//! OS entropy source via `/dev/urandom`.
use std::fs::File;
use std::io::Read;
// `Rng` is the harness's own source trait; its path is assumed to be the crate root.
use crate::Rng;

/// Reads from `/dev/urandom`, the platform CSPRNG on macOS/Linux.
///
/// This should **pass** every test in the suite with high probability.
/// On macOS, `/dev/urandom` and `/dev/random` are both backed by the same
/// Fortuna-based CSPRNG since macOS 10.12.
///
/// # Early-boot entropy warning
/// `/dev/urandom` on Linux does **not** block if the kernel entropy pool is
/// not yet fully initialized (e.g., early in the boot sequence or inside a
/// container/VM with limited entropy sources). Reading before the pool is
/// seeded can return low-quality output; this is the failure mode documented
/// in Hughes (2021) "BADRANDOM", where TLS servers starting before sufficient
/// entropy was available produced predictable key material. On Linux 3.17+
/// the `getrandom(2)` syscall (with `flags` set to `0`) blocks until the pool
/// is initialized and is preferable for cryptographic seeding; `GRND_RANDOM`
/// is not needed for that guarantee and, on kernels before 5.6, may block
/// waiting for the `/dev/random` entropy estimate to refill. macOS's
/// `/dev/urandom` blocks at boot until the CSPRNG is seeded, so on macOS the
/// concern is confined to very early boot.
///
/// For this test harness running on a fully-booted system, `/dev/urandom` is
/// fine. In production, use `getrandom(2)` or a platform API that guarantees
/// the entropy pool is initialized before returning.
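As an added example (not the project's own code, and not its `Rng` trait), a std-only Rust reader for `/dev/urandom` together with a byte-histogram entropy smoke check of the kind such a harness runs: `read_exact` makes sure a short read is never scored as random data, and the check rejects constant or short-period output outright. `UrandomSource`, `entropy_bits_per_byte` and `smoke_check` are names chosen here; the 7.5 bits/byte threshold over 4096 bytes is an assumed value that healthy CSPRNG output clears with overwhelming margin.

```rust
use std::fs::File;
use std::io::{self, Read};

/// Entropy source backed by `/dev/urandom`, opened once and reused.
/// (Example type; not the harness's own `Rng` implementation.)
pub struct UrandomSource {
    file: File,
}

impl UrandomSource {
    pub fn open() -> io::Result<Self> {
        Ok(Self { file: File::open("/dev/urandom")? })
    }
}

impl Read for UrandomSource {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.file.read(buf)
    }
}

/// Shannon entropy of the byte histogram, in bits per byte (0.0..=8.0). A few KiB
/// of healthy CSPRNG output scores close to 8.0; all-zero or short repeating
/// output scores far lower. Empty input scores 0.0.
pub fn entropy_bits_per_byte(data: &[u8]) -> f64 {
    let mut counts = [0usize; 256];
    for &b in data { counts[b as usize] += 1; }
    let n = data.len() as f64;
    counts.iter().filter(|&&c| c > 0).map(|&c| {
        let p = c as f64 / n;
        -p * p.log2()
    }).sum()
}

/// Harness-style smoke check over any reader: draw exactly `n` bytes and
/// require at least `min_bits` bits/byte. `read_exact` loops over short
/// reads and retries on `Interrupted`, so a half-filled buffer is never
/// scored as if it were random data. Returns the measured value on success.
pub fn smoke_check<R: Read>(source: &mut R, n: usize, min_bits: f64) -> io::Result<f64> {
    let mut buf = vec![0u8; n];
    source.read_exact(&mut buf)?;
    let h = entropy_bits_per_byte(&buf);
    if h < min_bits {
        let msg = format!("entropy source looks broken: {:.3} bits/byte", h);
        return Err(io::Error::new(io::ErrorKind::Other, msg));
    }
    Ok(h)
}

fn main() -> io::Result<()> {
    let mut src = UrandomSource::open()?;
    println!("/dev/urandom: {:.3} bits/byte", smoke_check(&mut src, 4096, 7.5)?);
    Ok(())
}
```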