Index: head/lib/libc/sys/getrandom.2 =================================================================== --- head/lib/libc/sys/getrandom.2 +++ head/lib/libc/sys/getrandom.2 @@ -1,5 +1,4 @@ -.\" Copyright (c) 2018 Conrad Meyer -.\" All rights reserved. +.\" Copyright 2020, 2018 Conrad Meyer . All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -24,7 +23,7 @@ .\" .\" $FreeBSD$ .\" -.Dd February 24, 2018 +.Dd January 12, 2020 .Dt GETRANDOM 2 .Os .Sh NAME @@ -64,13 +63,16 @@ and .Pa /dev/urandom are identical. +.It Ql GRND_INSECURE +This flag is treated as an alternative name for +.Dv GRND_NONBLOCK . +It is provided solely for API compatibility with Linux. .El .Pp If the .Xr random 4 device has been seeded, reads of up to 256 bytes will always return as many bytes as requested and will not be interrupted by signals. -.Pp .Sh RETURN VALUES Upon successful completion, the number of bytes which were actually read is returned. @@ -87,6 +89,8 @@ .It Bq Er EAGAIN The .Ql GRND_NONBLOCK +(or +.Ql GRND_INSECURE ) flag was set and the .Xr random 4 device was not yet seeded. @@ -111,7 +115,7 @@ .Xr getentropy 3 , .Xr random 4 .Sh STANDARDS -.Fn getentropy +.Fn getrandom is non-standard. It is present in Linux. .Sh HISTORY @@ -119,3 +123,11 @@ .Fn getrandom system call first appeared in .Fx 12.0 . +.Sh CAVEATS +Unlike Linux, the +.Dv GRND_INSECURE +flag on +.Fx +does not produce any output before the +.Xr random 4 +device is seeded. Index: head/sys/kern/sys_getrandom.c =================================================================== --- head/sys/kern/sys_getrandom.c +++ head/sys/kern/sys_getrandom.c @@ -38,7 +38,7 @@ #include #include -#define GRND_VALIDFLAGS (GRND_NONBLOCK | GRND_RANDOM) +#define GRND_VALIDFLAGS (GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE) /* * random_read_uio(9) returns EWOULDBLOCK if a nonblocking request would block, @@ -59,6 +59,40 @@ return (EINVAL); if (buflen > IOSIZE_MAX) return (EINVAL); + + /* + * Linux compatibility: We have two choices for handling Linux's + * GRND_INSECURE. + * + * 1. We could ignore it completely (like GRND_RANDOM). However, this + * might produce the surprising result of GRND_INSECURE requests + * blocking, when the Linux API does not block. + * + * 2. Alternatively, we could treat GRND_INSECURE requests as requests + * for GRND_NONBLOCk. Here, the surprising result for Linux programs + * is that invocations with unseeded random(4) will produce EAGAIN, + * rather than garbage. + * + * Honoring the flag in the way Linux does seems fraught. If we + * actually use the output of a random(4) implementation prior to + * seeding, we leak some entropy about the initial seed to attackers. + * This seems unacceptable -- it defeats the purpose of blocking on + * initial seeding. + * + * Secondary to that concern, before seeding we may have arbitrarily + * little entropy collected; producing output from zero or a handful of + * entropy bits does not seem particularly useful to userspace. + * + * If userspace can accept garbage, insecure non-random bytes, they can + * create their own insecure garbage with srandom(time(NULL)) or + * similar. Asking the kernel to produce it from the secure + * getrandom(2) API seems inane. + * + * We elect to emulate GRND_INSECURE as an alternative spelling of + * GRND_NONBLOCK (2). + */ + if ((flags & GRND_INSECURE) != 0) + flags |= GRND_NONBLOCK; if (buflen == 0) { td->td_retval[0] = 0; Index: head/sys/sys/random.h =================================================================== --- head/sys/sys/random.h +++ head/sys/sys/random.h @@ -159,6 +159,7 @@ #define GRND_NONBLOCK 0x1 #define GRND_RANDOM 0x2 +#define GRND_INSECURE 0x4 __BEGIN_DECLS ssize_t getrandom(void *buf, size_t buflen, unsigned int flags);