| 1 | //! Implementations that just need to read from a file | 
| 2 | use crate::Error; | 
|---|
| 3 | use core::{ | 
|---|
| 4 | ffi::c_void, | 
|---|
| 5 | mem::MaybeUninit, | 
|---|
| 6 | sync::atomic::{AtomicI32, Ordering}, | 
|---|
| 7 | }; | 
|---|
| 8 |  | 
|---|
| 9 | #[ cfg(not(any(target_os = "android", target_os = "linux")))] | 
|---|
| 10 | pub use crate::util::{inner_u32, inner_u64}; | 
|---|
| 11 |  | 
|---|
| 12 | #[ path= "../util_libc.rs"] | 
|---|
| 13 | pub(super) mod util_libc; | 
|---|
| 14 |  | 
|---|
/// For all platforms, we use `/dev/urandom` rather than `/dev/random`.
/// For more information see the linked man pages in lib.rs.
///   - On Linux, "/dev/urandom is preferred and sufficient in all use cases".
///   - On Redox, only /dev/urandom is provided.
///   - On AIX, /dev/urandom will "provide cryptographically secure output".
///   - On Haiku and QNX Neutrino they are identical.
// The slice is handed to `libc::open` as a C string, so it has to carry its own
// NUL terminator; `open_readonly` asserts that a zero byte is present.
// NOTE(review): the byte after `\0` is never read by `open()`; it looks like a
// rendering artifact of this listing -- confirm against the repository copy.
const FILE_PATH: &[u8] = b"/dev/urandom\0 ";

// File descriptor is a "nonnegative integer", so we can safely use negative sentinel values.
// `FD_UNINIT`: no descriptor is cached (initial state, and restored after a failed open).
// `FD_ONGOING_INIT`: one thread has claimed the open; other callers wait in `sync::wait`.
const FD_UNINIT: libc::c_int = -1;
const FD_ONGOING_INIT: libc::c_int = -2;

// In theory `libc::c_int` could be something other than `i32`, but for the
// targets we currently support that use `use_file`, it is always `i32`.
// If/when we add support for a target where that isn't the case, we may
// need to use a different atomic type or make other accommodations. The
// compiler will let us know if/when that is the case, because the
// `FD.store(fd)` would fail to compile.
//
// The opening of the file, by libc/libstd/etc. may write some unknown
// state into in-process memory. (Such state may include some sanitizer
// bookkeeping, or we might be operating in a unikernel-like environment
// where all the "kernel" file descriptor bookkeeping is done in our
// process.) `open_or_wait` stores into `FD` using `Ordering::Release` to
// ensure any such state is synchronized. `fill_inner` and `open_or_wait`
// load from `FD` with `Ordering::Acquire` to synchronize with it.
//
// NOTE(review): nothing in this file closes the cached descriptor or checks
// later that the number still refers to `/dev/urandom`; it is presumably meant
// to live for the whole process -- confirm.
static FD: AtomicI32 = AtomicI32::new(FD_UNINIT);
|---|
| 42 |  | 
|---|
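/// Fill `dest` with bytes read from the cached `/dev/urandom` descriptor.
///
/// The descriptor is opened lazily: when `FD` still holds one of the negative
/// sentinels, `open_or_wait` either performs the open or waits for the thread
/// that is doing so.
///
/// # Errors
/// Returns the error from `open_or_wait` if no descriptor could be obtained,
/// or the error reported by `util_libc::sys_fill_exact` for the read itself.
pub fn fill_inner(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
    // Acquire pairs with the Release store in `open_or_wait`.
    let mut fd = FD.load(Ordering::Acquire);
    if fd == FD_UNINIT || fd == FD_ONGOING_INIT {
        fd = open_or_wait()?;
    }
    // NOTE(review): the cached value is used as-is; nothing here re-checks that
    // the descriptor number still refers to `/dev/urandom` (for example after
    // unrelated code in the process closed it) -- confirm this is acceptable.
    //
    // SAFETY: the pointer and the length come from the same live, writable
    // slice, so `read` writes at most `buf.len()` bytes inside `buf`.
    util_libc::sys_fill_exact(dest, |buf: &mut [MaybeUninit<u8>]| unsafe {
        libc::read(fd, buf.as_mut_ptr().cast::<c_void>(), buf.len())
    })
}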
|---|
| 52 |  | 
|---|
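/// Open a file in read-only mode.
///
/// `path` is passed to `open(2)` as a C string, so it must contain its own NUL
/// terminator. The descriptor is opened with `O_CLOEXEC`, which keeps it from
/// being inherited across `exec`.
///
/// # Errors
/// Returns the OS error reported for `open`, except `EINTR`, which is retried.
///
/// # Panics
/// If `path` does not contain any zeros.
// TODO: Move `path` to `CStr` and use `CStr::from_bytes_until_nul` (MSRV 1.69)
// or C-string literals (MSRV 1.77) for statics
fn open_readonly(path: &[u8]) -> Result<libc::c_int, Error> {
    // Without a NUL inside the slice `open` would read past its end, so this
    // is a hard assert rather than a debug-only one.
    assert!(path.contains(&0));
    loop {
        // SAFETY: the assert above guarantees a NUL byte within `path`, so
        // `open` reads a terminated C string that lies inside the slice.
        let fd = unsafe {
            libc::open(
                path.as_ptr().cast::<libc::c_char>(),
                libc::O_RDONLY | libc::O_CLOEXEC,
            )
        };
        if fd >= 0 {
            return Ok(fd);
        }
        let err = util_libc::last_os_error();
        // We should try again if open() was interrupted.
        if err.raw_os_error() != Some(libc::EINTR) {
            return Err(err);
        }
    }
}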
|---|
| 78 |  | 
|---|
/// Return the shared descriptor, opening it if no other thread has done so.
///
/// Slow path of `fill_inner`. Exactly one caller moves `FD` from `FD_UNINIT`
/// to `FD_ONGOING_INIT` and performs the open; callers that observe
/// `FD_ONGOING_INIT` block in `sync::wait` and then re-read `FD`.
///
/// # Errors
/// Returns the error from `open_fd` to the caller that attempted the open.
/// `FD` is reset to `FD_UNINIT` in that case, so later callers retry.
#[cold]
fn open_or_wait() -> Result<libc::c_int, Error> {
    loop {
        match FD.load(Ordering::Acquire) {
            FD_UNINIT => {
                // Try to claim the initialization. The weak exchange may fail
                // even when `FD` is still `FD_UNINIT`; the loop re-reads `FD`.
                let res = FD.compare_exchange_weak(
                    FD_UNINIT,
                    FD_ONGOING_INIT,
                    Ordering::AcqRel,
                    Ordering::Relaxed,
                );
                if res.is_ok() {
                    break;
                }
            }
            FD_ONGOING_INIT => sync::wait(),
            // Any other value is taken to be an already opened descriptor.
            fd => return Ok(fd),
        }
    }

    // Only the thread that won the exchange above reaches this point.
    // NOTE(review): nothing resets `FD` if `open_fd` unwinds; with the
    // NUL-terminated constant paths used in this file the `assert!` in
    // `open_readonly` is not expected to fire -- confirm no other panic path.
    let res = open_fd();
    let val = match res {
        Ok(fd) => fd,
        // Publish "not initialized" again so a failed open is not sticky.
        Err(_) => FD_UNINIT,
    };
    FD.store(val, Ordering::Release);

    // On non-Linux targets `wait` is just 1 ms sleep,
    // so we don't need any explicit wake up in addition
    // to updating value of `FD`.
    #[cfg(any(target_os = "android", target_os = "linux"))]
    sync::wake();

    res
}
|---|
| 114 |  | 
|---|
/// Open the `FILE_PATH` device and return its descriptor.
///
/// On Linux and Android, `sync::wait_until_rng_ready` runs first and its error,
/// if any, is returned before the device is opened.
fn open_fd() -> Result<libc::c_int, Error> {
    #[cfg(any(target_os = "android", target_os = "linux"))]
    sync::wait_until_rng_ready()?;
    match open_readonly(FILE_PATH) {
        Ok(fd) => {
            // `open_readonly` only returns `Ok` for a non-negative descriptor.
            debug_assert!(fd >= 0);
            Ok(fd)
        }
        Err(err) => Err(err),
    }
}
|---|
| 122 |  | 
|---|
#[cfg(not(any(target_os = "android", target_os = "linux")))]
mod sync {
    /// Sleep 1 ms before checking `FD` again.
    ///
    /// On non-Linux targets the critical section only opens a file, which
    /// should not block, so in the unlikely contended case the waiting thread
    /// simply sleeps until the opening thread has stored its result.
    pub(super) fn wait() {
        // 1 ms expressed in nanoseconds.
        let request = libc::timespec {
            tv_sec: 0,
            tv_nsec: 1_000_000,
        };
        let mut remaining = libc::timespec {
            tv_sec: 0,
            tv_nsec: 0,
        };
        // An interrupted sleep is fine (the caller re-reads `FD` anyway), so
        // the return value is deliberately dropped.
        // SAFETY: both pointers refer to live `timespec` values on this stack frame.
        let _ = unsafe { libc::nanosleep(&request, &mut remaining) };
    }
}
|---|
| 145 |  | 
|---|
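#[cfg(any(target_os = "android", target_os = "linux"))]
mod sync {
    use super::{open_readonly, util_libc::last_os_error, Error, FD, FD_ONGOING_INIT};

    /// Wait for atomic `FD` to change value from `FD_ONGOING_INIT` to something else.
    ///
    /// Futex syscall with `FUTEX_WAIT` op puts the current thread to sleep
    /// until futex syscall with `FUTEX_WAKE` op gets executed for `FD`.
    /// No timeout is passed, so the sleep is unbounded. The caller re-reads
    /// `FD` after every return, so an early return is harmless.
    ///
    /// For more information read: https://www.man7.org/linux/man-pages/man2/futex.2.html
    pub(super) fn wait() {
        let op = libc::FUTEX_WAIT | libc::FUTEX_PRIVATE_FLAG;
        let timeout_ptr = core::ptr::null::<libc::timespec>();
        // SAFETY: `&FD` points to a static 32-bit atomic that lives for the
        // whole program, and a null timeout pointer is valid for `FUTEX_WAIT`.
        let ret = unsafe { libc::syscall(libc::SYS_futex, &FD, op, FD_ONGOING_INIT, timeout_ptr) };
        // FUTEX_WAIT returns 0 on wake-up, EAGAIN when `FD` no longer holds
        // `FD_ONGOING_INIT`, and EINTR when a signal interrupts the wait.
        // EINTR must not trip the assertion in debug builds.
        debug_assert!({
            match ret {
                0 => true,
                -1 => {
                    let errno = last_os_error().raw_os_error();
                    errno == Some(libc::EAGAIN) || errno == Some(libc::EINTR)
                }
                _ => false,
            }
        });
    }

    /// Wake up all threads which wait for value of atomic `FD` to change.
    pub(super) fn wake() {
        let op = libc::FUTEX_WAKE | libc::FUTEX_PRIVATE_FLAG;
        // `INT_MAX` is the maximum number of waiters to wake, i.e. all of them.
        // SAFETY: `&FD` points to a static 32-bit atomic that lives for the whole program.
        let ret = unsafe { libc::syscall(libc::SYS_futex, &FD, op, libc::INT_MAX) };
        debug_assert!(ret >= 0);
    }

    // Polls /dev/random to make sure it is ok to read from /dev/urandom.
    //
    // Polling avoids draining the estimated entropy from /dev/random;
    // short-lived processes reading even a single byte from /dev/random could
    // be problematic if they are being executed faster than entropy is being
    // collected.
    //
    // OTOH, reading a byte instead of polling is more compatible with
    // sandboxes that disallow `poll()` but which allow reading /dev/random,
    // e.g. sandboxes that assume that `poll()` is for network I/O. This way,
    // fewer applications will have to insert pre-sandbox-initialization logic.
    // Often (blocking) file I/O is not allowed in such early phases of an
    // application for performance and/or security reasons.
    //
    // It is hard to write a sandbox policy to support `libc::poll()` because
    // it may invoke the `poll`, `ppoll`, `ppoll_time64` (since Linux 5.1, with
    // newer versions of glibc), and/or (rarely, and probably only on ancient
    // systems) `select`, depending on the libc implementation (e.g. glibc vs
    // musl), libc version, potentially the kernel version at runtime, and/or
    // the target architecture.
    //
    // BoringSSL and libstd don't try to protect against insecure output from
    // `/dev/urandom`; they don't open `/dev/random` at all.
    //
    // OpenSSL uses `libc::select()` unless the `/dev/random` file descriptor
    // is too large; if it is too large then it does what we do here.
    //
    // libsodium uses `libc::poll` similarly to this.
    //
    // The descriptor opened here is separate from the cached `FD` and is
    // closed on both the success and the error path before returning.
    pub(super) fn wait_until_rng_ready() -> Result<(), Error> {
        // NOTE(review): the byte after `\0` is never read by `open()`; it looks
        // like a rendering artifact of this listing -- confirm.
        let fd = open_readonly(b"/dev/random\0 ")?;
        let mut pfd = libc::pollfd {
            fd,
            events: libc::POLLIN,
            revents: 0,
        };

        let res = loop {
            // A negative timeout means an infinite timeout.
            // SAFETY: `pfd` is one live `pollfd` and the count passed is 1.
            let res = unsafe { libc::poll(&mut pfd, 1, -1) };
            if res >= 0 {
                // We only used one fd, and cannot timeout.
                // NOTE(review): `pfd.revents` is not inspected, so a return
                // caused by an error or hang-up flag rather than `POLLIN`
                // would also count as ready -- confirm that is intended.
                debug_assert_eq!(res, 1);
                break Ok(());
            }
            let err = last_os_error();
            // Assuming that `poll` is called correctly,
            // on Linux it can return only EINTR and ENOMEM errors.
            match err.raw_os_error() {
                Some(libc::EINTR) => continue,
                _ => break Err(err),
            }
        };
        // SAFETY: `fd` came from `open_readonly` above and is used nowhere
        // else. The result of `close` is deliberately ignored.
        unsafe { libc::close(fd) };
        res
    }
}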
|---|
| 233 |  | 
|---|