Merge pull request #10676 from poettering/rdrand-everywhere
prefer RDRAND over getrandom() and /dev/urandom when we don't need the very best randomness
This commit is contained in:
commit
abdcb688a8
|
@ -65,77 +65,123 @@ int rdrand64(uint64_t *ret) {
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
int acquire_random_bytes(void *p, size_t n, bool high_quality_required) {
|
int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
|
||||||
static int have_syscall = -1;
|
static int have_syscall = -1;
|
||||||
|
|
||||||
_cleanup_close_ int fd = -1;
|
_cleanup_close_ int fd = -1;
|
||||||
size_t already_done = 0;
|
bool got_some = false;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
/* Gathers some randomness from the kernel. This call will never block. If
|
/* Gathers some randomness from the kernel (or the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't
|
||||||
* high_quality_required, it will always return some data from the kernel,
|
* block, unless the RANDOM_BLOCK flag is set. If RANDOM_DONT_DRAIN is set, an error is returned if the random
|
||||||
* regardless of whether the random pool is fully initialized or not.
|
* pool is not initialized. Otherwise it will always return some data from the kernel, regardless of whether
|
||||||
* Otherwise, it will return success if at least some random bytes were
|
* the random pool is fully initialized or not. */
|
||||||
* successfully acquired, and an error if the kernel has no entropy whatsover
|
|
||||||
* for us. */
|
if (n == 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if (FLAGS_SET(flags, RANDOM_ALLOW_RDRAND))
|
||||||
|
/* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is not
|
||||||
|
* required, as we don't trust it (who does?). Note that we only do a single iteration of RDRAND here,
|
||||||
|
* even though the Intel docs suggest calling this in a tight loop of 10 invocations or so. That's
|
||||||
|
* because we don't really care about the quality here. We generally prefer using RDRAND if the caller
|
||||||
|
* allows us too, since this way we won't drain the kernel randomness pool if we don't need it, as the
|
||||||
|
* pool's entropy is scarce. */
|
||||||
|
for (;;) {
|
||||||
|
uint64_t u;
|
||||||
|
size_t m;
|
||||||
|
|
||||||
|
if (rdrand64(&u) < 0) {
|
||||||
|
if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
|
||||||
|
/* Fill in the remaining bytes using pseudo-random values */
|
||||||
|
pseudo_random_bytes(p, n);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* OK, this didn't work, let's go to getrandom() + /dev/urandom instead */
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
m = MIN(sizeof(u), n);
|
||||||
|
memcpy(p, &u, m);
|
||||||
|
|
||||||
|
p = (uint8_t*) p + m;
|
||||||
|
n -= m;
|
||||||
|
|
||||||
|
if (n == 0)
|
||||||
|
return 0; /* Yay, success! */
|
||||||
|
|
||||||
|
got_some = true;
|
||||||
|
}
|
||||||
|
|
||||||
/* Use the getrandom() syscall unless we know we don't have it. */
|
/* Use the getrandom() syscall unless we know we don't have it. */
|
||||||
if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) {
|
if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) {
|
||||||
r = getrandom(p, n, GRND_NONBLOCK);
|
|
||||||
if (r > 0) {
|
|
||||||
have_syscall = true;
|
|
||||||
if ((size_t) r == n)
|
|
||||||
return 0;
|
|
||||||
if (!high_quality_required) {
|
|
||||||
/* Fill in the remaining bytes using pseudorandom values */
|
|
||||||
pseudorandom_bytes((uint8_t*) p + r, n - r);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
already_done = r;
|
for (;;) {
|
||||||
} else if (errno == ENOSYS)
|
r = getrandom(p, n, FLAGS_SET(flags, RANDOM_BLOCK) ? 0 : GRND_NONBLOCK);
|
||||||
/* We lack the syscall, continue with reading from /dev/urandom. */
|
if (r > 0) {
|
||||||
have_syscall = false;
|
have_syscall = true;
|
||||||
else if (errno == EAGAIN) {
|
|
||||||
/* The kernel has no entropy whatsoever. Let's remember to
|
|
||||||
* use the syscall the next time again though.
|
|
||||||
*
|
|
||||||
* If high_quality_required is false, return an error so that
|
|
||||||
* random_bytes() can produce some pseudorandom
|
|
||||||
* bytes. Otherwise, fall back to /dev/urandom, which we know
|
|
||||||
* is empty, but the kernel will produce some bytes for us on
|
|
||||||
* a best-effort basis. */
|
|
||||||
have_syscall = true;
|
|
||||||
|
|
||||||
if (!high_quality_required) {
|
if ((size_t) r == n)
|
||||||
uint64_t u;
|
return 0; /* Yay, success! */
|
||||||
size_t k;
|
|
||||||
|
|
||||||
/* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality
|
assert((size_t) r < n);
|
||||||
* randomness is not required, as we don't trust it (who does?). Note that we only do a
|
p = (uint8_t*) p + r;
|
||||||
* single iteration of RDRAND here, even though the Intel docs suggest calling this in
|
n -= r;
|
||||||
* a tight loop of 10 invocatins or so. That's because we don't really care about the
|
|
||||||
* quality here. */
|
|
||||||
|
|
||||||
if (rdrand64(&u) < 0)
|
if (FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
|
||||||
|
/* Fill in the remaining bytes using pseudo-random values */
|
||||||
|
pseudo_random_bytes(p, n);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
got_some = true;
|
||||||
|
|
||||||
|
/* Hmm, we didn't get enough good data but the caller insists on good data? Then try again */
|
||||||
|
if (FLAGS_SET(flags, RANDOM_BLOCK))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
/* Fill in the rest with /dev/urandom */
|
||||||
|
break;
|
||||||
|
|
||||||
|
} else if (r == 0) {
|
||||||
|
have_syscall = true;
|
||||||
|
return -EIO;
|
||||||
|
|
||||||
|
} else if (errno == ENOSYS) {
|
||||||
|
/* We lack the syscall, continue with reading from /dev/urandom. */
|
||||||
|
have_syscall = false;
|
||||||
|
break;
|
||||||
|
|
||||||
|
} else if (errno == EAGAIN) {
|
||||||
|
/* The kernel has no entropy whatsoever. Let's remember to use the syscall the next
|
||||||
|
* time again though.
|
||||||
|
*
|
||||||
|
* If RANDOM_DONT_DRAIN is set, return an error so that random_bytes() can produce some
|
||||||
|
* pseudo-random bytes instead. Otherwise, fall back to /dev/urandom, which we know is empty,
|
||||||
|
* but the kernel will produce some bytes for us on a best-effort basis. */
|
||||||
|
have_syscall = true;
|
||||||
|
|
||||||
|
if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
|
||||||
|
/* Fill in the remaining bytes using pseudorandom values */
|
||||||
|
pseudo_random_bytes(p, n);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (FLAGS_SET(flags, RANDOM_DONT_DRAIN))
|
||||||
return -ENODATA;
|
return -ENODATA;
|
||||||
|
|
||||||
k = MIN(n, sizeof(u));
|
/* Use /dev/urandom instead */
|
||||||
memcpy(p, &u, k);
|
break;
|
||||||
|
} else
|
||||||
/* We only get 64bit out of RDRAND, the rest let's fill up with pseudo-random crap. */
|
return -errno;
|
||||||
pseudorandom_bytes((uint8_t*) p + k, n - k);
|
}
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
} else
|
|
||||||
return -errno;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
|
fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
|
||||||
if (fd < 0)
|
if (fd < 0)
|
||||||
return errno == ENOENT ? -ENOSYS : -errno;
|
return errno == ENOENT ? -ENOSYS : -errno;
|
||||||
|
|
||||||
return loop_read_exact(fd, (uint8_t*) p + already_done, n - already_done, true);
|
return loop_read_exact(fd, p, n, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
void initialize_srand(void) {
|
void initialize_srand(void) {
|
||||||
|
@ -180,7 +226,7 @@ void initialize_srand(void) {
|
||||||
# define RAND_STEP 1
|
# define RAND_STEP 1
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
void pseudorandom_bytes(void *p, size_t n) {
|
void pseudo_random_bytes(void *p, size_t n) {
|
||||||
uint8_t *q;
|
uint8_t *q;
|
||||||
|
|
||||||
initialize_srand();
|
initialize_srand();
|
||||||
|
@ -203,13 +249,10 @@ void pseudorandom_bytes(void *p, size_t n) {
|
||||||
}
|
}
|
||||||
|
|
||||||
void random_bytes(void *p, size_t n) {
|
void random_bytes(void *p, size_t n) {
|
||||||
int r;
|
|
||||||
|
|
||||||
r = acquire_random_bytes(p, n, false);
|
if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_DONT_DRAIN|RANDOM_ALLOW_RDRAND) >= 0)
|
||||||
if (r >= 0)
|
|
||||||
return;
|
return;
|
||||||
|
|
||||||
/* If some idiot made /dev/urandom unavailable to us, or the
|
/* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */
|
||||||
* kernel has no entropy, use a PRNG instead. */
|
pseudo_random_bytes(p, n);
|
||||||
return pseudorandom_bytes(p, n);
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,9 +5,17 @@
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
|
|
||||||
int acquire_random_bytes(void *p, size_t n, bool high_quality_required);
|
typedef enum RandomFlags {
|
||||||
void pseudorandom_bytes(void *p, size_t n);
|
RANDOM_EXTEND_WITH_PSEUDO = 1 << 0, /* If we can't get enough genuine randomness, but some, fill up the rest with pseudo-randomness */
|
||||||
void random_bytes(void *p, size_t n);
|
RANDOM_BLOCK = 1 << 1, /* Rather block than return crap randomness (only if the kernel supports that) */
|
||||||
|
RANDOM_DONT_DRAIN = 1 << 2, /* If we can't get any randomness at all, return early with -EAGAIN */
|
||||||
|
RANDOM_ALLOW_RDRAND = 1 << 3, /* Allow usage of the CPU RNG */
|
||||||
|
} RandomFlags;
|
||||||
|
|
||||||
|
int genuine_random_bytes(void *p, size_t n, RandomFlags flags); /* returns "genuine" randomness, optionally filled upwith pseudo random, if not enough is available */
|
||||||
|
void pseudo_random_bytes(void *p, size_t n); /* returns only pseudo-randommess (but possibly seeded from something better) */
|
||||||
|
void random_bytes(void *p, size_t n); /* returns genuine randomness if cheaply available, and pseudo randomness if not. */
|
||||||
|
|
||||||
void initialize_srand(void);
|
void initialize_srand(void);
|
||||||
|
|
||||||
static inline uint64_t random_u64(void) {
|
static inline uint64_t random_u64(void) {
|
||||||
|
|
|
@ -647,7 +647,8 @@ static int process_root_password(void) {
|
||||||
if (!arg_root_password)
|
if (!arg_root_password)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
r = acquire_random_bytes(raw, 16, true);
|
/* Insist on the best randomness by setting RANDOM_BLOCK, this is about keeping passwords secret after all. */
|
||||||
|
r = genuine_random_bytes(raw, 16, RANDOM_BLOCK);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to get salt: %m");
|
return log_error_errno(r, "Failed to get salt: %m");
|
||||||
|
|
||||||
|
|
|
@ -272,7 +272,9 @@ _public_ int sd_id128_randomize(sd_id128_t *ret) {
|
||||||
|
|
||||||
assert_return(ret, -EINVAL);
|
assert_return(ret, -EINVAL);
|
||||||
|
|
||||||
r = acquire_random_bytes(&t, sizeof t, true);
|
/* We allow usage if x86-64 RDRAND here. It might not be trusted enough for keeping secrets, but it should be
|
||||||
|
* fine for UUIDS. */
|
||||||
|
r = genuine_random_bytes(&t, sizeof t, RANDOM_ALLOW_RDRAND);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
|
|
@ -5,14 +5,14 @@
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "tests.h"
|
#include "tests.h"
|
||||||
|
|
||||||
static void test_acquire_random_bytes(bool high_quality_required) {
|
static void test_genuine_random_bytes(RandomFlags flags) {
|
||||||
uint8_t buf[16] = {};
|
uint8_t buf[16] = {};
|
||||||
unsigned i;
|
unsigned i;
|
||||||
|
|
||||||
log_info("/* %s */", __func__);
|
log_info("/* %s */", __func__);
|
||||||
|
|
||||||
for (i = 1; i < sizeof buf; i++) {
|
for (i = 1; i < sizeof buf; i++) {
|
||||||
assert_se(acquire_random_bytes(buf, i, high_quality_required) == 0);
|
assert_se(genuine_random_bytes(buf, i, flags) == 0);
|
||||||
if (i + 1 < sizeof buf)
|
if (i + 1 < sizeof buf)
|
||||||
assert_se(buf[i] == 0);
|
assert_se(buf[i] == 0);
|
||||||
|
|
||||||
|
@ -20,14 +20,14 @@ static void test_acquire_random_bytes(bool high_quality_required) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static void test_pseudorandom_bytes(void) {
|
static void test_pseudo_random_bytes(void) {
|
||||||
uint8_t buf[16] = {};
|
uint8_t buf[16] = {};
|
||||||
unsigned i;
|
unsigned i;
|
||||||
|
|
||||||
log_info("/* %s */", __func__);
|
log_info("/* %s */", __func__);
|
||||||
|
|
||||||
for (i = 1; i < sizeof buf; i++) {
|
for (i = 1; i < sizeof buf; i++) {
|
||||||
pseudorandom_bytes(buf, i);
|
pseudo_random_bytes(buf, i);
|
||||||
if (i + 1 < sizeof buf)
|
if (i + 1 < sizeof buf)
|
||||||
assert_se(buf[i] == 0);
|
assert_se(buf[i] == 0);
|
||||||
|
|
||||||
|
@ -54,10 +54,12 @@ static void test_rdrand64(void) {
|
||||||
int main(int argc, char **argv) {
|
int main(int argc, char **argv) {
|
||||||
test_setup_logging(LOG_DEBUG);
|
test_setup_logging(LOG_DEBUG);
|
||||||
|
|
||||||
test_acquire_random_bytes(false);
|
test_genuine_random_bytes(RANDOM_EXTEND_WITH_PSEUDO);
|
||||||
test_acquire_random_bytes(true);
|
test_genuine_random_bytes(0);
|
||||||
|
test_genuine_random_bytes(RANDOM_BLOCK);
|
||||||
|
test_genuine_random_bytes(RANDOM_ALLOW_RDRAND);
|
||||||
|
|
||||||
test_pseudorandom_bytes();
|
test_pseudo_random_bytes();
|
||||||
|
|
||||||
test_rdrand64();
|
test_rdrand64();
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue