diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 014797a6..636074a1 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -61,6 +61,7 @@ jobs: - uses: Swatinem/rust-cache@v2 - run: cargo test - run: cargo test --features=std + - run: cargo test --features=disable_urandom_fallback - run: cargo test --features=custom # custom should do nothing here - if: ${{ matrix.toolchain == 'nightly' }} run: cargo test --benches diff --git a/CHANGELOG.md b/CHANGELOG.md index a283d380..ac603814 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## Unreleased +### Added +- `disable_urandom_fallback` crate feature to disable `/dev/urandom`-based fallback on Linux and + Android targets. Enabling this feature bumps minimum supported Linux kernel version to 4.17 and + Android API level to 23 (Marshmallow). [#396] + +### Changed +- Disable `/dev/urandom`-based fallback for Linux targets outside of the following + `target_arch`es: `arm`, `powerpc`, `powerpc64`, `s390x`, `x86`, `x86_64`. [#396] + +[#396]: https://github.com/rust-random/getrandom/pull/396 + ## [0.2.12] - 2024-01-09 ### Fixed - Custom backend for targets without atomics [#385] diff --git a/Cargo.toml b/Cargo.toml index ea57331d..c8642712 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -32,6 +32,9 @@ wasm-bindgen-test = "0.3.18" [features] # Implement std-only traits for getrandom::Error std = [] +# Disable `/dev/urandom` fallback for Linux and Android targets. +# Bumps minimum supported Linux kernel version to 3.17 and Android API level to 23 (Marshmallow). +disable_urandom_fallback = [] # Feature to enable fallback RDRAND-based implementation on x86/x86_64 rdrand = [] # Feature to enable JavaScript bindings on wasm*-unknown-unknown diff --git a/src/lib.rs b/src/lib.rs index c2454d5c..974bd196 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -99,11 +99,14 @@ //! This crate will then use the provided `webcrypto` implementation. //! //! ### Platform Support -//! This crate generally supports the same operating system and platform versions that the Rust standard library does. -//! Additional targets may be supported using pluggable custom implementations. +//! This crate generally supports the same operating system and platform versions +//! that the Rust standard library does. Additional targets may be supported using +//! pluggable custom implementations. //! -//! This means that as Rust drops support for old versions of operating systems (such as old Linux kernel versions, Android API levels, etc) -//! in stable releases, `getrandom` may create new patch releases (`0.N.x`) that remove support for outdated platform versions. +//! This means that as Rust drops support for old versions of operating systems +//! (such as old Linux kernel versions, Android API levels, etc) in stable releases, +//! `getrandom` may create new patch releases (`0.N.x`) that remove support for +//! outdated platform versions. //! //! ### Custom implementations //! @@ -220,10 +223,35 @@ cfg_if! { if #[cfg(any(target_os = "haiku", target_os = "redox", target_os = "nto", target_os = "aix"))] { mod util_libc; #[path = "use_file.rs"] mod imp; - } else if #[cfg(any(target_os = "android", target_os = "linux"))] { + } else if #[cfg(all( + not(feature = "disable_urandom_fallback"), + any( + // Rust supports Android API level 19 (KitKat) [0], while `getrandom(2)` + // was added only in level 23 (Marshmallow). + // [0]: https://blog.rust-lang.org/2023/01/09/android-ndk-update-r25.html + target_os = "android", + all( + target_os = "linux", + // Only on these `target_arch`es Rust supports Linux kernel versions (3.2+) + // that precede the version (3.17) in which `getrandom(2)` was added: + // https://doc.rust-lang.org/stable/rustc/platform-support.html + any( + target_arch = "arm", + target_arch = "powerpc", + target_arch = "powerpc64", + target_arch = "s390x", + target_arch = "x86", + target_arch = "x86_64", + ), + ) + ), + ))] { mod util_libc; mod use_file; mod lazy; + #[path = "linux_with_fallback.rs"] mod imp; + } else if #[cfg(any(target_os = "android", target_os = "linux"))] { + mod util_libc; #[path = "linux_android.rs"] mod imp; } else if #[cfg(any(target_os = "illumos", target_os = "solaris"))] { mod util_libc; diff --git a/src/linux_android.rs b/src/linux_android.rs index 2517159e..93a64945 100644 --- a/src/linux_android.rs +++ b/src/linux_android.rs @@ -1,40 +1,7 @@ -//! Implementation for Linux / Android -use crate::{ - lazy::LazyBool, - util_libc::{last_os_error, sys_fill_exact}, - {use_file, Error}, -}; +//! Implementation for Linux / Android without `/dev/urandom` fallback +use crate::{util_libc, Error}; use core::mem::MaybeUninit; pub fn getrandom_inner(dest: &mut [MaybeUninit]) -> Result<(), Error> { - // getrandom(2) was introduced in Linux 3.17 - static HAS_GETRANDOM: LazyBool = LazyBool::new(); - if HAS_GETRANDOM.unsync_init(is_getrandom_available) { - sys_fill_exact(dest, |buf| unsafe { - getrandom(buf.as_mut_ptr() as *mut libc::c_void, buf.len(), 0) - }) - } else { - use_file::getrandom_inner(dest) - } -} - -fn is_getrandom_available() -> bool { - let res = unsafe { getrandom(core::ptr::null_mut(), 0, libc::GRND_NONBLOCK) }; - if res < 0 { - match last_os_error().raw_os_error() { - Some(libc::ENOSYS) => false, // No kernel support - Some(libc::EPERM) => false, // Blocked by seccomp - _ => true, - } - } else { - true - } -} - -unsafe fn getrandom( - buf: *mut libc::c_void, - buflen: libc::size_t, - flags: libc::c_uint, -) -> libc::ssize_t { - libc::syscall(libc::SYS_getrandom, buf, buflen, flags) as libc::ssize_t + util_libc::sys_fill_exact(dest, util_libc::getrandom_syscall) } diff --git a/src/linux_with_fallback.rs b/src/linux_with_fallback.rs new file mode 100644 index 00000000..447f0458 --- /dev/null +++ b/src/linux_with_fallback.rs @@ -0,0 +1,38 @@ +//! Implementation for Linux / Android with `/dev/urandom` fallback +use crate::{ + lazy::LazyBool, + util_libc::{getrandom_syscall, last_os_error, sys_fill_exact}, + {use_file, Error}, +}; +use core::mem::MaybeUninit; + +pub fn getrandom_inner(dest: &mut [MaybeUninit]) -> Result<(), Error> { + // getrandom(2) was introduced in Linux 3.17 + static HAS_GETRANDOM: LazyBool = LazyBool::new(); + if HAS_GETRANDOM.unsync_init(is_getrandom_available) { + sys_fill_exact(dest, getrandom_syscall) + } else { + use_file::getrandom_inner(dest) + } +} + +fn is_getrandom_available() -> bool { + let res = unsafe { getrandom(core::ptr::null_mut(), 0, libc::GRND_NONBLOCK) }; + if res < 0 { + match last_os_error().raw_os_error() { + Some(libc::ENOSYS) => false, // No kernel support + Some(libc::EPERM) => false, // Blocked by seccomp + _ => true, + } + } else { + true + } +} + +unsafe fn getrandom( + buf: *mut libc::c_void, + buflen: libc::size_t, + flags: libc::c_uint, +) -> libc::ssize_t { + libc::syscall(libc::SYS_getrandom, buf, buflen, flags) as libc::ssize_t +} diff --git a/src/util_libc.rs b/src/util_libc.rs index 0b792c35..e86ef776 100644 --- a/src/util_libc.rs +++ b/src/util_libc.rs @@ -151,3 +151,16 @@ pub unsafe fn open_readonly(path: &str) -> Result { } } } + +/// Thin wrapper around the `getrandom()` Linux system call +#[cfg(any(target_os = "android", target_os = "linux"))] +pub fn getrandom_syscall(buf: &mut [MaybeUninit]) -> libc::ssize_t { + unsafe { + libc::syscall( + libc::SYS_getrandom, + buf.as_mut_ptr() as *mut libc::c_void, + buf.len(), + 0, + ) as libc::ssize_t + } +}