This is an archive of the discontinued LLVM Phabricator instance.

Differential D6442

libc++: add NaCl and PNaCl support for std::random_device
ClosedPublic

Authored by jfb on Nov 27 2014, 1:20 PM.

Details

Reviewers
dschuff
mclow.lists
danalbert
Commits
rG57148cbcbdad: libc++: add NaCl and PNaCl support for std::random_device
rCXX223068: libc++: add NaCl and PNaCl support for std::random_device
rL223068: libc++: add NaCl and PNaCl support for std::random_device
Summary

The NaCl sandbox doesn't allow opening files under /dev, but it offers an API which provides the same capabilities. This is the same random device emulation that nacl_io performs for POSIX support, but nacl_io is an optional library so libc++ can't assume that device emulation will be performed. Note that NaCl only supports /dev/urandom, not /dev/random.

This patch also cleans up some of the preprocessor #endif, and fixes the test for Win32 (it accepts any token, and would therefore never throw regardless of the token provided).

Diff Detail

Event Timeline

jfb updated this revision to Diff 16707.Nov 27 2014, 1:20 PM
jfb retitled this revision from to libc++: add NaCl and PNaCl support for std::random_device.
jfb updated this object.
jfb edited the test plan for this revision. (Show Details)
jfb added reviewers: dschuff, mclow.lists, danalbert.
jfb added a subscriber: Unknown Object (MLST).
Herald added a subscriber: jfb. · View Herald TranscriptNov 27 2014, 1:20 PM
EricWF added a subscriber: EricWF.Nov 27 2014, 1:30 PM
majnemer added a subscriber: majnemer.Nov 27 2014, 2:42 PM

The purpose of the token is to permit different sources of randomness. Seeing as how you don't allow anything other than nacl_secure_random_init, perhaps you should just make the default token be the empty string in the <random> header.

Checking for an invalid token would just be a simple !__token.empty().

src/random.cpp
79

This read a little funny to me, maybe:

random_device failed to obtain enough bytes

jfb added a comment.EditedNov 27 2014, 3:34 PM

The purpose of the token is to permit different sources of randomness. Seeing as how you don't allow anything other than nacl_secure_random_init, perhaps you should just make the default token be the empty string in the <random> header.

That would be a breaking change if we do decide to support other sources of
randomness. What we have now emulates the token it accepts (its POSIX
meaning), so it's the right thing IMO.

mclow.lists edited edge metadata.Nov 28 2014, 11:55 AM

I'd really prefer a different identifier other than __native_client__.
IMHO, that's too "generic".

Something that mentioned NaCl and/or PNaCl.
_LIBCPP_USING_NACL_RANDOM, maybe?

jfb updated this revision to Diff 16748.EditedNov 29 2014, 11:06 AM
jfb edited edge metadata.

Rephrase error message.

jfb updated this revision to Diff 16749.EditedNov 29 2014, 11:59 AM

Add _LIBCPP_USING_NACL_RANDOM to __config, and use that instead of __native_client__.

jfb added a comment.Nov 29 2014, 12:00 PM
In D6442#9, @mclow.lists wrote:

I'd really prefer a different identifier other than __native_client__.
IMHO, that's too "generic".

Something that mentioned NaCl and/or PNaCl.
_LIBCPP_USING_NACL_RANDOM, maybe?

Done, let me know if what I implemented was what you were suggesting.

src/random.cpp
79

Changed.

jfb updated this revision to Diff 16750.Nov 29 2014, 12:05 PM

Fix missing parens.

mclow.lists added a comment.Dec 1 2014, 8:57 AM

Your changes look good; but now I'm wondering if you want to accept both "/dev/random" and "/dev/urandom" as valid tokens.

Now I'm wondering what bozo checked in the windows implementation w/o noticing that it broke this test on Windows. Oh - that was me.

Should the windows implementation also accept only "/dev/random" and "/dev/urandom" as valid tokens?

That would enable us to make the test portable; and help people to write cross-platform code.

include/__config
118

I don't think you need to actually set _LIBCPP_USING_NACL_RANDOM to a value.

#define _LIBCPP_USING_NACL_RANDOM

is sufficient.

test/numerics/rand/rand.device/ctor.pass.cpp
34

I don't really like this; it's leaking implementation information into the test framework.

jfb updated this revision to Diff 16768.Dec 1 2014, 9:11 AM

Define macro without setting a value.

jfb added a comment.Dec 1 2014, 9:18 AM
In D6442#17, @mclow.lists wrote:

Your changes look good; but now I'm wondering if you want to accept both "/dev/random" and "/dev/urandom" as valid tokens.

I don't want /dev/random because the NaCl interface I'm using doesn't guarantee "very high quality randomness" and doesn't block when such randomness isn't available. User code that expects such randomness should hard-fail (and fall back as makes sense for them), instead of getting lower quality randomness. NaCl has, for example, SSH clients that rely on similar (non-C++) random device interfaces, and knowing that the source of randomness is bad is pretty important to them (not that OpenSSL and friends have a great track record).

Should the windows implementation also accept only "/dev/random" and "/dev/urandom" as valid tokens?

I wouldn't offer /dev/random unless the implementation actually meets the expectations of users.

That would enable us to make the test portable; and help people to write cross-platform code.

I think the lack of platform portability should go back to WG21 LEWG ;-)

Agreed that the test is now ugly... but hey it's correct!

include/__config
118

Done.

jfb updated this revision to Diff 16773.Dec 1 2014, 9:53 AM

Return ENOENT instead of ENODEV as suggested by @majnemer.

mclow.lists accepted this revision.Dec 1 2014, 10:27 AM
mclow.lists edited edge metadata.
This revision is now accepted and ready to land.Dec 1 2014, 10:27 AM
jfb closed this revision.Dec 1 2014, 11:20 AM
jfb updated this revision to Diff 16776.

Closed by commit rL223068 (authored by @jfb).

Revision Contents

PathSize
include/
7 lines
4 lines
src/
49 lines
test/
numerics/
rand/
rand.device/
96 lines

Diff 16773

include/__config

Show First 20 LinesShow All 105 Lines▼ Show 20 Lines
# define _LIBCPP_LITTLE_ENDIAN 1 # define _LIBCPP_LITTLE_ENDIAN 1
# define _LIBCPP_BIG_ENDIAN 0 # define _LIBCPP_BIG_ENDIAN 0
# else # else
# define _LIBCPP_LITTLE_ENDIAN 0 # define _LIBCPP_LITTLE_ENDIAN 0
# define _LIBCPP_BIG_ENDIAN 1 # define _LIBCPP_BIG_ENDIAN 1
# endif # endif
#endif // __sun__ #endif // __sun__
#if defined(__native_client__)
// NaCl's sandbox (which PNaCl also runs in) doesn't allow filesystem access,
// including accesses to the special files under /dev. C++11's
// std::random_device is instead exposed through a NaCl syscall.
# define _LIBCPP_USING_NACL_RANDOM
mclow.listsUnsubmitted
Not Done
ReplyInline Actions

I don't think you need to actually set _LIBCPP_USING_NACL_RANDOM to a value.

#define _LIBCPP_USING_NACL_RANDOM

is sufficient.

mclow.lists: I don't think you need to actually set `_LIBCPP_USING_NACL_RANDOM` to a value. #define…
jfbAuthorUnsubmitted
Not Done
ReplyInline Actions

Done.

jfb: Done.
#endif // defined(__native_client__)
#if !defined(_LIBCPP_LITTLE_ENDIAN) || !defined(_LIBCPP_BIG_ENDIAN) #if !defined(_LIBCPP_LITTLE_ENDIAN) || !defined(_LIBCPP_BIG_ENDIAN)
# include <endian.h> # include <endian.h>
# if __BYTE_ORDER == __LITTLE_ENDIAN # if __BYTE_ORDER == __LITTLE_ENDIAN
# define _LIBCPP_LITTLE_ENDIAN 1 # define _LIBCPP_LITTLE_ENDIAN 1
# define _LIBCPP_BIG_ENDIAN 0 # define _LIBCPP_BIG_ENDIAN 0
# elif __BYTE_ORDER == __BIG_ENDIAN # elif __BYTE_ORDER == __BIG_ENDIAN
# define _LIBCPP_LITTLE_ENDIAN 0 # define _LIBCPP_LITTLE_ENDIAN 0
# define _LIBCPP_BIG_ENDIAN 1 # define _LIBCPP_BIG_ENDIAN 1
▲ Show 20 LinesShow All 588 LinesShow Last 20 Lines

include/random

Show First 20 LinesShow All 3,469 Lines▼ Show 20 Lines
} }
typedef shuffle_order_engine<minstd_rand0, 256> knuth_b; typedef shuffle_order_engine<minstd_rand0, 256> knuth_b;
// random_device // random_device
class _LIBCPP_TYPE_VIS random_device class _LIBCPP_TYPE_VIS random_device
{ {
#if !defined(_WIN32) #if !(defined(_WIN32) || defined(_LIBCPP_USING_NACL_RANDOM))
int __f_; int __f_;
#endif // defined(_WIN32) #endif // !(defined(_WIN32) || defined(_LIBCPP_USING_NACL_RANDOM))
public: public:
// types // types
typedef unsigned result_type; typedef unsigned result_type;
// generator characteristics // generator characteristics
static _LIBCPP_CONSTEXPR const result_type _Min = 0; static _LIBCPP_CONSTEXPR const result_type _Min = 0;
static _LIBCPP_CONSTEXPR const result_type _Max = 0xFFFFFFFFu; static _LIBCPP_CONSTEXPR const result_type _Max = 0xFFFFFFFFu;
▲ Show 20 LinesShow All 3,240 LinesShow Last 20 Lines

src/random.cpp

//===-------------------------- random.cpp --------------------------------===// //===-------------------------- random.cpp --------------------------------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is dual licensed under the MIT and the University of Illinois Open // This file is dual licensed under the MIT and the University of Illinois Open
// Source Licenses. See LICENSE.TXT for details. // Source Licenses. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#if defined(_WIN32) #if defined(_WIN32)
// Must be defined before including stdlib.h to enable rand_s(). // Must be defined before including stdlib.h to enable rand_s().
#define _CRT_RAND_S #define _CRT_RAND_S
#include <stdio.h> #include <stdio.h>
#endif #endif // defined(_WIN32)
#include "random" #include "random"
#include "system_error" #include "system_error"
#ifdef __sun__ #if defined(__sun__)
#define rename solaris_headers_are_broken #define rename solaris_headers_are_broken
#endif #endif // defined(__sun__)
#if !defined(_WIN32) #if !defined(_WIN32)
#include <fcntl.h> #include <fcntl.h>
#include <unistd.h> #include <unistd.h>
#endif // defined(_WIN32) #endif // !defined(_WIN32)
#include <errno.h> #include <errno.h>
#if defined(_LIBCPP_USING_NACL_RANDOM)
#include <nacl/nacl_random.h>
#endif // defined(_LIBCPP_USING_NACL_RANDOM)
_LIBCPP_BEGIN_NAMESPACE_STD _LIBCPP_BEGIN_NAMESPACE_STD
#if defined(_WIN32) #if defined(_WIN32)
random_device::random_device(const string&) random_device::random_device(const string&)
{ {
} }
random_device::~random_device() random_device::~random_device()
{ {
} }
unsigned unsigned
random_device::operator()() random_device::operator()()
{ {
unsigned r; unsigned r;
errno_t err = rand_s(&r); errno_t err = rand_s(&r);
if (err) if (err)
__throw_system_error(err, "random_device rand_s failed."); __throw_system_error(err, "random_device rand_s failed.");
return r; return r;
} }
#else
#elif defined(_LIBCPP_USING_NACL_RANDOM)
random_device::random_device(const string& __token)
{
if (__token != "/dev/urandom")
__throw_system_error(ENOENT, ("random device not supported " + __token).c_str());
int error = nacl_secure_random_init();
if (error)
__throw_system_error(error, ("random device failed to open " + __token).c_str());
}
random_device::~random_device()
{
}
unsigned
random_device::operator()()
{
unsigned r;
size_t n = sizeof(r);
char* p = reinterpret_cast<char*>(&r);
size_t bytes_written;
int error = nacl_secure_random(&r, n, &bytes_written);
if (error != 0)
__throw_system_error(error, "random_device failed getting bytes");
else if (bytes_written != n)
__throw_runtime_error("random_device failed to obtain enough bytes");
majnemerUnsubmitted
Not Done
ReplyInline Actions

This read a little funny to me, maybe:

random_device failed to obtain enough bytes

majnemer: This read a little funny to me, maybe: > random_device failed to obtain enough bytes
jfbAuthorUnsubmitted
Not Done
ReplyInline Actions

Changed.

jfb: Changed.
return r;
}
#else // !defined(_WIN32) && !defined(_LIBCPP_USING_NACL_RANDOM)
random_device::random_device(const string& __token) random_device::random_device(const string& __token)
: __f_(open(__token.c_str(), O_RDONLY)) : __f_(open(__token.c_str(), O_RDONLY))
{ {
if (__f_ < 0) if (__f_ < 0)
__throw_system_error(errno, ("random_device failed to open " + __token).c_str()); __throw_system_error(errno, ("random_device failed to open " + __token).c_str());
} }
random_device::~random_device() random_device::~random_device()
Show All 18 Lines while (n > 0)
__throw_system_error(errno, "random_device got an unexpected error"); __throw_system_error(errno, "random_device got an unexpected error");
continue; continue;
} }
n -= static_cast<size_t>(s); n -= static_cast<size_t>(s);
p += static_cast<size_t>(s); p += static_cast<size_t>(s);
} }
return r; return r;
} }
#endif // defined(_WIN32)
#endif // defined(_WIN32) || defined(_LIBCPP_USING_NACL_RANDOM)
double double
random_device::entropy() const _NOEXCEPT random_device::entropy() const _NOEXCEPT
{ {
return 0; return 0;
} }
_LIBCPP_END_NAMESPACE_STD _LIBCPP_END_NAMESPACE_STD

test/numerics/rand/rand.device/ctor.pass.cpp

//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is dual licensed under the MIT and the University of Illinois Open // This file is dual licensed under the MIT and the University of Illinois Open
// Source Licenses. See LICENSE.TXT for details. // Source Licenses. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// <random> // <random>
// class random_device; // class random_device;
// explicit random_device(const string& token = "/dev/urandom"); // explicit random_device(const string& token = implementation-defined);
// For the following ctors, the standard states: "The semantics and default
// value of the token parameter are implementation-defined". Implementations
// therefore aren't required to accept any string, but the default shouldn't
// throw.
#include <random> #include <random>
#include <cassert> #include <cassert>
#include <unistd.h> #include <unistd.h>
int main() bool is_valid_random_device(const std::string &token) {
{ #if defined(_WIN32)
try return true;
{ #elif defined(_LIBCPP_USING_NACL_RANDOM)
std::random_device r("wrong file"); return token == "/dev/urandom";
assert(false); #else // !defined(_WIN32) && !defined(_LIBCPP_USING_NACL_RANDOM)
// Not an exhaustive list: they're the only tokens that are tested below.
return token == "/dev/urandom" || token == "/dev/random";
#endif // defined(_WIN32) || defined(_LIBCPP_USING_NACL_RANDOM)
} }
mclow.listsUnsubmitted
Not Done
ReplyInline Actions

I don't really like this; it's leaking implementation information into the test framework.

mclow.lists: I don't really like this; it's leaking implementation information into the test framework.
catch (const std::system_error& e)
{ void check_random_device_valid(const std::string &token) {
std::random_device r(token);
}
void check_random_device_invalid(const std::string &token) {
try {
std::random_device r(token);
assert(false);
} catch (const std::system_error &e) {
} }
{
std::random_device r;
} }
int main() {
{ std::random_device r; }
{ {
int ec; int ec;
ec = close(STDIN_FILENO); ec = close(STDIN_FILENO);
assert(!ec); assert(!ec);
ec = close(STDOUT_FILENO); ec = close(STDOUT_FILENO);
assert(!ec); assert(!ec);
ec = close(STDERR_FILENO); ec = close(STDERR_FILENO);
assert(!ec); assert(!ec);
std::random_device r; std::random_device r;
} }
{ {
std::random_device r("/dev/urandom");; std::string token = "wrong file";
if (is_valid_random_device(token))
check_random_device_valid(token);
else
check_random_device_invalid(token);
} }
{
std::string token = "/dev/urandom";
if (is_valid_random_device(token))
check_random_device_valid(token);
else
check_random_device_invalid(token);
}
{ {
std::random_device r("/dev/random");; std::string token = "/dev/random";
if (is_valid_random_device(token))
check_random_device_valid(token);
else
check_random_device_invalid(token);
} }
} }