Merge use_file code back, use sleep-based waiting on non-Linux targets

newpavlov · newpavlov · commit dd1030698db9 · 2024-06-21T14:51:04.000+03:00
diff --git a/src/lib.rs b/src/lib.rs
@@ -298,6 +298,7 @@ cfg_if! {
         ),
     ))] {
         mod util_libc;
+        mod use_file;
         mod linux_android;
         #[path = "linux_android_with_fallback.rs"] mod imp;
     } else if #[cfg(any(target_os = "android", target_os = "linux"))] {
diff --git a/src/linux_android_with_fallback.rs b/src/linux_android_with_fallback.rs
@@ -1,22 +1,20 @@
 //! Implementation for Linux / Android with `/dev/urandom` fallback
-use crate::{
-    lazy::LazyBool,
-    linux_android,
-    util_libc::{last_os_error, open_readonly, sys_fill_exact},
-    Error,
-};
-use core::{
-    mem::MaybeUninit,
-    sync::atomic::{AtomicI32, Ordering},
-};
+use crate::{lazy::LazyBool, linux_android, use_file, util_libc::last_os_error, Error};
+use core::mem::MaybeUninit;
 
 pub fn getrandom_inner(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
     // getrandom(2) was introduced in Linux 3.17
     static HAS_GETRANDOM: LazyBool = LazyBool::new();
     if HAS_GETRANDOM.unsync_init(is_getrandom_available) {
         linux_android::getrandom_inner(dest)
     } else {
-        use_file(dest)
+        // prevent inlining of the fallback implementation
+        #[inline(never)]
+        fn inner(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
+            use_file::getrandom_inner(dest)
+        }
+
+        inner(dest)
     }
 }
 
@@ -35,132 +33,3 @@ fn is_getrandom_available() -> bool {
         true
     }
 }
-
-// File descriptor is a "nonnegative integer" as per `open` man.
-const FD_UNINIT: libc::c_int = -1;
-const FD_ONGOING_INIT: libc::c_int = -2;
-
-// See comment for `FD` in use_file.rs
-static FD: AtomicI32 = AtomicI32::new(FD_UNINIT);
-
-pub fn use_file(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
-    let mut fd = FD.load(Ordering::Acquire);
-    if fd == FD_UNINIT || fd == FD_ONGOING_INIT {
-        fd = open_or_wait()?;
-    }
-    sys_fill_exact(dest, |buf| unsafe {
-        libc::read(fd, buf.as_mut_ptr().cast(), buf.len())
-    })
-}
-
-#[cold]
-pub(super) fn open_or_wait() -> Result<libc::c_int, Error> {
-    loop {
-        match FD.load(Ordering::Acquire) {
-            FD_UNINIT => {
-                let res = FD.compare_exchange_weak(
-                    FD_UNINIT,
-                    FD_ONGOING_INIT,
-                    Ordering::AcqRel,
-                    Ordering::Relaxed,
-                );
-                if res.is_ok() {
-                    break;
-                }
-            }
-            FD_ONGOING_INIT => futex_wait(),
-            fd => return Ok(fd),
-        }
-    }
-
-    let res = open_fd();
-    let val = match res {
-        Ok(fd) => fd,
-        Err(_) => FD_UNINIT,
-    };
-    FD.store(val, Ordering::Release);
-    futex_wake();
-    res
-}
-
-fn futex_wait() {
-    let op = libc::FUTEX_WAIT | libc::FUTEX_PRIVATE_FLAG;
-    let timeout_ptr = core::ptr::null::<libc::timespec>();
-    let ret = unsafe { libc::syscall(libc::SYS_futex, &FD, op, FD_ONGOING_INIT, timeout_ptr) };
-    // FUTEX_WAIT should return either 0 or EAGAIN error
-    debug_assert!({
-        match ret {
-            0 => true,
-            -1 => last_os_error().raw_os_error() == Some(libc::EAGAIN),
-            _ => false,
-        }
-    });
-}
-
-fn futex_wake() {
-    let op = libc::FUTEX_WAKE | libc::FUTEX_PRIVATE_FLAG;
-    let ret = unsafe { libc::syscall(libc::SYS_futex, &FD, op, libc::INT_MAX) };
-    debug_assert!(ret >= 0);
-}
-
-fn open_fd() -> Result<libc::c_int, Error> {
-    wait_until_rng_ready()?;
-    // "/dev/urandom is preferred and sufficient in all use cases"
-    let fd = open_readonly(b"/dev/urandom\0")?;
-    debug_assert!(fd >= 0);
-    Ok(fd)
-}
-
-// Polls /dev/random to make sure it is ok to read from /dev/urandom.
-//
-// Polling avoids draining the estimated entropy from /dev/random;
-// short-lived processes reading even a single byte from /dev/random could
-// be problematic if they are being executed faster than entropy is being
-// collected.
-//
-// OTOH, reading a byte instead of polling is more compatible with
-// sandboxes that disallow `poll()` but which allow reading /dev/random,
-// e.g. sandboxes that assume that `poll()` is for network I/O. This way,
-// fewer applications will have to insert pre-sandbox-initialization logic.
-// Often (blocking) file I/O is not allowed in such early phases of an
-// application for performance and/or security reasons.
-//
-// It is hard to write a sandbox policy to support `libc::poll()` because
-// it may invoke the `poll`, `ppoll`, `ppoll_time64` (since Linux 5.1, with
-// newer versions of glibc), and/or (rarely, and probably only on ancient
-// systems) `select`. depending on the libc implementation (e.g. glibc vs
-// musl), libc version, potentially the kernel version at runtime, and/or
-// the target architecture.
-//
-// BoringSSL and libstd don't try to protect against insecure output from
-// `/dev/urandom'; they don't open `/dev/random` at all.
-//
-// OpenSSL uses `libc::select()` unless the `dev/random` file descriptor
-// is too large; if it is too large then it does what we do here.
-//
-// libsodium uses `libc::poll` similarly to this.
-fn wait_until_rng_ready() -> Result<(), Error> {
-    let fd = open_readonly(b"/dev/random\0")?;
-    let mut pfd = libc::pollfd {
-        fd,
-        events: libc::POLLIN,
-        revents: 0,
-    };
-
-    let res = loop {
-        // A negative timeout means an infinite timeout.
-        let res = unsafe { libc::poll(&mut pfd, 1, -1) };
-        if res >= 0 {
-            // We only used one fd, and cannot timeout.
-            debug_assert_eq!(res, 1);
-            break Ok(());
-        }
-        let err = last_os_error();
-        match err.raw_os_error() {
-            Some(libc::EINTR) | Some(libc::EAGAIN) => continue,
-            _ => break Err(err),
-        }
-    };
-    unsafe { libc::close(fd) };
-    res
-}
diff --git a/src/use_file.rs b/src/use_file.rs
@@ -4,21 +4,22 @@ use crate::{
     Error,
 };
 use core::{
-    cell::UnsafeCell,
     ffi::c_void,
     mem::MaybeUninit,
     sync::atomic::{AtomicI32, Ordering},
 };
 
 /// For all platforms, we use `/dev/urandom` rather than `/dev/random`.
 /// For more information see the linked man pages in lib.rs.
+///   - On Linux, "/dev/urandom is preferred and sufficient in all use cases".
 ///   - On Redox, only /dev/urandom is provided.
 ///   - On AIX, /dev/urandom will "provide cryptographically secure output".
 ///   - On Haiku and QNX Neutrino they are identical.
 const FILE_PATH: &[u8] = b"/dev/urandom\0";
 
-// std::os::fd::{BorrowedFd, OwnedFd} guarantee that -1 is not a valid file descriptor.
+// File descriptor is a "nonnegative integer", so we can safely use negative sentinel values.
 const FD_UNINIT: libc::c_int = -1;
+const FD_ONGOING_INIT: libc::c_int = -2;
 
 // In theory `libc::c_int` could be something other than `i32`, but for the
 // targets we currently support that use `use_file`, it is always `i32`.
@@ -36,11 +37,9 @@ const FD_UNINIT: libc::c_int = -1;
 // `Ordering::Acquire` to synchronize with it.
 static FD: AtomicI32 = AtomicI32::new(FD_UNINIT);
 
-static FD_MUTEX: Mutex = Mutex::new();
-
 pub fn getrandom_inner(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
     let mut fd = FD.load(Ordering::Acquire);
-    if fd == FD_UNINIT {
+    if fd == FD_UNINIT || fd == FD_ONGOING_INIT {
         fd = open_or_wait()?;
     }
     sys_fill_exact(dest, |buf| unsafe {
@@ -50,40 +49,142 @@ pub fn getrandom_inner(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
 
 #[cold]
 fn open_or_wait() -> Result<libc::c_int, Error> {
-    let _guard = FD_MUTEX.lock();
-    let fd = match FD.load(Ordering::Acquire) {
-        FD_UNINIT => {
-            let fd = open_readonly(FILE_PATH)?;
-            FD.store(fd, Ordering::Release);
-            fd
+    loop {
+        match FD.load(Ordering::Acquire) {
+            FD_UNINIT => {
+                let res = FD.compare_exchange_weak(
+                    FD_UNINIT,
+                    FD_ONGOING_INIT,
+                    Ordering::AcqRel,
+                    Ordering::Relaxed,
+                );
+                if res.is_ok() {
+                    break;
+                }
+            }
+            FD_ONGOING_INIT => sync::wait(),
+            fd => return Ok(fd),
         }
-        fd => fd,
+    }
+
+    let res = open_fd();
+    let val = match res {
+        Ok(fd) => fd,
+        Err(_) => FD_UNINIT,
     };
+    FD.store(val, Ordering::Release);
+    sync::wake();
+    res
+}
+
+fn open_fd() -> Result<libc::c_int, Error> {
+    #[cfg(any(target_os = "android", target_os = "linux"))]
+    sync::wait_until_rng_ready()?;
+    let fd = open_readonly(FILE_PATH)?;
     debug_assert!(fd >= 0);
     Ok(fd)
 }
 
-struct Mutex(UnsafeCell<libc::pthread_mutex_t>);
-
-impl Mutex {
-    const fn new() -> Self {
-        Self(UnsafeCell::new(libc::PTHREAD_MUTEX_INITIALIZER))
+#[cfg(not(any(target_os = "android", target_os = "linux")))]
+mod sync {
+    // On non-Linux targets the critical section only opens file,
+    // which should not block, so in the unlikely contended case,
+    // we can sleep-wait for the opening operation to finish.
+    pub(super) fn wait() {
+        let rqtp = libc::timespec {
+            tv_sec: 0,
+            tv_nsec: 1_000_000,
+        };
+        let mut rmtp = libc::timespec {
+            tv_sec: 0,
+            tv_nsec: 0,
+        };
+        // We ignore return value since we do not care
+        // if sleep is interrupted
+        unsafe {
+            libc::nanosleep(&rqtp, &mut rmtp);
+        }
     }
 
-    fn lock(&self) -> MutexGuard<'_> {
-        let r = unsafe { libc::pthread_mutex_lock(self.0.get()) };
-        debug_assert_eq!(r, 0);
-        MutexGuard(self)
-    }
+    pub(super) fn wake() {}
 }
 
-unsafe impl Sync for Mutex {}
+#[cfg(any(target_os = "android", target_os = "linux"))]
+mod sync {
+    use super::{Error, FD, FD_ONGOING_INIT};
+    use crate::util_libc::{last_os_error, open_readonly};
+
+    pub(super) fn wait() {
+        let op = libc::FUTEX_WAIT | libc::FUTEX_PRIVATE_FLAG;
+        let timeout_ptr = core::ptr::null::<libc::timespec>();
+        let ret = unsafe { libc::syscall(libc::SYS_futex, &FD, op, FD_ONGOING_INIT, timeout_ptr) };
+        // FUTEX_WAIT should return either 0 or EAGAIN error
+        debug_assert!({
+            match ret {
+                0 => true,
+                -1 => last_os_error().raw_os_error() == Some(libc::EAGAIN),
+                _ => false,
+            }
+        });
+    }
+
+    pub(super) fn wake() {
+        let op = libc::FUTEX_WAKE | libc::FUTEX_PRIVATE_FLAG;
+        let ret = unsafe { libc::syscall(libc::SYS_futex, &FD, op, libc::INT_MAX) };
+        debug_assert!(ret >= 0);
+    }
 
-struct MutexGuard<'a>(&'a Mutex);
+    // Polls /dev/random to make sure it is ok to read from /dev/urandom.
+    //
+    // Polling avoids draining the estimated entropy from /dev/random;
+    // short-lived processes reading even a single byte from /dev/random could
+    // be problematic if they are being executed faster than entropy is being
+    // collected.
+    //
+    // OTOH, reading a byte instead of polling is more compatible with
+    // sandboxes that disallow `poll()` but which allow reading /dev/random,
+    // e.g. sandboxes that assume that `poll()` is for network I/O. This way,
+    // fewer applications will have to insert pre-sandbox-initialization logic.
+    // Often (blocking) file I/O is not allowed in such early phases of an
+    // application for performance and/or security reasons.
+    //
+    // It is hard to write a sandbox policy to support `libc::poll()` because
+    // it may invoke the `poll`, `ppoll`, `ppoll_time64` (since Linux 5.1, with
+    // newer versions of glibc), and/or (rarely, and probably only on ancient
+    // systems) `select`. depending on the libc implementation (e.g. glibc vs
+    // musl), libc version, potentially the kernel version at runtime, and/or
+    // the target architecture.
+    //
+    // BoringSSL and libstd don't try to protect against insecure output from
+    // `/dev/urandom'; they don't open `/dev/random` at all.
+    //
+    // OpenSSL uses `libc::select()` unless the `dev/random` file descriptor
+    // is too large; if it is too large then it does what we do here.
+    //
+    // libsodium uses `libc::poll` similarly to this.
+    pub(super) fn wait_until_rng_ready() -> Result<(), Error> {
+        let fd = open_readonly(b"/dev/random\0")?;
+        let mut pfd = libc::pollfd {
+            fd,
+            events: libc::POLLIN,
+            revents: 0,
+        };
 
-impl<'a> Drop for MutexGuard<'a> {
-    fn drop(&mut self) {
-        let r = unsafe { libc::pthread_mutex_unlock(self.0 .0.get()) };
-        debug_assert_eq!(r, 0);
+        let res = loop {
+            // A negative timeout means an infinite timeout.
+            let res = unsafe { libc::poll(&mut pfd, 1, -1) };
+            if res >= 0 {
+                // We only used one fd, and cannot timeout.
+                debug_assert_eq!(res, 1);
+                break Ok(());
+            }
+            let err = last_os_error();
+            match err.raw_os_error() {
+                Some(libc::EINTR) | Some(libc::EAGAIN) => continue,
+                _ => break Err(err),
+            }
+        };
+        unsafe { libc::close(fd) };
+        res
     }
 }
