[rng] Replace trusty_rng_secure_rand with the BoringSSL RNG
Replaces the Trusty RNG library with the BoringSSL RNG by forwarding the
existing API to BoringSSL. The add_entropy() API does not add entropy
directly to the BoringSSL RNG entropy pool, but instead adds entropy to
an internal system RNG that BoringSSL uses as a source of additional
randomness.
Concretely, this change forwards the trusty_rng_secure_rand API directly
to BoringSSL and exposes the prior functionality as an internal API just
for BoringSSL to provide fast system randomness.
Test: build.py
Bug: 193674299
Change-Id: I82fabe2e0ad7c3b5cbc92354fb4f436f2afbda0c
diff --git a/lib/openssl-stubs/rand.c b/lib/openssl-stubs/rand.c
index d4d66c9..2a76802 100644
--- a/lib/openssl-stubs/rand.c
+++ b/lib/openssl-stubs/rand.c
@@ -31,14 +31,18 @@
#include <uapi/err.h>
#include <lib/rng/trusty_rng.h>
+#include <lib/rng/trusty_rng_internal.h>
#include <openssl/rand.h>
#if defined(OPENSSL_IS_BORINGSSL)
-/* CRYPTO_sysrand is called by BoringSSL to obtain entropy from the OS. By
- * default, BoringSSL's RNG calls this function without buffering. */
+/*
+ * CRYPTO_sysrand is called by BoringSSL to obtain entropy from the OS on every
+ * query for randomness. This needs to be fast, so we provide our own AES-CTR
+ * PRNG seeded from hardware randomness, if available.
+ */
__WEAK void CRYPTO_sysrand(uint8_t* out, size_t requested) {
- if (trusty_rng_secure_rand(out, requested) != NO_ERROR) {
+ if (trusty_rng_internal_system_rand(out, requested) != NO_ERROR) {
abort();
}
}
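Review bot: The new comment above CRYPTO_sysrand says the PRNG is seeded from hardware randomness "if available" but does not say what seeds it otherwise. Since this function is now the system entropy input BoringSSL consults on every query, the fallback should be stated or the clause dropped. It is also worth recording here that trusty_rng_secure_rand() now calls RAND_bytes(), so an override of this __WEAK symbol that still calls trusty_rng_secure_rand(), as the removed line did, would presumably recurse. I would add `* Overrides must not call trusty_rng_secure_rand() or RAND_bytes(); both end up back here.` to the comment.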
diff --git a/lib/rng/include/lib/rng/trusty_rng_internal.h b/lib/rng/include/lib/rng/trusty_rng_internal.h
new file mode 100644
index 0000000..fde0c4c
--- /dev/null
+++ b/lib/rng/include/lib/rng/trusty_rng_internal.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * Trusty fast internal system randomness source
+ *
+ * ***DO NOT USE THIS***
+ *
+ * This API should only be used for the CRYPTO_sysrand implementation used by
+ * BoringSSL as a fast system source of randomness on each call to RAND_bytes.
+ * Users should instead use the BoringSSL RNG directly via RAND_bytes() and
+ * similar APIs.
+ */
+
+#pragma once
+
+#include <stddef.h>
+#include <stdint.h>
+
+/**
+ * trusty_rng_internal_system_rand() - DO NOT USE: You should use RAND_bytes()
+ * in BoringSSL.
+ */
+int trusty_rng_internal_system_rand(uint8_t* data, size_t len);
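Review bot: The doc block on trusty_rng_internal_system_rand() carries only the DO NOT USE warning and leaves the contract undocumented, although its one intended caller compares the result against NO_ERROR and aborts. Adding `@data: buffer to fill; must not be NULL`, `@len: number of bytes to write; must be non-zero` and `Return: NO_ERROR on success, an error code otherwise` would match the `!data || !len` check visible at the top of the function in trusty_rng.c. The header also sits under the library's exported include directory, so the restriction holds by convention only. If the build rules can limit its visibility to the openssl-stubs library, that would be stronger than the banner.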
diff --git a/lib/rng/trusty_rng.c b/lib/rng/trusty_rng.c
index e916d60..7aeeec4 100644
--- a/lib/rng/trusty_rng.c
+++ b/lib/rng/trusty_rng.c
@@ -30,6 +30,7 @@
#include <interface/hwrng/hwrng.h>
#include <openssl/aes.h>
+#include <openssl/rand.h>
/*
* This is the generic part of the trusty app rng service.
@@ -83,6 +84,22 @@
}
int trusty_rng_secure_rand(uint8_t* data, size_t len) {
+ if (!data || !len)
+ return ERR_INVALID_ARGS;
+
+ int ssl_err = RAND_bytes(data, len);
+ if (ssl_err != 1) {
+ /*
+ * BoringSSL never returns anything but success, so we should never hit
+ * this.
+ */
+ return ERR_GENERIC;
+ }
+
+ return NO_ERROR;
+}
+
+int trusty_rng_internal_system_rand(uint8_t* data, size_t len) {
int err = NO_ERROR;
if (!data || !len)
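Review bot: On the `ssl_err != 1` path in trusty_rng_secure_rand() the function returns ERR_GENERIC and leaves the caller's buffer in an unspecified state, whereas CRYPTO_sysrand in rand.c aborts on the equivalent failure. A caller that ignores the return value would go on to use those bytes as if they were random. The comment relies on BoringSSL never failing, yet rand.c still guards on OPENSSL_IS_BORINGSSL, so the branch may be reachable if another libcrypto can be linked. Either make the branch fail closed, with `abort();` in place of `return ERR_GENERIC;`, or state in the comment that the buffer must be treated as invalid on error. The body of trusty_rng_internal_system_rand() continues past the end of this hunk.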