// Copyright (c) 2016 Ryan Prichard
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to
// deal in the Software without restriction, including without limitation the
// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
// sell copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
// all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
// FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
// IN THE SOFTWARE.

#include "GenRandom.h"

#include <stdint.h>
#include <string.h>

#include "DebugClient.h"
#include "StringBuilder.h"

static volatile LONG g_pipeCounter;

GenRandom::GenRandom() : m_advapi32(L"advapi32.dll") {
    // First try to use the pseudo-documented RtlGenRandom function from
    // advapi32.dll.  Creating a CryptoAPI context is slow, and RtlGenRandom
    // avoids the overhead.  It's documented in this blog post[1] and on
    // MSDN[2] with a disclaimer about future breakage.  This technique is
    // apparently built-in into the MSVC CRT, though, for the rand_s function,
    // so perhaps it is stable enough.
    //
    // [1] http://blogs.msdn.com/b/michael_howard/archive/2005/01/14/353379.aspx
    // [2] https://msdn.microsoft.com/en-us/library/windows/desktop/aa387694(v=vs.85).aspx
    //
    // Both RtlGenRandom and the Crypto API functions exist in XP and up.
    m_rtlGenRandom = reinterpret_cast<RtlGenRandom_t*>(
        m_advapi32.proc("SystemFunction036"));
    // The OsModule class logs an error message if the proc is nullptr.
    if (m_rtlGenRandom != nullptr) {
        return;
    }

    // Fall back to the crypto API.
    m_cryptProvIsValid =
        CryptAcquireContext(&m_cryptProv, nullptr, nullptr,
                            PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) != 0;
    if (!m_cryptProvIsValid) {
        trace("GenRandom: CryptAcquireContext failed: %u",
            static_cast<unsigned>(GetLastError()));
    }
}

GenRandom::~GenRandom() {
    if (m_cryptProvIsValid) {
        CryptReleaseContext(m_cryptProv, 0);
    }
}

// Returns false if the context is invalid or the generation fails.
bool GenRandom::fillBuffer(void *buffer, size_t size) {
    memset(buffer, 0, size);
    bool success = false;
    if (m_rtlGenRandom != nullptr) {
        success = m_rtlGenRandom(buffer, size) != 0;
        if (!success) {
            trace("GenRandom: RtlGenRandom/SystemFunction036 failed: %u",
                static_cast<unsigned>(GetLastError()));
        }
    } else if (m_cryptProvIsValid) {
        success =
            CryptGenRandom(m_cryptProv, size,
                           reinterpret_cast<BYTE*>(buffer)) != 0;
        if (!success) {
            trace("GenRandom: CryptGenRandom failed, size=%d, lasterror=%u",
                static_cast<int>(size),
                static_cast<unsigned>(GetLastError()));
        }
    }
    return success;
}

// Returns an empty string if either of CryptAcquireContext or CryptGenRandom
// fail.
std::string GenRandom::randomBytes(size_t numBytes) {
    std::string ret(numBytes, '\0');
    if (!fillBuffer(&ret[0], numBytes)) {
        return std::string();
    }
    return ret;
}

std::wstring GenRandom::randomHexString(size_t numBytes) {
    const std::string bytes = randomBytes(numBytes);
    std::wstring ret(bytes.size() * 2, L'\0');
    for (size_t i = 0; i < bytes.size(); ++i) {
        static const wchar_t hex[] = L"0123456789abcdef";
        ret[i * 2]     = hex[static_cast<uint8_t>(bytes[i]) >> 4];
        ret[i * 2 + 1] = hex[static_cast<uint8_t>(bytes[i]) & 0xF];
    }
    return ret;
}

// Returns a 64-bit value representing the number of 100-nanosecond intervals
// since January 1, 1601.
static uint64_t systemTimeAsUInt64() {
    FILETIME monotonicTime = {};
    GetSystemTimeAsFileTime(&monotonicTime);
    return (static_cast<uint64_t>(monotonicTime.dwHighDateTime) << 32) |
            static_cast<uint64_t>(monotonicTime.dwLowDateTime);
}

// Generates a unique and hard-to-guess case-insensitive string suitable for
// use in a pipe filename or a Windows object name.
std::wstring GenRandom::uniqueName() {
    // First include enough information to avoid collisions assuming
    // cooperative software.  This code assumes that a process won't die and
    // be replaced with a recycled PID within a single GetSystemTimeAsFileTime
    // interval.
    WStringBuilder sb(64);
    sb << GetCurrentProcessId()
       << L'-' << InterlockedIncrement(&g_pipeCounter)
       << L'-' << whexOfInt(systemTimeAsUInt64());
    // It isn't clear to me how the crypto APIs would fail.  It *probably*
    // doesn't matter that much anyway?  In principle, a predictable pipe name
    // is subject to a local denial-of-service attack.
    auto random = randomHexString(16);
    if (!random.empty()) {
        sb << L'-' << random;
    }
    return sb.str_moved();
}