From c56cbc75071e66f014528d40e0e8c48c395f494d Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Mon, 13 Jan 2020 22:26:24 +0000 Subject: [PATCH 1/2] New system call getrandom() compatible with Linux. Three ways to call: getrandom(p, n, 0) May block. Returns up to n bytes at p, guaranteeing >=256 bytes even if interrupted after blocking. Can be used as getrandom(NULL,0,0) to serve as `entropy barrier': return only after system is seeded. getrandom(p, n, GRND_INSECURE) Never blocks. Guarantees >=256 bytes even if interrupted. Equivalent to /dev/urandom. Safe only after successful getrandom(..., 0), getrandom(..., GRND_RANDOM), or read from /dev/random. getrandom(p, n, GRND_RANDOM) May block. Returns up to n bytes at p, but no guarantees about how many. Equivalent to /dev/random. Legacy. Can also use flags|GRND_NONBLOCK to fail with EWOULDBLOCK/EAGAIN instead of blocking. (The combination GRND_INSECURE|GRND_NONBLOCK is the same as GRND_INSECURE, since GRND_INSECURE never blocks anyway. The combination GRND_INSECURE|GRND_RANDOM is nonsensical and fails with EINVAL.) --- distrib/sets/lists/comp/mi | 3 + distrib/sets/lists/debug/mi | 1 + distrib/sets/lists/tests/mi | 1 + lib/libc/sys/Makefile.inc | 7 +- lib/libc/sys/getrandom.2 | 252 ++++++++++++++++++++ sys/dev/random.c | 186 ++------------- sys/kern/files.kern | 1 + sys/kern/kern_entropy.c | 14 +- sys/kern/sys_getrandom.c | 244 +++++++++++++++++++ sys/kern/syscalls.master | 3 +- sys/rump/librump/rumpkern/Makefile.rumpkern | 1 + sys/sys/Makefile | 2 +- sys/sys/entropy.h | 5 +- sys/sys/random.h | 69 ++++++ tests/lib/libc/sys/Makefile | 1 + tests/lib/libc/sys/t_getrandom.c | 170 +++++++++++++ 16 files changed, 788 insertions(+), 172 deletions(-) create mode 100644 lib/libc/sys/getrandom.2 create mode 100644 sys/kern/sys_getrandom.c create mode 100644 sys/sys/random.h create mode 100644 tests/lib/libc/sys/t_getrandom.c diff --git a/distrib/sets/lists/comp/mi b/distrib/sets/lists/comp/mi index 6dfb4f6e3189..732eb5355300 100644 --- a/distrib/sets/lists/comp/mi +++ b/distrib/sets/lists/comp/mi @@ -3131,6 +3131,7 @@ ./usr/include/sys/quotactl.h comp-c-include ./usr/include/sys/radioio.h comp-c-include ./usr/include/sys/radixtree.h comp-c-include +./usr/include/sys/random.h comp-c-include ./usr/include/sys/ras.h comp-c-include ./usr/include/sys/rb.h comp-obsolete obsolete ./usr/include/sys/rbtree.h comp-c-include @@ -12514,6 +12515,7 @@ ./usr/share/man/html2/getpid.html comp-c-htmlman html ./usr/share/man/html2/getppid.html comp-c-htmlman html ./usr/share/man/html2/getpriority.html comp-c-htmlman html +./usr/share/man/html2/getrandom.html comp-c-htmlman html ./usr/share/man/html2/getrlimit.html comp-c-htmlman html ./usr/share/man/html2/getrusage.html comp-c-htmlman html ./usr/share/man/html2/getsid.html comp-c-htmlman html @@ -20426,6 +20428,7 @@ ./usr/share/man/man2/getpid.2 comp-c-man .man ./usr/share/man/man2/getppid.2 comp-c-man .man ./usr/share/man/man2/getpriority.2 comp-c-man .man +./usr/share/man/man2/getrandom.2 comp-c-man .man ./usr/share/man/man2/getrlimit.2 comp-c-man .man ./usr/share/man/man2/getrusage.2 comp-c-man .man ./usr/share/man/man2/getsid.2 comp-c-man .man diff --git a/distrib/sets/lists/debug/mi b/distrib/sets/lists/debug/mi index 30c9d3b8de79..d4651b47445b 100644 --- a/distrib/sets/lists/debug/mi +++ b/distrib/sets/lists/debug/mi @@ -2127,6 +2127,7 @@ ./usr/libdata/debug/usr/tests/lib/libc/sys/t_getitimer.debug tests-lib-debug debug,atf,compattestfile ./usr/libdata/debug/usr/tests/lib/libc/sys/t_getlogin.debug tests-lib-debug debug,atf,compattestfile ./usr/libdata/debug/usr/tests/lib/libc/sys/t_getpid.debug tests-lib-debug debug,atf,compattestfile +./usr/libdata/debug/usr/tests/lib/libc/sys/t_getrandom.debug tests-lib-debug debug,atf,compattestfile ./usr/libdata/debug/usr/tests/lib/libc/sys/t_getrusage.debug tests-lib-debug debug,atf,compattestfile ./usr/libdata/debug/usr/tests/lib/libc/sys/t_getsid.debug tests-lib-debug debug,atf,compattestfile ./usr/libdata/debug/usr/tests/lib/libc/sys/t_getsockname.debug tests-lib-debug debug,atf,compattestfile diff --git a/distrib/sets/lists/tests/mi b/distrib/sets/lists/tests/mi index 9c5aa8d313e0..324f4975f125 100644 --- a/distrib/sets/lists/tests/mi +++ b/distrib/sets/lists/tests/mi @@ -3125,6 +3125,7 @@ ./usr/tests/lib/libc/sys/t_getitimer tests-lib-tests compattestfile,atf ./usr/tests/lib/libc/sys/t_getlogin tests-lib-tests compattestfile,atf ./usr/tests/lib/libc/sys/t_getpid tests-lib-tests compattestfile,atf +./usr/tests/lib/libc/sys/t_getrandom tests-lib-tests compattestfile,atf ./usr/tests/lib/libc/sys/t_getrusage tests-lib-tests compattestfile,atf ./usr/tests/lib/libc/sys/t_getsid tests-lib-tests compattestfile,atf ./usr/tests/lib/libc/sys/t_getsockname tests-lib-tests compattestfile,atf diff --git a/lib/libc/sys/Makefile.inc b/lib/libc/sys/Makefile.inc index 7eddf7e3fc19..d7faaefef29a 100644 --- a/lib/libc/sys/Makefile.inc +++ b/lib/libc/sys/Makefile.inc @@ -110,7 +110,7 @@ ASM= access.S acct.S \ __fstatvfs190.S fstatat.S __futimes50.S futimens.S \ __getcwd.S __getdents30.S __getfh30.S __getvfsstat90.S getgroups.S\ __getitimer50.S __getlogin.S getpeername.S getpgid.S getpgrp.S \ - getpriority.S getrlimit.S __getrusage50.S getsid.S \ + getpriority.S getrandom.S getrlimit.S __getrusage50.S getsid.S \ getsockname.S getsockopt.S getsockopt2.S __gettimeofday50.S \ ioctl.S \ kqueue.S kqueue1.S ktrace.S \ @@ -250,8 +250,9 @@ MAN+= accept.2 access.2 acct.2 adjtime.2 bind.2 brk.2 chdir.2 \ flock.2 fork.2 fsync.2 getcontext.2 getdents.2 \ getfh.2 getvfsstat.2 getgid.2 getgroups.2 \ getitimer.2 getlogin.2 getpeername.2 getpgrp.2 getpid.2 \ - getpriority.2 getrlimit.2 getrusage.2 getsid.2 getsockname.2 \ - getsockopt.2 gettimeofday.2 getuid.2 intro.2 ioctl.2 issetugid.2 \ + getpriority.2 getrandom.2 getrlimit.2 getrusage.2 getsid.2 \ + getsockname.2 getsockopt.2 gettimeofday.2 getuid.2\ + intro.2 ioctl.2 issetugid.2 \ kill.2 kqueue.2 ktrace.2 _ksem.2 \ lfs_bmapv.2 lfs_markv.2 lfs_segclean.2 lfs_segwait.2 \ link.2 listen.2 lseek.2 \ diff --git a/lib/libc/sys/getrandom.2 b/lib/libc/sys/getrandom.2 new file mode 100644 index 000000000000..fcd1d41d431c --- /dev/null +++ b/lib/libc/sys/getrandom.2 @@ -0,0 +1,252 @@ +.\" $NetBSD$ +.\" +.\" Copyright (c) 2020 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" This code is derived from software contributed to The NetBSD Foundation +.\" by Taylor R. Campbell. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd January 13, 2020 +.Dt GETRANDOM 2 +.Os +.Sh NAME +.Nm getrandom +.Nd random number generation from system entropy +.Sh LIBRARY +.Lb libc +.Sh SYNOPSIS +.In sys/random.h +.Ft ssize_t +.Fn getrandom "void *buf" "size_t buflen" "unsigned int flags" +.Sh DESCRIPTION +The +.Nm +function fills +.Fa buf +with up to +.Fa buflen +independent uniform random bytes derived from the system's entropy +pool. +.Pp +The function may block until the system has full entropy, meaning that +the system has observed enough noise from physical processes that an +adversary cannot predict what state it is in: +.Bl -bullet -compact +.It +When the system has only partial entropy, the output of +.Fn getrandom +may be predictable. +.It +When the system has full entropy, the output is fit for use as +cryptographic key material. +.El +.Pp +The +.Fa flags +argument may be: +.Bl -tag -offset abcd -width GRND_INSECURE +.It Li 0 +Block until the system entropy pool has full entropy; then generate +arbitrarily much data. +.Em Recommended . +.Pp +If interrupted by a signal, may fail with +.Er EINTR +or return a short read. +If successful, guaranteed to return at least 256 bytes even if +interrupted. +.It Dv GRND_INSECURE +Do not block; instead fill +.Fa buf +with output derived from whatever is in the system entropy pool so +far. +Equivalent to reading from +.Pa /dev/urandom ; +see +.Xr rnd 4 . +.Pp +If interrupted by a signal, may fail with +.Er EINTR +or return a short read. +If successful, guaranteed to return at least 256 bytes even if +interrupted. +.Pp +Despite the name, this is secure as long as you only do it +.Em after +at least one successful call without +.Dv GRND_INSECURE , +such as +.Li "getrandom(..., 0)" +or +.Li "getrandom(..., GRND_RANDOM)" , +or after reading at least one byte from +.Pa /dev/random . +.Pp +.Sy WARNING : +If you use +.Dv GRND_INSECURE +.Em before +the system has full entropy. the output may enable an adversary to +search the possible states of the entropy pool by brute force, and +thereby reduce its entropy to zero. +Thus, incautious use of +.Dv GRND_INSECURE +can ruin the security of the whole system. +.It Dv GRND_RANDOM +Block until the system entropy pool has full entropy; then generate a +small amount of data. +Equivalent to reading from +.Pa /dev/random ; +see +.Xr rnd 4 . +This is provided mainly for source compatibility with Linux; there is +essentially no reason to ever use it. +.El +.Pp +The flag +.Dv GNRD_NONBLOCK +may also be included with bitwise-OR, in which case if +.Fn getrandom +would have blocked without +.Dv GRND_NONBLOCK , +it returns +.Er EAGAIN +instead. +.Pp +Adding +.Dv GRND_NONBLOCK +to +.Dv GRND_INSECURE +has no effect; the combination +.Dv GRND_INSECURE Ns Li "|" Ns Li GRND_NONBLOCK +is equivalent to +.Dv GRND_INSECURE , +since +.Dv GRND_INSECURE +never blocks. +The combination +.Dv GRND_INSECURE Ns Li "|" Ns Li GRND_RANDOM +is nonsensical and fails with +.Er EINVAL . +.Sh RETURN VALUES +If successful, +.Fn getrandom +returns the number of bytes stored in +.Fa buf . +Otherwise, +.Fn getrandom +returns \-1 and sets +.Va errno . +.Sh EXAMPLES +.Sy Recommended usage . +Generate a key for cryptography: +.Bd -literal + uint8_t secretkey[32]; + + if (getrandom(secretkey, sizeof secretkey, 0) == -1) + err(EXIT_FAILURE, "getrandom"); + crypto_secretbox_xsalsa20poly1305(..., secretkey); +.Ed +.Pp +Other idioms for illustration: +.Bl -bullet +.It +Wait for entropy once, and then generate many keys without waiting: +.Bd -literal + struct { uint8_t key[32]; } user[100]; + + if (getrandom(NULL, 0, 0) == -1) + err(EXIT_FAILURE, "getrandom"); + for (i = 0; i < 100; i++) + getrandom(user[i].key, sizeof user[i].key, + GRND_INSECURE); +.Ed +.It +Twiddle thumbs while waiting for entropy: +.Bd -literal + uint8_t secretkey[32]; + + while (getrandom(secretkey, sizeof secretkey, GRND_NONBLOCK) + == -1) { + if (errno != EAGAIN) + err(EXIT_FAILURE, "getrandom"); + twiddle_thumbs(); + } + crypto_secretbox_xsalsa20poly1305(..., secretkey); +.Ed +.El +.Pp +(No examples of +.Dv GRND_RANDOM +because it is not useful.) +.Sh ERRORS +.Bl -tag -width Er +.It Bq Er EAGAIN +The +.Dv GRND_NONBLOCK +flag was specified, and the system entropy pool does not have full +entropy. +.It Bq Er EINTR +The +.Dv GRND_NONBLOCK +flag was +.Em not +specified, the system entropy pool does not have full entropy, and the +process was interrupted by a signal while waiting. +.It Bq Er EINVAL +.Fa flags +contains an unrecognized flag or a nonsensical combination of flags. +.It Bq Er EFAULT +.Fa buf +points outside the allocated address space. +.El +.Sh SEE ALSO +.Xr rnd 4 +.Sh HISTORY +The +.Nm +system call first appeared in Linux 3.17, and was added to +.Nx 10.0 . +.Sh AUTHORS +The +.Nx +implementation of +.Nm +and this man page were written by +.An Taylor R Campbell Aq Mt riastradh@NetBSD.org . +.Sh BUGS +There is no way to multiplex waiting for +.Fn getrandom +with other I/O in +.Xr select 2 , +.Xr poll 2 , +or +.Xr kqueue 2 . +Instead, you can wait for a read from +.Pa /dev/random ; +see +.Xr rnd 4 . +.Pp +.Dv GRND_RANDOM +is a little silly. diff --git a/sys/dev/random.c b/sys/dev/random.c index 35000bc22a40..2dbc56f56345 100644 --- a/sys/dev/random.c +++ b/sys/dev/random.c @@ -58,16 +58,15 @@ __KERNEL_RCSID(0, "$NetBSD$"); #include #include #include +#include #include #include -#include +#include #include #include #include #include -#include - #include "ioconf.h" static dev_type_open(random_open); @@ -94,7 +93,6 @@ const struct cdevsw rnd_cdevsw = { }; #define RANDOM_BUFSIZE 512 /* XXX pulled from arse */ -static pool_cache_t random_buf_pc __read_mostly; /* Entropy source for writes to /dev/random and /dev/urandom */ static krndsource_t user_rndsource; @@ -103,8 +101,6 @@ void rndattach(int num) { - random_buf_pc = pool_cache_init(RANDOM_BUFSIZE, 0, 0, 0, - "randombuf", NULL, IPL_NONE, NULL, NULL, NULL); rnd_attach_source(&user_rndsource, "/dev/random", RND_TYPE_UNKNOWN, RND_FLAG_COLLECT_VALUE); } @@ -211,161 +207,30 @@ random_kqfilter(dev_t dev, struct knote *kn) static int random_read(dev_t dev, struct uio *uio, int flags) { - uint8_t seed[NIST_HASH_DRBG_SEEDLEN_BYTES] = {0}; - struct nist_hash_drbg drbg; - uint8_t *buf; - int extractflags; - bool interruptible; - int error; - - /* Get a buffer for transfers. */ - buf = pool_cache_get(random_buf_pc, PR_WAITOK); - - /* - * If it's a short read from /dev/urandom, just generate the - * output directly with per-CPU cprng_strong. - */ - if (minor(dev) == RND_DEV_URANDOM && - uio->uio_resid <= RANDOM_BUFSIZE) { - /* Generate data and transfer it out. */ - cprng_strong(user_cprng, buf, uio->uio_resid, 0); - error = uiomove(buf, uio->uio_resid, uio); - goto out; - } - - /* - * If we're doing a blocking read from /dev/random, wait - * interruptibly. Otherwise, don't wait. - */ - if (minor(dev) == RND_DEV_RANDOM && !ISSET(flags, FNONBLOCK)) - extractflags = ENTROPY_WAIT|ENTROPY_SIG; - else - extractflags = 0; - - /* - * Query the entropy pool. For /dev/random, stop here if this - * fails. For /dev/urandom, go on either way -- - * entropy_extract will always fill the buffer with what we - * have from the global pool. - */ - error = entropy_extract(seed, sizeof seed, extractflags); - if (minor(dev) == RND_DEV_RANDOM && error) - goto out; - - /* Instantiate the DRBG. */ - if (nist_hash_drbg_instantiate(&drbg, seed, sizeof seed, NULL, 0, - NULL, 0)) - panic("nist_hash_drbg_instantiate"); - - /* Promptly zero the seed. */ - explicit_memset(seed, 0, sizeof seed); - - /* - * Generate data. Assume no error until failure. No - * interruption at this point until we've generated at least - * one block of output. - */ - error = 0; - interruptible = false; - while (uio->uio_resid) { - size_t n = uio->uio_resid; - - /* No more than one buffer's worth. */ - n = MIN(n, RANDOM_BUFSIZE); - - /* - * If we're `depleting' and this is /dev/random, clamp - * to the smaller of the entropy capacity or the seed. - */ - if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && - minor(dev) == RND_DEV_RANDOM) { - n = MIN(n, ENTROPY_CAPACITY); - n = MIN(n, sizeof seed); - /* - * Guarantee never to return more than one - * buffer in this case to minimize bookkeeping. - */ - CTASSERT(ENTROPY_CAPACITY <= RANDOM_BUFSIZE); - CTASSERT(sizeof seed <= RANDOM_BUFSIZE); - } - - /* Yield if requested. */ - if (curcpu()->ci_schedstate.spc_flags & SPCF_SHOULDYIELD) - preempt(); - - /* - * Allow interruption, but only after providing a - * minimum number of bytes. - */ - CTASSERT(RANDOM_BUFSIZE >= 256); - /* Check for interruption. */ - if (__predict_false(curlwp->l_flag & LW_PENDSIG) && - interruptible && sigispending(curlwp, 0)) { - error = EINTR; /* XXX ERESTART? */ - break; - } - - /* - * Try to generate a block of data, but if we've hit - * the DRBG reseed interval, reseed. - */ - if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) { - /* - * Get a fresh seed without blocking -- we have - * already generated some output so it is not - * useful to block. This can fail only if the - * request is obscenely large, so it is OK for - * either /dev/random or /dev/urandom to fail: - * we make no promises about gigabyte-sized - * reads happening all at once. - */ - error = entropy_extract(seed, sizeof seed, 0); - if (error) - break; - - /* Reseed and try again. */ - if (nist_hash_drbg_reseed(&drbg, seed, sizeof seed, - NULL, 0)) - panic("nist_hash_drbg_reseed"); - - /* Promptly zero the seed. */ - explicit_memset(seed, 0, sizeof seed); - - /* If it fails now, that's a bug. */ - if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) - panic("nist_hash_drbg_generate"); - } - - /* Transfer n bytes out. */ - error = uiomove(buf, n, uio); - if (error) - break; - - /* - * If we're `depleting' and this is /dev/random, stop - * here, return what we have, and force the next read - * to reseed. Could grab more from the pool if - * possible without blocking, but that's more - * work. - */ - if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && - minor(dev) == RND_DEV_RANDOM) { - error = 0; - break; - } + int gflags; + /* Set the appropriate GRND_* flags. */ + switch (minor(dev)) { + case RND_DEV_RANDOM: + gflags = GRND_RANDOM; + break; + case RND_DEV_URANDOM: /* - * We have generated one block of output, so it is - * reasonable to allow interruption after this point. + * Misnomer from Linux -- it's only insecure if you do + * it before reading at least one byte of /dev/random. */ - interruptible = true; + gflags = GRND_INSECURE; + break; + default: + return ENXIO; } -out: /* Zero the buffer and return it to the pool cache. */ - explicit_memset(buf, 0, RANDOM_BUFSIZE); - pool_cache_put(random_buf_pc, buf); + /* Set GRND_NONBLOCK if user requested FNONBLOCK. */ + if (flags & FNONBLOCK) + gflags |= GRND_NONBLOCK; - return error; + /* Defer to getrandom. */ + return dogetrandom(uio, gflags); } /* @@ -403,14 +268,11 @@ random_write(dev_t dev, struct uio *uio, int flags) privileged = true; /* Get a buffer for transfers. */ - buf = pool_cache_get(random_buf_pc, PR_WAITOK); + buf = kmem_alloc(RANDOM_BUFSIZE, KM_SLEEP); /* Consume data. */ while (uio->uio_resid) { - size_t n = uio->uio_resid; - - /* No more than one buffer's worth in one step. */ - n = MIN(uio->uio_resid, RANDOM_BUFSIZE); + size_t n = MIN(uio->uio_resid, RANDOM_BUFSIZE); /* Yield if requested. */ if (curcpu()->ci_schedstate.spc_flags & SPCF_SHOULDYIELD) @@ -430,8 +292,8 @@ random_write(dev_t dev, struct uio *uio, int flags) rnd_add_data(&user_rndsource, buf, n, privileged ? n*NBBY : 0); } - /* Zero the buffer and return it to the pool cache. */ + /* Zero the buffer and free it. */ explicit_memset(buf, 0, RANDOM_BUFSIZE); - pool_cache_put(random_buf_pc, buf); + kmem_free(buf, RANDOM_BUFSIZE); return error; } diff --git a/sys/kern/files.kern b/sys/kern/files.kern index 4d18f896e3d0..8e06d0f9d49d 100644 --- a/sys/kern/files.kern +++ b/sys/kern/files.kern @@ -153,6 +153,7 @@ file kern/subr_xcall.c kern file kern/sys_aio.c aio file kern/sys_descrip.c kern file kern/sys_generic.c kern +file kern/sys_getrandom.c kern file kern/sys_module.c kern file kern/sys_mqueue.c mqueue file kern/sys_lwp.c kern diff --git a/sys/kern/kern_entropy.c b/sys/kern/kern_entropy.c index 0628870c48b4..11f12af197fa 100644 --- a/sys/kern/kern_entropy.c +++ b/sys/kern/kern_entropy.c @@ -1173,6 +1173,8 @@ sysctl_entropy_consolidate(SYSCTLFN_ARGS) * * ENTROPY_WAIT Wait for entropy if not available yet. * ENTROPY_SIG Allow interruption by a signal during wait. + * ENTROPY_NOPARTIAL Either fill the buffer with full entropy, + * or fail without filling it at all. * * Return zero on success, or error on failure: * @@ -1234,9 +1236,15 @@ entropy_extract(void *buf, size_t len, int flags) } } - /* Count failure -- but fill the buffer nevertheless. */ - if (error) + /* + * Count failure -- but fill the buffer nevertheless, unless + * the caller specified ENTROPY_NOPARTIAL. + */ + if (error) { + if (ISSET(flags, ENTROPY_NOPARTIAL)) + goto out; entropy_extract_fail_evcnt.ev_count++; + } /* * Report a warning if we have never yet reached full entropy. @@ -1266,7 +1274,7 @@ entropy_extract(void *buf, size_t len, int flags) entropy_deplete_evcnt.ev_count++; } - /* Release the global lock and return the error. */ +out: /* Release the global lock and return the error. */ if (E->stage >= ENTROPY_WARM) mutex_exit(&E->lock); return error; diff --git a/sys/kern/sys_getrandom.c b/sys/kern/sys_getrandom.c new file mode 100644 index 000000000000..b02bada23e0e --- /dev/null +++ b/sys/kern/sys_getrandom.c @@ -0,0 +1,244 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2020 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * getrandom() system call + */ + +#include +__KERNEL_RCSID(0, "$NetBSD$"); + +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#define RANDOM_BUFSIZE 512 + +int +dogetrandom(struct uio *uio, unsigned int flags) +{ + uint8_t seed[NIST_HASH_DRBG_SEEDLEN_BYTES] = {0}; + struct nist_hash_drbg drbg; + void *buf; + int eflags = 0; + int error; + + KASSERT((flags & ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)) == 0); + KASSERT((flags & (GRND_RANDOM|GRND_INSECURE)) != + (GRND_RANDOM|GRND_INSECURE)); + + /* Allocate a buffer. */ + buf = kmem_alloc(RANDOM_BUFSIZE, KM_SLEEP); + + /* + * Fast path: for short reads, if INSECURE, or if we have + * entropy and we're not doing depletion, just return it from + * the per-CPU cprng_strong. + */ + if (uio->uio_resid <= RANDOM_BUFSIZE && + (ISSET(flags, GRND_INSECURE) || + (__predict_true(!atomic_load_relaxed(&entropy_depletion)) && + __predict_true(entropy_epoch() != (unsigned)-1)))) { + cprng_strong(user_cprng, buf, uio->uio_resid, 0); + error = uiomove(buf, uio->uio_resid, uio); + goto out; + } + + /* + * Try to get a seed from the entropy pool. Fail if we would + * block. If GRND_INSECURE, always return something even if it + * is partial entropy; if !GRND_INSECURE, set ENTROPY_NOPARTIAL + * in order to tell entropy_extract not to bother drawing + * anything from a partial pool if we can't get full entropy. + */ + if (!ISSET(flags, GRND_NONBLOCK) && !ISSET(flags, GRND_INSECURE)) + eflags |= ENTROPY_WAIT|ENTROPY_SIG; + if (!ISSET(flags, GRND_INSECURE)) + eflags |= ENTROPY_NOPARTIAL; + error = entropy_extract(seed, sizeof seed, eflags); + if (error && !ISSET(flags, GRND_INSECURE)) + goto out; + + /* Instantiate the DRBG and promptly zero the seed. */ + if (nist_hash_drbg_instantiate(&drbg, seed, sizeof seed, NULL, 0, + NULL, 0)) + panic("nist_hash_drbg_instantiate"); + explicit_memset(seed, 0, sizeof seed); + + /* Generate data. */ + error = 0; + while (uio->uio_resid) { + size_t n = MIN(uio->uio_resid, RANDOM_BUFSIZE); + + /* + * If we're `depleting' and this is /dev/random, clamp + * to the smaller of the entropy capacity or the seed. + */ + if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && + ISSET(flags, GRND_RANDOM)) { + n = MIN(n, ENTROPY_CAPACITY); + n = MIN(n, sizeof seed); + /* + * Guarantee never to return more than one + * buffer in this case to minimize bookkeeping. + */ + CTASSERT(ENTROPY_CAPACITY <= RANDOM_BUFSIZE); + CTASSERT(sizeof seed <= RANDOM_BUFSIZE); + } + + /* + * Try to generate a block of data, but if we've hit + * the DRBG reseed interval, reseed. + */ + if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) { + /* + * Get a fresh seed without blocking -- we have + * already generated some output so it is not + * useful to block. This can fail only if the + * request is obscenely large, so it is OK for + * either /dev/random or /dev/urandom to fail: + * we make no promises about gigabyte-sized + * reads happening all at once. + */ + error = entropy_extract(seed, sizeof seed, + ENTROPY_NOPARTIAL); + if (error) + break; + + /* Reseed, promptly zero seed, and try again. */ + if (nist_hash_drbg_reseed(&drbg, seed, sizeof seed, + NULL, 0)) + panic("nist_hash_drbg_reseed"); + explicit_memset(seed, 0, sizeof seed); + + /* If it fails now, that's a bug. */ + if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) + panic("nist_hash_drbg_generate"); + } + + /* Transfer n bytes out. */ + error = uiomove(buf, n, uio); + if (error) + break; + + /* + * If we're `depleting' and this is /dev/random, stop + * here, return what we have, and force the next read + * to reseed. Could grab more from the pool if + * possible without blocking, but that's more work. + */ + if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && + ISSET(flags, GRND_RANDOM)) { + error = 0; + break; + } + + /* Yield if requested. */ + if (curcpu()->ci_schedstate.spc_flags & SPCF_SHOULDYIELD) + preempt(); + + /* Check for interruption after at least one transfer. */ + if (__predict_false(curlwp->l_flag & LW_PENDSIG) && + sigispending(curlwp, 0)) { + error = EINTR; + break; + } + } + +out: /* Zero and free the buffer, and we're done -- return any error. */ + explicit_memset(buf, 0, RANDOM_BUFSIZE); + kmem_free(buf, RANDOM_BUFSIZE); + return error; +} + +int +sys_getrandom(struct lwp *l, const struct sys_getrandom_args *uap, + register_t *retval) +{ + /* { + syscallarg(void *) buf; + syscallarg(size_t) buflen; + syscallarg(unsigned) flags; + } */ + void *buf = SCARG(uap, buf); + size_t buflen = SCARG(uap, buflen); + int flags = SCARG(uap, flags); + int error; + + /* Set up an iov and uio to read into the user's buffer. */ + struct iovec iov = { .iov_base = buf, .iov_len = buflen }; + struct uio uio = { + .uio_iov = &iov, + .uio_iovcnt = 1, + .uio_offset = 0, + .uio_resid = buflen, + .uio_rw = UIO_READ, + .uio_vmspace = curproc->p_vmspace, + }; + + /* Validate the flags. */ + if (flags & ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)) { + /* Unknown flags. */ + error = EINVAL; + goto out; + } + if ((flags & (GRND_RANDOM|GRND_INSECURE)) == + (GRND_RANDOM|GRND_INSECURE)) { + /* Nonsensical combination. */ + error = EINVAL; + goto out; + } + + /* Do it. */ + error = dogetrandom(&uio, flags); + +out: /* + * If we transferred anything, return the number of bytes + * transferred and suppress error; otherwise return the error. + */ + *retval = buflen - uio.uio_resid; + if (*retval) + error = 0; + return error; +} diff --git a/sys/kern/syscalls.master b/sys/kern/syscalls.master index f86f232e2e69..e708f307821d 100644 --- a/sys/kern/syscalls.master +++ b/sys/kern/syscalls.master @@ -215,7 +215,8 @@ 89 COMPAT_43 MODULAR compat_43 \ { int|sys||getdtablesize(void); } ogetdtablesize 90 STD RUMP { int|sys||dup2(int from, int to); } -91 UNIMPL getdopt +91 STD RUMP { ssize_t|sys||getrandom(void *buf, size_t buflen, \ + unsigned int flags); } 92 STD RUMP { int|sys||fcntl(int fd, int cmd, ... void *arg); } 93 COMPAT_50 MODULAR compat_50 RUMP \ { int|sys||select(int nd, fd_set *in, fd_set *ou, \ diff --git a/sys/rump/librump/rumpkern/Makefile.rumpkern b/sys/rump/librump/rumpkern/Makefile.rumpkern index d6d54ee7187d..7b84049d8ac9 100644 --- a/sys/rump/librump/rumpkern/Makefile.rumpkern +++ b/sys/rump/librump/rumpkern/Makefile.rumpkern @@ -129,6 +129,7 @@ SRCS+= init_sysctl_base.c \ subr_xcall.c \ sys_descrip.c \ sys_generic.c \ + sys_getrandom.c \ sys_module.c \ sys_pipe.c \ sys_select.c \ diff --git a/sys/sys/Makefile b/sys/sys/Makefile index baa0ffc5d783..572e584ea16b 100644 --- a/sys/sys/Makefile +++ b/sys/sys/Makefile @@ -33,7 +33,7 @@ INCS= acct.h agpio.h aio.h ansi.h aout_mids.h ataio.h atomic.h \ param.h pcu.h pipe.h pmf.h poll.h pool.h power.h proc.h \ protosw.h pset.h psref.h ptrace.h ptree.h \ queue.h quota.h quotactl.h \ - radixtree.h ras.h rbtree.h reboot.h radioio.h resource.h \ + radioio.h radixtree.h random.h ras.h rbtree.h reboot.h resource.h \ resourcevar.h rmd160.h rnd.h rndio.h rwlock.h \ scanio.h sched.h scsiio.h sdt.h select.h selinfo.h sem.h semaphore.h \ sha1.h sha2.h sha3.h shm.h siginfo.h signal.h signalvar.h sigtypes.h \ diff --git a/sys/sys/entropy.h b/sys/sys/entropy.h index cabff68e6394..de561bcca9a7 100644 --- a/sys/sys/entropy.h +++ b/sys/sys/entropy.h @@ -44,8 +44,9 @@ struct knote; #define ENTROPY_CAPACITY ENTPOOL_CAPACITY /* bytes */ -#define ENTROPY_WAIT 0x01 -#define ENTROPY_SIG 0x02 +#define ENTROPY_WAIT 0x01 +#define ENTROPY_SIG 0x02 +#define ENTROPY_NOPARTIAL 0x04 void entropy_bootrequest(void); unsigned entropy_epoch(void); diff --git a/sys/sys/random.h b/sys/sys/random.h new file mode 100644 index 000000000000..ceac8c722725 --- /dev/null +++ b/sys/sys/random.h @@ -0,0 +1,69 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2020 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _SYS_RANDOM_H +#define _SYS_RANDOM_H + +#include + +#include /* _BSD_SIZE_T_ */ + +#define GRND_NONBLOCK (1u << 0) +#define GRND_RANDOM (1u << 1) +#define GRND_INSECURE (1u << 2) + +#ifdef _KERNEL + +struct uio; + +int dogetrandom(struct uio *, unsigned int); + +#endif /* _KERNEL */ + +#ifndef _KERNEL +__BEGIN_DECLS + +#ifdef _BSD_SIZE_T_ +typedef _BSD_SIZE_T_ size_t; +#undef _BSD_SIZE_T_ +#endif + +#ifdef _BSD_SSIZE_T_ +typedef _BSD_SSIZE_T_ ssize_t; +#undef _BSD_SSIZE_T_ +#endif + +ssize_t getrandom(void *, size_t, unsigned int); + +__END_DECLS +#endif /* !_KERNEL */ + +#endif /* _SYS_RANDOM_H */ diff --git a/tests/lib/libc/sys/Makefile b/tests/lib/libc/sys/Makefile index e72e8ee64920..8d04563266b1 100644 --- a/tests/lib/libc/sys/Makefile +++ b/tests/lib/libc/sys/Makefile @@ -23,6 +23,7 @@ TESTS_C+= t_getgroups TESTS_C+= t_getitimer TESTS_C+= t_getlogin TESTS_C+= t_getpid +TESTS_C+= t_getrandom TESTS_C+= t_getrusage TESTS_C+= t_getsid TESTS_C+= t_getsockname diff --git a/tests/lib/libc/sys/t_getrandom.c b/tests/lib/libc/sys/t_getrandom.c new file mode 100644 index 000000000000..9a50f97babe8 --- /dev/null +++ b/tests/lib/libc/sys/t_getrandom.c @@ -0,0 +1,170 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2020 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include +__RCSID("$NetBSD$"); + +#include + +#include +#include +#include +#include + +static uint8_t buf[65536]; +static uint8_t zero24[24]; + +static void +alarm_handler(int signo) +{ +} + +ATF_TC(getrandom); +ATF_TC_HEAD(getrandom, tc) +{ + + atf_tc_set_md_var(tc, "descr", "getrandom(2)"); +} + +/* + * Probability of spurious failure is 1/2^192 for each of the memcmps. + * As long as there are fewer than 2^64 of them, the probability of + * spurious failure is at most 1/2^128, which is low enough that we + * don't care about it. + */ + +ATF_TC_BODY(getrandom, tc) +{ + ssize_t n; + + ATF_REQUIRE(signal(SIGALRM, &alarm_handler) != SIG_ERR); + + /* default */ + alarm(1); + memset(buf, 0, sizeof buf); + n = getrandom(buf, sizeof buf, 0); + if (n == -1) { + ATF_CHECK_EQ(errno, EINTR); + } else { + ATF_CHECK_EQ((size_t)n, sizeof buf); + ATF_CHECK(memcmp(buf, zero24, 24) != 0); + ATF_CHECK(memcmp(buf + sizeof buf - 24, zero24, 24) != 0); + } + alarm(0); + + /* default, nonblocking */ + memset(buf, 0, sizeof buf); + n = getrandom(buf, sizeof buf, GRND_NONBLOCK); + if (n == -1) { + ATF_CHECK_EQ(errno, EAGAIN); + } else { + ATF_CHECK_EQ((size_t)n, sizeof buf); + ATF_CHECK(memcmp(buf, zero24, 24) != 0); + ATF_CHECK(memcmp(buf + sizeof buf - 24, zero24, 24) != 0); + } + + /* insecure */ + memset(buf, 0, sizeof buf); + n = getrandom(buf, sizeof buf, GRND_INSECURE); + ATF_CHECK(n != -1); + ATF_CHECK_EQ((size_t)n, sizeof buf); + ATF_CHECK(memcmp(buf, zero24, 24) != 0); + ATF_CHECK(memcmp(buf + sizeof buf - 24, zero24, 24) != 0); + + /* insecure, nonblocking -- same as mere insecure */ + memset(buf, 0, sizeof buf); + n = getrandom(buf, sizeof buf, GRND_INSECURE|GRND_NONBLOCK); + ATF_CHECK(n != -1); + ATF_CHECK_EQ((size_t)n, sizeof buf); + ATF_CHECK(memcmp(buf, zero24, 24) != 0); + ATF_CHECK(memcmp(buf + sizeof buf - 24, zero24, 24) != 0); + + /* `random' (hokey) */ + alarm(1); + memset(buf, 0, sizeof buf); + n = getrandom(buf, sizeof buf, GRND_RANDOM); + if (n == -1) { + ATF_CHECK_EQ(errno, EINTR); + } else { + ATF_CHECK(n != 0); + ATF_CHECK((size_t)n <= sizeof buf); + if ((size_t)n >= 24) { + ATF_CHECK(memcmp(buf, zero24, 24) != 0); + ATF_CHECK(memcmp(buf + n - 24, zero24, 24) != 0); + } + } + alarm(0); + + /* `random' (hokey), nonblocking */ + memset(buf, 0, sizeof buf); + n = getrandom(buf, sizeof buf, GRND_RANDOM|GRND_NONBLOCK); + if (n == -1) { + ATF_CHECK_EQ(errno, EAGAIN); + } else { + ATF_CHECK(n != 0); + ATF_CHECK((size_t)n <= sizeof buf); + if ((size_t)n >= 24) { + ATF_CHECK(memcmp(buf, zero24, 24) != 0); + ATF_CHECK(memcmp(buf + n - 24, zero24, 24) != 0); + } + } + + /* random and insecure -- nonsensical */ + n = getrandom(buf, sizeof buf, GRND_RANDOM|GRND_INSECURE); + ATF_CHECK_EQ(n, -1); + ATF_CHECK_EQ(errno, EINVAL); + + /* random and insecure, nonblocking -- nonsensical */ + n = getrandom(buf, sizeof buf, + GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK); + ATF_CHECK_EQ(n, -1); + ATF_CHECK_EQ(errno, EINVAL); + + /* invalid flags */ + __CTASSERT(~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)); + n = getrandom(buf, sizeof buf, + ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)); + ATF_CHECK_EQ(n, -1); + ATF_CHECK_EQ(errno, EINVAL); + + /* unmapped */ + n = getrandom(NULL, sizeof buf, GRND_INSECURE|GRND_NONBLOCK); + ATF_CHECK_EQ(n, -1); + ATF_CHECK_EQ(errno, EFAULT); +} + +ATF_TP_ADD_TCS(tp) +{ + + ATF_TP_ADD_TC(tp, getrandom); + + return atf_no_error(); +} From a5a46411df3719e43f53f601a4a216ca5c12313e Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Tue, 14 Jan 2020 02:33:12 +0000 Subject: [PATCH 2/2] Simplify /dev/random and getrandom(GRND_RANDOM) semantics. Just clamp to 32-byte reads irrespective of whether we're doing entropy depletion. You shouldn't do bulk reads out of /dev/random. --- sys/kern/sys_getrandom.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/sys/kern/sys_getrandom.c b/sys/kern/sys_getrandom.c index b02bada23e0e..5d4887cff821 100644 --- a/sys/kern/sys_getrandom.c +++ b/sys/kern/sys_getrandom.c @@ -72,11 +72,12 @@ dogetrandom(struct uio *uio, unsigned int flags) buf = kmem_alloc(RANDOM_BUFSIZE, KM_SLEEP); /* - * Fast path: for short reads, if INSECURE, or if we have - * entropy and we're not doing depletion, just return it from - * the per-CPU cprng_strong. + * Fast path, for short reads other than from /dev/random: if + * INSECURE, or if we have entropy and we're not doing + * `depletion', just return it from the per-CPU cprng_strong. */ if (uio->uio_resid <= RANDOM_BUFSIZE && + !ISSET(flags, GRND_RANDOM) && (ISSET(flags, GRND_INSECURE) || (__predict_true(!atomic_load_relaxed(&entropy_depletion)) && __predict_true(entropy_epoch() != (unsigned)-1)))) { @@ -112,11 +113,10 @@ dogetrandom(struct uio *uio, unsigned int flags) size_t n = MIN(uio->uio_resid, RANDOM_BUFSIZE); /* - * If we're `depleting' and this is /dev/random, clamp - * to the smaller of the entropy capacity or the seed. + * If this is /dev/random, clamp to the smaller of the + * entropy capacity or the seed. */ - if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && - ISSET(flags, GRND_RANDOM)) { + if (ISSET(flags, GRND_RANDOM)) { n = MIN(n, ENTROPY_CAPACITY); n = MIN(n, sizeof seed); /* @@ -163,13 +163,11 @@ dogetrandom(struct uio *uio, unsigned int flags) break; /* - * If we're `depleting' and this is /dev/random, stop - * here, return what we have, and force the next read - * to reseed. Could grab more from the pool if - * possible without blocking, but that's more work. + * If this is /dev/random, stop here and return what we + * have, and force the next read to reseed. You're not + * supposed to draw lots of data from /dev/random. */ - if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && - ISSET(flags, GRND_RANDOM)) { + if (ISSET(flags, GRND_RANDOM)) { error = 0; break; }