Use getrandom on Linux when available.

briansmith · briansmith · commit 04622479188d · 2016-05-19T08:58:02.000-10:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -30,6 +30,7 @@ features = ["bigint"]
 
 [features]
 # These features are documented in the top-level module's documentation.
+disable_dev_urandom_fallback = []
 no_heap = []
 test_logging = []
 
diff --git a/crypto/rand/internal.h b/crypto/rand/internal.h
diff --git a/crypto/rand/sysrand.c b/crypto/rand/sysrand.c
@@ -12,8 +12,35 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
+/* Copyright 2016 Brian Smith.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#if defined(__linux__)
+#define _GNU_SOURCE
+#endif
+
 #include <openssl/rand.h>
 
+#include <assert.h>
+#include <stddef.h>
+
+/* CRYPTO_sysrand_chunk fills |len| bytes at |buf| with entropy from the
+ * operating system. |len| must be no more than |CRYPTO_sysrand_chunk_max_le|.
+ * It returns one on success, -1 if it failed because the operating system
+ * doesn't offer such an API, or zero otherwise. */
+int CRYPTO_sysrand_chunk(void *buf, size_t len);
+
 #if defined(OPENSSL_WINDOWS)
 
 #include <limits.h>
@@ -32,23 +59,51 @@
 
 #pragma warning(pop)
 
-#include "internal.h"
+const size_t CRYPTO_sysrand_chunk_max_len = ULONG_MAX;
 
+int CRYPTO_sysrand_chunk(void *out, size_t requested) {
+  assert(requested <= CRYPTO_sysrand_chunk_max_len);
+  return RtlGenRandom(out, (ULONG)requested) ? 1 : 0;
+}
 
-int CRYPTO_sysrand(void *out, size_t requested) {
-  while (requested > 0) {
-    ULONG output_bytes_this_pass = ULONG_MAX;
-    if (requested < output_bytes_this_pass) {
-      output_bytes_this_pass = requested;
-    }
-    if (!RtlGenRandom(out, output_bytes_this_pass)) {
-      return 0;
+#elif defined(__linux__)
+
+#include <errno.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+
+/* The getrandom syscall was added in Linux 3.17. For some important platforms,
+ * we also support building against older kernels' headers. For other
+ * platforms, the newer kernel's headers are required. */
+#if !defined(SYS_getrandom)
+#if defined(OPENSSL_AARCH64)
+#define SYS_getrandom 278
+#elif defined(OPENSSL_ARM)
+#define SYS_getrandom 384
+#elif defined(OPENSSL_X86)
+#define SYS_getrandom 355
+#elif defined(OPENSSL_X86_64)
+#define SYS_getrandom 318
+#else
+#error "Error: Kernel headers are too old; SYS_getrandom not defined."
+#endif
+#endif
+
+
+/* http://man7.org/linux/man-pages/man2/getrandom.2.html: "Calling
+ * getrandom() to read /dev/urandom for small values (<= 256) of buflen is
+ * the preferred mode of usage." */
+const size_t CRYPTO_sysrand_chunk_max_len = 256;
+
+int CRYPTO_sysrand_chunk(void *out, size_t requested) {
+  assert(requested <= CRYPTO_sysrand_chunk_max_len);
+  if (syscall(SYS_getrandom, out, requested, 0u) < 0) {
+    if (errno == ENOSYS) {
+      return -1;
     }
-    requested -= output_bytes_this_pass;
-    out = (uint8_t *)out + output_bytes_this_pass;
+    return 0;
   }
-
   return 1;
 }
 
-#endif  /* OPENSSL_WINDOWS */
+#endif
diff --git a/mk/ring.mk b/mk/ring.mk
@@ -52,6 +52,7 @@ RING_SRCS = $(addprefix $(RING_PREFIX), \
   crypto/mem.c \
   crypto/modes/gcm.c \
   crypto/poly1305/poly1305.c \
+  crypto/rand/sysrand.c \
   crypto/rsa/blinding.c \
   crypto/rsa/padding.c \
   crypto/rsa/rsa.c \
diff --git a/src/lib.rs b/src/lib.rs
@@ -19,6 +19,12 @@
 //! <table>
 //! <tr><th>Feature
 //!     <th>Description
+//! <tr><td><code>disable_dev_urandom_fallback</code>
+//!     <td><p>On Linux, by default, `ring::rand::SystemRandom` will fall back
+//!         to reading from `/dev/urandom` if the `getrandom()` syscall isn't
+//!         supported at runtime. When the `disable_dev_urandom_fallback`
+//!         feature is enabled, such fallback will not occur. See the
+//!         documentation for `rand::SystemRandom` for more details.
 //! <tr><td><code>no_heap</code>
 //!     <td>Disable all functionality that uses the heap. This is useful for
 //!         code running in kernel space and some embedded applications. The
diff --git a/src/rand.rs b/src/rand.rs
@@ -16,9 +16,6 @@
 
 #![allow(unsafe_code)]
 
-#[cfg(unix)]
-extern crate std;
-
 use c;
 use core;
 
@@ -31,16 +28,27 @@ pub trait SecureRandom {
 /// A secure random number generator where the random values come directly
 /// from the operating system.
 ///
-/// On "unix"-ish platforms, this is currently done by reading from
-/// `/dev/urandom`. A new file handle for `/dev/urandom/` is opened each time a
-/// `SystemRandom` is constructed and the file handle is closed each time.
+/// On non-Linux Unix-/Posix-ish platforms, `fill()` is currently always
+/// implemented by reading from `/dev/urandom`. (This is something that should
+/// be improved, at least for platforms that offer something better.)
+///
+/// On Linux, `fill()` will use the
+/// [`getrandom`](man7.org/linux/man-pages/man2/getrandom.2.html) syscall. If
+/// the kernel is too old to support `getrandom` then by default `fill()` falls
+/// back to reading from `/dev/urandom`. This decision is made the first time
+/// `fill` *succeeds*. The fallback to `/dev/urandom` can be disabled by
+/// disabling by enabling the *ring* crate's `disable_dev_urandom_fallback`
+/// feature; this should be done whenever the target system is known to support
+/// `getrandom`. Note that only application (binary) crates, and not library
+/// crates, should enable the `disable_dev_urandom_fallback` feature.
 ///
-/// On other platforms, this is done using the platform's API for secure random
-/// number generation.
+/// On Windows, `fill` is implemented done using the platform's API for secure
+/// random number generation.
 ///
-/// For efficiency's sake, it is recommend to create a single SystemRandom and
-/// then use it for all randomness generation, especially if the
-/// /dev/urandom-based `SystemRandom` implementation may be used.
+/// On Linux, to properly implement seccomp filtering when the
+/// `disable_dev_urandom_fallback` feature is enabled, allow `getrandom`
+/// through. Otherwise, allow file opening, `getrandom`, and `read` up until
+/// `fill()` succeeds. After that, allow `getrandom` and `read`.
 pub struct SystemRandom {
     impl_: Impl,
 }
@@ -60,13 +68,19 @@ impl SecureRandom for SystemRandom {
     }
 }
 
-#[cfg(unix)]
+#[cfg(not(any(target_os = "linux", windows)))]
 type Impl = self::urandom::DevURandom;
 
-#[cfg(windows)]
+#[cfg(any(all(target_os = "linux", feature = "disable_dev_urandom_fallback"),
+          windows))]
 type Impl = self::sysrand::Sysrand;
 
-#[cfg(unix)]
+#[cfg(all(target_os = "linux", not(feature = "disable_dev_urandom_fallback")))]
+type Impl = self::sysrand_or_urandom::SysRandOrDevURandom;
+
+#[cfg(all(unix,
+          not(all(target_os = "linux",
+                  feature = "disable_dev_urandom_fallback"))))]
 mod urandom {
     extern crate std;
 
@@ -92,9 +106,9 @@ mod urandom {
     }
 }
 
-#[cfg(windows)]
+#[cfg(any(target_os = "linux", windows))]
 mod sysrand {
-    use {bssl, c};
+    use bssl;
 
     pub struct Sysrand;
 
@@ -107,14 +121,70 @@ mod sysrand {
     impl super::SecureRandom for Sysrand {
         #[allow(unsafe_code)]
         fn fill(&mut self, dest: &mut [u8]) -> Result<(), ()> {
-            bssl::map_result(unsafe {
-                CRYPTO_sysrand(dest.as_mut_ptr(), dest.len())
-            })
+            for mut chunk in
+                    dest.chunks_mut(super::CRYPTO_sysrand_chunk_max_len) {
+                try!(bssl::map_result(unsafe {
+                    super::CRYPTO_sysrand_chunk(chunk.as_mut_ptr(), chunk.len())
+                }));
+            }
+            Ok(())
+        }
+    }
+}
+
+#[cfg(all(target_os = "linux", not(feature = "disable_dev_urandom_fallback")))]
+mod sysrand_or_urandom {
+    use core;
+    use super::{sysrand, urandom};
+
+    pub enum SysRandOrDevURandom {
+        Undecided,
+        Sysrand(sysrand::Sysrand),
+        DevURandom(urandom::DevURandom),
+    }
+
+    impl SysRandOrDevURandom {
+        pub fn new() -> Result<SysRandOrDevURandom, ()> {
+            Ok(SysRandOrDevURandom::Undecided)
         }
     }
 
-    extern {
-        fn CRYPTO_sysrand(buf: *mut u8, len: c::size_t) -> c::int;
+    impl super::SecureRandom for SysRandOrDevURandom {
+        fn fill(&mut self, dest: &mut [u8]) -> Result<(), ()> {
+            match self {
+                &mut SysRandOrDevURandom::Sysrand(ref mut i) => i.fill(dest),
+                &mut SysRandOrDevURandom::DevURandom(ref mut i) => i.fill(dest),
+                &mut SysRandOrDevURandom::Undecided => {
+                    let first_chunk_len =
+                        core::cmp::min(dest.len(),
+                                       super::CRYPTO_sysrand_chunk_max_len);
+                    match unsafe {
+                        super::CRYPTO_sysrand_chunk(dest.as_mut_ptr(),
+                                                    first_chunk_len)
+                    } {
+                        1 => {
+                            let _ = core::mem::replace(self,
+                                SysRandOrDevURandom::Sysrand(
+                                    try!(sysrand::Sysrand::new())));
+                            if first_chunk_len < dest.len() {
+                                self.fill(&mut dest[first_chunk_len..])
+                            } else {
+                                Ok(())
+                            }
+                        },
+                        -1 => {
+                            let _ = core::mem::replace(self,
+                                SysRandOrDevURandom::DevURandom(
+                                    try!(urandom::DevURandom::new())));
+                            self.fill(dest)
+                        },
+                        _ => {
+                            Err(())
+                        }
+                    }
+                }
+            }
+        }
     }
 }
 
@@ -138,3 +208,10 @@ pub unsafe extern fn RAND_bytes(rng: *mut RAND, dest: *mut u8,
         _ => 0
     }
 }
+
+
+#[cfg(any(target_os = "linux", windows))]
+extern {
+    pub static CRYPTO_sysrand_chunk_max_len: c::size_t;
+    pub fn CRYPTO_sysrand_chunk(buf: *mut u8, len: c::size_t) -> c::int;
+}
