boringssl/crypto/rand/urandom.c
Alessandro Ghedini 5e393fedef Test getrandom(2) on Linux if available
This patch changes the urandom PRNG to read one byte from the
getrandom(2) Linux syscall on initialization in order to find any
unexpected behavior.

Change-Id: I8ef676854dc361e4f77527b53d1a14fd14d449a8
Reviewed-on: https://boringssl-review.googlesource.com/8681
Reviewed-by: Adam Langley <alangley@gmail.com>
Commit-Queue: Adam Langley <alangley@gmail.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-10-27 23:12:10 +00:00

271 lines
6.9 KiB
C

/* Copyright (c) 2014, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#define _GNU_SOURCE /* needed for syscall() on Linux. */
#include <openssl/rand.h>
#if !defined(OPENSSL_WINDOWS) && !defined(BORINGSSL_UNSAFE_FUZZER_MODE)
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#if defined(OPENSSL_LINUX)
#include <sys/syscall.h>
#endif
#include <openssl/thread.h>
#include <openssl/mem.h>
#include "internal.h"
#include "../internal.h"
#if defined(OPENSSL_LINUX)
#if defined(OPENSSL_X86_64)
#define EXPECTED_SYS_getrandom 318
#elif defined(OPENSSL_X86)
#define EXPECTED_SYS_getrandom 355
#elif defined(OPENSSL_AARCH64)
#define EXPECTED_SYS_getrandom 278
#elif defined(OPENSSL_ARM)
#define EXPECTED_SYS_getrandom 384
#elif defined(OPENSSL_PPC64LE)
#define EXPECTED_SYS_getrandom 359
#endif
#if defined(EXPECTED_SYS_getrandom)
#define USE_SYS_getrandom
#if defined(SYS_getrandom)
#if SYS_getrandom != EXPECTED_SYS_getrandom
#error "system call number for getrandom is not the expected value"
#endif
#else /* SYS_getrandom */
#define SYS_getrandom EXPECTED_SYS_getrandom
#endif /* SYS_getrandom */
#endif /* EXPECTED_SYS_getrandom */
#if !defined(GRND_NONBLOCK)
#define GRND_NONBLOCK 1
#endif
#endif /* OPENSSL_LINUX */
/* This file implements a PRNG by reading from /dev/urandom, optionally with a
* buffer, which is unsafe across |fork|. */
#define BUF_SIZE 4096
/* rand_buffer contains unused, random bytes, some of which may have been
* consumed already. */
struct rand_buffer {
size_t used;
uint8_t rand[BUF_SIZE];
};
/* requested_lock is used to protect the |*_requested| variables. */
static struct CRYPTO_STATIC_MUTEX requested_lock = CRYPTO_STATIC_MUTEX_INIT;
/* urandom_fd_requested is set by |RAND_set_urandom_fd|. It's protected by
* |requested_lock|. */
static int urandom_fd_requested = -2;
/* urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|. */
static int urandom_fd = -2;
/* urandom_buffering_requested is set by |RAND_enable_fork_unsafe_buffering|.
* It's protected by |requested_lock|. */
static int urandom_buffering_requested = 0;
/* urandom_buffering controls whether buffering is enabled (1) or not (0). This
* is protected by |once|. */
static int urandom_buffering = 0;
static CRYPTO_once_t once = CRYPTO_ONCE_INIT;
/* init_once initializes the state of this module to values previously
* requested. This is the only function that modifies |urandom_fd| and
* |urandom_buffering|, whose values may be read safely after calling the
* once. */
static void init_once(void) {
CRYPTO_STATIC_MUTEX_lock_read(&requested_lock);
urandom_buffering = urandom_buffering_requested;
int fd = urandom_fd_requested;
CRYPTO_STATIC_MUTEX_unlock_read(&requested_lock);
#if defined(USE_SYS_getrandom)
/* Initial test of getrandom to find any unexpected behavior. */
uint8_t dummy;
syscall(SYS_getrandom, &dummy, sizeof(dummy), GRND_NONBLOCK);
#endif
if (fd == -2) {
do {
fd = open("/dev/urandom", O_RDONLY);
} while (fd == -1 && errno == EINTR);
}
if (fd < 0) {
abort();
}
int flags = fcntl(fd, F_GETFD);
if (flags == -1) {
/* Native Client doesn't implement |fcntl|. */
if (errno != ENOSYS) {
abort();
}
} else {
flags |= FD_CLOEXEC;
if (fcntl(fd, F_SETFD, flags) == -1) {
abort();
}
}
urandom_fd = fd;
}
void RAND_set_urandom_fd(int fd) {
fd = dup(fd);
if (fd < 0) {
abort();
}
CRYPTO_STATIC_MUTEX_lock_write(&requested_lock);
urandom_fd_requested = fd;
CRYPTO_STATIC_MUTEX_unlock_write(&requested_lock);
CRYPTO_once(&once, init_once);
if (urandom_fd != fd) {
abort(); // Already initialized.
}
}
void RAND_enable_fork_unsafe_buffering(int fd) {
if (fd >= 0) {
fd = dup(fd);
if (fd < 0) {
abort();
}
} else {
fd = -2;
}
CRYPTO_STATIC_MUTEX_lock_write(&requested_lock);
urandom_buffering_requested = 1;
urandom_fd_requested = fd;
CRYPTO_STATIC_MUTEX_unlock_write(&requested_lock);
CRYPTO_once(&once, init_once);
if (urandom_buffering != 1 || (fd >= 0 && urandom_fd != fd)) {
abort(); // Already initialized.
}
}
static struct rand_buffer *get_thread_local_buffer(void) {
struct rand_buffer *buf =
CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_URANDOM_BUF);
if (buf != NULL) {
return buf;
}
buf = OPENSSL_malloc(sizeof(struct rand_buffer));
if (buf == NULL) {
return NULL;
}
buf->used = BUF_SIZE; /* To trigger a |fill_with_entropy| on first use. */
if (!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_URANDOM_BUF, buf,
OPENSSL_free)) {
OPENSSL_free(buf);
return NULL;
}
return buf;
}
/* fill_with_entropy writes |len| bytes of entropy into |out|. It returns one
* on success and zero on error. */
static char fill_with_entropy(uint8_t *out, size_t len) {
ssize_t r;
while (len > 0) {
do {
r = read(urandom_fd, out, len);
} while (r == -1 && errno == EINTR);
if (r <= 0) {
return 0;
}
out += r;
len -= r;
}
return 1;
}
/* read_from_buffer reads |requested| random bytes from the buffer into |out|,
* refilling it if necessary to satisfy the request. */
static void read_from_buffer(struct rand_buffer *buf,
uint8_t *out, size_t requested) {
size_t remaining = BUF_SIZE - buf->used;
while (requested > remaining) {
memcpy(out, &buf->rand[buf->used], remaining);
buf->used += remaining;
out += remaining;
requested -= remaining;
if (!fill_with_entropy(buf->rand, BUF_SIZE)) {
abort();
return;
}
buf->used = 0;
remaining = BUF_SIZE;
}
memcpy(out, &buf->rand[buf->used], requested);
buf->used += requested;
}
/* CRYPTO_sysrand puts |requested| random bytes into |out|. */
void CRYPTO_sysrand(uint8_t *out, size_t requested) {
if (requested == 0) {
return;
}
CRYPTO_once(&once, init_once);
if (urandom_buffering && requested < BUF_SIZE) {
struct rand_buffer *buf = get_thread_local_buffer();
if (buf != NULL) {
read_from_buffer(buf, out, requested);
return;
}
}
if (!fill_with_entropy(out, requested)) {
abort();
}
}
#endif /* !OPENSSL_WINDOWS && !BORINGSSL_UNSAFE_FUZZER_MODE */