/src/boringssl/crypto/rand_extra/urandom.c

Source (jump to first uncovered line)
/* Copyright (c) 2014, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

#if !defined(_GNU_SOURCE)
#define _GNU_SOURCE  // needed for syscall() on Linux.
#endif

#include <openssl/rand.h>

#include "../bcm_support.h"
#include "sysrand_internal.h"

#if defined(OPENSSL_RAND_URANDOM)

#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(OPENSSL_LINUX)
#if defined(BORINGSSL_FIPS)
#include <linux/random.h>
#include <sys/ioctl.h>
#endif
#include <sys/syscall.h>

#if defined(OPENSSL_ANDROID)
#include <sys/system_properties.h>
#endif

#if !defined(OPENSSL_ANDROID)
#define OPENSSL_HAS_GETAUXVAL
#endif
// glibc prior to 2.16 does not have getauxval and sys/auxv.h. Android has some
// host builds (i.e. not building for Android itself, so |OPENSSL_ANDROID| is
// unset) which are still using a 2.15 sysroot.
//
// TODO(davidben): Remove this once Android updates their sysroot.
#if defined(__GLIBC_PREREQ)
#if !__GLIBC_PREREQ(2, 16)
#undef OPENSSL_HAS_GETAUXVAL
#endif
#endif
#if defined(OPENSSL_HAS_GETAUXVAL)
#include <sys/auxv.h>
#endif
#endif  // OPENSSL_LINUX

#include <openssl/thread.h>
#include <openssl/mem.h>

#include "getrandom_fillin.h"
#include "../internal.h"


#if defined(USE_NR_getrandom)

#if defined(OPENSSL_MSAN)
void __msan_unpoison(void *, size_t);
#endif

static ssize_t boringssl_getrandom(void *buf, size_t buf_len, unsigned flags) {
  ssize_t ret;
  do {
    ret = syscall(__NR_getrandom, buf, buf_len, flags);
  } while (ret == -1 && errno == EINTR);

#if defined(OPENSSL_MSAN)
  if (ret > 0) {
    // MSAN doesn't recognise |syscall| and thus doesn't notice that we have
    // initialised the output buffer.
    __msan_unpoison(buf, ret);
  }
#endif  // OPENSSL_MSAN

  return ret;
}

#endif  // USE_NR_getrandom

// kHaveGetrandom in |urandom_fd| signals that |getrandom| or |getentropy| is
// available and should be used instead.
static const int kHaveGetrandom = -3;

// urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|.
static int urandom_fd;

#if defined(USE_NR_getrandom)

// getrandom_ready is one if |getrandom| had been initialized by the time
// |init_once| was called and zero otherwise.
static int getrandom_ready;

// extra_getrandom_flags_for_seed contains a value that is ORed into the flags
// for getrandom() when reading entropy for a seed.
static int extra_getrandom_flags_for_seed;

// On Android, check a system property to decide whether to set
// |extra_getrandom_flags_for_seed| otherwise they will default to zero.  If
// ro.oem_boringcrypto_hwrand is true then |extra_getrandom_flags_for_seed| will
// be set to GRND_RANDOM, causing all random data to be drawn from the same
// source as /dev/random.
static void maybe_set_extra_getrandom_flags(void) {
#if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
  char value[PROP_VALUE_MAX + 1];
  int length = __system_property_get("ro.boringcrypto.hwrand", value);
  if (length < 0 || length > PROP_VALUE_MAX) {
    return;
  }

  value[length] = 0;
  if (OPENSSL_strcasecmp(value, "true") == 0) {
    extra_getrandom_flags_for_seed = GRND_RANDOM;
  }
#endif
}

#endif  // USE_NR_getrandom

static CRYPTO_once_t rand_once = CRYPTO_ONCE_INIT;

// init_once initializes the state of this module to values previously
// requested. This is the only function that modifies |urandom_fd|, which may be
// read safely after calling the once.
static void init_once(void) {
#if defined(USE_NR_getrandom)
  int have_getrandom;
  uint8_t dummy;
  ssize_t getrandom_ret =
      boringssl_getrandom(&dummy, sizeof(dummy), GRND_NONBLOCK);
  if (getrandom_ret == 1) {
    getrandom_ready = 1;
    have_getrandom = 1;
  } else if (getrandom_ret == -1 && errno == EAGAIN) {
    // We have getrandom, but the entropy pool has not been initialized yet.
    have_getrandom = 1;
  } else if (getrandom_ret == -1 && errno == ENOSYS) {
    // Fallthrough to using /dev/urandom, below.
    have_getrandom = 0;
  } else {
    // Other errors are fatal.
    perror("getrandom");
    abort();
  }

  if (have_getrandom) {
    urandom_fd = kHaveGetrandom;
    maybe_set_extra_getrandom_flags();
    return;
  }
#endif  // USE_NR_getrandom

  // FIPS builds must support getrandom.
  //
  // Historically, only Android FIPS builds required getrandom, while Linux FIPS
  // builds had a /dev/urandom fallback which used RNDGETENTCNT as a poor
  // approximation for getrandom's blocking behavior. This is now removed, but
  // avoid making assumptions on this removal until March 2023, in case it needs
  // to be restored. This comment can be deleted after March 2023.
#if defined(BORINGSSL_FIPS)
  perror("getrandom not found");
  abort();
#endif

  int fd;
  do {
    fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
  } while (fd == -1 && errno == EINTR);

  if (fd < 0) {
    perror("failed to open /dev/urandom");
    abort();
  }

  urandom_fd = fd;
}

static CRYPTO_once_t wait_for_entropy_once = CRYPTO_ONCE_INIT;

static void wait_for_entropy(void) {
  int fd = urandom_fd;
  if (fd == kHaveGetrandom) {
    // |getrandom| and |getentropy| support blocking in |fill_with_entropy|
    // directly. For |getrandom|, we first probe with a non-blocking call to aid
    // debugging.
#if defined(USE_NR_getrandom)
    if (getrandom_ready) {
      // The entropy pool was already initialized in |init_once|.
      return;
    }

    uint8_t dummy;
    ssize_t getrandom_ret =
        boringssl_getrandom(&dummy, sizeof(dummy), GRND_NONBLOCK);
    if (getrandom_ret == -1 && errno == EAGAIN) {
      // Attempt to get the path of the current process to aid in debugging when
      // something blocks.
      const char *current_process = "<unknown>";
#if defined(OPENSSL_HAS_GETAUXVAL)
      const unsigned long getauxval_ret = getauxval(AT_EXECFN);
      if (getauxval_ret != 0) {
        current_process = (const char *)getauxval_ret;
      }
#endif

      fprintf(
          stderr,
          "%s: getrandom indicates that the entropy pool has not been "
          "initialized. Rather than continue with poor entropy, this process "
          "will block until entropy is available.\n",
          current_process);

      getrandom_ret =
          boringssl_getrandom(&dummy, sizeof(dummy), 0 /* no flags */);
    }

    if (getrandom_ret != 1) {
      perror("getrandom");
      abort();
    }
#endif  // USE_NR_getrandom
    return;
  }
}

// fill_with_entropy writes |len| bytes of entropy into |out|. It returns one
// on success and zero on error. If |block| is one, this function will block
// until the entropy pool is initialized. Otherwise, this function may fail,
// setting |errno| to |EAGAIN| if the entropy pool has not yet been initialized.
// If |seed| is one, this function will OR in the value of
// |*extra_getrandom_flags_for_seed()| when using |getrandom|.
static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
  if (len == 0) {
    return 1;
  }

#if defined(USE_NR_getrandom) || defined(FREEBSD_GETRANDOM)
  int getrandom_flags = 0;
  if (!block) {
    getrandom_flags |= GRND_NONBLOCK;
  }
#endif

#if defined (USE_NR_getrandom)
  if (seed) {
    getrandom_flags |= extra_getrandom_flags_for_seed;
  }
#endif

  CRYPTO_init_sysrand();
  if (block) {
    CRYPTO_once(&wait_for_entropy_once, wait_for_entropy);
  }

  // Clear |errno| so it has defined value if |read| or |getrandom|
  // "successfully" returns zero.
  errno = 0;
  while (len > 0) {
    ssize_t r;

    if (urandom_fd == kHaveGetrandom) {
#if defined(USE_NR_getrandom)
      r = boringssl_getrandom(out, len, getrandom_flags);
#else  // USE_NR_getrandom
      fprintf(stderr, "urandom fd corrupt.\n");
      abort();
#endif
    } else {
      do {
        r = read(urandom_fd, out, len);
      } while (r == -1 && errno == EINTR);
    }

    if (r <= 0) {
      return 0;
    }
    out += r;
    len -= r;
  }

  return 1;
}

void CRYPTO_init_sysrand(void) {
  CRYPTO_once(&rand_once, init_once);
}

// CRYPTO_sysrand puts |requested| random bytes into |out|.
void CRYPTO_sysrand(uint8_t *out, size_t requested) {
  if (!fill_with_entropy(out, requested, /*block=*/1, /*seed=*/0)) {
    perror("entropy fill failed");
    abort();
  }
}

void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {
  if (!fill_with_entropy(out, requested, /*block=*/1, /*seed=*/1)) {
    perror("entropy fill failed");
    abort();
  }
}

int CRYPTO_sysrand_if_available(uint8_t *out, size_t requested) {
  if (fill_with_entropy(out, requested, /*block=*/0, /*seed=*/0)) {
    return 1;
  } else if (errno == EAGAIN) {
    OPENSSL_memset(out, 0, requested);
    return 0;
  } else {
    perror("opportunistic entropy fill failed");
    abort();
  }
}

#endif  // OPENSSL_RAND_URANDOM

Coverage Report

Created: 2024-11-21 07:03

Line	Count	Source (jump to first uncovered line)
1		/* Copyright (c) 2014, Google Inc.
2		*
3		* Permission to use, copy, modify, and/or distribute this software for any
4		* purpose with or without fee is hereby granted, provided that the above
5		* copyright notice and this permission notice appear in all copies.
6		*
7		* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8		* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9		* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10		* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11		* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12		* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13		* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15		#if !defined(_GNU_SOURCE)
16		#define _GNU_SOURCE // needed for syscall() on Linux.
17		#endif
18
19		#include <openssl/rand.h>
20
21		#include "../bcm_support.h"
22		#include "sysrand_internal.h"
23
24		#if defined(OPENSSL_RAND_URANDOM)
25
26		#include <assert.h>
27		#include <errno.h>
28		#include <fcntl.h>
29		#include <stdio.h>
30		#include <string.h>
31		#include <unistd.h>
32
33		#if defined(OPENSSL_LINUX)
34		#if defined(BORINGSSL_FIPS)
35		#include <linux/random.h>
36		#include <sys/ioctl.h>
37		#endif
38		#include <sys/syscall.h>
39
40		#if defined(OPENSSL_ANDROID)
41		#include <sys/system_properties.h>
42		#endif
43
44		#if !defined(OPENSSL_ANDROID)
45		#define OPENSSL_HAS_GETAUXVAL
46		#endif
47		// glibc prior to 2.16 does not have getauxval and sys/auxv.h. Android has some
48		// host builds (i.e. not building for Android itself, so \|OPENSSL_ANDROID\| is
49		// unset) which are still using a 2.15 sysroot.
50		//
51		// TODO(davidben): Remove this once Android updates their sysroot.
52		#if defined(__GLIBC_PREREQ)
53		#if !__GLIBC_PREREQ(2, 16)
54		#undef OPENSSL_HAS_GETAUXVAL
55		#endif
56		#endif
57		#if defined(OPENSSL_HAS_GETAUXVAL)
58		#include <sys/auxv.h>
59		#endif
60		#endif // OPENSSL_LINUX
61
62		#include <openssl/thread.h>
63		#include <openssl/mem.h>
64
65		#include "getrandom_fillin.h"
66		#include "../internal.h"
67
68
69		#if defined(USE_NR_getrandom)
70
71		#if defined(OPENSSL_MSAN)
72		void __msan_unpoison(void *, size_t);
73		#endif
74
75	4	static ssize_t boringssl_getrandom(void *buf, size_t buf_len, unsigned flags) {
76	4	ssize_t ret;
77	4	do {
78	4	ret = syscall(__NR_getrandom, buf, buf_len, flags);
79	4	} while (ret == -1 && errno == EINTR);
80
81		#if defined(OPENSSL_MSAN)
82		if (ret > 0) {
83		// MSAN doesn't recognise \|syscall\| and thus doesn't notice that we have
84		// initialised the output buffer.
85		__msan_unpoison(buf, ret);
86		}
87		#endif // OPENSSL_MSAN
88
89	4	return ret;
90	4	}
91
92		#endif // USE_NR_getrandom
93
94		// kHaveGetrandom in \|urandom_fd\| signals that \|getrandom\| or \|getentropy\| is
95		// available and should be used instead.
96		static const int kHaveGetrandom = -3;
97
98		// urandom_fd is a file descriptor to /dev/urandom. It's protected by \|once\|.
99		static int urandom_fd;
100
101		#if defined(USE_NR_getrandom)
102
103		// getrandom_ready is one if \|getrandom\| had been initialized by the time
104		// \|init_once\| was called and zero otherwise.
105		static int getrandom_ready;
106
107		// extra_getrandom_flags_for_seed contains a value that is ORed into the flags
108		// for getrandom() when reading entropy for a seed.
109		static int extra_getrandom_flags_for_seed;
110
111		// On Android, check a system property to decide whether to set
112		// \|extra_getrandom_flags_for_seed\| otherwise they will default to zero. If
113		// ro.oem_boringcrypto_hwrand is true then \|extra_getrandom_flags_for_seed\| will
114		// be set to GRND_RANDOM, causing all random data to be drawn from the same
115		// source as /dev/random.
116	2	static void maybe_set_extra_getrandom_flags(void) {
117		#if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
118		char value[PROP_VALUE_MAX + 1];
119		int length = __system_property_get("ro.boringcrypto.hwrand", value);
120		if (length < 0 \|\| length > PROP_VALUE_MAX) {
121		return;
122		}
123
124		value[length] = 0;
125		if (OPENSSL_strcasecmp(value, "true") == 0) {
126		extra_getrandom_flags_for_seed = GRND_RANDOM;
127		}
128		#endif
129	2	}
130
131		#endif // USE_NR_getrandom
132
133		static CRYPTO_once_t rand_once = CRYPTO_ONCE_INIT;
134
135		// init_once initializes the state of this module to values previously
136		// requested. This is the only function that modifies \|urandom_fd\|, which may be
137		// read safely after calling the once.
138	2	static void init_once(void) {
139	2	#if defined(USE_NR_getrandom)
140	2	int have_getrandom;
141	2	uint8_t dummy;
142	2	ssize_t getrandom_ret =
143	2	boringssl_getrandom(&dummy, sizeof(dummy), GRND_NONBLOCK);
144	2	if (getrandom_ret == 1) {
145	2	getrandom_ready = 1;
146	2	have_getrandom = 1;
147	2	} else if (getrandom_ret == -1 && errno == EAGAIN) {
148		// We have getrandom, but the entropy pool has not been initialized yet.
149	0	have_getrandom = 1;
150	0	} else if (getrandom_ret == -1 && errno == ENOSYS) {
151		// Fallthrough to using /dev/urandom, below.
152	0	have_getrandom = 0;
153	0	} else {
154		// Other errors are fatal.
155	0	perror("getrandom");
156	0	abort();
157	0	}
158
159	2	if (have_getrandom) {
160	2	urandom_fd = kHaveGetrandom;
161	2	maybe_set_extra_getrandom_flags();
162	2	return;
163	2	}
164	0	#endif // USE_NR_getrandom
165
166		// FIPS builds must support getrandom.
167		//
168		// Historically, only Android FIPS builds required getrandom, while Linux FIPS
169		// builds had a /dev/urandom fallback which used RNDGETENTCNT as a poor
170		// approximation for getrandom's blocking behavior. This is now removed, but
171		// avoid making assumptions on this removal until March 2023, in case it needs
172		// to be restored. This comment can be deleted after March 2023.
173		#if defined(BORINGSSL_FIPS)
174		perror("getrandom not found");
175		abort();
176		#endif
177
178	0	int fd;
179	0	do {
180	0	fd = open("/dev/urandom", O_RDONLY \| O_CLOEXEC);
181	0	} while (fd == -1 && errno == EINTR);
182
183	0	if (fd < 0) {
184	0	perror("failed to open /dev/urandom");
185	0	abort();
186	0	}
187
188	0	urandom_fd = fd;
189	0	}
190
191		static CRYPTO_once_t wait_for_entropy_once = CRYPTO_ONCE_INIT;
192
193	2	static void wait_for_entropy(void) {
194	2	int fd = urandom_fd;
195	2	if (fd == kHaveGetrandom) {
196		// \|getrandom\| and \|getentropy\| support blocking in \|fill_with_entropy\|
197		// directly. For \|getrandom\|, we first probe with a non-blocking call to aid
198		// debugging.
199	2	#if defined(USE_NR_getrandom)
200	2	if (getrandom_ready) {
201		// The entropy pool was already initialized in \|init_once\|.
202	2	return;
203	2	}
204
205	0	uint8_t dummy;
206	0	ssize_t getrandom_ret =
207	0	boringssl_getrandom(&dummy, sizeof(dummy), GRND_NONBLOCK);
208	0	if (getrandom_ret == -1 && errno == EAGAIN) {
209		// Attempt to get the path of the current process to aid in debugging when
210		// something blocks.
211	0	const char *current_process = "<unknown>";
212	0	#if defined(OPENSSL_HAS_GETAUXVAL)
213	0	const unsigned long getauxval_ret = getauxval(AT_EXECFN);
214	0	if (getauxval_ret != 0) {
215	0	current_process = (const char *)getauxval_ret;
216	0	}
217	0	#endif
218
219	0	fprintf(
220	0	stderr,
221	0	"%s: getrandom indicates that the entropy pool has not been "
222	0	"initialized. Rather than continue with poor entropy, this process "
223	0	"will block until entropy is available.\n",
224	0	current_process);
225
226	0	getrandom_ret =
227	0	boringssl_getrandom(&dummy, sizeof(dummy), 0 /* no flags */);
228	0	}
229
230	0	if (getrandom_ret != 1) {
231	0	perror("getrandom");
232	0	abort();
233	0	}
234	0	#endif // USE_NR_getrandom
235	0	return;
236	0	}
237	2	}
238
239		// fill_with_entropy writes \|len\| bytes of entropy into \|out\|. It returns one
240		// on success and zero on error. If \|block\| is one, this function will block
241		// until the entropy pool is initialized. Otherwise, this function may fail,
242		// setting \|errno\| to \|EAGAIN\| if the entropy pool has not yet been initialized.
243		// If \|seed\| is one, this function will OR in the value of
244		// \|*extra_getrandom_flags_for_seed()\| when using \|getrandom\|.
245	2	static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
246	2	if (len == 0) {
247	0	return 1;
248	0	}
249
250	2	#if defined(USE_NR_getrandom) \|\| defined(FREEBSD_GETRANDOM)
251	2	int getrandom_flags = 0;
252	2	if (!block) {
253	0	getrandom_flags \|= GRND_NONBLOCK;
254	0	}
255	2	#endif
256
257	2	#if defined (USE_NR_getrandom)
258	2	if (seed) {
259	2	getrandom_flags \|= extra_getrandom_flags_for_seed;
260	2	}
261	2	#endif
262
263	2	CRYPTO_init_sysrand();
264	2	if (block) {
265	2	CRYPTO_once(&wait_for_entropy_once, wait_for_entropy);
266	2	}
267
268		// Clear \|errno\| so it has defined value if \|read\| or \|getrandom\|
269		// "successfully" returns zero.
270	2	errno = 0;
271	4	while (len > 0) {
272	2	ssize_t r;
273
274	2	if (urandom_fd == kHaveGetrandom) {
275	2	#if defined(USE_NR_getrandom)
276	2	r = boringssl_getrandom(out, len, getrandom_flags);
277		#else // USE_NR_getrandom
278		fprintf(stderr, "urandom fd corrupt.\n");
279		abort();
280		#endif
281	2	} else {
282	0	do {
283	0	r = read(urandom_fd, out, len);
284	0	} while (r == -1 && errno == EINTR);
285	0	}
286
287	2	if (r <= 0) {
288	0	return 0;
289	0	}
290	2	out += r;
291	2	len -= r;
292	2	}
293
294	2	return 1;
295	2	}
296
297	2	void CRYPTO_init_sysrand(void) {
298	2	CRYPTO_once(&rand_once, init_once);
299	2	}
300
301		// CRYPTO_sysrand puts \|requested\| random bytes into \|out\|.
302	0	void CRYPTO_sysrand(uint8_t *out, size_t requested) {
303	0	if (!fill_with_entropy(out, requested, /block=/1, /seed=/0)) {
304	0	perror("entropy fill failed");
305	0	abort();
306	0	}
307	0	}
308
309	2	void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {
310	2	if (!fill_with_entropy(out, requested, /block=/1, /seed=/1)) {
311	0	perror("entropy fill failed");
312	0	abort();
313	0	}
314	2	}
315
316	0	int CRYPTO_sysrand_if_available(uint8_t *out, size_t requested) {
317	0	if (fill_with_entropy(out, requested, /block=/0, /seed=/0)) {
318	0	return 1;
319	0	} else if (errno == EAGAIN) {
320	0	OPENSSL_memset(out, 0, requested);
321	0	return 0;
322	0	} else {
323	0	perror("opportunistic entropy fill failed");
324	0	abort();
325	0	}
326	0	}
327
328		#endif // OPENSSL_RAND_URANDOM