1 // Copyright 2010 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // +build aix darwin dragonfly freebsd linux netbsd openbsd plan9 solaris
7 // Unix cryptographically secure pseudorandom number
25 import "crypto/internal/boring"
27 const urandomDevice = "/dev/urandom"
29 // Easy implementation: read from /dev/urandom.
30 // This is sufficient on Linux, OS X, and FreeBSD.
34 Reader = boring.RandReader
37 if runtime.GOOS == "plan9" {
38 Reader = newReader(nil)
40 Reader = &devReader{name: urandomDevice}
44 // A devReader satisfies reads by reading the file named name.
45 type devReader struct {
49 used int32 // atomic; whether this devReader has been used
52 // altGetRandom if non-nil specifies an OS-specific function to get
53 // urandom-style randomness.
54 var altGetRandom func([]byte) (ok bool)
56 func (r *devReader) Read(b []byte) (n int, err error) {
58 if atomic.CompareAndSwapInt32(&r.used, 0, 1) {
59 // First use of randomness. Start timer to warn about
60 // being blocked on entropy not being available.
61 t := time.AfterFunc(60*time.Second, warnBlocked)
64 if altGetRandom != nil && r.name == urandomDevice && altGetRandom(b) {
70 f, err := os.Open(r.name)
74 if runtime.GOOS == "plan9" {
77 r.f = bufio.NewReader(hideAgainReader{f})
83 var isEAGAIN func(error) bool // set by eagain.go on unix systems
85 // hideAgainReader masks EAGAIN reads from /dev/urandom.
86 // See golang.org/issue/9205
87 type hideAgainReader struct {
91 func (hr hideAgainReader) Read(p []byte) (n int, err error) {
93 if err != nil && isEAGAIN != nil && isEAGAIN(err) {
99 // Alternate pseudo-random implementation for use on
100 // systems without a reliable /dev/urandom.
102 // newReader returns a new pseudorandom generator that
103 // seeds itself by reading from entropy. If entropy == nil,
104 // the generator seeds itself by reading from the system's
105 // random number generator, typically /dev/random.
106 // The Read method on the returned reader always returns
107 // the full amount asked for, or else it returns an error.
109 // The generator uses the X9.31 algorithm with AES-128,
110 // reseeding after every 1 MB of generated data.
111 func newReader(entropy io.Reader) io.Reader {
113 entropy = &devReader{name: "/dev/random"}
115 return &reader{entropy: entropy}
120 budget int // number of bytes that can be generated
123 time, seed, dst, key [aes.BlockSize]byte
126 func (r *reader) Read(b []byte) (n int, err error) {
134 _, err := io.ReadFull(r.entropy, r.seed[0:])
136 return n - len(b), err
138 _, err = io.ReadFull(r.entropy, r.key[0:])
140 return n - len(b), err
142 r.cipher, err = aes.NewCipher(r.key[0:])
144 return n - len(b), err
146 r.budget = 1 << 20 // reseed after generating 1MB
148 r.budget -= aes.BlockSize
150 // ANSI X9.31 (== X9.17) algorithm, but using AES in place of 3DES.
154 // dst = encrypt(t^seed)
155 // seed = encrypt(t^dst)
156 ns := time.Now().UnixNano()
157 binary.BigEndian.PutUint64(r.time[:], uint64(ns))
158 r.cipher.Encrypt(r.time[0:], r.time[0:])
159 for i := 0; i < aes.BlockSize; i++ {
160 r.dst[i] = r.time[i] ^ r.seed[i]
162 r.cipher.Encrypt(r.dst[0:], r.dst[0:])
163 for i := 0; i < aes.BlockSize; i++ {
164 r.seed[i] = r.time[i] ^ r.dst[i]
166 r.cipher.Encrypt(r.seed[0:], r.seed[0:])
168 m := copy(b, r.dst[0:])