]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/random-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
random-util: rename "err" to "success"
[thirdparty/systemd.git] / src / basic / random-util.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #if defined(__i386__) || defined(__x86_64__)
4 #include <cpuid.h>
5 #endif
6
7 #include <elf.h>
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <stdbool.h>
11 #include <stdint.h>
12 #include <stdlib.h>
13 #include <string.h>
14 #include <sys/time.h>
15
16 #if HAVE_SYS_AUXV_H
17 # include <sys/auxv.h>
18 #endif
19
20 #if USE_SYS_RANDOM_H
21 # include <sys/random.h>
22 #else
23 # include <linux/random.h>
24 #endif
25
26 #include "alloc-util.h"
27 #include "fd-util.h"
28 #include "io-util.h"
29 #include "missing.h"
30 #include "random-util.h"
31 #include "siphash24.h"
32 #include "time-util.h"
33
34 int rdrand(unsigned long *ret) {
35
36 #if defined(__i386__) || defined(__x86_64__)
37 static int have_rdrand = -1;
38 uint8_t success;
39
40 if (have_rdrand < 0) {
41 uint32_t eax, ebx, ecx, edx;
42
43 /* Check if RDRAND is supported by the CPU */
44 if (__get_cpuid(1, &eax, &ebx, &ecx, &edx) == 0) {
45 have_rdrand = false;
46 return -EOPNOTSUPP;
47 }
48
49 /* Compat with old gcc where bit_RDRND didn't exist yet */
50 #ifndef bit_RDRND
51 #define bit_RDRND (1U << 30)
52 #endif
53
54 have_rdrand = !!(ecx & bit_RDRND);
55 }
56
57 if (have_rdrand == 0)
58 return -EOPNOTSUPP;
59
60 asm volatile("rdrand %0;"
61 "setc %1"
62 : "=r" (*ret),
63 "=qm" (success));
64 msan_unpoison(&success, sizeof(sucess));
65 if (!success)
66 return -EAGAIN;
67
68 return 0;
69 #else
70 return -EOPNOTSUPP;
71 #endif
72 }
73
74 int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
75 static int have_syscall = -1;
76 _cleanup_close_ int fd = -1;
77 bool got_some = false;
78 int r;
79
80 /* Gathers some randomness from the kernel (or the CPU if the RANDOM_ALLOW_RDRAND flag is set). This
81 * call won't block, unless the RANDOM_BLOCK flag is set. If RANDOM_MAY_FAIL is set, an error is
82 * returned if the random pool is not initialized. Otherwise it will always return some data from the
83 * kernel, regardless of whether the random pool is fully initialized or not. */
84
85 if (n == 0)
86 return 0;
87
88 if (FLAGS_SET(flags, RANDOM_ALLOW_RDRAND))
89 /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is
90 * not required, as we don't trust it (who does?). Note that we only do a single iteration of
91 * RDRAND here, even though the Intel docs suggest calling this in a tight loop of 10
92 * invocations or so. That's because we don't really care about the quality here. We
93 * generally prefer using RDRAND if the caller allows us to, since this way we won't upset
94 * the kernel's random subsystem by accessing it before the pool is initialized (after all it
95 * will kmsg log about every attempt to do so)..*/
96 for (;;) {
97 unsigned long u;
98 size_t m;
99
100 if (rdrand(&u) < 0) {
101 if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
102 /* Fill in the remaining bytes using pseudo-random values */
103 pseudo_random_bytes(p, n);
104 return 0;
105 }
106
107 /* OK, this didn't work, let's go to getrandom() + /dev/urandom instead */
108 break;
109 }
110
111 m = MIN(sizeof(u), n);
112 memcpy(p, &u, m);
113
114 p = (uint8_t*) p + m;
115 n -= m;
116
117 if (n == 0)
118 return 0; /* Yay, success! */
119
120 got_some = true;
121 }
122
123 /* Use the getrandom() syscall unless we know we don't have it. */
124 if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) {
125
126 for (;;) {
127 r = getrandom(p, n, FLAGS_SET(flags, RANDOM_BLOCK) ? 0 : GRND_NONBLOCK);
128 if (r > 0) {
129 have_syscall = true;
130
131 if ((size_t) r == n)
132 return 0; /* Yay, success! */
133
134 assert((size_t) r < n);
135 p = (uint8_t*) p + r;
136 n -= r;
137
138 if (FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
139 /* Fill in the remaining bytes using pseudo-random values */
140 pseudo_random_bytes(p, n);
141 return 0;
142 }
143
144 got_some = true;
145
146 /* Hmm, we didn't get enough good data but the caller insists on good data? Then try again */
147 if (FLAGS_SET(flags, RANDOM_BLOCK))
148 continue;
149
150 /* Fill in the rest with /dev/urandom */
151 break;
152
153 } else if (r == 0) {
154 have_syscall = true;
155 return -EIO;
156
157 } else if (errno == ENOSYS) {
158 /* We lack the syscall, continue with reading from /dev/urandom. */
159 have_syscall = false;
160 break;
161
162 } else if (errno == EAGAIN) {
163 /* The kernel has no entropy whatsoever. Let's remember to use the syscall
164 * the next time again though.
165 *
166 * If RANDOM_MAY_FAIL is set, return an error so that random_bytes() can
167 * produce some pseudo-random bytes instead. Otherwise, fall back to
168 * /dev/urandom, which we know is empty, but the kernel will produce some
169 * bytes for us on a best-effort basis. */
170 have_syscall = true;
171
172 if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
173 /* Fill in the remaining bytes using pseudorandom values */
174 pseudo_random_bytes(p, n);
175 return 0;
176 }
177
178 if (FLAGS_SET(flags, RANDOM_MAY_FAIL))
179 return -ENODATA;
180
181 /* Use /dev/urandom instead */
182 break;
183 } else
184 return -errno;
185 }
186 }
187
188 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
189 if (fd < 0)
190 return errno == ENOENT ? -ENOSYS : -errno;
191
192 return loop_read_exact(fd, p, n, true);
193 }
194
195 void initialize_srand(void) {
196 static bool srand_called = false;
197 unsigned x;
198 #if HAVE_SYS_AUXV_H
199 const void *auxv;
200 #endif
201 unsigned long k;
202
203 if (srand_called)
204 return;
205
206 #if HAVE_SYS_AUXV_H
207 /* The kernel provides us with 16 bytes of entropy in auxv, so let's try to make use of that to seed
208 * the pseudo-random generator. It's better than nothing... But let's first hash it to make it harder
209 * to recover the original value by watching any pseudo-random bits we generate. After all the
210 * AT_RANDOM data might be used by other stuff too (in particular: ASLR), and we probably shouldn't
211 * leak the seed for that. */
212
213 auxv = ULONG_TO_PTR(getauxval(AT_RANDOM));
214 if (auxv) {
215 static const uint8_t auxval_hash_key[16] = {
216 0x92, 0x6e, 0xfe, 0x1b, 0xcf, 0x00, 0x52, 0x9c, 0xcc, 0x42, 0xcf, 0xdc, 0x94, 0x1f, 0x81, 0x0f
217 };
218
219 x = (unsigned) siphash24(auxv, 16, auxval_hash_key);
220 } else
221 #endif
222 x = 0;
223
224 x ^= (unsigned) now(CLOCK_REALTIME);
225 x ^= (unsigned) gettid();
226
227 if (rdrand(&k) >= 0)
228 x ^= (unsigned) k;
229
230 srand(x);
231 srand_called = true;
232 }
233
234 /* INT_MAX gives us only 31 bits, so use 24 out of that. */
235 #if RAND_MAX >= INT_MAX
236 # define RAND_STEP 3
237 #else
238 /* SHORT_INT_MAX or lower gives at most 15 bits, we just just 8 out of that. */
239 # define RAND_STEP 1
240 #endif
241
242 void pseudo_random_bytes(void *p, size_t n) {
243 uint8_t *q;
244
245 initialize_srand();
246
247 for (q = p; q < (uint8_t*) p + n; q += RAND_STEP) {
248 unsigned rr;
249
250 rr = (unsigned) rand();
251
252 #if RAND_STEP >= 3
253 if ((size_t) (q - (uint8_t*) p + 2) < n)
254 q[2] = rr >> 16;
255 #endif
256 #if RAND_STEP >= 2
257 if ((size_t) (q - (uint8_t*) p + 1) < n)
258 q[1] = rr >> 8;
259 #endif
260 q[0] = rr;
261 }
262 }
263
264 void random_bytes(void *p, size_t n) {
265
266 if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_MAY_FAIL|RANDOM_ALLOW_RDRAND) >= 0)
267 return;
268
269 /* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */
270 pseudo_random_bytes(p, n);
271 }
Unnamed repository; edit this file 'description' to name the repository.