/* Copyright (c) 2014, Google Inc. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #if !defined(_GNU_SOURCE) #define _GNU_SOURCE // needed for syscall() on Linux. #endif #include <openssl/rand.h> #if !defined(OPENSSL_WINDOWS) && !defined(OPENSSL_FUCHSIA) && \ !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) && !defined(OPENSSL_TRUSTY) #include <assert.h> #include <errno.h> #include <fcntl.h> #include <stdio.h> #include <string.h> #include <unistd.h> #if defined(OPENSSL_LINUX) #if defined(BORINGSSL_FIPS) #include <linux/random.h> #include <sys/ioctl.h> #endif #include <sys/syscall.h> #endif #include <openssl/thread.h> #include <openssl/mem.h> #include "internal.h" #include "../delocate.h" #include "../../internal.h" #if defined(OPENSSL_LINUX) #if defined(OPENSSL_X86_64) #define EXPECTED_NR_getrandom 318 #elif defined(OPENSSL_X86) #define EXPECTED_NR_getrandom 355 #elif defined(OPENSSL_AARCH64) #define EXPECTED_NR_getrandom 278 #elif defined(OPENSSL_ARM) #define EXPECTED_NR_getrandom 384 #elif defined(OPENSSL_PPC64LE) #define EXPECTED_NR_getrandom 359 #endif #if defined(EXPECTED_NR_getrandom) #define USE_NR_getrandom #if defined(__NR_getrandom) #if __NR_getrandom != EXPECTED_NR_getrandom #error "system call number for getrandom is not the expected value" #endif #else // __NR_getrandom #define __NR_getrandom EXPECTED_NR_getrandom #endif // __NR_getrandom #endif // EXPECTED_NR_getrandom #if !defined(GRND_NONBLOCK) #define GRND_NONBLOCK 1 #endif #endif // OPENSSL_LINUX // rand_lock is used to protect the |*_requested| variables. DEFINE_STATIC_MUTEX(rand_lock); // The following constants are magic values of |urandom_fd|. static const int kUnset = 0; static const int kHaveGetrandom = -3; // urandom_fd_requested is set by |RAND_set_urandom_fd|. It's protected by // |rand_lock|. DEFINE_BSS_GET(int, urandom_fd_requested); // urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|. DEFINE_BSS_GET(int, urandom_fd); DEFINE_STATIC_ONCE(rand_once); #if defined(USE_NR_getrandom) || defined(BORINGSSL_FIPS) // message writes |msg| to stderr. We use this because referencing |stderr| // with |fprintf| generates relocations, which is a problem inside the FIPS // module. static void message(const char *msg) { ssize_t r; do { r = write(2, msg, strlen(msg)); } while (r == -1 && errno == EINTR); } #endif // init_once initializes the state of this module to values previously // requested. This is the only function that modifies |urandom_fd| and // |urandom_buffering|, whose values may be read safely after calling the // once. static void init_once(void) { CRYPTO_STATIC_MUTEX_lock_read(rand_lock_bss_get()); int fd = *urandom_fd_requested_bss_get(); CRYPTO_STATIC_MUTEX_unlock_read(rand_lock_bss_get()); #if defined(USE_NR_getrandom) uint8_t dummy; long getrandom_ret = syscall(__NR_getrandom, &dummy, sizeof(dummy), GRND_NONBLOCK); if (getrandom_ret == 1) { *urandom_fd_bss_get() = kHaveGetrandom; return; } else if (getrandom_ret == -1 && errno == EAGAIN) { message( "getrandom indicates that the entropy pool has not been initialized. " "Rather than continue with poor entropy, this process will block until " "entropy is available.\n"); do { getrandom_ret = syscall(__NR_getrandom, &dummy, sizeof(dummy), 0 /* no flags */); } while (getrandom_ret == -1 && errno == EINTR); if (getrandom_ret == 1) { *urandom_fd_bss_get() = kHaveGetrandom; return; } } #endif // USE_NR_getrandom if (fd == kUnset) { do { fd = open("/dev/urandom", O_RDONLY); } while (fd == -1 && errno == EINTR); } if (fd < 0) { abort(); } assert(kUnset == 0); if (fd == kUnset) { // Because we want to keep |urandom_fd| in the BSS, we have to initialise // it to zero. But zero is a valid file descriptor too. Thus if open // returns zero for /dev/urandom, we dup it to get a non-zero number. fd = dup(fd); close(kUnset); if (fd <= 0) { abort(); } } #if defined(BORINGSSL_FIPS) // In FIPS mode we ensure that the kernel has sufficient entropy before // continuing. This is automatically handled by getrandom, which requires // that the entropy pool has been initialised, but for urandom we have to // poll. for (;;) { int entropy_bits; if (ioctl(fd, RNDGETENTCNT, &entropy_bits)) { message( "RNDGETENTCNT on /dev/urandom failed. We cannot continue in this " "case when in FIPS mode.\n"); abort(); } static const int kBitsNeeded = 256; if (entropy_bits >= kBitsNeeded) { break; } usleep(250000); } #endif int flags = fcntl(fd, F_GETFD); if (flags == -1) { // Native Client doesn't implement |fcntl|. if (errno != ENOSYS) { abort(); } } else { flags |= FD_CLOEXEC; if (fcntl(fd, F_SETFD, flags) == -1) { abort(); } } *urandom_fd_bss_get() = fd; } void RAND_set_urandom_fd(int fd) { fd = dup(fd); if (fd < 0) { abort(); } assert(kUnset == 0); if (fd == kUnset) { // Because we want to keep |urandom_fd| in the BSS, we have to initialise // it to zero. But zero is a valid file descriptor too. Thus if dup // returned zero we dup it again to get a non-zero number. fd = dup(fd); close(kUnset); if (fd <= 0) { abort(); } } CRYPTO_STATIC_MUTEX_lock_write(rand_lock_bss_get()); *urandom_fd_requested_bss_get() = fd; CRYPTO_STATIC_MUTEX_unlock_write(rand_lock_bss_get()); CRYPTO_once(rand_once_bss_get(), init_once); if (*urandom_fd_bss_get() == kHaveGetrandom) { close(fd); } else if (*urandom_fd_bss_get() != fd) { abort(); // Already initialized. } } #if defined(USE_NR_getrandom) && defined(OPENSSL_MSAN) void __msan_unpoison(void *, size_t); #endif // fill_with_entropy writes |len| bytes of entropy into |out|. It returns one // on success and zero on error. static char fill_with_entropy(uint8_t *out, size_t len) { while (len > 0) { ssize_t r; if (*urandom_fd_bss_get() == kHaveGetrandom) { #if defined(USE_NR_getrandom) do { r = syscall(__NR_getrandom, out, len, 0 /* no flags */); } while (r == -1 && errno == EINTR); #if defined(OPENSSL_MSAN) if (r > 0) { // MSAN doesn't recognise |syscall| and thus doesn't notice that we // have initialised the output buffer. __msan_unpoison(out, r); } #endif // OPENSSL_MSAN #else // USE_NR_getrandom abort(); #endif } else { do { r = read(*urandom_fd_bss_get(), out, len); } while (r == -1 && errno == EINTR); } if (r <= 0) { return 0; } out += r; len -= r; } return 1; } // CRYPTO_sysrand puts |requested| random bytes into |out|. void CRYPTO_sysrand(uint8_t *out, size_t requested) { if (requested == 0) { return; } CRYPTO_once(rand_once_bss_get(), init_once); if (!fill_with_entropy(out, requested)) { abort(); } #if defined(BORINGSSL_FIPS_BREAK_CRNG) // This breaks the "continuous random number generator test" defined in FIPS // 140-2, section 4.9.2, and implemented in rand_get_seed(). OPENSSL_memset(out, 0, requested); #endif } #endif /* !OPENSSL_WINDOWS && !defined(OPENSSL_FUCHSIA) && \ !BORINGSSL_UNSAFE_DETERMINISTIC_MODE && !OPENSSL_TRUSTY */