crypto/rand: move OS interaction to crypto/internal/sysrand

We're going to use that package as the passive entropy source for the
FIPS module, and we need to import it from a package that will be
imported by crypto/rand.

Since there is no overridable Reader now, introduced a mechanism to test
the otherwise impossible failure of the OS entropy source.

For #69536

Change-Id: I558687ed1ec896dba05b99b937970bb809de3fe7
Reviewed-on: https://go-review.googlesource.com/c/go/+/624976
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

Author: FiloSottile

src/crypto/rand/internal/seccomp/seccomp_linux.go renamed to src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go

@@ -0,0 +1,77 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package rand provides cryptographically secure random bytes from the
+// operating system.
+package sysrand
+
+import (
+	"os"
+	"sync"
+	"sync/atomic"
+	"time"
+	_ "unsafe"
+)
+
+var firstUse atomic.Bool
+
+func warnBlocked() {
+	println("crypto/rand: blocked for 60 seconds waiting to read random data from the kernel")
+}
+
+// fatal is [runtime.fatal], pushed via linkname.
+//
+//go:linkname fatal
+func fatal(string)
+
+var testingOnlyFailRead bool
+
+// Read fills b with cryptographically secure random bytes from the operating
+// system. It always fills b entirely and crashes the program irrecoverably if
+// an error is encountered. The operating system APIs are documented to never
+// return an error on all but legacy Linux systems.
+func Read(b []byte) {
+	if firstUse.CompareAndSwap(false, true) {
+		// First use of randomness. Start timer to warn about
+		// being blocked on entropy not being available.
+		t := time.AfterFunc(time.Minute, warnBlocked)
+		defer t.Stop()
+	}
+	if err := read(b); err != nil || testingOnlyFailRead {
+		var errStr string
+		if !testingOnlyFailRead {
+			errStr = err.Error()
+		} else {
+			errStr = "testing simulated failure"
+		}
+		fatal("crypto/rand: failed to read random data (see https://go.dev/issue/66821): " + errStr)
+		panic("unreachable") // To be sure.
+	}
+}
+
+// The urandom fallback is only used on Linux kernels before 3.17 and on AIX.
+
+var urandomOnce sync.Once
+var urandomFile *os.File
+var urandomErr error
+
+func urandomRead(b []byte) error {
+	urandomOnce.Do(func() {
+		urandomFile, urandomErr = os.Open("/dev/urandom")
+	})
+	if urandomErr != nil {
+		return urandomErr
+	}
+	for len(b) > 0 {
+		n, err := urandomFile.Read(b)
+		// Note that we don't ignore EAGAIN because it should not be possible to
+		// hit for a blocking read from urandom, although there were
+		// unreproducible reports of it at https://go.dev/issue/9205.
+		if err != nil {
+			return err
+		}
+		b = b[n:]
+	}
+	return nil
+}

src/crypto/rand/internal/seccomp/seccomp_unsupported.go renamed to src/crypto/internal/sysrand/internal/seccomp/seccomp_unsupported.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package rand
+package sysrand
 
 func read(b []byte) error {
 	return urandomRead(b)

src/crypto/internal/sysrand/rand.go

@@ -4,7 +4,7 @@
 
 //go:build darwin || openbsd
 
-package rand
+package sysrand
 
 import "internal/syscall/unix"
 

src/crypto/rand/rand_aix.go renamed to src/crypto/internal/sysrand/rand_aix.go

@@ -4,7 +4,7 @@
 
 //go:build dragonfly || freebsd || linux || solaris
 
-package rand
+package sysrand
 
 import (
 	"errors"

src/crypto/rand/rand_arc4random.go renamed to src/crypto/internal/sysrand/rand_arc4random.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package rand
+package sysrand
 
 // The maximum buffer size for crypto.getRandomValues is 65536 bytes.
 // https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues#exceptions

src/crypto/rand/rand_getrandom.go renamed to src/crypto/internal/sysrand/rand_getrandom.go

@@ -2,11 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package rand_test
+package sysrand_test
 
 import (
 	"bytes"
-	"crypto/rand/internal/seccomp"
+	"crypto/internal/sysrand/internal/seccomp"
 	"internal/syscall/unix"
 	"internal/testenv"
 	"os"
@@ -33,7 +33,6 @@ func TestNoGetrandom(t *testing.T) {
 		t.Skip("skipping test in short mode")
 	}
 	testenv.MustHaveExec(t)
-	testenv.MustHaveCGO(t)
 
 	done := make(chan struct{})
 	go func() {

src/crypto/rand/rand_js.go renamed to src/crypto/internal/sysrand/rand_js.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package rand
+package sysrand
 
 import "internal/syscall/unix"
 

src/crypto/rand/rand_linux_test.go renamed to src/crypto/internal/sysrand/rand_linux_test.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package rand
+package sysrand
 
 import (
 	"internal/byteorder"