7b668a873e
This change will cause getrandom to be used in preference to /dev/urandom when supported by the kernel. This will also cause BoringSSL-using processes to block until the entropy pool is initialised on systems that support getrandom(2). Change-Id: I2d3a17891502c85884c77138ef0f3a719d7ecfe6 Reviewed-on: https://boringssl-review.googlesource.com/12421 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
315 lines
8.0 KiB
C
315 lines
8.0 KiB
C
/* Copyright (c) 2014, Google Inc.
|
|
*
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
|
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
|
|
|
#define _GNU_SOURCE /* needed for syscall() on Linux. */
|
|
|
|
#include <openssl/rand.h>
|
|
|
|
#if !defined(OPENSSL_WINDOWS) && !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
|
|
|
|
#include <assert.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
|
|
#if defined(OPENSSL_LINUX)
|
|
#include <sys/syscall.h>
|
|
#endif
|
|
|
|
#include <openssl/thread.h>
|
|
#include <openssl/mem.h>
|
|
|
|
#include "internal.h"
|
|
#include "../internal.h"
|
|
|
|
|
|
#if defined(OPENSSL_LINUX)
|
|
|
|
#if defined(OPENSSL_X86_64)
|
|
#define EXPECTED_SYS_getrandom 318
|
|
#elif defined(OPENSSL_X86)
|
|
#define EXPECTED_SYS_getrandom 355
|
|
#elif defined(OPENSSL_AARCH64)
|
|
#define EXPECTED_SYS_getrandom 278
|
|
#elif defined(OPENSSL_ARM)
|
|
#define EXPECTED_SYS_getrandom 384
|
|
#elif defined(OPENSSL_PPC64LE)
|
|
#define EXPECTED_SYS_getrandom 359
|
|
#endif
|
|
|
|
#if defined(EXPECTED_SYS_getrandom)
|
|
#define USE_SYS_getrandom
|
|
|
|
#if defined(SYS_getrandom)
|
|
|
|
#if SYS_getrandom != EXPECTED_SYS_getrandom
|
|
#error "system call number for getrandom is not the expected value"
|
|
#endif
|
|
|
|
#else /* SYS_getrandom */
|
|
|
|
#define SYS_getrandom EXPECTED_SYS_getrandom
|
|
|
|
#endif /* SYS_getrandom */
|
|
|
|
#endif /* EXPECTED_SYS_getrandom */
|
|
|
|
#if !defined(GRND_NONBLOCK)
|
|
#define GRND_NONBLOCK 1
|
|
#endif
|
|
|
|
#endif /* OPENSSL_LINUX */
|
|
|
|
/* This file implements a PRNG by reading from /dev/urandom, optionally with a
|
|
* buffer, which is unsafe across |fork|. */
|
|
|
|
#define BUF_SIZE 4096
|
|
|
|
/* rand_buffer contains unused, random bytes, some of which may have been
|
|
* consumed already. */
|
|
struct rand_buffer {
|
|
size_t used;
|
|
uint8_t rand[BUF_SIZE];
|
|
};
|
|
|
|
/* requested_lock is used to protect the |*_requested| variables. */
|
|
static struct CRYPTO_STATIC_MUTEX requested_lock = CRYPTO_STATIC_MUTEX_INIT;
|
|
|
|
/* The following constants are magic values of |urandom_fd|. */
|
|
static const int kUnset = -2;
|
|
static const int kHaveGetrandom = -3;
|
|
|
|
/* urandom_fd_requested is set by |RAND_set_urandom_fd|. It's protected by
|
|
* |requested_lock|. */
|
|
static int urandom_fd_requested = -2 /* kUnset */;
|
|
|
|
/* urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|. */
|
|
static int urandom_fd = -2 /* kUnset */;
|
|
|
|
/* urandom_buffering_requested is set by |RAND_enable_fork_unsafe_buffering|.
|
|
* It's protected by |requested_lock|. */
|
|
static int urandom_buffering_requested = 0;
|
|
|
|
/* urandom_buffering controls whether buffering is enabled (1) or not (0). This
|
|
* is protected by |once|. */
|
|
static int urandom_buffering = 0;
|
|
|
|
static CRYPTO_once_t once = CRYPTO_ONCE_INIT;
|
|
|
|
/* init_once initializes the state of this module to values previously
|
|
* requested. This is the only function that modifies |urandom_fd| and
|
|
* |urandom_buffering|, whose values may be read safely after calling the
|
|
* once. */
|
|
static void init_once(void) {
|
|
CRYPTO_STATIC_MUTEX_lock_read(&requested_lock);
|
|
urandom_buffering = urandom_buffering_requested;
|
|
int fd = urandom_fd_requested;
|
|
CRYPTO_STATIC_MUTEX_unlock_read(&requested_lock);
|
|
|
|
#if defined(USE_SYS_getrandom)
|
|
uint8_t dummy;
|
|
long getrandom_ret =
|
|
syscall(SYS_getrandom, &dummy, sizeof(dummy), GRND_NONBLOCK);
|
|
|
|
if (getrandom_ret == 1) {
|
|
urandom_fd = kHaveGetrandom;
|
|
return;
|
|
} else if (getrandom_ret == -1 && errno == EAGAIN) {
|
|
fprintf(stderr,
|
|
"getrandom indicates that the entropy pool has not been "
|
|
"initialized. Rather than continue with poor entropy, this process "
|
|
"will block until entropy is available.\n");
|
|
do {
|
|
getrandom_ret =
|
|
syscall(SYS_getrandom, &dummy, sizeof(dummy), 0 /* no flags */);
|
|
} while (getrandom_ret == -1 && errno == EINTR);
|
|
|
|
if (getrandom_ret == 1) {
|
|
urandom_fd = kHaveGetrandom;
|
|
return;
|
|
}
|
|
}
|
|
#endif /* USE_SYS_getrandom */
|
|
|
|
if (fd == kUnset) {
|
|
do {
|
|
fd = open("/dev/urandom", O_RDONLY);
|
|
} while (fd == -1 && errno == EINTR);
|
|
}
|
|
|
|
if (fd < 0) {
|
|
abort();
|
|
}
|
|
|
|
int flags = fcntl(fd, F_GETFD);
|
|
if (flags == -1) {
|
|
/* Native Client doesn't implement |fcntl|. */
|
|
if (errno != ENOSYS) {
|
|
abort();
|
|
}
|
|
} else {
|
|
flags |= FD_CLOEXEC;
|
|
if (fcntl(fd, F_SETFD, flags) == -1) {
|
|
abort();
|
|
}
|
|
}
|
|
urandom_fd = fd;
|
|
}
|
|
|
|
void RAND_set_urandom_fd(int fd) {
|
|
fd = dup(fd);
|
|
if (fd < 0) {
|
|
abort();
|
|
}
|
|
|
|
CRYPTO_STATIC_MUTEX_lock_write(&requested_lock);
|
|
urandom_fd_requested = fd;
|
|
CRYPTO_STATIC_MUTEX_unlock_write(&requested_lock);
|
|
|
|
CRYPTO_once(&once, init_once);
|
|
if (urandom_fd == kHaveGetrandom) {
|
|
close(fd);
|
|
} else if (urandom_fd != fd) {
|
|
abort(); // Already initialized.
|
|
}
|
|
}
|
|
|
|
void RAND_enable_fork_unsafe_buffering(int fd) {
|
|
if (fd >= 0) {
|
|
fd = dup(fd);
|
|
if (fd < 0) {
|
|
abort();
|
|
}
|
|
} else {
|
|
fd = kUnset;
|
|
}
|
|
|
|
CRYPTO_STATIC_MUTEX_lock_write(&requested_lock);
|
|
urandom_buffering_requested = 1;
|
|
urandom_fd_requested = fd;
|
|
CRYPTO_STATIC_MUTEX_unlock_write(&requested_lock);
|
|
|
|
CRYPTO_once(&once, init_once);
|
|
if (urandom_buffering != 1) {
|
|
abort(); // Already initialized
|
|
}
|
|
|
|
if (urandom_fd == kHaveGetrandom) {
|
|
if (fd >= 0) {
|
|
close(fd);
|
|
}
|
|
} else if (urandom_fd != fd) {
|
|
abort(); // Already initialized.
|
|
}
|
|
}
|
|
|
|
static struct rand_buffer *get_thread_local_buffer(void) {
|
|
struct rand_buffer *buf =
|
|
CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_URANDOM_BUF);
|
|
if (buf != NULL) {
|
|
return buf;
|
|
}
|
|
|
|
buf = OPENSSL_malloc(sizeof(struct rand_buffer));
|
|
if (buf == NULL) {
|
|
return NULL;
|
|
}
|
|
buf->used = BUF_SIZE; /* To trigger a |fill_with_entropy| on first use. */
|
|
if (!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_URANDOM_BUF, buf,
|
|
OPENSSL_free)) {
|
|
OPENSSL_free(buf);
|
|
return NULL;
|
|
}
|
|
|
|
return buf;
|
|
}
|
|
|
|
/* fill_with_entropy writes |len| bytes of entropy into |out|. It returns one
|
|
* on success and zero on error. */
|
|
static char fill_with_entropy(uint8_t *out, size_t len) {
|
|
ssize_t r;
|
|
|
|
while (len > 0) {
|
|
if (urandom_fd == kHaveGetrandom) {
|
|
#if defined(USE_SYS_getrandom)
|
|
do {
|
|
r = syscall(SYS_getrandom, out, len, 0 /* no flags */);
|
|
} while (r == -1 && errno == EINTR);
|
|
#else
|
|
abort();
|
|
#endif
|
|
} else {
|
|
do {
|
|
r = read(urandom_fd, out, len);
|
|
} while (r == -1 && errno == EINTR);
|
|
}
|
|
|
|
if (r <= 0) {
|
|
return 0;
|
|
}
|
|
out += r;
|
|
len -= r;
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
|
|
/* read_from_buffer reads |requested| random bytes from the buffer into |out|,
|
|
* refilling it if necessary to satisfy the request. */
|
|
static void read_from_buffer(struct rand_buffer *buf,
|
|
uint8_t *out, size_t requested) {
|
|
size_t remaining = BUF_SIZE - buf->used;
|
|
|
|
while (requested > remaining) {
|
|
memcpy(out, &buf->rand[buf->used], remaining);
|
|
buf->used += remaining;
|
|
out += remaining;
|
|
requested -= remaining;
|
|
|
|
if (!fill_with_entropy(buf->rand, BUF_SIZE)) {
|
|
abort();
|
|
return;
|
|
}
|
|
buf->used = 0;
|
|
remaining = BUF_SIZE;
|
|
}
|
|
|
|
memcpy(out, &buf->rand[buf->used], requested);
|
|
buf->used += requested;
|
|
}
|
|
|
|
/* CRYPTO_sysrand puts |requested| random bytes into |out|. */
|
|
void CRYPTO_sysrand(uint8_t *out, size_t requested) {
|
|
if (requested == 0) {
|
|
return;
|
|
}
|
|
|
|
CRYPTO_once(&once, init_once);
|
|
if (urandom_buffering && requested < BUF_SIZE) {
|
|
struct rand_buffer *buf = get_thread_local_buffer();
|
|
if (buf != NULL) {
|
|
read_from_buffer(buf, out, requested);
|
|
return;
|
|
}
|
|
}
|
|
|
|
if (!fill_with_entropy(out, requested)) {
|
|
abort();
|
|
}
|
|
}
|
|
|
|
#endif /* !OPENSSL_WINDOWS && !BORINGSSL_UNSAFE_DETERMINISTIC_MODE */
|