kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1256 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 160f4ef14c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '160f4ef14c'
${ noResults }
boringssl/crypto/rand/rand.c

161 lines
5.2 KiB
Raw Blame History 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/rand.h>

  16. 

  17. #include <string.h>

  18. 

  19. #include <openssl/mem.h>

  20. 

  21. #include "internal.h"

  22. #include "../internal.h"

  23. 

  24. 

  25. /* It's assumed that the operating system always has an unfailing source of

  26.  * entropy which is accessed via |CRYPTO_sysrand|. (If the operating system

  27.  * entropy source fails, it's up to |CRYPTO_sysrand| to abort the process—we

  28.  * don't try to handle it.)

  29.  *

  30.  * In addition, the hardware may provide a low-latency RNG. Intel's rdrand

  31.  * instruction is the canonical example of this. When a hardware RNG is

  32.  * available we don't need to worry about an RNG failure arising from fork()ing

  33.  * the process or moving a VM, so we can keep thread-local RNG state and XOR

  34.  * the hardware entropy in.

  35.  *

  36.  * (We assume that the OS entropy is safe from fork()ing and VM duplication.

  37.  * This might be a bit of a leap of faith, esp on Windows, but there's nothing

  38.  * that we can do about it.) */

  39. 

  40. /* rand_thread_state contains the per-thread state for the RNG. This is only

  41.  * used if the system has support for a hardware RNG. */

  42. struct rand_thread_state {

  43.   uint8_t key[32];

  44.   uint64_t calls_used;

  45.   size_t bytes_used;

  46.   uint8_t partial_block[64];

  47.   unsigned partial_block_used;

  48. };

  49. 

  50. /* kMaxCallsPerRefresh is the maximum number of |RAND_bytes| calls that we'll

  51.  * serve before reading a new key from the operating system. This only applies

  52.  * if we have a hardware RNG. */

  53. static const unsigned kMaxCallsPerRefresh = 1024;

  54. 

  55. /* kMaxBytesPerRefresh is the maximum number of bytes that we'll return from

  56.  * |RAND_bytes| before reading a new key from the operating system. This only

  57.  * applies if we have a hardware RNG. */

  58. static const uint64_t kMaxBytesPerRefresh = 1024 * 1024;

  59. 

  60. /* rand_thread_state_free frees a |rand_thread_state|. This is called when a

  61.  * thread exits. */

  62. static void rand_thread_state_free(void *state) {

  63.   if (state == NULL) {

  64.     return;

  65.   }

  66. 

  67.   OPENSSL_cleanse(state, sizeof(struct rand_thread_state));

  68.   OPENSSL_free(state);

  69. }

  70. 

  71. extern void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,

  72.                              const uint8_t key[32], const uint8_t nonce[8],

  73.                              size_t counter);

  74. 

  75. int RAND_bytes(uint8_t *buf, size_t len) {

  76.   if (len == 0) {

  77.     return 1;

  78.   }

  79. 

  80.   if (!CRYPTO_have_hwrand()) {

  81.     /* Without a hardware RNG to save us from address-space duplication, the OS

  82.      * entropy is used directly. */

  83.     CRYPTO_sysrand(buf, len);

  84.     return 1;

  85.   }

  86. 

  87.   struct rand_thread_state *state =

  88.       CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_RAND);

  89.   if (state == NULL) {

  90.     state = OPENSSL_malloc(sizeof(struct rand_thread_state));

  91.     if (state == NULL ||

  92.         !CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_RAND, state,

  93.                                  rand_thread_state_free)) {

  94.       CRYPTO_sysrand(buf, len);

  95.       return 1;

  96.     }

  97. 

  98.     state->calls_used = kMaxCallsPerRefresh;

  99.   }

  100. 

  101.   if (state->calls_used >= kMaxCallsPerRefresh ||

  102.       state->bytes_used >= kMaxBytesPerRefresh) {

  103.     CRYPTO_sysrand(state->key, sizeof(state->key));

  104.     state->calls_used = 0;

  105.     state->bytes_used = 0;

  106.     state->partial_block_used = sizeof(state->partial_block);

  107.   }

  108. 

  109.   CRYPTO_hwrand(buf, len);

  110. 

  111.   if (len >= sizeof(state->partial_block)) {

  112.     size_t remaining = len;

  113.     while (remaining > 0) {

  114.       // kMaxBytesPerCall is only 2GB, while ChaCha can handle 256GB. But this

  115.       // is sufficient and easier on 32-bit.

  116.       static const size_t kMaxBytesPerCall = 0x80000000;

  117.       size_t todo = remaining;

  118.       if (todo > kMaxBytesPerCall) {

  119.         todo = kMaxBytesPerCall;

  120.       }

  121.       CRYPTO_chacha_20(buf, buf, todo, state->key,

  122.                        (uint8_t *)&state->calls_used, 0);

  123.       buf += todo;

  124.       remaining -= todo;

  125.       state->calls_used++;

  126.     }

  127.   } else {

  128.     if (sizeof(state->partial_block) - state->partial_block_used < len) {

  129.       CRYPTO_chacha_20(state->partial_block, state->partial_block,

  130.                        sizeof(state->partial_block), state->key,

  131.                        (uint8_t *)&state->calls_used, 0);

  132.       state->partial_block_used = 0;

  133.     }

  134. 

  135.     unsigned i;

  136.     for (i = 0; i < len; i++) {

  137.       buf[i] ^= state->partial_block[state->partial_block_used++];

  138.     }

  139.     state->calls_used++;

  140.   }

  141.   state->bytes_used += len;

  142. 

  143.   return 1;

  144. }

  145. 

  146. int RAND_pseudo_bytes(uint8_t *buf, size_t len) {

  147.   return RAND_bytes(buf, len);

  148. }

  149. 

  150. void RAND_seed(const void *buf, int num) {}

  151. 

  152. void RAND_add(const void *buf, int num, double entropy) {}

  153. 

  154. int RAND_poll(void) {

  155.   return 1;

  156. }

  157. 

  158. int RAND_status(void) {

  159.   return 1;

  160. }