[thirdparty/systemd.git] / src / basic / random-util.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering
***/

#include <elf.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/random.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>

#if HAVE_SYS_AUXV_H
#  include <sys/auxv.h>
#endif

#if USE_SYS_RANDOM_H
#  include <sys/random.h>
#else
#  include <linux/random.h>
#endif

#include "fd-util.h"
#include "io-util.h"
#include "missing.h"
#include "random-util.h"
#include "time-util.h"

int acquire_random_bytes(void *p, size_t n, bool high_quality_required) {
        static int have_syscall = -1;

        _cleanup_close_ int fd = -1;
        unsigned already_done = 0;
        int r;

        /* Gathers some randomness from the kernel. This call will never block. If
         * high_quality_required, it will always return some data from the kernel,
         * regardless of whether the random pool is fully initialized or not.
         * Otherwise, it will return success if at least some random bytes were
         * successfully acquired, and an error if the kernel has no entropy whatsover
         * for us. */

        /* Use the getrandom() syscall unless we know we don't have it. */
        if (have_syscall != 0) {
                r = getrandom(p, n, GRND_NONBLOCK);
                if (r > 0) {
                        have_syscall = true;
                        if ((size_t) r == n)
                                return 0;
                        if (!high_quality_required) {
                                /* Fill in the remaining bytes using pseudorandom values */
                                pseudorandom_bytes((uint8_t*) p + r, n - r);
                                return 0;
                        }

                        already_done = r;
                } else if (errno == ENOSYS)
                          /* We lack the syscall, continue with reading from /dev/urandom. */
                          have_syscall = false;
                else if (errno == EAGAIN) {
                        /* The kernel has no entropy whatsoever. Let's remember to
                         * use the syscall the next time again though.
                         *
                         * If high_quality_required is false, return an error so that
                         * random_bytes() can produce some pseudorandom
                         * bytes. Otherwise, fall back to /dev/urandom, which we know
                         * is empty, but the kernel will produce some bytes for us on
                         * a best-effort basis. */
                        have_syscall = true;

                        if (!high_quality_required)
                                return -ENODATA;
                } else
                        return -errno;
        }

        fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
        if (fd < 0)
                return errno == ENOENT ? -ENOSYS : -errno;

        return loop_read_exact(fd, (uint8_t*) p + already_done, n - already_done, true);
}

void initialize_srand(void) {
        static bool srand_called = false;
        unsigned x;
#if HAVE_SYS_AUXV_H
        void *auxv;
#endif

        if (srand_called)
                return;

#if HAVE_SYS_AUXV_H
        /* The kernel provides us with 16 bytes of entropy in auxv, so let's
         * try to make use of that to seed the pseudo-random generator. It's
         * better than nothing... */

        auxv = (void*) getauxval(AT_RANDOM);
        if (auxv) {
                assert_cc(sizeof(x) <= 16);
                memcpy(&x, auxv, sizeof(x));
        } else
#endif
                x = 0;


        x ^= (unsigned) now(CLOCK_REALTIME);
        x ^= (unsigned) gettid();

        srand(x);
        srand_called = true;
}

/* INT_MAX gives us only 31 bits, so use 24 out of that. */
#if RAND_MAX >= INT_MAX
#  define RAND_STEP 3
#else
/* SHORT_INT_MAX or lower gives at most 15 bits, we just just 8 out of that. */
#  define RAND_STEP 1
#endif

void pseudorandom_bytes(void *p, size_t n) {
        uint8_t *q;

        initialize_srand();

        for (q = p; q < (uint8_t*) p + n; q += RAND_STEP) {
                unsigned rr;

                rr = (unsigned) rand();

#if RAND_STEP >= 3
                if ((size_t) (q - (uint8_t*) p + 2) < n)
                        q[2] = rr >> 16;
#endif
#if RAND_STEP >= 2
                if ((size_t) (q - (uint8_t*) p + 1) < n)
                        q[1] = rr >> 8;
#endif
                q[0] = rr;
        }
}

void random_bytes(void *p, size_t n) {
        int r;

        r = acquire_random_bytes(p, n, false);
        if (r >= 0)
                return;

        /* If some idiot made /dev/urandom unavailable to us, or the
         * kernel has no entropy, use a PRNG instead. */
        return pseudorandom_bytes(p, n);
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
3df3e884 RC	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2010 Lennart Poettering
3df3e884 RC	6	***/
3df3e884 RC	7
11c3a366	8	#include <elf.h>
3df3e884	9	#include <errno.h>
3df3e884	10	#include <fcntl.h>
dccca82b	11	#include <linux/random.h>
11c3a366	12	#include <stdbool.h>
dccca82b	13	#include <stdint.h>
11c3a366	14	#include <stdlib.h>
dccca82b	15	#include <string.h>
11c3a366	16	#include <sys/time.h>
11c3a366	17
349cc4a5	18	#if HAVE_SYS_AUXV_H
5224c2c7 ZJS	19	# include <sys/auxv.h>
	20	#endif
	21
349cc4a5	22	#if USE_SYS_RANDOM_H
5224c2c7 ZJS	23	# include <sys/random.h>
	24	#else
	25	# include <linux/random.h>
a67dab34	26	#endif
3df3e884	27
3ffd4af2	28	#include "fd-util.h"
c004493c	29	#include "io-util.h"
3ffd4af2	30	#include "missing.h"
3df3e884 RC	31	#include "random-util.h"
3df3e884 RC	32	#include "time-util.h"
3df3e884	33
f0d09059	34	int acquire_random_bytes(void *p, size_t n, bool high_quality_required) {
3df3e884 RC	35	static int have_syscall = -1;
	36
	37	_cleanup_close_ int fd = -1;
f0d09059	38	unsigned already_done = 0;
7b54715d	39	int r;
3df3e884	40
f0d09059 ZJS	41	/* Gathers some randomness from the kernel. This call will never block. If
	42	* high_quality_required, it will always return some data from the kernel,
	43	* regardless of whether the random pool is fully initialized or not.
	44	* Otherwise, it will return success if at least some random bytes were
	45	* successfully acquired, and an error if the kernel has no entropy whatsover
	46	* for us. */
3df3e884	47
f0d09059 ZJS	48	/* Use the getrandom() syscall unless we know we don't have it. */
f0d09059 ZJS	49	if (have_syscall != 0) {
3df3e884	50	r = getrandom(p, n, GRND_NONBLOCK);
f0d09059	51	if (r > 0) {
3df3e884	52	have_syscall = true;
7b54715d	53	if ((size_t) r == n)
f0d09059 ZJS	54	return 0;
f0d09059 ZJS	55	if (!high_quality_required) {
ed88a900	56	/* Fill in the remaining bytes using pseudorandom values */
f0d09059 ZJS	57	pseudorandom_bytes((uint8_t*) p + r, n - r);
	58	return 0;
	59	}
	60
	61	already_done = r;
	62	} else if (errno == ENOSYS)
	63	/* We lack the syscall, continue with reading from /dev/urandom. */
	64	have_syscall = false;
	65	else if (errno == EAGAIN) {
	66	/* The kernel has no entropy whatsoever. Let's remember to
	67	* use the syscall the next time again though.
	68	*
	69	* If high_quality_required is false, return an error so that
	70	* random_bytes() can produce some pseudorandom
	71	* bytes. Otherwise, fall back to /dev/urandom, which we know
	72	* is empty, but the kernel will produce some bytes for us on
	73	* a best-effort basis. */
	74	have_syscall = true;
	75
	76	if (!high_quality_required)
	77	return -ENODATA;
3df3e884	78	} else
f0d09059	79	return -errno;
3df3e884 RC	80	}
	81
	82	fd = open("/dev/urandom", O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
	83	if (fd < 0)
	84	return errno == ENOENT ? -ENOSYS : -errno;
	85
f0d09059	86	return loop_read_exact(fd, (uint8_t*) p + already_done, n - already_done, true);
3df3e884 RC	87	}
	88
	89	void initialize_srand(void) {
	90	static bool srand_called = false;
	91	unsigned x;
349cc4a5	92	#if HAVE_SYS_AUXV_H
3df3e884 RC	93	void *auxv;
	94	#endif
	95
	96	if (srand_called)
	97	return;
	98
349cc4a5	99	#if HAVE_SYS_AUXV_H
f0d09059 ZJS	100	/* The kernel provides us with 16 bytes of entropy in auxv, so let's
	101	* try to make use of that to seed the pseudo-random generator. It's
	102	* better than nothing... */
3df3e884 RC	103
3df3e884 RC	104	auxv = (void*) getauxval(AT_RANDOM);
ad6b1fa2	105	if (auxv) {
b5fa4c77	106	assert_cc(sizeof(x) <= 16);
ad6b1fa2 LP	107	memcpy(&x, auxv, sizeof(x));
ad6b1fa2 LP	108	} else
3df3e884	109	#endif
ad6b1fa2 LP	110	x = 0;
ad6b1fa2 LP	111
3df3e884 RC	112
	113	x ^= (unsigned) now(CLOCK_REALTIME);
	114	x ^= (unsigned) gettid();
	115
	116	srand(x);
	117	srand_called = true;
	118	}
	119
6a06b1a5 ZJS	120	/* INT_MAX gives us only 31 bits, so use 24 out of that. */
	121	#if RAND_MAX >= INT_MAX
	122	# define RAND_STEP 3
	123	#else
	124	/* SHORT_INT_MAX or lower gives at most 15 bits, we just just 8 out of that. */
	125	# define RAND_STEP 1
	126	#endif
	127
	128	void pseudorandom_bytes(void *p, size_t n) {
3df3e884	129	uint8_t *q;
6a06b1a5 ZJS	130
	131	initialize_srand();
	132
	133	for (q = p; q < (uint8_t*) p + n; q += RAND_STEP) {
	134	unsigned rr;
	135
	136	rr = (unsigned) rand();
	137
	138	#if RAND_STEP >= 3
7b54715d	139	if ((size_t) (q - (uint8_t*) p + 2) < n)
6a06b1a5 ZJS	140	q[2] = rr >> 16;
	141	#endif
	142	#if RAND_STEP >= 2
7b54715d	143	if ((size_t) (q - (uint8_t*) p + 1) < n)
6a06b1a5 ZJS	144	q[1] = rr >> 8;
	145	#endif
	146	q[0] = rr;
	147	}
	148	}
	149
	150	void random_bytes(void *p, size_t n) {
3df3e884 RC	151	int r;
3df3e884 RC	152
f0d09059	153	r = acquire_random_bytes(p, n, false);
3df3e884 RC	154	if (r >= 0)
	155	return;
	156
6a06b1a5 ZJS	157	/* If some idiot made /dev/urandom unavailable to us, or the
	158	* kernel has no entropy, use a PRNG instead. */
	159	return pseudorandom_bytes(p, n);
3df3e884	160	}