picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #10676 from poettering/rdrand-everywhere 

prefer RDRAND over getrandom() and /dev/urandom when we don't need the very best randomness
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2018-11-08 13:33:02 +01:00 committed by GitHub
parent 010c9a247d cc83d5197c
commit abdcb688a8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 127 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

161
src/basic/random-util.c
View File

@ -65,77 +65,123 @@ int rdrand64(uint64_t *ret) {
#endif
}
int acquire_random_bytes(void *p, size_t n, bool high_quality_required) {
int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
static int have_syscall = -1;
_cleanup_close_ int fd = -1;
size_t already_done = 0;
bool got_some = false;
int r;
/* Gathers some randomness from the kernel. This call will never block. If
* high_quality_required, it will always return some data from the kernel,
* regardless of whether the random pool is fully initialized or not.
* Otherwise, it will return success if at least some random bytes were
* successfully acquired, and an error if the kernel has no entropy whatsover
* for us. */
/* Gathers some randomness from the kernel (or the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't
* block, unless the RANDOM_BLOCK flag is set. If RANDOM_DONT_DRAIN is set, an error is returned if the random
* pool is not initialized. Otherwise it will always return some data from the kernel, regardless of whether
* the random pool is fully initialized or not. */
if (n == 0)
return 0;
if (FLAGS_SET(flags, RANDOM_ALLOW_RDRAND))
/* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is not
* required, as we don't trust it (who does?). Note that we only do a single iteration of RDRAND here,
* even though the Intel docs suggest calling this in a tight loop of 10 invocations or so. That's
* because we don't really care about the quality here. We generally prefer using RDRAND if the caller
* allows us too, since this way we won't drain the kernel randomness pool if we don't need it, as the
* pool's entropy is scarce. */
for (;;) {
uint64_t u;
size_t m;
if (rdrand64(&u) < 0) {
if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
/* Fill in the remaining bytes using pseudo-random values */
pseudo_random_bytes(p, n);
return 0;
}
/* OK, this didn't work, let's go to getrandom() + /dev/urandom instead */
break;
}
m = MIN(sizeof(u), n);
memcpy(p, &u, m);
p = (uint8_t*) p + m;
n -= m;
if (n == 0)
return 0; /* Yay, success! */
got_some = true;
}
/* Use the getrandom() syscall unless we know we don't have it. */
if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) {
r = getrandom(p, n, GRND_NONBLOCK);
if (r > 0) {
have_syscall = true;
if ((size_t) r == n)
return 0;
if (!high_quality_required) {
/* Fill in the remaining bytes using pseudorandom values */
pseudorandom_bytes((uint8_t*) p + r, n - r);
return 0;
}
already_done = r;
} else if (errno == ENOSYS)
/* We lack the syscall, continue with reading from /dev/urandom. */
have_syscall = false;
else if (errno == EAGAIN) {
/* The kernel has no entropy whatsoever. Let's remember to
* use the syscall the next time again though.
*
* If high_quality_required is false, return an error so that
* random_bytes() can produce some pseudorandom
* bytes. Otherwise, fall back to /dev/urandom, which we know
* is empty, but the kernel will produce some bytes for us on
* a best-effort basis. */
have_syscall = true;
for (;;) {
r = getrandom(p, n, FLAGS_SET(flags, RANDOM_BLOCK) ? 0 : GRND_NONBLOCK);
if (r > 0) {
have_syscall = true;
if (!high_quality_required) {
uint64_t u;
size_t k;
if ((size_t) r == n)
return 0; /* Yay, success! */
/* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality
* randomness is not required, as we don't trust it (who does?). Note that we only do a
* single iteration of RDRAND here, even though the Intel docs suggest calling this in
* a tight loop of 10 invocatins or so. That's because we don't really care about the
* quality here. */
assert((size_t) r < n);
p = (uint8_t*) p + r;
n -= r;
if (rdrand64(&u) < 0)
if (FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
/* Fill in the remaining bytes using pseudo-random values */
pseudo_random_bytes(p, n);
return 0;
}
got_some = true;
/* Hmm, we didn't get enough good data but the caller insists on good data? Then try again */
if (FLAGS_SET(flags, RANDOM_BLOCK))
continue;
/* Fill in the rest with /dev/urandom */
break;
} else if (r == 0) {
have_syscall = true;
return -EIO;
} else if (errno == ENOSYS) {
/* We lack the syscall, continue with reading from /dev/urandom. */
have_syscall = false;
break;
} else if (errno == EAGAIN) {
/* The kernel has no entropy whatsoever. Let's remember to use the syscall the next
* time again though.
*
* If RANDOM_DONT_DRAIN is set, return an error so that random_bytes() can produce some
* pseudo-random bytes instead. Otherwise, fall back to /dev/urandom, which we know is empty,
* but the kernel will produce some bytes for us on a best-effort basis. */
have_syscall = true;
if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
/* Fill in the remaining bytes using pseudorandom values */
pseudo_random_bytes(p, n);
return 0;
}
if (FLAGS_SET(flags, RANDOM_DONT_DRAIN))
return -ENODATA;
k = MIN(n, sizeof(u));
memcpy(p, &u, k);
/* We only get 64bit out of RDRAND, the rest let's fill up with pseudo-random crap. */
pseudorandom_bytes((uint8_t*) p + k, n - k);
return 0;
}
} else
return -errno;
/* Use /dev/urandom instead */
break;
} else
return -errno;
}
}
fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
if (fd < 0)
return errno == ENOENT ? -ENOSYS : -errno;
return loop_read_exact(fd, (uint8_t*) p + already_done, n - already_done, true);
return loop_read_exact(fd, p, n, true);
}
void initialize_srand(void) {
@ -180,7 +226,7 @@ void initialize_srand(void) {
# define RAND_STEP 1
#endif
void pseudorandom_bytes(void *p, size_t n) {
void pseudo_random_bytes(void *p, size_t n) {
uint8_t *q;
initialize_srand();
@ -203,13 +249,10 @@ void pseudorandom_bytes(void *p, size_t n) {
}
void random_bytes(void *p, size_t n) {
int r;
r = acquire_random_bytes(p, n, false);
if (r >= 0)
if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_DONT_DRAIN|RANDOM_ALLOW_RDRAND) >= 0)
return;
/* If some idiot made /dev/urandom unavailable to us, or the
* kernel has no entropy, use a PRNG instead. */
return pseudorandom_bytes(p, n);
/* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */
pseudo_random_bytes(p, n);
}

14
src/basic/random-util.h
View File

@ -5,9 +5,17 @@
#include <stddef.h>
#include <stdint.h>
int acquire_random_bytes(void *p, size_t n, bool high_quality_required);
void pseudorandom_bytes(void *p, size_t n);
void random_bytes(void *p, size_t n);
typedef enum RandomFlags {
RANDOM_EXTEND_WITH_PSEUDO = 1 << 0, /* If we can't get enough genuine randomness, but some, fill up the rest with pseudo-randomness */
RANDOM_BLOCK = 1 << 1, /* Rather block than return crap randomness (only if the kernel supports that) */
RANDOM_DONT_DRAIN = 1 << 2, /* If we can't get any randomness at all, return early with -EAGAIN */
RANDOM_ALLOW_RDRAND = 1 << 3, /* Allow usage of the CPU RNG */
} RandomFlags;
int genuine_random_bytes(void *p, size_t n, RandomFlags flags); /* returns "genuine" randomness, optionally filled upwith pseudo random, if not enough is available */
void pseudo_random_bytes(void *p, size_t n); /* returns only pseudo-randommess (but possibly seeded from something better) */
void random_bytes(void *p, size_t n); /* returns genuine randomness if cheaply available, and pseudo randomness if not. */
void initialize_srand(void);
static inline uint64_t random_u64(void) {

3
src/firstboot/firstboot.c
View File

@ -647,7 +647,8 @@ static int process_root_password(void) {
if (!arg_root_password)
return 0;
r = acquire_random_bytes(raw, 16, true);
/* Insist on the best randomness by setting RANDOM_BLOCK, this is about keeping passwords secret after all. */
r = genuine_random_bytes(raw, 16, RANDOM_BLOCK);
if (r < 0)
return log_error_errno(r, "Failed to get salt: %m");

4
src/libsystemd/sd-id128/sd-id128.c
View File

@ -272,7 +272,9 @@ _public_ int sd_id128_randomize(sd_id128_t *ret) {
assert_return(ret, -EINVAL);
r = acquire_random_bytes(&t, sizeof t, true);
/* We allow usage if x86-64 RDRAND here. It might not be trusted enough for keeping secrets, but it should be
* fine for UUIDS. */
r = genuine_random_bytes(&t, sizeof t, RANDOM_ALLOW_RDRAND);
if (r < 0)
return r;

16
src/test/test-random-util.c
View File

@ -5,14 +5,14 @@
#include "log.h"
#include "tests.h"
static void test_acquire_random_bytes(bool high_quality_required) {
static void test_genuine_random_bytes(RandomFlags flags) {
uint8_t buf[16] = {};
unsigned i;
log_info("/* %s */", __func__);
for (i = 1; i < sizeof buf; i++) {
assert_se(acquire_random_bytes(buf, i, high_quality_required) == 0);
assert_se(genuine_random_bytes(buf, i, flags) == 0);
if (i + 1 < sizeof buf)
assert_se(buf[i] == 0);
@ -20,14 +20,14 @@ static void test_acquire_random_bytes(bool high_quality_required) {
}
}
static void test_pseudorandom_bytes(void) {
static void test_pseudo_random_bytes(void) {
uint8_t buf[16] = {};
unsigned i;
log_info("/* %s */", __func__);
for (i = 1; i < sizeof buf; i++) {
pseudorandom_bytes(buf, i);
pseudo_random_bytes(buf, i);
if (i + 1 < sizeof buf)
assert_se(buf[i] == 0);
@ -54,10 +54,12 @@ static void test_rdrand64(void) {
int main(int argc, char **argv) {
test_setup_logging(LOG_DEBUG);
test_acquire_random_bytes(false);
test_acquire_random_bytes(true);
test_genuine_random_bytes(RANDOM_EXTEND_WITH_PSEUDO);
test_genuine_random_bytes(0);
test_genuine_random_bytes(RANDOM_BLOCK);
test_genuine_random_bytes(RANDOM_ALLOW_RDRAND);
test_pseudorandom_bytes();
test_pseudo_random_bytes();
test_rdrand64();