github.com/mattn/go@v0.0.0-20171011075504-07f7db3ea99f/src/crypto/rand/rand_unix.go (about)

     1  // Copyright 2010 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // +build darwin dragonfly freebsd linux nacl netbsd openbsd plan9 solaris
     6  
     7  // Unix cryptographically secure pseudorandom number
     8  // generator.
     9  
    10  package rand
    11  
    12  import (
    13  	"bufio"
    14  	"crypto/aes"
    15  	"crypto/cipher"
    16  	"io"
    17  	"os"
    18  	"runtime"
    19  	"sync"
    20  	"time"
    21  )
    22  
    23  const urandomDevice = "/dev/urandom"
    24  
    25  // Easy implementation: read from /dev/urandom.
    26  // This is sufficient on Linux, OS X, and FreeBSD.
    27  
    28  func init() {
    29  	if runtime.GOOS == "plan9" {
    30  		Reader = newReader(nil)
    31  	} else {
    32  		Reader = &devReader{name: urandomDevice}
    33  	}
    34  }
    35  
    36  // A devReader satisfies reads by reading the file named name.
    37  type devReader struct {
    38  	name string
    39  	f    io.Reader
    40  	mu   sync.Mutex
    41  }
    42  
    43  // altGetRandom if non-nil specifies an OS-specific function to get
    44  // urandom-style randomness.
    45  var altGetRandom func([]byte) (ok bool)
    46  
    47  func (r *devReader) Read(b []byte) (n int, err error) {
    48  	if altGetRandom != nil && r.name == urandomDevice && altGetRandom(b) {
    49  		return len(b), nil
    50  	}
    51  	r.mu.Lock()
    52  	defer r.mu.Unlock()
    53  	if r.f == nil {
    54  		f, err := os.Open(r.name)
    55  		if f == nil {
    56  			return 0, err
    57  		}
    58  		if runtime.GOOS == "plan9" {
    59  			r.f = f
    60  		} else {
    61  			r.f = bufio.NewReader(hideAgainReader{f})
    62  		}
    63  	}
    64  	return r.f.Read(b)
    65  }
    66  
    67  var isEAGAIN func(error) bool // set by eagain.go on unix systems
    68  
    69  // hideAgainReader masks EAGAIN reads from /dev/urandom.
    70  // See golang.org/issue/9205
    71  type hideAgainReader struct {
    72  	r io.Reader
    73  }
    74  
    75  func (hr hideAgainReader) Read(p []byte) (n int, err error) {
    76  	n, err = hr.r.Read(p)
    77  	if err != nil && isEAGAIN != nil && isEAGAIN(err) {
    78  		err = nil
    79  	}
    80  	return
    81  }
    82  
    83  // Alternate pseudo-random implementation for use on
    84  // systems without a reliable /dev/urandom.
    85  
    86  // newReader returns a new pseudorandom generator that
    87  // seeds itself by reading from entropy. If entropy == nil,
    88  // the generator seeds itself by reading from the system's
    89  // random number generator, typically /dev/random.
    90  // The Read method on the returned reader always returns
    91  // the full amount asked for, or else it returns an error.
    92  //
    93  // The generator uses the X9.31 algorithm with AES-128,
    94  // reseeding after every 1 MB of generated data.
    95  func newReader(entropy io.Reader) io.Reader {
    96  	if entropy == nil {
    97  		entropy = &devReader{name: "/dev/random"}
    98  	}
    99  	return &reader{entropy: entropy}
   100  }
   101  
   102  type reader struct {
   103  	mu                   sync.Mutex
   104  	budget               int // number of bytes that can be generated
   105  	cipher               cipher.Block
   106  	entropy              io.Reader
   107  	time, seed, dst, key [aes.BlockSize]byte
   108  }
   109  
   110  func (r *reader) Read(b []byte) (n int, err error) {
   111  	r.mu.Lock()
   112  	defer r.mu.Unlock()
   113  	n = len(b)
   114  
   115  	for len(b) > 0 {
   116  		if r.budget == 0 {
   117  			_, err := io.ReadFull(r.entropy, r.seed[0:])
   118  			if err != nil {
   119  				return n - len(b), err
   120  			}
   121  			_, err = io.ReadFull(r.entropy, r.key[0:])
   122  			if err != nil {
   123  				return n - len(b), err
   124  			}
   125  			r.cipher, err = aes.NewCipher(r.key[0:])
   126  			if err != nil {
   127  				return n - len(b), err
   128  			}
   129  			r.budget = 1 << 20 // reseed after generating 1MB
   130  		}
   131  		r.budget -= aes.BlockSize
   132  
   133  		// ANSI X9.31 (== X9.17) algorithm, but using AES in place of 3DES.
   134  		//
   135  		// single block:
   136  		// t = encrypt(time)
   137  		// dst = encrypt(t^seed)
   138  		// seed = encrypt(t^dst)
   139  		ns := time.Now().UnixNano()
   140  		r.time[0] = byte(ns >> 56)
   141  		r.time[1] = byte(ns >> 48)
   142  		r.time[2] = byte(ns >> 40)
   143  		r.time[3] = byte(ns >> 32)
   144  		r.time[4] = byte(ns >> 24)
   145  		r.time[5] = byte(ns >> 16)
   146  		r.time[6] = byte(ns >> 8)
   147  		r.time[7] = byte(ns)
   148  		r.cipher.Encrypt(r.time[0:], r.time[0:])
   149  		for i := 0; i < aes.BlockSize; i++ {
   150  			r.dst[i] = r.time[i] ^ r.seed[i]
   151  		}
   152  		r.cipher.Encrypt(r.dst[0:], r.dst[0:])
   153  		for i := 0; i < aes.BlockSize; i++ {
   154  			r.seed[i] = r.time[i] ^ r.dst[i]
   155  		}
   156  		r.cipher.Encrypt(r.seed[0:], r.seed[0:])
   157  
   158  		m := copy(b, r.dst[0:])
   159  		b = b[m:]
   160  	}
   161  
   162  	return n, nil
   163  }