feat(backend-cpu): use Apple secure enclave seeder on M1

2026-05-09 03:00:34 -04:00 · 2023-04-14 15:43:49 +02:00
parent fa0e246613
commit 348fe028cf
1 changed files with 29 additions and 3 deletions
--- a/backends/concrete-cpu/implementation/src/c_api/csprng.rs
+++ b/backends/concrete-cpu/implementation/src/c_api/csprng.rs
@@ -70,24 +70,50 @@ pub unsafe extern "C" fn concrete_cpu_destroy_concrete_csprng(mem: *mut Csprng)
 // Returns 1 if the random is crypto secure, -1 if it not secure, 0 if fail.
 #[no_mangle]
 pub unsafe extern "C" fn concrete_cpu_crypto_secure_random_128(u128: *mut Uint128) -> c_int {
+    let buf = &mut (*u128).little_endian_bytes[0..16];
+
    #[cfg(any(target_arch = "x86_64", target_arch = "x86"))]
    if is_x86_feature_detected!("rdseed") {
        let mut rand: u64 = 0;
        loop {
            if core::arch::x86_64::_rdseed64_step(&mut rand) == 1 {
-                (*u128).little_endian_bytes[0..8].copy_from_slice(&rand.to_ne_bytes());
+                buf[0..8].copy_from_slice(&rand.to_ne_bytes());
                break;
            }
        }
        loop {
            if core::arch::x86_64::_rdseed64_step(&mut rand) == 1 {
-                (*u128).little_endian_bytes[8..16].copy_from_slice(&rand.to_ne_bytes());
+                buf[8..16].copy_from_slice(&rand.to_ne_bytes());
                break;
            }
        }
        return 1;
    }
-    let buf = &mut (*u128).little_endian_bytes[0..16];
+    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
+    {
+        // SecRandomCopyBytes is available starting with Mac OS 10.7
+        // https://developer.apple.com/documentation/security/1399291-secrandomcopybytes?language=objc
+        // M1 processors started with Mac OS Big Sur 11
+        pub enum __SecRandom {}
+        pub type SecRandomRef = *const __SecRandom;
+
+        #[link(name = "Security", kind = "framework")]
+        extern "C" {
+            pub static kSecRandomDefault: SecRandomRef;
+
+            pub fn SecRandomCopyBytes(
+                rnd: SecRandomRef,
+                count: usize,
+                bytes: *mut libc::c_void,
+            ) -> c_int;
+        }
+        unsafe {
+            let err = SecRandomCopyBytes(kSecRandomDefault, 16, buf.as_ptr() as *mut libc::c_void);
+            if err == 0 {
+                return 1;
+            }
+        }
+    }
    if let Ok(mut random) = std::fs::File::open("/dev/random") {
        if let Ok(16) = random.read(buf) {
            return -1;