// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || plan9 || solaris
+//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
// Unix cryptographically secure pseudorandom number
// generator.
import (
"bufio"
- "crypto/aes"
- "crypto/cipher"
- "encoding/binary"
+ "errors"
"io"
"os"
- "runtime"
"sync"
"sync/atomic"
+ "syscall"
"time"
)
const urandomDevice = "/dev/urandom"
-// Easy implementation: read from /dev/urandom.
-// This is sufficient on Linux, OS X, and FreeBSD.
-
func init() {
if boring.Enabled {
Reader = boring.RandReader
return
}
- if runtime.GOOS == "plan9" {
- Reader = newReader(nil)
- } else {
- Reader = &devReader{name: urandomDevice}
- }
+ Reader = &reader{}
}
-// A devReader satisfies reads by reading the file named name.
-type devReader struct {
- name string
+// A reader satisfies reads by reading from urandomDevice
+type reader struct {
f io.Reader
mu sync.Mutex
- used int32 // atomic; whether this devReader has been used
+ used int32 // atomic; whether this reader has been used
}
// altGetRandom if non-nil specifies an OS-specific function to get
println("crypto/rand: blocked for 60 seconds waiting to read random data from the kernel")
}
-func (r *devReader) Read(b []byte) (n int, err error) {
+func (r *reader) Read(b []byte) (n int, err error) {
boring.Unreachable()
if atomic.CompareAndSwapInt32(&r.used, 0, 1) {
// First use of randomness. Start timer to warn about
// being blocked on entropy not being available.
- t := time.AfterFunc(60*time.Second, warnBlocked)
+ t := time.AfterFunc(time.Minute, warnBlocked)
defer t.Stop()
}
- if altGetRandom != nil && r.name == urandomDevice && altGetRandom(b) {
+ if altGetRandom != nil && altGetRandom(b) {
return len(b), nil
}
r.mu.Lock()
defer r.mu.Unlock()
if r.f == nil {
- f, err := os.Open(r.name)
- if f == nil {
+ f, err := os.Open(urandomDevice)
+ if err != nil {
return 0, err
}
- if runtime.GOOS == "plan9" {
- r.f = f
- } else {
- r.f = bufio.NewReader(hideAgainReader{f})
- }
+ r.f = bufio.NewReader(hideAgainReader{f})
}
return r.f.Read(b)
}
-var isEAGAIN func(error) bool // set by eagain.go on unix systems
-
// hideAgainReader masks EAGAIN reads from /dev/urandom.
// See golang.org/issue/9205
type hideAgainReader struct {
func (hr hideAgainReader) Read(p []byte) (n int, err error) {
n, err = hr.r.Read(p)
- if err != nil && isEAGAIN != nil && isEAGAIN(err) {
+ if errors.Is(err, syscall.EAGAIN) {
err = nil
}
return
}
-
-// Alternate pseudo-random implementation for use on
-// systems without a reliable /dev/urandom.
-
-// newReader returns a new pseudorandom generator that
-// seeds itself by reading from entropy. If entropy == nil,
-// the generator seeds itself by reading from the system's
-// random number generator, typically /dev/random.
-// The Read method on the returned reader always returns
-// the full amount asked for, or else it returns an error.
-//
-// The generator uses the X9.31 algorithm with AES-128,
-// reseeding after every 1 MB of generated data.
-func newReader(entropy io.Reader) io.Reader {
- if entropy == nil {
- entropy = &devReader{name: "/dev/random"}
- }
- return &reader{entropy: entropy}
-}
-
-type reader struct {
- mu sync.Mutex
- budget int // number of bytes that can be generated
- cipher cipher.Block
- entropy io.Reader
- time, seed, dst, key [aes.BlockSize]byte
-}
-
-func (r *reader) Read(b []byte) (n int, err error) {
- boring.Unreachable()
- r.mu.Lock()
- defer r.mu.Unlock()
- n = len(b)
-
- for len(b) > 0 {
- if r.budget == 0 {
- _, err := io.ReadFull(r.entropy, r.seed[0:])
- if err != nil {
- return n - len(b), err
- }
- _, err = io.ReadFull(r.entropy, r.key[0:])
- if err != nil {
- return n - len(b), err
- }
- r.cipher, err = aes.NewCipher(r.key[0:])
- if err != nil {
- return n - len(b), err
- }
- r.budget = 1 << 20 // reseed after generating 1MB
- }
- r.budget -= aes.BlockSize
-
- // ANSI X9.31 (== X9.17) algorithm, but using AES in place of 3DES.
- //
- // single block:
- // t = encrypt(time)
- // dst = encrypt(t^seed)
- // seed = encrypt(t^dst)
- ns := time.Now().UnixNano()
- binary.BigEndian.PutUint64(r.time[:], uint64(ns))
- r.cipher.Encrypt(r.time[0:], r.time[0:])
- for i := 0; i < aes.BlockSize; i++ {
- r.dst[i] = r.time[i] ^ r.seed[i]
- }
- r.cipher.Encrypt(r.dst[0:], r.dst[0:])
- for i := 0; i < aes.BlockSize; i++ {
- r.seed[i] = r.time[i] ^ r.dst[i]
- }
- r.cipher.Encrypt(r.seed[0:], r.seed[0:])
-
- m := copy(b, r.dst[0:])
- b = b[m:]
- }
-
- return n, nil
-}