sys/kern/sys_getrandom.c

54359Sroberto/*-
54359Sroberto * SPDX-License-Identifier: BSD-2-Clause
54359Sroberto *
285612Sdelphij * Copyright (c) 2018 Conrad Meyer <cem@FreeBSD.org>
54359Sroberto * All rights reserved.
54359Sroberto *
54359Sroberto * Redistribution and use in source and binary forms, with or without
330141Sdelphij * modification, are permitted provided that the following conditions
330141Sdelphij * are met:
54359Sroberto * 1. Redistributions of source code must retain the above copyright
82498Sroberto *    notice, this list of conditions and the following disclaimer.
54359Sroberto * 2. Redistributions in binary form must reproduce the above copyright
294569Sdelphij *    notice, this list of conditions and the following disclaimer in the
54359Sroberto *    documentation and/or other materials provided with the distribution.
285612Sdelphij *
285612Sdelphij * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
285612Sdelphij * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
285612Sdelphij * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54359Sroberto * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
54359Sroberto * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
285612Sdelphij * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54359Sroberto * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
54359Sroberto * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
54359Sroberto * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
54359Sroberto * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
54359Sroberto * SUCH DAMAGE.
54359Sroberto */
285612Sdelphij
54359Sroberto#include <sys/param.h>
54359Sroberto#include <sys/errno.h>
54359Sroberto#include <sys/limits.h>
54359Sroberto#include <sys/proc.h>
54359Sroberto#include <sys/random.h>
54359Sroberto#include <sys/sysproto.h>
54359Sroberto#include <sys/systm.h>
54359Sroberto#include <sys/uio.h>
54359Sroberto
54359Sroberto#define GRND_VALIDFLAGS	(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE)
54359Sroberto
285612Sdelphij/*
54359Sroberto * read_random_uio(9) returns EWOULDBLOCK if a nonblocking request would block,
54359Sroberto * but the Linux API name is EAGAIN.  On FreeBSD, they have the same numeric
54359Sroberto * value for now.
54359Sroberto */
54359SrobertoCTASSERT(EWOULDBLOCK == EAGAIN);
54359Sroberto
54359Srobertostatic int
285612Sdelphijkern_getrandom(struct thread *td, void *user_buf, size_t buflen,
54359Sroberto    unsigned int flags)
54359Sroberto{
54359Sroberto	struct uio auio;
54359Sroberto	struct iovec aiov;
54359Sroberto	int error;
54359Sroberto
285612Sdelphij	if ((flags & ~GRND_VALIDFLAGS) != 0)
54359Sroberto		return (EINVAL);
54359Sroberto	if (buflen > IOSIZE_MAX)
285612Sdelphij		return (EINVAL);
54359Sroberto
285612Sdelphij	/*
54359Sroberto	 * Linux compatibility: We have two choices for handling Linux's
54359Sroberto	 * GRND_INSECURE.
54359Sroberto	 *
54359Sroberto	 * 1. We could ignore it completely (like GRND_RANDOM).  However, this
54359Sroberto	 * might produce the surprising result of GRND_INSECURE requests
54359Sroberto	 * blocking, when the Linux API does not block.
289997Sglebius	 *
289997Sglebius	 * 2. Alternatively, we could treat GRND_INSECURE requests as requests
289997Sglebius	 * for GRND_NONBLOCK.  Here, the surprising result for Linux programs
289997Sglebius	 * is that invocations with unseeded random(4) will produce EAGAIN,
289997Sglebius	 * rather than garbage.
289997Sglebius	 *
289997Sglebius	 * Honoring the flag in the way Linux does seems fraught.  If we
289997Sglebius	 * actually use the output of a random(4) implementation prior to
289997Sglebius	 * seeding, we leak some entropy about the initial seed to attackers.
289997Sglebius	 * This seems unacceptable -- it defeats the purpose of blocking on
289997Sglebius	 * initial seeding.
289997Sglebius	 *
289997Sglebius	 * Secondary to that concern, before seeding we may have arbitrarily
289997Sglebius	 * little entropy collected; producing output from zero or a handful of
289997Sglebius	 * entropy bits does not seem particularly useful to userspace.
293650Sglebius	 *
293650Sglebius	 * If userspace can accept garbage, insecure non-random bytes, they can
289997Sglebius	 * create their own insecure garbage with srandom(time(NULL)) or
293650Sglebius	 * similar.  Asking the kernel to produce it from the secure
289997Sglebius	 * getrandom(2) API seems inane.
293650Sglebius	 *
293650Sglebius	 * We elect to emulate GRND_INSECURE as an alternative spelling of
293650Sglebius	 * GRND_NONBLOCK (2).
294569Sdelphij	 */
293650Sglebius	if ((flags & GRND_INSECURE) != 0)
293650Sglebius		flags |= GRND_NONBLOCK;
293650Sglebius
293650Sglebius	if (buflen == 0) {
293650Sglebius		td->td_retval[0] = 0;
293650Sglebius		return (0);
289997Sglebius	}
289997Sglebius
293650Sglebius	aiov.iov_base = user_buf;
289997Sglebius	aiov.iov_len = buflen;
289997Sglebius	auio.uio_iov = &aiov;
289997Sglebius	auio.uio_iovcnt = 1;
289997Sglebius	auio.uio_offset = 0;
298699Sdelphij	auio.uio_resid = buflen;
289997Sglebius	auio.uio_segflg = UIO_USERSPACE;
289997Sglebius	auio.uio_rw = UIO_READ;
289997Sglebius	auio.uio_td = td;
289997Sglebius
289997Sglebius	error = read_random_uio(&auio, (flags & GRND_NONBLOCK) != 0);
289997Sglebius	if (error == 0)
298699Sdelphij		td->td_retval[0] = buflen - auio.uio_resid;
298699Sdelphij	return (error);
298699Sdelphij}
298699Sdelphij
298699Sdelphij#ifndef _SYS_SYSPROTO_H_
298699Sdelphijstruct getrandom_args {
298699Sdelphij	void		*buf;
298699Sdelphij	size_t		buflen;
298699Sdelphij	unsigned int	flags;
298699Sdelphij};
298699Sdelphij#endif
298699Sdelphij
298699Sdelphijint
298699Sdelphijsys_getrandom(struct thread *td, struct getrandom_args *uap)
298699Sdelphij{
298699Sdelphij	return (kern_getrandom(td, uap->buf, uap->buflen, uap->flags));
298699Sdelphij}
298699Sdelphij