1 /* Copyright 2024 The BoringSSL Authors 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #ifndef OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H 16 #define OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H 17 18 #include <openssl/base.h> 19 20 #include <stdio.h> 21 22 // Provided by libcrypto, called from BCM 23 24 #if defined(__cplusplus) 25 extern "C" { 26 #endif 27 28 #if defined(OPENSSL_LINUX) 29 // On linux we use MADVISE instead of pthread_atfork(), due 30 // to concerns about clone() being used for address space 31 // duplication. 32 #define OPENSSL_FORK_DETECTION 33 #define OPENSSL_FORK_DETECTION_MADVISE 34 #elif defined(OPENSSL_MACOS) || defined(OPENSSL_IOS) || \ 35 defined(OPENSSL_OPENBSD) || defined(OPENSSL_FREEBSD) 36 // These platforms may detect address space duplication with pthread_atfork. 37 // iOS doesn't normally allow fork in apps, but it's there. 38 #define OPENSSL_FORK_DETECTION 39 #define OPENSSL_FORK_DETECTION_PTHREAD_ATFORK 40 #elif defined(OPENSSL_WINDOWS) || defined(OPENSSL_TRUSTY) || \ 41 defined(__ZEPHYR__) || defined(CROS_EC) 42 // These platforms do not fork. 43 #define OPENSSL_DOES_NOT_FORK 44 #endif 45 46 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) 47 #define OPENSSL_RAND_DETERMINISTIC 48 #elif defined(OPENSSL_TRUSTY) 49 #define OPENSSL_RAND_TRUSTY 50 #elif defined(OPENSSL_WINDOWS) 51 #define OPENSSL_RAND_WINDOWS 52 #elif defined(OPENSSL_LINUX) 53 #define OPENSSL_RAND_URANDOM 54 #elif defined(OPENSSL_APPLE) && !defined(OPENSSL_MACOS) 55 // Unlike macOS, iOS and similar hide away getentropy(). 56 #define OPENSSL_RAND_IOS 57 #else 58 // By default if you are integrating BoringSSL we expect you to 59 // provide getentropy from the <unistd.h> header file. 60 #define OPENSSL_RAND_GETENTROPY 61 #endif 62 63 // Provided by libcrypto, called from BCM 64 65 // CRYPTO_init_sysrand initializes long-lived resources needed to draw entropy 66 // from the operating system, if the operating system requires initialization. 67 void CRYPTO_init_sysrand(void); 68 69 // CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating 70 // system. 71 void CRYPTO_sysrand(uint8_t *buf, size_t len); 72 73 // CRYPTO_sysrand_if_available fills |len| bytes at |buf| with entropy from the 74 // operating system, or early /dev/urandom data, and returns 1, _if_ the entropy 75 // pool is initialized or if getrandom() is not available and not in FIPS mode. 76 // Otherwise it will not block and will instead fill |buf| with all zeros and 77 // return 0. 78 int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len); 79 80 // CRYPTO_sysrand_for_seed fills |len| bytes at |buf| with entropy from the 81 // operating system. It may draw from the |GRND_RANDOM| pool on Android, 82 // depending on the vendor's configuration. 83 void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len); 84 85 // RAND_need_entropy is called whenever the BCM module has stopped because it 86 // has run out of entropy. 87 void RAND_need_entropy(size_t bytes_needed); 88 89 // crypto_get_fork_generation returns the fork generation number for the current 90 // process, or zero if not supported on the platform. The fork generation number 91 // is a non-zero, strictly-monotonic counter with the property that, if queried 92 // in an address space and then again in a subsequently forked copy, the forked 93 // address space will observe a greater value. 94 // 95 // This function may be used to clear cached values across a fork. When 96 // initializing a cache, record the fork generation. Before using the cache, 97 // check if the fork generation has changed. If so, drop the cache and update 98 // the save fork generation. Note this logic transparently handles platforms 99 // which always return zero. 100 // 101 // This is not reliably supported on all platforms which implement |fork|, so it 102 // should only be used as a hardening measure. 103 OPENSSL_EXPORT uint64_t CRYPTO_get_fork_generation(void); 104 105 // CRYPTO_fork_detect_force_madv_wipeonfork_for_testing is an internal detail 106 // used for testing purposes. 107 OPENSSL_EXPORT void CRYPTO_fork_detect_force_madv_wipeonfork_for_testing( 108 int on); 109 110 // CRYPTO_get_stderr returns stderr. This function exists to avoid BCM needing 111 // a data dependency on libc. 112 FILE *CRYPTO_get_stderr(void); 113 114 115 #if defined(__cplusplus) 116 } // extern C 117 #endif 118 119 #endif // OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H 120