Diffstat (limited to 'src/crypto/fipsmodule/rand/rand.c')
-rw-r--r--src/crypto/fipsmodule/rand/rand.c122
1 files changed, 61 insertions, 61 deletions
diff --git a/src/crypto/fipsmodule/rand/rand.c b/src/crypto/fipsmodule/rand/rand.c
index 9480ddbb..dafc91f7 100644
--- a/src/crypto/fipsmodule/rand/rand.c
+++ b/src/crypto/fipsmodule/rand/rand.c
@@ -31,53 +31,53 @@
#include "../delocate.h"
-/* It's assumed that the operating system always has an unfailing source of
- * entropy which is accessed via |CRYPTO_sysrand|. (If the operating system
- * entropy source fails, it's up to |CRYPTO_sysrand| to abort the process—we
- * don't try to handle it.)
- *
- * In addition, the hardware may provide a low-latency RNG. Intel's rdrand
- * instruction is the canonical example of this. When a hardware RNG is
- * available we don't need to worry about an RNG failure arising from fork()ing
- * the process or moving a VM, so we can keep thread-local RNG state and use it
- * as an additional-data input to CTR-DRBG.
- *
- * (We assume that the OS entropy is safe from fork()ing and VM duplication.
- * This might be a bit of a leap of faith, esp on Windows, but there's nothing
- * that we can do about it.) */
-
-/* kReseedInterval is the number of generate calls made to CTR-DRBG before
- * reseeding. */
+// It's assumed that the operating system always has an unfailing source of
+// entropy which is accessed via |CRYPTO_sysrand|. (If the operating system
+// entropy source fails, it's up to |CRYPTO_sysrand| to abort the process—we
+// don't try to handle it.)
+//
+// In addition, the hardware may provide a low-latency RNG. Intel's rdrand
+// instruction is the canonical example of this. When a hardware RNG is
+// available we don't need to worry about an RNG failure arising from fork()ing
+// the process or moving a VM, so we can keep thread-local RNG state and use it
+// as an additional-data input to CTR-DRBG.
+//
+// (We assume that the OS entropy is safe from fork()ing and VM duplication.
+// This might be a bit of a leap of faith, esp on Windows, but there's nothing
+// that we can do about it.)
+
+// kReseedInterval is the number of generate calls made to CTR-DRBG before
+// reseeding.
static const unsigned kReseedInterval = 4096;
-/* CRNGT_BLOCK_SIZE is the number of bytes in a “block” for the purposes of the
- * continuous random number generator test in FIPS 140-2, section 4.9.2. */
+// CRNGT_BLOCK_SIZE is the number of bytes in a “block” for the purposes of the
+// continuous random number generator test in FIPS 140-2, section 4.9.2.
#define CRNGT_BLOCK_SIZE 16
-/* rand_thread_state contains the per-thread state for the RNG. */
+// rand_thread_state contains the per-thread state for the RNG.
struct rand_thread_state {
CTR_DRBG_STATE drbg;
- /* calls is the number of generate calls made on |drbg| since it was last
- * (re)seeded. This is bound by |kReseedInterval|. */
+ // calls is the number of generate calls made on |drbg| since it was last
+ // (re)seeded. This is bound by |kReseedInterval|.
unsigned calls;
- /* last_block_valid is non-zero iff |last_block| contains data from
- * |CRYPTO_sysrand|. */
+ // last_block_valid is non-zero iff |last_block| contains data from
+ // |CRYPTO_sysrand|.
int last_block_valid;
#if defined(BORINGSSL_FIPS)
- /* last_block contains the previous block from |CRYPTO_sysrand|. */
+ // last_block contains the previous block from |CRYPTO_sysrand|.
uint8_t last_block[CRNGT_BLOCK_SIZE];
- /* next and prev form a NULL-terminated, double-linked list of all states in
- * a process. */
+ // next and prev form a NULL-terminated, double-linked list of all states in
+ // a process.
struct rand_thread_state *next, *prev;
#endif
};
#if defined(BORINGSSL_FIPS)
-/* thread_states_list is the head of a linked-list of all |rand_thread_state|
- * objects in the process, one per thread. This is needed because FIPS requires
- * that they be zeroed on process exit, but thread-local destructors aren't
- * called when the whole process is exiting. */
+// thread_states_list is the head of a linked-list of all |rand_thread_state|
+// objects in the process, one per thread. This is needed because FIPS requires
+// that they be zeroed on process exit, but thread-local destructors aren't
+// called when the whole process is exiting.
DEFINE_BSS_GET(struct rand_thread_state *, thread_states_list);
DEFINE_STATIC_MUTEX(thread_states_list_lock);
@@ -88,13 +88,13 @@ static void rand_thread_state_clear_all(void) {
cur != NULL; cur = cur->next) {
CTR_DRBG_clear(&cur->drbg);
}
- /* |thread_states_list_lock is deliberately left locked so that any threads
- * that are still running will hang if they try to call |RAND_bytes|. */
+ // |thread_states_list_lock is deliberately left locked so that any threads
+ // that are still running will hang if they try to call |RAND_bytes|.
}
#endif
-/* rand_thread_state_free frees a |rand_thread_state|. This is called when a
- * thread exits. */
+// rand_thread_state_free frees a |rand_thread_state|. This is called when a
+// thread exits.
static void rand_thread_state_free(void *state_in) {
struct rand_thread_state *state = state_in;
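Review bot: The converted comment near the top of this hunk still has the unbalanced identifier `|thread_states_list_lock` — the closing `|` was already missing in the old `/* */` form and the mechanical rewrite carries it over. Since the commit is touching every comment anyway, this is the place to fix it: `// |thread_states_list_lock| is deliberately left locked so that any threads`. The enclosing function rand_thread_state_clear_all begins outside the hunk.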
@@ -126,7 +126,7 @@ static void rand_thread_state_free(void *state_in) {
#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \
!defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
-/* These functions are defined in asm/rdrand-x86_64.pl */
+// These functions are defined in asm/rdrand-x86_64.pl
extern int CRYPTO_rdrand(uint8_t out[8]);
extern int CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len);
@@ -183,8 +183,8 @@ static void rand_get_seed(struct rand_thread_state *state,
state->last_block_valid = 1;
}
- /* We overread from /dev/urandom or RDRAND by a factor of 10 and XOR to
- * whiten. */
+ // We overread from /dev/urandom or RDRAND by a factor of 10 and XOR to
+ // whiten.
#define FIPS_OVERREAD 10
uint8_t entropy[CTR_DRBG_ENTROPY_LEN * FIPS_OVERREAD];
@@ -192,9 +192,9 @@ static void rand_get_seed(struct rand_thread_state *state,
CRYPTO_sysrand(entropy, sizeof(entropy));
}
- /* See FIPS 140-2, section 4.9.2. This is the “continuous random number
- * generator test” which causes the program to randomly abort. Hopefully the
- * rate of failure is small enough not to be a problem in practice. */
+ // See FIPS 140-2, section 4.9.2. This is the “continuous random number
+ // generator test” which causes the program to randomly abort. Hopefully the
+ // rate of failure is small enough not to be a problem in practice.
if (CRYPTO_memcmp(state->last_block, entropy, CRNGT_BLOCK_SIZE) == 0) {
printf("CRNGT failed.\n");
BORINGSSL_FIPS_abort();
@@ -225,8 +225,8 @@ static void rand_get_seed(struct rand_thread_state *state,
static void rand_get_seed(struct rand_thread_state *state,
uint8_t seed[CTR_DRBG_ENTROPY_LEN]) {
- /* If not in FIPS mode, we don't overread from the system entropy source and
- * we don't depend only on the hardware RDRAND. */
+ // If not in FIPS mode, we don't overread from the system entropy source and
+ // we don't depend only on the hardware RDRAND.
CRYPTO_sysrand(seed, CTR_DRBG_ENTROPY_LEN);
}
@@ -238,16 +238,16 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
return;
}
- /* Additional data is mixed into every CTR-DRBG call to protect, as best we
- * can, against forks & VM clones. We do not over-read this information and
- * don't reseed with it so, from the point of view of FIPS, this doesn't
- * provide “prediction resistance”. But, in practice, it does. */
+ // Additional data is mixed into every CTR-DRBG call to protect, as best we
+ // can, against forks & VM clones. We do not over-read this information and
+ // don't reseed with it so, from the point of view of FIPS, this doesn't
+ // provide “prediction resistance”. But, in practice, it does.
uint8_t additional_data[32];
if (!hwrand(additional_data, sizeof(additional_data))) {
- /* Without a hardware RNG to save us from address-space duplication, the OS
- * entropy is used. This can be expensive (one read per |RAND_bytes| call)
- * and so can be disabled by applications that we have ensured don't fork
- * and aren't at risk of VM cloning. */
+ // Without a hardware RNG to save us from address-space duplication, the OS
+ // entropy is used. This can be expensive (one read per |RAND_bytes| call)
+ // and so can be disabled by applications that we have ensured don't fork
+ // and aren't at risk of VM cloning.
if (!rand_fork_unsafe_buffering_enabled()) {
CRYPTO_sysrand(additional_data, sizeof(additional_data));
} else {
@@ -268,8 +268,8 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
if (state == NULL ||
!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_RAND, state,
rand_thread_state_free)) {
- /* If the system is out of memory, use an ephemeral state on the
- * stack. */
+ // If the system is out of memory, use an ephemeral state on the
+ // stack.
state = &stack_state;
}
@@ -300,14 +300,14 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
uint8_t seed[CTR_DRBG_ENTROPY_LEN];
rand_get_seed(state, seed);
#if defined(BORINGSSL_FIPS)
- /* Take a read lock around accesses to |state->drbg|. This is needed to
- * avoid returning bad entropy if we race with
- * |rand_thread_state_clear_all|.
- *
- * This lock must be taken after any calls to |CRYPTO_sysrand| to avoid a
- * bug on ppc64le. glibc may implement pthread locks by wrapping user code
- * in a hardware transaction, but, on some older versions of glibc and the
- * kernel, syscalls made with |syscall| did not abort the transaction. */
+ // Take a read lock around accesses to |state->drbg|. This is needed to
+ // avoid returning bad entropy if we race with
+ // |rand_thread_state_clear_all|.
+ //
+ // This lock must be taken after any calls to |CRYPTO_sysrand| to avoid a
+ // bug on ppc64le. glibc may implement pthread locks by wrapping user code
+ // in a hardware transaction, but, on some older versions of glibc and the
+ // kernel, syscalls made with |syscall| did not abort the transaction.
CRYPTO_STATIC_MUTEX_lock_read(thread_states_list_lock_bss_get());
#endif
if (!CTR_DRBG_reseed(&state->drbg, seed, NULL, 0)) {