here could creates non-uniformity since very short fetches of 0 would
be excluded. blocks of 0 are just as random as any other data, including
blocks of 4 4 4.. This is a misguided attempt to identify errors from the
entropy churn/gather code doesn't make sense, errors don't happen.
ok bcook
use fallback mechanims if unsuccessful.
The design of Linux getrandom is broken. It has an
uninitialized phase coupled with blocking behaviour, which
is unacceptable from within a library at boot time without
possible recovery.
ok deraadt@ jsing@
In the event of a failure in _rs_allocate for rsx, we still have a reference to
freed memory for rs on return. Not a huge deal since we subsequently abort in
_rs_init, but it looks strange on its own.
ok deraadt@
For Windows, we are simply using calloc, which has two annoyances:
the memory has more permissions than needed by default, and it comes
from the process heap, which looks like a memory leak since this memory
is rightfully never freed.
This switches _rs_alloc on Windows to use VirtualAlloc, which restricts the
memory to READ|WRITE and keeps the memory out of the process heap.
ok deraadt@
Work around this particular case by reseeding whenever pid=1, but as guenther@
notes, directly calling clone(2), and then forking to match another pid,
provides other ways to bypass new process detection on Linux.
Hopefully at some point Linux implements something like MAP_INHERIT_ZERO, and
does not invent a corresponding mechanism to subvert it.
Noted by Sebastian Krahmer and the opmsg team.
See http://stealth.openwall.net/crypto/randup.c for a test program.
ok beck@
This only provides the sysctl wrapper in glibc, which we do not use and is not available in other libc implementations for Linux. Thanks to ncopa from github.
The latest NetBSD (6.1.5) arc4random does not appear to reseed the CRNG state
after a fork, so provide an override until the fork-safe version in CVS appears
in a release.
These are the same as the FreeBSD shims.
ok deraadt@
The FreeBSD-native arc4random_buf implementation falls back to weak sources of
entropy if the sysctl fails. Remove these dangerous fallbacks by overriding
locally.
Unfortunately, pthread_atfork() is also broken on FreeBSD (at least 9 and 10)
if a program does not link to -lthr. Callbacks registered with pthread_atfork()
simply fail silently. So, it is not always possible to detect a PID wraparound.
I wish we could do better.
This improves arc4random_buf's safety compared to the native FreeBSD
implementation.
Tested on FreeBSD 9 and 10.
This enables support for the new getrandom(2) syscall in Linux 3.17.
If the call exists and fails, return a failure in getentropy(2) emulation as
well. This adds a EINTR check in case the urandom pool is not initialized.
Tested on Fedora Rawhide with 3.17rc0 and Ubuntu 14.04
ok deraadt@
Move <sys/mman.h> and raise(SIGKILL) calls to OS-specific headers.
On OpenBSD, move thread_private.h as well to arc4random.h.
On Windows, use TerminateProcess on getentropy failure.
ok deraadt@
it shows up in libraries. Even the system call is probably not finalized.
Bit dissapointed it has turned out to be a descriptor-less read() with
EINVAL and EINTR error conditions, but we can work with it.
into one if a system has an awesome getentropy(). In that case it
is valid to totally throw away the rsx state in the child. If the
getentropy() is not very good and has a lazy reseed operation, this
combining is a bad idea, and the reseed should probably continue to
use the "something old, something new" mix. _rs_allocate() can
accomodate either method, but not on the fly.
ok matthew
1. Use "len" parameter instead of sizeof(*rs).
2. Simplify the atfork handler to be strictly async signal safe by
simply writing to a global volatile sig_atomic_t object, and then
checking for this in _rs_forkdetect(). (Idea from discussions with
Szabolcs Nagy and Rich Felker.)
3. Use memset(rs, 0, sizeof(*rs)) to match OpenBSD's MAP_INHERIT_ZERO
fork semantics to avoid any skew in behavior across platforms.
ok deraadt
into the hash; hoping the system has some ASLR or PIE. This replaces and
substantially improves upon &main which proved problematic with some picky
linkers.
Work with kettenis, testing by beck