2017-11-01 12:32:13 -07:00
|
|
|
pub fn hashmap_random_keys() -> (u64, u64) {
|
2022-08-08 18:49:12 -07:00
|
|
|
const KEY_LEN: usize = core::mem::size_of::<u64>();
|
|
|
|
|
|
|
|
|
|
let mut v = [0u8; KEY_LEN * 2];
|
|
|
|
|
imp::fill_bytes(&mut v);
|
|
|
|
|
|
|
|
|
|
let key1 = v[0..KEY_LEN].try_into().unwrap();
|
|
|
|
|
let key2 = v[KEY_LEN..].try_into().unwrap();
|
|
|
|
|
|
|
|
|
|
(u64::from_ne_bytes(key1), u64::from_ne_bytes(key2))
|
2016-07-29 07:48:52 +00:00
|
|
|
}
|
|
|
|
|
|
2019-11-27 10:28:39 -08:00
|
|
|
#[cfg(all(
|
|
|
|
|
unix,
|
2020-03-21 13:47:01 +09:00
|
|
|
not(target_os = "macos"),
|
2019-11-27 10:28:39 -08:00
|
|
|
not(target_os = "ios"),
|
2022-03-23 16:05:01 +00:00
|
|
|
not(target_os = "watchos"),
|
2019-11-27 10:28:39 -08:00
|
|
|
not(target_os = "openbsd"),
|
|
|
|
|
not(target_os = "freebsd"),
|
|
|
|
|
not(target_os = "netbsd"),
|
|
|
|
|
not(target_os = "fuchsia"),
|
2021-04-12 05:58:30 +02:00
|
|
|
not(target_os = "redox"),
|
|
|
|
|
not(target_os = "vxworks")
|
2019-11-27 10:28:39 -08:00
|
|
|
))]
|
2014-03-19 17:53:57 -07:00
|
|
|
mod imp {
|
2019-02-11 04:23:21 +09:00
|
|
|
use crate::fs::File;
|
|
|
|
|
use crate::io::Read;
|
2018-08-26 21:13:44 +02:00
|
|
|
|
2021-07-05 20:28:10 -07:00
|
|
|
#[cfg(any(target_os = "linux", target_os = "android"))]
|
|
|
|
|
use crate::sys::weak::syscall;
|
|
|
|
|
|
2017-11-09 18:49:29 -02:00
|
|
|
#[cfg(any(target_os = "linux", target_os = "android"))]
|
2020-11-05 12:38:09 -08:00
|
|
|
fn getrandom(buf: &mut [u8]) -> libc::ssize_t {
|
Use GRND_INSECURE instead of /dev/urandom when possible
From reading the source code, it appears like the desired semantic of
std::unix::rand is to always provide some bytes and never block. For
that reason GRND_NONBLOCK is checked before calling getrandom(0), so
that getrandom(0) won't block. If it would block, then the function
falls back to using /dev/urandom, which for the time being doesn't
block. There are some drawbacks to using /dev/urandom, however, and so
getrandom(GRND_INSECURE) was created as a replacement for this exact
circumstance.
getrandom(GRND_INSECURE) is the same as /dev/urandom, except:
- It won't leave a warning in dmesg if used at early boot time, which is
a common occurance (and the reason why I found this issue);
- It won't introduce a tiny delay at early boot on newer kernels when
/dev/urandom tries to opportunistically create jitter entropy;
- It only requires 1 syscall, rather than 3.
Other than that, it returns the same "quality" of randomness as
/dev/urandom, and never blocks.
It's only available on kernels ≥5.6, so we try to use it, cache the
result of that attempt, and fall back to to the previous code if it
didn't work.
2022-04-08 22:09:44 +02:00
|
|
|
use crate::sync::atomic::{AtomicBool, Ordering};
|
|
|
|
|
use crate::sys::os::errno;
|
|
|
|
|
|
2020-11-05 12:38:09 -08:00
|
|
|
// A weak symbol allows interposition, e.g. for perf measurements that want to
|
|
|
|
|
// disable randomness for consistency. Otherwise, we'll try a raw syscall.
|
|
|
|
|
// (`getrandom` was added in glibc 2.25, musl 1.1.20, android API level 28)
|
2020-11-05 14:08:42 -08:00
|
|
|
syscall! {
|
2020-11-05 12:38:09 -08:00
|
|
|
fn getrandom(
|
|
|
|
|
buffer: *mut libc::c_void,
|
|
|
|
|
length: libc::size_t,
|
|
|
|
|
flags: libc::c_uint
|
|
|
|
|
) -> libc::ssize_t
|
2014-11-06 03:53:27 +09:00
|
|
|
}
|
2020-11-05 12:38:09 -08:00
|
|
|
|
Use GRND_INSECURE instead of /dev/urandom when possible
From reading the source code, it appears like the desired semantic of
std::unix::rand is to always provide some bytes and never block. For
that reason GRND_NONBLOCK is checked before calling getrandom(0), so
that getrandom(0) won't block. If it would block, then the function
falls back to using /dev/urandom, which for the time being doesn't
block. There are some drawbacks to using /dev/urandom, however, and so
getrandom(GRND_INSECURE) was created as a replacement for this exact
circumstance.
getrandom(GRND_INSECURE) is the same as /dev/urandom, except:
- It won't leave a warning in dmesg if used at early boot time, which is
a common occurance (and the reason why I found this issue);
- It won't introduce a tiny delay at early boot on newer kernels when
/dev/urandom tries to opportunistically create jitter entropy;
- It only requires 1 syscall, rather than 3.
Other than that, it returns the same "quality" of randomness as
/dev/urandom, and never blocks.
It's only available on kernels ≥5.6, so we try to use it, cache the
result of that attempt, and fall back to to the previous code if it
didn't work.
2022-04-08 22:09:44 +02:00
|
|
|
// This provides the best quality random numbers available at the given moment
|
|
|
|
|
// without ever blocking, and is preferable to falling back to /dev/urandom.
|
|
|
|
|
static GRND_INSECURE_AVAILABLE: AtomicBool = AtomicBool::new(true);
|
|
|
|
|
if GRND_INSECURE_AVAILABLE.load(Ordering::Relaxed) {
|
|
|
|
|
let ret = unsafe { getrandom(buf.as_mut_ptr().cast(), buf.len(), libc::GRND_INSECURE) };
|
|
|
|
|
if ret == -1 && errno() as libc::c_int == libc::EINVAL {
|
|
|
|
|
GRND_INSECURE_AVAILABLE.store(false, Ordering::Relaxed);
|
|
|
|
|
} else {
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-05 12:38:09 -08:00
|
|
|
unsafe { getrandom(buf.as_mut_ptr().cast(), buf.len(), libc::GRND_NONBLOCK) }
|
2014-11-06 03:53:27 +09:00
|
|
|
}
|
|
|
|
|
|
2021-10-19 17:59:59 +02:00
|
|
|
#[cfg(any(target_os = "espidf", target_os = "horizon"))]
|
2021-07-29 20:18:22 +03:00
|
|
|
fn getrandom(buf: &mut [u8]) -> libc::ssize_t {
|
|
|
|
|
unsafe { libc::getrandom(buf.as_mut_ptr().cast(), buf.len(), 0) }
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-19 17:59:59 +02:00
|
|
|
#[cfg(not(any(
|
|
|
|
|
target_os = "linux",
|
|
|
|
|
target_os = "android",
|
|
|
|
|
target_os = "espidf",
|
|
|
|
|
target_os = "horizon"
|
|
|
|
|
)))]
|
2019-11-27 10:28:39 -08:00
|
|
|
fn getrandom_fill_bytes(_buf: &mut [u8]) -> bool {
|
|
|
|
|
false
|
|
|
|
|
}
|
2014-11-06 03:53:27 +09:00
|
|
|
|
2021-10-19 17:59:59 +02:00
|
|
|
#[cfg(any(
|
|
|
|
|
target_os = "linux",
|
|
|
|
|
target_os = "android",
|
|
|
|
|
target_os = "espidf",
|
|
|
|
|
target_os = "horizon"
|
|
|
|
|
))]
|
2017-11-01 12:32:13 -07:00
|
|
|
fn getrandom_fill_bytes(v: &mut [u8]) -> bool {
|
2019-02-11 04:23:21 +09:00
|
|
|
use crate::sync::atomic::{AtomicBool, Ordering};
|
|
|
|
|
use crate::sys::os::errno;
|
2018-08-29 22:30:29 +02:00
|
|
|
|
|
|
|
|
static GETRANDOM_UNAVAILABLE: AtomicBool = AtomicBool::new(false);
|
|
|
|
|
if GETRANDOM_UNAVAILABLE.load(Ordering::Relaxed) {
|
2018-08-26 21:13:44 +02:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2014-11-06 03:53:27 +09:00
|
|
|
let mut read = 0;
|
2015-12-17 00:36:31 -05:00
|
|
|
while read < v.len() {
|
2015-01-17 16:15:52 -08:00
|
|
|
let result = getrandom(&mut v[read..]);
|
2014-11-06 03:53:27 +09:00
|
|
|
if result == -1 {
|
|
|
|
|
let err = errno() as libc::c_int;
|
|
|
|
|
if err == libc::EINTR {
|
|
|
|
|
continue;
|
2019-05-01 22:23:07 +02:00
|
|
|
} else if err == libc::ENOSYS || err == libc::EPERM {
|
|
|
|
|
// Fall back to reading /dev/urandom if `getrandom` is not
|
|
|
|
|
// supported on the current kernel.
|
|
|
|
|
//
|
|
|
|
|
// Also fall back in case it is disabled by something like
|
|
|
|
|
// seccomp or inside of virtual machines.
|
2018-08-26 21:13:44 +02:00
|
|
|
GETRANDOM_UNAVAILABLE.store(true, Ordering::Relaxed);
|
2018-09-02 00:19:11 +02:00
|
|
|
return false;
|
2016-04-16 15:25:56 -05:00
|
|
|
} else if err == libc::EAGAIN {
|
2018-08-26 21:13:44 +02:00
|
|
|
return false;
|
2014-11-06 03:53:27 +09:00
|
|
|
} else {
|
2022-02-12 23:16:17 +04:00
|
|
|
panic!("unexpected getrandom error: {err}");
|
2014-11-06 03:53:27 +09:00
|
|
|
}
|
|
|
|
|
} else {
|
2015-01-26 19:48:29 -05:00
|
|
|
read += result as usize;
|
2014-11-06 03:53:27 +09:00
|
|
|
}
|
|
|
|
|
}
|
2018-08-26 21:13:44 +02:00
|
|
|
true
|
2014-11-06 03:53:27 +09:00
|
|
|
}
|
|
|
|
|
|
2017-11-01 12:32:13 -07:00
|
|
|
pub fn fill_bytes(v: &mut [u8]) {
|
|
|
|
|
// getrandom_fill_bytes here can fail if getrandom() returns EAGAIN,
|
|
|
|
|
// meaning it would have blocked because the non-blocking pool (urandom)
|
2018-08-26 21:13:44 +02:00
|
|
|
// has not initialized in the kernel yet due to a lack of entropy. The
|
2017-11-01 12:32:13 -07:00
|
|
|
// fallback we do here is to avoid blocking applications which could
|
|
|
|
|
// depend on this call without ever knowing they do and don't have a
|
2018-08-26 21:13:44 +02:00
|
|
|
// work around. The PRNG of /dev/urandom will still be used but over a
|
|
|
|
|
// possibly predictable entropy pool.
|
|
|
|
|
if getrandom_fill_bytes(v) {
|
|
|
|
|
return;
|
2014-03-19 17:53:57 -07:00
|
|
|
}
|
2013-09-22 20:51:57 +10:00
|
|
|
|
2018-08-29 22:30:29 +02:00
|
|
|
// getrandom failed because it is permanently or temporarily (because
|
|
|
|
|
// of missing entropy) unavailable. Open /dev/urandom, read from it,
|
|
|
|
|
// and close it again.
|
|
|
|
|
let mut file = File::open("/dev/urandom").expect("failed to open /dev/urandom");
|
|
|
|
|
file.read_exact(v).expect("failed to read /dev/urandom")
|
2020-03-21 13:47:01 +09:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[cfg(target_os = "macos")]
|
|
|
|
|
mod imp {
|
|
|
|
|
use crate::fs::File;
|
|
|
|
|
use crate::io::Read;
|
|
|
|
|
use crate::sys::os::errno;
|
2021-07-05 20:28:10 -07:00
|
|
|
use crate::sys::weak::weak;
|
2020-03-21 13:47:01 +09:00
|
|
|
use libc::{c_int, c_void, size_t};
|
|
|
|
|
|
|
|
|
|
fn getentropy_fill_bytes(v: &mut [u8]) -> bool {
|
|
|
|
|
weak!(fn getentropy(*mut c_void, size_t) -> c_int);
|
|
|
|
|
|
|
|
|
|
getentropy
|
|
|
|
|
.get()
|
|
|
|
|
.map(|f| {
|
|
|
|
|
// getentropy(2) permits a maximum buffer size of 256 bytes
|
|
|
|
|
for s in v.chunks_mut(256) {
|
|
|
|
|
let ret = unsafe { f(s.as_mut_ptr() as *mut c_void, s.len()) };
|
|
|
|
|
if ret == -1 {
|
|
|
|
|
panic!("unexpected getentropy error: {}", errno());
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
true
|
|
|
|
|
})
|
|
|
|
|
.unwrap_or(false)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn fill_bytes(v: &mut [u8]) {
|
|
|
|
|
if getentropy_fill_bytes(v) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// for older macos which doesn't support getentropy
|
|
|
|
|
let mut file = File::open("/dev/urandom").expect("failed to open /dev/urandom");
|
|
|
|
|
file.read_exact(v).expect("failed to read /dev/urandom")
|
2013-09-22 20:51:57 +10:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-16 21:54:16 -05:00
|
|
|
#[cfg(target_os = "openbsd")]
|
|
|
|
|
mod imp {
|
2019-02-11 04:23:21 +09:00
|
|
|
use crate::sys::os::errno;
|
2015-12-16 21:54:16 -05:00
|
|
|
|
2017-11-01 12:32:13 -07:00
|
|
|
pub fn fill_bytes(v: &mut [u8]) {
|
|
|
|
|
// getentropy(2) permits a maximum buffer size of 256 bytes
|
|
|
|
|
for s in v.chunks_mut(256) {
|
2019-11-27 10:28:39 -08:00
|
|
|
let ret = unsafe { libc::getentropy(s.as_mut_ptr() as *mut libc::c_void, s.len()) };
|
2017-11-01 12:32:13 -07:00
|
|
|
if ret == -1 {
|
|
|
|
|
panic!("unexpected getentropy error: {}", errno());
|
2015-12-16 21:54:16 -05:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-11 13:47:27 +01:00
|
|
|
// On iOS and MacOS `SecRandomCopyBytes` calls `CCRandomCopyBytes` with
|
|
|
|
|
// `kCCRandomDefault`. `CCRandomCopyBytes` manages a CSPRNG which is seeded
|
|
|
|
|
// from `/dev/random` and which runs on its own thread accessed via GCD.
|
|
|
|
|
// This seems needlessly heavyweight for the purposes of generating two u64s
|
|
|
|
|
// once per thread in `hashmap_random_keys`. Therefore `SecRandomCopyBytes` is
|
|
|
|
|
// only used on iOS where direct access to `/dev/urandom` is blocked by the
|
|
|
|
|
// sandbox.
|
2022-03-23 16:05:01 +00:00
|
|
|
#[cfg(any(target_os = "ios", target_os = "watchos"))]
|
2014-05-05 10:07:49 +03:00
|
|
|
mod imp {
|
2019-02-11 04:23:21 +09:00
|
|
|
use crate::io;
|
|
|
|
|
use crate::ptr;
|
2015-08-11 14:52:22 -05:00
|
|
|
use libc::{c_int, size_t};
|
2014-05-05 10:07:49 +03:00
|
|
|
|
2015-08-05 17:50:18 -04:00
|
|
|
enum SecRandom {}
|
2014-05-05 10:07:49 +03:00
|
|
|
|
2014-10-27 15:37:07 -07:00
|
|
|
#[allow(non_upper_case_globals)]
|
2015-09-03 09:49:50 +03:00
|
|
|
const kSecRandomDefault: *const SecRandom = ptr::null();
|
2014-05-05 10:07:49 +03:00
|
|
|
|
2019-11-27 10:28:39 -08:00
|
|
|
extern "C" {
|
|
|
|
|
fn SecRandomCopyBytes(rnd: *const SecRandom, count: size_t, bytes: *mut u8) -> c_int;
|
2014-05-05 10:07:49 +03:00
|
|
|
}
|
|
|
|
|
|
2017-11-01 12:32:13 -07:00
|
|
|
pub fn fill_bytes(v: &mut [u8]) {
|
2019-11-27 10:28:39 -08:00
|
|
|
let ret = unsafe { SecRandomCopyBytes(kSecRandomDefault, v.len(), v.as_mut_ptr()) };
|
2017-11-01 12:32:13 -07:00
|
|
|
if ret == -1 {
|
2019-11-27 10:28:39 -08:00
|
|
|
panic!("couldn't generate random bytes: {}", io::Error::last_os_error());
|
2014-05-05 10:07:49 +03:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-08-14 08:27:11 +00:00
|
|
|
|
2019-11-04 17:34:29 +00:00
|
|
|
#[cfg(any(target_os = "freebsd", target_os = "netbsd"))]
|
2016-08-14 08:27:11 +00:00
|
|
|
mod imp {
|
2019-02-11 04:23:21 +09:00
|
|
|
use crate::ptr;
|
2016-08-14 08:27:11 +00:00
|
|
|
|
2017-11-01 12:32:13 -07:00
|
|
|
pub fn fill_bytes(v: &mut [u8]) {
|
|
|
|
|
let mib = [libc::CTL_KERN, libc::KERN_ARND];
|
|
|
|
|
// kern.arandom permits a maximum buffer size of 256 bytes
|
|
|
|
|
for s in v.chunks_mut(256) {
|
|
|
|
|
let mut s_len = s.len();
|
|
|
|
|
let ret = unsafe {
|
2019-11-27 10:28:39 -08:00
|
|
|
libc::sysctl(
|
|
|
|
|
mib.as_ptr(),
|
|
|
|
|
mib.len() as libc::c_uint,
|
|
|
|
|
s.as_mut_ptr() as *mut _,
|
|
|
|
|
&mut s_len,
|
|
|
|
|
ptr::null(),
|
|
|
|
|
0,
|
|
|
|
|
)
|
2017-11-01 12:32:13 -07:00
|
|
|
};
|
|
|
|
|
if ret == -1 || s_len != s.len() {
|
2019-11-27 10:28:39 -08:00
|
|
|
panic!(
|
|
|
|
|
"kern.arandom sysctl failed! (returned {}, s.len() {}, oldlenp {})",
|
|
|
|
|
ret,
|
|
|
|
|
s.len(),
|
|
|
|
|
s_len
|
|
|
|
|
);
|
2016-08-14 08:27:11 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-10-24 16:42:57 -07:00
|
|
|
|
|
|
|
|
#[cfg(target_os = "fuchsia")]
|
|
|
|
|
mod imp {
|
2017-09-15 12:38:08 -07:00
|
|
|
#[link(name = "zircon")]
|
2019-11-27 10:28:39 -08:00
|
|
|
extern "C" {
|
2018-06-27 08:56:19 -07:00
|
|
|
fn zx_cprng_draw(buffer: *mut u8, len: usize);
|
2016-10-24 16:42:57 -07:00
|
|
|
}
|
|
|
|
|
|
2017-11-01 12:32:13 -07:00
|
|
|
pub fn fill_bytes(v: &mut [u8]) {
|
2018-06-27 08:56:19 -07:00
|
|
|
unsafe { zx_cprng_draw(v.as_mut_ptr(), v.len()) }
|
2016-10-24 16:42:57 -07:00
|
|
|
}
|
|
|
|
|
}
|
2019-04-07 08:39:54 -06:00
|
|
|
|
|
|
|
|
#[cfg(target_os = "redox")]
|
|
|
|
|
mod imp {
|
|
|
|
|
use crate::fs::File;
|
|
|
|
|
use crate::io::Read;
|
|
|
|
|
|
|
|
|
|
pub fn fill_bytes(v: &mut [u8]) {
|
|
|
|
|
// Open rand:, read from it, and close it again.
|
|
|
|
|
let mut file = File::open("rand:").expect("failed to open rand:");
|
|
|
|
|
file.read_exact(v).expect("failed to read rand:")
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-04-12 05:58:30 +02:00
|
|
|
|
|
|
|
|
#[cfg(target_os = "vxworks")]
|
|
|
|
|
mod imp {
|
|
|
|
|
use crate::io;
|
|
|
|
|
use core::sync::atomic::{AtomicBool, Ordering::Relaxed};
|
|
|
|
|
|
|
|
|
|
pub fn fill_bytes(v: &mut [u8]) {
|
|
|
|
|
static RNG_INIT: AtomicBool = AtomicBool::new(false);
|
|
|
|
|
while !RNG_INIT.load(Relaxed) {
|
|
|
|
|
let ret = unsafe { libc::randSecure() };
|
|
|
|
|
if ret < 0 {
|
|
|
|
|
panic!("couldn't generate random bytes: {}", io::Error::last_os_error());
|
|
|
|
|
} else if ret > 0 {
|
|
|
|
|
RNG_INIT.store(true, Relaxed);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
unsafe { libc::usleep(10) };
|
|
|
|
|
}
|
|
|
|
|
let ret = unsafe {
|
|
|
|
|
libc::randABytes(v.as_mut_ptr() as *mut libc::c_uchar, v.len() as libc::c_int)
|
|
|
|
|
};
|
|
|
|
|
if ret < 0 {
|
|
|
|
|
panic!("couldn't generate random bytes: {}", io::Error::last_os_error());
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|