Page MenuHomeFreeBSD
Files F136029422

D23130.id.diff
No OneTemporary
Actions

D23130.id.diff
View Options

Index: head/lib/libc/sys/getrandom.2
===================================================================
--- head/lib/libc/sys/getrandom.2
+++ head/lib/libc/sys/getrandom.2
@@ -1,5 +1,4 @@
-.\" Copyright (c) 2018 Conrad Meyer <cem@FreeBSD.org>
-.\" All rights reserved.
+.\" Copyright 2020, 2018 Conrad Meyer <cem@FreeBSD.org>. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
@@ -24,7 +23,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd February 24, 2018
+.Dd January 12, 2020
.Dt GETRANDOM 2
.Os
.Sh NAME
@@ -64,13 +63,16 @@
and
.Pa /dev/urandom
are identical.
+.It Ql GRND_INSECURE
+This flag is treated as an alternative name for
+.Dv GRND_NONBLOCK .
+It is provided solely for API compatibility with Linux.
.El
.Pp
If the
.Xr random 4
device has been seeded, reads of up to 256 bytes will always return as many
bytes as requested and will not be interrupted by signals.
-.Pp
.Sh RETURN VALUES
Upon successful completion, the number of bytes which were actually read is
returned.
@@ -87,6 +89,8 @@
.It Bq Er EAGAIN
The
.Ql GRND_NONBLOCK
+(or
+.Ql GRND_INSECURE )
flag was set and the
.Xr random 4
device was not yet seeded.
@@ -111,7 +115,7 @@
.Xr getentropy 3 ,
.Xr random 4
.Sh STANDARDS
-.Fn getentropy
+.Fn getrandom
is non-standard.
It is present in Linux.
.Sh HISTORY
@@ -119,3 +123,11 @@
.Fn getrandom
system call first appeared in
.Fx 12.0 .
+.Sh CAVEATS
+Unlike Linux, the
+.Dv GRND_INSECURE
+flag on
+.Fx
+does not produce any output before the
+.Xr random 4
+device is seeded.
Index: head/sys/kern/sys_getrandom.c
===================================================================
--- head/sys/kern/sys_getrandom.c
+++ head/sys/kern/sys_getrandom.c
@@ -38,7 +38,7 @@
#include <sys/systm.h>
#include <sys/uio.h>
-#define GRND_VALIDFLAGS (GRND_NONBLOCK | GRND_RANDOM)
+#define GRND_VALIDFLAGS (GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE)
/*
* random_read_uio(9) returns EWOULDBLOCK if a nonblocking request would block,
@@ -59,6 +59,40 @@
return (EINVAL);
if (buflen > IOSIZE_MAX)
return (EINVAL);
+
+ /*
+ * Linux compatibility: We have two choices for handling Linux's
+ * GRND_INSECURE.
+ *
+ * 1. We could ignore it completely (like GRND_RANDOM). However, this
+ * might produce the surprising result of GRND_INSECURE requests
+ * blocking, when the Linux API does not block.
+ *
+ * 2. Alternatively, we could treat GRND_INSECURE requests as requests
+ * for GRND_NONBLOCk. Here, the surprising result for Linux programs
+ * is that invocations with unseeded random(4) will produce EAGAIN,
+ * rather than garbage.
+ *
+ * Honoring the flag in the way Linux does seems fraught. If we
+ * actually use the output of a random(4) implementation prior to
+ * seeding, we leak some entropy about the initial seed to attackers.
+ * This seems unacceptable -- it defeats the purpose of blocking on
+ * initial seeding.
+ *
+ * Secondary to that concern, before seeding we may have arbitrarily
+ * little entropy collected; producing output from zero or a handful of
+ * entropy bits does not seem particularly useful to userspace.
+ *
+ * If userspace can accept garbage, insecure non-random bytes, they can
+ * create their own insecure garbage with srandom(time(NULL)) or
+ * similar. Asking the kernel to produce it from the secure
+ * getrandom(2) API seems inane.
+ *
+ * We elect to emulate GRND_INSECURE as an alternative spelling of
+ * GRND_NONBLOCK (2).
+ */
+ if ((flags & GRND_INSECURE) != 0)
+ flags |= GRND_NONBLOCK;
if (buflen == 0) {
td->td_retval[0] = 0;
Index: head/sys/sys/random.h
===================================================================
--- head/sys/sys/random.h
+++ head/sys/sys/random.h
@@ -159,6 +159,7 @@
#define GRND_NONBLOCK 0x1
#define GRND_RANDOM 0x2
+#define GRND_INSECURE 0x4
__BEGIN_DECLS
ssize_t getrandom(void *buf, size_t buflen, unsigned int flags);

File Metadata

Mime Type
text/plain
Expires
Sun, Nov 16, 5:52 AM (14 h, 7 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
25350212
Default Alt Text
D23130.id.diff (3 KB)

Event Timeline