xref: /freebsd/sys/kern/sys_getrandom.c (revision fdafd315ad0d0f28a11b9fb4476a9ab059c62b92) 
1e9ac2743SConrad Meyer /*-
24d846d26SWarner Losh  * SPDX-License-Identifier: BSD-2-Clause
3e9ac2743SConrad Meyer  *
4e9ac2743SConrad Meyer  * Copyright (c) 2018 Conrad Meyer <cem@FreeBSD.org>
5e9ac2743SConrad Meyer  * All rights reserved.
6e9ac2743SConrad Meyer  *
7e9ac2743SConrad Meyer  * Redistribution and use in source and binary forms, with or without
8e9ac2743SConrad Meyer  * modification, are permitted provided that the following conditions
9e9ac2743SConrad Meyer  * are met:
10e9ac2743SConrad Meyer  * 1. Redistributions of source code must retain the above copyright
11e9ac2743SConrad Meyer  *    notice, this list of conditions and the following disclaimer.
12e9ac2743SConrad Meyer  * 2. Redistributions in binary form must reproduce the above copyright
13e9ac2743SConrad Meyer  *    notice, this list of conditions and the following disclaimer in the
14e9ac2743SConrad Meyer  *    documentation and/or other materials provided with the distribution.
15e9ac2743SConrad Meyer  *
16e9ac2743SConrad Meyer  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17e9ac2743SConrad Meyer  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18e9ac2743SConrad Meyer  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19e9ac2743SConrad Meyer  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20e9ac2743SConrad Meyer  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21e9ac2743SConrad Meyer  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22e9ac2743SConrad Meyer  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23e9ac2743SConrad Meyer  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24e9ac2743SConrad Meyer  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25e9ac2743SConrad Meyer  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26e9ac2743SConrad Meyer  * SUCH DAMAGE.
27e9ac2743SConrad Meyer  */
28e9ac2743SConrad Meyer 
29e9ac2743SConrad Meyer #include <sys/param.h>
30e9ac2743SConrad Meyer #include <sys/errno.h>
31c37125d9SConrad Meyer #include <sys/limits.h>
32e9ac2743SConrad Meyer #include <sys/proc.h>
33e9ac2743SConrad Meyer #include <sys/random.h>
34e9ac2743SConrad Meyer #include <sys/sysproto.h>
35e9ac2743SConrad Meyer #include <sys/systm.h>
36e9ac2743SConrad Meyer #include <sys/uio.h>
37e9ac2743SConrad Meyer 
3886def3dcSConrad Meyer #define GRND_VALIDFLAGS	(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE)
39e9ac2743SConrad Meyer 
40e9ac2743SConrad Meyer /*
41*a4e4ea73SMitchell Horne  * read_random_uio(9) returns EWOULDBLOCK if a nonblocking request would block,
42e9ac2743SConrad Meyer  * but the Linux API name is EAGAIN.  On FreeBSD, they have the same numeric
43e9ac2743SConrad Meyer  * value for now.
44e9ac2743SConrad Meyer  */
45e9ac2743SConrad Meyer CTASSERT(EWOULDBLOCK == EAGAIN);
46e9ac2743SConrad Meyer 
47e9ac2743SConrad Meyer static int
kern_getrandom(struct thread * td,void * user_buf,size_t buflen,unsigned int flags)48e9ac2743SConrad Meyer kern_getrandom(struct thread *td, void *user_buf, size_t buflen,
49e9ac2743SConrad Meyer     unsigned int flags)
50e9ac2743SConrad Meyer {
51e9ac2743SConrad Meyer 	struct uio auio;
52e9ac2743SConrad Meyer 	struct iovec aiov;
53e9ac2743SConrad Meyer 	int error;
54e9ac2743SConrad Meyer 
55e9ac2743SConrad Meyer 	if ((flags & ~GRND_VALIDFLAGS) != 0)
56e9ac2743SConrad Meyer 		return (EINVAL);
57e9ac2743SConrad Meyer 	if (buflen > IOSIZE_MAX)
58e9ac2743SConrad Meyer 		return (EINVAL);
59e9ac2743SConrad Meyer 
6086def3dcSConrad Meyer 	/*
6186def3dcSConrad Meyer 	 * Linux compatibility: We have two choices for handling Linux's
6286def3dcSConrad Meyer 	 * GRND_INSECURE.
6386def3dcSConrad Meyer 	 *
6486def3dcSConrad Meyer 	 * 1. We could ignore it completely (like GRND_RANDOM).  However, this
6586def3dcSConrad Meyer 	 * might produce the surprising result of GRND_INSECURE requests
6686def3dcSConrad Meyer 	 * blocking, when the Linux API does not block.
6786def3dcSConrad Meyer 	 *
6886def3dcSConrad Meyer 	 * 2. Alternatively, we could treat GRND_INSECURE requests as requests
69365cd522SConrad Meyer 	 * for GRND_NONBLOCK.  Here, the surprising result for Linux programs
7086def3dcSConrad Meyer 	 * is that invocations with unseeded random(4) will produce EAGAIN,
7186def3dcSConrad Meyer 	 * rather than garbage.
7286def3dcSConrad Meyer 	 *
7386def3dcSConrad Meyer 	 * Honoring the flag in the way Linux does seems fraught.  If we
7486def3dcSConrad Meyer 	 * actually use the output of a random(4) implementation prior to
7586def3dcSConrad Meyer 	 * seeding, we leak some entropy about the initial seed to attackers.
7686def3dcSConrad Meyer 	 * This seems unacceptable -- it defeats the purpose of blocking on
7786def3dcSConrad Meyer 	 * initial seeding.
7886def3dcSConrad Meyer 	 *
7986def3dcSConrad Meyer 	 * Secondary to that concern, before seeding we may have arbitrarily
8086def3dcSConrad Meyer 	 * little entropy collected; producing output from zero or a handful of
8186def3dcSConrad Meyer 	 * entropy bits does not seem particularly useful to userspace.
8286def3dcSConrad Meyer 	 *
8386def3dcSConrad Meyer 	 * If userspace can accept garbage, insecure non-random bytes, they can
8486def3dcSConrad Meyer 	 * create their own insecure garbage with srandom(time(NULL)) or
8586def3dcSConrad Meyer 	 * similar.  Asking the kernel to produce it from the secure
8686def3dcSConrad Meyer 	 * getrandom(2) API seems inane.
8786def3dcSConrad Meyer 	 *
8886def3dcSConrad Meyer 	 * We elect to emulate GRND_INSECURE as an alternative spelling of
8986def3dcSConrad Meyer 	 * GRND_NONBLOCK (2).
9086def3dcSConrad Meyer 	 */
9186def3dcSConrad Meyer 	if ((flags & GRND_INSECURE) != 0)
9286def3dcSConrad Meyer 		flags |= GRND_NONBLOCK;
9386def3dcSConrad Meyer 
94e9ac2743SConrad Meyer 	if (buflen == 0) {
95e9ac2743SConrad Meyer 		td->td_retval[0] = 0;
96e9ac2743SConrad Meyer 		return (0);
97e9ac2743SConrad Meyer 	}
98e9ac2743SConrad Meyer 
99e9ac2743SConrad Meyer 	aiov.iov_base = user_buf;
100e9ac2743SConrad Meyer 	aiov.iov_len = buflen;
101e9ac2743SConrad Meyer 	auio.uio_iov = &aiov;
102e9ac2743SConrad Meyer 	auio.uio_iovcnt = 1;
103e9ac2743SConrad Meyer 	auio.uio_offset = 0;
104e9ac2743SConrad Meyer 	auio.uio_resid = buflen;
105e9ac2743SConrad Meyer 	auio.uio_segflg = UIO_USERSPACE;
106e9ac2743SConrad Meyer 	auio.uio_rw = UIO_READ;
107e9ac2743SConrad Meyer 	auio.uio_td = td;
108e9ac2743SConrad Meyer 
109e9ac2743SConrad Meyer 	error = read_random_uio(&auio, (flags & GRND_NONBLOCK) != 0);
110e9ac2743SConrad Meyer 	if (error == 0)
111e9ac2743SConrad Meyer 		td->td_retval[0] = buflen - auio.uio_resid;
112e9ac2743SConrad Meyer 	return (error);
113e9ac2743SConrad Meyer }
114e9ac2743SConrad Meyer 
115e9ac2743SConrad Meyer #ifndef _SYS_SYSPROTO_H_
116e9ac2743SConrad Meyer struct getrandom_args {
117e9ac2743SConrad Meyer 	void		*buf;
118e9ac2743SConrad Meyer 	size_t		buflen;
119e9ac2743SConrad Meyer 	unsigned int	flags;
120e9ac2743SConrad Meyer };
121e9ac2743SConrad Meyer #endif
122e9ac2743SConrad Meyer 
123e9ac2743SConrad Meyer int
sys_getrandom(struct thread * td,struct getrandom_args * uap)124e9ac2743SConrad Meyer sys_getrandom(struct thread *td, struct getrandom_args *uap)
125e9ac2743SConrad Meyer {
126e9ac2743SConrad Meyer 	return (kern_getrandom(td, uap->buf, uap->buflen, uap->flags));
127e9ac2743SConrad Meyer }
128