the random number generation subsystem.  This will
+ * seed the random number generator with the system's entropy pool,
+ * if available, and will fall back to the current time and
+ * system information if not.
+ */
+int git_rand_global_init(void);
+
+/**
+ * Seed the pseudo-random number generator.  This is not needed to be
+ * called; the PRNG is seeded by `git_rand_global_init`, but it may
+ * be useful for testing.  When the same seed is specified, the same
+ * sequence of random numbers from `git_rand_next` is emitted.
+ *
+ * @param seed the seed to use
+ */
+void git_rand_seed(uint64_t seed);
+
+/**
+ * Get the next pseudo-random number in the sequence.
+ *
+ * @return a 64-bit pseudo-random number
+ */
+uint64_t git_rand_next(void);
+
+#endif