src/basic/random-util.c

   1 /* SPDX-License-Identifier: LGPL-2.1+ */
   2 /***
   3   This file is part of systemd.
   4
   5   Copyright 2010 Lennart Poettering
   6 ***/
   7
   8 #include <elf.h>
   9 #include <errno.h>
  10 #include <fcntl.h>
  11 #include <linux/random.h>
  12 #include <stdbool.h>
  13 #include <stdint.h>
  14 #include <stdlib.h>
  15 #include <string.h>
  16 #include <sys/time.h>
  17
  18 #if HAVE_SYS_AUXV_H
  19 #  include <sys/auxv.h>
  20 #endif
  21
  22 #if USE_SYS_RANDOM_H
  23 #  include <sys/random.h>
  24 #else
  25 #  include <linux/random.h>
  26 #endif
  27
  28 #include "fd-util.h"
  29 #include "io-util.h"
  30 #include "missing.h"
  31 #include "random-util.h"
  32 #include "time-util.h"
  33
  34 int acquire_random_bytes(void *p, size_t n, bool high_quality_required) {
  35         static int have_syscall = -1;
  36
  37         _cleanup_close_ int fd = -1;
  38         size_t already_done = 0;
  39         int r;
  40
  41         /* Gathers some randomness from the kernel. This call will never block. If
  42          * high_quality_required, it will always return some data from the kernel,
  43          * regardless of whether the random pool is fully initialized or not.
  44          * Otherwise, it will return success if at least some random bytes were
  45          * successfully acquired, and an error if the kernel has no entropy whatsover
  46          * for us. */
  47
  48         /* Use the getrandom() syscall unless we know we don't have it. */
  49         if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) {
  50                 r = getrandom(p, n, GRND_NONBLOCK);
  51                 if (r > 0) {
  52                         have_syscall = true;
  53                         if ((size_t) r == n)
  54                                 return 0;
  55                         if (!high_quality_required) {
  56                                 /* Fill in the remaining bytes using pseudorandom values */
  57                                 pseudorandom_bytes((uint8_t*) p + r, n - r);
  58                                 return 0;
  59                         }
  60
  61                         already_done = r;
  62                 } else if (errno == ENOSYS)
  63                           /* We lack the syscall, continue with reading from /dev/urandom. */
  64                           have_syscall = false;
  65                 else if (errno == EAGAIN) {
  66                         /* The kernel has no entropy whatsoever. Let's remember to
  67                          * use the syscall the next time again though.
  68                          *
  69                          * If high_quality_required is false, return an error so that
  70                          * random_bytes() can produce some pseudorandom
  71                          * bytes. Otherwise, fall back to /dev/urandom, which we know
  72                          * is empty, but the kernel will produce some bytes for us on
  73                          * a best-effort basis. */
  74                         have_syscall = true;
  75
  76                         if (!high_quality_required)
  77                                 return -ENODATA;
  78                 } else
  79                         return -errno;
  80         }
  81
  82         fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
  83         if (fd < 0)
  84                 return errno == ENOENT ? -ENOSYS : -errno;
  85
  86         return loop_read_exact(fd, (uint8_t*) p + already_done, n - already_done, true);
  87 }
  88
  89 void initialize_srand(void) {
  90         static bool srand_called = false;
  91         unsigned x;
  92 #if HAVE_SYS_AUXV_H
  93         void *auxv;
  94 #endif
  95
  96         if (srand_called)
  97                 return;
  98
  99 #if HAVE_SYS_AUXV_H
 100         /* The kernel provides us with 16 bytes of entropy in auxv, so let's
 101          * try to make use of that to seed the pseudo-random generator. It's
 102          * better than nothing... */
 103
 104         auxv = (void*) getauxval(AT_RANDOM);
 105         if (auxv) {
 106                 assert_cc(sizeof(x) <= 16);
 107                 memcpy(&x, auxv, sizeof(x));
 108         } else
 109 #endif
 110                 x = 0;
 111
 112         x ^= (unsigned) now(CLOCK_REALTIME);
 113         x ^= (unsigned) gettid();
 114
 115         srand(x);
 116         srand_called = true;
 117 }
 118
 119 /* INT_MAX gives us only 31 bits, so use 24 out of that. */
 120 #if RAND_MAX >= INT_MAX
 121 #  define RAND_STEP 3
 122 #else
 123 /* SHORT_INT_MAX or lower gives at most 15 bits, we just just 8 out of that. */
 124 #  define RAND_STEP 1
 125 #endif
 126
 127 void pseudorandom_bytes(void *p, size_t n) {
 128         uint8_t *q;
 129
 130         initialize_srand();
 131
 132         for (q = p; q < (uint8_t*) p + n; q += RAND_STEP) {
 133                 unsigned rr;
 134
 135                 rr = (unsigned) rand();
 136
 137 #if RAND_STEP >= 3
 138                 if ((size_t) (q - (uint8_t*) p + 2) < n)
 139                         q[2] = rr >> 16;
 140 #endif
 141 #if RAND_STEP >= 2
 142                 if ((size_t) (q - (uint8_t*) p + 1) < n)
 143                         q[1] = rr >> 8;
 144 #endif
 145                 q[0] = rr;
 146         }
 147 }
 148
 149 void random_bytes(void *p, size_t n) {
 150         int r;
 151
 152         r = acquire_random_bytes(p, n, false);
 153         if (r >= 0)
 154                 return;
 155
 156         /* If some idiot made /dev/urandom unavailable to us, or the
 157          * kernel has no entropy, use a PRNG instead. */
 158         return pseudorandom_bytes(p, n);
 159 }