// Copyright 2016 The Fuchsia Authors
//
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file or at
// https://opensource.org/licenses/MIT

#include <assert.h>
#include <ctype.h>
#include <lib/boot-options/boot-options.h>
#include <lib/crypto/entropy/collector.h>
#include <lib/crypto/entropy/hw_rng_collector.h>
#include <lib/crypto/entropy/jitterentropy_collector.h>
#include <lib/crypto/entropy/quality_test.h>
#include <lib/crypto/global_prng.h>
#include <lib/crypto/prng.h>
#include <string.h>
#include <trace.h>
#include <zircon/errors.h>
#include <zircon/types.h>

#include <explicit-memory/bytes.h>
#include <fbl/algorithm.h>
#include <kernel/auto_lock.h>
#include <kernel/mutex.h>
#include <kernel/thread.h>
#include <ktl/algorithm.h>
#include <ktl/byte.h>
#include <ktl/move.h>
#include <ktl/span.h>
#include <ktl/string_view.h>
#include <lk/init.h>
#include <openssl/sha.h>
#include <phys/handoff.h>

#include <ktl/enforce.h>

#define LOCAL_TRACE 0

namespace crypto {
namespace global_prng {
namespace {

Prng* g_prng_instance = nullptr;

// Returns true on success, false on failure.
bool SeedFrom(entropy::Collector* collector) {
  uint8_t buf[Prng::kMinEntropy] = {0};
  size_t remaining = collector->BytesNeeded(8 * Prng::kMinEntropy);
#if LOCAL_TRACE
  {
    char name[ZX_MAX_NAME_LEN];
    collector->get_name(name, sizeof(name));
    LTRACEF("About to collect %zu bytes of entropy from '%s'.\n", remaining, name);
  }
#endif
  while (remaining > 0) {
    size_t result = collector->DrawEntropy(buf, ktl::min(sizeof(buf), remaining));
    if (result == 0) {
      LTRACEF(
          "Collected 0 bytes; aborting. "
          "There were %zu bytes remaining to collect.\n",
          remaining);
      return false;
    }

    g_prng_instance->AddEntropy(buf, result);
    mandatory_memset(buf, 0, sizeof(buf));
    remaining -= result;
  }
  LTRACEF("Successfully collected entropy.\n");
  return true;
}

// Instantiates the global PRNG (in non-thread-safe mode) and seeds it.
void EarlyBootSeed(uint level) {
  ASSERT(g_prng_instance == nullptr);

  // Before doing anything else, test our entropy collector. This is
  // explicitly called here rather than in another init hook to ensure
  // ordering (at level LK_INIT_LEVEL_PLATFORM_EARLY + 1, but before the rest
  // of EarlyBootSeed).
  entropy::EarlyBootTest();

  // Statically allocate an array of bytes to put the PRNG into.  We do this
  // to control when the PRNG constructor is called.
  // TODO(security): This causes the PRNG state to be in a fairly predictable
  // place.  Some aspects of KASLR will help with this, but we may
  // additionally want to remap where this is later.
  alignas(alignof(Prng)) static uint8_t prng_space[sizeof(Prng)];

  // number of successful entropy sources
  unsigned int successful = 0;

  g_prng_instance = new (&prng_space) Prng(nullptr, 0, crypto::Prng::NonThreadSafeTag{});

  // All validation from zbi item and commandline item is performed on phys, so
  // this instance of entropy pool, is guaranteed to meet the minimum requirements
  // for the current boot options, or we would have panic'd already.
  ZX_ASSERT(!gBootOptions->cprng_seed_require_cmdline || gPhysHandoff->entropy_pool.has_value());
  if (gPhysHandoff->entropy_pool) {
    // |pool|'s destructor will wipe the stack.
    auto pool = ktl::move(gPhysHandoff->entropy_pool.value());
    g_prng_instance->AddEntropy(pool.contents().data(), pool.contents().size());
    successful++;
  }
  entropy::Collector* collector = nullptr;
  if (!gBootOptions->cprng_disable_hw_rng &&
      entropy::HwRngCollector::GetInstance(&collector) == ZX_OK && SeedFrom(collector)) {
    successful++;
  } else if (gBootOptions->cprng_seed_require_hw_rng) {
    panic("Failed to seed PRNG from required entropy source: hw-rng\n");
  }
  if (!gBootOptions->cprng_disable_jitterentropy &&
      entropy::JitterentropyCollector::GetInstance(&collector) == ZX_OK && SeedFrom(collector)) {
    successful++;
  } else if (gBootOptions->cprng_seed_require_jitterentropy) {
    panic("Failed to seed PRNG from required entropy source: jitterentropy\n");
  }

  if (successful == 0) {
    printf(
        "WARNING: System has insufficient randomness.  It is completely "
        "unsafe to use this system for any cryptographic applications."
        "\n");
    // TODO(security): *CRITICAL* This is a fallback for systems without RNG
    // hardware that we should remove and attempt to do better.  If this
    // fallback is used, it breaks all cryptography used on the system.
    // *CRITICAL*
    uint8_t buf[Prng::kMinEntropy] = {0};
    g_prng_instance->AddEntropy(buf, sizeof(buf));
    return;
  } else {
    LTRACEF("Successfully collected entropy from %u sources.\n", successful);
  }
}

// Migrate the global PRNG to enter thread-safe mode.
void BecomeThreadSafe(uint level) { GetInstance()->BecomeThreadSafe(); }

// Collect entropy and add it to the cprng.
void ReseedPRNG() {
  unsigned int successful = 0;  // number of successful entropy sources
  entropy::Collector* collector = nullptr;
  // Reseed using HW RNG and jitterentropy;
  if (!gBootOptions->cprng_disable_hw_rng &&
      entropy::HwRngCollector::GetInstance(&collector) == ZX_OK && SeedFrom(collector)) {
    successful++;
  } else if (gBootOptions->cprng_reseed_require_hw_rng) {
    panic("Failed to reseed PRNG from required entropy source: hw-rng\n");
  }
  if (!gBootOptions->cprng_disable_jitterentropy &&
      entropy::JitterentropyCollector::GetInstance(&collector) == ZX_OK && SeedFrom(collector)) {
    successful++;
  } else if (gBootOptions->cprng_reseed_require_jitterentropy) {
    panic("Failed to reseed PRNG from required entropy source: jitterentropy\n");
  }

  if (successful == 0) {
    g_prng_instance->SelfReseed();
    LTRACEF("Reseed PRNG with no new entropy source\n");
  } else {
    LTRACEF("Successfully reseed PRNG from %u sources.\n", successful);
  }
}

int ReseedLoop(void* arg) {
  for (;;) {
    Thread::Current::SleepRelative(ZX_SEC(30));
    ReseedPRNG();
  }
  return 0;
}

// Start a thread to reseed PRNG.
void StartReseedThread(uint level) {
  // Force a reseed before returning from the init hook.
  // We have no guarantees when the thread will be scheduled and run.
  // TODO(fxbug.dev/82810): Make this synchronous reseed faster by removing
  // JitterEntropy reseed, as we already seeded from it in EarlyBoot.
  ReseedPRNG();
  Thread* t = Thread::Create("prng-reseed", ReseedLoop, nullptr, HIGHEST_PRIORITY);
  t->DetachAndResume();
}

}  // namespace

Prng* GetInstance() {
  ASSERT(g_prng_instance);
  return g_prng_instance;
}

}  // namespace global_prng
}  // namespace crypto

// intel hw_rng init hook is at PLATFORM_EARLY+1
// make sure we start after that so we can use it for the early seed.
LK_INIT_HOOK(global_prng_seed, crypto::global_prng::EarlyBootSeed, LK_INIT_LEVEL_PLATFORM_EARLY + 2)

LK_INIT_HOOK(global_prng_thread_safe, crypto::global_prng::BecomeThreadSafe,
             LK_INIT_LEVEL_THREADING - 1)

// Reseed the CPRNG right before entering userspace.
LK_INIT_HOOK(global_prng_reseed, crypto::global_prng::StartReseedThread, LK_INIT_LEVEL_USER - 1)