summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2018-11-08 13:33:02 +0100
committerGitHub <noreply@github.com>2018-11-08 13:33:02 +0100
commitabdcb688a8a82807cb5f864babdba91c859ac5f8 (patch)
tree864fd69e249a3bfb2626f1637538cde223369779
parent010c9a247d56add8c9c8ef644dfd5f609fc3eccb (diff)
parentcc83d5197ca08d68fa78167b6a64e9f28da3cc96 (diff)
downloadsystemd-abdcb688a8a82807cb5f864babdba91c859ac5f8.tar.gz
systemd-abdcb688a8a82807cb5f864babdba91c859ac5f8.tar.bz2
systemd-abdcb688a8a82807cb5f864babdba91c859ac5f8.zip
Merge pull request #10676 from poettering/rdrand-everywhere
prefer RDRAND over getrandom() and /dev/urandom when we don't need the very best randomness
Diffstat
-rw-r--r--src/basic/random-util.c167
-rw-r--r--src/basic/random-util.h14
-rw-r--r--src/firstboot/firstboot.c3
-rw-r--r--src/libsystemd/sd-id128/sd-id128.c4
-rw-r--r--src/test/test-random-util.c16
5 files changed, 130 insertions, 74 deletions
diff --git a/src/basic/random-util.c b/src/basic/random-util.c
index 071a41f186..8eb6acfbbf 100644
--- a/src/basic/random-util.c
+++ b/src/basic/random-util.c
@@ -65,77 +65,123 @@ int rdrand64(uint64_t *ret) {
#endif
}
-int acquire_random_bytes(void *p, size_t n, bool high_quality_required) {
+int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
static int have_syscall = -1;
-
_cleanup_close_ int fd = -1;
- size_t already_done = 0;
+ bool got_some = false;
int r;
- /* Gathers some randomness from the kernel. This call will never block. If
- * high_quality_required, it will always return some data from the kernel,
- * regardless of whether the random pool is fully initialized or not.
- * Otherwise, it will return success if at least some random bytes were
- * successfully acquired, and an error if the kernel has no entropy whatsover
- * for us. */
+ /* Gathers some randomness from the kernel (or the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't
+ * block, unless the RANDOM_BLOCK flag is set. If RANDOM_DONT_DRAIN is set, an error is returned if the random
+ * pool is not initialized. Otherwise it will always return some data from the kernel, regardless of whether
+ * the random pool is fully initialized or not. */
+
+ if (n == 0)
+ return 0;
+
+ if (FLAGS_SET(flags, RANDOM_ALLOW_RDRAND))
+ /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is not
+ * required, as we don't trust it (who does?). Note that we only do a single iteration of RDRAND here,
+ * even though the Intel docs suggest calling this in a tight loop of 10 invocations or so. That's
+ * because we don't really care about the quality here. We generally prefer using RDRAND if the caller
+ * allows us too, since this way we won't drain the kernel randomness pool if we don't need it, as the
+ * pool's entropy is scarce. */
+ for (;;) {
+ uint64_t u;
+ size_t m;
+
+ if (rdrand64(&u) < 0) {
+ if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
+ /* Fill in the remaining bytes using pseudo-random values */
+ pseudo_random_bytes(p, n);
+ return 0;
+ }
+
+ /* OK, this didn't work, let's go to getrandom() + /dev/urandom instead */
+ break;
+ }
+
+ m = MIN(sizeof(u), n);
+ memcpy(p, &u, m);
+
+ p = (uint8_t*) p + m;
+ n -= m;
+
+ if (n == 0)
+ return 0; /* Yay, success! */
+
+ got_some = true;
+ }
/* Use the getrandom() syscall unless we know we don't have it. */
if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) {
- r = getrandom(p, n, GRND_NONBLOCK);
- if (r > 0) {
- have_syscall = true;
- if ((size_t) r == n)
- return 0;
- if (!high_quality_required) {
- /* Fill in the remaining bytes using pseudorandom values */
- pseudorandom_bytes((uint8_t*) p + r, n - r);
- return 0;
- }
- already_done = r;
- } else if (errno == ENOSYS)
- /* We lack the syscall, continue with reading from /dev/urandom. */
- have_syscall = false;
- else if (errno == EAGAIN) {
- /* The kernel has no entropy whatsoever. Let's remember to
- * use the syscall the next time again though.
- *
- * If high_quality_required is false, return an error so that
- * random_bytes() can produce some pseudorandom
- * bytes. Otherwise, fall back to /dev/urandom, which we know
- * is empty, but the kernel will produce some bytes for us on
- * a best-effort basis. */
- have_syscall = true;
-
- if (!high_quality_required) {
- uint64_t u;
- size_t k;
-
- /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality
- * randomness is not required, as we don't trust it (who does?). Note that we only do a
- * single iteration of RDRAND here, even though the Intel docs suggest calling this in
- * a tight loop of 10 invocatins or so. That's because we don't really care about the
- * quality here. */
-
- if (rdrand64(&u) < 0)
+ for (;;) {
+ r = getrandom(p, n, FLAGS_SET(flags, RANDOM_BLOCK) ? 0 : GRND_NONBLOCK);
+ if (r > 0) {
+ have_syscall = true;
+
+ if ((size_t) r == n)
+ return 0; /* Yay, success! */
+
+ assert((size_t) r < n);
+ p = (uint8_t*) p + r;
+ n -= r;
+
+ if (FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
+ /* Fill in the remaining bytes using pseudo-random values */
+ pseudo_random_bytes(p, n);
+ return 0;
+ }
+
+ got_some = true;
+
+ /* Hmm, we didn't get enough good data but the caller insists on good data? Then try again */
+ if (FLAGS_SET(flags, RANDOM_BLOCK))
+ continue;
+
+ /* Fill in the rest with /dev/urandom */
+ break;
+
+ } else if (r == 0) {
+ have_syscall = true;
+ return -EIO;
+
+ } else if (errno == ENOSYS) {
+ /* We lack the syscall, continue with reading from /dev/urandom. */
+ have_syscall = false;
+ break;
+
+ } else if (errno == EAGAIN) {
+ /* The kernel has no entropy whatsoever. Let's remember to use the syscall the next
+ * time again though.
+ *
+ * If RANDOM_DONT_DRAIN is set, return an error so that random_bytes() can produce some
+ * pseudo-random bytes instead. Otherwise, fall back to /dev/urandom, which we know is empty,
+ * but the kernel will produce some bytes for us on a best-effort basis. */
+ have_syscall = true;
+
+ if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
+ /* Fill in the remaining bytes using pseudorandom values */
+ pseudo_random_bytes(p, n);
+ return 0;
+ }
+
+ if (FLAGS_SET(flags, RANDOM_DONT_DRAIN))
return -ENODATA;
- k = MIN(n, sizeof(u));
- memcpy(p, &u, k);
-
- /* We only get 64bit out of RDRAND, the rest let's fill up with pseudo-random crap. */
- pseudorandom_bytes((uint8_t*) p + k, n - k);
- return 0;
- }
- } else
- return -errno;
+ /* Use /dev/urandom instead */
+ break;
+ } else
+ return -errno;
+ }
}
fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
if (fd < 0)
return errno == ENOENT ? -ENOSYS : -errno;
- return loop_read_exact(fd, (uint8_t*) p + already_done, n - already_done, true);
+ return loop_read_exact(fd, p, n, true);
}
void initialize_srand(void) {
@@ -180,7 +226,7 @@ void initialize_srand(void) {
# define RAND_STEP 1
#endif
-void pseudorandom_bytes(void *p, size_t n) {
+void pseudo_random_bytes(void *p, size_t n) {
uint8_t *q;
initialize_srand();
@@ -203,13 +249,10 @@ void pseudorandom_bytes(void *p, size_t n) {
}
void random_bytes(void *p, size_t n) {
- int r;
- r = acquire_random_bytes(p, n, false);
- if (r >= 0)
+ if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_DONT_DRAIN|RANDOM_ALLOW_RDRAND) >= 0)
return;
- /* If some idiot made /dev/urandom unavailable to us, or the
- * kernel has no entropy, use a PRNG instead. */
- return pseudorandom_bytes(p, n);
+ /* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */
+ pseudo_random_bytes(p, n);
}
diff --git a/src/basic/random-util.h b/src/basic/random-util.h
index affcc9ac1d..7a960cf9e7 100644
--- a/src/basic/random-util.h
+++ b/src/basic/random-util.h
@@ -5,9 +5,17 @@
#include <stddef.h>
#include <stdint.h>
-int acquire_random_bytes(void *p, size_t n, bool high_quality_required);
-void pseudorandom_bytes(void *p, size_t n);
-void random_bytes(void *p, size_t n);
+typedef enum RandomFlags {
+ RANDOM_EXTEND_WITH_PSEUDO = 1 << 0, /* If we can't get enough genuine randomness, but some, fill up the rest with pseudo-randomness */
+ RANDOM_BLOCK = 1 << 1, /* Rather block than return crap randomness (only if the kernel supports that) */
+ RANDOM_DONT_DRAIN = 1 << 2, /* If we can't get any randomness at all, return early with -EAGAIN */
+ RANDOM_ALLOW_RDRAND = 1 << 3, /* Allow usage of the CPU RNG */
+} RandomFlags;
+
+int genuine_random_bytes(void *p, size_t n, RandomFlags flags); /* returns "genuine" randomness, optionally filled upwith pseudo random, if not enough is available */
+void pseudo_random_bytes(void *p, size_t n); /* returns only pseudo-randommess (but possibly seeded from something better) */
+void random_bytes(void *p, size_t n); /* returns genuine randomness if cheaply available, and pseudo randomness if not. */
+
void initialize_srand(void);
static inline uint64_t random_u64(void) {
diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
index c5deb66edf..d8b5893f76 100644
--- a/src/firstboot/firstboot.c
+++ b/src/firstboot/firstboot.c
@@ -647,7 +647,8 @@ static int process_root_password(void) {
if (!arg_root_password)
return 0;
- r = acquire_random_bytes(raw, 16, true);
+ /* Insist on the best randomness by setting RANDOM_BLOCK, this is about keeping passwords secret after all. */
+ r = genuine_random_bytes(raw, 16, RANDOM_BLOCK);
if (r < 0)
return log_error_errno(r, "Failed to get salt: %m");
diff --git a/src/libsystemd/sd-id128/sd-id128.c b/src/libsystemd/sd-id128/sd-id128.c
index b7cca832d8..3593a71c02 100644
--- a/src/libsystemd/sd-id128/sd-id128.c
+++ b/src/libsystemd/sd-id128/sd-id128.c
@@ -272,7 +272,9 @@ _public_ int sd_id128_randomize(sd_id128_t *ret) {
assert_return(ret, -EINVAL);
- r = acquire_random_bytes(&t, sizeof t, true);
+ /* We allow usage if x86-64 RDRAND here. It might not be trusted enough for keeping secrets, but it should be
+ * fine for UUIDS. */
+ r = genuine_random_bytes(&t, sizeof t, RANDOM_ALLOW_RDRAND);
if (r < 0)
return r;
diff --git a/src/test/test-random-util.c b/src/test/test-random-util.c
index 9652a0af05..a59c6374b2 100644
--- a/src/test/test-random-util.c
+++ b/src/test/test-random-util.c
@@ -5,14 +5,14 @@
#include "log.h"
#include "tests.h"
-static void test_acquire_random_bytes(bool high_quality_required) {
+static void test_genuine_random_bytes(RandomFlags flags) {
uint8_t buf[16] = {};
unsigned i;
log_info("/* %s */", __func__);
for (i = 1; i < sizeof buf; i++) {
- assert_se(acquire_random_bytes(buf, i, high_quality_required) == 0);
+ assert_se(genuine_random_bytes(buf, i, flags) == 0);
if (i + 1 < sizeof buf)
assert_se(buf[i] == 0);
@@ -20,14 +20,14 @@ static void test_acquire_random_bytes(bool high_quality_required) {
}
}
-static void test_pseudorandom_bytes(void) {
+static void test_pseudo_random_bytes(void) {
uint8_t buf[16] = {};
unsigned i;
log_info("/* %s */", __func__);
for (i = 1; i < sizeof buf; i++) {
- pseudorandom_bytes(buf, i);
+ pseudo_random_bytes(buf, i);
if (i + 1 < sizeof buf)
assert_se(buf[i] == 0);
@@ -54,10 +54,12 @@ static void test_rdrand64(void) {
int main(int argc, char **argv) {
test_setup_logging(LOG_DEBUG);
- test_acquire_random_bytes(false);
- test_acquire_random_bytes(true);
+ test_genuine_random_bytes(RANDOM_EXTEND_WITH_PSEUDO);
+ test_genuine_random_bytes(0);
+ test_genuine_random_bytes(RANDOM_BLOCK);
+ test_genuine_random_bytes(RANDOM_ALLOW_RDRAND);
- test_pseudorandom_bytes();
+ test_pseudo_random_bytes();
test_rdrand64();
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-15 04:16:52 +0000