1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115
// Copyright 2018 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//! Type-safe bindings for the Zircon kernel's CPRNG.
//!
use crate::{ok, Status};
use std::mem::MaybeUninit;
/// Draw random bytes from the kernel's CPRNG to fill the provided buffer. This function always
/// fills the buffer.
///
/// # Safety
///
/// The provided pointer must be valid to write to for the provided number of bytes.
///
/// Wraps the
/// [zx_cprng_draw](https://fuchsia.dev/fuchsia-src/reference/syscalls/cprng_draw.md)
/// syscall.
pub use crate::sys::zx_cprng_draw as cprng_draw_raw;
/// Draw random bytes from the kernel's CPRNG to fill `buffer`. This function
/// always fills the buffer.
///
/// Wraps the
/// [zx_cprng_draw](https://fuchsia.dev/fuchsia-src/reference/syscalls/cprng_draw.md)
/// syscall.
pub fn cprng_draw(buffer: &mut [u8]) {
// SAFETY: &[u8] and &[MaybeUninit<u8>] have the same layout.
let buffer = unsafe {
std::slice::from_raw_parts_mut(buffer.as_mut_ptr().cast::<MaybeUninit<u8>>(), buffer.len())
};
cprng_draw_uninit(buffer);
}
/// Draw random bytes from the kernel's CPRNG to fill `buffer`. This function
/// always fills the buffer.
///
/// Wraps the
/// [zx_cprng_draw](https://fuchsia.dev/fuchsia-src/reference/syscalls/cprng_draw.md)
/// syscall.
///
/// Returns the filled buffer.
pub fn cprng_draw_uninit(buffer: &mut [MaybeUninit<u8>]) -> &mut [u8] {
// SAFETY: `buffer` is a well formed slice of (maybe) uninitialized `u8`s.
// `MaybeUninit<T>` and `T` have the same layout.
unsafe { cprng_draw_raw(buffer.as_mut_ptr().cast::<u8>(), buffer.len()) };
// SAFETY: We're converting &mut [MaybeUninit<u8>] back to &mut [u8], which is only
// valid to do if all elements of `buffer` have actually been initialized. Here we
// have to trust that the kernel didn't lie when it said it wrote to the entire
// buffer, but as long as that assumption is valid them it's safe to assume this
// slice is init.
//
// TODO(https://fxbug.dev/42079723) use MaybeUninit::slice_assume_init_mut when stable
unsafe { std::slice::from_raw_parts_mut(buffer.as_mut_ptr().cast::<u8>(), buffer.len()) }
}
/// Mix the given entropy into the kernel CPRNG.
///
/// The buffer must have length less than `ZX_CPRNG_ADD_ENTROPY_MAX_LEN`.
///
/// Wraps the
/// [zx_cprng_add_entropy](https://fuchsia.dev/fuchsia-src/reference/syscalls/cprng_add_entropy.md)
/// syscall.
pub fn cprng_add_entropy(buffer: &[u8]) -> Result<(), Status> {
let status = unsafe { crate::sys::zx_cprng_add_entropy(buffer.as_ptr(), buffer.len()) };
ok(status)
}
#[cfg(test)]
mod tests {
use super::*;
fn check_buffer(buffer: &mut [u8]) {
let mut first_zero = 0;
let mut last_zero = 0;
for _ in 0..30 {
cprng_draw(buffer);
if buffer[0] == 0 {
first_zero += 1;
}
if buffer.len() > 1 && buffer[buffer.len() - 1] == 0 {
last_zero += 1;
}
}
assert_ne!(first_zero, 30);
assert_ne!(last_zero, 30);
}
#[test]
fn cprng() {
let mut buffer = [0; 20];
check_buffer(&mut buffer);
}
#[test]
fn cprng_large() {
// The kernel currently chunks the buffer if it's larger than 256.
const SIZE: usize = 257;
let mut buffer = [0; SIZE];
check_buffer(&mut buffer);
for mut s in buffer.chunks_mut(SIZE / 3) {
check_buffer(&mut s);
}
}
#[test]
fn cprng_add() {
let buffer = [0, 1, 2];
assert_eq!(cprng_add_entropy(&buffer), Ok(()));
}
}