Source file src/pkg/crypto/rand/rand_unix.go
1 // Copyright 2010 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4
5 // +build darwin freebsd linux netbsd openbsd
6
7 // Unix cryptographically secure pseudorandom number
8 // generator.
9
10 package rand
11
12 import (
13 "bufio"
14 "crypto/aes"
15 "crypto/cipher"
16 "io"
17 "os"
18 "sync"
19 "time"
20 )
21
22 // Easy implementation: read from /dev/urandom.
23 // This is sufficient on Linux, OS X, and FreeBSD.
24
25 func init() { Reader = &devReader{name: "/dev/urandom"} }
26
27 // A devReader satisfies reads by reading the file named name.
28 type devReader struct {
29 name string
30 f io.Reader
31 mu sync.Mutex
32 }
33
34 func (r *devReader) Read(b []byte) (n int, err error) {
35 r.mu.Lock()
36 defer r.mu.Unlock()
37 if r.f == nil {
38 f, err := os.Open(r.name)
39 if f == nil {
40 return 0, err
41 }
42 r.f = bufio.NewReader(f)
43 }
44 return r.f.Read(b)
45 }
46
47 // Alternate pseudo-random implementation for use on
48 // systems without a reliable /dev/urandom. So far we
49 // haven't needed it.
50
51 // newReader returns a new pseudorandom generator that
52 // seeds itself by reading from entropy. If entropy == nil,
53 // the generator seeds itself by reading from the system's
54 // random number generator, typically /dev/random.
55 // The Read method on the returned reader always returns
56 // the full amount asked for, or else it returns an error.
57 //
58 // The generator uses the X9.31 algorithm with AES-128,
59 // reseeding after every 1 MB of generated data.
60 func newReader(entropy io.Reader) io.Reader {
61 if entropy == nil {
62 entropy = &devReader{name: "/dev/random"}
63 }
64 return &reader{entropy: entropy}
65 }
66
67 type reader struct {
68 mu sync.Mutex
69 budget int // number of bytes that can be generated
70 cipher cipher.Block
71 entropy io.Reader
72 time, seed, dst, key [aes.BlockSize]byte
73 }
74
75 func (r *reader) Read(b []byte) (n int, err error) {
76 r.mu.Lock()
77 defer r.mu.Unlock()
78 n = len(b)
79
80 for len(b) > 0 {
81 if r.budget == 0 {
82 _, err := io.ReadFull(r.entropy, r.seed[0:])
83 if err != nil {
84 return n - len(b), err
85 }
86 _, err = io.ReadFull(r.entropy, r.key[0:])
87 if err != nil {
88 return n - len(b), err
89 }
90 r.cipher, err = aes.NewCipher(r.key[0:])
91 if err != nil {
92 return n - len(b), err
93 }
94 r.budget = 1 << 20 // reseed after generating 1MB
95 }
96 r.budget -= aes.BlockSize
97
98 // ANSI X9.31 (== X9.17) algorithm, but using AES in place of 3DES.
99 //
100 // single block:
101 // t = encrypt(time)
102 // dst = encrypt(t^seed)
103 // seed = encrypt(t^dst)
104 ns := time.Now().UnixNano()
105 r.time[0] = byte(ns >> 56)
106 r.time[1] = byte(ns >> 48)
107 r.time[2] = byte(ns >> 40)
108 r.time[3] = byte(ns >> 32)
109 r.time[4] = byte(ns >> 24)
110 r.time[5] = byte(ns >> 16)
111 r.time[6] = byte(ns >> 8)
112 r.time[7] = byte(ns)
113 r.cipher.Encrypt(r.time[0:], r.time[0:])
114 for i := 0; i < aes.BlockSize; i++ {
115 r.dst[i] = r.time[i] ^ r.seed[i]
116 }
117 r.cipher.Encrypt(r.dst[0:], r.dst[0:])
118 for i := 0; i < aes.BlockSize; i++ {
119 r.seed[i] = r.time[i] ^ r.dst[i]
120 }
121 r.cipher.Encrypt(r.seed[0:], r.seed[0:])
122
123 m := copy(b, r.dst[0:])
124 b = b[m:]
125 }
126
127 return n, nil
128 }