bdad8b2721
Three ways to call:
getrandom(p, n, 0) Blocks at boot until full entropy.
Returns up to n bytes at p; guarantees
up to 256 bytes even if interrupted
after blocking. getrandom(0,0,0)
serves as an entropy barrier: return
only after system has full entropy.
getrandom(p, n, GRND_INSECURE) Never blocks. Guarantees up to 256
bytes even if interrupted. Equivalent
to /dev/urandom. Safe only after
successful getrandom(...,0),
getrandom(...,GRND_RANDOM), or read
from /dev/random.
getrandom(p, n, GRND_RANDOM) May block at any time. Returns up to n
bytes at p, but no guarantees about how
many -- may return as short as 1 byte.
Equivalent to /dev/random. Legacy.
Provided only for source compatibility
with Linux.
Can also use flags|GRND_NONBLOCK to fail with EWOULDBLOCK/EAGAIN
without producing any output instead of blocking.
- The combination GRND_INSECURE|GRND_NONBLOCK is the same as
GRND_INSECURE, since GRND_INSECURE never blocks anyway.
- The combinations GRND_INSECURE|GRND_RANDOM and
GRND_INSECURE|GRND_RANDOM|GRND_NONBLOCK are nonsensical and fail
with EINVAL.
As proposed on tech-userlevel, tech-crypto, tech-security, and
tech-kern, and subsequently adopted by core (minus the getentropy part
of the proposal, because other operating systems and participants in
the discussion couldn't come to an agreement about getentropy and
blocking semantics):
https://mail-index.netbsd.org/tech-userlevel/2020/05/02/msg012333.html
247 lines
7.1 KiB
C
247 lines
7.1 KiB
C
/* $NetBSD: sys_getrandom.c,v 1.1 2020/08/14 00:53:16 riastradh Exp $ */
|
|
|
|
/*-
|
|
* Copyright (c) 2020 The NetBSD Foundation, Inc.
|
|
* All rights reserved.
|
|
*
|
|
* This code is derived from software contributed to The NetBSD Foundation
|
|
* by Taylor R. Campbell.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
/*
|
|
* getrandom() system call
|
|
*/
|
|
|
|
#include <sys/cdefs.h>
|
|
__KERNEL_RCSID(0, "$NetBSD: sys_getrandom.c,v 1.1 2020/08/14 00:53:16 riastradh Exp $");
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/param.h>
|
|
|
|
#include <sys/atomic.h>
|
|
#include <sys/cprng.h>
|
|
#include <sys/entropy.h>
|
|
#include <sys/kmem.h>
|
|
#include <sys/lwp.h>
|
|
#include <sys/proc.h>
|
|
#include <sys/random.h>
|
|
#include <sys/sched.h>
|
|
#include <sys/signalvar.h>
|
|
#include <sys/syscallargs.h>
|
|
#include <sys/uio.h>
|
|
|
|
#include <crypto/nist_hash_drbg/nist_hash_drbg.h>
|
|
|
|
#define RANDOM_BUFSIZE 512
|
|
|
|
int
|
|
dogetrandom(struct uio *uio, unsigned int flags)
|
|
{
|
|
uint8_t seed[NIST_HASH_DRBG_SEEDLEN_BYTES] = {0};
|
|
struct nist_hash_drbg drbg;
|
|
uint8_t *buf;
|
|
int extractflags = 0;
|
|
int error;
|
|
|
|
KASSERT((flags & ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)) == 0);
|
|
KASSERT((flags & (GRND_RANDOM|GRND_INSECURE)) !=
|
|
(GRND_RANDOM|GRND_INSECURE));
|
|
|
|
/* Get a buffer for transfers. */
|
|
buf = kmem_alloc(RANDOM_BUFSIZE, KM_SLEEP);
|
|
|
|
/*
|
|
* Fast path: for short reads other than from /dev/random, if
|
|
* seeded or if INSECURE, just draw from per-CPU cprng_strong.
|
|
*/
|
|
if (uio->uio_resid <= RANDOM_BUFSIZE &&
|
|
!ISSET(flags, GRND_RANDOM) &&
|
|
(entropy_ready() || ISSET(flags, GRND_INSECURE))) {
|
|
/* Generate data and transfer it out. */
|
|
cprng_strong(user_cprng, buf, uio->uio_resid, 0);
|
|
error = uiomove(buf, uio->uio_resid, uio);
|
|
goto out;
|
|
}
|
|
|
|
/*
|
|
* Try to get a seed from the entropy pool. Fail if we would
|
|
* block. If GRND_INSECURE, always return something even if it
|
|
* is partial entropy; if !GRND_INSECURE, set ENTROPY_HARDFAIL
|
|
* in order to tell entropy_extract not to bother drawing
|
|
* anything from a partial pool if we can't get full entropy.
|
|
*/
|
|
if (!ISSET(flags, GRND_NONBLOCK) && !ISSET(flags, GRND_INSECURE))
|
|
extractflags |= ENTROPY_WAIT|ENTROPY_SIG;
|
|
if (!ISSET(flags, GRND_INSECURE))
|
|
extractflags |= ENTROPY_HARDFAIL;
|
|
error = entropy_extract(seed, sizeof seed, extractflags);
|
|
if (error && !ISSET(flags, GRND_INSECURE))
|
|
goto out;
|
|
|
|
/* Instantiate the DRBG. */
|
|
if (nist_hash_drbg_instantiate(&drbg, seed, sizeof seed, NULL, 0,
|
|
NULL, 0))
|
|
panic("nist_hash_drbg_instantiate");
|
|
|
|
/* Promptly zero the seed. */
|
|
explicit_memset(seed, 0, sizeof seed);
|
|
|
|
/* Generate data. */
|
|
error = 0;
|
|
while (uio->uio_resid) {
|
|
size_t n = MIN(uio->uio_resid, RANDOM_BUFSIZE);
|
|
|
|
/*
|
|
* Clamp /dev/random output to the entropy capacity and
|
|
* seed size. Programs can't rely on long reads.
|
|
*/
|
|
if (ISSET(flags, GRND_RANDOM)) {
|
|
n = MIN(n, ENTROPY_CAPACITY);
|
|
n = MIN(n, sizeof seed);
|
|
/*
|
|
* Guarantee never to return more than one
|
|
* buffer in this case to minimize bookkeeping.
|
|
*/
|
|
CTASSERT(ENTROPY_CAPACITY <= RANDOM_BUFSIZE);
|
|
CTASSERT(sizeof seed <= RANDOM_BUFSIZE);
|
|
}
|
|
|
|
/*
|
|
* Try to generate a block of data, but if we've hit
|
|
* the DRBG reseed interval, reseed.
|
|
*/
|
|
if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) {
|
|
/*
|
|
* Get a fresh seed without blocking -- we have
|
|
* already generated some output so it is not
|
|
* useful to block. This can fail only if the
|
|
* request is obscenely large, so it is OK for
|
|
* either /dev/random or /dev/urandom to fail:
|
|
* we make no promises about gigabyte-sized
|
|
* reads happening all at once.
|
|
*/
|
|
error = entropy_extract(seed, sizeof seed,
|
|
ENTROPY_HARDFAIL);
|
|
if (error)
|
|
break;
|
|
|
|
/* Reseed and try again. */
|
|
if (nist_hash_drbg_reseed(&drbg, seed, sizeof seed,
|
|
NULL, 0))
|
|
panic("nist_hash_drbg_reseed");
|
|
|
|
/* Promptly zero the seed. */
|
|
explicit_memset(seed, 0, sizeof seed);
|
|
|
|
/* If it fails now, that's a bug. */
|
|
if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0))
|
|
panic("nist_hash_drbg_generate");
|
|
}
|
|
|
|
/* Transfer n bytes out. */
|
|
error = uiomove(buf, n, uio);
|
|
if (error)
|
|
break;
|
|
|
|
/*
|
|
* If this is /dev/random, stop here, return what we
|
|
* have, and force the next read to reseed. Programs
|
|
* can't rely on /dev/random for long reads.
|
|
*/
|
|
if (ISSET(flags, GRND_RANDOM)) {
|
|
error = 0;
|
|
break;
|
|
}
|
|
|
|
/* Yield if requested. */
|
|
if (curcpu()->ci_schedstate.spc_flags & SPCF_SHOULDYIELD)
|
|
preempt();
|
|
|
|
/* Check for interruption after at least 256 bytes. */
|
|
CTASSERT(RANDOM_BUFSIZE >= 256);
|
|
if (__predict_false(curlwp->l_flag & LW_PENDSIG) &&
|
|
sigispending(curlwp, 0)) {
|
|
error = EINTR;
|
|
break;
|
|
}
|
|
}
|
|
|
|
out: /* Zero the buffer and free it. */
|
|
explicit_memset(buf, 0, RANDOM_BUFSIZE);
|
|
kmem_free(buf, RANDOM_BUFSIZE);
|
|
|
|
return error;
|
|
}
|
|
|
|
int
|
|
sys_getrandom(struct lwp *l, const struct sys_getrandom_args *uap,
|
|
register_t *retval)
|
|
{
|
|
/* {
|
|
syscallarg(void *) buf;
|
|
syscallarg(size_t) buflen;
|
|
syscallarg(unsigned) flags;
|
|
} */
|
|
void *buf = SCARG(uap, buf);
|
|
size_t buflen = SCARG(uap, buflen);
|
|
int flags = SCARG(uap, flags);
|
|
int error;
|
|
|
|
/* Set up an iov and uio to read into the user's buffer. */
|
|
struct iovec iov = { .iov_base = buf, .iov_len = buflen };
|
|
struct uio uio = {
|
|
.uio_iov = &iov,
|
|
.uio_iovcnt = 1,
|
|
.uio_offset = 0,
|
|
.uio_resid = buflen,
|
|
.uio_rw = UIO_READ,
|
|
.uio_vmspace = curproc->p_vmspace,
|
|
};
|
|
|
|
/* Validate the flags. */
|
|
if (flags & ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)) {
|
|
/* Unknown flags. */
|
|
error = EINVAL;
|
|
goto out;
|
|
}
|
|
if ((flags & (GRND_RANDOM|GRND_INSECURE)) ==
|
|
(GRND_RANDOM|GRND_INSECURE)) {
|
|
/* Nonsensical combination. */
|
|
error = EINVAL;
|
|
goto out;
|
|
}
|
|
|
|
/* Do it. */
|
|
error = dogetrandom(&uio, flags);
|
|
|
|
out: /*
|
|
* If we transferred anything, return the number of bytes
|
|
* transferred and suppress error; otherwise return the error.
|
|
*/
|
|
*retval = buflen - uio.uio_resid;
|
|
if (*retval)
|
|
error = 0;
|
|
return error;
|
|
}
|