Get random data from OS APIs

[wilzbach]

So I managed to find the issue in the Windows API. It was due to wrong API headers in druntime - for 64-bit pointers need to have 8 bytes.

Let me summarize:

Current Behavior

• Windows -> CryptGenRandom
• Linux
  • >= 3.17 -> getrandom system call, intro article
  • otherwise: /dev/(u)?random (see e.g. /dev/random vs. /dev/urandom)
• MacOS/OpenBSD/Solaris: /dev/(u)?random (see e.g. /dev/random vs. /dev/urandom)

Todo

• decide on an API
• write more documentation
• add support for D attributes
• add tests

Future work

• OpenBSD -> getentropy (Not implemented as I don't have a OpenBSD atm - anyone?)

References

C++ API: http://en.cppreference.com/w/cpp/numeric/random/random_device
LLVM stdcxx: https://github.com/llvm-mirror/libcxx/blob/master/src/random.cpp
G++: https://github.com/gcc-mirror/gcc/blob/master/libstdc%2B%2B-v3/src/c%2B%2B11/random.cc
Python urandom: https://github.com/python/cpython/blob/master/Python/random.c
Vibe.d cryptorand: https://github.com/rejectedsoftware/vibe.d/blob/master/crypto/vibe/crypto/cryptorand.d
pycrypto: https://github.com/dlitz/pycrypto/blob/master/src/winrand.c

[wilzbach]

@9il Is dmd guaranteed to execute the asm block in one go?

[9il]

What do you mean?

[wilzbach]

I got the inspiration to use this syscall style from here: https://github.com/kubo39/syscall-d/blob/master/source/syscalld/arch/syscall_x86_64.d
Hence also the synchronized statements, but afaict we don't need it - e.g.:
https://wiki.dlang.org/LDC_inline_assembly_expressions#X86-64

[wilzbach]

I accidentally came by two other implementation in the D ecosystem:

https://github.com/LightBender/SecureD/blob/master/source/random.d
https://github.com/etcimon/botan/blob/master/source/botan/libstate/libstate.d#L190

(the latter is interesting as it uses quite a bunch of entropy sources)

[9il]

I accidentally came by two other implementation in the D ecosystem:

Awesome!

[9il]

But do not spent much time on deprecated targets ;)

[9il]

@wilzbach do you need help with this PR?

[wilzbach]

@wilzbach do you need help with this PR?

Oh sorry for letting this get stalled.

As discussed this exposes two different functions with C-style like interface, but with D-guarantees in terms of @safe nothrow @nogc:

• getRandomBlocking
• getRandomNonBlocking

The difference between these two functions is that the Blocking one will loop until the buffer is filled (i.e. until enough entropy is generated), while the NonBlocking one will yield an error code.
If initialization needs to be done, it's done on the first call.

@9il please let me know if there's sth. missing for this PR.

About Blocking behavior:

tl;dr: only useful on Linux.

• Linux docs state:

The /dev/random device is a legacy interface which dates back to a
time where the cryptographic primitives used in the implementation of
/dev/urandom were not widely trusted. It will return random bytes
only within the estimated number of bits of fresh noise in the
entropy pool, blocking if necessary. /dev/random is suitable for
applications that need high quality randomness, and can afford
indeterminate delays.

When the entropy pool is empty, reads from /dev/random will block
until additional environmental noise is gathered.

And for the newer getRandom:

GRND_NONBLOCK
By default, when reading from the random source, getrandom()
blocks if no random bytes are available, and when reading from
the urandom source, it blocks if the entropy pool has not yet
been initialized. If the GRND_NONBLOCK flag is set, then
getrandom() does not block in these cases, but instead
immediately returns -1 with errno set to EAGAIN.

• Windows doesn't support blocking behavior (the documentation doesn't even state how CryptGenRandom behaves if the entropy pool is empty)
• macOS doesn't support blocking either (according to the docs it isn't necessary to block as a special SecurityServer takes care of ensuring that there's always enough entropy)

[9il]

Each public function should be extern(C) and starts with mir_random_. mir_random_genRandomBlocking. An alias can be added: genRandomBlocking = mir_random_genRandomBlocking. Please replace get* with gen*.

[9il]

1. Lets preserve old version if getRandomBlocking returns -1
2. and uncomment this line)

[9il]

private

[9il]

private

[9il]

bug.
Just move ptr and reduce length, instead of genBytes variable

[9il]

__gshared

[9il]

private

[9il]

extern(C)

[9il]

private

[9il]

extern(C)

[9il]

__gshared

[wilzbach]

Each public function should be extern(C) and starts with mir_random_. mir_random_genRandomBlocking

Ok - questions:

• It's currently in the mir.random.engine - so shouldn't it be mir_random_engine_genRandomBlocking?
• This will look ugly on the documentation pages. Any trick for this? Can't we use extern(C) on an alias?
• What about the module deconstructor? Should we expose sth. like mir_random_engine_dtor?

__gshared

I assume I can't use any locking in betterC?
There are four __gshared variables then. In case of a race:

• hasGetRandom: Linux kernel version will be calculated twice (will always yield the same) -> not a problem
• hProvider: we could acquire two Windows Crypto contexts (leak)
• fdRandom / fdURandom: we could open the file twice and leak a file handle

We could provide a special init method which inits the handles and ensures that no leaks can occur. On the D side it could automatically be called with the shared module constructor

[wilzbach]

For Windows all error codes of CryptGenRandom seem unrecoverable, so the loop here doesn't seem very useful. I think we should directly yield the error here.

[9il]

ok

[9il]

It's currently in the mir.random.engine - so shouldn't it be mir_random_engine_genRandomBlocking?

no

This will look ugly on the documentation pages. Any trick for this? Can't we use extern(C) on an alias?

This should be a part of documentation.

What about the module deconstructor? Should we expose sth. like mir_random_engine_dtor?

Yes, but extern(C) should be added to the D's module destructor.

[9il]

We could provide a special init method which inits the handles and ensures that no leaks can occur. On the D side it could automatically be called with the shared module constructor

mir_random_engine_ctor and the extern(C) D's module constructor

[9il]

Hey @wilzbach , could you please finalise this PR?

[wilzbach]

Hey @wilzbach , could you please finalise this PR?

Sorry that I left this pending for such a long time.

mir_random_engine_ctor and the extern(C) D's module constructor

Added :)

[9il]

@wilzbach please convert all private functions to templates and add version(LDC) pragma(inline, true); for them. This will make object files clearer.