Source file src/pkg/crypto/rand/rand_unix.go
1 // Copyright 2010 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // +build darwin freebsd linux netbsd openbsd 6 7 // Unix cryptographically secure pseudorandom number 8 // generator. 9 10 package rand 11 12 import ( 13 "bufio" 14 "crypto/aes" 15 "crypto/cipher" 16 "io" 17 "os" 18 "sync" 19 "time" 20 ) 21 22 // Easy implementation: read from /dev/urandom. 23 // This is sufficient on Linux, OS X, and FreeBSD. 24 25 func init() { Reader = &devReader{name: "/dev/urandom"} } 26 27 // A devReader satisfies reads by reading the file named name. 28 type devReader struct { 29 name string 30 f io.Reader 31 mu sync.Mutex 32 } 33 34 func (r *devReader) Read(b []byte) (n int, err error) { 35 r.mu.Lock() 36 defer r.mu.Unlock() 37 if r.f == nil { 38 f, err := os.Open(r.name) 39 if f == nil { 40 return 0, err 41 } 42 r.f = bufio.NewReader(f) 43 } 44 return r.f.Read(b) 45 } 46 47 // Alternate pseudo-random implementation for use on 48 // systems without a reliable /dev/urandom. So far we 49 // haven't needed it. 50 51 // newReader returns a new pseudorandom generator that 52 // seeds itself by reading from entropy. If entropy == nil, 53 // the generator seeds itself by reading from the system's 54 // random number generator, typically /dev/random. 55 // The Read method on the returned reader always returns 56 // the full amount asked for, or else it returns an error. 57 // 58 // The generator uses the X9.31 algorithm with AES-128, 59 // reseeding after every 1 MB of generated data. 60 func newReader(entropy io.Reader) io.Reader { 61 if entropy == nil { 62 entropy = &devReader{name: "/dev/random"} 63 } 64 return &reader{entropy: entropy} 65 } 66 67 type reader struct { 68 mu sync.Mutex 69 budget int // number of bytes that can be generated 70 cipher cipher.Block 71 entropy io.Reader 72 time, seed, dst, key [aes.BlockSize]byte 73 } 74 75 func (r *reader) Read(b []byte) (n int, err error) { 76 r.mu.Lock() 77 defer r.mu.Unlock() 78 n = len(b) 79 80 for len(b) > 0 { 81 if r.budget == 0 { 82 _, err := io.ReadFull(r.entropy, r.seed[0:]) 83 if err != nil { 84 return n - len(b), err 85 } 86 _, err = io.ReadFull(r.entropy, r.key[0:]) 87 if err != nil { 88 return n - len(b), err 89 } 90 r.cipher, err = aes.NewCipher(r.key[0:]) 91 if err != nil { 92 return n - len(b), err 93 } 94 r.budget = 1 << 20 // reseed after generating 1MB 95 } 96 r.budget -= aes.BlockSize 97 98 // ANSI X9.31 (== X9.17) algorithm, but using AES in place of 3DES. 99 // 100 // single block: 101 // t = encrypt(time) 102 // dst = encrypt(t^seed) 103 // seed = encrypt(t^dst) 104 ns := time.Now().UnixNano() 105 r.time[0] = byte(ns >> 56) 106 r.time[1] = byte(ns >> 48) 107 r.time[2] = byte(ns >> 40) 108 r.time[3] = byte(ns >> 32) 109 r.time[4] = byte(ns >> 24) 110 r.time[5] = byte(ns >> 16) 111 r.time[6] = byte(ns >> 8) 112 r.time[7] = byte(ns) 113 r.cipher.Encrypt(r.time[0:], r.time[0:]) 114 for i := 0; i < aes.BlockSize; i++ { 115 r.dst[i] = r.time[i] ^ r.seed[i] 116 } 117 r.cipher.Encrypt(r.dst[0:], r.dst[0:]) 118 for i := 0; i < aes.BlockSize; i++ { 119 r.seed[i] = r.time[i] ^ r.dst[i] 120 } 121 r.cipher.Encrypt(r.seed[0:], r.seed[0:]) 122 123 m := copy(b, r.dst[0:]) 124 b = b[m:] 125 } 126 127 return n, nil 128 }