Module Name: src
Committed By: riastradh
Date: Fri Aug 14 00:53:16 UTC 2020
Modified Files:
src/distrib/sets/lists/comp: mi
src/distrib/sets/lists/debug: mi
src/distrib/sets/lists/tests: mi
src/lib/libc/sys: Makefile.inc
src/sys/dev: random.c
src/sys/kern: files.kern kern_entropy.c syscalls.master
src/sys/rump/librump/rumpkern: Makefile.rumpkern
src/sys/sys: Makefile entropy.h
src/tests/lib/libc/sys: Makefile
Added Files:
src/lib/libc/sys: getrandom.2
src/sys/kern: sys_getrandom.c
src/sys/sys: random.h
src/tests/lib/libc/sys: t_getrandom.c
Log Message:
New system call getrandom() compatible with Linux and others.
Three ways to call:
getrandom(p, n, 0) Blocks at boot until full entropy.
Returns up to n bytes at p; guarantees
up to 256 bytes even if interrupted
after blocking. getrandom(0,0,0)
serves as an entropy barrier: return
only after system has full entropy.
getrandom(p, n, GRND_INSECURE) Never blocks. Guarantees up to 256
bytes even if interrupted. Equivalent
to /dev/urandom. Safe only after
successful getrandom(...,0),
getrandom(...,GRND_RANDOM), or read
from /dev/random.
getrandom(p, n, GRND_RANDOM) May block at any time. Returns up to n
bytes at p, but no guarantees about how
many -- may return as short as 1 byte.
Equivalent to /dev/random. Legacy.
Provided only for source compatibility
with Linux.
Can also use flags|GRND_NONBLOCK to fail with EWOULDBLOCK/EAGAIN
without producing any output instead of blocking.
- The combination GRND_INSECURE|GRND_NONBLOCK is the same as
GRND_INSECURE, since GRND_INSECURE never blocks anyway.
- The combinations GRND_INSECURE|GRND_RANDOM and
GRND_INSECURE|GRND_RANDOM|GRND_NONBLOCK are nonsensical and fail
with EINVAL.
As proposed on tech-userlevel, tech-crypto, tech-security, and
tech-kern, and subsequently adopted by core (minus the getentropy part
of the proposal, because other operating systems and participants in
the discussion couldn't come to an agreement about getentropy and
blocking semantics):
https://mail-index.netbsd.org/tech-userlevel/2020/05/02/msg012333.html
To generate a diff of this commit:
cvs rdiff -u -r1.2342 -r1.2343 src/distrib/sets/lists/comp/mi
cvs rdiff -u -r1.326 -r1.327 src/distrib/sets/lists/debug/mi
cvs rdiff -u -r1.888 -r1.889 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.244 -r1.245 src/lib/libc/sys/Makefile.inc
cvs rdiff -u -r0 -r1.1 src/lib/libc/sys/getrandom.2
cvs rdiff -u -r1.7 -r1.8 src/sys/dev/random.c
cvs rdiff -u -r1.50 -r1.51 src/sys/kern/files.kern
cvs rdiff -u -r1.22 -r1.23 src/sys/kern/kern_entropy.c
cvs rdiff -u -r0 -r1.1 src/sys/kern/sys_getrandom.c
cvs rdiff -u -r1.305 -r1.306 src/sys/kern/syscalls.master
cvs rdiff -u -r1.184 -r1.185 src/sys/rump/librump/rumpkern/Makefile.rumpkern
cvs rdiff -u -r1.175 -r1.176 src/sys/sys/Makefile
cvs rdiff -u -r1.3 -r1.4 src/sys/sys/entropy.h
cvs rdiff -u -r0 -r1.1 src/sys/sys/random.h
cvs rdiff -u -r1.66 -r1.67 src/tests/lib/libc/sys/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/lib/libc/sys/t_getrandom.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/distrib/sets/lists/comp/mi
diff -u src/distrib/sets/lists/comp/mi:1.2342 src/distrib/sets/lists/comp/mi:1.2343
--- src/distrib/sets/lists/comp/mi:1.2342 Tue Aug 11 13:19:15 2020
+++ src/distrib/sets/lists/comp/mi Fri Aug 14 00:53:15 2020
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.2342 2020/08/11 13:19:15 christos Exp $
+# $NetBSD: mi,v 1.2343 2020/08/14 00:53:15 riastradh Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
./etc/mtree/set.comp comp-sys-root
@@ -3137,6 +3137,7 @@
./usr/include/sys/quotactl.h comp-c-include
./usr/include/sys/radioio.h comp-c-include
./usr/include/sys/radixtree.h comp-c-include
+./usr/include/sys/random.h comp-c-include
./usr/include/sys/ras.h comp-c-include
./usr/include/sys/rb.h comp-obsolete obsolete
./usr/include/sys/rbtree.h comp-c-include
@@ -12742,6 +12743,7 @@
./usr/share/man/html2/getpid.html comp-c-htmlman html
./usr/share/man/html2/getppid.html comp-c-htmlman html
./usr/share/man/html2/getpriority.html comp-c-htmlman html
+./usr/share/man/html2/getrandom.html comp-c-htmlman html
./usr/share/man/html2/getrlimit.html comp-c-htmlman html
./usr/share/man/html2/getrusage.html comp-c-htmlman html
./usr/share/man/html2/getsid.html comp-c-htmlman html
@@ -20862,6 +20864,7 @@
./usr/share/man/man2/getpid.2 comp-c-man .man
./usr/share/man/man2/getppid.2 comp-c-man .man
./usr/share/man/man2/getpriority.2 comp-c-man .man
+./usr/share/man/man2/getrandom.2 comp-c-man .man
./usr/share/man/man2/getrlimit.2 comp-c-man .man
./usr/share/man/man2/getrusage.2 comp-c-man .man
./usr/share/man/man2/getsid.2 comp-c-man .man
Index: src/distrib/sets/lists/debug/mi
diff -u src/distrib/sets/lists/debug/mi:1.326 src/distrib/sets/lists/debug/mi:1.327
--- src/distrib/sets/lists/debug/mi:1.326 Sat Jul 25 22:53:38 2020
+++ src/distrib/sets/lists/debug/mi Fri Aug 14 00:53:16 2020
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.326 2020/07/25 22:53:38 riastradh Exp $
+# $NetBSD: mi,v 1.327 2020/08/14 00:53:16 riastradh Exp $
./etc/mtree/set.debug comp-sys-root
./usr/lib comp-sys-usr compatdir
./usr/lib/i18n/libBIG5_g.a comp-c-debuglib debuglib,compatfile
@@ -2141,6 +2141,7 @@
./usr/libdata/debug/usr/tests/lib/libc/sys/t_getitimer.debug tests-lib-debug debug,atf,compattestfile
./usr/libdata/debug/usr/tests/lib/libc/sys/t_getlogin.debug tests-lib-debug debug,atf,compattestfile
./usr/libdata/debug/usr/tests/lib/libc/sys/t_getpid.debug tests-lib-debug debug,atf,compattestfile
+./usr/libdata/debug/usr/tests/lib/libc/sys/t_getrandom.debug tests-lib-debug debug,atf,compattestfile
./usr/libdata/debug/usr/tests/lib/libc/sys/t_getrusage.debug tests-lib-debug debug,atf,compattestfile
./usr/libdata/debug/usr/tests/lib/libc/sys/t_getsid.debug tests-lib-debug debug,atf,compattestfile
./usr/libdata/debug/usr/tests/lib/libc/sys/t_getsockname.debug tests-lib-debug debug,atf,compattestfile
Index: src/distrib/sets/lists/tests/mi
diff -u src/distrib/sets/lists/tests/mi:1.888 src/distrib/sets/lists/tests/mi:1.889
--- src/distrib/sets/lists/tests/mi:1.888 Sun Aug 9 16:32:28 2020
+++ src/distrib/sets/lists/tests/mi Fri Aug 14 00:53:16 2020
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.888 2020/08/09 16:32:28 rillig Exp $
+# $NetBSD: mi,v 1.889 2020/08/14 00:53:16 riastradh Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -3142,6 +3142,7 @@
./usr/tests/lib/libc/sys/t_getitimer tests-lib-tests compattestfile,atf
./usr/tests/lib/libc/sys/t_getlogin tests-lib-tests compattestfile,atf
./usr/tests/lib/libc/sys/t_getpid tests-lib-tests compattestfile,atf
+./usr/tests/lib/libc/sys/t_getrandom tests-lib-tests compattestfile,atf
./usr/tests/lib/libc/sys/t_getrusage tests-lib-tests compattestfile,atf
./usr/tests/lib/libc/sys/t_getsid tests-lib-tests compattestfile,atf
./usr/tests/lib/libc/sys/t_getsockname tests-lib-tests compattestfile,atf
Index: src/lib/libc/sys/Makefile.inc
diff -u src/lib/libc/sys/Makefile.inc:1.244 src/lib/libc/sys/Makefile.inc:1.245
--- src/lib/libc/sys/Makefile.inc:1.244 Fri Jul 17 15:34:17 2020
+++ src/lib/libc/sys/Makefile.inc Fri Aug 14 00:53:16 2020
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.inc,v 1.244 2020/07/17 15:34:17 kamil Exp $
+# $NetBSD: Makefile.inc,v 1.245 2020/08/14 00:53:16 riastradh Exp $
# @(#)Makefile.inc 8.3 (Berkeley) 10/24/94
# sys sources
@@ -115,7 +115,7 @@ ASM=\
__fstatvfs190.S fstatat.S __futimes50.S futimens.S \
__getcwd.S __getdents30.S __getfh30.S __getvfsstat90.S getgroups.S\
__getitimer50.S __getlogin.S getpeername.S getpgid.S getpgrp.S \
- getpriority.S getrlimit.S __getrusage50.S getsid.S \
+ getpriority.S getrandom.S getrlimit.S __getrusage50.S getsid.S \
getsockname.S getsockopt.S getsockopt2.S __gettimeofday50.S \
ioctl.S \
kqueue.S kqueue1.S ktrace.S \
@@ -256,8 +256,9 @@ MAN+= accept.2 access.2 acct.2 adjtime.2
flock.2 fork.2 fsync.2 getcontext.2 getdents.2 \
getfh.2 getvfsstat.2 getgid.2 getgroups.2 \
getitimer.2 getlogin.2 getpeername.2 getpgrp.2 getpid.2 \
- getpriority.2 getrlimit.2 getrusage.2 getsid.2 getsockname.2 \
- getsockopt.2 gettimeofday.2 getuid.2 intro.2 ioctl.2 issetugid.2 \
+ getpriority.2 getrandom.2 getrlimit.2 getrusage.2 getsid.2 \
+ getsockname.2 getsockopt.2 gettimeofday.2 getuid.2\
+ intro.2 ioctl.2 issetugid.2 \
kill.2 kqueue.2 ktrace.2 _ksem.2 \
lfs_bmapv.2 lfs_markv.2 lfs_segclean.2 lfs_segwait.2 \
link.2 listen.2 lseek.2 \
Index: src/sys/dev/random.c
diff -u src/sys/dev/random.c:1.7 src/sys/dev/random.c:1.8
--- src/sys/dev/random.c:1.7 Fri May 8 16:05:36 2020
+++ src/sys/dev/random.c Fri Aug 14 00:53:16 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: random.c,v 1.7 2020/05/08 16:05:36 riastradh Exp $ */
+/* $NetBSD: random.c,v 1.8 2020/08/14 00:53:16 riastradh Exp $ */
/*-
* Copyright (c) 2019 The NetBSD Foundation, Inc.
@@ -47,7 +47,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: random.c,v 1.7 2020/05/08 16:05:36 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: random.c,v 1.8 2020/08/14 00:53:16 riastradh Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -62,13 +62,12 @@ __KERNEL_RCSID(0, "$NetBSD: random.c,v 1
#include <sys/kmem.h>
#include <sys/lwp.h>
#include <sys/poll.h>
+#include <sys/random.h>
#include <sys/rnd.h>
#include <sys/rndsource.h>
#include <sys/signalvar.h>
#include <sys/systm.h>
-#include <crypto/nist_hash_drbg/nist_hash_drbg.h>
-
#include "ioconf.h"
static dev_type_open(random_open);
@@ -209,138 +208,26 @@ random_kqfilter(dev_t dev, struct knote
static int
random_read(dev_t dev, struct uio *uio, int flags)
{
- uint8_t seed[NIST_HASH_DRBG_SEEDLEN_BYTES] = {0};
- struct nist_hash_drbg drbg;
- uint8_t *buf;
- int extractflags;
- int error;
+ int gflags;
- /* Get a buffer for transfers. */
- buf = kmem_alloc(RANDOM_BUFSIZE, KM_SLEEP);
-
- /*
- * If it's a short read from /dev/urandom, just generate the
- * output directly with per-CPU cprng_strong.
- */
- if (minor(dev) == RND_DEV_URANDOM &&
- uio->uio_resid <= RANDOM_BUFSIZE) {
- /* Generate data and transfer it out. */
- cprng_strong(user_cprng, buf, uio->uio_resid, 0);
- error = uiomove(buf, uio->uio_resid, uio);
- goto out;
- }
-
- /*
- * If we're doing a blocking read from /dev/random, wait
- * interruptibly. Otherwise, don't wait.
- */
- if (minor(dev) == RND_DEV_RANDOM && !ISSET(flags, FNONBLOCK))
- extractflags = ENTROPY_WAIT|ENTROPY_SIG;
- else
- extractflags = 0;
-
- /*
- * Query the entropy pool. For /dev/random, stop here if this
- * fails. For /dev/urandom, go on either way --
- * entropy_extract will always fill the buffer with what we
- * have from the global pool.
- */
- error = entropy_extract(seed, sizeof seed, extractflags);
- if (minor(dev) == RND_DEV_RANDOM && error)
- goto out;
-
- /* Instantiate the DRBG. */
- if (nist_hash_drbg_instantiate(&drbg, seed, sizeof seed, NULL, 0,
- NULL, 0))
- panic("nist_hash_drbg_instantiate");
-
- /* Promptly zero the seed. */
- explicit_memset(seed, 0, sizeof seed);
-
- /* Generate data. */
- error = 0;
- while (uio->uio_resid) {
- size_t n = MIN(uio->uio_resid, RANDOM_BUFSIZE);
-
- /*
- * Clamp /dev/random output to the entropy capacity and
- * seed size. Programs can't rely on long reads.
- */
- if (minor(dev) == RND_DEV_RANDOM) {
- n = MIN(n, ENTROPY_CAPACITY);
- n = MIN(n, sizeof seed);
- /*
- * Guarantee never to return more than one
- * buffer in this case to minimize bookkeeping.
- */
- CTASSERT(ENTROPY_CAPACITY <= RANDOM_BUFSIZE);
- CTASSERT(sizeof seed <= RANDOM_BUFSIZE);
- }
-
- /*
- * Try to generate a block of data, but if we've hit
- * the DRBG reseed interval, reseed.
- */
- if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) {
- /*
- * Get a fresh seed without blocking -- we have
- * already generated some output so it is not
- * useful to block. This can fail only if the
- * request is obscenely large, so it is OK for
- * either /dev/random or /dev/urandom to fail:
- * we make no promises about gigabyte-sized
- * reads happening all at once.
- */
- error = entropy_extract(seed, sizeof seed, 0);
- if (error)
- break;
-
- /* Reseed and try again. */
- if (nist_hash_drbg_reseed(&drbg, seed, sizeof seed,
- NULL, 0))
- panic("nist_hash_drbg_reseed");
-
- /* Promptly zero the seed. */
- explicit_memset(seed, 0, sizeof seed);
-
- /* If it fails now, that's a bug. */
- if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0))
- panic("nist_hash_drbg_generate");
- }
-
- /* Transfer n bytes out. */
- error = uiomove(buf, n, uio);
- if (error)
- break;
-
- /*
- * If this is /dev/random, stop here, return what we
- * have, and force the next read to reseed. Programs
- * can't rely on /dev/random for long reads.
- */
- if (minor(dev) == RND_DEV_RANDOM) {
- error = 0;
- break;
- }
-
- /* Yield if requested. */
- if (curcpu()->ci_schedstate.spc_flags & SPCF_SHOULDYIELD)
- preempt();
-
- /* Check for interruption after at least 256 bytes. */
- CTASSERT(RANDOM_BUFSIZE >= 256);
- if (__predict_false(curlwp->l_flag & LW_PENDSIG) &&
- sigispending(curlwp, 0)) {
- error = EINTR;
- break;
- }
+ /* Set the appropriate GRND_* mode. */
+ switch (minor(dev)) {
+ case RND_DEV_RANDOM:
+ gflags = GRND_RANDOM;
+ break;
+ case RND_DEV_URANDOM:
+ gflags = GRND_INSECURE;
+ break;
+ default:
+ return ENXIO;
}
-out: /* Zero the buffer and free it. */
- explicit_memset(buf, 0, RANDOM_BUFSIZE);
- kmem_free(buf, RANDOM_BUFSIZE);
+ /* Set GRND_NONBLOCK if the user requested FNONBLOCK. */
+ if (flags & FNONBLOCK)
+ gflags |= GRND_NONBLOCK;
- return error;
+ /* Defer to getrandom. */
+ return dogetrandom(uio, gflags);
}
/*
Index: src/sys/kern/files.kern
diff -u src/sys/kern/files.kern:1.50 src/sys/kern/files.kern:1.51
--- src/sys/kern/files.kern:1.50 Tue Jul 28 20:15:07 2020
+++ src/sys/kern/files.kern Fri Aug 14 00:53:16 2020
@@ -1,4 +1,4 @@
-# $NetBSD: files.kern,v 1.50 2020/07/28 20:15:07 riastradh Exp $
+# $NetBSD: files.kern,v 1.51 2020/08/14 00:53:16 riastradh Exp $
#
# kernel sources
@@ -157,6 +157,7 @@ file kern/sys_aio.c aio
file kern/sys_descrip.c kern
file kern/sys_futex.c kern
file kern/sys_generic.c kern
+file kern/sys_getrandom.c kern
file kern/sys_module.c kern
file kern/sys_mqueue.c mqueue
file kern/sys_lwp.c kern
Index: src/sys/kern/kern_entropy.c
diff -u src/sys/kern/kern_entropy.c:1.22 src/sys/kern/kern_entropy.c:1.23
--- src/sys/kern/kern_entropy.c:1.22 Tue May 12 20:50:17 2020
+++ src/sys/kern/kern_entropy.c Fri Aug 14 00:53:16 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_entropy.c,v 1.22 2020/05/12 20:50:17 riastradh Exp $ */
+/* $NetBSD: kern_entropy.c,v 1.23 2020/08/14 00:53:16 riastradh Exp $ */
/*-
* Copyright (c) 2019 The NetBSD Foundation, Inc.
@@ -75,7 +75,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_entropy.c,v 1.22 2020/05/12 20:50:17 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_entropy.c,v 1.23 2020/08/14 00:53:16 riastradh Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -612,6 +612,18 @@ entropy_epoch(void)
}
/*
+ * entropy_ready()
+ *
+ * True if the entropy pool has full entropy.
+ */
+bool
+entropy_ready(void)
+{
+
+ return atomic_load_relaxed(&E->needed) == 0;
+}
+
+/*
* entropy_account_cpu(ec)
*
* Consider whether to consolidate entropy into the global pool
@@ -1231,6 +1243,8 @@ sysctl_entropy_gather(SYSCTLFN_ARGS)
*
* ENTROPY_WAIT Wait for entropy if not available yet.
* ENTROPY_SIG Allow interruption by a signal during wait.
+ * ENTROPY_HARDFAIL Either fill the buffer with full entropy,
+ * or fail without filling it at all.
*
* Return zero on success, or error on failure:
*
@@ -1292,9 +1306,15 @@ entropy_extract(void *buf, size_t len, i
}
}
- /* Count failure -- but fill the buffer nevertheless. */
- if (error)
+ /*
+ * Count failure -- but fill the buffer nevertheless, unless
+ * the caller specified ENTROPY_HARDFAIL.
+ */
+ if (error) {
+ if (ISSET(flags, ENTROPY_HARDFAIL))
+ goto out;
entropy_extract_fail_evcnt.ev_count++;
+ }
/*
* Report a warning if we have never yet reached full entropy.
@@ -1324,7 +1344,7 @@ entropy_extract(void *buf, size_t len, i
entropy_deplete_evcnt.ev_count++;
}
- /* Release the global lock and return the error. */
+out: /* Release the global lock and return the error. */
if (E->stage >= ENTROPY_WARM)
mutex_exit(&E->lock);
return error;
Index: src/sys/kern/syscalls.master
diff -u src/sys/kern/syscalls.master:1.305 src/sys/kern/syscalls.master:1.306
--- src/sys/kern/syscalls.master:1.305 Sat May 16 18:31:50 2020
+++ src/sys/kern/syscalls.master Fri Aug 14 00:53:16 2020
@@ -1,4 +1,4 @@
- $NetBSD: syscalls.master,v 1.305 2020/05/16 18:31:50 christos Exp $
+ $NetBSD: syscalls.master,v 1.306 2020/08/14 00:53:16 riastradh Exp $
; @(#)syscalls.master 8.2 (Berkeley) 1/13/94
@@ -216,7 +216,8 @@
89 COMPAT_43 MODULAR compat_43 \
{ int|sys||getdtablesize(void); } ogetdtablesize
90 STD RUMP { int|sys||dup2(int from, int to); }
-91 UNIMPL getdopt
+91 STD RUMP { ssize_t|sys||getrandom(void *buf, size_t buflen, \
+ unsigned int flags); }
92 STD RUMP { int|sys||fcntl(int fd, int cmd, ... void *arg); }
93 COMPAT_50 MODULAR compat_50 RUMP \
{ int|sys||select(int nd, fd_set *in, fd_set *ou, \
Index: src/sys/rump/librump/rumpkern/Makefile.rumpkern
diff -u src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.184 src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.185
--- src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.184 Tue Jul 28 20:15:07 2020
+++ src/sys/rump/librump/rumpkern/Makefile.rumpkern Fri Aug 14 00:53:16 2020
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.rumpkern,v 1.184 2020/07/28 20:15:07 riastradh Exp $
+# $NetBSD: Makefile.rumpkern,v 1.185 2020/08/14 00:53:16 riastradh Exp $
#
IOCONFDIR:= ${.PARSEDIR}
@@ -130,6 +130,7 @@ SRCS+= init_sysctl_base.c \
subr_xcall.c \
sys_descrip.c \
sys_generic.c \
+ sys_getrandom.c \
sys_module.c \
sys_pipe.c \
sys_select.c \
Index: src/sys/sys/Makefile
diff -u src/sys/sys/Makefile:1.175 src/sys/sys/Makefile:1.176
--- src/sys/sys/Makefile:1.175 Mon Jun 8 16:36:18 2020
+++ src/sys/sys/Makefile Fri Aug 14 00:53:16 2020
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.175 2020/06/08 16:36:18 maxv Exp $
+# $NetBSD: Makefile,v 1.176 2020/08/14 00:53:16 riastradh Exp $
.include <bsd.own.mk>
@@ -34,7 +34,7 @@ INCS= acct.h acl.h agpio.h aio.h ansi.h
param.h pcu.h pipe.h pmf.h poll.h pool.h power.h proc.h \
protosw.h pset.h psref.h ptrace.h ptree.h \
queue.h quota.h quotactl.h \
- radixtree.h ras.h rbtree.h reboot.h radioio.h resource.h \
+ radioio.h radixtree.h random.h ras.h rbtree.h reboot.h resource.h \
resourcevar.h rmd160.h rnd.h rndio.h rwlock.h \
scanio.h sched.h scsiio.h sdt.h select.h selinfo.h sem.h semaphore.h \
sha1.h sha2.h sha3.h shm.h siginfo.h signal.h signalvar.h sigtypes.h \
Index: src/sys/sys/entropy.h
diff -u src/sys/sys/entropy.h:1.3 src/sys/sys/entropy.h:1.4
--- src/sys/sys/entropy.h:1.3 Fri May 8 15:54:11 2020
+++ src/sys/sys/entropy.h Fri Aug 14 00:53:16 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: entropy.h,v 1.3 2020/05/08 15:54:11 riastradh Exp $ */
+/* $NetBSD: entropy.h,v 1.4 2020/08/14 00:53:16 riastradh Exp $ */
/*-
* Copyright (c) 2019 The NetBSD Foundation, Inc.
@@ -44,12 +44,14 @@ struct knote;
#define ENTROPY_CAPACITY ENTPOOL_CAPACITY /* bytes */
-#define ENTROPY_WAIT 0x01
-#define ENTROPY_SIG 0x02
+#define ENTROPY_WAIT 0x01
+#define ENTROPY_SIG 0x02
+#define ENTROPY_HARDFAIL 0x04
void entropy_bootrequest(void);
void entropy_consolidate(void);
unsigned entropy_epoch(void);
+bool entropy_ready(void);
int entropy_extract(void *, size_t, int);
int entropy_poll(int);
int entropy_kqfilter(struct knote *);
Index: src/tests/lib/libc/sys/Makefile
diff -u src/tests/lib/libc/sys/Makefile:1.66 src/tests/lib/libc/sys/Makefile:1.67
--- src/tests/lib/libc/sys/Makefile:1.66 Fri Jul 17 15:34:16 2020
+++ src/tests/lib/libc/sys/Makefile Fri Aug 14 00:53:16 2020
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.66 2020/07/17 15:34:16 kamil Exp $
+# $NetBSD: Makefile,v 1.67 2020/08/14 00:53:16 riastradh Exp $
MKMAN= no
@@ -25,6 +25,7 @@ TESTS_C+= t_getgroups
TESTS_C+= t_getitimer
TESTS_C+= t_getlogin
TESTS_C+= t_getpid
+TESTS_C+= t_getrandom
TESTS_C+= t_getrusage
TESTS_C+= t_getsid
TESTS_C+= t_getsockname
Added files:
Index: src/lib/libc/sys/getrandom.2
diff -u /dev/null src/lib/libc/sys/getrandom.2:1.1
--- /dev/null Fri Aug 14 00:53:17 2020
+++ src/lib/libc/sys/getrandom.2 Fri Aug 14 00:53:16 2020
@@ -0,0 +1,283 @@
+.\" $NetBSD: getrandom.2,v 1.1 2020/08/14 00:53:16 riastradh Exp $
+.\"
+.\" Copyright (c) 2020 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Taylor R. Campbell.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd January 13, 2020
+.Dt GETRANDOM 2
+.Os
+.Sh NAME
+.Nm getrandom
+.Nd random number generation from system entropy
+.Sh LIBRARY
+.Lb libc
+.Sh SYNOPSIS
+.In sys/random.h
+.Ft ssize_t
+.Fn getrandom "void *buf" "size_t buflen" "unsigned int flags"
+.Sh DESCRIPTION
+The
+.Nm
+function fills
+.Fa buf
+with up to
+.Fa buflen
+independent uniform random bytes derived from the system's entropy
+pool.
+.Pp
+The function may block until the system has full entropy, meaning that
+the system has observed enough noise from physical processes that an
+adversary cannot predict what state it is in:
+.Bl -bullet -compact
+.It
+When the system has only partial entropy, the output of
+.Fn getrandom
+may be predictable.
+.It
+When the system has full entropy, the output is fit for use as
+cryptographic key material.
+.El
+.Pp
+The
+.Fa flags
+argument may be:
+.Bl -tag -offset abcd -width GRND_INSECURE
+.It Li 0
+Block until the system entropy pool has full entropy; then generate
+arbitrarily much data.
+.Em Recommended .
+.Pp
+If interrupted by a signal, may fail with
+.Er EINTR
+or return a short read.
+If successful, guaranteed to return at least 256 bytes even if
+interrupted.
+.It Dv GRND_INSECURE
+Do not block; instead fill
+.Fa buf
+with output derived from whatever is in the system entropy pool so
+far.
+Equivalent to reading from
+.Pa /dev/urandom ;
+see
+.Xr rnd 4 .
+.Pp
+If interrupted by a signal, may fail with
+.Er EINTR
+or return a short read.
+If successful, guaranteed to return at least 256 bytes even if
+interrupted.
+.Pp
+Despite the name, this is secure as long as you only do it
+.Em after
+at least one successful call without
+.Dv GRND_INSECURE ,
+such as
+.Li "getrandom(..., 0)"
+or
+.Li "getrandom(..., GRND_RANDOM)" ,
+or after reading at least one byte from
+.Pa /dev/random .
+.Pp
+.Sy WARNING :
+If you use
+.Dv GRND_INSECURE
+.Em before
+the system has full entropy. the output may enable an adversary to
+search the possible states of the entropy pool by brute force, and
+thereby reduce its entropy to zero.
+Thus, incautious use of
+.Dv GRND_INSECURE
+can ruin the security of the whole system.
+.Pp
+.Nx
+attempts to defend against this threat model by resetting the system's
+entropy estimate to zero in this event, requiring gathering full
+entropy again before
+.Pa /dev/random
+or
+.Fn getrandom
+without
+.Dv GRND_INSECURE
+will unblock, but other operating systems may not.
+.It Dv GRND_RANDOM
+Block until the system entropy pool has full entropy; then generate a
+small amount of data.
+Equivalent to reading from
+.Pa /dev/random ;
+see
+.Xr rnd 4 .
+This is provided mainly for source compatibility with Linux; there is
+essentially no reason to ever use it.
+.El
+.Pp
+The flag
+.Dv GNRD_NONBLOCK
+may also be included with bitwise-OR, in which case if
+.Fn getrandom
+would have blocked without
+.Dv GRND_NONBLOCK ,
+it returns
+.Er EAGAIN
+instead.
+.Pp
+Adding
+.Dv GRND_NONBLOCK
+to
+.Dv GRND_INSECURE
+has no effect; the combination
+.Dv GRND_INSECURE Ns Li "|" Ns Li GRND_NONBLOCK
+is equivalent to
+.Dv GRND_INSECURE ,
+since
+.Dv GRND_INSECURE
+never blocks.
+The combination
+.Dv GRND_INSECURE Ns Li "|" Ns Li GRND_RANDOM
+is nonsensical and fails with
+.Er EINVAL .
+.Sh RETURN VALUES
+If successful,
+.Fn getrandom
+returns the number of bytes stored in
+.Fa buf .
+Otherwise,
+.Fn getrandom
+returns \-1 and sets
+.Va errno .
+.Pp
+Since
+.Li "getrandom(..., 0)"
+and
+.Li "getrandom(..., GRND_INSECURE)"
+are guaranteed to return at least 256 bytes if successful, it
+is sufficient to use, e.g.,
+.Bd -literal -compact
+ getrandom(buf, 32, 0) == -1
+.Ed
+or
+.Bd -literal -compact
+ getrandom(buf, 32, GRND_INSECURE) == -1
+.Ed
+to detect failure.
+However, with
+.Dv GRND_RANDOM ,
+.Fn getrandom
+may return as little as a single byte if successful.
+.Sh EXAMPLES
+.Sy Recommended usage .
+Generate a key for cryptography:
+.Bd -literal
+ uint8_t secretkey[32];
+
+ if (getrandom(secretkey, sizeof secretkey, 0) == -1)
+ err(EXIT_FAILURE, "getrandom");
+ crypto_secretbox_xsalsa20poly1305(..., secretkey);
+.Ed
+.Pp
+Other idioms for illustration:
+.Bl -bullet
+.It
+Wait for entropy once, and then generate many keys without waiting:
+.Bd -literal
+ struct { uint8_t key[32]; } user[100];
+
+ if (getrandom(NULL, 0, 0) == -1)
+ err(EXIT_FAILURE, "getrandom");
+ for (i = 0; i < 100; i++)
+ if (getrandom(user[i].key, sizeof user[i].key,
+ GRND_INSECURE) == -1)
+ err(EXIT_FAILURE, "getrandom");
+.Ed
+.It
+Twiddle thumbs while waiting for entropy:
+.Bd -literal
+ uint8_t secretkey[32];
+
+ while (getrandom(secretkey, sizeof secretkey, GRND_NONBLOCK)
+ == -1) {
+ if (errno != EAGAIN)
+ err(EXIT_FAILURE, "getrandom");
+ twiddle_thumbs();
+ }
+ crypto_secretbox_xsalsa20poly1305(..., secretkey);
+.Ed
+.El
+.Pp
+(No examples of
+.Dv GRND_RANDOM
+because it is not useful.)
+.Sh ERRORS
+.Bl -tag -width Er
+.It Bq Er EAGAIN
+The
+.Dv GRND_NONBLOCK
+flag was specified, and the system entropy pool does not have full
+entropy.
+.It Bq Er EINTR
+The
+.Dv GRND_NONBLOCK
+flag was
+.Em not
+specified, the system entropy pool does not have full entropy, and the
+process was interrupted by a signal while waiting.
+.It Bq Er EINVAL
+.Fa flags
+contains an unrecognized flag or a nonsensical combination of flags.
+.It Bq Er EFAULT
+.Fa buf
+points outside the allocated address space.
+.El
+.Sh SEE ALSO
+.Xr rnd 4
+.Sh HISTORY
+The
+.Nm
+system call first appeared in Linux 3.17, and was added to
+.Nx 10.0 .
+.Sh AUTHORS
+The
+.Nx
+implementation of
+.Nm
+and this man page were written by
+.An Taylor R Campbell Aq Mt [email protected] .
+.Sh BUGS
+There is no way to multiplex waiting for
+.Fn getrandom
+with other I/O in
+.Xr select 2 ,
+.Xr poll 2 ,
+or
+.Xr kqueue 2 .
+Instead, you can wait for a read from
+.Pa /dev/random ;
+see
+.Xr rnd 4 .
+.Pp
+.Dv GRND_RANDOM
+is a little silly.
Index: src/sys/kern/sys_getrandom.c
diff -u /dev/null src/sys/kern/sys_getrandom.c:1.1
--- /dev/null Fri Aug 14 00:53:17 2020
+++ src/sys/kern/sys_getrandom.c Fri Aug 14 00:53:16 2020
@@ -0,0 +1,246 @@
+/* $NetBSD: sys_getrandom.c,v 1.1 2020/08/14 00:53:16 riastradh Exp $ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Taylor R. Campbell.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * getrandom() system call
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD: sys_getrandom.c,v 1.1 2020/08/14 00:53:16 riastradh Exp $");
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <sys/atomic.h>
+#include <sys/cprng.h>
+#include <sys/entropy.h>
+#include <sys/kmem.h>
+#include <sys/lwp.h>
+#include <sys/proc.h>
+#include <sys/random.h>
+#include <sys/sched.h>
+#include <sys/signalvar.h>
+#include <sys/syscallargs.h>
+#include <sys/uio.h>
+
+#include <crypto/nist_hash_drbg/nist_hash_drbg.h>
+
+#define RANDOM_BUFSIZE 512
+
+int
+dogetrandom(struct uio *uio, unsigned int flags)
+{
+ uint8_t seed[NIST_HASH_DRBG_SEEDLEN_BYTES] = {0};
+ struct nist_hash_drbg drbg;
+ uint8_t *buf;
+ int extractflags = 0;
+ int error;
+
+ KASSERT((flags & ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)) == 0);
+ KASSERT((flags & (GRND_RANDOM|GRND_INSECURE)) !=
+ (GRND_RANDOM|GRND_INSECURE));
+
+ /* Get a buffer for transfers. */
+ buf = kmem_alloc(RANDOM_BUFSIZE, KM_SLEEP);
+
+ /*
+ * Fast path: for short reads other than from /dev/random, if
+ * seeded or if INSECURE, just draw from per-CPU cprng_strong.
+ */
+ if (uio->uio_resid <= RANDOM_BUFSIZE &&
+ !ISSET(flags, GRND_RANDOM) &&
+ (entropy_ready() || ISSET(flags, GRND_INSECURE))) {
+ /* Generate data and transfer it out. */
+ cprng_strong(user_cprng, buf, uio->uio_resid, 0);
+ error = uiomove(buf, uio->uio_resid, uio);
+ goto out;
+ }
+
+ /*
+ * Try to get a seed from the entropy pool. Fail if we would
+ * block. If GRND_INSECURE, always return something even if it
+ * is partial entropy; if !GRND_INSECURE, set ENTROPY_HARDFAIL
+ * in order to tell entropy_extract not to bother drawing
+ * anything from a partial pool if we can't get full entropy.
+ */
+ if (!ISSET(flags, GRND_NONBLOCK) && !ISSET(flags, GRND_INSECURE))
+ extractflags |= ENTROPY_WAIT|ENTROPY_SIG;
+ if (!ISSET(flags, GRND_INSECURE))
+ extractflags |= ENTROPY_HARDFAIL;
+ error = entropy_extract(seed, sizeof seed, extractflags);
+ if (error && !ISSET(flags, GRND_INSECURE))
+ goto out;
+
+ /* Instantiate the DRBG. */
+ if (nist_hash_drbg_instantiate(&drbg, seed, sizeof seed, NULL, 0,
+ NULL, 0))
+ panic("nist_hash_drbg_instantiate");
+
+ /* Promptly zero the seed. */
+ explicit_memset(seed, 0, sizeof seed);
+
+ /* Generate data. */
+ error = 0;
+ while (uio->uio_resid) {
+ size_t n = MIN(uio->uio_resid, RANDOM_BUFSIZE);
+
+ /*
+ * Clamp /dev/random output to the entropy capacity and
+ * seed size. Programs can't rely on long reads.
+ */
+ if (ISSET(flags, GRND_RANDOM)) {
+ n = MIN(n, ENTROPY_CAPACITY);
+ n = MIN(n, sizeof seed);
+ /*
+ * Guarantee never to return more than one
+ * buffer in this case to minimize bookkeeping.
+ */
+ CTASSERT(ENTROPY_CAPACITY <= RANDOM_BUFSIZE);
+ CTASSERT(sizeof seed <= RANDOM_BUFSIZE);
+ }
+
+ /*
+ * Try to generate a block of data, but if we've hit
+ * the DRBG reseed interval, reseed.
+ */
+ if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) {
+ /*
+ * Get a fresh seed without blocking -- we have
+ * already generated some output so it is not
+ * useful to block. This can fail only if the
+ * request is obscenely large, so it is OK for
+ * either /dev/random or /dev/urandom to fail:
+ * we make no promises about gigabyte-sized
+ * reads happening all at once.
+ */
+ error = entropy_extract(seed, sizeof seed,
+ ENTROPY_HARDFAIL);
+ if (error)
+ break;
+
+ /* Reseed and try again. */
+ if (nist_hash_drbg_reseed(&drbg, seed, sizeof seed,
+ NULL, 0))
+ panic("nist_hash_drbg_reseed");
+
+ /* Promptly zero the seed. */
+ explicit_memset(seed, 0, sizeof seed);
+
+ /* If it fails now, that's a bug. */
+ if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0))
+ panic("nist_hash_drbg_generate");
+ }
+
+ /* Transfer n bytes out. */
+ error = uiomove(buf, n, uio);
+ if (error)
+ break;
+
+ /*
+ * If this is /dev/random, stop here, return what we
+ * have, and force the next read to reseed. Programs
+ * can't rely on /dev/random for long reads.
+ */
+ if (ISSET(flags, GRND_RANDOM)) {
+ error = 0;
+ break;
+ }
+
+ /* Yield if requested. */
+ if (curcpu()->ci_schedstate.spc_flags & SPCF_SHOULDYIELD)
+ preempt();
+
+ /* Check for interruption after at least 256 bytes. */
+ CTASSERT(RANDOM_BUFSIZE >= 256);
+ if (__predict_false(curlwp->l_flag & LW_PENDSIG) &&
+ sigispending(curlwp, 0)) {
+ error = EINTR;
+ break;
+ }
+ }
+
+out: /* Zero the buffer and free it. */
+ explicit_memset(buf, 0, RANDOM_BUFSIZE);
+ kmem_free(buf, RANDOM_BUFSIZE);
+
+ return error;
+}
+
+int
+sys_getrandom(struct lwp *l, const struct sys_getrandom_args *uap,
+ register_t *retval)
+{
+ /* {
+ syscallarg(void *) buf;
+ syscallarg(size_t) buflen;
+ syscallarg(unsigned) flags;
+ } */
+ void *buf = SCARG(uap, buf);
+ size_t buflen = SCARG(uap, buflen);
+ int flags = SCARG(uap, flags);
+ int error;
+
+ /* Set up an iov and uio to read into the user's buffer. */
+ struct iovec iov = { .iov_base = buf, .iov_len = buflen };
+ struct uio uio = {
+ .uio_iov = &iov,
+ .uio_iovcnt = 1,
+ .uio_offset = 0,
+ .uio_resid = buflen,
+ .uio_rw = UIO_READ,
+ .uio_vmspace = curproc->p_vmspace,
+ };
+
+ /* Validate the flags. */
+ if (flags & ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)) {
+ /* Unknown flags. */
+ error = EINVAL;
+ goto out;
+ }
+ if ((flags & (GRND_RANDOM|GRND_INSECURE)) ==
+ (GRND_RANDOM|GRND_INSECURE)) {
+ /* Nonsensical combination. */
+ error = EINVAL;
+ goto out;
+ }
+
+ /* Do it. */
+ error = dogetrandom(&uio, flags);
+
+out: /*
+ * If we transferred anything, return the number of bytes
+ * transferred and suppress error; otherwise return the error.
+ */
+ *retval = buflen - uio.uio_resid;
+ if (*retval)
+ error = 0;
+ return error;
+}
Index: src/sys/sys/random.h
diff -u /dev/null src/sys/sys/random.h:1.1
--- /dev/null Fri Aug 14 00:53:17 2020
+++ src/sys/sys/random.h Fri Aug 14 00:53:16 2020
@@ -0,0 +1,69 @@
+/* $NetBSD: random.h,v 1.1 2020/08/14 00:53:16 riastradh Exp $ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Taylor R. Campbell.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SYS_RANDOM_H
+#define _SYS_RANDOM_H
+
+#include <sys/cdefs.h>
+
+#include <machine/ansi.h> /* _BSD_SIZE_T_ */
+
+#define GRND_NONBLOCK (1u << 0)
+#define GRND_RANDOM (1u << 1)
+#define GRND_INSECURE (1u << 2)
+
+#ifdef _KERNEL
+
+struct uio;
+
+int dogetrandom(struct uio *, unsigned int);
+
+#endif /* _KERNEL */
+
+#ifndef _KERNEL
+__BEGIN_DECLS
+
+#ifdef _BSD_SIZE_T_
+typedef _BSD_SIZE_T_ size_t;
+#undef _BSD_SIZE_T_
+#endif
+
+#ifdef _BSD_SSIZE_T_
+typedef _BSD_SSIZE_T_ ssize_t;
+#undef _BSD_SSIZE_T_
+#endif
+
+ssize_t getrandom(void *, size_t, unsigned int);
+
+__END_DECLS
+#endif /* !_KERNEL */
+
+#endif /* _SYS_RANDOM_H */
Index: src/tests/lib/libc/sys/t_getrandom.c
diff -u /dev/null src/tests/lib/libc/sys/t_getrandom.c:1.1
--- /dev/null Fri Aug 14 00:53:17 2020
+++ src/tests/lib/libc/sys/t_getrandom.c Fri Aug 14 00:53:16 2020
@@ -0,0 +1,170 @@
+/* $NetBSD: t_getrandom.c,v 1.1 2020/08/14 00:53:16 riastradh Exp $ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Taylor R. Campbell.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__RCSID("$NetBSD: t_getrandom.c,v 1.1 2020/08/14 00:53:16 riastradh Exp $");
+
+#include <sys/random.h>
+
+#include <atf-c.h>
+#include <errno.h>
+#include <signal.h>
+#include <unistd.h>
+
+static uint8_t buf[65536];
+static uint8_t zero24[24];
+
+static void
+alarm_handler(int signo)
+{
+}
+
+ATF_TC(getrandom);
+ATF_TC_HEAD(getrandom, tc)
+{
+
+ atf_tc_set_md_var(tc, "descr", "getrandom(2)");
+}
+
+/*
+ * Probability of spurious failure is 1/2^192 for each of the memcmps.
+ * As long as there are fewer than 2^64 of them, the probability of
+ * spurious failure is at most 1/2^128, which is low enough that we
+ * don't care about it.
+ */
+
+ATF_TC_BODY(getrandom, tc)
+{
+ ssize_t n;
+
+ ATF_REQUIRE(signal(SIGALRM, &alarm_handler) != SIG_ERR);
+
+ /* default */
+ alarm(1);
+ memset(buf, 0, sizeof buf);
+ n = getrandom(buf, sizeof buf, 0);
+ if (n == -1) {
+ ATF_CHECK_EQ(errno, EINTR);
+ } else {
+ ATF_CHECK_EQ((size_t)n, sizeof buf);
+ ATF_CHECK(memcmp(buf, zero24, 24) != 0);
+ ATF_CHECK(memcmp(buf + sizeof buf - 24, zero24, 24) != 0);
+ }
+ alarm(0);
+
+ /* default, nonblocking */
+ memset(buf, 0, sizeof buf);
+ n = getrandom(buf, sizeof buf, GRND_NONBLOCK);
+ if (n == -1) {
+ ATF_CHECK_EQ(errno, EAGAIN);
+ } else {
+ ATF_CHECK_EQ((size_t)n, sizeof buf);
+ ATF_CHECK(memcmp(buf, zero24, 24) != 0);
+ ATF_CHECK(memcmp(buf + sizeof buf - 24, zero24, 24) != 0);
+ }
+
+ /* insecure */
+ memset(buf, 0, sizeof buf);
+ n = getrandom(buf, sizeof buf, GRND_INSECURE);
+ ATF_CHECK(n != -1);
+ ATF_CHECK_EQ((size_t)n, sizeof buf);
+ ATF_CHECK(memcmp(buf, zero24, 24) != 0);
+ ATF_CHECK(memcmp(buf + sizeof buf - 24, zero24, 24) != 0);
+
+ /* insecure, nonblocking -- same as mere insecure */
+ memset(buf, 0, sizeof buf);
+ n = getrandom(buf, sizeof buf, GRND_INSECURE|GRND_NONBLOCK);
+ ATF_CHECK(n != -1);
+ ATF_CHECK_EQ((size_t)n, sizeof buf);
+ ATF_CHECK(memcmp(buf, zero24, 24) != 0);
+ ATF_CHECK(memcmp(buf + sizeof buf - 24, zero24, 24) != 0);
+
+ /* `random' (hokey) */
+ alarm(1);
+ memset(buf, 0, sizeof buf);
+ n = getrandom(buf, sizeof buf, GRND_RANDOM);
+ if (n == -1) {
+ ATF_CHECK_EQ(errno, EINTR);
+ } else {
+ ATF_CHECK(n != 0);
+ ATF_CHECK((size_t)n <= sizeof buf);
+ if ((size_t)n >= 24) {
+ ATF_CHECK(memcmp(buf, zero24, 24) != 0);
+ ATF_CHECK(memcmp(buf + n - 24, zero24, 24) != 0);
+ }
+ }
+ alarm(0);
+
+ /* `random' (hokey), nonblocking */
+ memset(buf, 0, sizeof buf);
+ n = getrandom(buf, sizeof buf, GRND_RANDOM|GRND_NONBLOCK);
+ if (n == -1) {
+ ATF_CHECK_EQ(errno, EAGAIN);
+ } else {
+ ATF_CHECK(n != 0);
+ ATF_CHECK((size_t)n <= sizeof buf);
+ if ((size_t)n >= 24) {
+ ATF_CHECK(memcmp(buf, zero24, 24) != 0);
+ ATF_CHECK(memcmp(buf + n - 24, zero24, 24) != 0);
+ }
+ }
+
+ /* random and insecure -- nonsensical */
+ n = getrandom(buf, sizeof buf, GRND_RANDOM|GRND_INSECURE);
+ ATF_CHECK_EQ(n, -1);
+ ATF_CHECK_EQ(errno, EINVAL);
+
+ /* random and insecure, nonblocking -- nonsensical */
+ n = getrandom(buf, sizeof buf,
+ GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK);
+ ATF_CHECK_EQ(n, -1);
+ ATF_CHECK_EQ(errno, EINVAL);
+
+ /* invalid flags */
+ __CTASSERT(~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK));
+ n = getrandom(buf, sizeof buf,
+ ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK));
+ ATF_CHECK_EQ(n, -1);
+ ATF_CHECK_EQ(errno, EINVAL);
+
+ /* unmapped */
+ n = getrandom(NULL, sizeof buf, GRND_INSECURE|GRND_NONBLOCK);
+ ATF_CHECK_EQ(n, -1);
+ ATF_CHECK_EQ(errno, EFAULT);
+}
+
+ATF_TP_ADD_TCS(tp)
+{
+
+ ATF_TP_ADD_TC(tp, getrandom);
+
+ return atf_no_error();
+}
