Replace userspace RNG with the OS's CSPRNG round two.

Alternative to monero-project#2621, uses libsodium's randombytes_buf() instead.

src/crypto/crypto.cpp

@@ -78,7 +78,7 @@ namespace crypto {
   /* generate a random 32-byte (256-bit) integer and copy it to res */
   static inline void random_scalar_not_thread_safe(ec_scalar &res) {
     unsigned char tmp[64];
-    generate_random_bytes_not_thread_safe(64, tmp);
+    generate_system_random_bytes(64, tmp);
     sc_reduce(tmp);
     memcpy(&res, tmp, 32);
   }

src/crypto/crypto.h

@@ -147,7 +147,7 @@ namespace crypto {
    */
   inline void rand(size_t N, uint8_t *bytes) {
     boost::lock_guard<boost::mutex> lock(random_lock);
-    generate_random_bytes_not_thread_safe(N, bytes);
+    generate_system_random_bytes(N, bytes);
   }
 
   /* Generate a value filled with random bytes.
@@ -156,7 +156,7 @@ namespace crypto {
   typename std::enable_if<std::is_pod<T>::value, T>::type rand() {
     typename std::remove_cv<T>::type res;
     boost::lock_guard<boost::mutex> lock(random_lock);
-    generate_random_bytes_not_thread_safe(sizeof(T), &res);
+    generate_system_random_bytes(sizeof(T), &res);
     return res;
   }
 

src/crypto/random.c

@@ -1,21 +1,21 @@
 // Copyright (c) 2014-2017, The Monero Project
-// 
+//
 // All rights reserved.
-// 
+//
 // Redistribution and use in source and binary forms, with or without modification, are
 // permitted provided that the following conditions are met:
-// 
+//
 // 1. Redistributions of source code must retain the above copyright notice, this list of
 //    conditions and the following disclaimer.
-// 
+//
 // 2. Redistributions in binary form must reproduce the above copyright notice, this list
 //    of conditions and the following disclaimer in the documentation and/or other
 //    materials provided with the distribution.
-// 
+//
 // 3. Neither the name of the copyright holder nor the names of its contributors may be
 //    used to endorse or promote products derived from this software without specific
 //    prior written permission.
-// 
+//
 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
 // EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 // MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
@@ -25,25 +25,24 @@
 // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
 // THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// 
+//
 // Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
 
 #include <assert.h>
 #include <stddef.h>
 #include <string.h>
+#include <sodium.h>
 
 #include "hash-ops.h"
 #include "initializer.h"
 #include "random.h"
 
-static void generate_system_random_bytes(size_t n, void *result);
-
 #if defined(_WIN32)
 
 #include <windows.h>
 #include <wincrypt.h>
 
-static void generate_system_random_bytes(size_t n, void *result) {
+void generate_system_random_bytes(size_t n, void *result) {
   HCRYPTPROV prov;
 #define must_succeed(x) do if (!(x)) abort(); while (0)
   must_succeed(CryptAcquireContext(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT | CRYPT_SILENT));
@@ -62,82 +61,12 @@ static void generate_system_random_bytes(size_t n, void *result) {
 #include <sys/types.h>
 #include <unistd.h>
 
-static void generate_system_random_bytes(size_t n, void *result) {
-  int fd;
-  if ((fd = open("/dev/urandom", O_RDONLY | O_NOCTTY | O_CLOEXEC)) < 0) {
-    err(EXIT_FAILURE, "open /dev/urandom");
-  }
-  for (;;) {
-    ssize_t res = read(fd, result, n);
-    if ((size_t) res == n) {
-      break;
-    }
-    if (res < 0) {
-      if (errno != EINTR) {
-        err(EXIT_FAILURE, "read /dev/urandom");
-      }
-    } else if (res == 0) {
-      errx(EXIT_FAILURE, "read /dev/urandom: end of file");
-    } else {
-      result = padd(result, (size_t) res);
-      n -= (size_t) res;
-    }
-  }
-  if (close(fd) < 0) {
-    err(EXIT_FAILURE, "close /dev/urandom");
+void generate_system_random_bytes(size_t n, void *result) {
+  if (sodium_init() < 0) {
+    /* It is unsafe to continue operation. */
+    abort();
   }
+  randombytes_buf(result, n);
 }
 
 #endif
-
-static union hash_state state;
-
-#if !defined(NDEBUG)
-static volatile int curstate; /* To catch thread safety problems. */
-#endif
-
-FINALIZER(deinit_random) {
-#if !defined(NDEBUG)
-  assert(curstate == 1);
-  curstate = 0;
-#endif
-  memset(&state, 0, sizeof(union hash_state));
-}
-
-INITIALIZER(init_random) {
-  generate_system_random_bytes(32, &state);
-  REGISTER_FINALIZER(deinit_random);
-#if !defined(NDEBUG)
-  assert(curstate == 0);
-  curstate = 1;
-#endif
-}
-
-void generate_random_bytes_not_thread_safe(size_t n, void *result) {
-#if !defined(NDEBUG)
-  assert(curstate == 1);
-  curstate = 2;
-#endif
-  if (n == 0) {
-#if !defined(NDEBUG)
-    assert(curstate == 2);
-    curstate = 1;
-#endif
-    return;
-  }
-  for (;;) {
-    hash_permutation(&state);
-    if (n <= HASH_DATA_AREA) {
-      memcpy(result, &state, n);
-#if !defined(NDEBUG)
-      assert(curstate == 2);
-      curstate = 1;
-#endif
-      return;
-    } else {
-      memcpy(result, &state, HASH_DATA_AREA);
-      result = padd(result, HASH_DATA_AREA);
-      n -= HASH_DATA_AREA;
-    }
-  }
-}

src/crypto/random.h

@@ -32,4 +32,5 @@
 
 #include <stddef.h>
 
-void generate_random_bytes_not_thread_safe(size_t n, void *result);
+
+void generate_system_random_bytes(size_t n, void *result);