Systemd/src/basic/random-util.h

/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef enum RandomFlags {
        RANDOM_EXTEND_WITH_PSEUDO = 1 << 0, /* If we can't get enough genuine randomness, but some, fill up the rest with pseudo-randomness */
        RANDOM_BLOCK              = 1 << 1, /* Rather block than return crap randomness (only if the kernel supports that) */
        RANDOM_MAY_FAIL           = 1 << 2, /* If we can't get any randomness at all, return early with -ENODATA */
        RANDOM_ALLOW_RDRAND       = 1 << 3, /* Allow usage of the CPU RNG */
        RANDOM_ALLOW_INSECURE     = 1 << 4, /* Allow usage of GRND_INSECURE flag to kernel's getrandom() API */
} RandomFlags;

int genuine_random_bytes(void *p, size_t n, RandomFlags flags); /* returns "genuine" randomness, optionally filled up with pseudo random, if not enough is available */
void pseudo_random_bytes(void *p, size_t n);                    /* returns only pseudo-randommess (but possibly seeded from something better) */
void random_bytes(void *p, size_t n);                           /* returns genuine randomness if cheaply available, and pseudo randomness if not. */

void initialize_srand(void);

static inline uint64_t random_u64(void) {
        uint64_t u;
        random_bytes(&u, sizeof(u));
        return u;
}

static inline uint32_t random_u32(void) {
        uint32_t u;
        random_bytes(&u, sizeof(u));
        return u;
}

int rdrand(unsigned long *ret);

/* Some limits on the pool sizes when we deal with the kernel random pool */
#define RANDOM_POOL_SIZE_MIN 512U
#define RANDOM_POOL_SIZE_MAX (10U*1024U*1024U)

size_t random_pool_size(void);

int random_write_entropy(int fd, const void *seed, size_t size, bool credit);
license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 05:23:58 +01:00			`/* SPDX-License-Identifier: LGPL-2.1-or-later */`
shared: add random-util.[ch] 2015-04-10 22:27:10 +02:00			`#pragma once`

basic/random-util: do not fall back to /dev/urandom if getrandom() returns short During early boot, we'd call getrandom(), and immediately fall back to reading from /dev/urandom unless we got the full requested number of bytes. Those two sources are the same, so the most likely result is /dev/urandom producing some pseudorandom numbers for us, complaining widely on the way. Let's change our behaviour to be more conservative: - if the numbers are only used to initialize a hash table, a short read is OK, we don't really care if we get the first part of the seed truly random and then some pseudorandom bytes. So just do that and return "success". - if getrandom() returns -EAGAIN, fall back to rand() instead of querying /dev/urandom again. The idea with those two changes is to avoid generating a warning about reading from an /dev/urandom when the kernel doesn't have enough entropy. - only in the cases where we really need to make the best effort possible (sd_id128_randomize and firstboot password hashing), fall back to /dev/urandom. When calling getrandom(), drop the checks whether the argument fits in an int — getrandom() should do that for us already, and we call it with small arguments only anyway. Note that this does not really change the (relatively high) number of random bytes we request from the kernel. On my laptop, during boot, PID 1 and all other processes using this code through libsystemd request: 74780 bytes with high_quality_required == false 464 bytes with high_quality_required == true and it does not eliminate reads from /dev/urandom completely. If the kernel was short on entropy and getrandom() would fail, we would fall back to /dev/urandom for those 464 bytes. When falling back to /dev/urandom, don't lose the short read we already got, and just read the remaining bytes. If getrandom() syscall is not available, we fall back to /dev/urandom same as before. Fixes #4167 (possibly partially, let's see). 2017-06-25 23:09:05 +02:00			`#include <stdbool.h>`
basic: include only what we use This is a cleaned up result of running iwyu but without forward declarations on src/basic. 2015-11-30 21:43:37 +01:00			`#include <stddef.h>`
shared: add random-util.[ch] 2015-04-10 22:27:10 +02:00			`#include <stdint.h>`

random-util: change high_quality_required bool parameter into a flags parameter No change in behaviour, just some refactoring. 2018-11-07 18:40:26 +01:00			`typedef enum RandomFlags {`
			`RANDOM_EXTEND_WITH_PSEUDO = 1 << 0, /* If we can't get enough genuine randomness, but some, fill up the rest with pseudo-randomness */`
random-util: optionally enable blocking getrandom() behaviour When generating the salt for the firstboot password logic, let's use getrandom() blocking mode, and insist in the very best entropy. 2018-11-07 19:04:04 +01:00			`RANDOM_BLOCK = 1 << 1, /* Rather block than return crap randomness (only if the kernel supports that) */`
random-util: rename RANDOM_DONT_DRAIN → RANDOM_MAY_FAIL The old flag name was a bit of a misnomer, as /dev/urandom cannot be "drained". Once it's initialized it's initialized and then is good forever. (Only /dev/random has a concept of 'draining', but we never use that, as it's an obsolete interface). The flag is still useful though, since it allows us to suppress accesses to the random pool while it is not initialized, as that trips up the kernel and it logs about any such attempts, which we really don't want. 2019-05-07 22:18:13 +02:00			`RANDOM_MAY_FAIL = 1 << 2, /* If we can't get any randomness at all, return early with -ENODATA */`
random-util: optionally allow randomness to be generated via RDRAND We only use this when we don't require the best randomness. The primary usecase for this is UUID generation, as this means we don't drain randomness from the kernel pool for them. Since UUIDs are usually not secrets RDRAND should be goot enough for them to avoid real-life collisions. 2018-11-07 19:46:18 +01:00			`RANDOM_ALLOW_RDRAND = 1 << 3, /* Allow usage of the CPU RNG */`
random-util: make use of GRND_INSECURE when it is defined kernel 5.6 added support for a new flag for getrandom(): GRND_INSECURE. If we set it we can get some random data out of the kernel random pool, even if it is not yet initializated. This is great for us to initialize hash table seeds and such, where it is OK if they are crap initially. We used RDRAND for these cases so far, but RDRAND is only available on newer CPUs and some archs. Let's now use GRND_INSECURE for these cases as well, which means we won't needlessly delay boot anymore even on archs/CPUs that do not have RDRAND. Of course we never set this flag when generating crypto keys or uuids. Which makes it different from RDRAND for us (and is the reason I think we should keep explicit RDRAND support in): RDRAND we don't trust enough for crypto keys. But we do trust it enough for UUIDs. 2020-05-10 11:15:16 +02:00			`RANDOM_ALLOW_INSECURE = 1 << 4, /* Allow usage of GRND_INSECURE flag to kernel's getrandom() API */`
random-util: change high_quality_required bool parameter into a flags parameter No change in behaviour, just some refactoring. 2018-11-07 18:40:26 +01:00			`} RandomFlags;`

random-util: rename RANDOM_DONT_DRAIN → RANDOM_MAY_FAIL The old flag name was a bit of a misnomer, as /dev/urandom cannot be "drained". Once it's initialized it's initialized and then is good forever. (Only /dev/random has a concept of 'draining', but we never use that, as it's an obsolete interface). The flag is still useful though, since it allows us to suppress accesses to the random pool while it is not initialized, as that trips up the kernel and it logs about any such attempts, which we really don't want. 2019-05-07 22:18:13 +02:00			`int genuine_random_bytes(void p, size_t n, RandomFlags flags); / returns "genuine" randomness, optionally filled up with pseudo random, if not enough is available */`
random-util: change high_quality_required bool parameter into a flags parameter No change in behaviour, just some refactoring. 2018-11-07 18:40:26 +01:00			`void pseudo_random_bytes(void p, size_t n); / returns only pseudo-randommess (but possibly seeded from something better) */`
			`void random_bytes(void p, size_t n); / returns genuine randomness if cheaply available, and pseudo randomness if not. */`
random-util: rename acquire_random_bytes() → genuine_random_bytes() It's more descriptive, since we also have a function random_bytes() which sounds very similar. Also rename pseudorandom_bytes() to pseudo_random_bytes(). This way the two functions are nicely systematic, one returning genuine random bytes and the other pseudo random ones. 2018-11-07 18:27:57 +01:00
shared: add random-util.[ch] 2015-04-10 22:27:10 +02:00			`void initialize_srand(void);`

			`static inline uint64_t random_u64(void) {`
			`uint64_t u;`
			`random_bytes(&u, sizeof(u));`
			`return u;`
			`}`

			`static inline uint32_t random_u32(void) {`
			`uint32_t u;`
			`random_bytes(&u, sizeof(u));`
			`return u;`
			`}`
random-util: use RDRAND for randomness if the kernel doesn't want to give us any Pretty much all intel cpus have had RDRAND in a long time. While CPU-internal RNG are widely not trusted, for seeding hash tables it's perfectly OK to use: we don't high quality entropy in that case, hence let's use it. This is only hooked up with 'high_quality_required' is false. If we require high quality entropy the kernel is the only source we should use. 2018-07-26 10:42:01 +02:00
random-util: allow RDRAND to be used in 32-bit x86 binaries Rename rdrand64 to rdrand, and switch from uint64_t to unsigned long. This produces code that will compile/assemble on both x86-64 and x86-32. This could be useful when running a 32-bit copy of systemd on a modern Intel processor. RDRAND is inherently arch-specific, so relying on the compiler-defined 'long' type seems reasonable. 2018-11-08 15:47:16 +01:00			`int rdrand(unsigned long *ret);`
random-seed: move pool size determination to random-util.[ch] That way we can reuse it elsewhere. 2019-07-19 19:34:10 +02:00
			`/* Some limits on the pool sizes when we deal with the kernel random pool */`
			`#define RANDOM_POOL_SIZE_MIN 512U`
			`#define RANDOM_POOL_SIZE_MAX (10U1024U1024U)`

			`size_t random_pool_size(void);`
random-util: add common helper random_write_entropy() for crediting entropy to the kernel's pool 2020-06-11 09:53:29 +02:00
			`int random_write_entropy(int fd, const void *seed, size_t size, bool credit);`