1 /* Copyright 2014 The BoringSSL Authors
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #if !defined(_GNU_SOURCE)
16 #define _GNU_SOURCE // needed for syscall() on Linux.
17 #endif
18
19 #include <openssl/rand.h>
20
21 #include "../bcm_support.h"
22 #include "sysrand_internal.h"
23
24 #if defined(OPENSSL_RAND_URANDOM)
25
26 #include <assert.h>
27 #include <errno.h>
28 #include <fcntl.h>
29 #include <stdio.h>
30 #include <string.h>
31 #include <unistd.h>
32
33 #if defined(OPENSSL_LINUX)
34 #if defined(BORINGSSL_FIPS)
35 #include <linux/random.h>
36 #include <sys/ioctl.h>
37 #endif
38 #include <sys/syscall.h>
39
40 #if defined(OPENSSL_ANDROID)
41 #include <sys/system_properties.h>
42 #endif
43
44 #if !defined(OPENSSL_ANDROID)
45 #define OPENSSL_HAS_GETAUXVAL
46 #endif
47 // glibc prior to 2.16 does not have getauxval and sys/auxv.h. Android has some
48 // host builds (i.e. not building for Android itself, so |OPENSSL_ANDROID| is
49 // unset) which are still using a 2.15 sysroot.
50 //
51 // TODO(davidben): Remove this once Android updates their sysroot.
52 #if defined(__GLIBC_PREREQ)
53 #if !__GLIBC_PREREQ(2, 16)
54 #undef OPENSSL_HAS_GETAUXVAL
55 #endif
56 #endif
57 #if defined(OPENSSL_HAS_GETAUXVAL)
58 #include <sys/auxv.h>
59 #endif
60 #endif // OPENSSL_LINUX
61
62 #include <openssl/mem.h>
63 #include <openssl/thread.h>
64
65 #include "../internal.h"
66 #include "getrandom_fillin.h"
67
68
69 #if defined(USE_NR_getrandom)
70
71 #if defined(OPENSSL_MSAN)
72 extern "C" {
73 void __msan_unpoison(void *, size_t);
74 }
75 #endif
76
boringssl_getrandom(void * buf,size_t buf_len,unsigned flags)77 static ssize_t boringssl_getrandom(void *buf, size_t buf_len, unsigned flags) {
78 ssize_t ret;
79 do {
80 ret = syscall(__NR_getrandom, buf, buf_len, flags);
81 } while (ret == -1 && errno == EINTR);
82
83 #if defined(OPENSSL_MSAN)
84 if (ret > 0) {
85 // MSAN doesn't recognise |syscall| and thus doesn't notice that we have
86 // initialised the output buffer.
87 __msan_unpoison(buf, ret);
88 }
89 #endif // OPENSSL_MSAN
90
91 return ret;
92 }
93
94 #endif // USE_NR_getrandom
95
96 // kHaveGetrandom in |urandom_fd| signals that |getrandom| or |getentropy| is
97 // available and should be used instead.
98 static const int kHaveGetrandom = -3;
99
100 // urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|.
101 static int urandom_fd;
102
103 #if defined(USE_NR_getrandom)
104
105 // getrandom_ready is one if |getrandom| had been initialized by the time
106 // |init_once| was called and zero otherwise.
107 static int getrandom_ready;
108
109 // extra_getrandom_flags_for_seed contains a value that is ORed into the flags
110 // for getrandom() when reading entropy for a seed.
111 static int extra_getrandom_flags_for_seed;
112
113 // On Android, check a system property to decide whether to set
114 // |extra_getrandom_flags_for_seed| otherwise they will default to zero. If
115 // ro.oem_boringcrypto_hwrand is true then |extra_getrandom_flags_for_seed| will
116 // be set to GRND_RANDOM, causing all random data to be drawn from the same
117 // source as /dev/random.
maybe_set_extra_getrandom_flags(void)118 static void maybe_set_extra_getrandom_flags(void) {
119 #if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
120 char value[PROP_VALUE_MAX + 1];
121 int length = __system_property_get("ro.boringcrypto.hwrand", value);
122 if (length < 0 || length > PROP_VALUE_MAX) {
123 return;
124 }
125
126 value[length] = 0;
127 if (OPENSSL_strcasecmp(value, "true") == 0) {
128 extra_getrandom_flags_for_seed = GRND_RANDOM;
129 }
130 #endif
131 }
132
133 #endif // USE_NR_getrandom
134
135 static CRYPTO_once_t rand_once = CRYPTO_ONCE_INIT;
136
137 // init_once initializes the state of this module to values previously
138 // requested. This is the only function that modifies |urandom_fd|, which may be
139 // read safely after calling the once.
init_once(void)140 static void init_once(void) {
141 #if defined(USE_NR_getrandom)
142 int have_getrandom;
143 uint8_t dummy;
144 ssize_t getrandom_ret =
145 boringssl_getrandom(&dummy, sizeof(dummy), GRND_NONBLOCK);
146 if (getrandom_ret == 1) {
147 getrandom_ready = 1;
148 have_getrandom = 1;
149 } else if (getrandom_ret == -1 && errno == EAGAIN) {
150 // We have getrandom, but the entropy pool has not been initialized yet.
151 have_getrandom = 1;
152 } else if (getrandom_ret == -1 && errno == ENOSYS) {
153 // Fallthrough to using /dev/urandom, below.
154 have_getrandom = 0;
155 } else {
156 // Other errors are fatal.
157 perror("getrandom");
158 abort();
159 }
160
161 if (have_getrandom) {
162 urandom_fd = kHaveGetrandom;
163 maybe_set_extra_getrandom_flags();
164 return;
165 }
166 #endif // USE_NR_getrandom
167
168 // FIPS builds must support getrandom.
169 //
170 // Historically, only Android FIPS builds required getrandom, while Linux FIPS
171 // builds had a /dev/urandom fallback which used RNDGETENTCNT as a poor
172 // approximation for getrandom's blocking behavior. This is now removed, but
173 // avoid making assumptions on this removal until March 2023, in case it needs
174 // to be restored. This comment can be deleted after March 2023.
175 #if defined(BORINGSSL_FIPS)
176 perror("getrandom not found");
177 abort();
178 #endif
179
180 int fd;
181 do {
182 fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
183 } while (fd == -1 && errno == EINTR);
184
185 if (fd < 0) {
186 perror("failed to open /dev/urandom");
187 abort();
188 }
189
190 urandom_fd = fd;
191 }
192
193 static CRYPTO_once_t wait_for_entropy_once = CRYPTO_ONCE_INIT;
194
wait_for_entropy(void)195 static void wait_for_entropy(void) {
196 int fd = urandom_fd;
197 if (fd == kHaveGetrandom) {
198 // |getrandom| and |getentropy| support blocking in |fill_with_entropy|
199 // directly. For |getrandom|, we first probe with a non-blocking call to aid
200 // debugging.
201 #if defined(USE_NR_getrandom)
202 if (getrandom_ready) {
203 // The entropy pool was already initialized in |init_once|.
204 return;
205 }
206
207 uint8_t dummy;
208 ssize_t getrandom_ret =
209 boringssl_getrandom(&dummy, sizeof(dummy), GRND_NONBLOCK);
210 if (getrandom_ret == -1 && errno == EAGAIN) {
211 // Attempt to get the path of the current process to aid in debugging when
212 // something blocks.
213 const char *current_process = "<unknown>";
214 #if defined(OPENSSL_HAS_GETAUXVAL)
215 const unsigned long getauxval_ret = getauxval(AT_EXECFN);
216 if (getauxval_ret != 0) {
217 current_process = (const char *)getauxval_ret;
218 }
219 #endif
220
221 fprintf(
222 stderr,
223 "%s: getrandom indicates that the entropy pool has not been "
224 "initialized. Rather than continue with poor entropy, this process "
225 "will block until entropy is available.\n",
226 current_process);
227
228 getrandom_ret =
229 boringssl_getrandom(&dummy, sizeof(dummy), 0 /* no flags */);
230 }
231
232 if (getrandom_ret != 1) {
233 perror("getrandom");
234 abort();
235 }
236 #endif // USE_NR_getrandom
237 return;
238 }
239 }
240
241 // fill_with_entropy writes |len| bytes of entropy into |out|. It returns one
242 // on success and zero on error. If |block| is one, this function will block
243 // until the entropy pool is initialized. Otherwise, this function may fail,
244 // setting |errno| to |EAGAIN| if the entropy pool has not yet been initialized.
245 // If |seed| is one, this function will OR in the value of
246 // |*extra_getrandom_flags_for_seed()| when using |getrandom|.
fill_with_entropy(uint8_t * out,size_t len,int block,int seed)247 static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
248 if (len == 0) {
249 return 1;
250 }
251
252 #if defined(USE_NR_getrandom) || defined(FREEBSD_GETRANDOM)
253 int getrandom_flags = 0;
254 if (!block) {
255 getrandom_flags |= GRND_NONBLOCK;
256 }
257 #endif
258
259 #if defined(USE_NR_getrandom)
260 if (seed) {
261 getrandom_flags |= extra_getrandom_flags_for_seed;
262 }
263 #endif
264
265 CRYPTO_init_sysrand();
266 if (block) {
267 CRYPTO_once(&wait_for_entropy_once, wait_for_entropy);
268 }
269
270 // Clear |errno| so it has defined value if |read| or |getrandom|
271 // "successfully" returns zero.
272 errno = 0;
273 while (len > 0) {
274 ssize_t r;
275
276 if (urandom_fd == kHaveGetrandom) {
277 #if defined(USE_NR_getrandom)
278 r = boringssl_getrandom(out, len, getrandom_flags);
279 #else // USE_NR_getrandom
280 fprintf(stderr, "urandom fd corrupt.\n");
281 abort();
282 #endif
283 } else {
284 do {
285 r = read(urandom_fd, out, len);
286 } while (r == -1 && errno == EINTR);
287 }
288
289 if (r <= 0) {
290 return 0;
291 }
292 out += r;
293 len -= r;
294 }
295
296 return 1;
297 }
298
CRYPTO_init_sysrand(void)299 void CRYPTO_init_sysrand(void) { CRYPTO_once(&rand_once, init_once); }
300
301 // CRYPTO_sysrand puts |requested| random bytes into |out|.
CRYPTO_sysrand(uint8_t * out,size_t requested)302 void CRYPTO_sysrand(uint8_t *out, size_t requested) {
303 if (!fill_with_entropy(out, requested, /*block=*/1, /*seed=*/0)) {
304 perror("entropy fill failed");
305 abort();
306 }
307 }
308
CRYPTO_sysrand_for_seed(uint8_t * out,size_t requested)309 void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {
310 if (!fill_with_entropy(out, requested, /*block=*/1, /*seed=*/1)) {
311 perror("entropy fill failed");
312 abort();
313 }
314 }
315
CRYPTO_sysrand_if_available(uint8_t * out,size_t requested)316 int CRYPTO_sysrand_if_available(uint8_t *out, size_t requested) {
317 if (fill_with_entropy(out, requested, /*block=*/0, /*seed=*/0)) {
318 return 1;
319 } else if (errno == EAGAIN) {
320 OPENSSL_memset(out, 0, requested);
321 return 0;
322 } else {
323 perror("opportunistic entropy fill failed");
324 abort();
325 }
326 }
327
328 #endif // OPENSSL_RAND_URANDOM
329