zx/cprng.rs
1// Copyright 2018 The Fuchsia Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5//! Type-safe bindings for the Zircon kernel's CPRNG.
6//!
7use crate::{ok, Status};
8use std::mem::MaybeUninit;
9
10/// Draw random bytes from the kernel's CPRNG to fill the provided buffer. This function always
11/// fills the buffer.
12///
13/// # Safety
14///
15/// The provided pointer must be valid to write to for the provided number of bytes.
16///
17/// Wraps the
18/// [zx_cprng_draw](https://fuchsia.dev/fuchsia-src/reference/syscalls/cprng_draw.md)
19/// syscall.
20pub use crate::sys::zx_cprng_draw as cprng_draw_raw;
21
22/// Draw random bytes from the kernel's CPRNG to fill `buffer`. This function
23/// always fills the buffer.
24///
25/// Wraps the
26/// [zx_cprng_draw](https://fuchsia.dev/fuchsia-src/reference/syscalls/cprng_draw.md)
27/// syscall.
28pub fn cprng_draw(buffer: &mut [u8]) {
29 // SAFETY: &[u8] and &[MaybeUninit<u8>] have the same layout.
30 let buffer = unsafe {
31 std::slice::from_raw_parts_mut(buffer.as_mut_ptr().cast::<MaybeUninit<u8>>(), buffer.len())
32 };
33
34 cprng_draw_uninit(buffer);
35}
36
37/// Draw random bytes from the kernel's CPRNG to fill `buffer`. This function
38/// always fills the buffer.
39///
40/// Wraps the
41/// [zx_cprng_draw](https://fuchsia.dev/fuchsia-src/reference/syscalls/cprng_draw.md)
42/// syscall.
43///
44/// Returns the filled buffer.
45pub fn cprng_draw_uninit(buffer: &mut [MaybeUninit<u8>]) -> &mut [u8] {
46 // SAFETY: `buffer` is a well formed slice of (maybe) uninitialized `u8`s.
47 // `MaybeUninit<T>` and `T` have the same layout.
48 unsafe { cprng_draw_raw(buffer.as_mut_ptr().cast::<u8>(), buffer.len()) };
49
50 // SAFETY: We're converting &mut [MaybeUninit<u8>] back to &mut [u8], which is only
51 // valid to do if all elements of `buffer` have actually been initialized. Here we
52 // have to trust that the kernel didn't lie when it said it wrote to the entire
53 // buffer, but as long as that assumption is valid them it's safe to assume this
54 // slice is init.
55 //
56 // TODO(https://fxbug.dev/42079723) use MaybeUninit::slice_assume_init_mut when stable
57 unsafe { std::slice::from_raw_parts_mut(buffer.as_mut_ptr().cast::<u8>(), buffer.len()) }
58}
59
60/// Mix the given entropy into the kernel CPRNG.
61///
62/// The buffer must have length less than `ZX_CPRNG_ADD_ENTROPY_MAX_LEN`.
63///
64/// Wraps the
65/// [zx_cprng_add_entropy](https://fuchsia.dev/fuchsia-src/reference/syscalls/cprng_add_entropy.md)
66/// syscall.
67pub fn cprng_add_entropy(buffer: &[u8]) -> Result<(), Status> {
68 let status = unsafe { crate::sys::zx_cprng_add_entropy(buffer.as_ptr(), buffer.len()) };
69 ok(status)
70}
71
72#[cfg(test)]
73mod tests {
74 use super::*;
75
76 fn check_buffer(buffer: &mut [u8]) {
77 let mut first_zero = 0;
78 let mut last_zero = 0;
79 for _ in 0..30 {
80 cprng_draw(buffer);
81 if buffer[0] == 0 {
82 first_zero += 1;
83 }
84 if buffer.len() > 1 && buffer[buffer.len() - 1] == 0 {
85 last_zero += 1;
86 }
87 }
88 assert_ne!(first_zero, 30);
89 assert_ne!(last_zero, 30);
90 }
91
92 #[test]
93 fn cprng() {
94 let mut buffer = [0; 20];
95 check_buffer(&mut buffer);
96 }
97
98 #[test]
99 fn cprng_large() {
100 // The kernel currently chunks the buffer if it's larger than 256.
101 const SIZE: usize = 257;
102 let mut buffer = [0; SIZE];
103 check_buffer(&mut buffer);
104
105 for mut s in buffer.chunks_mut(SIZE / 3) {
106 check_buffer(&mut s);
107 }
108 }
109
110 #[test]
111 fn cprng_add() {
112 let buffer = [0, 1, 2];
113 assert_eq!(cprng_add_entropy(&buffer), Ok(()));
114 }
115}