1 | //! Implementations that just need to read from a file |
2 | use crate::Error; |
3 | use core::{ |
4 | ffi::c_void, |
5 | mem::MaybeUninit, |
6 | sync::atomic::{AtomicI32, Ordering}, |
7 | }; |
8 | |
9 | #[cfg (not(any(target_os = "android" , target_os = "linux" )))] |
10 | pub use crate::util::{inner_u32, inner_u64}; |
11 | |
12 | #[path = "../util_libc.rs" ] |
13 | pub(super) mod util_libc; |
14 | |
15 | /// For all platforms, we use `/dev/urandom` rather than `/dev/random`. |
16 | /// For more information see the linked man pages in lib.rs. |
17 | /// - On Linux, "/dev/urandom is preferred and sufficient in all use cases". |
18 | /// - On Redox, only /dev/urandom is provided. |
19 | /// - On AIX, /dev/urandom will "provide cryptographically secure output". |
20 | /// - On Haiku and QNX Neutrino they are identical. |
21 | const FILE_PATH: &[u8] = b"/dev/urandom \0" ; |
22 | |
23 | // File descriptor is a "nonnegative integer", so we can safely use negative sentinel values. |
24 | const FD_UNINIT: libc::c_int = -1; |
25 | const FD_ONGOING_INIT: libc::c_int = -2; |
26 | |
27 | // In theory `libc::c_int` could be something other than `i32`, but for the |
28 | // targets we currently support that use `use_file`, it is always `i32`. |
29 | // If/when we add support for a target where that isn't the case, we may |
30 | // need to use a different atomic type or make other accomodations. The |
31 | // compiler will let us know if/when that is the case, because the |
32 | // `FD.store(fd)` would fail to compile. |
33 | // |
34 | // The opening of the file, by libc/libstd/etc. may write some unknown |
35 | // state into in-process memory. (Such state may include some sanitizer |
36 | // bookkeeping, or we might be operating in a unikernal-like environment |
37 | // where all the "kernel" file descriptor bookkeeping is done in our |
38 | // process.) `get_fd_locked` stores into FD using `Ordering::Release` to |
39 | // ensure any such state is synchronized. `get_fd` loads from `FD` with |
40 | // `Ordering::Acquire` to synchronize with it. |
41 | static FD: AtomicI32 = AtomicI32::new(FD_UNINIT); |
42 | |
43 | pub fn fill_inner(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> { |
44 | let mut fd: i32 = FD.load(order:Ordering::Acquire); |
45 | if fd == FD_UNINIT || fd == FD_ONGOING_INIT { |
46 | fd = open_or_wait()?; |
47 | } |
48 | util_libc::sys_fill_exact(buf:dest, |buf: &mut [MaybeUninit]| unsafe { |
49 | libc::read(fd, buf.as_mut_ptr().cast::<c_void>(), count:buf.len()) |
50 | }) |
51 | } |
52 | |
53 | /// Open a file in read-only mode. |
54 | /// |
55 | /// # Panics |
56 | /// If `path` does not contain any zeros. |
57 | // TODO: Move `path` to `CStr` and use `CStr::from_bytes_until_nul` (MSRV 1.69) |
58 | // or C-string literals (MSRV 1.77) for statics |
59 | fn open_readonly(path: &[u8]) -> Result<libc::c_int, Error> { |
60 | assert!(path.iter().any(|&b| b == 0)); |
61 | loop { |
62 | let fd: i32 = unsafe { |
63 | libc::open( |
64 | path.as_ptr().cast::<libc::c_char>(), |
65 | oflag:libc::O_RDONLY | libc::O_CLOEXEC, |
66 | ) |
67 | }; |
68 | if fd >= 0 { |
69 | return Ok(fd); |
70 | } |
71 | let err: Error = util_libc::last_os_error(); |
72 | // We should try again if open() was interrupted. |
73 | if err.raw_os_error() != Some(libc::EINTR) { |
74 | return Err(err); |
75 | } |
76 | } |
77 | } |
78 | |
79 | #[cold ] |
80 | fn open_or_wait() -> Result<libc::c_int, Error> { |
81 | loop { |
82 | match FD.load(Ordering::Acquire) { |
83 | FD_UNINIT => { |
84 | let res = FD.compare_exchange_weak( |
85 | FD_UNINIT, |
86 | FD_ONGOING_INIT, |
87 | Ordering::AcqRel, |
88 | Ordering::Relaxed, |
89 | ); |
90 | if res.is_ok() { |
91 | break; |
92 | } |
93 | } |
94 | FD_ONGOING_INIT => sync::wait(), |
95 | fd => return Ok(fd), |
96 | } |
97 | } |
98 | |
99 | let res = open_fd(); |
100 | let val = match res { |
101 | Ok(fd) => fd, |
102 | Err(_) => FD_UNINIT, |
103 | }; |
104 | FD.store(val, Ordering::Release); |
105 | |
106 | // On non-Linux targets `wait` is just 1 ms sleep, |
107 | // so we don't need any explicit wake up in addition |
108 | // to updating value of `FD`. |
109 | #[cfg (any(target_os = "android" , target_os = "linux" ))] |
110 | sync::wake(); |
111 | |
112 | res |
113 | } |
114 | |
115 | fn open_fd() -> Result<libc::c_int, Error> { |
116 | #[cfg (any(target_os = "android" , target_os = "linux" ))] |
117 | sync::wait_until_rng_ready()?; |
118 | let fd: i32 = open_readonly(FILE_PATH)?; |
119 | debug_assert!(fd >= 0); |
120 | Ok(fd) |
121 | } |
122 | |
123 | #[cfg (not(any(target_os = "android" , target_os = "linux" )))] |
124 | mod sync { |
125 | /// Sleep 1 ms before checking `FD` again. |
126 | /// |
127 | /// On non-Linux targets the critical section only opens file, |
128 | /// which should not block, so in the unlikely contended case, |
129 | /// we can sleep-wait for the opening operation to finish. |
130 | pub(super) fn wait() { |
131 | let rqtp = libc::timespec { |
132 | tv_sec: 0, |
133 | tv_nsec: 1_000_000, |
134 | }; |
135 | let mut rmtp = libc::timespec { |
136 | tv_sec: 0, |
137 | tv_nsec: 0, |
138 | }; |
139 | // We do not care if sleep gets interrupted, so the return value is ignored |
140 | unsafe { |
141 | libc::nanosleep(&rqtp, &mut rmtp); |
142 | } |
143 | } |
144 | } |
145 | |
146 | #[cfg (any(target_os = "android" , target_os = "linux" ))] |
147 | mod sync { |
148 | use super::{open_readonly, util_libc::last_os_error, Error, FD, FD_ONGOING_INIT}; |
149 | |
150 | /// Wait for atomic `FD` to change value from `FD_ONGOING_INIT` to something else. |
151 | /// |
152 | /// Futex syscall with `FUTEX_WAIT` op puts the current thread to sleep |
153 | /// until futex syscall with `FUTEX_WAKE` op gets executed for `FD`. |
154 | /// |
155 | /// For more information read: https://www.man7.org/linux/man-pages/man2/futex.2.html |
156 | pub(super) fn wait() { |
157 | let op = libc::FUTEX_WAIT | libc::FUTEX_PRIVATE_FLAG; |
158 | let timeout_ptr = core::ptr::null::<libc::timespec>(); |
159 | let ret = unsafe { libc::syscall(libc::SYS_futex, &FD, op, FD_ONGOING_INIT, timeout_ptr) }; |
160 | // FUTEX_WAIT should return either 0 or EAGAIN error |
161 | debug_assert!({ |
162 | match ret { |
163 | 0 => true, |
164 | -1 => last_os_error().raw_os_error() == Some(libc::EAGAIN), |
165 | _ => false, |
166 | } |
167 | }); |
168 | } |
169 | |
170 | /// Wake up all threads which wait for value of atomic `FD` to change. |
171 | pub(super) fn wake() { |
172 | let op = libc::FUTEX_WAKE | libc::FUTEX_PRIVATE_FLAG; |
173 | let ret = unsafe { libc::syscall(libc::SYS_futex, &FD, op, libc::INT_MAX) }; |
174 | debug_assert!(ret >= 0); |
175 | } |
176 | |
177 | // Polls /dev/random to make sure it is ok to read from /dev/urandom. |
178 | // |
179 | // Polling avoids draining the estimated entropy from /dev/random; |
180 | // short-lived processes reading even a single byte from /dev/random could |
181 | // be problematic if they are being executed faster than entropy is being |
182 | // collected. |
183 | // |
184 | // OTOH, reading a byte instead of polling is more compatible with |
185 | // sandboxes that disallow `poll()` but which allow reading /dev/random, |
186 | // e.g. sandboxes that assume that `poll()` is for network I/O. This way, |
187 | // fewer applications will have to insert pre-sandbox-initialization logic. |
188 | // Often (blocking) file I/O is not allowed in such early phases of an |
189 | // application for performance and/or security reasons. |
190 | // |
191 | // It is hard to write a sandbox policy to support `libc::poll()` because |
192 | // it may invoke the `poll`, `ppoll`, `ppoll_time64` (since Linux 5.1, with |
193 | // newer versions of glibc), and/or (rarely, and probably only on ancient |
194 | // systems) `select`. depending on the libc implementation (e.g. glibc vs |
195 | // musl), libc version, potentially the kernel version at runtime, and/or |
196 | // the target architecture. |
197 | // |
198 | // BoringSSL and libstd don't try to protect against insecure output from |
199 | // `/dev/urandom'; they don't open `/dev/random` at all. |
200 | // |
201 | // OpenSSL uses `libc::select()` unless the `dev/random` file descriptor |
202 | // is too large; if it is too large then it does what we do here. |
203 | // |
204 | // libsodium uses `libc::poll` similarly to this. |
205 | pub(super) fn wait_until_rng_ready() -> Result<(), Error> { |
206 | let fd = open_readonly(b"/dev/random \0" )?; |
207 | let mut pfd = libc::pollfd { |
208 | fd, |
209 | events: libc::POLLIN, |
210 | revents: 0, |
211 | }; |
212 | |
213 | let res = loop { |
214 | // A negative timeout means an infinite timeout. |
215 | let res = unsafe { libc::poll(&mut pfd, 1, -1) }; |
216 | if res >= 0 { |
217 | // We only used one fd, and cannot timeout. |
218 | debug_assert_eq!(res, 1); |
219 | break Ok(()); |
220 | } |
221 | let err = last_os_error(); |
222 | // Assuming that `poll` is called correctly, |
223 | // on Linux it can return only EINTR and ENOMEM errors. |
224 | match err.raw_os_error() { |
225 | Some(libc::EINTR) => continue, |
226 | _ => break Err(err), |
227 | } |
228 | }; |
229 | unsafe { libc::close(fd) }; |
230 | res |
231 | } |
232 | } |
233 | |