github.com/roboticscm/goman@v0.0.0-20210203095141-87c07b4a0a55/src/crypto/rand/rand_unix.go (about) 1 // Copyright 2010 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // +build darwin dragonfly freebsd linux nacl netbsd openbsd plan9 solaris 6 7 // Unix cryptographically secure pseudorandom number 8 // generator. 9 10 package rand 11 12 import ( 13 "bufio" 14 "crypto/aes" 15 "crypto/cipher" 16 "io" 17 "os" 18 "runtime" 19 "sync" 20 "time" 21 ) 22 23 const urandomDevice = "/dev/urandom" 24 25 // Easy implementation: read from /dev/urandom. 26 // This is sufficient on Linux, OS X, and FreeBSD. 27 28 func init() { 29 if runtime.GOOS == "plan9" { 30 Reader = newReader(nil) 31 } else { 32 Reader = &devReader{name: urandomDevice} 33 } 34 } 35 36 // A devReader satisfies reads by reading the file named name. 37 type devReader struct { 38 name string 39 f io.Reader 40 mu sync.Mutex 41 } 42 43 // altGetRandom if non-nil specifies an OS-specific function to get 44 // urandom-style randomness. 45 var altGetRandom func([]byte) (ok bool) 46 47 func (r *devReader) Read(b []byte) (n int, err error) { 48 if altGetRandom != nil && r.name == urandomDevice && altGetRandom(b) { 49 return len(b), nil 50 } 51 r.mu.Lock() 52 defer r.mu.Unlock() 53 if r.f == nil { 54 f, err := os.Open(r.name) 55 if f == nil { 56 return 0, err 57 } 58 if runtime.GOOS == "plan9" { 59 r.f = f 60 } else { 61 r.f = bufio.NewReader(f) 62 } 63 } 64 return r.f.Read(b) 65 } 66 67 // Alternate pseudo-random implementation for use on 68 // systems without a reliable /dev/urandom. 69 70 // newReader returns a new pseudorandom generator that 71 // seeds itself by reading from entropy. If entropy == nil, 72 // the generator seeds itself by reading from the system's 73 // random number generator, typically /dev/random. 74 // The Read method on the returned reader always returns 75 // the full amount asked for, or else it returns an error. 76 // 77 // The generator uses the X9.31 algorithm with AES-128, 78 // reseeding after every 1 MB of generated data. 79 func newReader(entropy io.Reader) io.Reader { 80 if entropy == nil { 81 entropy = &devReader{name: "/dev/random"} 82 } 83 return &reader{entropy: entropy} 84 } 85 86 type reader struct { 87 mu sync.Mutex 88 budget int // number of bytes that can be generated 89 cipher cipher.Block 90 entropy io.Reader 91 time, seed, dst, key [aes.BlockSize]byte 92 } 93 94 func (r *reader) Read(b []byte) (n int, err error) { 95 r.mu.Lock() 96 defer r.mu.Unlock() 97 n = len(b) 98 99 for len(b) > 0 { 100 if r.budget == 0 { 101 _, err := io.ReadFull(r.entropy, r.seed[0:]) 102 if err != nil { 103 return n - len(b), err 104 } 105 _, err = io.ReadFull(r.entropy, r.key[0:]) 106 if err != nil { 107 return n - len(b), err 108 } 109 r.cipher, err = aes.NewCipher(r.key[0:]) 110 if err != nil { 111 return n - len(b), err 112 } 113 r.budget = 1 << 20 // reseed after generating 1MB 114 } 115 r.budget -= aes.BlockSize 116 117 // ANSI X9.31 (== X9.17) algorithm, but using AES in place of 3DES. 118 // 119 // single block: 120 // t = encrypt(time) 121 // dst = encrypt(t^seed) 122 // seed = encrypt(t^dst) 123 ns := time.Now().UnixNano() 124 r.time[0] = byte(ns >> 56) 125 r.time[1] = byte(ns >> 48) 126 r.time[2] = byte(ns >> 40) 127 r.time[3] = byte(ns >> 32) 128 r.time[4] = byte(ns >> 24) 129 r.time[5] = byte(ns >> 16) 130 r.time[6] = byte(ns >> 8) 131 r.time[7] = byte(ns) 132 r.cipher.Encrypt(r.time[0:], r.time[0:]) 133 for i := 0; i < aes.BlockSize; i++ { 134 r.dst[i] = r.time[i] ^ r.seed[i] 135 } 136 r.cipher.Encrypt(r.dst[0:], r.dst[0:]) 137 for i := 0; i < aes.BlockSize; i++ { 138 r.seed[i] = r.time[i] ^ r.dst[i] 139 } 140 r.cipher.Encrypt(r.seed[0:], r.seed[0:]) 141 142 m := copy(b, r.dst[0:]) 143 b = b[m:] 144 } 145 146 return n, nil 147 }