embedded-5_0-branch/libgo/go/crypto/rand/rand_unix.go

   1 // Copyright 2010 The Go Authors.  All rights reserved.
   2 // Use of this source code is governed by a BSD-style
   3 // license that can be found in the LICENSE file.
   4
   5 // +build darwin dragonfly freebsd linux nacl netbsd openbsd plan9 solaris
   6
   7 // Unix cryptographically secure pseudorandom number
   8 // generator.
   9
  10 package rand
  11
  12 import (
  13         "bufio"
  14         "crypto/aes"
  15         "crypto/cipher"
  16         "io"
  17         "os"
  18         "runtime"
  19         "sync"
  20         "time"
  21 )
  22
  23 const urandomDevice = "/dev/urandom"
  24
  25 // Easy implementation: read from /dev/urandom.
  26 // This is sufficient on Linux, OS X, and FreeBSD.
  27
  28 func init() {
  29         if runtime.GOOS == "plan9" {
  30                 Reader = newReader(nil)
  31         } else {
  32                 Reader = &devReader{name: urandomDevice}
  33         }
  34 }
  35
  36 // A devReader satisfies reads by reading the file named name.
  37 type devReader struct {
  38         name string
  39         f    io.Reader
  40         mu   sync.Mutex
  41 }
  42
  43 // altGetRandom if non-nil specifies an OS-specific function to get
  44 // urandom-style randomness.
  45 var altGetRandom func([]byte) (ok bool)
  46
  47 func (r *devReader) Read(b []byte) (n int, err error) {
  48         if altGetRandom != nil && r.name == urandomDevice && altGetRandom(b) {
  49                 return len(b), nil
  50         }
  51         r.mu.Lock()
  52         defer r.mu.Unlock()
  53         if r.f == nil {
  54                 f, err := os.Open(r.name)
  55                 if f == nil {
  56                         return 0, err
  57                 }
  58                 if runtime.GOOS == "plan9" {
  59                         r.f = f
  60                 } else {
  61                         r.f = bufio.NewReader(f)
  62                 }
  63         }
  64         return r.f.Read(b)
  65 }
  66
  67 // Alternate pseudo-random implementation for use on
  68 // systems without a reliable /dev/urandom.
  69
  70 // newReader returns a new pseudorandom generator that
  71 // seeds itself by reading from entropy.  If entropy == nil,
  72 // the generator seeds itself by reading from the system's
  73 // random number generator, typically /dev/random.
  74 // The Read method on the returned reader always returns
  75 // the full amount asked for, or else it returns an error.
  76 //
  77 // The generator uses the X9.31 algorithm with AES-128,
  78 // reseeding after every 1 MB of generated data.
  79 func newReader(entropy io.Reader) io.Reader {
  80         if entropy == nil {
  81                 entropy = &devReader{name: "/dev/random"}
  82         }
  83         return &reader{entropy: entropy}
  84 }
  85
  86 type reader struct {
  87         mu                   sync.Mutex
  88         budget               int // number of bytes that can be generated
  89         cipher               cipher.Block
  90         entropy              io.Reader
  91         time, seed, dst, key [aes.BlockSize]byte
  92 }
  93
  94 func (r *reader) Read(b []byte) (n int, err error) {
  95         r.mu.Lock()
  96         defer r.mu.Unlock()
  97         n = len(b)
  98
  99         for len(b) > 0 {
 100                 if r.budget == 0 {
 101                         _, err := io.ReadFull(r.entropy, r.seed[0:])
 102                         if err != nil {
 103                                 return n - len(b), err
 104                         }
 105                         _, err = io.ReadFull(r.entropy, r.key[0:])
 106                         if err != nil {
 107                                 return n - len(b), err
 108                         }
 109                         r.cipher, err = aes.NewCipher(r.key[0:])
 110                         if err != nil {
 111                                 return n - len(b), err
 112                         }
 113                         r.budget = 1 << 20 // reseed after generating 1MB
 114                 }
 115                 r.budget -= aes.BlockSize
 116
 117                 // ANSI X9.31 (== X9.17) algorithm, but using AES in place of 3DES.
 118                 //
 119                 // single block:
 120                 // t = encrypt(time)
 121                 // dst = encrypt(t^seed)
 122                 // seed = encrypt(t^dst)
 123                 ns := time.Now().UnixNano()
 124                 r.time[0] = byte(ns >> 56)
 125                 r.time[1] = byte(ns >> 48)
 126                 r.time[2] = byte(ns >> 40)
 127                 r.time[3] = byte(ns >> 32)
 128                 r.time[4] = byte(ns >> 24)
 129                 r.time[5] = byte(ns >> 16)
 130                 r.time[6] = byte(ns >> 8)
 131                 r.time[7] = byte(ns)
 132                 r.cipher.Encrypt(r.time[0:], r.time[0:])
 133                 for i := 0; i < aes.BlockSize; i++ {
 134                         r.dst[i] = r.time[i] ^ r.seed[i]
 135                 }
 136                 r.cipher.Encrypt(r.dst[0:], r.dst[0:])
 137                 for i := 0; i < aes.BlockSize; i++ {
 138                         r.seed[i] = r.time[i] ^ r.dst[i]
 139                 }
 140                 r.cipher.Encrypt(r.seed[0:], r.seed[0:])
 141
 142                 m := copy(b, r.dst[0:])
 143                 b = b[m:]
 144         }
 145
 146         return n, nil
 147 }