1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #if defined(__i386__) || defined(__x86_64__)
17 # include <sys/auxv.h>
21 # include <sys/random.h>
23 # include <linux/random.h>
26 #include "alloc-util.h"
30 #include "random-util.h"
31 #include "time-util.h"
33 int rdrand(unsigned long *ret
) {
35 #if defined(__i386__) || defined(__x86_64__)
36 static int have_rdrand
= -1;
39 if (have_rdrand
< 0) {
40 uint32_t eax
, ebx
, ecx
, edx
;
42 /* Check if RDRAND is supported by the CPU */
43 if (__get_cpuid(1, &eax
, &ebx
, &ecx
, &edx
) == 0) {
48 have_rdrand
= !!(ecx
& (1U << 30));
54 asm volatile("rdrand %0;"
58 msan_unpoison(&err
, sizeof(err
));
68 int genuine_random_bytes(void *p
, size_t n
, RandomFlags flags
) {
69 static int have_syscall
= -1;
70 _cleanup_close_
int fd
= -1;
71 bool got_some
= false;
74 /* Gathers some randomness from the kernel (or the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't
75 * block, unless the RANDOM_BLOCK flag is set. If RANDOM_DONT_DRAIN is set, an error is returned if the random
76 * pool is not initialized. Otherwise it will always return some data from the kernel, regardless of whether
77 * the random pool is fully initialized or not. */
82 if (FLAGS_SET(flags
, RANDOM_ALLOW_RDRAND
))
83 /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is not
84 * required, as we don't trust it (who does?). Note that we only do a single iteration of RDRAND here,
85 * even though the Intel docs suggest calling this in a tight loop of 10 invocations or so. That's
86 * because we don't really care about the quality here. We generally prefer using RDRAND if the caller
87 * allows us too, since this way we won't drain the kernel randomness pool if we don't need it, as the
88 * pool's entropy is scarce. */
94 if (got_some
&& FLAGS_SET(flags
, RANDOM_EXTEND_WITH_PSEUDO
)) {
95 /* Fill in the remaining bytes using pseudo-random values */
96 pseudo_random_bytes(p
, n
);
100 /* OK, this didn't work, let's go to getrandom() + /dev/urandom instead */
104 m
= MIN(sizeof(u
), n
);
107 p
= (uint8_t*) p
+ m
;
111 return 0; /* Yay, success! */
116 /* Use the getrandom() syscall unless we know we don't have it. */
117 if (have_syscall
!= 0 && !HAS_FEATURE_MEMORY_SANITIZER
) {
120 r
= getrandom(p
, n
, FLAGS_SET(flags
, RANDOM_BLOCK
) ? 0 : GRND_NONBLOCK
);
125 return 0; /* Yay, success! */
127 assert((size_t) r
< n
);
128 p
= (uint8_t*) p
+ r
;
131 if (FLAGS_SET(flags
, RANDOM_EXTEND_WITH_PSEUDO
)) {
132 /* Fill in the remaining bytes using pseudo-random values */
133 pseudo_random_bytes(p
, n
);
139 /* Hmm, we didn't get enough good data but the caller insists on good data? Then try again */
140 if (FLAGS_SET(flags
, RANDOM_BLOCK
))
143 /* Fill in the rest with /dev/urandom */
150 } else if (errno
== ENOSYS
) {
151 /* We lack the syscall, continue with reading from /dev/urandom. */
152 have_syscall
= false;
155 } else if (errno
== EAGAIN
) {
156 /* The kernel has no entropy whatsoever. Let's remember to use the syscall the next
159 * If RANDOM_DONT_DRAIN is set, return an error so that random_bytes() can produce some
160 * pseudo-random bytes instead. Otherwise, fall back to /dev/urandom, which we know is empty,
161 * but the kernel will produce some bytes for us on a best-effort basis. */
164 if (got_some
&& FLAGS_SET(flags
, RANDOM_EXTEND_WITH_PSEUDO
)) {
165 /* Fill in the remaining bytes using pseudorandom values */
166 pseudo_random_bytes(p
, n
);
170 if (FLAGS_SET(flags
, RANDOM_DONT_DRAIN
))
173 /* Use /dev/urandom instead */
180 fd
= open("/dev/urandom", O_RDONLY
|O_CLOEXEC
|O_NOCTTY
);
182 return errno
== ENOENT
? -ENOSYS
: -errno
;
184 return loop_read_exact(fd
, p
, n
, true);
187 void initialize_srand(void) {
188 static bool srand_called
= false;
199 /* The kernel provides us with 16 bytes of entropy in auxv, so let's
200 * try to make use of that to seed the pseudo-random generator. It's
201 * better than nothing... */
203 auxv
= (const void*) getauxval(AT_RANDOM
);
205 assert_cc(sizeof(x
) <= 16);
206 memcpy(&x
, auxv
, sizeof(x
));
211 x
^= (unsigned) now(CLOCK_REALTIME
);
212 x
^= (unsigned) gettid();
221 /* INT_MAX gives us only 31 bits, so use 24 out of that. */
222 #if RAND_MAX >= INT_MAX
225 /* SHORT_INT_MAX or lower gives at most 15 bits, we just just 8 out of that. */
229 void pseudo_random_bytes(void *p
, size_t n
) {
234 for (q
= p
; q
< (uint8_t*) p
+ n
; q
+= RAND_STEP
) {
237 rr
= (unsigned) rand();
240 if ((size_t) (q
- (uint8_t*) p
+ 2) < n
)
244 if ((size_t) (q
- (uint8_t*) p
+ 1) < n
)
251 void random_bytes(void *p
, size_t n
) {
253 if (genuine_random_bytes(p
, n
, RANDOM_EXTEND_WITH_PSEUDO
|RANDOM_DONT_DRAIN
|RANDOM_ALLOW_RDRAND
) >= 0)
256 /* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */
257 pseudo_random_bytes(p
, n
);