deraadt
3f9dd576c8
Split arc4random_uniform into it's own file, to assist other projects
now using this as upstream code. The particular problem is systems
that contain older arc4random derivations lacking arc4random_uniform().
ok tedu miod
10 years ago
beck
a99ff4bd9f
Solaris uses a symbolic link for /dev/urandom which harms best practice of
using O_NOFOLLOW - cope with it as best as possible by trying two
different paths. - written by deraadt@ and kettenis@
10 years ago
deraadt
25da0193d5
odds are that some ABI change occured today, no matter how careful everyone
is
10 years ago
tedu
5bee4066ca
i'm a dumbdumb. fix build.
10 years ago
tedu
447cee822e
move all the feature settings to a common header.
probably ok beck jsing miod
10 years ago
beck
2e9cadcb9c
Make sure we leave OPENSSL_NO_PSK in the conf files so things
can know...
ok jsing@
10 years ago
kettenis
78bf858a52
Add locking for __cxa_finalize() as it modifies the page permissions of the
__atexit tables and touches global variables. From Srinavasa Nagaraju
through Android/Elliott Hughes.
ok tedu@, guenther@
10 years ago
tedu
ae7f8bb30d
better document perils of setuid getenv and xr with issetugid
ok deraadt
10 years ago
tedu
beacb71783
as noted by google/android via kettenis, atexit handlers can install new
handlers. if this happens, restart the loop.
ok kettenis matthew millert miod
10 years ago
tedu
705f1bf46e
reduce obvious dependency on global g_pool by moving to local aliases
ok otto
10 years ago
naddy
33c9c303eb
rephrase the stpcpy() warning
new wording agreed by at least kettenis@ millert@ otto@
10 years ago
beck
97abe91297
Clean up after arc4random u_int32_t uint32_t change
ok jsing@
10 years ago
bcook
165f09edc7
changes to improve portability
ok beck@ deraadt@ jsing@ guenther@
10 years ago
bcook
a3816c6eb6
remove unused variables getentropy for OS X
ok beck@
10 years ago
miod
32c03af696
RSA_NULL used to be a compile option allowing the RSA interfaces to be
compiled-in, with nonfunctional code, to be able to cope with the RSA
patent.
However, we don't use this option, and the RSA patent has expired more than 10
years ago, so just drop this piece.
10 years ago
miod
892a9183d4
Remove undocumented _des_crypt() interface and its companion header file,
which had never been installed, so it's unlikely something ever used this
in the last 15~20 years.
ok deraadt@ jsing@ beck@
10 years ago
beck
91875b6d33
getentropy for osx and solaris. will be needed for a portable release
10 years ago
beck
b7e16f9d19
fix oops, accidental delete.. darn copying of files between machines
10 years ago
beck
8de43bf12f
j should be an int, like repeat
10 years ago
beck
287fe24a2f
unbreak last commit - but same intent, make re-seed less expensive
10 years ago
deraadt
bc5b290d46
repeat calls to getentrypy() with the same pid likely indicate reseeds.
Since we assume the PRNG above is doing "something old, something new"
folding, shortcut and do fewer repeats through the timing loop.
ok beck
10 years ago
deraadt
1a1b9e989b
sys/types.h rather than sys/param.h, where applicable. avoid overreach.
10 years ago
deraadt
d1fde0ca73
sort includes much more sensibly
10 years ago
deraadt
55d6095cc3
limits.h rather than sys/param.h
10 years ago
deraadt
b3e0f519ff
re-init and init code paths are now more shared, so the getpid()-based
portable code path must handle that; with brent cook
10 years ago
deraadt
df559b50e4
extra evil spaces snuck in over the last while
10 years ago
otto
08ecfcb5b8
Move to a smaller rbytes buffer and skip a random part. Not to
improve the random stream itself (it doesn't), but to introduce
noise in the arc4random calling pattern. Thanks to matthew@ who
pointed out bias in a previous diff, ok deraadt@ matthew@
10 years ago
deraadt
b6b255face
Add back an #ifndef MAP_INHERIT_ZERO chunk to support the old getpid()
mechanism, to aid in portability to other systems as requested.
ok matthew
10 years ago
deraadt
0dedf80951
fix HD() misuse; from brent cook
10 years ago
beck
344e312a56
AT_BASE returns us the *address* of the start of ld.so, so
use the address, not what it points to (which is always the same)
ok deraadt@
10 years ago
beck
aed4dc98fb
get the page of data at AT_SYSINFO_EHDR
ok deraadt@
10 years ago
beck
802d41544e
comment fixes from theo
10 years ago
beck
eaa7e91438
Possibly obtain a little bit of entropy from addresses returned
by getauxval if we have it.
ok deraadt@
10 years ago
beck
839b9ab79f
O_NOFOLLOW would be very nice to have here if the version of linux
we are running supports it.
from enh@google.com
10 years ago
deraadt
db13a3eef8
document why we explicit_bzero
10 years ago
miod
d97cb916df
Remove BIO_f_reliable(), guilty of playing with EVP_MD_CTX internals it
should not know anything about. Verified not to be used in ports; riding upon
the recent libcrypto major bump.
10 years ago
jsing
572e20b3b3
Crank libcrypto major since my previous commit changed the size of the
ChaCha context. Other changes will also ride this crank.
10 years ago
beck
dca54ba442
unbreak build of getentropy_sysctl - we need linux/sysctl.h, and
RANDOM_UUID is an enum member.
10 years ago
beck
13d2b96f86
unbreak - main needs to be extern in here somewhere.
10 years ago
deraadt
40d09112d0
repair indentation for an inner loop; shorten some macros and variable
names to shorten line lengths
ok beck
10 years ago
tedu
f0d4f91f14
loosen the spec for timingsafe functions slightly, so as to not
artificially constrain alternative implementations. ok deraadt
10 years ago
matthew
f198222e04
Protect explicit_bzero() from link-time optimization
Modern compiler toolchains are capable of optimizing even across
translation unit boundaries, so simply moving the memory clearing into
a separate function is not guaranteed to clear memory.
To avoid this, we take advantage of ELF weak symbol semantics, and
insert a call to an empty, weakly named function. The semantics of
calling this function aren't determinable until load time, so the
compiler and linker need to keep the memset() call.
There are still ways a toolchain might defeat this trick (e.g.,
optimistically expecting the weak symbol to not be overloaded, and
only calling memset() if it is; promoting weak symbols to strong
symbols at link-time when emitting a static binary because they won't
be interposed; implementing load-time optimizations). But at least
for the foreseeable future, these seem unlikely.
ok deraadt
10 years ago
deraadt
7eb671100b
hash in correct pointer
10 years ago
beck
ac370875b0
KNF
10 years ago
deraadt
8f4e03ef5a
indent
10 years ago
otto
1878cbb6e4
rearrange so that the main function with the important comments is at the top
ok deraadt@ beck@
10 years ago
beck
a1d1946997
Work in progress on how to deal with the inherit unreliability of
/dev/urandom. Does well in the fallback case. Get it in tree so
it can be worked on.
ok otto@ deraadt@
10 years ago
matthew
16792c29e6
arc4random: hard fail with raise(SIGKILL) if getentropy() returns -1
Allow other non-zero return values in case we change our mind to
return an ssize_t byte count instead of simple success/fail.
ok deraadt, djm
10 years ago
matthew
5374ff9a6b
Move rs_chacha and rs_buf into the same memory page and don't mark it
MAP_INHERIT_ZERO anymore. This restores arc4random's previous
behavior where fork children would mix in some randomness from the
parent process.
New behavior noticed by deraadt
ok deraadt, tedu
10 years ago
kettenis
32ba0b02ca
Always call atexit handlers as if they were registered with __cxa_atexit.
The extra argument doesn't hurt genuine atexit handlers and this fixes a
bug where we didn't provide the argument (effectively passing garbage) for
functions registered with __cxa_atexit in the main executable.
Pointed out by Dmitriy Ivanov <dimitry@google.com> and Elliott Hughes
<enh@google.com>.
ok matthew@
10 years ago