Botan 3.12.0
Crypto and TLS for C&
system_rng.cpp
Go to the documentation of this file.
1/*
2* System RNG
3* (C) 2014,2015,2017,2018,2022 Jack Lloyd
4* (C) 2021 Tom Crowley
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/system_rng.h>
10
11#include <botan/assert.h>
12#include <botan/exceptn.h>
13#include <botan/internal/target_info.h>
14
15#if defined(BOTAN_TARGET_OS_HAS_WIN32)
16 #define NOMINMAX 1
17 #define _WINSOCKAPI_ // stop windows.h including winsock.h
18 #include <windows.h>
19#endif
20
21#if defined(BOTAN_TARGET_OS_HAS_RTLGENRANDOM)
22 #include <botan/internal/dyn_load.h>
23 #include <limits>
24#elif defined(BOTAN_TARGET_OS_HAS_CRYPTO_NG)
25 #include <bcrypt.h>
26 #include <windows.h>
27#elif defined(BOTAN_TARGET_OS_HAS_CCRANDOM)
28 #include <CommonCrypto/CommonRandom.h>
29#elif defined(BOTAN_TARGET_OS_HAS_ARC4RANDOM)
30 #include <stdlib.h>
31#elif defined(BOTAN_TARGET_OS_HAS_GETRANDOM)
32 #include <errno.h>
33 #include <sys/random.h>
34 #include <sys/syscall.h>
35 #include <unistd.h>
36#elif defined(BOTAN_TARGET_OS_HAS_DEV_RANDOM)
37 #include <errno.h>
38 #include <fcntl.h>
39 #include <unistd.h>
40#endif
41
42namespace Botan {
43
44namespace {
45
46#if defined(BOTAN_TARGET_OS_HAS_RTLGENRANDOM)
47
48class System_RNG_Impl final : public RandomNumberGenerator {
49 public:
50 System_RNG_Impl() : m_advapi("advapi32.dll") {
51 // This throws if the function is not found
52 m_rtlgenrandom = m_advapi.resolve<RtlGenRandom_fptr>("SystemFunction036");
53 }
54
55 System_RNG_Impl(const System_RNG_Impl& other) = delete;
56 System_RNG_Impl(System_RNG_Impl&& other) = delete;
57 System_RNG_Impl& operator=(const System_RNG_Impl& other) = delete;
58 System_RNG_Impl& operator=(System_RNG_Impl&& other) = delete;
59
60 bool is_seeded() const override { return true; }
61
62 bool accepts_input() const override { return false; }
63
64 void clear() override { /* not possible */
65 }
66
67 std::string name() const override { return "RtlGenRandom"; }
68
69 private:
70 void fill_bytes_with_input(std::span<uint8_t> output, std::span<const uint8_t> /* ignored */) override {
71 const size_t limit = std::numeric_limits<ULONG>::max();
72
73 uint8_t* pData = output.data();
74 size_t bytesLeft = output.size();
75 while(bytesLeft > 0) {
76 const ULONG blockSize = static_cast<ULONG>(std::min(bytesLeft, limit));
77
78 const bool success = m_rtlgenrandom(pData, blockSize) == TRUE;
79 if(!success) {
80 throw System_Error("RtlGenRandom failed");
81 }
82
83 BOTAN_ASSERT(bytesLeft >= blockSize, "Block is oversized");
84 bytesLeft -= blockSize;
85 pData += blockSize;
86 }
87 }
88
89 private:
90 using RtlGenRandom_fptr = BOOLEAN(NTAPI*)(PVOID, ULONG);
91
92 Dynamically_Loaded_Library m_advapi;
93 RtlGenRandom_fptr m_rtlgenrandom;
94};
95
96#elif defined(BOTAN_TARGET_OS_HAS_CRYPTO_NG)
97
98class System_RNG_Impl final : public RandomNumberGenerator {
99 public:
100 System_RNG_Impl() {
101 auto ret = ::BCryptOpenAlgorithmProvider(&m_prov, BCRYPT_RNG_ALGORITHM, MS_PRIMITIVE_PROVIDER, 0);
102 if(!BCRYPT_SUCCESS(ret)) {
103 throw System_Error("System_RNG failed to acquire crypto provider", ret);
104 }
105 }
106
107 System_RNG_Impl(const System_RNG_Impl& other) = delete;
108 System_RNG_Impl(System_RNG_Impl&& other) = delete;
109 System_RNG_Impl& operator=(const System_RNG_Impl& other) = delete;
110 System_RNG_Impl& operator=(System_RNG_Impl&& other) = delete;
111
112 ~System_RNG_Impl() override { ::BCryptCloseAlgorithmProvider(m_prov, 0); }
113
114 bool is_seeded() const override { return true; }
115
116 bool accepts_input() const override { return false; }
117
118 void clear() override { /* not possible */
119 }
120
121 std::string name() const override { return "crypto_ng"; }
122
123 private:
124 void fill_bytes_with_input(std::span<uint8_t> output, std::span<const uint8_t> /* ignored */) override {
125 /*
126 There is a flag BCRYPT_RNG_USE_ENTROPY_IN_BUFFER to provide
127 entropy inputs, but it is ignored in Windows 8 and later.
128 */
129
130 const size_t limit = std::numeric_limits<ULONG>::max();
131
132 uint8_t* pData = output.data();
133 size_t bytesLeft = output.size();
134 while(bytesLeft > 0) {
135 const ULONG blockSize = static_cast<ULONG>(std::min(bytesLeft, limit));
136
137 auto ret = BCryptGenRandom(m_prov, static_cast<PUCHAR>(pData), blockSize, 0);
138 if(!BCRYPT_SUCCESS(ret)) {
139 throw System_Error("System_RNG call to BCryptGenRandom failed", ret);
140 }
141
142 BOTAN_ASSERT(bytesLeft >= blockSize, "Block is oversized");
143 bytesLeft -= blockSize;
144 pData += blockSize;
145 }
146 }
147
148 private:
149 BCRYPT_ALG_HANDLE m_prov;
150};
151
152#elif defined(BOTAN_TARGET_OS_HAS_CCRANDOM)
153
154class System_RNG_Impl final : public RandomNumberGenerator {
155 public:
156 bool accepts_input() const override { return false; }
157
158 bool is_seeded() const override { return true; }
159
160 void clear() override { /* not possible */
161 }
162
163 std::string name() const override { return "CCRandomGenerateBytes"; }
164
165 private:
166 void fill_bytes_with_input(std::span<uint8_t> output, std::span<const uint8_t> /* ignored */) override {
167 if(::CCRandomGenerateBytes(output.data(), output.size()) != kCCSuccess) {
168 throw System_Error("System_RNG CCRandomGenerateBytes failed", errno);
169 }
170 }
171};
172
173#elif defined(BOTAN_TARGET_OS_HAS_ARC4RANDOM)
174
175class System_RNG_Impl final : public RandomNumberGenerator {
176 public:
177 // No constructor or destructor needed as no userland state maintained
178
179 bool accepts_input() const override { return false; }
180
181 bool is_seeded() const override { return true; }
182
183 void clear() override { /* not possible */
184 }
185
186 std::string name() const override { return "arc4random"; }
187
188 private:
189 void fill_bytes_with_input(std::span<uint8_t> output, std::span<const uint8_t> /* ignored */) override {
190 // macOS 10.15 arc4random crashes if called with buf == nullptr && len == 0
191 // however it uses ccrng_generate internally which returns a status, ignored
192 // to respect arc4random "no-fail" interface contract
193 if(!output.empty()) {
194 ::arc4random_buf(output.data(), output.size());
195 }
196 }
197};
198
199#elif defined(BOTAN_TARGET_OS_HAS_GETRANDOM)
200
201class System_RNG_Impl final : public RandomNumberGenerator {
202 public:
203 // No constructor or destructor needed as no userland state maintained
204
205 bool accepts_input() const override { return false; }
206
207 bool is_seeded() const override { return true; }
208
209 void clear() override { /* not possible */
210 }
211
212 std::string name() const override { return "getrandom"; }
213
214 private:
215 void fill_bytes_with_input(std::span<uint8_t> output, std::span<const uint8_t> /* ignored */) override {
216 const unsigned int flags = 0;
217
218 uint8_t* buf = output.data();
219 size_t len = output.size();
220 while(len > 0) {
221 #if defined(__GLIBC__) && __GLIBC__ == 2 && __GLIBC_MINOR__ < 25
222 const ssize_t got = ::syscall(SYS_getrandom, buf, len, flags);
223 #else
224 const ssize_t got = ::getrandom(buf, len, flags);
225 #endif
226
227 if(got < 0) {
228 if(errno == EINTR) {
229 continue;
230 }
231 throw System_Error("System_RNG getrandom failed", errno);
232 }
233
234 if(got == 0) {
235 throw System_Error("System_RNG getrandom unexpectedly returned 0");
236 }
237
238 buf += got;
239 len -= got;
240 }
241 }
242};
243
244#elif defined(BOTAN_TARGET_OS_HAS_DEV_RANDOM)
245
246// Read a random device
247
248class System_RNG_Impl final : public RandomNumberGenerator {
249 public:
250 System_RNG_Impl() {
251 #ifndef O_NOCTTY
252 #define O_NOCTTY 0
253 #endif
254
255 /*
256 * First open /dev/random and read one byte. On old Linux kernels
257 * this blocks the RNG until we have been actually seeded.
258 */
259 m_fd = ::open("/dev/random", O_RDONLY | O_NOCTTY);
260 if(m_fd < 0)
261 throw System_Error("System_RNG failed to open RNG device", errno);
262
263 uint8_t b;
264 const size_t got = ::read(m_fd, &b, 1);
265 ::close(m_fd);
266
267 if(got != 1)
268 throw System_Error("System_RNG failed to read blocking RNG device");
269
270 m_fd = ::open("/dev/urandom", O_RDWR | O_NOCTTY);
271
272 if(m_fd >= 0) {
273 m_writable = true;
274 } else {
275 /*
276 Cannot open in read-write mode. Fall back to read-only,
277 calls to add_entropy will fail, but randomize will work
278 */
279 m_fd = ::open("/dev/urandom", O_RDONLY | O_NOCTTY);
280 m_writable = false;
281 }
282
283 if(m_fd < 0)
284 throw System_Error("System_RNG failed to open RNG device", errno);
285 }
286
287 System_RNG_Impl(const System_RNG_Impl& other) = delete;
288 System_RNG_Impl(System_RNG_Impl&& other) = delete;
289 System_RNG_Impl& operator=(const System_RNG_Impl& other) = delete;
290 System_RNG_Impl& operator=(System_RNG_Impl&& other) = delete;
291
292 ~System_RNG_Impl() override {
293 ::close(m_fd);
294 m_fd = -1;
295 }
296
297 bool is_seeded() const override { return true; }
298
299 bool accepts_input() const override { return m_writable; }
300
301 void clear() override { /* not possible */
302 }
303
304 std::string name() const override { return "urandom"; }
305
306 private:
307 void fill_bytes_with_input(std::span<uint8_t> output, std::span<const uint8_t> /* ignored */) override;
308 void maybe_write_entropy(std::span<const uint8_t> input);
309
310 private:
311 int m_fd;
312 bool m_writable;
313};
314
315void System_RNG_Impl::fill_bytes_with_input(std::span<uint8_t> output, std::span<const uint8_t> input) {
316 maybe_write_entropy(input);
317
318 uint8_t* buf = output.data();
319 size_t len = output.size();
320 while(len) {
321 ssize_t got = ::read(m_fd, buf, len);
322
323 if(got < 0) {
324 if(errno == EINTR)
325 continue;
326 throw System_Error("System_RNG read failed", errno);
327 }
328 if(got == 0)
329 throw System_Error("System_RNG EOF on device"); // ?!?
330
331 buf += got;
332 len -= got;
333 }
334}
335
336void System_RNG_Impl::maybe_write_entropy(std::span<const uint8_t> entropy_input) {
337 if(!m_writable || entropy_input.empty())
338 return;
339
340 const uint8_t* input = entropy_input.data();
341 size_t len = entropy_input.size();
342 while(len) {
343 ssize_t got = ::write(m_fd, input, len);
344
345 if(got < 0) {
346 if(errno == EINTR)
347 continue;
348
349 /*
350 * This is seen on OS X CI, despite the fact that the man page
351 * for macOS urandom explicitly states that writing to it is
352 * supported, and write(2) does not document EPERM at all.
353 * But in any case EPERM seems indicative of a policy decision
354 * by the OS or sysadmin that additional entropy is not wanted
355 * in the system pool, so we accept that and return here,
356 * since there is no corrective action possible.
357 *
358 * In Linux EBADF or EPERM is returned if m_fd is not opened for
359 * writing.
360 */
361 if(errno == EPERM || errno == EBADF)
362 return;
363
364 // maybe just ignore any failure here and return?
365 throw System_Error("System_RNG write failed", errno);
366 }
367
368 input += got;
369 len -= got;
370 }
371}
372
373#endif
374
375} // namespace
376
377RandomNumberGenerator& system_rng() {
378 static System_RNG_Impl g_system_rng;
379 return g_system_rng;
380}
381
382} // namespace Botan
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
bcrypt.h
Public Header.
Botan::System_Error
Definition exceptn.h:305
Botan::PKCS11::flags
Flags flags(Flag flags)
Definition p11.h:1227
Botan::system_rng
RandomNumberGenerator & system_rng()
Definition system_rng.cpp:377
Generated by doxygen 1.16.1