]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/random-util.c
projects / thirdparty / systemd.git / blob
? search:


2031262389202af45a7187229d807f2b17ba0a1c
[thirdparty/systemd.git] / src / basic / random-util.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #if defined(__i386__) || defined(__x86_64__)
4 #include <cpuid.h>
5 #endif
6
7 #include <elf.h>
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <linux/random.h>
11 #include <pthread.h>
12 #include <stdbool.h>
13 #include <stdint.h>
14 #include <stdlib.h>
15 #include <string.h>
16 #include <sys/ioctl.h>
17 #include <sys/time.h>
18
19 #if HAVE_SYS_AUXV_H
20 # include <sys/auxv.h>
21 #endif
22
23 #include "alloc-util.h"
24 #include "env-util.h"
25 #include "errno-util.h"
26 #include "fd-util.h"
27 #include "fileio.h"
28 #include "io-util.h"
29 #include "missing_random.h"
30 #include "missing_syscall.h"
31 #include "parse-util.h"
32 #include "random-util.h"
33 #include "siphash24.h"
34 #include "time-util.h"
35
36 static bool srand_called = false;
37
38 int rdrand(unsigned long *ret) {
39
40 /* So, you are a "security researcher", and you wonder why we bother with using raw RDRAND here,
41 * instead of sticking to /dev/urandom or getrandom()?
42 *
43 * Here's why: early boot. On Linux, during early boot the random pool that backs /dev/urandom and
44 * getrandom() is generally not initialized yet. It is very common that initialization of the random
45 * pool takes a longer time (up to many minutes), in particular on embedded devices that have no
46 * explicit hardware random generator, as well as in virtualized environments such as major cloud
47 * installations that do not provide virtio-rng or a similar mechanism.
48 *
49 * In such an environment using getrandom() synchronously means we'd block the entire system boot-up
50 * until the pool is initialized, i.e. *very* long. Using getrandom() asynchronously (GRND_NONBLOCK)
51 * would mean acquiring randomness during early boot would simply fail. Using /dev/urandom would mean
52 * generating many kmsg log messages about our use of it before the random pool is properly
53 * initialized. Neither of these outcomes is desirable.
54 *
55 * Thus, for very specific purposes we use RDRAND instead of either of these three options. RDRAND
56 * provides us quickly and relatively reliably with random values, without having to delay boot,
57 * without triggering warning messages in kmsg.
58 *
59 * Note that we use RDRAND only under very specific circumstances, when the requirements on the
60 * quality of the returned entropy permit it. Specifically, here are some cases where we *do* use
61 * RDRAND:
62 *
63 * • UUID generation: UUIDs are supposed to be universally unique but are not cryptographic
64 * key material. The quality and trust level of RDRAND should hence be OK: UUIDs should be
65 * generated in a way that is reliably unique, but they do not require ultimate trust into
66 * the entropy generator. systemd generates a number of UUIDs during early boot, including
67 * 'invocation IDs' for every unit spawned that identify the specific invocation of the
68 * service globally, and a number of others. Other alternatives for generating these UUIDs
69 * have been considered, but don't really work: for example, hashing uuids from a local
70 * system identifier combined with a counter falls flat because during early boot disk
71 * storage is not yet available (think: initrd) and thus a system-specific ID cannot be
72 * stored or retrieved yet.
73 *
74 * • Hash table seed generation: systemd uses many hash tables internally. Hash tables are
75 * generally assumed to have O(1) access complexity, but can deteriorate to prohibitive
76 * O(n) access complexity if an attacker manages to trigger a large number of hash
77 * collisions. Thus, systemd (as any software employing hash tables should) uses seeded
78 * hash functions for its hash tables, with a seed generated randomly. The hash tables
79 * systemd employs watch the fill level closely and reseed if necessary. This allows use of
80 * a low quality RNG initially, as long as it improves should a hash table be under attack:
81 * the attacker after all needs to trigger many collisions to exploit it for the purpose
82 * of DoS, but if doing so improves the seed the attack surface is reduced as the attack
83 * takes place.
84 *
85 * Some cases where we do NOT use RDRAND are:
86 *
87 * • Generation of cryptographic key material 🔑
88 *
89 * • Generation of cryptographic salt values 🧂
90 *
91 * This function returns:
92 *
93 * -EOPNOTSUPP → RDRAND is not available on this system 😔
94 * -EAGAIN → The operation failed this time, but is likely to work if you try again a few
95 * times ♻
96 * -EUCLEAN → We got some random value, but it looked strange, so we refused using it.
97 * This failure might or might not be temporary. 😕
98 */
99
100 #if defined(__i386__) || defined(__x86_64__)
101 static int have_rdrand = -1;
102 unsigned long v;
103 uint8_t success;
104
105 if (have_rdrand < 0) {
106 uint32_t eax, ebx, ecx, edx;
107
108 /* Check if RDRAND is supported by the CPU */
109 if (__get_cpuid(1, &eax, &ebx, &ecx, &edx) == 0) {
110 have_rdrand = false;
111 return -EOPNOTSUPP;
112 }
113
114 /* Compat with old gcc where bit_RDRND didn't exist yet */
115 #ifndef bit_RDRND
116 #define bit_RDRND (1U << 30)
117 #endif
118
119 have_rdrand = !!(ecx & bit_RDRND);
120
121 if (have_rdrand > 0) {
122 /* Allow disabling use of RDRAND with SYSTEMD_RDRAND=0
123 If it is unset getenv_bool_secure will return a negative value. */
124 if (getenv_bool_secure("SYSTEMD_RDRAND") == 0) {
125 have_rdrand = false;
126 return -EOPNOTSUPP;
127 }
128 }
129 }
130
131 if (have_rdrand == 0)
132 return -EOPNOTSUPP;
133
134 asm volatile("rdrand %0;"
135 "setc %1"
136 : "=r" (v),
137 "=qm" (success));
138 msan_unpoison(&success, sizeof(success));
139 if (!success)
140 return -EAGAIN;
141
142 /* Apparently on some AMD CPUs RDRAND will sometimes (after a suspend/resume cycle?) report success
143 * via the carry flag but nonetheless return the same fixed value -1 in all cases. This appears to be
144 * a bad bug in the CPU or firmware. Let's deal with that and work-around this by explicitly checking
145 * for this special value (and also 0, just to be sure) and filtering it out. This is a work-around
146 * only however and something AMD really should fix properly. The Linux kernel should probably work
147 * around this issue by turning off RDRAND altogether on those CPUs. See:
148 * https://github.com/systemd/systemd/issues/11810 */
149 if (v == 0 || v == ULONG_MAX)
150 return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
151 "RDRAND returned suspicious value %lx, assuming bad hardware RNG, not using value.", v);
152
153 *ret = v;
154 return 0;
155 #else
156 return -EOPNOTSUPP;
157 #endif
158 }
159
160 int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
161 static int have_syscall = -1;
162 _cleanup_close_ int fd = -1;
163 bool got_some = false;
164 int r;
165
166 /* Gathers some high-quality randomness from the kernel (or potentially mid-quality randomness from
167 * the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't block, unless the RANDOM_BLOCK
168 * flag is set. If RANDOM_MAY_FAIL is set, an error is returned if the random pool is not
169 * initialized. Otherwise it will always return some data from the kernel, regardless of whether the
170 * random pool is fully initialized or not. If RANDOM_EXTEND_WITH_PSEUDO is set, and some but not
171 * enough better quality randomness could be acquired, the rest is filled up with low quality
172 * randomness.
173 *
174 * Of course, when creating cryptographic key material you really shouldn't use RANDOM_ALLOW_DRDRAND
175 * or even RANDOM_EXTEND_WITH_PSEUDO.
176 *
177 * When generating UUIDs it's fine to use RANDOM_ALLOW_RDRAND but not OK to use
178 * RANDOM_EXTEND_WITH_PSEUDO. In fact RANDOM_EXTEND_WITH_PSEUDO is only really fine when invoked via
179 * an "all bets are off" wrapper, such as random_bytes(), see below. */
180
181 if (n == 0)
182 return 0;
183
184 if (FLAGS_SET(flags, RANDOM_ALLOW_RDRAND))
185 /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is
186 * not required, as we don't trust it (who does?). Note that we only do a single iteration of
187 * RDRAND here, even though the Intel docs suggest calling this in a tight loop of 10
188 * invocations or so. That's because we don't really care about the quality here. We
189 * generally prefer using RDRAND if the caller allows us to, since this way we won't upset
190 * the kernel's random subsystem by accessing it before the pool is initialized (after all it
191 * will kmsg log about every attempt to do so)..*/
192 for (;;) {
193 unsigned long u;
194 size_t m;
195
196 if (rdrand(&u) < 0) {
197 if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
198 /* Fill in the remaining bytes using pseudo-random values */
199 pseudo_random_bytes(p, n);
200 return 0;
201 }
202
203 /* OK, this didn't work, let's go to getrandom() + /dev/urandom instead */
204 break;
205 }
206
207 m = MIN(sizeof(u), n);
208 memcpy(p, &u, m);
209
210 p = (uint8_t*) p + m;
211 n -= m;
212
213 if (n == 0)
214 return 0; /* Yay, success! */
215
216 got_some = true;
217 }
218
219 /* Use the getrandom() syscall unless we know we don't have it. */
220 if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) {
221
222 for (;;) {
223 r = getrandom(p, n,
224 (FLAGS_SET(flags, RANDOM_BLOCK) ? 0 : GRND_NONBLOCK) |
225 (FLAGS_SET(flags, RANDOM_ALLOW_INSECURE) ? GRND_INSECURE : 0));
226 if (r > 0) {
227 have_syscall = true;
228
229 if ((size_t) r == n)
230 return 0; /* Yay, success! */
231
232 assert((size_t) r < n);
233 p = (uint8_t*) p + r;
234 n -= r;
235
236 if (FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
237 /* Fill in the remaining bytes using pseudo-random values */
238 pseudo_random_bytes(p, n);
239 return 0;
240 }
241
242 got_some = true;
243
244 /* Hmm, we didn't get enough good data but the caller insists on good data? Then try again */
245 if (FLAGS_SET(flags, RANDOM_BLOCK))
246 continue;
247
248 /* Fill in the rest with /dev/urandom */
249 break;
250
251 } else if (r == 0) {
252 have_syscall = true;
253 return -EIO;
254
255 } else if (ERRNO_IS_NOT_SUPPORTED(errno)) {
256 /* We lack the syscall, continue with reading from /dev/urandom. */
257 have_syscall = false;
258 break;
259
260 } else if (errno == EAGAIN) {
261 /* The kernel has no entropy whatsoever. Let's remember to use the syscall
262 * the next time again though.
263 *
264 * If RANDOM_MAY_FAIL is set, return an error so that random_bytes() can
265 * produce some pseudo-random bytes instead. Otherwise, fall back to
266 * /dev/urandom, which we know is empty, but the kernel will produce some
267 * bytes for us on a best-effort basis. */
268 have_syscall = true;
269
270 if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
271 /* Fill in the remaining bytes using pseudorandom values */
272 pseudo_random_bytes(p, n);
273 return 0;
274 }
275
276 if (FLAGS_SET(flags, RANDOM_MAY_FAIL))
277 return -ENODATA;
278
279 /* Use /dev/urandom instead */
280 break;
281
282 } else if (errno == EINVAL) {
283
284 /* Most likely: unknown flag. We know that GRND_INSECURE might cause this,
285 * hence try without. */
286
287 if (FLAGS_SET(flags, RANDOM_ALLOW_INSECURE)) {
288 flags = flags &~ RANDOM_ALLOW_INSECURE;
289 continue;
290 }
291
292 return -errno;
293 } else
294 return -errno;
295 }
296 }
297
298 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
299 if (fd < 0)
300 return errno == ENOENT ? -ENOSYS : -errno;
301
302 return loop_read_exact(fd, p, n, true);
303 }
304
305 static void clear_srand_initialization(void) {
306 srand_called = false;
307 }
308
309 void initialize_srand(void) {
310 static bool pthread_atfork_registered = false;
311 unsigned x;
312 #if HAVE_SYS_AUXV_H
313 const void *auxv;
314 #endif
315 unsigned long k;
316
317 if (srand_called)
318 return;
319
320 #if HAVE_SYS_AUXV_H
321 /* The kernel provides us with 16 bytes of entropy in auxv, so let's try to make use of that to seed
322 * the pseudo-random generator. It's better than nothing... But let's first hash it to make it harder
323 * to recover the original value by watching any pseudo-random bits we generate. After all the
324 * AT_RANDOM data might be used by other stuff too (in particular: ASLR), and we probably shouldn't
325 * leak the seed for that. */
326
327 auxv = ULONG_TO_PTR(getauxval(AT_RANDOM));
328 if (auxv) {
329 static const uint8_t auxval_hash_key[16] = {
330 0x92, 0x6e, 0xfe, 0x1b, 0xcf, 0x00, 0x52, 0x9c, 0xcc, 0x42, 0xcf, 0xdc, 0x94, 0x1f, 0x81, 0x0f
331 };
332
333 x = (unsigned) siphash24(auxv, 16, auxval_hash_key);
334 } else
335 #endif
336 x = 0;
337
338 x ^= (unsigned) now(CLOCK_REALTIME);
339 x ^= (unsigned) gettid();
340
341 if (rdrand(&k) >= 0)
342 x ^= (unsigned) k;
343
344 srand(x);
345 srand_called = true;
346
347 if (!pthread_atfork_registered) {
348 (void) pthread_atfork(NULL, NULL, clear_srand_initialization);
349 pthread_atfork_registered = true;
350 }
351 }
352
353 /* INT_MAX gives us only 31 bits, so use 24 out of that. */
354 #if RAND_MAX >= INT_MAX
355 assert_cc(RAND_MAX >= 16777215);
356 # define RAND_STEP 3
357 #else
358 /* SHORT_INT_MAX or lower gives at most 15 bits, we just use 8 out of that. */
359 assert_cc(RAND_MAX >= 255);
360 # define RAND_STEP 1
361 #endif
362
363 void pseudo_random_bytes(void *p, size_t n) {
364 uint8_t *q;
365
366 /* This returns pseudo-random data using libc's rand() function. You probably never want to call this
367 * directly, because why would you use this if you can get better stuff cheaply? Use random_bytes()
368 * instead, see below: it will fall back to this function if there's nothing better to get, but only
369 * then. */
370
371 initialize_srand();
372
373 for (q = p; q < (uint8_t*) p + n; q += RAND_STEP) {
374 unsigned rr;
375
376 rr = (unsigned) rand();
377
378 #if RAND_STEP >= 3
379 if ((size_t) (q - (uint8_t*) p + 2) < n)
380 q[2] = rr >> 16;
381 #endif
382 #if RAND_STEP >= 2
383 if ((size_t) (q - (uint8_t*) p + 1) < n)
384 q[1] = rr >> 8;
385 #endif
386 q[0] = rr;
387 }
388 }
389
390 void random_bytes(void *p, size_t n) {
391
392 /* This returns high quality randomness if we can get it cheaply. If we can't because for some reason
393 * it is not available we'll try some crappy fallbacks.
394 *
395 * What this function will do:
396 *
397 * • This function will preferably use the CPU's RDRAND operation, if it is available, in
398 * order to return "mid-quality" random values cheaply.
399 *
400 * • Use getrandom() with GRND_NONBLOCK, to return high-quality random values if they are
401 * cheaply available.
402 *
403 * • This function will return pseudo-random data, generated via libc rand() if nothing
404 * better is available.
405 *
406 * • This function will work fine in early boot
407 *
408 * • This function will always succeed
409 *
410 * What this function won't do:
411 *
412 * • This function will never fail: it will give you randomness no matter what. It might not
413 * be high quality, but it will return some, possibly generated via libc's rand() call.
414 *
415 * • This function will never block: if the only way to get good randomness is a blocking,
416 * synchronous getrandom() we'll instead provide you with pseudo-random data.
417 *
418 * This function is hence great for things like seeding hash tables, generating random numeric UNIX
419 * user IDs (that are checked for collisions before use) and such.
420 *
421 * This function is hence not useful for generating UUIDs or cryptographic key material.
422 */
423
424 if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_MAY_FAIL|RANDOM_ALLOW_RDRAND|RANDOM_ALLOW_INSECURE) >= 0)
425 return;
426
427 /* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */
428 pseudo_random_bytes(p, n);
429 }
430
431 size_t random_pool_size(void) {
432 _cleanup_free_ char *s = NULL;
433 int r;
434
435 /* Read pool size, if possible */
436 r = read_one_line_file("/proc/sys/kernel/random/poolsize", &s);
437 if (r < 0)
438 log_debug_errno(r, "Failed to read pool size from kernel: %m");
439 else {
440 unsigned sz;
441
442 r = safe_atou(s, &sz);
443 if (r < 0)
444 log_debug_errno(r, "Failed to parse pool size: %s", s);
445 else
446 /* poolsize is in bits on 2.6, but we want bytes */
447 return CLAMP(sz / 8, RANDOM_POOL_SIZE_MIN, RANDOM_POOL_SIZE_MAX);
448 }
449
450 /* Use the minimum as default, if we can't retrieve the correct value */
451 return RANDOM_POOL_SIZE_MIN;
452 }
453
454 int random_write_entropy(int fd, const void *seed, size_t size, bool credit) {
455 int r;
456
457 assert(fd >= 0);
458 assert(seed && size > 0);
459
460 if (credit) {
461 _cleanup_free_ struct rand_pool_info *info = NULL;
462
463 /* The kernel API only accepts "int" as entropy count (which is in bits), let's avoid any
464 * chance for confusion here. */
465 if (size > INT_MAX / 8)
466 return -EOVERFLOW;
467
468 info = malloc(offsetof(struct rand_pool_info, buf) + size);
469 if (!info)
470 return -ENOMEM;
471
472 info->entropy_count = size * 8;
473 info->buf_size = size;
474 memcpy(info->buf, seed, size);
475
476 if (ioctl(fd, RNDADDENTROPY, info) < 0)
477 return -errno;
478 } else {
479 r = loop_write(fd, seed, size, false);
480 if (r < 0)
481 return r;
482 }
483
484 return 0;
485 }
Unnamed repository; edit this file 'description' to name the repository.