For now... assume success of getentropy() just like we assumed success
of sysctl(). Mark it with XXX while we consider.

use getgentropy() call. If it fails, things are pretty bad --
call abort().
this direction discussed at length with miod beck tedu matthew etc

Delete the extraneous "return" statement at the end of a void function.
From Fritjof Bornebusch.

missing NULL checks to see if init is needed. found hard way by deraadt.

clear a stack buffer with explicit_bzero

move chacha context and buffer out of bss and allow mmap to place them
wherever it decides it would like them. first step. ok deraadt dlg djm

delete useless test code

Remove arc4random_stir() and arc4random_addrandom(), which none should
be using directly. Well, a few rare people cloned it upstream and it
will take a bit of time for them to learn.
ok various

replace rc4 with ChaCha20; inspired by Nick Mathewson's work on libottery;
feedback and ok djm@

spacing

Change arc4random_uniform() to calculate ``2**32 % upper_bound'' as
``-upper_bound % upper_bound''. Simplifies the code and makes it the
same on both ILP32 and LP64 architectures, and also slightly

Change arc4random_uniform() to calculate ``2**32 % upper_bound'' as
``-upper_bound % upper_bound''. Simplifies the code and makes it the
same on both ILP32 and LP64 architectures, and also slightly faster on
LP64 architectures by using a 32-bit remainder instead of a 64-bit
remainder.

Pointed out by Jorden Verwer on tech@
ok deraadt; no objections from djm or otto

show more ...

remove comment that hasn't been true for quite a while now;
ok deraadt@ djm@

No point in refreshing the pid from inside arc4_stir() when that
doesn't test it, so factor out the two places that test it into a
routine and do the refreshing there. With this, arch4random_buf()
d

No point in refreshing the pid from inside arc4_stir() when that
doesn't test it, so factor out the two places that test it into a
routine and do the refreshing there. With this, arch4random_buf()
doesn't trigger superfluous calls to getpid() when filling large
buffers.

ok deraadt@, "looks nicer indeed" otto@

show more ...

zap __arc4_getbyte(), it was only used by the old malloc; ok millert@
kurt@

fix math screwup that reintroduced a bias for upper_bounds in range
(2^30,2^31). Nothing in the tree yet requests random numbers bounded
by this range.

report jakob!deraadt; ok deraadt@

diff from djm@ committed at his request:

introduce two new APIs for requesting strong random numbers:

arc4random_buf() - fill an arbitrary memory range with random numbers

arc4random_uniform() - r

diff from djm@ committed at his request:

introduce two new APIs for requesting strong random numbers:

arc4random_buf() - fill an arbitrary memory range with random numbers

arc4random_uniform() - return a uniformly distributed random number
below
a specified upper bound, avoiding the bias that comes from a naive
"arc4random() % upper_bound" construction.

these mirror similarly-named functions in the kernel;
lots of discussion deraadt@ mcbride@

show more ...

- make arc4random*() functions thread safe. Use a custom spinlock function
instead of the generic pthread macros since free(3) uses __arc4_getbyte()
when freeing small sized allocations and the gener

- make arc4random*() functions thread safe. Use a custom spinlock function
instead of the generic pthread macros since free(3) uses __arc4_getbyte()
when freeing small sized allocations and the generic pthread macros call
malloc(3).
- eliminate passing pointers to a static variable with global scope (rs)
for additional code clarity and reduction.
- shlib minor bumps for libc and libpthread due to new functions.
From andreas@ with some bits from me. okay tedu@ marc@ w/some spot
checking from millert@

show more ...

provide an libc internal interface to get random bytes, to be used by malloc
to get random data without calling getpid(), ok millert@ deraadt@

Use sysctl(KERN_ARND) to get n bytes, instead of just 4 at a time
and remove fallback code. If somebody is dumb enough to make the
sysctl fail using systrace, he deserves what he gets. Saves 7 syscal

Use sysctl(KERN_ARND) to get n bytes, instead of just 4 at a time
and remove fallback code. If somebody is dumb enough to make the
sysctl fail using systrace, he deserves what he gets. Saves 7 syscalls
on process startup.
looks good miod@ ok deraadt@ tedu@

show more ...

Change email address for author, at his request.

Change license to standard OpenBSD boilerplate, with permission
from original author (David Mazieres)

use the new fat random sysctl to get initial state. (fallback to looping).
stir after eating 400000 words. ok + input deraadt

kill spaces

ok djm@

Discard first 256 bytes of keystream, as per recommendation in
"Weaknesses in the Key Scheduling Algorithm of RC4", Fluhrer, Mantin and
Shamir. ok itojun@

just use sysctl for stirring. thread safe and can't fail.
ok deraadt and co.