
getrandom is not used on FreeBSD >= 12 #1557

@ONya

Description


Problem:

This commit added RNG support for FreeBSD: c953ee4
The FreeBSD version check isn't working. It always returns /dev/urandom in crypto/fipsmodule/rand/urandom.c.
While building my projects with the rustls and aws-lc crates, I found that the value of __FreeBSD__ is 8 and I don't know why.

On FreeBSD 14.0 the predefined version looks OK:

$ > cc -dM -E -</dev/null | grep -i freebsd
#define __FreeBSD__ 14
...

A simple program to check which is actually used, urandom or getrandom:

use std::sync::Arc;

fn main() {
    let host = "www.rust-lang.org".try_into().unwrap();

    let roots = rustls::RootCertStore::empty();
    let config = rustls::ClientConfig::builder()
        .with_root_certificates(roots)
        .with_no_client_auth();

    // Enter capability mode; after this no new file descriptors can be
    // opened by path, so /dev/urandom is no longer reachable.
    // See https://man.freebsd.org/cgi/man.cgi?capsicum
    unsafe {
        libc::cap_enter();
    }

    // Fails, because we can't open /dev/urandom in capability mode,
    // but this must work with getrandom.
    rustls::ClientConnection::new(Arc::new(config), host).unwrap();
}

Output:

 ...
failed to open /dev/urandom: Not permitted in capability mode
...

Solution:

Something like this solves my problem:

--- a/crypto/fipsmodule/rand/urandom.c
+++ b/crypto/fipsmodule/rand/urandom.c
@@ -71,7 +71,8 @@

 #if defined(OPENSSL_FREEBSD)
 #define URANDOM_BLOCKS_FOR_ENTROPY
-#if __FreeBSD__ >= 12
+#include "sys/param.h"
+#if __FreeBSD_version >= 1200000
 // getrandom is supported in FreeBSD 12 and up.
 #define FREEBSD_GETRANDOM
 #include <sys/random.h>
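Review bot: the new include in this hunk, `#include "sys/param.h"`, should use angle brackets, `#include <sys/param.h>`, as the neighbouring `#include <sys/random.h>` does, so the system header is not searched for relative to the source directory first. With that header in place, `#if __FreeBSD_version >= 1200000` tests the headers actually being compiled against rather than the compiler's `__FreeBSD__` macro, which is the point of the change given the report that `__FreeBSD__` was 8 during the rustls/aws-lc build; the existing comment `// getrandom is supported in FreeBSD 12 and up.` still describes the condition accurately. A one-line comment above the `#if` saying why `__FreeBSD_version` is used instead of `__FreeBSD__` would keep the next reader from reverting it.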
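The selection the patch describes, getrandom(2) chosen at compile time by __FreeBSD_version with /dev/urandom as the fallback, as an added C example that is not aws-lc's code and not part of the original report. The HAVE_GETRANDOM macro and the rng_backend, fill_random and random_self_test functions are my own names; the example assumes getrandom(2) is declared in <sys/random.h> on FreeBSD 12+ and on Linux, and it builds on either, taking the /dev/urandom path on anything else.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__FreeBSD__)
/* <sys/param.h> defines __FreeBSD_version from the system headers, so the
 * check below reflects the headers being compiled against rather than the
 * compiler driver's __FreeBSD__ macro (reported as 8 in the issue above). */
#include <sys/param.h>
#if __FreeBSD_version >= 1200000
#define HAVE_GETRANDOM 1   /* assumed macro name; getrandom(2) since 12.0 */
#include <sys/random.h>
#endif
#elif defined(__linux__)
#define HAVE_GETRANDOM 1   /* glibc >= 2.25 declares getrandom here */
#include <sys/random.h>
#endif

/* Report which backend this translation unit was compiled to use. */
const char *rng_backend(void) {
#if defined(HAVE_GETRANDOM)
  return "getrandom";
#else
  return "/dev/urandom";
#endif
}

/* Fill buf with n random bytes. Returns 0 on success, -1 on failure.
 * The /dev/urandom path is the one that fails under Capsicum capability
 * mode, because open(2) by path is refused there. */
int fill_random(uint8_t *buf, size_t n) {
  size_t done = 0;
#if defined(HAVE_GETRANDOM)
  while (done < n) {
    ssize_t r = getrandom(buf + done, n - done, 0);
    if (r < 0) {
      if (errno == EINTR) continue;   /* interrupted by a signal: retry */
      return -1;
    }
    done += (size_t)r;                /* short reads are possible, keep going */
  }
  return 0;
#else
  int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
  if (fd < 0) return -1;              /* e.g. "Not permitted in capability mode" */
  while (done < n) {
    ssize_t r = read(fd, buf + done, n - done);
    if (r < 0) {
      if (errno == EINTR) continue;
      close(fd);
      return -1;
    }
    if (r == 0) { close(fd); return -1; }   /* unexpected EOF */
    done += (size_t)r;
  }
  close(fd);
  return 0;
#endif
}

/* Self-check: two 32-byte fills must both succeed and must differ.
 * Returns 1 on pass, 0 on failure. */
int random_self_test(void) {
  uint8_t a[32], b[32];
  if (fill_random(a, sizeof a) != 0) return 0;
  if (fill_random(b, sizeof b) != 0) return 0;
  return memcmp(a, b, sizeof a) != 0;
}

int main(void) {
  printf("backend: %s\n", rng_backend());
  printf("self test: %s\n", random_self_test() ? "pass" : "FAIL");
  return random_self_test() ? 0 : 1;
}
```

On a FreeBSD 12+ system the program reports "getrandom" and keeps working after cap_enter(2); a build where only the /dev/urandom path was compiled in fails at open() once the process is in capability mode, which is exactly the failure the rustls test above shows.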
