crypto/bcm_support.h - boringssl - Git at Google

 /* Copyright (c) 2024, Google Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

 #ifndef OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H
 #define OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H

 #include <openssl/base.h>

 // Provided by libcrypto, called from BCM

 #if defined(__cplusplus)
 extern "C" {
 #endif

 #if defined(OPENSSL_LINUX)
 // On linux we use MADVISE instead of pthread_atfork(), due
 // to concerns about clone() being used for address space
 // duplication.
 #define OPENSSL_FORK_DETECTION
 #define OPENSSL_FORK_DETECTION_MADVISE
 #elif defined(OPENSSL_MACOS) || defined(OPENSSL_IOS) || \
     defined(OPENSSL_OPENBSD) || defined(OPENSSL_FREEBSD)
 // These platforms may detect address space duplication with pthread_atfork.
 // iOS doesn't normally allow fork in apps, but it's there.
 #define OPENSSL_FORK_DETECTION
 #define OPENSSL_FORK_DETECTION_PTHREAD_ATFORK
 #elif defined(OPENSSL_WINDOWS) || defined(OPENSSL_TRUSTY) || \
     defined(__ZEPHYR__) || defined(CROS_EC)
 // These platforms do not fork.
 #define OPENSSL_DOES_NOT_FORK
 #endif

 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
 #define OPENSSL_RAND_DETERMINISTIC
 #elif defined(OPENSSL_TRUSTY)
 #define OPENSSL_RAND_TRUSTY
 #elif defined(OPENSSL_WINDOWS)
 #define OPENSSL_RAND_WINDOWS
 #elif defined(OPENSSL_LINUX)
 #define OPENSSL_RAND_URANDOM
 #elif defined(OPENSSL_APPLE) && !defined(OPENSSL_MACOS)
 // Unlike macOS, iOS and similar hide away getentropy().
 #define OPENSSL_RAND_IOS
 #else
 // By default if you are integrating BoringSSL we expect you to
 // provide getentropy from the <unistd.h> header file.
 #define OPENSSL_RAND_GETENTROPY
 #endif

 // Provided by libcrypto, called from BCM

 // CRYPTO_init_sysrand initializes long-lived resources needed to draw entropy
 // from the operating system, if the operating system requires initialization.
 void CRYPTO_init_sysrand(void);

 // CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating
 // system.
 void CRYPTO_sysrand(uint8_t *buf, size_t len);

 // CRYPTO_sysrand_if_available fills |len| bytes at |buf| with entropy from the
 // operating system, or early /dev/urandom data, and returns 1, _if_ the entropy
 // pool is initialized or if getrandom() is not available and not in FIPS mode.
 // Otherwise it will not block and will instead fill |buf| with all zeros and
 // return 0.
 int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len);

 // CRYPTO_sysrand_for_seed fills |len| bytes at |buf| with entropy from the
 // operating system. It may draw from the |GRND_RANDOM| pool on Android,
 // depending on the vendor's configuration.
 void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len);

 // RAND_need_entropy is called whenever the BCM module has stopped because it
 // has run out of entropy.
 void RAND_need_entropy(size_t bytes_needed);

 // crypto_get_fork_generation returns the fork generation number for the current
 // process, or zero if not supported on the platform. The fork generation number
 // is a non-zero, strictly-monotonic counter with the property that, if queried
 // in an address space and then again in a subsequently forked copy, the forked
 // address space will observe a greater value.
 //
 // This function may be used to clear cached values across a fork. When
 // initializing a cache, record the fork generation. Before using the cache,
 // check if the fork generation has changed. If so, drop the cache and update
 // the save fork generation. Note this logic transparently handles platforms
 // which always return zero.
 //
 // This is not reliably supported on all platforms which implement |fork|, so it
 // should only be used as a hardening measure.
 OPENSSL_EXPORT uint64_t CRYPTO_get_fork_generation(void);

 // CRYPTO_fork_detect_force_madv_wipeonfork_for_testing is an internal detail
 // used for testing purposes.
 OPENSSL_EXPORT void CRYPTO_fork_detect_force_madv_wipeonfork_for_testing(
     int on);


 #if defined(__cplusplus)
 }  // extern C
 #endif

 #endif  // OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H
	/* Copyright (c) 2024, Google Inc.
	*
	* Permission to use, copy, modify, and/or distribute this software for any
	* purpose with or without fee is hereby granted, provided that the above
	* copyright notice and this permission notice appear in all copies.
	*
	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

	#ifndef OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H
	#define OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H

	#include <openssl/base.h>

	// Provided by libcrypto, called from BCM

	#if defined(__cplusplus)
	extern "C" {
	#endif

	#if defined(OPENSSL_LINUX)
	// On linux we use MADVISE instead of pthread_atfork(), due
	// to concerns about clone() being used for address space
	// duplication.
	#define OPENSSL_FORK_DETECTION
	#define OPENSSL_FORK_DETECTION_MADVISE
	#elif defined(OPENSSL_MACOS) \|\| defined(OPENSSL_IOS) \|\| \
	defined(OPENSSL_OPENBSD) \|\| defined(OPENSSL_FREEBSD)
	// These platforms may detect address space duplication with pthread_atfork.
	// iOS doesn't normally allow fork in apps, but it's there.
	#define OPENSSL_FORK_DETECTION
	#define OPENSSL_FORK_DETECTION_PTHREAD_ATFORK
	#elif defined(OPENSSL_WINDOWS) \|\| defined(OPENSSL_TRUSTY) \|\| \
	defined(__ZEPHYR__) \|\| defined(CROS_EC)
	// These platforms do not fork.
	#define OPENSSL_DOES_NOT_FORK
	#endif

	#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
	#define OPENSSL_RAND_DETERMINISTIC
	#elif defined(OPENSSL_TRUSTY)
	#define OPENSSL_RAND_TRUSTY
	#elif defined(OPENSSL_WINDOWS)
	#define OPENSSL_RAND_WINDOWS
	#elif defined(OPENSSL_LINUX)
	#define OPENSSL_RAND_URANDOM
	#elif defined(OPENSSL_APPLE) && !defined(OPENSSL_MACOS)
	// Unlike macOS, iOS and similar hide away getentropy().
	#define OPENSSL_RAND_IOS
	#else
	// By default if you are integrating BoringSSL we expect you to
	// provide getentropy from the <unistd.h> header file.
	#define OPENSSL_RAND_GETENTROPY
	#endif

	// Provided by libcrypto, called from BCM

	// CRYPTO_init_sysrand initializes long-lived resources needed to draw entropy
	// from the operating system, if the operating system requires initialization.
	void CRYPTO_init_sysrand(void);

	// CRYPTO_sysrand fills \|len\| bytes at \|buf\| with entropy from the operating
	// system.
	void CRYPTO_sysrand(uint8_t *buf, size_t len);

	// CRYPTO_sysrand_if_available fills \|len\| bytes at \|buf\| with entropy from the
	// operating system, or early /dev/urandom data, and returns 1, _if_ the entropy
	// pool is initialized or if getrandom() is not available and not in FIPS mode.
	// Otherwise it will not block and will instead fill \|buf\| with all zeros and
	// return 0.
	int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len);

	// CRYPTO_sysrand_for_seed fills \|len\| bytes at \|buf\| with entropy from the
	// operating system. It may draw from the \|GRND_RANDOM\| pool on Android,
	// depending on the vendor's configuration.
	void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len);

	// RAND_need_entropy is called whenever the BCM module has stopped because it
	// has run out of entropy.
	void RAND_need_entropy(size_t bytes_needed);

	// crypto_get_fork_generation returns the fork generation number for the current
	// process, or zero if not supported on the platform. The fork generation number
	// is a non-zero, strictly-monotonic counter with the property that, if queried
	// in an address space and then again in a subsequently forked copy, the forked
	// address space will observe a greater value.
	//
	// This function may be used to clear cached values across a fork. When
	// initializing a cache, record the fork generation. Before using the cache,
	// check if the fork generation has changed. If so, drop the cache and update
	// the save fork generation. Note this logic transparently handles platforms
	// which always return zero.
	//
	// This is not reliably supported on all platforms which implement \|fork\|, so it
	// should only be used as a hardening measure.
	OPENSSL_EXPORT uint64_t CRYPTO_get_fork_generation(void);

	// CRYPTO_fork_detect_force_madv_wipeonfork_for_testing is an internal detail
	// used for testing purposes.
	OPENSSL_EXPORT void CRYPTO_fork_detect_force_madv_wipeonfork_for_testing(
	int on);


	#if defined(__cplusplus)
	} // extern C
	#endif

	#endif // OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H