1 // Copyright 2010 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // +build darwin freebsd linux openbsd
7 // Unix cryptographically secure pseudorandom number
21 // Easy implementation: read from /dev/urandom.
22 // This is sufficient on Linux, OS X, and FreeBSD.
24 func init() { Reader = &devReader{name: "/dev/urandom"} }
26 // A devReader satisfies reads by reading the file named name.
27 type devReader struct {
33 func (r *devReader) Read(b []byte) (n int, err error) {
37 f, err := os.Open(r.name)
41 r.f = bufio.NewReader(f)
46 // Alternate pseudo-random implementation for use on
47 // systems without a reliable /dev/urandom. So far we
50 // newReader returns a new pseudorandom generator that
51 // seeds itself by reading from entropy. If entropy == nil,
52 // the generator seeds itself by reading from the system's
53 // random number generator, typically /dev/random.
54 // The Read method on the returned reader always returns
55 // the full amount asked for, or else it returns an error.
57 // The generator uses the X9.31 algorithm with AES-128,
58 // reseeding after every 1 MB of generated data.
59 func newReader(entropy io.Reader) io.Reader {
61 entropy = &devReader{name: "/dev/random"}
63 return &reader{entropy: entropy}
68 budget int // number of bytes that can be generated
71 time, seed, dst, key [aes.BlockSize]byte
74 func (r *reader) Read(b []byte) (n int, err error) {
81 _, err := io.ReadFull(r.entropy, r.seed[0:])
83 return n - len(b), err
85 _, err = io.ReadFull(r.entropy, r.key[0:])
87 return n - len(b), err
89 r.cipher, err = aes.NewCipher(r.key[0:])
91 return n - len(b), err
93 r.budget = 1 << 20 // reseed after generating 1MB
95 r.budget -= aes.BlockSize
97 // ANSI X9.31 (== X9.17) algorithm, but using AES in place of 3DES.
101 // dst = encrypt(t^seed)
102 // seed = encrypt(t^dst)
103 ns := time.Nanoseconds()
104 r.time[0] = byte(ns >> 56)
105 r.time[1] = byte(ns >> 48)
106 r.time[2] = byte(ns >> 40)
107 r.time[3] = byte(ns >> 32)
108 r.time[4] = byte(ns >> 24)
109 r.time[5] = byte(ns >> 16)
110 r.time[6] = byte(ns >> 8)
112 r.cipher.Encrypt(r.time[0:], r.time[0:])
113 for i := 0; i < aes.BlockSize; i++ {
114 r.dst[i] = r.time[i] ^ r.seed[i]
116 r.cipher.Encrypt(r.dst[0:], r.dst[0:])
117 for i := 0; i < aes.BlockSize; i++ {
118 r.seed[i] = r.time[i] ^ r.dst[i]
120 r.cipher.Encrypt(r.seed[0:], r.seed[0:])
122 m := copy(b, r.dst[0:])