From 61bd7d1ed595a98e5fbfeb75b530539c4834f6a4 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Sat, 28 Nov 2020 15:24:44 +0100
Subject: [PATCH] random-util: open /dev/urandom implicitly in
 random_write_entropy() if needed

---
 src/basic/random-util.c  | 17 ++++++++++++++---
 src/core/efi-random.c    |  7 +------
 src/core/main.c          |  9 +--------
 src/shared/pkcs11-util.c |  7 +------
 4 files changed, 17 insertions(+), 23 deletions(-)

diff --git a/src/basic/random-util.c b/src/basic/random-util.c
index c8c34a2034..c831f06dac 100644
--- a/src/basic/random-util.c
+++ b/src/basic/random-util.c
@@ -452,10 +452,21 @@ size_t random_pool_size(void) {
 }
 
 int random_write_entropy(int fd, const void *seed, size_t size, bool credit) {
+        _cleanup_close_ int opened_fd = -1;
         int r;
 
-        assert(fd >= 0);
-        assert(seed && size > 0);
+        assert(seed || size == 0);
+
+        if (size == 0)
+                return 0;
+
+        if (fd < 0) {
+                opened_fd = open("/dev/urandom", O_WRONLY|O_CLOEXEC|O_NOCTTY);
+                if (opened_fd < 0)
+                        return -errno;
+
+                fd = opened_fd;
+        }
 
         if (credit) {
                 _cleanup_free_ struct rand_pool_info *info = NULL;
@@ -481,5 +492,5 @@ int random_write_entropy(int fd, const void *seed, size_t size, bool credit) {
                         return r;
         }
 
-        return 0;
+        return 1;
 }
diff --git a/src/core/efi-random.c b/src/core/efi-random.c
index 2bc74fab98..94e138b35b 100644
--- a/src/core/efi-random.c
+++ b/src/core/efi-random.c
@@ -43,7 +43,6 @@ static void lock_down_efi_variables(void) {
 
 int efi_take_random_seed(void) {
         _cleanup_free_ void *value = NULL;
-        _cleanup_close_ int random_fd = -1;
         size_t size;
         int r;
 
@@ -77,17 +76,13 @@ int efi_take_random_seed(void) {
         if (size == 0)
                 return log_warning_errno(SYNTHETIC_ERRNO(EINVAL), "Random seed passed from boot loader has zero size? Ignoring.");
 
-        random_fd = open("/dev/urandom", O_WRONLY|O_CLOEXEC|O_NOCTTY);
-        if (random_fd < 0)
-                return log_warning_errno(errno, "Failed to open /dev/urandom for writing, ignoring: %m");
-
         /* Before we use the seed, let's mark it as used, so that we never credit it twice. Also, it's a nice
          * way to let users known that we successfully acquired entropy from the boot laoder. */
         r = touch("/run/systemd/efi-random-seed-taken");
         if (r < 0)
                 return log_warning_errno(r, "Unable to mark EFI random seed as used, not using it: %m");
 
-        r = random_write_entropy(random_fd, value, size, true);
+        r = random_write_entropy(-1, value, size, true);
         if (r < 0)
                 return log_warning_errno(errno, "Failed to credit entropy, ignoring: %m");
 
diff --git a/src/core/main.c b/src/core/main.c
index 9cb6afcd82..ef4d03750f 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1605,7 +1605,6 @@ static void apply_clock_update(void) {
 }
 
 static void cmdline_take_random_seed(void) {
-        _cleanup_close_ int random_fd = -1;
         size_t suggested;
         int r;
 
@@ -1622,13 +1621,7 @@ static void cmdline_take_random_seed(void) {
                 log_warning("Random seed specified on kernel command line has size %zu, but %zu bytes required to fill entropy pool.",
                             arg_random_seed_size, suggested);
 
-        random_fd = open("/dev/urandom", O_WRONLY|O_CLOEXEC|O_NOCTTY);
-        if (random_fd < 0) {
-                log_warning_errno(errno, "Failed to open /dev/urandom for writing, ignoring: %m");
-                return;
-        }
-
-        r = random_write_entropy(random_fd, arg_random_seed, arg_random_seed_size, true);
+        r = random_write_entropy(-1, arg_random_seed, arg_random_seed_size, true);
         if (r < 0) {
                 log_warning_errno(r, "Failed to credit entropy specified on kernel command line, ignoring: %m");
                 return;
diff --git a/src/shared/pkcs11-util.c b/src/shared/pkcs11-util.c
index e74f0be260..078a86ec32 100644
--- a/src/shared/pkcs11-util.c
+++ b/src/shared/pkcs11-util.c
@@ -671,7 +671,6 @@ int pkcs11_token_acquire_rng(
                 CK_SESSION_HANDLE session) {
 
         _cleanup_free_ void *buffer = NULL;
-        _cleanup_close_ int fd = -1;
         size_t rps;
         CK_RV rv;
         int r;
@@ -696,11 +695,7 @@ int pkcs11_token_acquire_rng(
                 return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                        "Failed to generate RNG data on security token: %s", p11_kit_strerror(rv));
 
-        fd = open("/dev/urandom", O_WRONLY|O_CLOEXEC|O_NOCTTY);
-        if (fd < 0)
-                return log_debug_errno(errno, "Failed to open /dev/urandom for writing: %m");
-
-        r = loop_write(fd, buffer, rps, false);
+        r = random_write_entropy(-1, buffer, rps, false);
         if (r < 0)
                 return log_debug_errno(r, "Failed to write PKCS#11 acquired random data to /dev/urandom: %m");