boringssl/crypto/rand_extra/deterministic.c

/* Copyright (c) 2016, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

#include <openssl/rand.h>

#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)

#include <string.h>

#include <openssl/chacha.h>

#include "../internal.h"
#include "../fipsmodule/rand/internal.h"


/* g_num_calls is the number of calls to |CRYPTO_sysrand| that have occurred.
 *
 * This is intentionally not thread-safe. If the fuzzer mode is ever used in a
 * multi-threaded program, replace this with a thread-local. (A mutex would not
 * be deterministic.) */
static uint64_t g_num_calls = 0;

void RAND_reset_for_fuzzing(void) { g_num_calls = 0; }

void CRYPTO_sysrand(uint8_t *out, size_t requested) {
  static const uint8_t kZeroKey[32];

  uint8_t nonce[12];
  OPENSSL_memset(nonce, 0, sizeof(nonce));
  OPENSSL_memcpy(nonce, &g_num_calls, sizeof(g_num_calls));

  OPENSSL_memset(out, 0, requested);
  CRYPTO_chacha_20(out, out, requested, kZeroKey, nonce, 0);
  g_num_calls++;
}

#endif  /* BORINGSSL_UNSAFE_DETERMINISTIC_MODE */
Add a deterministic PRNG for fuzzing. If running the stack through a fuzzer, we would like execution to be completely deterministic. This is gated on a BORINGSSL_UNSAFE_FUZZER_MODE #ifdef. For now, this just uses the zero ChaCha20 key and a global counter. As needed, we can extend this to a thread-local counter and a separate ChaCha20 stream and counter per input length. Change-Id: Ic6c9d8a25e70d68e5dc6804e2c234faf48e51395 Reviewed-on: https://boringssl-review.googlesource.com/7286 Reviewed-by: Adam Langley <agl@google.com> 2016-03-02 03:57:32 +00:00			`/* Copyright (c) 2016, Google Inc.`
			`*`
			`* Permission to use, copy, modify, and/or distribute this software for any`
			`* purpose with or without fee is hereby granted, provided that the above`
			`* copyright notice and this permission notice appear in all copies.`
			`*`
			`* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES`
			`* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF`
			`* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY`
			`* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES`
			`* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION`
			`* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN`
			`* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */`

			`#include <openssl/rand.h>`

Add corpora for fuzzers with fuzzer mode disabled. Fuzzer mode explores the handshake, but at the cost of losing coverage on the record layer. Add a separate build flag and client/server corpora for this mode. Note this requires tweaks in consumers' fuzzer build definitions. BUG=111 Change-Id: I1026dc7301645e165a761068a1daad6eedc9271e Reviewed-on: https://boringssl-review.googlesource.com/12108 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> 2016-11-04 22:59:33 +00:00			`#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)`
Add a deterministic PRNG for fuzzing. If running the stack through a fuzzer, we would like execution to be completely deterministic. This is gated on a BORINGSSL_UNSAFE_FUZZER_MODE #ifdef. For now, this just uses the zero ChaCha20 key and a global counter. As needed, we can extend this to a thread-local counter and a separate ChaCha20 stream and counter per input length. Change-Id: Ic6c9d8a25e70d68e5dc6804e2c234faf48e51395 Reviewed-on: https://boringssl-review.googlesource.com/7286 Reviewed-by: Adam Langley <agl@google.com> 2016-03-02 03:57:32 +00:00
			`#include <string.h>`

			`#include <openssl/chacha.h>`

Fix fuzzer mode build. Change-Id: If565a5fdfa0f314422aa26c2e8f869965ca08c1b Reviewed-on: https://boringssl-review.googlesource.com/12969 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <alangley@gmail.com> 2016-12-21 22:01:08 +00:00			`#include "../internal.h"`
Move much of rand/ into the FIPS module. Support for platforms that we don't support FIPS on doesn't need to be in the module. Also, functions for dealing with whether fork-unsafe buffering is enabled are left out because they aren't implementing any cryptography and they use global r/w state, making their inclusion painful. Change-Id: I71a0123db6f5449e9dfc7ec7dea0944428e661aa Reviewed-on: https://boringssl-review.googlesource.com/15084 Reviewed-by: Adam Langley <agl@google.com> 2017-04-14 19:16:20 +01:00			`#include "../fipsmodule/rand/internal.h"`
Add a deterministic PRNG for fuzzing. If running the stack through a fuzzer, we would like execution to be completely deterministic. This is gated on a BORINGSSL_UNSAFE_FUZZER_MODE #ifdef. For now, this just uses the zero ChaCha20 key and a global counter. As needed, we can extend this to a thread-local counter and a separate ChaCha20 stream and counter per input length. Change-Id: Ic6c9d8a25e70d68e5dc6804e2c234faf48e51395 Reviewed-on: https://boringssl-review.googlesource.com/7286 Reviewed-by: Adam Langley <agl@google.com> 2016-03-02 03:57:32 +00:00

Remove TODO. This isn't something we need to fix, just an explanatory comment. Change-Id: I284e6580d176f981c6b161e9951f367fef1b1be6 Reviewed-on: https://boringssl-review.googlesource.com/14264 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> 2017-03-14 19:22:49 +00:00			`/* g_num_calls is the number of calls to \|CRYPTO_sysrand\| that have occurred.`
Add a deterministic PRNG for fuzzing. If running the stack through a fuzzer, we would like execution to be completely deterministic. This is gated on a BORINGSSL_UNSAFE_FUZZER_MODE #ifdef. For now, this just uses the zero ChaCha20 key and a global counter. As needed, we can extend this to a thread-local counter and a separate ChaCha20 stream and counter per input length. Change-Id: Ic6c9d8a25e70d68e5dc6804e2c234faf48e51395 Reviewed-on: https://boringssl-review.googlesource.com/7286 Reviewed-by: Adam Langley <agl@google.com> 2016-03-02 03:57:32 +00:00			`*`
Remove TODO. This isn't something we need to fix, just an explanatory comment. Change-Id: I284e6580d176f981c6b161e9951f367fef1b1be6 Reviewed-on: https://boringssl-review.googlesource.com/14264 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> 2017-03-14 19:22:49 +00:00			`* This is intentionally not thread-safe. If the fuzzer mode is ever used in a`
			`* multi-threaded program, replace this with a thread-local. (A mutex would not`
			`* be deterministic.) */`
Add a deterministic PRNG for fuzzing. If running the stack through a fuzzer, we would like execution to be completely deterministic. This is gated on a BORINGSSL_UNSAFE_FUZZER_MODE #ifdef. For now, this just uses the zero ChaCha20 key and a global counter. As needed, we can extend this to a thread-local counter and a separate ChaCha20 stream and counter per input length. Change-Id: Ic6c9d8a25e70d68e5dc6804e2c234faf48e51395 Reviewed-on: https://boringssl-review.googlesource.com/7286 Reviewed-by: Adam Langley <agl@google.com> 2016-03-02 03:57:32 +00:00			`static uint64_t g_num_calls = 0;`

			`void RAND_reset_for_fuzzing(void) { g_num_calls = 0; }`

			`void CRYPTO_sysrand(uint8_t *out, size_t requested) {`
			`static const uint8_t kZeroKey[32];`

			`uint8_t nonce[12];`
Work around language and compiler bug in memcpy, etc. Most C standard library functions are undefined if passed NULL, even when the corresponding length is zero. This gives them (and, in turn, all functions which call them) surprising behavior on empty arrays. Some compilers will miscompile code due to this rule. See also https://www.imperialviolet.org/2016/06/26/nonnull.html Add OPENSSL_memcpy, etc., wrappers which avoid this problem. BUG=23 Change-Id: I95f42b23e92945af0e681264fffaf578e7f8465e Reviewed-on: https://boringssl-review.googlesource.com/12928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> 2016-12-13 06:07:13 +00:00			`OPENSSL_memset(nonce, 0, sizeof(nonce));`
			`OPENSSL_memcpy(nonce, &g_num_calls, sizeof(g_num_calls));`
Add a deterministic PRNG for fuzzing. If running the stack through a fuzzer, we would like execution to be completely deterministic. This is gated on a BORINGSSL_UNSAFE_FUZZER_MODE #ifdef. For now, this just uses the zero ChaCha20 key and a global counter. As needed, we can extend this to a thread-local counter and a separate ChaCha20 stream and counter per input length. Change-Id: Ic6c9d8a25e70d68e5dc6804e2c234faf48e51395 Reviewed-on: https://boringssl-review.googlesource.com/7286 Reviewed-by: Adam Langley <agl@google.com> 2016-03-02 03:57:32 +00:00
Work around language and compiler bug in memcpy, etc. Most C standard library functions are undefined if passed NULL, even when the corresponding length is zero. This gives them (and, in turn, all functions which call them) surprising behavior on empty arrays. Some compilers will miscompile code due to this rule. See also https://www.imperialviolet.org/2016/06/26/nonnull.html Add OPENSSL_memcpy, etc., wrappers which avoid this problem. BUG=23 Change-Id: I95f42b23e92945af0e681264fffaf578e7f8465e Reviewed-on: https://boringssl-review.googlesource.com/12928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> 2016-12-13 06:07:13 +00:00			`OPENSSL_memset(out, 0, requested);`
Add a deterministic PRNG for fuzzing. If running the stack through a fuzzer, we would like execution to be completely deterministic. This is gated on a BORINGSSL_UNSAFE_FUZZER_MODE #ifdef. For now, this just uses the zero ChaCha20 key and a global counter. As needed, we can extend this to a thread-local counter and a separate ChaCha20 stream and counter per input length. Change-Id: Ic6c9d8a25e70d68e5dc6804e2c234faf48e51395 Reviewed-on: https://boringssl-review.googlesource.com/7286 Reviewed-by: Adam Langley <agl@google.com> 2016-03-02 03:57:32 +00:00			`CRYPTO_chacha_20(out, out, requested, kZeroKey, nonce, 0);`
			`g_num_calls++;`
			`}`

Add corpora for fuzzers with fuzzer mode disabled. Fuzzer mode explores the handshake, but at the cost of losing coverage on the record layer. Add a separate build flag and client/server corpora for this mode. Note this requires tweaks in consumers' fuzzer build definitions. BUG=111 Change-Id: I1026dc7301645e165a761068a1daad6eedc9271e Reviewed-on: https://boringssl-review.googlesource.com/12108 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> 2016-11-04 22:59:33 +00:00			`#endif /* BORINGSSL_UNSAFE_DETERMINISTIC_MODE */`