diff options
| author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2017-06-30 13:05:56 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-06-30 13:05:56 -0400 |
| commit | 74d8f1c55b5aa46d2745fa4a74ae9fced6a3cab8 (patch) | |
| tree | f25c50b7554b2e02dd42e2403c5e12c605b19be9 | |
| parent | 9432a05c541d64e807949c416604cc04f4107307 (diff) | |
| parent | 2416f73be12dbac0d121f23f654f7019ae3e4ca8 (diff) | |
| download | systemd-74d8f1c55b5aa46d2745fa4a74ae9fced6a3cab8.tar.gz | |
Merge pull request #6194 from keszybz/urandom-magic
Fall back to /dev/urandom less and other random number improvements.
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | Makefile.am | 7 | ||||
| -rw-r--r-- | src/basic/random-util.c | 118 | ||||
| -rw-r--r-- | src/basic/random-util.h | 4 | ||||
| -rw-r--r-- | src/firstboot/firstboot.c | 2 | ||||
| -rw-r--r-- | src/libsystemd/sd-id128/sd-id128.c | 2 | ||||
| -rw-r--r-- | src/test/meson.build | 4 | ||||
| -rw-r--r-- | src/test/test-random-util.c | 65 |
8 files changed, 157 insertions, 46 deletions
diff --git a/.gitignore b/.gitignore index bc47db6481..8c4331e54f 100644 --- a/.gitignore +++ b/.gitignore @@ -267,6 +267,7 @@ /test-process-util /test-pty /test-qcow2 +/test-random-util /test-ratelimit /test-replace-var /test-resolve diff --git a/Makefile.am b/Makefile.am index 07995680fe..3fb68dd385 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1624,6 +1624,7 @@ tests += \ test-conf-parser \ test-capability \ test-async \ + test-random-util \ test-ratelimit \ test-condition \ test-uid-range \ @@ -1945,6 +1946,12 @@ test_fstab_util_SOURCES = \ test_fstab_util_LDADD = \ libsystemd-shared.la +test_random_util_SOURCES = \ + src/test/test-random-util.c + +test_random_util_LDADD = \ + libsystemd-shared.la + test_ratelimit_SOURCES = \ src/test/test-ratelimit.c diff --git a/src/basic/random-util.c b/src/basic/random-util.c index b216be579d..490107ef41 100644 --- a/src/basic/random-util.c +++ b/src/basic/random-util.c @@ -42,53 +42,59 @@ #include "random-util.h" #include "time-util.h" -int dev_urandom(void *p, size_t n) { +int acquire_random_bytes(void *p, size_t n, bool high_quality_required) { static int have_syscall = -1; _cleanup_close_ int fd = -1; int r; + unsigned already_done = 0; - /* Gathers some randomness from the kernel. This call will - * never block, and will always return some data from the - * kernel, regardless if the random pool is fully initialized - * or not. It thus makes no guarantee for the quality of the - * returned entropy, but is good enough for our usual usecases - * of seeding the hash functions for hashtable */ + /* Gathers some randomness from the kernel. This call will never block. If + * high_quality_required, it will always return some data from the kernel, + * regardless of whether the random pool is fully initialized or not. + * Otherwise, it will return success if at least some random bytes were + * successfully acquired, and an error if the kernel has no entropy whatsover + * for us. */ - /* Use the getrandom() syscall unless we know we don't have - * it, or when the requested size is too large for it. */ - if (have_syscall != 0 || (size_t) (int) n != n) { + /* Use the getrandom() syscall unless we know we don't have it. */ + if (have_syscall != 0) { r = getrandom(p, n, GRND_NONBLOCK); - if (r == (int) n) { + if (r > 0) { have_syscall = true; - return 0; - } - - if (r < 0) { - if (errno == ENOSYS) - /* we lack the syscall, continue with - * reading from /dev/urandom */ - have_syscall = false; - else if (errno == EAGAIN) - /* not enough entropy for now. Let's - * remember to use the syscall the - * next time, again, but also read - * from /dev/urandom for now, which - * doesn't care about the current - * amount of entropy. */ - have_syscall = true; - else - return -errno; + if (r == n) + return 0; + if (!high_quality_required) { + /* Fill in the remaing bytes using pseudorandom values */ + pseudorandom_bytes((uint8_t*) p + r, n - r); + return 0; + } + + already_done = r; + } else if (errno == ENOSYS) + /* We lack the syscall, continue with reading from /dev/urandom. */ + have_syscall = false; + else if (errno == EAGAIN) { + /* The kernel has no entropy whatsoever. Let's remember to + * use the syscall the next time again though. + * + * If high_quality_required is false, return an error so that + * random_bytes() can produce some pseudorandom + * bytes. Otherwise, fall back to /dev/urandom, which we know + * is empty, but the kernel will produce some bytes for us on + * a best-effort basis. */ + have_syscall = true; + + if (!high_quality_required) + return -ENODATA; } else - /* too short read? */ - return -ENODATA; + return -errno; } fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY); if (fd < 0) return errno == ENOENT ? -ENOSYS : -errno; - return loop_read_exact(fd, p, n, true); + return loop_read_exact(fd, (uint8_t*) p + already_done, n - already_done, true); } void initialize_srand(void) { @@ -102,8 +108,9 @@ void initialize_srand(void) { return; #ifdef HAVE_SYS_AUXV_H - /* The kernel provides us with 16 bytes of entropy in auxv, so let's try to make use of that to seed the - * pseudo-random generator. It's better than nothing... */ + /* The kernel provides us with 16 bytes of entropy in auxv, so let's + * try to make use of that to seed the pseudo-random generator. It's + * better than nothing... */ auxv = (void*) getauxval(AT_RANDOM); if (auxv) { @@ -121,19 +128,44 @@ void initialize_srand(void) { srand_called = true; } -void random_bytes(void *p, size_t n) { +/* INT_MAX gives us only 31 bits, so use 24 out of that. */ +#if RAND_MAX >= INT_MAX +# define RAND_STEP 3 +#else +/* SHORT_INT_MAX or lower gives at most 15 bits, we just just 8 out of that. */ +# define RAND_STEP 1 +#endif + +void pseudorandom_bytes(void *p, size_t n) { uint8_t *q; + + initialize_srand(); + + for (q = p; q < (uint8_t*) p + n; q += RAND_STEP) { + unsigned rr; + + rr = (unsigned) rand(); + +#if RAND_STEP >= 3 + if (q - (uint8_t*) p + 2 < n) + q[2] = rr >> 16; +#endif +#if RAND_STEP >= 2 + if (q - (uint8_t*) p + 1 < n) + q[1] = rr >> 8; +#endif + q[0] = rr; + } +} + +void random_bytes(void *p, size_t n) { int r; - r = dev_urandom(p, n); + r = acquire_random_bytes(p, n, false); if (r >= 0) return; - /* If some idiot made /dev/urandom unavailable to us, he'll - * get a PRNG instead. */ - - initialize_srand(); - - for (q = p; q < (uint8_t*) p + n; q ++) - *q = rand(); + /* If some idiot made /dev/urandom unavailable to us, or the + * kernel has no entropy, use a PRNG instead. */ + return pseudorandom_bytes(p, n); } diff --git a/src/basic/random-util.h b/src/basic/random-util.h index 3cee4c5014..804e225fc1 100644 --- a/src/basic/random-util.h +++ b/src/basic/random-util.h @@ -19,10 +19,12 @@ along with systemd; If not, see <http://www.gnu.org/licenses/>. ***/ +#include <stdbool.h> #include <stddef.h> #include <stdint.h> -int dev_urandom(void *p, size_t n); +int acquire_random_bytes(void *p, size_t n, bool high_quality_required); +void pseudorandom_bytes(void *p, size_t n); void random_bytes(void *p, size_t n); void initialize_srand(void); diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c index bc16290c72..b3578d3e16 100644 --- a/src/firstboot/firstboot.c +++ b/src/firstboot/firstboot.c @@ -572,7 +572,7 @@ static int process_root_password(void) { if (!arg_root_password) return 0; - r = dev_urandom(raw, 16); + r = acquire_random_bytes(raw, 16, true); if (r < 0) return log_error_errno(r, "Failed to get salt: %m"); diff --git a/src/libsystemd/sd-id128/sd-id128.c b/src/libsystemd/sd-id128/sd-id128.c index cc89f2de2e..b1f6c5305f 100644 --- a/src/libsystemd/sd-id128/sd-id128.c +++ b/src/libsystemd/sd-id128/sd-id128.c @@ -289,7 +289,7 @@ _public_ int sd_id128_randomize(sd_id128_t *ret) { assert_return(ret, -EINVAL); - r = dev_urandom(&t, sizeof(t)); + r = acquire_random_bytes(&t, sizeof t, true); if (r < 0) return r; diff --git a/src/test/meson.build b/src/test/meson.build index 892d2929ee..7b493a4d05 100644 --- a/src/test/meson.build +++ b/src/test/meson.build @@ -161,6 +161,10 @@ tests += [ [], []], + [['src/test/test-random-util.c'], + [], + []], + [['src/test/test-ratelimit.c'], [], []], diff --git a/src/test/test-random-util.c b/src/test/test-random-util.c new file mode 100644 index 0000000000..50f4da270d --- /dev/null +++ b/src/test/test-random-util.c @@ -0,0 +1,65 @@ +/*** + This file is part of systemd. + + Copyright 2017 Zbigniew Jędrzejewski-Szmek + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include "hexdecoct.h" +#include "random-util.h" +#include "log.h" + +static void test_acquire_random_bytes(bool high_quality_required) { + uint8_t buf[16] = {}; + unsigned i; + + log_info("/* %s */", __func__); + + for (i = 1; i < sizeof buf; i++) { + assert_se(acquire_random_bytes(buf, i, high_quality_required) == 0); + if (i + 1 < sizeof buf) + assert_se(buf[i] == 0); + + hexdump(stdout, buf, i); + } +} + +static void test_pseudorandom_bytes(void) { + uint8_t buf[16] = {}; + unsigned i; + + log_info("/* %s */", __func__); + + for (i = 1; i < sizeof buf; i++) { + pseudorandom_bytes(buf, i); + if (i + 1 < sizeof buf) + assert_se(buf[i] == 0); + + hexdump(stdout, buf, i); + } +} + +int main(int argc, char **argv) { + log_set_max_level(LOG_DEBUG); + log_parse_environment(); + log_open(); + + test_acquire_random_bytes(false); + test_acquire_random_bytes(true); + + test_pseudorandom_bytes(); + + return 0; +} |