diff --git a/src/basic/random-util.c b/src/basic/random-util.c index 6b08f72fc2..8eb6acfbbf 100644 --- a/src/basic/random-util.c +++ b/src/basic/random-util.c @@ -67,18 +67,52 @@ int rdrand64(uint64_t *ret) { int genuine_random_bytes(void *p, size_t n, RandomFlags flags) { static int have_syscall = -1; - _cleanup_close_ int fd = -1; + bool got_some = false; int r; - /* Gathers some randomness from the kernel. This call won't block, unless the RANDOM_BLOCK flag is set. If - * RANDOM_DONT_DRAIN is set, an error is returned if the random pool is not initialized. Otherwise it will - * always return some data from the kernel, regardless of whether the random pool is fully initialized or - * not. */ + /* Gathers some randomness from the kernel (or the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't + * block, unless the RANDOM_BLOCK flag is set. If RANDOM_DONT_DRAIN is set, an error is returned if the random + * pool is not initialized. Otherwise it will always return some data from the kernel, regardless of whether + * the random pool is fully initialized or not. */ if (n == 0) return 0; + if (FLAGS_SET(flags, RANDOM_ALLOW_RDRAND)) + /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is not + * required, as we don't trust it (who does?). Note that we only do a single iteration of RDRAND here, + * even though the Intel docs suggest calling this in a tight loop of 10 invocations or so. That's + * because we don't really care about the quality here. We generally prefer using RDRAND if the caller + * allows us too, since this way we won't drain the kernel randomness pool if we don't need it, as the + * pool's entropy is scarce. */ + for (;;) { + uint64_t u; + size_t m; + + if (rdrand64(&u) < 0) { + if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) { + /* Fill in the remaining bytes using pseudo-random values */ + pseudo_random_bytes(p, n); + return 0; + } + + /* OK, this didn't work, let's go to getrandom() + /dev/urandom instead */ + break; + } + + m = MIN(sizeof(u), n); + memcpy(p, &u, m); + + p = (uint8_t*) p + m; + n -= m; + + if (n == 0) + return 0; /* Yay, success! */ + + got_some = true; + } + /* Use the getrandom() syscall unless we know we don't have it. */ if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) { @@ -100,6 +134,8 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) { return 0; } + got_some = true; + /* Hmm, we didn't get enough good data but the caller insists on good data? Then try again */ if (FLAGS_SET(flags, RANDOM_BLOCK)) continue; @@ -125,30 +161,15 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) { * but the kernel will produce some bytes for us on a best-effort basis. */ have_syscall = true; - if (FLAGS_SET(flags, RANDOM_DONT_DRAIN)) - return -ENODATA; - - if (FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) { - uint64_t u; - size_t k; - - /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality - * randomness is not required, as we don't trust it (who does?). Note that we only do a - * single iteration of RDRAND here, even though the Intel docs suggest calling this in - * a tight loop of 10 invocatins or so. That's because we don't really care about the - * quality here. */ - - if (rdrand64(&u) < 0) - return -ENODATA; - - k = MIN(n, sizeof(u)); - memcpy(p, &u, k); - - /* We only get 64bit out of RDRAND, the rest let's fill up with pseudo-random crap. */ - pseudo_random_bytes((uint8_t*) p + k, n - k); + if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) { + /* Fill in the remaining bytes using pseudorandom values */ + pseudo_random_bytes(p, n); return 0; } + if (FLAGS_SET(flags, RANDOM_DONT_DRAIN)) + return -ENODATA; + /* Use /dev/urandom instead */ break; } else @@ -229,7 +250,7 @@ void pseudo_random_bytes(void *p, size_t n) { void random_bytes(void *p, size_t n) { - if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_DONT_DRAIN) >= 0) + if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_DONT_DRAIN|RANDOM_ALLOW_RDRAND) >= 0) return; /* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */ diff --git a/src/basic/random-util.h b/src/basic/random-util.h index 487f20e0ab..7a960cf9e7 100644 --- a/src/basic/random-util.h +++ b/src/basic/random-util.h @@ -9,6 +9,7 @@ typedef enum RandomFlags { RANDOM_EXTEND_WITH_PSEUDO = 1 << 0, /* If we can't get enough genuine randomness, but some, fill up the rest with pseudo-randomness */ RANDOM_BLOCK = 1 << 1, /* Rather block than return crap randomness (only if the kernel supports that) */ RANDOM_DONT_DRAIN = 1 << 2, /* If we can't get any randomness at all, return early with -EAGAIN */ + RANDOM_ALLOW_RDRAND = 1 << 3, /* Allow usage of the CPU RNG */ } RandomFlags; int genuine_random_bytes(void *p, size_t n, RandomFlags flags); /* returns "genuine" randomness, optionally filled upwith pseudo random, if not enough is available */ diff --git a/src/libsystemd/sd-id128/sd-id128.c b/src/libsystemd/sd-id128/sd-id128.c index 218070010d..3593a71c02 100644 --- a/src/libsystemd/sd-id128/sd-id128.c +++ b/src/libsystemd/sd-id128/sd-id128.c @@ -272,7 +272,9 @@ _public_ int sd_id128_randomize(sd_id128_t *ret) { assert_return(ret, -EINVAL); - r = genuine_random_bytes(&t, sizeof t, 0); + /* We allow usage if x86-64 RDRAND here. It might not be trusted enough for keeping secrets, but it should be + * fine for UUIDS. */ + r = genuine_random_bytes(&t, sizeof t, RANDOM_ALLOW_RDRAND); if (r < 0) return r; diff --git a/src/test/test-random-util.c b/src/test/test-random-util.c index 79c65a148c..a59c6374b2 100644 --- a/src/test/test-random-util.c +++ b/src/test/test-random-util.c @@ -57,6 +57,7 @@ int main(int argc, char **argv) { test_genuine_random_bytes(RANDOM_EXTEND_WITH_PSEUDO); test_genuine_random_bytes(0); test_genuine_random_bytes(RANDOM_BLOCK); + test_genuine_random_bytes(RANDOM_ALLOW_RDRAND); test_pseudo_random_bytes();