[thirdparty/systemd.git] / src / basic / random-util.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#if defined(__i386__) || defined(__x86_64__)
#include <cpuid.h>
#endif

#include <elf.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/random.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/time.h>

#if HAVE_SYS_AUXV_H
#  include <sys/auxv.h>
#endif

#include "alloc-util.h"
#include "errno-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "io-util.h"
#include "missing_random.h"
#include "missing_syscall.h"
#include "parse-util.h"
#include "random-util.h"
#include "siphash24.h"
#include "time-util.h"

static bool srand_called = false;

int rdrand(unsigned long *ret) {

        /* So, you are a "security researcher", and you wonder why we bother with using raw RDRAND here,
         * instead of sticking to /dev/urandom or getrandom()?
         *
         * Here's why: early boot. On Linux, during early boot the random pool that backs /dev/urandom and
         * getrandom() is generally not initialized yet. It is very common that initialization of the random
         * pool takes a longer time (up to many minutes), in particular on embedded devices that have no
         * explicit hardware random generator, as well as in virtualized environments such as major cloud
         * installations that do not provide virtio-rng or a similar mechanism.
         *
         * In such an environment using getrandom() synchronously means we'd block the entire system boot-up
         * until the pool is initialized, i.e. *very* long. Using getrandom() asynchronously (GRND_NONBLOCK)
         * would mean acquiring randomness during early boot would simply fail. Using /dev/urandom would mean
         * generating many kmsg log messages about our use of it before the random pool is properly
         * initialized. Neither of these outcomes is desirable.
         *
         * Thus, for very specific purposes we use RDRAND instead of either of these three options. RDRAND
         * provides us quickly and relatively reliably with random values, without having to delay boot,
         * without triggering warning messages in kmsg.
         *
         * Note that we use RDRAND only under very specific circumstances, when the requirements on the
         * quality of the returned entropy permit it. Specifically, here are some cases where we *do* use
         * RDRAND:
         *
         *         • UUID generation: UUIDs are supposed to be universally unique but are not cryptographic
         *           key material. The quality and trust level of RDRAND should hence be OK: UUIDs should be
         *           generated in a way that is reliably unique, but they do not require ultimate trust into
         *           the entropy generator. systemd generates a number of UUIDs during early boot, including
         *           'invocation IDs' for every unit spawned that identify the specific invocation of the
         *           service globally, and a number of others. Other alternatives for generating these UUIDs
         *           have been considered, but don't really work: for example, hashing uuids from a local
         *           system identifier combined with a counter falls flat because during early boot disk
         *           storage is not yet available (think: initrd) and thus a system-specific ID cannot be
         *           stored or retrieved yet.
         *
         *         • Hash table seed generation: systemd uses many hash tables internally. Hash tables are
         *           generally assumed to have O(1) access complexity, but can deteriorate to prohibitive
         *           O(n) access complexity if an attacker manages to trigger a large number of hash
         *           collisions. Thus, systemd (as any software employing hash tables should) uses seeded
         *           hash functions for its hash tables, with a seed generated randomly. The hash tables
         *           systemd employs watch the fill level closely and reseed if necessary. This allows use of
         *           a low quality RNG initially, as long as it improves should a hash table be under attack:
         *           the attacker after all needs to trigger many collisions to exploit it for the purpose
         *           of DoS, but if doing so improves the seed the attack surface is reduced as the attack
         *           takes place.
         *
         * Some cases where we do NOT use RDRAND are:
         *
         *         • Generation of cryptographic key material 🔑
         *
         *         • Generation of cryptographic salt values 🧂
         *
         * This function returns:
         *
         *         -EOPNOTSUPP → RDRAND is not available on this system 😔
         *         -EAGAIN     → The operation failed this time, but is likely to work if you try again a few
         *                       times ♻
         *         -EUCLEAN    → We got some random value, but it looked strange, so we refused using it.
         *                       This failure might or might not be temporary. 😕
         */

#if defined(__i386__) || defined(__x86_64__)
        static int have_rdrand = -1;
        unsigned long v;
        uint8_t success;

        if (have_rdrand < 0) {
                uint32_t eax, ebx, ecx, edx;

                /* Check if RDRAND is supported by the CPU */
                if (__get_cpuid(1, &eax, &ebx, &ecx, &edx) == 0) {
                        have_rdrand = false;
                        return -EOPNOTSUPP;
                }

/* Compat with old gcc where bit_RDRND didn't exist yet */
#ifndef bit_RDRND
#define bit_RDRND (1U << 30)
#endif

                have_rdrand = !!(ecx & bit_RDRND);
        }

        if (have_rdrand == 0)
                return -EOPNOTSUPP;

        asm volatile("rdrand %0;"
                     "setc %1"
                     : "=r" (v),
                       "=qm" (success));
        msan_unpoison(&success, sizeof(success));
        if (!success)
                return -EAGAIN;

        /* Apparently on some AMD CPUs RDRAND will sometimes (after a suspend/resume cycle?) report success
         * via the carry flag but nonetheless return the same fixed value -1 in all cases. This appears to be
         * a bad bug in the CPU or firmware. Let's deal with that and work-around this by explicitly checking
         * for this special value (and also 0, just to be sure) and filtering it out. This is a work-around
         * only however and something AMD really should fix properly. The Linux kernel should probably work
         * around this issue by turning off RDRAND altogether on those CPUs. See:
         * https://github.com/systemd/systemd/issues/11810 */
        if (v == 0 || v == ULONG_MAX)
                return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
                                       "RDRAND returned suspicious value %lx, assuming bad hardware RNG, not using value.", v);

        *ret = v;
        return 0;
#else
        return -EOPNOTSUPP;
#endif
}

int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
        static int have_syscall = -1;
        _cleanup_close_ int fd = -1;
        bool got_some = false;
        int r;

        /* Gathers some high-quality randomness from the kernel (or potentially mid-quality randomness from
         * the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't block, unless the RANDOM_BLOCK
         * flag is set. If RANDOM_MAY_FAIL is set, an error is returned if the random pool is not
         * initialized. Otherwise it will always return some data from the kernel, regardless of whether the
         * random pool is fully initialized or not. If RANDOM_EXTEND_WITH_PSEUDO is set, and some but not
         * enough better quality randomness could be acquired, the rest is filled up with low quality
         * randomness.
         *
         * Of course, when creating cryptographic key material you really shouldn't use RANDOM_ALLOW_DRDRAND
         * or even RANDOM_EXTEND_WITH_PSEUDO.
         *
         * When generating UUIDs it's fine to use RANDOM_ALLOW_RDRAND but not OK to use
         * RANDOM_EXTEND_WITH_PSEUDO. In fact RANDOM_EXTEND_WITH_PSEUDO is only really fine when invoked via
         * an "all bets are off" wrapper, such as random_bytes(), see below. */

        if (n == 0)
                return 0;

        if (FLAGS_SET(flags, RANDOM_ALLOW_RDRAND))
                /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is
                 * not required, as we don't trust it (who does?). Note that we only do a single iteration of
                 * RDRAND here, even though the Intel docs suggest calling this in a tight loop of 10
                 * invocations or so. That's because we don't really care about the quality here. We
                 * generally prefer using RDRAND if the caller allows us to, since this way we won't upset
                 * the kernel's random subsystem by accessing it before the pool is initialized (after all it
                 * will kmsg log about every attempt to do so)..*/
                for (;;) {
                        unsigned long u;
                        size_t m;

                        if (rdrand(&u) < 0) {
                                if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
                                        /* Fill in the remaining bytes using pseudo-random values */
                                        pseudo_random_bytes(p, n);
                                        return 0;
                                }

                                /* OK, this didn't work, let's go to getrandom() + /dev/urandom instead */
                                break;
                        }

                        m = MIN(sizeof(u), n);
                        memcpy(p, &u, m);

                        p = (uint8_t*) p + m;
                        n -= m;

                        if (n == 0)
                                return 0; /* Yay, success! */

                        got_some = true;
                }

        /* Use the getrandom() syscall unless we know we don't have it. */
        if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) {

                for (;;) {
                        r = getrandom(p, n,
                                      (FLAGS_SET(flags, RANDOM_BLOCK) ? 0 : GRND_NONBLOCK) |
                                      (FLAGS_SET(flags, RANDOM_ALLOW_INSECURE) ? GRND_INSECURE : 0));
                        if (r > 0) {
                                have_syscall = true;

                                if ((size_t) r == n)
                                        return 0; /* Yay, success! */

                                assert((size_t) r < n);
                                p = (uint8_t*) p + r;
                                n -= r;

                                if (FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
                                        /* Fill in the remaining bytes using pseudo-random values */
                                        pseudo_random_bytes(p, n);
                                        return 0;
                                }

                                got_some = true;

                                /* Hmm, we didn't get enough good data but the caller insists on good data? Then try again */
                                if (FLAGS_SET(flags, RANDOM_BLOCK))
                                        continue;

                                /* Fill in the rest with /dev/urandom */
                                break;

                        } else if (r == 0) {
                                have_syscall = true;
                                return -EIO;

                        } else if (ERRNO_IS_NOT_SUPPORTED(errno)) {
                                /* We lack the syscall, continue with reading from /dev/urandom. */
                                have_syscall = false;
                                break;

                        } else if (errno == EAGAIN) {
                                /* The kernel has no entropy whatsoever. Let's remember to use the syscall
                                 * the next time again though.
                                 *
                                 * If RANDOM_MAY_FAIL is set, return an error so that random_bytes() can
                                 * produce some pseudo-random bytes instead. Otherwise, fall back to
                                 * /dev/urandom, which we know is empty, but the kernel will produce some
                                 * bytes for us on a best-effort basis. */
                                have_syscall = true;

                                if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
                                        /* Fill in the remaining bytes using pseudorandom values */
                                        pseudo_random_bytes(p, n);
                                        return 0;
                                }

                                if (FLAGS_SET(flags, RANDOM_MAY_FAIL))
                                        return -ENODATA;

                                /* Use /dev/urandom instead */
                                break;

                        } else if (errno == EINVAL) {

                                /* Most likely: unknown flag. We know that GRND_INSECURE might cause this,
                                 * hence try without. */

                                if (FLAGS_SET(flags, RANDOM_ALLOW_INSECURE)) {
                                        flags = flags &~ RANDOM_ALLOW_INSECURE;
                                        continue;
                                }

                                return -errno;
                        } else
                                return -errno;
                }
        }

        fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
        if (fd < 0)
                return errno == ENOENT ? -ENOSYS : -errno;

        return loop_read_exact(fd, p, n, true);
}

static void clear_srand_initialization(void) {
        srand_called = false;
}

void initialize_srand(void) {
        static bool pthread_atfork_registered = false;
        unsigned x;
#if HAVE_SYS_AUXV_H
        const void *auxv;
#endif
        unsigned long k;

        if (srand_called)
                return;

#if HAVE_SYS_AUXV_H
        /* The kernel provides us with 16 bytes of entropy in auxv, so let's try to make use of that to seed
         * the pseudo-random generator. It's better than nothing... But let's first hash it to make it harder
         * to recover the original value by watching any pseudo-random bits we generate. After all the
         * AT_RANDOM data might be used by other stuff too (in particular: ASLR), and we probably shouldn't
         * leak the seed for that. */

        auxv = ULONG_TO_PTR(getauxval(AT_RANDOM));
        if (auxv) {
                static const uint8_t auxval_hash_key[16] = {
                        0x92, 0x6e, 0xfe, 0x1b, 0xcf, 0x00, 0x52, 0x9c, 0xcc, 0x42, 0xcf, 0xdc, 0x94, 0x1f, 0x81, 0x0f
                };

                x = (unsigned) siphash24(auxv, 16, auxval_hash_key);
        } else
#endif
                x = 0;

        x ^= (unsigned) now(CLOCK_REALTIME);
        x ^= (unsigned) gettid();

        if (rdrand(&k) >= 0)
                x ^= (unsigned) k;

        srand(x);
        srand_called = true;

        if (!pthread_atfork_registered) {
                (void) pthread_atfork(NULL, NULL, clear_srand_initialization);
                pthread_atfork_registered = true;
        }
}

/* INT_MAX gives us only 31 bits, so use 24 out of that. */
#if RAND_MAX >= INT_MAX
assert_cc(RAND_MAX >= 16777215);
#  define RAND_STEP 3
#else
/* SHORT_INT_MAX or lower gives at most 15 bits, we just use 8 out of that. */
assert_cc(RAND_MAX >= 255);
#  define RAND_STEP 1
#endif

void pseudo_random_bytes(void *p, size_t n) {
        uint8_t *q;

        /* This returns pseudo-random data using libc's rand() function. You probably never want to call this
         * directly, because why would you use this if you can get better stuff cheaply? Use random_bytes()
         * instead, see below: it will fall back to this function if there's nothing better to get, but only
         * then. */

        initialize_srand();

        for (q = p; q < (uint8_t*) p + n; q += RAND_STEP) {
                unsigned rr;

                rr = (unsigned) rand();

#if RAND_STEP >= 3
                if ((size_t) (q - (uint8_t*) p + 2) < n)
                        q[2] = rr >> 16;
#endif
#if RAND_STEP >= 2
                if ((size_t) (q - (uint8_t*) p + 1) < n)
                        q[1] = rr >> 8;
#endif
                q[0] = rr;
        }
}

void random_bytes(void *p, size_t n) {

        /* This returns high quality randomness if we can get it cheaply. If we can't because for some reason
         * it is not available we'll try some crappy fallbacks.
         *
         * What this function will do:
         *
         *         • This function will preferably use the CPU's RDRAND operation, if it is available, in
         *           order to return "mid-quality" random values cheaply.
         *
         *         • Use getrandom() with GRND_NONBLOCK, to return high-quality random values if they are
         *           cheaply available.
         *
         *         • This function will return pseudo-random data, generated via libc rand() if nothing
         *           better is available.
         *
         *         • This function will work fine in early boot
         *
         *         • This function will always succeed
         *
         * What this function won't do:
         *
         *         • This function will never fail: it will give you randomness no matter what. It might not
         *           be high quality, but it will return some, possibly generated via libc's rand() call.
         *
         *         • This function will never block: if the only way to get good randomness is a blocking,
         *           synchronous getrandom() we'll instead provide you with pseudo-random data.
         *
         * This function is hence great for things like seeding hash tables, generating random numeric UNIX
         * user IDs (that are checked for collisions before use) and such.
         *
         * This function is hence not useful for generating UUIDs or cryptographic key material.
         */

        if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_MAY_FAIL|RANDOM_ALLOW_RDRAND|RANDOM_ALLOW_INSECURE) >= 0)
                return;

        /* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */
        pseudo_random_bytes(p, n);
}

size_t random_pool_size(void) {
        _cleanup_free_ char *s = NULL;
        int r;

        /* Read pool size, if possible */
        r = read_one_line_file("/proc/sys/kernel/random/poolsize", &s);
        if (r < 0)
                log_debug_errno(r, "Failed to read pool size from kernel: %m");
        else {
                unsigned sz;

                r = safe_atou(s, &sz);
                if (r < 0)
                        log_debug_errno(r, "Failed to parse pool size: %s", s);
                else
                        /* poolsize is in bits on 2.6, but we want bytes */
                        return CLAMP(sz / 8, RANDOM_POOL_SIZE_MIN, RANDOM_POOL_SIZE_MAX);
        }

        /* Use the minimum as default, if we can't retrieve the correct value */
        return RANDOM_POOL_SIZE_MIN;
}

int random_write_entropy(int fd, const void *seed, size_t size, bool credit) {
        int r;

        assert(fd >= 0);
        assert(seed && size > 0);

        if (credit) {
                _cleanup_free_ struct rand_pool_info *info = NULL;

                /* The kernel API only accepts "int" as entropy count (which is in bits), let's avoid any
                 * chance for confusion here. */
                if (size > INT_MAX / 8)
                        return -EOVERFLOW;

                info = malloc(offsetof(struct rand_pool_info, buf) + size);
                if (!info)
                        return -ENOMEM;

                info->entropy_count = size * 8;
                info->buf_size = size;
                memcpy(info->buf, seed, size);

                if (ioctl(fd, RNDADDENTROPY, info) < 0)
                        return -errno;
        } else {
                r = loop_write(fd, seed, size, false);
                if (r < 0)
                        return r;
        }

        return 0;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
3df3e884	2
33dbab6f	3	#if defined(__i386__) \|\| defined(__x86_64__)
97fa202a LP	4	#include <cpuid.h>
	5	#endif
	6
11c3a366	7	#include <elf.h>
3df3e884	8	#include <errno.h>
3df3e884	9	#include <fcntl.h>
4dd055f9	10	#include <linux/random.h>
a0f11d1d	11	#include <pthread.h>
11c3a366	12	#include <stdbool.h>
dccca82b	13	#include <stdint.h>
11c3a366	14	#include <stdlib.h>
dccca82b	15	#include <string.h>
4dd055f9	16	#include <sys/ioctl.h>
11c3a366	17	#include <sys/time.h>
11c3a366	18
349cc4a5	19	#if HAVE_SYS_AUXV_H
5224c2c7 ZJS	20	# include <sys/auxv.h>
	21	#endif
	22
c322f379	23	#include "alloc-util.h"
e2b55464	24	#include "errno-util.h"
3ffd4af2	25	#include "fd-util.h"
3e155eba	26	#include "fileio.h"
c004493c	27	#include "io-util.h"
f5947a5e YW	28	#include "missing_random.h"
f5947a5e YW	29	#include "missing_syscall.h"
3e155eba	30	#include "parse-util.h"
3df3e884	31	#include "random-util.h"
80eb560a	32	#include "siphash24.h"
3df3e884	33	#include "time-util.h"
3df3e884	34
a0f11d1d YW	35	static bool srand_called = false;
a0f11d1d YW	36
33dbab6f	37	int rdrand(unsigned long *ret) {
97fa202a	38
85505064 LP	39	/* So, you are a "security researcher", and you wonder why we bother with using raw RDRAND here,
	40	* instead of sticking to /dev/urandom or getrandom()?
	41	*
	42	* Here's why: early boot. On Linux, during early boot the random pool that backs /dev/urandom and
	43	* getrandom() is generally not initialized yet. It is very common that initialization of the random
	44	* pool takes a longer time (up to many minutes), in particular on embedded devices that have no
	45	* explicit hardware random generator, as well as in virtualized environments such as major cloud
	46	* installations that do not provide virtio-rng or a similar mechanism.
	47	*
	48	* In such an environment using getrandom() synchronously means we'd block the entire system boot-up
	49	* until the pool is initialized, i.e. very long. Using getrandom() asynchronously (GRND_NONBLOCK)
	50	* would mean acquiring randomness during early boot would simply fail. Using /dev/urandom would mean
	51	* generating many kmsg log messages about our use of it before the random pool is properly
	52	* initialized. Neither of these outcomes is desirable.
	53	*
	54	* Thus, for very specific purposes we use RDRAND instead of either of these three options. RDRAND
	55	* provides us quickly and relatively reliably with random values, without having to delay boot,
	56	* without triggering warning messages in kmsg.
	57	*
	58	* Note that we use RDRAND only under very specific circumstances, when the requirements on the
	59	* quality of the returned entropy permit it. Specifically, here are some cases where we do use
	60	* RDRAND:
	61	*
	62	* • UUID generation: UUIDs are supposed to be universally unique but are not cryptographic
	63	* key material. The quality and trust level of RDRAND should hence be OK: UUIDs should be
	64	* generated in a way that is reliably unique, but they do not require ultimate trust into
	65	* the entropy generator. systemd generates a number of UUIDs during early boot, including
	66	* 'invocation IDs' for every unit spawned that identify the specific invocation of the
	67	* service globally, and a number of others. Other alternatives for generating these UUIDs
	68	* have been considered, but don't really work: for example, hashing uuids from a local
	69	* system identifier combined with a counter falls flat because during early boot disk
	70	* storage is not yet available (think: initrd) and thus a system-specific ID cannot be
	71	* stored or retrieved yet.
	72	*
	73	* • Hash table seed generation: systemd uses many hash tables internally. Hash tables are
	74	* generally assumed to have O(1) access complexity, but can deteriorate to prohibitive
	75	* O(n) access complexity if an attacker manages to trigger a large number of hash
	76	* collisions. Thus, systemd (as any software employing hash tables should) uses seeded
	77	* hash functions for its hash tables, with a seed generated randomly. The hash tables
	78	* systemd employs watch the fill level closely and reseed if necessary. This allows use of
	79	* a low quality RNG initially, as long as it improves should a hash table be under attack:
d7b34e38	80	* the attacker after all needs to trigger many collisions to exploit it for the purpose
85505064 LP	81	* of DoS, but if doing so improves the seed the attack surface is reduced as the attack
	82	* takes place.
	83	*
	84	* Some cases where we do NOT use RDRAND are:
	85	*
	86	* • Generation of cryptographic key material 🔑
	87	*
	88	* • Generation of cryptographic salt values 🧂
	89	*
	90	* This function returns:
	91	*
	92	* -EOPNOTSUPP → RDRAND is not available on this system 😔
	93	* -EAGAIN → The operation failed this time, but is likely to work if you try again a few
	94	* times ♻
	95	* -EUCLEAN → We got some random value, but it looked strange, so we refused using it.
	96	* This failure might or might not be temporary. 😕
	97	*/
	98
33dbab6f	99	#if defined(__i386__) \|\| defined(__x86_64__)
97fa202a	100	static int have_rdrand = -1;
1c53d4a0	101	unsigned long v;
328f850e	102	uint8_t success;
97fa202a LP	103
	104	if (have_rdrand < 0) {
	105	uint32_t eax, ebx, ecx, edx;
	106
	107	/* Check if RDRAND is supported by the CPU */
	108	if (__get_cpuid(1, &eax, &ebx, &ecx, &edx) == 0) {
	109	have_rdrand = false;
	110	return -EOPNOTSUPP;
	111	}
	112
cc28145d LP	113	/* Compat with old gcc where bit_RDRND didn't exist yet */
	114	#ifndef bit_RDRND
	115	#define bit_RDRND (1U << 30)
	116	#endif
	117
	118	have_rdrand = !!(ecx & bit_RDRND);
97fa202a LP	119	}
	120
	121	if (have_rdrand == 0)
	122	return -EOPNOTSUPP;
	123
	124	asm volatile("rdrand %0;"
	125	"setc %1"
1c53d4a0	126	: "=r" (v),
328f850e	127	"=qm" (success));
7f2cdcea	128	msan_unpoison(&success, sizeof(success));
328f850e	129	if (!success)
97fa202a LP	130	return -EAGAIN;
97fa202a LP	131
1c53d4a0 LP	132	/* Apparently on some AMD CPUs RDRAND will sometimes (after a suspend/resume cycle?) report success
	133	* via the carry flag but nonetheless return the same fixed value -1 in all cases. This appears to be
	134	* a bad bug in the CPU or firmware. Let's deal with that and work-around this by explicitly checking
	135	* for this special value (and also 0, just to be sure) and filtering it out. This is a work-around
	136	* only however and something AMD really should fix properly. The Linux kernel should probably work
	137	* around this issue by turning off RDRAND altogether on those CPUs. See:
	138	* https://github.com/systemd/systemd/issues/11810 */
	139	if (v == 0 \|\| v == ULONG_MAX)
	140	return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
	141	"RDRAND returned suspicious value %lx, assuming bad hardware RNG, not using value.", v);
	142
	143	*ret = v;
97fa202a LP	144	return 0;
	145	#else
	146	return -EOPNOTSUPP;
	147	#endif
	148	}
	149
94d457e8	150	int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
3df3e884	151	static int have_syscall = -1;
3df3e884	152	_cleanup_close_ int fd = -1;
cc83d519	153	bool got_some = false;
7b54715d	154	int r;
3df3e884	155
85505064 LP	156	/* Gathers some high-quality randomness from the kernel (or potentially mid-quality randomness from
	157	* the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't block, unless the RANDOM_BLOCK
	158	* flag is set. If RANDOM_MAY_FAIL is set, an error is returned if the random pool is not
	159	* initialized. Otherwise it will always return some data from the kernel, regardless of whether the
	160	* random pool is fully initialized or not. If RANDOM_EXTEND_WITH_PSEUDO is set, and some but not
	161	* enough better quality randomness could be acquired, the rest is filled up with low quality
	162	* randomness.
	163	*
	164	* Of course, when creating cryptographic key material you really shouldn't use RANDOM_ALLOW_DRDRAND
	165	* or even RANDOM_EXTEND_WITH_PSEUDO.
	166	*
	167	* When generating UUIDs it's fine to use RANDOM_ALLOW_RDRAND but not OK to use
	168	* RANDOM_EXTEND_WITH_PSEUDO. In fact RANDOM_EXTEND_WITH_PSEUDO is only really fine when invoked via
	169	* an "all bets are off" wrapper, such as random_bytes(), see below. */
3df3e884	170
776cf746 LP	171	if (n == 0)
	172	return 0;
	173
cc83d519	174	if (FLAGS_SET(flags, RANDOM_ALLOW_RDRAND))
1a0ffa1e LP	175	/* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is
	176	* not required, as we don't trust it (who does?). Note that we only do a single iteration of
	177	* RDRAND here, even though the Intel docs suggest calling this in a tight loop of 10
	178	* invocations or so. That's because we don't really care about the quality here. We
	179	* generally prefer using RDRAND if the caller allows us to, since this way we won't upset
	180	* the kernel's random subsystem by accessing it before the pool is initialized (after all it
	181	* will kmsg log about every attempt to do so)..*/
cc83d519	182	for (;;) {
33dbab6f	183	unsigned long u;
cc83d519 LP	184	size_t m;
cc83d519 LP	185
33dbab6f	186	if (rdrand(&u) < 0) {
cc83d519 LP	187	if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
	188	/* Fill in the remaining bytes using pseudo-random values */
	189	pseudo_random_bytes(p, n);
	190	return 0;
	191	}
	192
	193	/* OK, this didn't work, let's go to getrandom() + /dev/urandom instead */
	194	break;
	195	}
	196
	197	m = MIN(sizeof(u), n);
	198	memcpy(p, &u, m);
	199
	200	p = (uint8_t*) p + m;
	201	n -= m;
	202
	203	if (n == 0)
	204	return 0; /* Yay, success! */
	205
	206	got_some = true;
	207	}
	208
f0d09059	209	/* Use the getrandom() syscall unless we know we don't have it. */
2e69f411	210	if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) {
68534345 LP	211
68534345 LP	212	for (;;) {
0497c4c2 LP	213	r = getrandom(p, n,
	214	(FLAGS_SET(flags, RANDOM_BLOCK) ? 0 : GRND_NONBLOCK) \|
	215	(FLAGS_SET(flags, RANDOM_ALLOW_INSECURE) ? GRND_INSECURE : 0));
68534345 LP	216	if (r > 0) {
	217	have_syscall = true;
	218
	219	if ((size_t) r == n)
	220	return 0; /* Yay, success! */
	221
	222	assert((size_t) r < n);
	223	p = (uint8_t*) p + r;
	224	n -= r;
	225
	226	if (FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
	227	/* Fill in the remaining bytes using pseudo-random values */
	228	pseudo_random_bytes(p, n);
	229	return 0;
	230	}
	231
cc83d519 LP	232	got_some = true;
cc83d519 LP	233
68534345 LP	234	/* Hmm, we didn't get enough good data but the caller insists on good data? Then try again */
	235	if (FLAGS_SET(flags, RANDOM_BLOCK))
	236	continue;
	237
	238	/* Fill in the rest with /dev/urandom */
	239	break;
	240
	241	} else if (r == 0) {
	242	have_syscall = true;
	243	return -EIO;
	244
e2b55464	245	} else if (ERRNO_IS_NOT_SUPPORTED(errno)) {
68534345 LP	246	/* We lack the syscall, continue with reading from /dev/urandom. */
	247	have_syscall = false;
	248	break;
	249
	250	} else if (errno == EAGAIN) {
1a0ffa1e LP	251	/* The kernel has no entropy whatsoever. Let's remember to use the syscall
1a0ffa1e LP	252	* the next time again though.
68534345	253	*
1a0ffa1e LP	254	* If RANDOM_MAY_FAIL is set, return an error so that random_bytes() can
	255	* produce some pseudo-random bytes instead. Otherwise, fall back to
	256	* /dev/urandom, which we know is empty, but the kernel will produce some
	257	* bytes for us on a best-effort basis. */
68534345 LP	258	have_syscall = true;
68534345 LP	259
cc83d519 LP	260	if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
	261	/* Fill in the remaining bytes using pseudorandom values */
	262	pseudo_random_bytes(p, n);
68534345 LP	263	return 0;
	264	}
	265
1a0ffa1e	266	if (FLAGS_SET(flags, RANDOM_MAY_FAIL))
cc83d519 LP	267	return -ENODATA;
cc83d519 LP	268
68534345 LP	269	/* Use /dev/urandom instead */
68534345 LP	270	break;
0497c4c2 LP	271
	272	} else if (errno == EINVAL) {
	273
	274	/* Most likely: unknown flag. We know that GRND_INSECURE might cause this,
	275	* hence try without. */
	276
	277	if (FLAGS_SET(flags, RANDOM_ALLOW_INSECURE)) {
	278	flags = flags &~ RANDOM_ALLOW_INSECURE;
	279	continue;
	280	}
	281
	282	return -errno;
68534345 LP	283	} else
	284	return -errno;
	285	}
3df3e884 RC	286	}
	287
	288	fd = open("/dev/urandom", O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
	289	if (fd < 0)
	290	return errno == ENOENT ? -ENOSYS : -errno;
	291
68534345	292	return loop_read_exact(fd, p, n, true);
3df3e884 RC	293	}
3df3e884 RC	294
a0f11d1d YW	295	static void clear_srand_initialization(void) {
	296	srand_called = false;
	297	}
	298
3df3e884	299	void initialize_srand(void) {
a0f11d1d	300	static bool pthread_atfork_registered = false;
3df3e884	301	unsigned x;
349cc4a5	302	#if HAVE_SYS_AUXV_H
54bf2315	303	const void *auxv;
3df3e884	304	#endif
33dbab6f	305	unsigned long k;
3df3e884 RC	306
	307	if (srand_called)
	308	return;
	309
349cc4a5	310	#if HAVE_SYS_AUXV_H
80eb560a LP	311	/* The kernel provides us with 16 bytes of entropy in auxv, so let's try to make use of that to seed
	312	* the pseudo-random generator. It's better than nothing... But let's first hash it to make it harder
	313	* to recover the original value by watching any pseudo-random bits we generate. After all the
	314	* AT_RANDOM data might be used by other stuff too (in particular: ASLR), and we probably shouldn't
	315	* leak the seed for that. */
3df3e884	316
80eb560a	317	auxv = ULONG_TO_PTR(getauxval(AT_RANDOM));
ad6b1fa2	318	if (auxv) {
80eb560a LP	319	static const uint8_t auxval_hash_key[16] = {
	320	0x92, 0x6e, 0xfe, 0x1b, 0xcf, 0x00, 0x52, 0x9c, 0xcc, 0x42, 0xcf, 0xdc, 0x94, 0x1f, 0x81, 0x0f
	321	};
	322
	323	x = (unsigned) siphash24(auxv, 16, auxval_hash_key);
ad6b1fa2	324	} else
3df3e884	325	#endif
ad6b1fa2 LP	326	x = 0;
ad6b1fa2 LP	327
3df3e884 RC	328	x ^= (unsigned) now(CLOCK_REALTIME);
	329	x ^= (unsigned) gettid();
	330
33dbab6f	331	if (rdrand(&k) >= 0)
92025e8f LP	332	x ^= (unsigned) k;
92025e8f LP	333
3df3e884 RC	334	srand(x);
3df3e884 RC	335	srand_called = true;
a0f11d1d YW	336
	337	if (!pthread_atfork_registered) {
	338	(void) pthread_atfork(NULL, NULL, clear_srand_initialization);
	339	pthread_atfork_registered = true;
	340	}
3df3e884 RC	341	}
3df3e884 RC	342
6a06b1a5 ZJS	343	/* INT_MAX gives us only 31 bits, so use 24 out of that. */
6a06b1a5 ZJS	344	#if RAND_MAX >= INT_MAX
57ee010f	345	assert_cc(RAND_MAX >= 16777215);
6a06b1a5 ZJS	346	# define RAND_STEP 3
6a06b1a5 ZJS	347	#else
57ee010f LP	348	/* SHORT_INT_MAX or lower gives at most 15 bits, we just use 8 out of that. */
57ee010f LP	349	assert_cc(RAND_MAX >= 255);
6a06b1a5 ZJS	350	# define RAND_STEP 1
	351	#endif
	352
3335dc2d	353	void pseudo_random_bytes(void *p, size_t n) {
3df3e884	354	uint8_t *q;
6a06b1a5	355
85505064 LP	356	/* This returns pseudo-random data using libc's rand() function. You probably never want to call this
	357	* directly, because why would you use this if you can get better stuff cheaply? Use random_bytes()
	358	* instead, see below: it will fall back to this function if there's nothing better to get, but only
	359	* then. */
	360
6a06b1a5 ZJS	361	initialize_srand();
	362
	363	for (q = p; q < (uint8_t*) p + n; q += RAND_STEP) {
	364	unsigned rr;
	365
	366	rr = (unsigned) rand();
	367
	368	#if RAND_STEP >= 3
7b54715d	369	if ((size_t) (q - (uint8_t*) p + 2) < n)
6a06b1a5 ZJS	370	q[2] = rr >> 16;
	371	#endif
	372	#if RAND_STEP >= 2
7b54715d	373	if ((size_t) (q - (uint8_t*) p + 1) < n)
6a06b1a5 ZJS	374	q[1] = rr >> 8;
	375	#endif
	376	q[0] = rr;
	377	}
	378	}
	379
	380	void random_bytes(void *p, size_t n) {
3df3e884	381
85505064 LP	382	/* This returns high quality randomness if we can get it cheaply. If we can't because for some reason
	383	* it is not available we'll try some crappy fallbacks.
	384	*
	385	* What this function will do:
	386	*
	387	* • This function will preferably use the CPU's RDRAND operation, if it is available, in
	388	* order to return "mid-quality" random values cheaply.
	389	*
	390	* • Use getrandom() with GRND_NONBLOCK, to return high-quality random values if they are
	391	* cheaply available.
	392	*
	393	* • This function will return pseudo-random data, generated via libc rand() if nothing
	394	* better is available.
	395	*
	396	* • This function will work fine in early boot
	397	*
	398	* • This function will always succeed
	399	*
	400	* What this function won't do:
	401	*
	402	* • This function will never fail: it will give you randomness no matter what. It might not
	403	* be high quality, but it will return some, possibly generated via libc's rand() call.
	404	*
	405	* • This function will never block: if the only way to get good randomness is a blocking,
	406	* synchronous getrandom() we'll instead provide you with pseudo-random data.
	407	*
	408	* This function is hence great for things like seeding hash tables, generating random numeric UNIX
	409	* user IDs (that are checked for collisions before use) and such.
	410	*
	411	* This function is hence not useful for generating UUIDs or cryptographic key material.
	412	*/
	413
0497c4c2	414	if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO\|RANDOM_MAY_FAIL\|RANDOM_ALLOW_RDRAND\|RANDOM_ALLOW_INSECURE) >= 0)
3df3e884 RC	415	return;
3df3e884 RC	416
3335dc2d LP	417	/* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */
3335dc2d LP	418	pseudo_random_bytes(p, n);
3df3e884	419	}
3e155eba LP	420
	421	size_t random_pool_size(void) {
	422	_cleanup_free_ char *s = NULL;
	423	int r;
	424
	425	/* Read pool size, if possible */
	426	r = read_one_line_file("/proc/sys/kernel/random/poolsize", &s);
	427	if (r < 0)
	428	log_debug_errno(r, "Failed to read pool size from kernel: %m");
	429	else {
	430	unsigned sz;
	431
	432	r = safe_atou(s, &sz);
	433	if (r < 0)
	434	log_debug_errno(r, "Failed to parse pool size: %s", s);
	435	else
	436	/* poolsize is in bits on 2.6, but we want bytes */
	437	return CLAMP(sz / 8, RANDOM_POOL_SIZE_MIN, RANDOM_POOL_SIZE_MAX);
	438	}
	439
	440	/* Use the minimum as default, if we can't retrieve the correct value */
	441	return RANDOM_POOL_SIZE_MIN;
	442	}
4dd055f9 LP	443
	444	int random_write_entropy(int fd, const void *seed, size_t size, bool credit) {
	445	int r;
	446
	447	assert(fd >= 0);
	448	assert(seed && size > 0);
	449
	450	if (credit) {
	451	_cleanup_free_ struct rand_pool_info *info = NULL;
	452
	453	/* The kernel API only accepts "int" as entropy count (which is in bits), let's avoid any
	454	* chance for confusion here. */
	455	if (size > INT_MAX / 8)
	456	return -EOVERFLOW;
	457
	458	info = malloc(offsetof(struct rand_pool_info, buf) + size);
	459	if (!info)
	460	return -ENOMEM;
	461
	462	info->entropy_count = size * 8;
	463	info->buf_size = size;
	464	memcpy(info->buf, seed, size);
	465
	466	if (ioctl(fd, RNDADDENTROPY, info) < 0)
	467	return -errno;
	468	} else {
	469	r = loop_write(fd, seed, size, false);
	470	if (r < 0)
	471	return r;
	472	}
	473
	474	return 0;
	475	}