sys_getrandom.c revision 1.1
1 /* $NetBSD: sys_getrandom.c,v 1.1 2020/08/14 00:53:16 riastradh Exp $ */ 2 3 /*- 4 * Copyright (c) 2020 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Taylor R. Campbell. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 /* 33 * getrandom() system call 34 */ 35 36 #include <sys/cdefs.h> 37 __KERNEL_RCSID(0, "$NetBSD: sys_getrandom.c,v 1.1 2020/08/14 00:53:16 riastradh Exp $"); 38 39 #include <sys/types.h> 40 #include <sys/param.h> 41 42 #include <sys/atomic.h> 43 #include <sys/cprng.h> 44 #include <sys/entropy.h> 45 #include <sys/kmem.h> 46 #include <sys/lwp.h> 47 #include <sys/proc.h> 48 #include <sys/random.h> 49 #include <sys/sched.h> 50 #include <sys/signalvar.h> 51 #include <sys/syscallargs.h> 52 #include <sys/uio.h> 53 54 #include <crypto/nist_hash_drbg/nist_hash_drbg.h> 55 56 #define RANDOM_BUFSIZE 512 57 58 int 59 dogetrandom(struct uio *uio, unsigned int flags) 60 { 61 uint8_t seed[NIST_HASH_DRBG_SEEDLEN_BYTES] = {0}; 62 struct nist_hash_drbg drbg; 63 uint8_t *buf; 64 int extractflags = 0; 65 int error; 66 67 KASSERT((flags & ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)) == 0); 68 KASSERT((flags & (GRND_RANDOM|GRND_INSECURE)) != 69 (GRND_RANDOM|GRND_INSECURE)); 70 71 /* Get a buffer for transfers. */ 72 buf = kmem_alloc(RANDOM_BUFSIZE, KM_SLEEP); 73 74 /* 75 * Fast path: for short reads other than from /dev/random, if 76 * seeded or if INSECURE, just draw from per-CPU cprng_strong. 77 */ 78 if (uio->uio_resid <= RANDOM_BUFSIZE && 79 !ISSET(flags, GRND_RANDOM) && 80 (entropy_ready() || ISSET(flags, GRND_INSECURE))) { 81 /* Generate data and transfer it out. */ 82 cprng_strong(user_cprng, buf, uio->uio_resid, 0); 83 error = uiomove(buf, uio->uio_resid, uio); 84 goto out; 85 } 86 87 /* 88 * Try to get a seed from the entropy pool. Fail if we would 89 * block. If GRND_INSECURE, always return something even if it 90 * is partial entropy; if !GRND_INSECURE, set ENTROPY_HARDFAIL 91 * in order to tell entropy_extract not to bother drawing 92 * anything from a partial pool if we can't get full entropy. 93 */ 94 if (!ISSET(flags, GRND_NONBLOCK) && !ISSET(flags, GRND_INSECURE)) 95 extractflags |= ENTROPY_WAIT|ENTROPY_SIG; 96 if (!ISSET(flags, GRND_INSECURE)) 97 extractflags |= ENTROPY_HARDFAIL; 98 error = entropy_extract(seed, sizeof seed, extractflags); 99 if (error && !ISSET(flags, GRND_INSECURE)) 100 goto out; 101 102 /* Instantiate the DRBG. */ 103 if (nist_hash_drbg_instantiate(&drbg, seed, sizeof seed, NULL, 0, 104 NULL, 0)) 105 panic("nist_hash_drbg_instantiate"); 106 107 /* Promptly zero the seed. */ 108 explicit_memset(seed, 0, sizeof seed); 109 110 /* Generate data. */ 111 error = 0; 112 while (uio->uio_resid) { 113 size_t n = MIN(uio->uio_resid, RANDOM_BUFSIZE); 114 115 /* 116 * Clamp /dev/random output to the entropy capacity and 117 * seed size. Programs can't rely on long reads. 118 */ 119 if (ISSET(flags, GRND_RANDOM)) { 120 n = MIN(n, ENTROPY_CAPACITY); 121 n = MIN(n, sizeof seed); 122 /* 123 * Guarantee never to return more than one 124 * buffer in this case to minimize bookkeeping. 125 */ 126 CTASSERT(ENTROPY_CAPACITY <= RANDOM_BUFSIZE); 127 CTASSERT(sizeof seed <= RANDOM_BUFSIZE); 128 } 129 130 /* 131 * Try to generate a block of data, but if we've hit 132 * the DRBG reseed interval, reseed. 133 */ 134 if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) { 135 /* 136 * Get a fresh seed without blocking -- we have 137 * already generated some output so it is not 138 * useful to block. This can fail only if the 139 * request is obscenely large, so it is OK for 140 * either /dev/random or /dev/urandom to fail: 141 * we make no promises about gigabyte-sized 142 * reads happening all at once. 143 */ 144 error = entropy_extract(seed, sizeof seed, 145 ENTROPY_HARDFAIL); 146 if (error) 147 break; 148 149 /* Reseed and try again. */ 150 if (nist_hash_drbg_reseed(&drbg, seed, sizeof seed, 151 NULL, 0)) 152 panic("nist_hash_drbg_reseed"); 153 154 /* Promptly zero the seed. */ 155 explicit_memset(seed, 0, sizeof seed); 156 157 /* If it fails now, that's a bug. */ 158 if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) 159 panic("nist_hash_drbg_generate"); 160 } 161 162 /* Transfer n bytes out. */ 163 error = uiomove(buf, n, uio); 164 if (error) 165 break; 166 167 /* 168 * If this is /dev/random, stop here, return what we 169 * have, and force the next read to reseed. Programs 170 * can't rely on /dev/random for long reads. 171 */ 172 if (ISSET(flags, GRND_RANDOM)) { 173 error = 0; 174 break; 175 } 176 177 /* Yield if requested. */ 178 if (curcpu()->ci_schedstate.spc_flags & SPCF_SHOULDYIELD) 179 preempt(); 180 181 /* Check for interruption after at least 256 bytes. */ 182 CTASSERT(RANDOM_BUFSIZE >= 256); 183 if (__predict_false(curlwp->l_flag & LW_PENDSIG) && 184 sigispending(curlwp, 0)) { 185 error = EINTR; 186 break; 187 } 188 } 189 190 out: /* Zero the buffer and free it. */ 191 explicit_memset(buf, 0, RANDOM_BUFSIZE); 192 kmem_free(buf, RANDOM_BUFSIZE); 193 194 return error; 195 } 196 197 int 198 sys_getrandom(struct lwp *l, const struct sys_getrandom_args *uap, 199 register_t *retval) 200 { 201 /* { 202 syscallarg(void *) buf; 203 syscallarg(size_t) buflen; 204 syscallarg(unsigned) flags; 205 } */ 206 void *buf = SCARG(uap, buf); 207 size_t buflen = SCARG(uap, buflen); 208 int flags = SCARG(uap, flags); 209 int error; 210 211 /* Set up an iov and uio to read into the user's buffer. */ 212 struct iovec iov = { .iov_base = buf, .iov_len = buflen }; 213 struct uio uio = { 214 .uio_iov = &iov, 215 .uio_iovcnt = 1, 216 .uio_offset = 0, 217 .uio_resid = buflen, 218 .uio_rw = UIO_READ, 219 .uio_vmspace = curproc->p_vmspace, 220 }; 221 222 /* Validate the flags. */ 223 if (flags & ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)) { 224 /* Unknown flags. */ 225 error = EINVAL; 226 goto out; 227 } 228 if ((flags & (GRND_RANDOM|GRND_INSECURE)) == 229 (GRND_RANDOM|GRND_INSECURE)) { 230 /* Nonsensical combination. */ 231 error = EINVAL; 232 goto out; 233 } 234 235 /* Do it. */ 236 error = dogetrandom(&uio, flags); 237 238 out: /* 239 * If we transferred anything, return the number of bytes 240 * transferred and suppress error; otherwise return the error. 241 */ 242 *retval = buflen - uio.uio_resid; 243 if (*retval) 244 error = 0; 245 return error; 246 } 247
Indexes created Sun Sep 21 16:09:51 GMT 2025