kris
/
boringssl
1
0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
1641 Révisions
12 Branches
38 MiB
Aborescence: 6de0e53919
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '6de0e53919'
${ noResults }
boringssl/crypto/rand/rand.c

rand.c 5.6 KiB
Brut Vue normale Historique

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Add no-op |RAND_load_file| function for compatibility. Change-Id: I9493a1509a75d3f0d99ce2b699d8781ad9b1bafa Reviewed-on: https://boringssl-review.googlesource.com/4540 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
rand: new-style locking and support rdrand. Pure /dev/urandom, no buffering (previous behaviour): Did 2320000 RNG (16 bytes) operations in 3000082us (773312.2 ops/sec): 12.4 MB/s Did 209000 RNG (256 bytes) operations in 3011984us (69389.5 ops/sec): 17.8 MB/s Did 6851 RNG (8192 bytes) operations in 3052027us (2244.7 ops/sec): 18.4 MB/s Pure rdrand speed: Did 34930500 RNG (16 bytes) operations in 3000021us (11643418.5 ops/sec): 186.3 MB/s Did 2444000 RNG (256 bytes) operations in 3000164us (814622.1 ops/sec): 208.5 MB/s Did 80000 RNG (8192 bytes) operations in 3020968us (26481.6 ops/sec): 216.9 MB/s rdrand + ChaCha (as in this change): Did 19498000 RNG (16 bytes) operations in 3000086us (6499147.0 ops/sec): 104.0 MB/s Did 1964000 RNG (256 bytes) operations in 3000566us (654543.2 ops/sec): 167.6 MB/s Did 62000 RNG (8192 bytes) operations in 3034090us (20434.5 ops/sec): 167.4 MB/s Change-Id: Ie17045650cfe75858e4498ac28dbc4dcf8338376 Reviewed-on: https://boringssl-review.googlesource.com/4328 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
Include openssl/chacha.h rather than duplicate the prototype. Less chance of problems should the prototype ever change. This doesn't make it any more or less a circular dependency. (It actually isn't; crypto/chacha doesn't use crypto/rand and CMakeLists.txt actually puts rand above chacha anyway.) Change-Id: Ia80289f801f76551737233f158755aac99ddd74a Reviewed-on: https://boringssl-review.googlesource.com/5262 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
rand: new-style locking and support rdrand. Pure /dev/urandom, no buffering (previous behaviour): Did 2320000 RNG (16 bytes) operations in 3000082us (773312.2 ops/sec): 12.4 MB/s Did 209000 RNG (256 bytes) operations in 3011984us (69389.5 ops/sec): 17.8 MB/s Did 6851 RNG (8192 bytes) operations in 3052027us (2244.7 ops/sec): 18.4 MB/s Pure rdrand speed: Did 34930500 RNG (16 bytes) operations in 3000021us (11643418.5 ops/sec): 186.3 MB/s Did 2444000 RNG (256 bytes) operations in 3000164us (814622.1 ops/sec): 208.5 MB/s Did 80000 RNG (8192 bytes) operations in 3020968us (26481.6 ops/sec): 216.9 MB/s rdrand + ChaCha (as in this change): Did 19498000 RNG (16 bytes) operations in 3000086us (6499147.0 ops/sec): 104.0 MB/s Did 1964000 RNG (256 bytes) operations in 3000566us (654543.2 ops/sec): 167.6 MB/s Did 62000 RNG (8192 bytes) operations in 3034090us (20434.5 ops/sec): 167.4 MB/s Change-Id: Ie17045650cfe75858e4498ac28dbc4dcf8338376 Reviewed-on: https://boringssl-review.googlesource.com/4328 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
Fix Windows build failures caused by 310d4dd. MSVC doesn't like |const size_t len| in a function definition where the declaration was just |size_t len| without the |const|. Also, MSVC needs declarations of parameterless functions to have a |void| parameter list. Change-Id: I91e01a12aca657b2ee1d653926f09cc52da2faed Reviewed-on: https://boringssl-review.googlesource.com/4329 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
rand: new-style locking and support rdrand. Pure /dev/urandom, no buffering (previous behaviour): Did 2320000 RNG (16 bytes) operations in 3000082us (773312.2 ops/sec): 12.4 MB/s Did 209000 RNG (256 bytes) operations in 3011984us (69389.5 ops/sec): 17.8 MB/s Did 6851 RNG (8192 bytes) operations in 3052027us (2244.7 ops/sec): 18.4 MB/s Pure rdrand speed: Did 34930500 RNG (16 bytes) operations in 3000021us (11643418.5 ops/sec): 186.3 MB/s Did 2444000 RNG (256 bytes) operations in 3000164us (814622.1 ops/sec): 208.5 MB/s Did 80000 RNG (8192 bytes) operations in 3020968us (26481.6 ops/sec): 216.9 MB/s rdrand + ChaCha (as in this change): Did 19498000 RNG (16 bytes) operations in 3000086us (6499147.0 ops/sec): 104.0 MB/s Did 1964000 RNG (256 bytes) operations in 3000566us (654543.2 ops/sec): 167.6 MB/s Did 62000 RNG (8192 bytes) operations in 3034090us (20434.5 ops/sec): 167.4 MB/s Change-Id: Ie17045650cfe75858e4498ac28dbc4dcf8338376 Reviewed-on: https://boringssl-review.googlesource.com/4328 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
Handle RDRAND failures. I mistakenly believed that only RDSEED could fail. However, the Intel manuals state that RDRAND can fail too. I can't actually observe it failing, even with all cores running RDRAND in a tight loop. In any case, the ChaCha20 masking means that it wouldn't be a big deal anyway. Still, this change tests the carry flag after RDRAND and the code falls back to |CRYPTO_sysrand| if RDRAND has a hiccup. (The Intel manuals suggest[1] calling RDRAND in a loop, ten times, before considering it to have failed. But a single failure appears to be such a rare event that the complexity in the asm code doesn't seem worth it.) This change also adds an asm function to fill a buffer with random data. Otherwise the overhead of calling |CRYPTO_rdrand|, and bouncing the data in and out of memory starts to add up. Thanks to W. Mark Kubacki, who may have reported this. (There's some confusion in the bug report.) Before: Did 6148000 RNG (16 bytes) operations in 1000080us: 98.4 MB/s Did 649000 RNG (256 bytes) operations in 1000281us: 166.1 MB/s Did 22000 RNG (8192 bytes) operations in 1033538us: 174.4 MB/s After: Did 6573000 RNG (16 bytes) operations in 1000002us: 105.2 MB/s Did 693000 RNG (256 bytes) operations in 1000127us: 177.4 MB/s Did 24000 RNG (8192 bytes) operations in 1028466us: 191.2 MB/s [1] Intel Reference Manual, section 7.3.17.1. Change-Id: Iba7f82e844ebacef535472a31f2dd749aad1190a Reviewed-on: https://boringssl-review.googlesource.com/5180 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
rand: new-style locking and support rdrand. Pure /dev/urandom, no buffering (previous behaviour): Did 2320000 RNG (16 bytes) operations in 3000082us (773312.2 ops/sec): 12.4 MB/s Did 209000 RNG (256 bytes) operations in 3011984us (69389.5 ops/sec): 17.8 MB/s Did 6851 RNG (8192 bytes) operations in 3052027us (2244.7 ops/sec): 18.4 MB/s Pure rdrand speed: Did 34930500 RNG (16 bytes) operations in 3000021us (11643418.5 ops/sec): 186.3 MB/s Did 2444000 RNG (256 bytes) operations in 3000164us (814622.1 ops/sec): 208.5 MB/s Did 80000 RNG (8192 bytes) operations in 3020968us (26481.6 ops/sec): 216.9 MB/s rdrand + ChaCha (as in this change): Did 19498000 RNG (16 bytes) operations in 3000086us (6499147.0 ops/sec): 104.0 MB/s Did 1964000 RNG (256 bytes) operations in 3000566us (654543.2 ops/sec): 167.6 MB/s Did 62000 RNG (8192 bytes) operations in 3034090us (20434.5 ops/sec): 167.4 MB/s Change-Id: Ie17045650cfe75858e4498ac28dbc4dcf8338376 Reviewed-on: https://boringssl-review.googlesource.com/4328 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
Don't use uninitialized memory in RAND_bytes. We can't actually catch this with MSan because it requires all code be instrumented, so it needs a NO_ASM build which no disables that code. valgrind doesn't notice either, possibly because there's some computation being done on it. Still, we shouldn't use uninitialized memory. Also get us closer to being instrumentable by MSan, but the runner tests will need to build against an instrumented STL and I haven't tried that yet. Change-Id: I2d65697a3269b5b022899f361730a85c51ecaa12 Reviewed-on: https://boringssl-review.googlesource.com/4760 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
rand: new-style locking and support rdrand. Pure /dev/urandom, no buffering (previous behaviour): Did 2320000 RNG (16 bytes) operations in 3000082us (773312.2 ops/sec): 12.4 MB/s Did 209000 RNG (256 bytes) operations in 3011984us (69389.5 ops/sec): 17.8 MB/s Did 6851 RNG (8192 bytes) operations in 3052027us (2244.7 ops/sec): 18.4 MB/s Pure rdrand speed: Did 34930500 RNG (16 bytes) operations in 3000021us (11643418.5 ops/sec): 186.3 MB/s Did 2444000 RNG (256 bytes) operations in 3000164us (814622.1 ops/sec): 208.5 MB/s Did 80000 RNG (8192 bytes) operations in 3020968us (26481.6 ops/sec): 216.9 MB/s rdrand + ChaCha (as in this change): Did 19498000 RNG (16 bytes) operations in 3000086us (6499147.0 ops/sec): 104.0 MB/s Did 1964000 RNG (256 bytes) operations in 3000566us (654543.2 ops/sec): 167.6 MB/s Did 62000 RNG (8192 bytes) operations in 3034090us (20434.5 ops/sec): 167.4 MB/s Change-Id: Ie17045650cfe75858e4498ac28dbc4dcf8338376 Reviewed-on: https://boringssl-review.googlesource.com/4328 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Add no-op |RAND_load_file| function for compatibility. Change-Id: I9493a1509a75d3f0d99ce2b699d8781ad9b1bafa Reviewed-on: https://boringssl-review.googlesource.com/4540 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Dummy |RAND_set_rand_method|, |RAND_egd|, and |RAND_SSLeay|. Change-Id: Ide555c77748b4ba8106f69b037e5ff78d81a56dc Reviewed-on: https://boringssl-review.googlesource.com/5220 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
il y a 10 ans
Compatibility changes for wpa_supplicant and OpenSSH. OpenSSH, especially, does some terrible things that mean that it needs the EVP_CIPHER structure to be exposed ☹. Damian is open to a better API to replace this, but only if OpenSSL agree too. Either way, it won't be happening soon. Change-Id: I393b7a6af6694d4d2fe9ebcccd40286eff4029bd Reviewed-on: https://boringssl-review.googlesource.com/4330 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
Dummy |RAND_set_rand_method|, |RAND_egd|, and |RAND_SSLeay|. Change-Id: Ide555c77748b4ba8106f69b037e5ff78d81a56dc Reviewed-on: https://boringssl-review.googlesource.com/5220 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
Make methods of |RAND_SSLEay| do reasonable things. This means e.g. that a caller can say: RAND_SSLEay()->bytes(...) and so on. But in exchange for this convenience, I've changed the signatures to be more BoringSSL-ish (|size_t| instead of |int|). That's fine; |RAND_set_rand_method(SSLEay())| still works. And by works I mean "does nothing". Change-Id: I35479b5efb759da910ce46e22298168b78c9edcf Reviewed-on: https://boringssl-review.googlesource.com/5472 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
Dummy |RAND_set_rand_method|, |RAND_egd|, and |RAND_SSLeay|. Change-Id: Ide555c77748b4ba8106f69b037e5ff78d81a56dc Reviewed-on: https://boringssl-review.googlesource.com/5220 Reviewed-by: Adam Langley <agl@google.com>
il y a 9 ans
RAND_set_rand_method takes a const parameter. Change-Id: I37e7c00deeb74aa0b71ee0d3a242d33d4d413cf0
il y a 9 ans
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187 
  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/rand.h>

  16. 

  17. #include <limits.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/chacha.h>

  21. #include <openssl/mem.h>

  22. 

  23. #include "internal.h"

  24. #include "../internal.h"

  25. 

  26. 

  27. /* It's assumed that the operating system always has an unfailing source of

  28.  * entropy which is accessed via |CRYPTO_sysrand|. (If the operating system

  29.  * entropy source fails, it's up to |CRYPTO_sysrand| to abort the process—we

  30.  * don't try to handle it.)

  31.  *

  32.  * In addition, the hardware may provide a low-latency RNG. Intel's rdrand

  33.  * instruction is the canonical example of this. When a hardware RNG is

  34.  * available we don't need to worry about an RNG failure arising from fork()ing

  35.  * the process or moving a VM, so we can keep thread-local RNG state and XOR

  36.  * the hardware entropy in.

  37.  *

  38.  * (We assume that the OS entropy is safe from fork()ing and VM duplication.

  39.  * This might be a bit of a leap of faith, esp on Windows, but there's nothing

  40.  * that we can do about it.) */

  41. 

  42. /* rand_thread_state contains the per-thread state for the RNG. This is only

  43.  * used if the system has support for a hardware RNG. */

  44. struct rand_thread_state {

  45.   uint8_t key[32];

  46.   uint64_t calls_used;

  47.   size_t bytes_used;

  48.   uint8_t partial_block[64];

  49.   unsigned partial_block_used;

  50. };

  51. 

  52. /* kMaxCallsPerRefresh is the maximum number of |RAND_bytes| calls that we'll

  53.  * serve before reading a new key from the operating system. This only applies

  54.  * if we have a hardware RNG. */

  55. static const unsigned kMaxCallsPerRefresh = 1024;

  56. 

  57. /* kMaxBytesPerRefresh is the maximum number of bytes that we'll return from

  58.  * |RAND_bytes| before reading a new key from the operating system. This only

  59.  * applies if we have a hardware RNG. */

  60. static const uint64_t kMaxBytesPerRefresh = 1024 * 1024;

  61. 

  62. /* rand_thread_state_free frees a |rand_thread_state|. This is called when a

  63.  * thread exits. */

  64. static void rand_thread_state_free(void *state) {

  65.   if (state == NULL) {

  66.     return;

  67.   }

  68. 

  69.   OPENSSL_cleanse(state, sizeof(struct rand_thread_state));

  70.   OPENSSL_free(state);

  71. }

  72. 

  73. int RAND_bytes(uint8_t *buf, size_t len) {

  74.   if (len == 0) {

  75.     return 1;

  76.   }

  77. 

  78.   if (!CRYPTO_have_hwrand() ||

  79.       !CRYPTO_hwrand(buf, len)) {

  80.     /* Without a hardware RNG to save us from address-space duplication, the OS

  81.      * entropy is used directly. */

  82.     CRYPTO_sysrand(buf, len);

  83.     return 1;

  84.   }

  85. 

  86.   struct rand_thread_state *state =

  87.       CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_RAND);

  88.   if (state == NULL) {

  89.     state = OPENSSL_malloc(sizeof(struct rand_thread_state));

  90.     if (state == NULL ||

  91.         !CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_RAND, state,

  92.                                  rand_thread_state_free)) {

  93.       CRYPTO_sysrand(buf, len);

  94.       return 1;

  95.     }

  96. 

  97.     memset(state->partial_block, 0, sizeof(state->partial_block));

  98.     state->calls_used = kMaxCallsPerRefresh;

  99.   }

  100. 

  101.   if (state->calls_used >= kMaxCallsPerRefresh ||

  102.       state->bytes_used >= kMaxBytesPerRefresh) {

  103.     CRYPTO_sysrand(state->key, sizeof(state->key));

  104.     state->calls_used = 0;

  105.     state->bytes_used = 0;

  106.     state->partial_block_used = sizeof(state->partial_block);

  107.   }

  108. 

  109.   if (len >= sizeof(state->partial_block)) {

  110.     size_t remaining = len;

  111.     while (remaining > 0) {

  112.       // kMaxBytesPerCall is only 2GB, while ChaCha can handle 256GB. But this

  113.       // is sufficient and easier on 32-bit.

  114.       static const size_t kMaxBytesPerCall = 0x80000000;

  115.       size_t todo = remaining;

  116.       if (todo > kMaxBytesPerCall) {

  117.         todo = kMaxBytesPerCall;

  118.       }

  119.       CRYPTO_chacha_20(buf, buf, todo, state->key,

  120.                        (uint8_t *)&state->calls_used, 0);

  121.       buf += todo;

  122.       remaining -= todo;

  123.       state->calls_used++;

  124.     }

  125.   } else {

  126.     if (sizeof(state->partial_block) - state->partial_block_used < len) {

  127.       CRYPTO_chacha_20(state->partial_block, state->partial_block,

  128.                        sizeof(state->partial_block), state->key,

  129.                        (uint8_t *)&state->calls_used, 0);

  130.       state->partial_block_used = 0;

  131.     }

  132. 

  133.     unsigned i;

  134.     for (i = 0; i < len; i++) {

  135.       buf[i] ^= state->partial_block[state->partial_block_used++];

  136.     }

  137.     state->calls_used++;

  138.   }

  139.   state->bytes_used += len;

  140. 

  141.   return 1;

  142. }

  143. 

  144. int RAND_pseudo_bytes(uint8_t *buf, size_t len) {

  145.   return RAND_bytes(buf, len);

  146. }

  147. 

  148. void RAND_seed(const void *buf, int num) {}

  149. 

  150. int RAND_load_file(const char *path, long num) {

  151.   if (num < 0) {  /* read the "whole file" */

  152.     return 1;

  153.   } else if (num <= INT_MAX) {

  154.     return (int) num;

  155.   } else {

  156.     return INT_MAX;

  157.   }

  158. }

  159. 

  160. void RAND_add(const void *buf, int num, double entropy) {}

  161. 

  162. int RAND_egd(const char *path) {

  163.   return 255;

  164. }

  165. 

  166. int RAND_poll(void) {

  167.   return 1;

  168. }

  169. 

  170. int RAND_status(void) {

  171.   return 1;

  172. }

  173. 

  174. static const struct rand_meth_st kSSLeayMethod = {

  175.   RAND_seed,

  176.   RAND_bytes,

  177.   RAND_cleanup,

  178.   RAND_add,

  179.   RAND_pseudo_bytes,

  180.   RAND_status,

  181. };

  182. 

  183. RAND_METHOD *RAND_SSLeay(void) {

  184.   return (RAND_METHOD*) &kSSLeayMethod;

  185. }

  186. 

  187. void RAND_set_rand_method(const RAND_METHOD *method) {}