7dae1524 | 29-Aug-2024 | riastradh <riastradh@NetBSD.org>
arc4random(3): Pacify some of lint's complaints.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM fork

0d283a3a | 27-Aug-2024 | riastradh <riastradh@NetBSD.org>
arc4random(3): Add automatic tests.
This verifies that:
- arc4random zeroes its state and reseeds itself on fork
- arc4random reseeds itself on entropy consolidation (e.g., VM clone)
- arc4random falls back to global state if it can't allocate local state because address space limits cause mmap to fail
NOTE: This adds a new libc symbol __arc4random_global, but it's in the reserved namespace and only used by t_arc4random, so no libc minor bump.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM fork

d48e1013 | 26-Aug-2024 | riastradh <riastradh@NetBSD.org>
arc4random.c: Fix test program.
This isn't wired up anywhere, but let's reduce the bitrot. It was helpful in reminding me that kern.entropy.epoch was, for reasons I can't remember, restricted to privileged access.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM fork

2cb0850b | 26-Aug-2024 | riastradh <riastradh@NetBSD.org>
arc4random(3): Reseed if system entropy epoch changes.
This can happen, for example, if the system is a VM instance, and the VM is cloned.
This incurs the cost of a system call on every arc4random call, which is unfortunate, but
1. we don't currently have a (machine-independent) mechanism for exposing a read-only page to userland shared by the kernel to enable a cheaper access path to the entropy epoch; and
2. the algorithm here -- a simple application of ChaCha -- is likely also a bottleneck and could be much cheaper by
(a) using sys/crypto/chacha for machine-dependent vectorized ChaCha code, and
(b) filling a buffer (somewhere between a cipher block and a page) in a batch at a time, instead of running ChaCha to generate only 32 bytes at a time.
So although this might be a performance hit, the security benefit is worthwhile and we have a clear path to do better than reversing the performance hit later.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM fork

ace5b9b5 | 20-Jan-2024 | christos <christos@NetBSD.org>
Catch up with all the lint warnings since exit on warning was disabled. Disable 'missing header declaration' and 'nested extern' warnings for now.

388550b0 | 19-Apr-2022 | rillig <rillig@NetBSD.org>
lib: remove CONSTCOND comment
Since 2021-01-31, lint doesn't need it anymore for the common pattern of 'do ... while (0)'.

accd2f26 | 23-Sep-2019 | christos <christos@NetBSD.org>
lint is not smart enough to figure out that ilog2() is constant.

bec9c2fe | 25-Mar-2016 | riastradh <riastradh@NetBSD.org>
KNF

bcb8c68d | 13-May-2015 | justin <justin@NetBSD.org>
Missing MAP_PRIVATE on mmap

cc8a3a24 | 19-Mar-2015 | riastradh <riastradh@NetBSD.org>
Remove #ifdef MAP_INHERIT_ZERO.
This is essential for fork-safety, so don't merely #warn about it. Attaining fork-safety without it requires restructuring things -- in particular, there's no clear way to make it per-thread and fork-safe without some global list of states to zero on fork.

d8688883 | 21-Jan-2015 | riastradh <riastradh@NetBSD.org>
Use ChaCha20 here as advertised, not ChaCha8.
Oops.
Fortunately, there is no public cryptanalysis even of ChaCha8: the best published attack is on ChaCha7 with time complexity 2^248.

26ba8048 | 20-Jan-2015 | christos <christos@NetBSD.org>
Fix non _REENTRANT build.

0e26ad08 | 16-Nov-2014 | riastradh <riastradh@NetBSD.org>
Rewrite arc4random(3) with ChaCha20-based PRNG and per-thread state.
Explain the security model in the man page.
No more RC4!
XXX pullup to netbsd-6, netbsd-5

1ae59401 | 19-Jul-2014 | roy <roy@NetBSD.org>
Document that our use of pthread_mutex_unlock(3) is async-signal-safe and as such can be used in a pthread_atfork(3) child handler.

e7f11a1a | 12-Jun-2014 | apb <apb@NetBSD.org>
fix missing backslash in previous

bb0d3eec | 12-Jun-2014 | apb <apb@NetBSD.org>
Wrap complex macros in do { ... } while (0). Also replace the magic number 1600000 with a macro.

c7009a57 | 07-Jun-2014 | roy <roy@NetBSD.org>
Re-stir after forking, fixes PR lib/25367. Re-stir after consuming 1600000 bytes, fixes PR lib/45952.

b9ba1488 | 17-Oct-2013 | christos <christos@NetBSD.org>
remove always inline because new gcc bitches.

e2ff5b6f | 20-Aug-2012 | dsl <dsl@NetBSD.org>
I'm fairly sure the libc rules require that arc4random_addrandom, arc4random_buf, arc4random_stir and arc4random_uniform be weak.

75ea4d15 | 20-Aug-2012 | dsl <dsl@NetBSD.org>
arc4 is a random number sequence, there is no point using its own output values to determine a number of output values to skip. Skipping values on any possibly random event might be worthwhile, as might using the keying algorithm to stir in a possibly random value.

62af4c55 | 20-Aug-2012 | dsl <dsl@NetBSD.org>
Since 'rs' is statically initialised (not bss) its s[] might as well be compile-time initialised as well. arc4_init() is the same as arc4_stir(). Initialise rs.i to 0xff (not 0) so that the first key byte is processed with rs.i == 0 without the spurious rs.i-- in arc4_addrandom(). Remove the assignment rs.j = rs.i at the end of arc4_addrandom(), it isn't necessary and I can see no justification for it. Replace RSIZE with __arraycount(as->s), however it is manifestly 256 (more correctly the number of values in rs.i and rs.j).

6f85c323 | 18-Aug-2012 | dsl <dsl@NetBSD.org>
cache rs.i and rs.j in arc4random_buf() since the compiler can't be told that buf[] doesn't alias them. Reduces the number of instructions inside the loop. All the other functions are ok.

ad728d47 | 18-Aug-2012 | dsl <dsl@NetBSD.org>
Change the logic used for thread locking to make the code more readable. The effect on the object code is to replace a function call with a branch that will predict correctly in the non-threaded case. Minor optimise of some other paths.

d390b20f | 18-Aug-2012 | dsl <dsl@NetBSD.org>
Use an inline function to check for initialisation, and a non-inlined one to do the actual initialise. Fixes lib/46751 by removing all the replicated tests in each function.

160cd430 | 29-Jul-2012 | dsl <dsl@NetBSD.org>
Make this compile with the compiler I'm using. Move variable defs to top of function. Don't use const static mib[] - run time initialisation won't matter, and not using static data may actually help in a .so.