From 4228200606be25d9b3f898bb4f6c076d19987a69 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Mon, 13 Jan 2020 22:26:24 +0000 Subject: [PATCH 1/3] New system call getrandom() compatible with Linux. Three ways to call: getrandom(p, n, 0) Block; then return up to n bytes at p, guaranteeing >=256 bytes even if interrupted after blocking. Can be used as getrandom(NULL,0,0) to serve as `entropy barrier': return only after system is seeded. getrandom(p, n, GRND_INSECURE) Never block; guarantee >=256 bytes even if interrupted. Equivalent to /dev/urandom. Safe only after successful getrandom(..., 0), getrandom(..., GRND_RANDOM), or read from /dev/random. getrandom(p, n, GRND_RANDOM) Block; then return up to n bytes at p, but no guarantees about how many. Equivalent to /dev/random. Legacy. Can also use flags|GRND_NONBLOCK to fail with EWOULDBLOCK/EAGAIN instead of blocking. (GRND_INSECURE|GRND_NONBLOCK is the same as GRND_INSECURE; GRND_INSECURE|GRND_RANDOM isn't very useful but technically works to return a very short read.) --- distrib/sets/lists/comp/mi | 3 + distrib/sets/lists/tests/mi | 1 + lib/libc/sys/Makefile.inc | 7 +- lib/libc/sys/getrandom.2 | 252 ++++++++++++++++++++ sys/dev/random.c | 186 ++------------- sys/kern/files.kern | 1 + sys/kern/kern_entropy.c | 14 +- sys/kern/sys_getrandom.c | 244 +++++++++++++++++++ sys/kern/syscalls.master | 2 + sys/rump/librump/rumpkern/Makefile.rumpkern | 1 + sys/sys/Makefile | 2 +- sys/sys/entropy.h | 5 +- sys/sys/random.h | 69 ++++++ tests/lib/libc/sys/Makefile | 1 + tests/lib/libc/sys/t_getrandom.c | 170 +++++++++++++ 15 files changed, 787 insertions(+), 171 deletions(-) create mode 100644 lib/libc/sys/getrandom.2 create mode 100644 sys/kern/sys_getrandom.c create mode 100644 sys/sys/random.h create mode 100644 tests/lib/libc/sys/t_getrandom.c diff --git a/distrib/sets/lists/comp/mi b/distrib/sets/lists/comp/mi index 111541d09dde..2c4cacb9ba6e 100644 --- a/distrib/sets/lists/comp/mi +++ b/distrib/sets/lists/comp/mi @@ -3104,6 +3104,7 @@ ./usr/include/sys/quotactl.h comp-c-include ./usr/include/sys/radioio.h comp-c-include ./usr/include/sys/radixtree.h comp-c-include +./usr/include/sys/random.h comp-c-include ./usr/include/sys/ras.h comp-c-include ./usr/include/sys/rb.h comp-obsolete obsolete ./usr/include/sys/rbtree.h comp-c-include @@ -12470,6 +12471,7 @@ ./usr/share/man/html2/getpid.html comp-c-htmlman html ./usr/share/man/html2/getppid.html comp-c-htmlman html ./usr/share/man/html2/getpriority.html comp-c-htmlman html +./usr/share/man/html2/getrandom.html comp-c-htmlman html ./usr/share/man/html2/getrlimit.html comp-c-htmlman html ./usr/share/man/html2/getrusage.html comp-c-htmlman html ./usr/share/man/html2/getsid.html comp-c-htmlman html @@ -20371,6 +20373,7 @@ ./usr/share/man/man2/getpid.2 comp-c-man .man ./usr/share/man/man2/getppid.2 comp-c-man .man ./usr/share/man/man2/getpriority.2 comp-c-man .man +./usr/share/man/man2/getrandom.2 comp-c-man .man ./usr/share/man/man2/getrlimit.2 comp-c-man .man ./usr/share/man/man2/getrusage.2 comp-c-man .man ./usr/share/man/man2/getsid.2 comp-c-man .man diff --git a/distrib/sets/lists/tests/mi b/distrib/sets/lists/tests/mi index a138e5206b91..e317d3c52457 100644 --- a/distrib/sets/lists/tests/mi +++ b/distrib/sets/lists/tests/mi @@ -3116,6 +3116,7 @@ ./usr/tests/lib/libc/sys/t_getitimer tests-lib-tests compattestfile,atf ./usr/tests/lib/libc/sys/t_getlogin tests-lib-tests compattestfile,atf ./usr/tests/lib/libc/sys/t_getpid tests-lib-tests compattestfile,atf +./usr/tests/lib/libc/sys/t_getrandom tests-lib-tests compattestfile,atf ./usr/tests/lib/libc/sys/t_getrusage tests-lib-tests compattestfile,atf ./usr/tests/lib/libc/sys/t_getsid tests-lib-tests compattestfile,atf ./usr/tests/lib/libc/sys/t_getsockname tests-lib-tests compattestfile,atf diff --git a/lib/libc/sys/Makefile.inc b/lib/libc/sys/Makefile.inc index 7eddf7e3fc19..d7faaefef29a 100644 --- a/lib/libc/sys/Makefile.inc +++ b/lib/libc/sys/Makefile.inc @@ -110,7 +110,7 @@ ASM= access.S acct.S \ __fstatvfs190.S fstatat.S __futimes50.S futimens.S \ __getcwd.S __getdents30.S __getfh30.S __getvfsstat90.S getgroups.S\ __getitimer50.S __getlogin.S getpeername.S getpgid.S getpgrp.S \ - getpriority.S getrlimit.S __getrusage50.S getsid.S \ + getpriority.S getrandom.S getrlimit.S __getrusage50.S getsid.S \ getsockname.S getsockopt.S getsockopt2.S __gettimeofday50.S \ ioctl.S \ kqueue.S kqueue1.S ktrace.S \ @@ -250,8 +250,9 @@ MAN+= accept.2 access.2 acct.2 adjtime.2 bind.2 brk.2 chdir.2 \ flock.2 fork.2 fsync.2 getcontext.2 getdents.2 \ getfh.2 getvfsstat.2 getgid.2 getgroups.2 \ getitimer.2 getlogin.2 getpeername.2 getpgrp.2 getpid.2 \ - getpriority.2 getrlimit.2 getrusage.2 getsid.2 getsockname.2 \ - getsockopt.2 gettimeofday.2 getuid.2 intro.2 ioctl.2 issetugid.2 \ + getpriority.2 getrandom.2 getrlimit.2 getrusage.2 getsid.2 \ + getsockname.2 getsockopt.2 gettimeofday.2 getuid.2\ + intro.2 ioctl.2 issetugid.2 \ kill.2 kqueue.2 ktrace.2 _ksem.2 \ lfs_bmapv.2 lfs_markv.2 lfs_segclean.2 lfs_segwait.2 \ link.2 listen.2 lseek.2 \ diff --git a/lib/libc/sys/getrandom.2 b/lib/libc/sys/getrandom.2 new file mode 100644 index 000000000000..fcd1d41d431c --- /dev/null +++ b/lib/libc/sys/getrandom.2 @@ -0,0 +1,252 @@ +.\" $NetBSD$ +.\" +.\" Copyright (c) 2020 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" This code is derived from software contributed to The NetBSD Foundation +.\" by Taylor R. Campbell. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd January 13, 2020 +.Dt GETRANDOM 2 +.Os +.Sh NAME +.Nm getrandom +.Nd random number generation from system entropy +.Sh LIBRARY +.Lb libc +.Sh SYNOPSIS +.In sys/random.h +.Ft ssize_t +.Fn getrandom "void *buf" "size_t buflen" "unsigned int flags" +.Sh DESCRIPTION +The +.Nm +function fills +.Fa buf +with up to +.Fa buflen +independent uniform random bytes derived from the system's entropy +pool. +.Pp +The function may block until the system has full entropy, meaning that +the system has observed enough noise from physical processes that an +adversary cannot predict what state it is in: +.Bl -bullet -compact +.It +When the system has only partial entropy, the output of +.Fn getrandom +may be predictable. +.It +When the system has full entropy, the output is fit for use as +cryptographic key material. +.El +.Pp +The +.Fa flags +argument may be: +.Bl -tag -offset abcd -width GRND_INSECURE +.It Li 0 +Block until the system entropy pool has full entropy; then generate +arbitrarily much data. +.Em Recommended . +.Pp +If interrupted by a signal, may fail with +.Er EINTR +or return a short read. +If successful, guaranteed to return at least 256 bytes even if +interrupted. +.It Dv GRND_INSECURE +Do not block; instead fill +.Fa buf +with output derived from whatever is in the system entropy pool so +far. +Equivalent to reading from +.Pa /dev/urandom ; +see +.Xr rnd 4 . +.Pp +If interrupted by a signal, may fail with +.Er EINTR +or return a short read. +If successful, guaranteed to return at least 256 bytes even if +interrupted. +.Pp +Despite the name, this is secure as long as you only do it +.Em after +at least one successful call without +.Dv GRND_INSECURE , +such as +.Li "getrandom(..., 0)" +or +.Li "getrandom(..., GRND_RANDOM)" , +or after reading at least one byte from +.Pa /dev/random . +.Pp +.Sy WARNING : +If you use +.Dv GRND_INSECURE +.Em before +the system has full entropy. the output may enable an adversary to +search the possible states of the entropy pool by brute force, and +thereby reduce its entropy to zero. +Thus, incautious use of +.Dv GRND_INSECURE +can ruin the security of the whole system. +.It Dv GRND_RANDOM +Block until the system entropy pool has full entropy; then generate a +small amount of data. +Equivalent to reading from +.Pa /dev/random ; +see +.Xr rnd 4 . +This is provided mainly for source compatibility with Linux; there is +essentially no reason to ever use it. +.El +.Pp +The flag +.Dv GNRD_NONBLOCK +may also be included with bitwise-OR, in which case if +.Fn getrandom +would have blocked without +.Dv GRND_NONBLOCK , +it returns +.Er EAGAIN +instead. +.Pp +Adding +.Dv GRND_NONBLOCK +to +.Dv GRND_INSECURE +has no effect; the combination +.Dv GRND_INSECURE Ns Li "|" Ns Li GRND_NONBLOCK +is equivalent to +.Dv GRND_INSECURE , +since +.Dv GRND_INSECURE +never blocks. +The combination +.Dv GRND_INSECURE Ns Li "|" Ns Li GRND_RANDOM +is nonsensical and fails with +.Er EINVAL . +.Sh RETURN VALUES +If successful, +.Fn getrandom +returns the number of bytes stored in +.Fa buf . +Otherwise, +.Fn getrandom +returns \-1 and sets +.Va errno . +.Sh EXAMPLES +.Sy Recommended usage . +Generate a key for cryptography: +.Bd -literal + uint8_t secretkey[32]; + + if (getrandom(secretkey, sizeof secretkey, 0) == -1) + err(EXIT_FAILURE, "getrandom"); + crypto_secretbox_xsalsa20poly1305(..., secretkey); +.Ed +.Pp +Other idioms for illustration: +.Bl -bullet +.It +Wait for entropy once, and then generate many keys without waiting: +.Bd -literal + struct { uint8_t key[32]; } user[100]; + + if (getrandom(NULL, 0, 0) == -1) + err(EXIT_FAILURE, "getrandom"); + for (i = 0; i < 100; i++) + getrandom(user[i].key, sizeof user[i].key, + GRND_INSECURE); +.Ed +.It +Twiddle thumbs while waiting for entropy: +.Bd -literal + uint8_t secretkey[32]; + + while (getrandom(secretkey, sizeof secretkey, GRND_NONBLOCK) + == -1) { + if (errno != EAGAIN) + err(EXIT_FAILURE, "getrandom"); + twiddle_thumbs(); + } + crypto_secretbox_xsalsa20poly1305(..., secretkey); +.Ed +.El +.Pp +(No examples of +.Dv GRND_RANDOM +because it is not useful.) +.Sh ERRORS +.Bl -tag -width Er +.It Bq Er EAGAIN +The +.Dv GRND_NONBLOCK +flag was specified, and the system entropy pool does not have full +entropy. +.It Bq Er EINTR +The +.Dv GRND_NONBLOCK +flag was +.Em not +specified, the system entropy pool does not have full entropy, and the +process was interrupted by a signal while waiting. +.It Bq Er EINVAL +.Fa flags +contains an unrecognized flag or a nonsensical combination of flags. +.It Bq Er EFAULT +.Fa buf +points outside the allocated address space. +.El +.Sh SEE ALSO +.Xr rnd 4 +.Sh HISTORY +The +.Nm +system call first appeared in Linux 3.17, and was added to +.Nx 10.0 . +.Sh AUTHORS +The +.Nx +implementation of +.Nm +and this man page were written by +.An Taylor R Campbell Aq Mt riastradh@NetBSD.org . +.Sh BUGS +There is no way to multiplex waiting for +.Fn getrandom +with other I/O in +.Xr select 2 , +.Xr poll 2 , +or +.Xr kqueue 2 . +Instead, you can wait for a read from +.Pa /dev/random ; +see +.Xr rnd 4 . +.Pp +.Dv GRND_RANDOM +is a little silly. diff --git a/sys/dev/random.c b/sys/dev/random.c index 0ddf031add6f..c27a3ba2275d 100644 --- a/sys/dev/random.c +++ b/sys/dev/random.c @@ -60,16 +60,15 @@ __KERNEL_RCSID(0, "$NetBSD$"); #include #include #include +#include #include #include -#include +#include #include #include #include #include -#include - #include "ioconf.h" static dev_type_open(random_open); @@ -109,7 +108,6 @@ EVCNT_ATTACH_STATIC(devrandom_open); EVCNT_ATTACH_STATIC(devurandom_open); #define RANDOM_BUFSIZE 512 /* XXX pulled from arse */ -static pool_cache_t random_buf_pc __read_mostly; /* Entropy source for writes to /dev/random and /dev/urandom */ static krndsource_t user_rndsource; @@ -118,8 +116,6 @@ void rndattach(int num) { - random_buf_pc = pool_cache_init(RANDOM_BUFSIZE, 0, 0, 0, - "randombuf", NULL, IPL_NONE, NULL, NULL, NULL); rnd_attach_source(&user_rndsource, "/dev/random", RND_TYPE_UNKNOWN, RND_FLAG_COLLECT_VALUE); } @@ -227,161 +223,30 @@ random_kqfilter(dev_t dev, struct knote *kn) static int random_read(dev_t dev, struct uio *uio, int flags) { - uint8_t seed[NIST_HASH_DRBG_SEEDLEN_BYTES] = {0}; - struct nist_hash_drbg drbg; - uint8_t *buf; - int extractflags; - bool interruptible; - int error; - - /* Get a buffer for transfers. */ - buf = pool_cache_get(random_buf_pc, PR_WAITOK); - - /* - * If it's a short read from /dev/urandom, just generate the - * output directly with per-CPU cprng_strong. - */ - if (minor(dev) == RND_DEV_URANDOM && - uio->uio_resid <= RANDOM_BUFSIZE) { - /* Generate data and transfer it out. */ - cprng_strong(user_cprng, buf, uio->uio_resid, 0); - error = uiomove(buf, uio->uio_resid, uio); - goto out; - } - - /* - * If we're doing a blocking read from /dev/random, wait - * interruptibly. Otherwise, don't wait. - */ - if (minor(dev) == RND_DEV_RANDOM && !ISSET(flags, FNONBLOCK)) - extractflags = ENTROPY_WAIT|ENTROPY_SIG; - else - extractflags = 0; - - /* - * Query the entropy pool. For /dev/random, stop here if this - * fails. For /dev/urandom, go on either way -- - * entropy_extract will always fill the buffer with what we - * have from the global pool. - */ - error = entropy_extract(seed, sizeof seed, extractflags); - if (minor(dev) == RND_DEV_RANDOM && error) - goto out; - - /* Instantiate the DRBG. */ - if (nist_hash_drbg_instantiate(&drbg, seed, sizeof seed, NULL, 0, - NULL, 0)) - panic("nist_hash_drbg_instantiate"); - - /* Promptly zero the seed. */ - explicit_memset(seed, 0, sizeof seed); - - /* - * Generate data. Assume no error until failure. No - * interruption at this point until we've generated at least - * one block of output. - */ - error = 0; - interruptible = false; - while (uio->uio_resid) { - size_t n = uio->uio_resid; - - /* No more than one buffer's worth. */ - n = MIN(n, RANDOM_BUFSIZE); - - /* - * If we're `depleting' and this is /dev/random, clamp - * to the smaller of the entropy capacity or the seed. - */ - if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && - minor(dev) == RND_DEV_RANDOM) { - n = MIN(n, ENTROPY_CAPACITY); - n = MIN(n, sizeof seed); - /* - * Guarantee never to return more than one - * buffer in this case to minimize bookkeeping. - */ - CTASSERT(ENTROPY_CAPACITY <= RANDOM_BUFSIZE); - CTASSERT(sizeof seed <= RANDOM_BUFSIZE); - } - - /* Yield if requested. */ - if (curcpu()->ci_schedstate.spc_flags & SPCF_SHOULDYIELD) - preempt(); - - /* - * Allow interruption, but only after providing a - * minimum number of bytes. - */ - CTASSERT(RANDOM_BUFSIZE >= 256); - /* Check for interruption. */ - if (__predict_false(curlwp->l_flag & LW_PENDSIG) && - interruptible && sigispending(curlwp, 0)) { - error = EINTR; /* XXX ERESTART? */ - break; - } - - /* - * Try to generate a block of data, but if we've hit - * the DRBG reseed interval, reseed. - */ - if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) { - /* - * Get a fresh seed without blocking -- we have - * already generated some output so it is not - * useful to block. This can fail only if the - * request is obscenely large, so it is OK for - * either /dev/random or /dev/urandom to fail: - * we make no promises about gigabyte-sized - * reads happening all at once. - */ - error = entropy_extract(seed, sizeof seed, 0); - if (error) - break; - - /* Reseed and try again. */ - if (nist_hash_drbg_reseed(&drbg, seed, sizeof seed, - NULL, 0)) - panic("nist_hash_drbg_reseed"); - - /* Promptly zero the seed. */ - explicit_memset(seed, 0, sizeof seed); - - /* If it fails now, that's a bug. */ - if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) - panic("nist_hash_drbg_generate"); - } - - /* Transfer n bytes out. */ - error = uiomove(buf, n, uio); - if (error) - break; - - /* - * If we're `depleting' and this is /dev/random, stop - * here, return what we have, and force the next read - * to reseed. Could grab more from the pool if - * possible without blocking, but that's more - * work. - */ - if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && - minor(dev) == RND_DEV_RANDOM) { - error = 0; - break; - } + int gflags; + /* Set the appropriate GRND_* flags. */ + switch (minor(dev)) { + case RND_DEV_RANDOM: + gflags = GRND_RANDOM; + break; + case RND_DEV_URANDOM: /* - * We have generated one block of output, so it is - * reasonable to allow interruption after this point. + * Misnomer from Linux -- it's only insecure if you do + * it before reading at least one byte of /dev/random. */ - interruptible = true; + gflags = GRND_INSECURE; + break; + default: + return ENXIO; } -out: /* Zero the buffer and return it to the pool cache. */ - explicit_memset(buf, 0, RANDOM_BUFSIZE); - pool_cache_put(random_buf_pc, buf); + /* Set GRND_NONBLOCK if user requested FNONBLOCK. */ + if (flags & FNONBLOCK) + gflags |= GRND_NONBLOCK; - return error; + /* Defer to getrandom. */ + return dogetrandom(uio, gflags); } /* @@ -419,14 +284,11 @@ random_write(dev_t dev, struct uio *uio, int flags) privileged = true; /* Get a buffer for transfers. */ - buf = pool_cache_get(random_buf_pc, PR_WAITOK); + buf = kmem_alloc(RANDOM_BUFSIZE, KM_SLEEP); /* Consume data. */ while (uio->uio_resid) { - size_t n = uio->uio_resid; - - /* No more than one buffer's worth in one step. */ - n = MIN(uio->uio_resid, RANDOM_BUFSIZE); + size_t n = MIN(uio->uio_resid, RANDOM_BUFSIZE); /* Yield if requested. */ if (curcpu()->ci_schedstate.spc_flags & SPCF_SHOULDYIELD) @@ -446,8 +308,8 @@ random_write(dev_t dev, struct uio *uio, int flags) rnd_add_data(&user_rndsource, buf, n, privileged ? n*NBBY : 0); } - /* Zero the buffer and return it to the pool cache. */ + /* Zero the buffer and free it. */ explicit_memset(buf, 0, RANDOM_BUFSIZE); - pool_cache_put(random_buf_pc, buf); + kmem_free(buf, RANDOM_BUFSIZE); return error; } diff --git a/sys/kern/files.kern b/sys/kern/files.kern index 2217df5f2c76..c1ade4a1590a 100644 --- a/sys/kern/files.kern +++ b/sys/kern/files.kern @@ -154,6 +154,7 @@ file kern/subr_xcall.c kern file kern/sys_aio.c aio file kern/sys_descrip.c kern file kern/sys_generic.c kern +file kern/sys_getrandom.c kern file kern/sys_module.c kern file kern/sys_mqueue.c mqueue file kern/sys_lwp.c kern diff --git a/sys/kern/kern_entropy.c b/sys/kern/kern_entropy.c index 1497f2f6a001..06b4ef8869b3 100644 --- a/sys/kern/kern_entropy.c +++ b/sys/kern/kern_entropy.c @@ -1173,6 +1173,8 @@ sysctl_entropy_consolidate(SYSCTLFN_ARGS) * * ENTROPY_WAIT Wait for entropy if not available yet. * ENTROPY_SIG Allow interruption by a signal during wait. + * ENTROPY_NOPARTIAL Either fill the buffer with full entropy, + * or fail without filling it at all. * * Return zero on success, or error on failure: * @@ -1234,9 +1236,15 @@ entropy_extract(void *buf, size_t len, int flags) } } - /* Count failure -- but fill the buffer nevertheless. */ - if (error) + /* + * Count failure -- but fill the buffer nevertheless, unless + * the caller specified ENTROPY_NOPARTIAL. + */ + if (error) { + if (ISSET(flags, ENTROPY_NOPARTIAL)) + goto out; entropy_extract_fail_evcnt.ev_count++; + } /* * Report a warning if we have never yet reached full entropy. @@ -1266,7 +1274,7 @@ entropy_extract(void *buf, size_t len, int flags) entropy_deplete_evcnt.ev_count++; } - /* Release the global lock and return the error. */ +out: /* Release the global lock and return the error. */ if (E->stage >= ENTROPY_WARM) mutex_exit(&E->lock); return error; diff --git a/sys/kern/sys_getrandom.c b/sys/kern/sys_getrandom.c new file mode 100644 index 000000000000..b02bada23e0e --- /dev/null +++ b/sys/kern/sys_getrandom.c @@ -0,0 +1,244 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2020 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * getrandom() system call + */ + +#include +__KERNEL_RCSID(0, "$NetBSD$"); + +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#define RANDOM_BUFSIZE 512 + +int +dogetrandom(struct uio *uio, unsigned int flags) +{ + uint8_t seed[NIST_HASH_DRBG_SEEDLEN_BYTES] = {0}; + struct nist_hash_drbg drbg; + void *buf; + int eflags = 0; + int error; + + KASSERT((flags & ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)) == 0); + KASSERT((flags & (GRND_RANDOM|GRND_INSECURE)) != + (GRND_RANDOM|GRND_INSECURE)); + + /* Allocate a buffer. */ + buf = kmem_alloc(RANDOM_BUFSIZE, KM_SLEEP); + + /* + * Fast path: for short reads, if INSECURE, or if we have + * entropy and we're not doing depletion, just return it from + * the per-CPU cprng_strong. + */ + if (uio->uio_resid <= RANDOM_BUFSIZE && + (ISSET(flags, GRND_INSECURE) || + (__predict_true(!atomic_load_relaxed(&entropy_depletion)) && + __predict_true(entropy_epoch() != (unsigned)-1)))) { + cprng_strong(user_cprng, buf, uio->uio_resid, 0); + error = uiomove(buf, uio->uio_resid, uio); + goto out; + } + + /* + * Try to get a seed from the entropy pool. Fail if we would + * block. If GRND_INSECURE, always return something even if it + * is partial entropy; if !GRND_INSECURE, set ENTROPY_NOPARTIAL + * in order to tell entropy_extract not to bother drawing + * anything from a partial pool if we can't get full entropy. + */ + if (!ISSET(flags, GRND_NONBLOCK) && !ISSET(flags, GRND_INSECURE)) + eflags |= ENTROPY_WAIT|ENTROPY_SIG; + if (!ISSET(flags, GRND_INSECURE)) + eflags |= ENTROPY_NOPARTIAL; + error = entropy_extract(seed, sizeof seed, eflags); + if (error && !ISSET(flags, GRND_INSECURE)) + goto out; + + /* Instantiate the DRBG and promptly zero the seed. */ + if (nist_hash_drbg_instantiate(&drbg, seed, sizeof seed, NULL, 0, + NULL, 0)) + panic("nist_hash_drbg_instantiate"); + explicit_memset(seed, 0, sizeof seed); + + /* Generate data. */ + error = 0; + while (uio->uio_resid) { + size_t n = MIN(uio->uio_resid, RANDOM_BUFSIZE); + + /* + * If we're `depleting' and this is /dev/random, clamp + * to the smaller of the entropy capacity or the seed. + */ + if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && + ISSET(flags, GRND_RANDOM)) { + n = MIN(n, ENTROPY_CAPACITY); + n = MIN(n, sizeof seed); + /* + * Guarantee never to return more than one + * buffer in this case to minimize bookkeeping. + */ + CTASSERT(ENTROPY_CAPACITY <= RANDOM_BUFSIZE); + CTASSERT(sizeof seed <= RANDOM_BUFSIZE); + } + + /* + * Try to generate a block of data, but if we've hit + * the DRBG reseed interval, reseed. + */ + if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) { + /* + * Get a fresh seed without blocking -- we have + * already generated some output so it is not + * useful to block. This can fail only if the + * request is obscenely large, so it is OK for + * either /dev/random or /dev/urandom to fail: + * we make no promises about gigabyte-sized + * reads happening all at once. + */ + error = entropy_extract(seed, sizeof seed, + ENTROPY_NOPARTIAL); + if (error) + break; + + /* Reseed, promptly zero seed, and try again. */ + if (nist_hash_drbg_reseed(&drbg, seed, sizeof seed, + NULL, 0)) + panic("nist_hash_drbg_reseed"); + explicit_memset(seed, 0, sizeof seed); + + /* If it fails now, that's a bug. */ + if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) + panic("nist_hash_drbg_generate"); + } + + /* Transfer n bytes out. */ + error = uiomove(buf, n, uio); + if (error) + break; + + /* + * If we're `depleting' and this is /dev/random, stop + * here, return what we have, and force the next read + * to reseed. Could grab more from the pool if + * possible without blocking, but that's more work. + */ + if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && + ISSET(flags, GRND_RANDOM)) { + error = 0; + break; + } + + /* Yield if requested. */ + if (curcpu()->ci_schedstate.spc_flags & SPCF_SHOULDYIELD) + preempt(); + + /* Check for interruption after at least one transfer. */ + if (__predict_false(curlwp->l_flag & LW_PENDSIG) && + sigispending(curlwp, 0)) { + error = EINTR; + break; + } + } + +out: /* Zero and free the buffer, and we're done -- return any error. */ + explicit_memset(buf, 0, RANDOM_BUFSIZE); + kmem_free(buf, RANDOM_BUFSIZE); + return error; +} + +int +sys_getrandom(struct lwp *l, const struct sys_getrandom_args *uap, + register_t *retval) +{ + /* { + syscallarg(void *) buf; + syscallarg(size_t) buflen; + syscallarg(unsigned) flags; + } */ + void *buf = SCARG(uap, buf); + size_t buflen = SCARG(uap, buflen); + int flags = SCARG(uap, flags); + int error; + + /* Set up an iov and uio to read into the user's buffer. */ + struct iovec iov = { .iov_base = buf, .iov_len = buflen }; + struct uio uio = { + .uio_iov = &iov, + .uio_iovcnt = 1, + .uio_offset = 0, + .uio_resid = buflen, + .uio_rw = UIO_READ, + .uio_vmspace = curproc->p_vmspace, + }; + + /* Validate the flags. */ + if (flags & ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)) { + /* Unknown flags. */ + error = EINVAL; + goto out; + } + if ((flags & (GRND_RANDOM|GRND_INSECURE)) == + (GRND_RANDOM|GRND_INSECURE)) { + /* Nonsensical combination. */ + error = EINVAL; + goto out; + } + + /* Do it. */ + error = dogetrandom(&uio, flags); + +out: /* + * If we transferred anything, return the number of bytes + * transferred and suppress error; otherwise return the error. + */ + *retval = buflen - uio.uio_resid; + if (*retval) + error = 0; + return error; +} diff --git a/sys/kern/syscalls.master b/sys/kern/syscalls.master index d950452a71fe..d0eb999b9dcc 100644 --- a/sys/kern/syscalls.master +++ b/sys/kern/syscalls.master @@ -1014,3 +1014,5 @@ struct statvfs *buf, int flags); } 486 STD RUMP { int|sys|90|fhstatvfs1(const void *fhp, \ size_t fh_size, struct statvfs *buf, int flags); } +487 STD RUMP { ssize_t|sys||getrandom(void *buf, size_t buflen, \ + unsigned int flags); } diff --git a/sys/rump/librump/rumpkern/Makefile.rumpkern b/sys/rump/librump/rumpkern/Makefile.rumpkern index d6d54ee7187d..7b84049d8ac9 100644 --- a/sys/rump/librump/rumpkern/Makefile.rumpkern +++ b/sys/rump/librump/rumpkern/Makefile.rumpkern @@ -129,6 +129,7 @@ SRCS+= init_sysctl_base.c \ subr_xcall.c \ sys_descrip.c \ sys_generic.c \ + sys_getrandom.c \ sys_module.c \ sys_pipe.c \ sys_select.c \ diff --git a/sys/sys/Makefile b/sys/sys/Makefile index 049fdb808acf..02da96aad0dc 100644 --- a/sys/sys/Makefile +++ b/sys/sys/Makefile @@ -33,7 +33,7 @@ INCS= acct.h agpio.h aio.h ansi.h aout_mids.h ataio.h atomic.h \ param.h pcu.h pipe.h pmf.h poll.h pool.h power.h proc.h \ protosw.h pset.h psref.h ptrace.h ptree.h \ queue.h quota.h quotactl.h \ - radixtree.h ras.h rbtree.h reboot.h radioio.h resource.h \ + radioio.h radixtree.h random.h ras.h rbtree.h reboot.h resource.h \ resourcevar.h rmd160.h rnd.h rndio.h rwlock.h \ scanio.h sched.h scsiio.h sdt.h select.h selinfo.h sem.h semaphore.h \ sha1.h sha2.h sha3.h shm.h siginfo.h signal.h signalvar.h sigtypes.h \ diff --git a/sys/sys/entropy.h b/sys/sys/entropy.h index cabff68e6394..de561bcca9a7 100644 --- a/sys/sys/entropy.h +++ b/sys/sys/entropy.h @@ -44,8 +44,9 @@ struct knote; #define ENTROPY_CAPACITY ENTPOOL_CAPACITY /* bytes */ -#define ENTROPY_WAIT 0x01 -#define ENTROPY_SIG 0x02 +#define ENTROPY_WAIT 0x01 +#define ENTROPY_SIG 0x02 +#define ENTROPY_NOPARTIAL 0x04 void entropy_bootrequest(void); unsigned entropy_epoch(void); diff --git a/sys/sys/random.h b/sys/sys/random.h new file mode 100644 index 000000000000..ceac8c722725 --- /dev/null +++ b/sys/sys/random.h @@ -0,0 +1,69 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2020 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _SYS_RANDOM_H +#define _SYS_RANDOM_H + +#include + +#include /* _BSD_SIZE_T_ */ + +#define GRND_NONBLOCK (1u << 0) +#define GRND_RANDOM (1u << 1) +#define GRND_INSECURE (1u << 2) + +#ifdef _KERNEL + +struct uio; + +int dogetrandom(struct uio *, unsigned int); + +#endif /* _KERNEL */ + +#ifndef _KERNEL +__BEGIN_DECLS + +#ifdef _BSD_SIZE_T_ +typedef _BSD_SIZE_T_ size_t; +#undef _BSD_SIZE_T_ +#endif + +#ifdef _BSD_SSIZE_T_ +typedef _BSD_SSIZE_T_ ssize_t; +#undef _BSD_SSIZE_T_ +#endif + +ssize_t getrandom(void *, size_t, unsigned int); + +__END_DECLS +#endif /* !_KERNEL */ + +#endif /* _SYS_RANDOM_H */ diff --git a/tests/lib/libc/sys/Makefile b/tests/lib/libc/sys/Makefile index 1e10a2e1391f..10e792e66ea8 100644 --- a/tests/lib/libc/sys/Makefile +++ b/tests/lib/libc/sys/Makefile @@ -23,6 +23,7 @@ TESTS_C+= t_getgroups TESTS_C+= t_getitimer TESTS_C+= t_getlogin TESTS_C+= t_getpid +TESTS_C+= t_getrandom TESTS_C+= t_getrusage TESTS_C+= t_getsid TESTS_C+= t_getsockname diff --git a/tests/lib/libc/sys/t_getrandom.c b/tests/lib/libc/sys/t_getrandom.c new file mode 100644 index 000000000000..9a50f97babe8 --- /dev/null +++ b/tests/lib/libc/sys/t_getrandom.c @@ -0,0 +1,170 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2020 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include +__RCSID("$NetBSD$"); + +#include + +#include +#include +#include +#include + +static uint8_t buf[65536]; +static uint8_t zero24[24]; + +static void +alarm_handler(int signo) +{ +} + +ATF_TC(getrandom); +ATF_TC_HEAD(getrandom, tc) +{ + + atf_tc_set_md_var(tc, "descr", "getrandom(2)"); +} + +/* + * Probability of spurious failure is 1/2^192 for each of the memcmps. + * As long as there are fewer than 2^64 of them, the probability of + * spurious failure is at most 1/2^128, which is low enough that we + * don't care about it. + */ + +ATF_TC_BODY(getrandom, tc) +{ + ssize_t n; + + ATF_REQUIRE(signal(SIGALRM, &alarm_handler) != SIG_ERR); + + /* default */ + alarm(1); + memset(buf, 0, sizeof buf); + n = getrandom(buf, sizeof buf, 0); + if (n == -1) { + ATF_CHECK_EQ(errno, EINTR); + } else { + ATF_CHECK_EQ((size_t)n, sizeof buf); + ATF_CHECK(memcmp(buf, zero24, 24) != 0); + ATF_CHECK(memcmp(buf + sizeof buf - 24, zero24, 24) != 0); + } + alarm(0); + + /* default, nonblocking */ + memset(buf, 0, sizeof buf); + n = getrandom(buf, sizeof buf, GRND_NONBLOCK); + if (n == -1) { + ATF_CHECK_EQ(errno, EAGAIN); + } else { + ATF_CHECK_EQ((size_t)n, sizeof buf); + ATF_CHECK(memcmp(buf, zero24, 24) != 0); + ATF_CHECK(memcmp(buf + sizeof buf - 24, zero24, 24) != 0); + } + + /* insecure */ + memset(buf, 0, sizeof buf); + n = getrandom(buf, sizeof buf, GRND_INSECURE); + ATF_CHECK(n != -1); + ATF_CHECK_EQ((size_t)n, sizeof buf); + ATF_CHECK(memcmp(buf, zero24, 24) != 0); + ATF_CHECK(memcmp(buf + sizeof buf - 24, zero24, 24) != 0); + + /* insecure, nonblocking -- same as mere insecure */ + memset(buf, 0, sizeof buf); + n = getrandom(buf, sizeof buf, GRND_INSECURE|GRND_NONBLOCK); + ATF_CHECK(n != -1); + ATF_CHECK_EQ((size_t)n, sizeof buf); + ATF_CHECK(memcmp(buf, zero24, 24) != 0); + ATF_CHECK(memcmp(buf + sizeof buf - 24, zero24, 24) != 0); + + /* `random' (hokey) */ + alarm(1); + memset(buf, 0, sizeof buf); + n = getrandom(buf, sizeof buf, GRND_RANDOM); + if (n == -1) { + ATF_CHECK_EQ(errno, EINTR); + } else { + ATF_CHECK(n != 0); + ATF_CHECK((size_t)n <= sizeof buf); + if ((size_t)n >= 24) { + ATF_CHECK(memcmp(buf, zero24, 24) != 0); + ATF_CHECK(memcmp(buf + n - 24, zero24, 24) != 0); + } + } + alarm(0); + + /* `random' (hokey), nonblocking */ + memset(buf, 0, sizeof buf); + n = getrandom(buf, sizeof buf, GRND_RANDOM|GRND_NONBLOCK); + if (n == -1) { + ATF_CHECK_EQ(errno, EAGAIN); + } else { + ATF_CHECK(n != 0); + ATF_CHECK((size_t)n <= sizeof buf); + if ((size_t)n >= 24) { + ATF_CHECK(memcmp(buf, zero24, 24) != 0); + ATF_CHECK(memcmp(buf + n - 24, zero24, 24) != 0); + } + } + + /* random and insecure -- nonsensical */ + n = getrandom(buf, sizeof buf, GRND_RANDOM|GRND_INSECURE); + ATF_CHECK_EQ(n, -1); + ATF_CHECK_EQ(errno, EINVAL); + + /* random and insecure, nonblocking -- nonsensical */ + n = getrandom(buf, sizeof buf, + GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK); + ATF_CHECK_EQ(n, -1); + ATF_CHECK_EQ(errno, EINVAL); + + /* invalid flags */ + __CTASSERT(~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)); + n = getrandom(buf, sizeof buf, + ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)); + ATF_CHECK_EQ(n, -1); + ATF_CHECK_EQ(errno, EINVAL); + + /* unmapped */ + n = getrandom(NULL, sizeof buf, GRND_INSECURE|GRND_NONBLOCK); + ATF_CHECK_EQ(n, -1); + ATF_CHECK_EQ(errno, EFAULT); +} + +ATF_TP_ADD_TCS(tp) +{ + + ATF_TP_ADD_TC(tp, getrandom); + + return atf_no_error(); +} From 9b04a6a43f41896e4ec598df8e082f572c042c86 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Tue, 14 Jan 2020 02:33:12 +0000 Subject: [PATCH 2/3] Simplify /dev/random and getrandom(GRND_RANDOM) semantics. Just clamp to 32-byte reads irrespective of whether we're doing entropy depletion. You shouldn't do bulk reads out of /dev/random. --- sys/kern/sys_getrandom.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/sys/kern/sys_getrandom.c b/sys/kern/sys_getrandom.c index b02bada23e0e..5d4887cff821 100644 --- a/sys/kern/sys_getrandom.c +++ b/sys/kern/sys_getrandom.c @@ -72,11 +72,12 @@ dogetrandom(struct uio *uio, unsigned int flags) buf = kmem_alloc(RANDOM_BUFSIZE, KM_SLEEP); /* - * Fast path: for short reads, if INSECURE, or if we have - * entropy and we're not doing depletion, just return it from - * the per-CPU cprng_strong. + * Fast path, for short reads other than from /dev/random: if + * INSECURE, or if we have entropy and we're not doing + * `depletion', just return it from the per-CPU cprng_strong. */ if (uio->uio_resid <= RANDOM_BUFSIZE && + !ISSET(flags, GRND_RANDOM) && (ISSET(flags, GRND_INSECURE) || (__predict_true(!atomic_load_relaxed(&entropy_depletion)) && __predict_true(entropy_epoch() != (unsigned)-1)))) { @@ -112,11 +113,10 @@ dogetrandom(struct uio *uio, unsigned int flags) size_t n = MIN(uio->uio_resid, RANDOM_BUFSIZE); /* - * If we're `depleting' and this is /dev/random, clamp - * to the smaller of the entropy capacity or the seed. + * If this is /dev/random, clamp to the smaller of the + * entropy capacity or the seed. */ - if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && - ISSET(flags, GRND_RANDOM)) { + if (ISSET(flags, GRND_RANDOM)) { n = MIN(n, ENTROPY_CAPACITY); n = MIN(n, sizeof seed); /* @@ -163,13 +163,11 @@ dogetrandom(struct uio *uio, unsigned int flags) break; /* - * If we're `depleting' and this is /dev/random, stop - * here, return what we have, and force the next read - * to reseed. Could grab more from the pool if - * possible without blocking, but that's more work. + * If this is /dev/random, stop here and return what we + * have, and force the next read to reseed. You're not + * supposed to draw lots of data from /dev/random. */ - if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && - ISSET(flags, GRND_RANDOM)) { + if (ISSET(flags, GRND_RANDOM)) { error = 0; break; } From c07d30e82bac71aaefb2c8efffc55c4f40804a83 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Sun, 9 Feb 2020 21:49:56 +0000 Subject: [PATCH 3/3] WIP: regen --- sys/kern/init_sysent.c | 10 +++--- sys/kern/syscalls.c | 8 ++--- sys/kern/syscalls_autoload.c | 4 +-- sys/kern/systrace_args.c | 32 ++++++++++++++++++- sys/rump/include/rump/rump_syscalls.h | 7 ++++- sys/rump/librump/rumpkern/rump_syscalls.c | 38 ++++++++++++++++++++--- sys/rump/rump.sysmap | 1 + sys/sys/syscall.h | 7 +++-- sys/sys/syscallargs.h | 11 ++++++- 9 files changed, 99 insertions(+), 19 deletions(-) diff --git a/sys/kern/init_sysent.c b/sys/kern/init_sysent.c index e3e477fd6a87..04b4138f695e 100644 --- a/sys/kern/init_sysent.c +++ b/sys/kern/init_sysent.c @@ -1,4 +1,4 @@ -/* $NetBSD: init_sysent.c,v 1.327 2020/01/21 02:38:25 pgoyette Exp $ */ +/* $NetBSD$ */ /* * System call switch table. @@ -8,7 +8,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: init_sysent.c,v 1.327 2020/01/21 02:38:25 pgoyette Exp $"); +__KERNEL_RCSID(0, "$NetBSD$"); #ifdef _KERNEL_OPT #include "opt_modular.h" @@ -2359,8 +2359,10 @@ struct sysent sysent[] = { .sy_call = (sy_call_t *)sys___fhstatvfs190 }, /* 486 = __fhstatvfs190 */ { - .sy_call = sys_nosys, - }, /* 487 = filler */ + ns(struct sys_getrandom_args), + .sy_flags = SYCALL_ARG_PTR, + .sy_call = (sy_call_t *)sys_getrandom + }, /* 487 = getrandom */ { .sy_call = sys_nosys, }, /* 488 = filler */ diff --git a/sys/kern/syscalls.c b/sys/kern/syscalls.c index f18938cadb4f..9a2020ccb4d4 100644 --- a/sys/kern/syscalls.c +++ b/sys/kern/syscalls.c @@ -1,4 +1,4 @@ -/* $NetBSD: syscalls.c,v 1.315 2020/01/21 02:38:25 pgoyette Exp $ */ +/* $NetBSD$ */ /* * System call names. @@ -8,7 +8,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: syscalls.c,v 1.315 2020/01/21 02:38:25 pgoyette Exp $"); +__KERNEL_RCSID(0, "$NetBSD$"); #if defined(_KERNEL_OPT) #ifdef _KERNEL_OPT @@ -536,7 +536,7 @@ const char *const syscallnames[] = { /* 484 */ "__statvfs190", /* 485 */ "__fstatvfs190", /* 486 */ "__fhstatvfs190", - /* 487 */ "# filler", + /* 487 */ "getrandom", /* 488 */ "# filler", /* 489 */ "# filler", /* 490 */ "# filler", @@ -1073,7 +1073,7 @@ const char *const altsyscallnames[] = { /* 484 */ "statvfs1", /* 485 */ "fstatvfs1", /* 486 */ "fhstatvfs1", - /* 487 */ NULL, /* filler */ + /* 487 */ NULL, /* getrandom */ /* 488 */ NULL, /* filler */ /* 489 */ NULL, /* filler */ /* 490 */ NULL, /* filler */ diff --git a/sys/kern/syscalls_autoload.c b/sys/kern/syscalls_autoload.c index b6a23887cc16..4d4946352c64 100644 --- a/sys/kern/syscalls_autoload.c +++ b/sys/kern/syscalls_autoload.c @@ -1,4 +1,4 @@ -/* $NetBSD: syscalls_autoload.c,v 1.32 2020/01/21 02:38:25 pgoyette Exp $ */ +/* $NetBSD$ */ /* * System call autoload table. @@ -8,7 +8,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: syscalls_autoload.c,v 1.32 2020/01/21 02:38:25 pgoyette Exp $"); +__KERNEL_RCSID(0, "$NetBSD$"); #ifdef _KERNEL_OPT #include "opt_modular.h" diff --git a/sys/kern/systrace_args.c b/sys/kern/systrace_args.c index 90c3cf68ea18..e17cb1a25e90 100644 --- a/sys/kern/systrace_args.c +++ b/sys/kern/systrace_args.c @@ -1,4 +1,4 @@ -/* $NetBSD: systrace_args.c,v 1.34 2020/01/21 02:38:25 pgoyette Exp $ */ +/* $NetBSD$ */ /* * System call argument to DTrace register array converstion. @@ -3701,6 +3701,15 @@ systrace_args(register_t sysnum, const void *params, uintptr_t *uarg, size_t *n_ *n_args = 4; break; } + /* sys_getrandom */ + case 487: { + const struct sys_getrandom_args *p = params; + uarg[0] = (intptr_t) SCARG(p, buf); /* void * */ + uarg[1] = SCARG(p, buflen); /* size_t */ + uarg[2] = SCARG(p, flags); /* unsigned int */ + *n_args = 3; + break; + } default: *n_args = 0; break; @@ -9979,6 +9988,22 @@ systrace_entry_setargdesc(int sysnum, int ndx, char *desc, size_t descsz) break; }; break; + /* sys_getrandom */ + case 487: + switch(ndx) { + case 0: + p = "void *"; + break; + case 1: + p = "size_t"; + break; + case 2: + p = "unsigned int"; + break; + default: + break; + }; + break; default: break; }; @@ -12076,6 +12101,11 @@ systrace_return_setargdesc(int sysnum, int ndx, char *desc, size_t descsz) if (ndx == 0 || ndx == 1) p = "int"; break; + /* sys_getrandom */ + case 487: + if (ndx == 0 || ndx == 1) + p = "ssize_t"; + break; default: break; }; diff --git a/sys/rump/include/rump/rump_syscalls.h b/sys/rump/include/rump/rump_syscalls.h index bd9943c7f2b5..5d3ad57281e5 100644 --- a/sys/rump/include/rump/rump_syscalls.h +++ b/sys/rump/include/rump/rump_syscalls.h @@ -1,4 +1,4 @@ -/* $NetBSD: rump_syscalls.h,v 1.113 2020/01/21 02:38:26 pgoyette Exp $ */ +/* $NetBSD$ */ /* * System call protos in rump namespace. @@ -204,6 +204,10 @@ #define RUMP_SYS_RENAME_DUP rump___sysimpl_dup #endif +#ifndef RUMP_SYS_RENAME_GETRANDOM +#define RUMP_SYS_RENAME_GETRANDOM rump___sysimpl_getrandom +#endif + #ifndef RUMP_SYS_RENAME_LCHMOD #define RUMP_SYS_RENAME_LCHMOD rump___sysimpl_lchmod #endif @@ -1063,6 +1067,7 @@ int rump_sys_getvfsstat(struct statvfs *, size_t, int) __RENAME(RUMP_SYS_RENAME_ int rump_sys_statvfs1(const char *, struct statvfs *, int) __RENAME(RUMP_SYS_RENAME_STATVFS1); int rump_sys_fstatvfs1(int, struct statvfs *, int) __RENAME(RUMP_SYS_RENAME_FSTATVFS1); int rump_sys_fhstatvfs1(const void *, size_t, struct statvfs *, int) __RENAME(RUMP_SYS_RENAME_FHSTATVFS1); +ssize_t rump_sys_getrandom(void *, size_t, unsigned int) __RENAME(RUMP_SYS_RENAME_GETRANDOM); int rump_sys_pipe(int *); #endif /* _RUMP_RUMP_SYSCALLS_H_ */ diff --git a/sys/rump/librump/rumpkern/rump_syscalls.c b/sys/rump/librump/rumpkern/rump_syscalls.c index d7dd052e036d..dd73553c3baf 100644 --- a/sys/rump/librump/rumpkern/rump_syscalls.c +++ b/sys/rump/librump/rumpkern/rump_syscalls.c @@ -1,4 +1,4 @@ -/* $NetBSD: rump_syscalls.c,v 1.144 2020/01/21 02:38:26 pgoyette Exp $ */ +/* $NetBSD$ */ /* * System call vector and marshalling for rump. @@ -15,7 +15,7 @@ #ifdef __NetBSD__ #include -__KERNEL_RCSID(0, "$NetBSD: rump_syscalls.c,v 1.144 2020/01/21 02:38:26 pgoyette Exp $"); +__KERNEL_RCSID(0, "$NetBSD$"); #include #include @@ -6523,6 +6523,36 @@ __weak_alias(___fhstatvfs190,rump___sysimpl_fhstatvfs190); __strong_alias(_sys___fhstatvfs190,rump___sysimpl_fhstatvfs190); #endif /* RUMP_KERNEL_IS_LIBC */ +ssize_t rump___sysimpl_getrandom(void *, size_t, unsigned int); +ssize_t +rump___sysimpl_getrandom(void * buf, size_t buflen, unsigned int flags) +{ + register_t retval[2]; + int error = 0; + ssize_t rv = -1; + struct sys_getrandom_args callarg; + + memset(&callarg, 0, sizeof(callarg)); + SPARG(&callarg, buf) = buf; + SPARG(&callarg, buflen) = buflen; + SPARG(&callarg, flags) = flags; + + error = rsys_syscall(SYS_getrandom, &callarg, sizeof(callarg), retval); + rsys_seterrno(error); + if (error == 0) { + if (sizeof(ssize_t) > sizeof(register_t)) + rv = *(ssize_t *)retval; + else + rv = *retval; + } + return rv; +} +#ifdef RUMP_KERNEL_IS_LIBC +__weak_alias(getrandom,rump___sysimpl_getrandom); +__weak_alias(_getrandom,rump___sysimpl_getrandom); +__strong_alias(_sys_getrandom,rump___sysimpl_getrandom); +#endif /* RUMP_KERNEL_IS_LIBC */ + int rump_sys_pipe(int *); int rump_sys_pipe(int *fd) @@ -8448,9 +8478,9 @@ struct sysent rump_sysent[] = { .sy_call = (sy_call_t *)(void *)rumpns_enosys, }, /* 486 = __fhstatvfs190 */ { - .sy_flags = SYCALL_NOSYS, + ns(struct sys_getrandom_args), .sy_call = (sy_call_t *)(void *)rumpns_enosys, - }, /* 487 = filler */ + }, /* 487 = getrandom */ { .sy_flags = SYCALL_NOSYS, .sy_call = (sy_call_t *)(void *)rumpns_enosys, diff --git a/sys/rump/rump.sysmap b/sys/rump/rump.sysmap index e85583d0ab98..0ccc4dcb4368 100644 --- a/sys/rump/rump.sysmap +++ b/sys/rump/rump.sysmap @@ -217,3 +217,4 @@ 484 sys___statvfs190 __statvfs190 rump___sysimpl_statvfs190 485 sys___fstatvfs190 __fstatvfs190 rump___sysimpl_fstatvfs190 486 sys___fhstatvfs190 __fhstatvfs190 rump___sysimpl_fhstatvfs190 +487 sys_getrandom getrandom rump___sysimpl_getrandom diff --git a/sys/sys/syscall.h b/sys/sys/syscall.h index 4a455ac33d23..dcf0dfa954ad 100644 --- a/sys/sys/syscall.h +++ b/sys/sys/syscall.h @@ -1,4 +1,4 @@ -/* $NetBSD: syscall.h,v 1.309 2020/01/21 02:38:26 pgoyette Exp $ */ +/* $NetBSD$ */ /* * System call numbers. @@ -1341,6 +1341,9 @@ /* syscall: "__fhstatvfs190" ret: "int" args: "const void *" "size_t" "struct statvfs *" "int" */ #define SYS___fhstatvfs190 486 -#define SYS_MAXSYSCALL 487 +/* syscall: "getrandom" ret: "ssize_t" args: "void *" "size_t" "unsigned int" */ +#define SYS_getrandom 487 + +#define SYS_MAXSYSCALL 488 #define SYS_NSYSENT 512 #endif /* _SYS_SYSCALL_H_ */ diff --git a/sys/sys/syscallargs.h b/sys/sys/syscallargs.h index 157932357b92..5d695b2e7521 100644 --- a/sys/sys/syscallargs.h +++ b/sys/sys/syscallargs.h @@ -1,4 +1,4 @@ -/* $NetBSD: syscallargs.h,v 1.293 2020/01/21 02:38:26 pgoyette Exp $ */ +/* $NetBSD$ */ /* * System call argument lists. @@ -3175,6 +3175,13 @@ struct sys___fhstatvfs190_args { }; check_syscall_args(sys___fhstatvfs190) +struct sys_getrandom_args { + syscallarg(void *) buf; + syscallarg(size_t) buflen; + syscallarg(unsigned int) flags; +}; +check_syscall_args(sys_getrandom) + /* * System call prototypes. */ @@ -4057,5 +4064,7 @@ int sys___fstatvfs190(struct lwp *, const struct sys___fstatvfs190_args *, regis int sys___fhstatvfs190(struct lwp *, const struct sys___fhstatvfs190_args *, register_t *); +int sys_getrandom(struct lwp *, const struct sys_getrandom_args *, register_t *); + #endif /* !RUMP_CLIENT */ #endif /* _SYS_SYSCALLARGS_H_ */