Branch data Line data Source code
1 : : /* SPDX-License-Identifier: LGPL-2.1+ */
2 : :
3 : : #if defined(__i386__) || defined(__x86_64__)
4 : : #include <cpuid.h>
5 : : #endif
6 : :
7 : : #include <elf.h>
8 : : #include <errno.h>
9 : : #include <fcntl.h>
10 : : #include <stdbool.h>
11 : : #include <stdint.h>
12 : : #include <stdlib.h>
13 : : #include <string.h>
14 : : #include <sys/time.h>
15 : :
16 : : #if HAVE_SYS_AUXV_H
17 : : # include <sys/auxv.h>
18 : : #endif
19 : :
20 : : #if USE_SYS_RANDOM_H
21 : : # include <sys/random.h>
22 : : #else
23 : : # include <linux/random.h>
24 : : #endif
25 : :
26 : : #include "alloc-util.h"
27 : : #include "fd-util.h"
28 : : #include "fileio.h"
29 : : #include "io-util.h"
30 : : #include "missing.h"
31 : : #include "parse-util.h"
32 : : #include "random-util.h"
33 : : #include "siphash24.h"
34 : : #include "time-util.h"
35 : :
36 : 1502610 : int rdrand(unsigned long *ret) {
37 : :
38 : : /* So, you are a "security researcher", and you wonder why we bother with using raw RDRAND here,
39 : : * instead of sticking to /dev/urandom or getrandom()?
40 : : *
41 : : * Here's why: early boot. On Linux, during early boot the random pool that backs /dev/urandom and
42 : : * getrandom() is generally not initialized yet. It is very common that initialization of the random
43 : : * pool takes a longer time (up to many minutes), in particular on embedded devices that have no
44 : : * explicit hardware random generator, as well as in virtualized environments such as major cloud
45 : : * installations that do not provide virtio-rng or a similar mechanism.
46 : : *
47 : : * In such an environment using getrandom() synchronously means we'd block the entire system boot-up
48 : : * until the pool is initialized, i.e. *very* long. Using getrandom() asynchronously (GRND_NONBLOCK)
49 : : * would mean acquiring randomness during early boot would simply fail. Using /dev/urandom would mean
50 : : * generating many kmsg log messages about our use of it before the random pool is properly
51 : : * initialized. Neither of these outcomes is desirable.
52 : : *
53 : : * Thus, for very specific purposes we use RDRAND instead of either of these three options. RDRAND
54 : : * provides us quickly and relatively reliably with random values, without having to delay boot,
55 : : * without triggering warning messages in kmsg.
56 : : *
57 : : * Note that we use RDRAND only under very specific circumstances, when the requirements on the
58 : : * quality of the returned entropy permit it. Specifically, here are some cases where we *do* use
59 : : * RDRAND:
60 : : *
61 : : * • UUID generation: UUIDs are supposed to be universally unique but are not cryptographic
62 : : * key material. The quality and trust level of RDRAND should hence be OK: UUIDs should be
63 : : * generated in a way that is reliably unique, but they do not require ultimate trust into
64 : : * the entropy generator. systemd generates a number of UUIDs during early boot, including
65 : : * 'invocation IDs' for every unit spawned that identify the specific invocation of the
66 : : * service globally, and a number of others. Other alternatives for generating these UUIDs
67 : : * have been considered, but don't really work: for example, hashing uuids from a local
68 : : * system identifier combined with a counter falls flat because during early boot disk
69 : : * storage is not yet available (think: initrd) and thus a system-specific ID cannot be
70 : : * stored or retrieved yet.
71 : : *
72 : : * • Hash table seed generation: systemd uses many hash tables internally. Hash tables are
73 : : * generally assumed to have O(1) access complexity, but can deteriorate to prohibitive
74 : : * O(n) access complexity if an attacker manages to trigger a large number of hash
75 : : * collisions. Thus, systemd (as any software employing hash tables should) uses seeded
76 : : * hash functions for its hash tables, with a seed generated randomly. The hash tables
77 : : * systemd employs watch the fill level closely and reseed if necessary. This allows use of
78 : : * a low quality RNG initially, as long as it improves should a hash table be under attack:
79 : : * the attacker after all needs to to trigger many collisions to exploit it for the purpose
80 : : * of DoS, but if doing so improves the seed the attack surface is reduced as the attack
81 : : * takes place.
82 : : *
83 : : * Some cases where we do NOT use RDRAND are:
84 : : *
85 : : * • Generation of cryptographic key material 🔑
86 : : *
87 : : * • Generation of cryptographic salt values 🧂
88 : : *
89 : : * This function returns:
90 : : *
91 : : * -EOPNOTSUPP → RDRAND is not available on this system 😔
92 : : * -EAGAIN → The operation failed this time, but is likely to work if you try again a few
93 : : * times ♻
94 : : * -EUCLEAN → We got some random value, but it looked strange, so we refused using it.
95 : : * This failure might or might not be temporary. 😕
96 : : */
97 : :
98 : : #if defined(__i386__) || defined(__x86_64__)
99 : : static int have_rdrand = -1;
100 : : unsigned long v;
101 : : uint8_t success;
102 : :
103 [ + + ]: 1502610 : if (have_rdrand < 0) {
104 : : uint32_t eax, ebx, ecx, edx;
105 : :
106 : : /* Check if RDRAND is supported by the CPU */
107 [ - + ]: 767 : if (__get_cpuid(1, &eax, &ebx, &ecx, &edx) == 0) {
108 : 0 : have_rdrand = false;
109 : 0 : return -EOPNOTSUPP;
110 : : }
111 : :
112 : : /* Compat with old gcc where bit_RDRND didn't exist yet */
113 : : #ifndef bit_RDRND
114 : : #define bit_RDRND (1U << 30)
115 : : #endif
116 : :
117 : 767 : have_rdrand = !!(ecx & bit_RDRND);
118 : : }
119 : :
120 [ - + ]: 1502610 : if (have_rdrand == 0)
121 : 0 : return -EOPNOTSUPP;
122 : :
123 : 1502610 : asm volatile("rdrand %0;"
124 : : "setc %1"
125 : : : "=r" (v),
126 : : "=qm" (success));
127 : : msan_unpoison(&success, sizeof(success));
128 [ - + ]: 1502610 : if (!success)
129 : 0 : return -EAGAIN;
130 : :
131 : : /* Apparently on some AMD CPUs RDRAND will sometimes (after a suspend/resume cycle?) report success
132 : : * via the carry flag but nonetheless return the same fixed value -1 in all cases. This appears to be
133 : : * a bad bug in the CPU or firmware. Let's deal with that and work-around this by explicitly checking
134 : : * for this special value (and also 0, just to be sure) and filtering it out. This is a work-around
135 : : * only however and something AMD really should fix properly. The Linux kernel should probably work
136 : : * around this issue by turning off RDRAND altogether on those CPUs. See:
137 : : * https://github.com/systemd/systemd/issues/11810 */
138 [ + - - + ]: 1502610 : if (v == 0 || v == ULONG_MAX)
139 [ # # ]: 0 : return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
140 : : "RDRAND returned suspicious value %lx, assuming bad hardware RNG, not using value.", v);
141 : :
142 : 1502610 : *ret = v;
143 : 1502610 : return 0;
144 : : #else
145 : : return -EOPNOTSUPP;
146 : : #endif
147 : : }
148 : :
149 : 38025 : int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
150 : : static int have_syscall = -1;
151 : 38025 : _cleanup_close_ int fd = -1;
152 : 38025 : bool got_some = false;
153 : : int r;
154 : :
155 : : /* Gathers some high-quality randomness from the kernel (or potentially mid-quality randomness from
156 : : * the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't block, unless the RANDOM_BLOCK
157 : : * flag is set. If RANDOM_MAY_FAIL is set, an error is returned if the random pool is not
158 : : * initialized. Otherwise it will always return some data from the kernel, regardless of whether the
159 : : * random pool is fully initialized or not. If RANDOM_EXTEND_WITH_PSEUDO is set, and some but not
160 : : * enough better quality randomness could be acquired, the rest is filled up with low quality
161 : : * randomness.
162 : : *
163 : : * Of course, when creating cryptographic key material you really shouldn't use RANDOM_ALLOW_DRDRAND
164 : : * or even RANDOM_EXTEND_WITH_PSEUDO.
165 : : *
166 : : * When generating UUIDs it's fine to use RANDOM_ALLOW_RDRAND but not OK to use
167 : : * RANDOM_EXTEND_WITH_PSEUDO. In fact RANDOM_EXTEND_WITH_PSEUDO is only really fine when invoked via
168 : : * an "all bets are off" wrapper, such as random_bytes(), see below. */
169 : :
170 [ - + ]: 38025 : if (n == 0)
171 : 0 : return 0;
172 : :
173 [ + + ]: 38025 : if (FLAGS_SET(flags, RANDOM_ALLOW_RDRAND))
174 : : /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is
175 : : * not required, as we don't trust it (who does?). Note that we only do a single iteration of
176 : : * RDRAND here, even though the Intel docs suggest calling this in a tight loop of 10
177 : : * invocations or so. That's because we don't really care about the quality here. We
178 : : * generally prefer using RDRAND if the caller allows us to, since this way we won't upset
179 : : * the kernel's random subsystem by accessing it before the pool is initialized (after all it
180 : : * will kmsg log about every attempt to do so)..*/
181 : 1464729 : for (;;) {
182 : : unsigned long u;
183 : : size_t m;
184 : :
185 [ - + ]: 1502562 : if (rdrand(&u) < 0) {
186 [ # # # # ]: 0 : if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
187 : : /* Fill in the remaining bytes using pseudo-random values */
188 : 0 : pseudo_random_bytes(p, n);
189 : 37833 : return 0;
190 : : }
191 : :
192 : : /* OK, this didn't work, let's go to getrandom() + /dev/urandom instead */
193 : 0 : break;
194 : : }
195 : :
196 : 1502562 : m = MIN(sizeof(u), n);
197 : 1502562 : memcpy(p, &u, m);
198 : :
199 : 1502562 : p = (uint8_t*) p + m;
200 : 1502562 : n -= m;
201 : :
202 [ + + ]: 1502562 : if (n == 0)
203 : 37833 : return 0; /* Yay, success! */
204 : :
205 : 1464729 : got_some = true;
206 : : }
207 : :
208 : : /* Use the getrandom() syscall unless we know we don't have it. */
209 [ + - ]: 192 : if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) {
210 : :
211 : : for (;;) {
212 : 192 : r = getrandom(p, n, FLAGS_SET(flags, RANDOM_BLOCK) ? 0 : GRND_NONBLOCK);
213 [ + - ]: 192 : if (r > 0) {
214 : 192 : have_syscall = true;
215 : :
216 [ + - ]: 192 : if ((size_t) r == n)
217 : 192 : return 0; /* Yay, success! */
218 : :
219 [ # # ]: 0 : assert((size_t) r < n);
220 : 0 : p = (uint8_t*) p + r;
221 : 0 : n -= r;
222 : :
223 [ # # ]: 0 : if (FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
224 : : /* Fill in the remaining bytes using pseudo-random values */
225 : 0 : pseudo_random_bytes(p, n);
226 : 0 : return 0;
227 : : }
228 : :
229 : 0 : got_some = true;
230 : :
231 : : /* Hmm, we didn't get enough good data but the caller insists on good data? Then try again */
232 [ # # ]: 0 : if (FLAGS_SET(flags, RANDOM_BLOCK))
233 : 0 : continue;
234 : :
235 : : /* Fill in the rest with /dev/urandom */
236 : 0 : break;
237 : :
238 [ # # ]: 0 : } else if (r == 0) {
239 : 0 : have_syscall = true;
240 : 0 : return -EIO;
241 : :
242 [ # # ]: 0 : } else if (errno == ENOSYS) {
243 : : /* We lack the syscall, continue with reading from /dev/urandom. */
244 : 0 : have_syscall = false;
245 : 0 : break;
246 : :
247 [ # # ]: 0 : } else if (errno == EAGAIN) {
248 : : /* The kernel has no entropy whatsoever. Let's remember to use the syscall
249 : : * the next time again though.
250 : : *
251 : : * If RANDOM_MAY_FAIL is set, return an error so that random_bytes() can
252 : : * produce some pseudo-random bytes instead. Otherwise, fall back to
253 : : * /dev/urandom, which we know is empty, but the kernel will produce some
254 : : * bytes for us on a best-effort basis. */
255 : 0 : have_syscall = true;
256 : :
257 [ # # # # ]: 0 : if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
258 : : /* Fill in the remaining bytes using pseudorandom values */
259 : 0 : pseudo_random_bytes(p, n);
260 : 0 : return 0;
261 : : }
262 : :
263 [ # # ]: 0 : if (FLAGS_SET(flags, RANDOM_MAY_FAIL))
264 : 0 : return -ENODATA;
265 : :
266 : : /* Use /dev/urandom instead */
267 : 0 : break;
268 : : } else
269 : 0 : return -errno;
270 : : }
271 : : }
272 : :
273 : 0 : fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
274 [ # # ]: 0 : if (fd < 0)
275 [ # # ]: 0 : return errno == ENOENT ? -ENOSYS : -errno;
276 : :
277 : 0 : return loop_read_exact(fd, p, n, true);
278 : : }
279 : :
280 : 73 : void initialize_srand(void) {
281 : : static bool srand_called = false;
282 : : unsigned x;
283 : : #if HAVE_SYS_AUXV_H
284 : : const void *auxv;
285 : : #endif
286 : : unsigned long k;
287 : :
288 [ + + ]: 73 : if (srand_called)
289 : 65 : return;
290 : :
291 : : #if HAVE_SYS_AUXV_H
292 : : /* The kernel provides us with 16 bytes of entropy in auxv, so let's try to make use of that to seed
293 : : * the pseudo-random generator. It's better than nothing... But let's first hash it to make it harder
294 : : * to recover the original value by watching any pseudo-random bits we generate. After all the
295 : : * AT_RANDOM data might be used by other stuff too (in particular: ASLR), and we probably shouldn't
296 : : * leak the seed for that. */
297 : :
298 : 8 : auxv = ULONG_TO_PTR(getauxval(AT_RANDOM));
299 [ + - ]: 8 : if (auxv) {
300 : : static const uint8_t auxval_hash_key[16] = {
301 : : 0x92, 0x6e, 0xfe, 0x1b, 0xcf, 0x00, 0x52, 0x9c, 0xcc, 0x42, 0xcf, 0xdc, 0x94, 0x1f, 0x81, 0x0f
302 : : };
303 : :
304 : 8 : x = (unsigned) siphash24(auxv, 16, auxval_hash_key);
305 : : } else
306 : : #endif
307 : 0 : x = 0;
308 : :
309 : 8 : x ^= (unsigned) now(CLOCK_REALTIME);
310 : 8 : x ^= (unsigned) gettid();
311 : :
312 [ + - ]: 8 : if (rdrand(&k) >= 0)
313 : 8 : x ^= (unsigned) k;
314 : :
315 : 8 : srand(x);
316 : 8 : srand_called = true;
317 : : }
318 : :
319 : : /* INT_MAX gives us only 31 bits, so use 24 out of that. */
320 : : #if RAND_MAX >= INT_MAX
321 : : # define RAND_STEP 3
322 : : #else
323 : : /* SHORT_INT_MAX or lower gives at most 15 bits, we just just 8 out of that. */
324 : : # define RAND_STEP 1
325 : : #endif
326 : :
327 : 73 : void pseudo_random_bytes(void *p, size_t n) {
328 : : uint8_t *q;
329 : :
330 : : /* This returns pseudo-random data using libc's rand() function. You probably never want to call this
331 : : * directly, because why would you use this if you can get better stuff cheaply? Use random_bytes()
332 : : * instead, see below: it will fall back to this function if there's nothing better to get, but only
333 : : * then. */
334 : :
335 : 73 : initialize_srand();
336 : :
337 [ + + ]: 279 : for (q = p; q < (uint8_t*) p + n; q += RAND_STEP) {
338 : : unsigned rr;
339 : :
340 : 206 : rr = (unsigned) rand();
341 : :
342 : : #if RAND_STEP >= 3
343 [ + + ]: 206 : if ((size_t) (q - (uint8_t*) p + 2) < n)
344 : 153 : q[2] = rr >> 16;
345 : : #endif
346 : : #if RAND_STEP >= 2
347 [ + + ]: 206 : if ((size_t) (q - (uint8_t*) p + 1) < n)
348 : 173 : q[1] = rr >> 8;
349 : : #endif
350 : 206 : q[0] = rr;
351 : : }
352 : 73 : }
353 : :
354 : 31585 : void random_bytes(void *p, size_t n) {
355 : :
356 : : /* This returns high quality randomness if we can get it cheaply. If we can't because for some reason
357 : : * it is not available we'll try some crappy fallbacks.
358 : : *
359 : : * What this function will do:
360 : : *
361 : : * • This function will preferably use the CPU's RDRAND operation, if it is available, in
362 : : * order to return "mid-quality" random values cheaply.
363 : : *
364 : : * • Use getrandom() with GRND_NONBLOCK, to return high-quality random values if they are
365 : : * cheaply available.
366 : : *
367 : : * • This function will return pseudo-random data, generated via libc rand() if nothing
368 : : * better is available.
369 : : *
370 : : * • This function will work fine in early boot
371 : : *
372 : : * • This function will always succeed
373 : : *
374 : : * What this function won't do:
375 : : *
376 : : * • This function will never fail: it will give you randomness no matter what. It might not
377 : : * be high quality, but it will return some, possibly generated via libc's rand() call.
378 : : *
379 : : * • This function will never block: if the only way to get good randomness is a blocking,
380 : : * synchronous getrandom() we'll instead provide you with pseudo-random data.
381 : : *
382 : : * This function is hence great for things like seeding hash tables, generating random numeric UNIX
383 : : * user IDs (that are checked for collisions before use) and such.
384 : : *
385 : : * This function is hence not useful for generating UUIDs or cryptographic key material.
386 : : */
387 : :
388 [ + - ]: 31585 : if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_MAY_FAIL|RANDOM_ALLOW_RDRAND) >= 0)
389 : 31585 : return;
390 : :
391 : : /* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */
392 : 0 : pseudo_random_bytes(p, n);
393 : : }
394 : :
395 : 0 : size_t random_pool_size(void) {
396 : 0 : _cleanup_free_ char *s = NULL;
397 : : int r;
398 : :
399 : : /* Read pool size, if possible */
400 : 0 : r = read_one_line_file("/proc/sys/kernel/random/poolsize", &s);
401 [ # # ]: 0 : if (r < 0)
402 [ # # ]: 0 : log_debug_errno(r, "Failed to read pool size from kernel: %m");
403 : : else {
404 : : unsigned sz;
405 : :
406 : 0 : r = safe_atou(s, &sz);
407 [ # # ]: 0 : if (r < 0)
408 [ # # ]: 0 : log_debug_errno(r, "Failed to parse pool size: %s", s);
409 : : else
410 : : /* poolsize is in bits on 2.6, but we want bytes */
411 [ # # ]: 0 : return CLAMP(sz / 8, RANDOM_POOL_SIZE_MIN, RANDOM_POOL_SIZE_MAX);
412 : : }
413 : :
414 : : /* Use the minimum as default, if we can't retrieve the correct value */
415 : 0 : return RANDOM_POOL_SIZE_MIN;
416 : : }
|
