From bd9957e6e28506c4431ce8d3cadbc0a04905b15e Mon Sep 17 00:00:00 2001
From: Adam Langley <agl@google.com>
Date: Tue, 23 Jun 2015 16:28:07 -0700
Subject: Handle RDRAND failures.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I mistakenly believed that only RDSEED could fail. However, the Intel
manuals state that RDRAND can fail too.

This change cherry-picks the following BoringSSL changes:

2cac3506 – Handle RDRAND failures.
248abbd7 – Add missing comma in .type pragma for rdrand code.

Change-Id: Icdc56a50ce36e9c525063583882c676a5312d313
---
 src/crypto/rand/asm/rdrand-x86_64.pl | 52 +++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)

(limited to 'src/crypto/rand/asm/rdrand-x86_64.pl')

diff --git a/src/crypto/rand/asm/rdrand-x86_64.pl b/src/crypto/rand/asm/rdrand-x86_64.pl
index a917611..c32a55c 100644
--- a/src/crypto/rand/asm/rdrand-x86_64.pl
+++ b/src/crypto/rand/asm/rdrand-x86_64.pl
@@ -1,5 +1,19 @@
 #!/usr/bin/env perl
 
+# Copyright (c) 2015, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
 $flavour = shift;
 $output  = shift;
 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
@@ -14,11 +28,47 @@ open OUT,"| \"$^X\" $xlate $flavour $output";
 print<<___;
 .text
 
+# CRYPTO_rdrand writes eight bytes of random data from the hardware RNG to
+# |out|. It returns one on success or zero on hardware failure.
+# int CRYPTO_rdrand(uint8_t out[8]);
 .globl	CRYPTO_rdrand
 .type	CRYPTO_rdrand,\@function,1
 .align	16
 CRYPTO_rdrand:
-	.byte 0x48, 0x0f, 0xc7, 0xf0
+	xorq %rax, %rax
+	# This is rdrand %rcx. It sets rcx to a random value and sets the carry
+	# flag on success.
+	.byte 0x48, 0x0f, 0xc7, 0xf1
+	# An add-with-carry of zero effectively sets %rax to the carry flag.
+	adcq %rax, %rax
+	movq %rcx, 0(%rdi)
+	retq
+
+# CRYPTO_rdrand_multiple8_buf fills |len| bytes at |buf| with random data from
+# the hardware RNG. The |len| argument must be a multiple of eight. It returns
+# one on success and zero on hardware failure.
+# int CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len);
+.globl CRYPTO_rdrand_multiple8_buf
+.type CRYPTO_rdrand_multiple8_buf,\@function,2
+.align 16
+CRYPTO_rdrand_multiple8_buf:
+	test %rsi, %rsi
+	jz .Lout
+	movq \$8, %rdx
+.Lloop:
+	# This is rdrand %rcx. It sets rcx to a random value and sets the carry
+	# flag on success.
+	.byte 0x48, 0x0f, 0xc7, 0xf1
+	jnc .Lerr
+	movq %rcx, 0(%rdi)
+	addq %rdx, %rdi
+	subq %rdx, %rsi
+	jnz .Lloop
+.Lout:
+	movq \$1, %rax
+	retq
+.Lerr:
+	xorq %rax, %rax
 	retq
 ___
 
-- 
cgit v1.1