// Copyright 2010 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. //go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || plan9 || solaris // +build aix darwin dragonfly freebsd linux netbsd openbsd plan9 solaris // Unix cryptographically secure pseudorandom number // generator. package rand import ( "bufio" "crypto/aes" "crypto/cipher" "encoding/binary" "io" "os" "runtime" "sync" "sync/atomic" "time" ) const urandomDevice = "/dev/urandom" // Easy implementation: read from /dev/urandom. // This is sufficient on Linux, OS X, and FreeBSD. func init() { if runtime.GOOS == "plan9" { Reader = newReader(nil) } else { Reader = &devReader{name: urandomDevice} } } // A devReader satisfies reads by reading the file named name. type devReader struct { name string f io.Reader mu sync.Mutex used int32 // atomic; whether this devReader has been used } // altGetRandom if non-nil specifies an OS-specific function to get // urandom-style randomness. var altGetRandom func([]byte) (ok bool) func warnBlocked() { println("crypto/rand: blocked for 60 seconds waiting to read random data from the kernel") } func (r *devReader) Read(b []byte) (n int, err error) { if atomic.CompareAndSwapInt32(&r.used, 0, 1) { // First use of randomness. Start timer to warn about // being blocked on entropy not being available. t := time.AfterFunc(60*time.Second, warnBlocked) defer t.Stop() } if altGetRandom != nil && r.name == urandomDevice && altGetRandom(b) { return len(b), nil } r.mu.Lock() defer r.mu.Unlock() if r.f == nil { f, err := os.Open(r.name) if f == nil { return 0, err } if runtime.GOOS == "plan9" { r.f = f } else { r.f = bufio.NewReader(hideAgainReader{f}) } } return r.f.Read(b) } var isEAGAIN func(error) bool // set by eagain.go on unix systems // hideAgainReader masks EAGAIN reads from /dev/urandom. // See golang.org/issue/9205 type hideAgainReader struct { r io.Reader } func (hr hideAgainReader) Read(p []byte) (n int, err error) { n, err = hr.r.Read(p) if err != nil && isEAGAIN != nil && isEAGAIN(err) { err = nil } return } // Alternate pseudo-random implementation for use on // systems without a reliable /dev/urandom. // newReader returns a new pseudorandom generator that // seeds itself by reading from entropy. If entropy == nil, // the generator seeds itself by reading from the system's // random number generator, typically /dev/random. // The Read method on the returned reader always returns // the full amount asked for, or else it returns an error. // // The generator uses the X9.31 algorithm with AES-128, // reseeding after every 1 MB of generated data. func newReader(entropy io.Reader) io.Reader { if entropy == nil { entropy = &devReader{name: "/dev/random"} } return &reader{entropy: entropy} } type reader struct { mu sync.Mutex budget int // number of bytes that can be generated cipher cipher.Block entropy io.Reader time, seed, dst, key [aes.BlockSize]byte } func (r *reader) Read(b []byte) (n int, err error) { r.mu.Lock() defer r.mu.Unlock() n = len(b) for len(b) > 0 { if r.budget == 0 { _, err := io.ReadFull(r.entropy, r.seed[0:]) if err != nil { return n - len(b), err } _, err = io.ReadFull(r.entropy, r.key[0:]) if err != nil { return n - len(b), err } r.cipher, err = aes.NewCipher(r.key[0:]) if err != nil { return n - len(b), err } r.budget = 1 << 20 // reseed after generating 1MB } r.budget -= aes.BlockSize // ANSI X9.31 (== X9.17) algorithm, but using AES in place of 3DES. // // single block: // t = encrypt(time) // dst = encrypt(t^seed) // seed = encrypt(t^dst) ns := time.Now().UnixNano() binary.BigEndian.PutUint64(r.time[:], uint64(ns)) r.cipher.Encrypt(r.time[0:], r.time[0:]) for i := 0; i < aes.BlockSize; i++ { r.dst[i] = r.time[i] ^ r.seed[i] } r.cipher.Encrypt(r.dst[0:], r.dst[0:]) for i := 0; i < aes.BlockSize; i++ { r.seed[i] = r.time[i] ^ r.dst[i] } r.cipher.Encrypt(r.seed[0:], r.seed[0:]) m := copy(b, r.dst[0:]) b = b[m:] } return n, nil }