1 // Copyright 2010 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 //go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || plan9 || solaris
6 // +build aix darwin dragonfly freebsd linux netbsd openbsd plan9 solaris
8 // Unix cryptographically secure pseudorandom number
26 import "crypto/internal/boring"
28 const urandomDevice = "/dev/urandom"
30 // Easy implementation: read from /dev/urandom.
31 // This is sufficient on Linux, OS X, and FreeBSD.
35 Reader = boring.RandReader
38 if runtime.GOOS == "plan9" {
39 Reader = newReader(nil)
41 Reader = &devReader{name: urandomDevice}
45 // A devReader satisfies reads by reading the file named name.
46 type devReader struct {
50 used int32 // atomic; whether this devReader has been used
53 // altGetRandom if non-nil specifies an OS-specific function to get
54 // urandom-style randomness.
55 var altGetRandom func([]byte) (ok bool)
58 println("crypto/rand: blocked for 60 seconds waiting to read random data from the kernel")
61 func (r *devReader) Read(b []byte) (n int, err error) {
63 if atomic.CompareAndSwapInt32(&r.used, 0, 1) {
64 // First use of randomness. Start timer to warn about
65 // being blocked on entropy not being available.
66 t := time.AfterFunc(60*time.Second, warnBlocked)
69 if altGetRandom != nil && r.name == urandomDevice && altGetRandom(b) {
75 f, err := os.Open(r.name)
79 if runtime.GOOS == "plan9" {
82 r.f = bufio.NewReader(hideAgainReader{f})
88 var isEAGAIN func(error) bool // set by eagain.go on unix systems
90 // hideAgainReader masks EAGAIN reads from /dev/urandom.
91 // See golang.org/issue/9205
92 type hideAgainReader struct {
96 func (hr hideAgainReader) Read(p []byte) (n int, err error) {
98 if err != nil && isEAGAIN != nil && isEAGAIN(err) {
104 // Alternate pseudo-random implementation for use on
105 // systems without a reliable /dev/urandom.
107 // newReader returns a new pseudorandom generator that
108 // seeds itself by reading from entropy. If entropy == nil,
109 // the generator seeds itself by reading from the system's
110 // random number generator, typically /dev/random.
111 // The Read method on the returned reader always returns
112 // the full amount asked for, or else it returns an error.
114 // The generator uses the X9.31 algorithm with AES-128,
115 // reseeding after every 1 MB of generated data.
116 func newReader(entropy io.Reader) io.Reader {
118 entropy = &devReader{name: "/dev/random"}
120 return &reader{entropy: entropy}
125 budget int // number of bytes that can be generated
128 time, seed, dst, key [aes.BlockSize]byte
131 func (r *reader) Read(b []byte) (n int, err error) {
139 _, err := io.ReadFull(r.entropy, r.seed[0:])
141 return n - len(b), err
143 _, err = io.ReadFull(r.entropy, r.key[0:])
145 return n - len(b), err
147 r.cipher, err = aes.NewCipher(r.key[0:])
149 return n - len(b), err
151 r.budget = 1 << 20 // reseed after generating 1MB
153 r.budget -= aes.BlockSize
155 // ANSI X9.31 (== X9.17) algorithm, but using AES in place of 3DES.
159 // dst = encrypt(t^seed)
160 // seed = encrypt(t^dst)
161 ns := time.Now().UnixNano()
162 binary.BigEndian.PutUint64(r.time[:], uint64(ns))
163 r.cipher.Encrypt(r.time[0:], r.time[0:])
164 for i := 0; i < aes.BlockSize; i++ {
165 r.dst[i] = r.time[i] ^ r.seed[i]
167 r.cipher.Encrypt(r.dst[0:], r.dst[0:])
168 for i := 0; i < aes.BlockSize; i++ {
169 r.seed[i] = r.time[i] ^ r.dst[i]
171 r.cipher.Encrypt(r.seed[0:], r.seed[0:])
173 m := copy(b, r.dst[0:])