]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/random-util.c
tree-wide: drop 'This file is part of systemd' blurb
[thirdparty/systemd.git] / src / basic / random-util.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 Copyright 2010 Lennart Poettering
4 ***/
5
6 #include <elf.h>
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <linux/random.h>
10 #include <stdbool.h>
11 #include <stdint.h>
12 #include <stdlib.h>
13 #include <string.h>
14 #include <sys/time.h>
15
16 #if HAVE_SYS_AUXV_H
17 # include <sys/auxv.h>
18 #endif
19
20 #if USE_SYS_RANDOM_H
21 # include <sys/random.h>
22 #else
23 # include <linux/random.h>
24 #endif
25
26 #include "fd-util.h"
27 #include "io-util.h"
28 #include "missing.h"
29 #include "random-util.h"
30 #include "time-util.h"
31
32 int acquire_random_bytes(void *p, size_t n, bool high_quality_required) {
33 static int have_syscall = -1;
34
35 _cleanup_close_ int fd = -1;
36 size_t already_done = 0;
37 int r;
38
39 /* Gathers some randomness from the kernel. This call will never block. If
40 * high_quality_required, it will always return some data from the kernel,
41 * regardless of whether the random pool is fully initialized or not.
42 * Otherwise, it will return success if at least some random bytes were
43 * successfully acquired, and an error if the kernel has no entropy whatsover
44 * for us. */
45
46 /* Use the getrandom() syscall unless we know we don't have it. */
47 if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) {
48 r = getrandom(p, n, GRND_NONBLOCK);
49 if (r > 0) {
50 have_syscall = true;
51 if ((size_t) r == n)
52 return 0;
53 if (!high_quality_required) {
54 /* Fill in the remaining bytes using pseudorandom values */
55 pseudorandom_bytes((uint8_t*) p + r, n - r);
56 return 0;
57 }
58
59 already_done = r;
60 } else if (errno == ENOSYS)
61 /* We lack the syscall, continue with reading from /dev/urandom. */
62 have_syscall = false;
63 else if (errno == EAGAIN) {
64 /* The kernel has no entropy whatsoever. Let's remember to
65 * use the syscall the next time again though.
66 *
67 * If high_quality_required is false, return an error so that
68 * random_bytes() can produce some pseudorandom
69 * bytes. Otherwise, fall back to /dev/urandom, which we know
70 * is empty, but the kernel will produce some bytes for us on
71 * a best-effort basis. */
72 have_syscall = true;
73
74 if (!high_quality_required)
75 return -ENODATA;
76 } else
77 return -errno;
78 }
79
80 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
81 if (fd < 0)
82 return errno == ENOENT ? -ENOSYS : -errno;
83
84 return loop_read_exact(fd, (uint8_t*) p + already_done, n - already_done, true);
85 }
86
87 void initialize_srand(void) {
88 static bool srand_called = false;
89 unsigned x;
90 #if HAVE_SYS_AUXV_H
91 void *auxv;
92 #endif
93
94 if (srand_called)
95 return;
96
97 #if HAVE_SYS_AUXV_H
98 /* The kernel provides us with 16 bytes of entropy in auxv, so let's
99 * try to make use of that to seed the pseudo-random generator. It's
100 * better than nothing... */
101
102 auxv = (void*) getauxval(AT_RANDOM);
103 if (auxv) {
104 assert_cc(sizeof(x) <= 16);
105 memcpy(&x, auxv, sizeof(x));
106 } else
107 #endif
108 x = 0;
109
110 x ^= (unsigned) now(CLOCK_REALTIME);
111 x ^= (unsigned) gettid();
112
113 srand(x);
114 srand_called = true;
115 }
116
117 /* INT_MAX gives us only 31 bits, so use 24 out of that. */
118 #if RAND_MAX >= INT_MAX
119 # define RAND_STEP 3
120 #else
121 /* SHORT_INT_MAX or lower gives at most 15 bits, we just just 8 out of that. */
122 # define RAND_STEP 1
123 #endif
124
125 void pseudorandom_bytes(void *p, size_t n) {
126 uint8_t *q;
127
128 initialize_srand();
129
130 for (q = p; q < (uint8_t*) p + n; q += RAND_STEP) {
131 unsigned rr;
132
133 rr = (unsigned) rand();
134
135 #if RAND_STEP >= 3
136 if ((size_t) (q - (uint8_t*) p + 2) < n)
137 q[2] = rr >> 16;
138 #endif
139 #if RAND_STEP >= 2
140 if ((size_t) (q - (uint8_t*) p + 1) < n)
141 q[1] = rr >> 8;
142 #endif
143 q[0] = rr;
144 }
145 }
146
147 void random_bytes(void *p, size_t n) {
148 int r;
149
150 r = acquire_random_bytes(p, n, false);
151 if (r >= 0)
152 return;
153
154 /* If some idiot made /dev/urandom unavailable to us, or the
155 * kernel has no entropy, use a PRNG instead. */
156 return pseudorandom_bytes(p, n);
157 }