include: ssp: fortify <stdlib.h>

The immediately obvious and attractive targets from <stdlib.h> are
arc4random_buf(3) and realpath(3) -- scraping the header didn't reveal
much else of interest.

Rev

include: ssp: fortify <stdlib.h>

The immediately obvious and attractive targets from <stdlib.h> are
arc4random_buf(3) and realpath(3) -- scraping the header didn't reveal
much else of interest.

Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45681

show more ...

libc: Purge unneeded cdefs.h

These sys/cdefs.h are not needed. Purge them. They are mostly left-over
from the $FreeBSD$ removal. A few in libc are still required for macros
that cdefs.h defines. Kee

libc: Purge unneeded cdefs.h

These sys/cdefs.h are not needed. Purge them. They are mostly left-over
from the $FreeBSD$ removal. A few in libc are still required for macros
that cdefs.h defines. Keep those.

Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D42385

show more ...

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

arc4random(3): Reduce diff with OpenBSD.

The main change was v1.57 by djm@:

Randomise the rekey interval a little. Previously, the chacha20
instance would be rekeyed every 1.6MB. This makes it

arc4random(3): Reduce diff with OpenBSD.

The main change was v1.57 by djm@:

Randomise the rekey interval a little. Previously, the chacha20
instance would be rekeyed every 1.6MB. This makes it happen at a
random point somewhere in the 1-2MB range.

Reviewed by: csprng (markm, cem)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D36088

show more ...

Fix building on Linux/macOS after r366622

We have to bootstrap arc4random.c, so guard the FenestrasX code to avoid
using it on Linux/macOS.

Reviewed By: cem
Differential Revision: https://reviews.f

Fix building on Linux/macOS after r366622

We have to bootstrap arc4random.c, so guard the FenestrasX code to avoid
using it on Linux/macOS.

Reviewed By: cem
Differential Revision: https://reviews.freebsd.org/D26738

show more ...

random(4) FenestrasX: Push root seed version to arc4random(3)

Push the root seed version to userspace through the VDSO page, if
the RANDOM_FENESTRASX algorithm is enabled. Otherwise, there is no
fu

random(4) FenestrasX: Push root seed version to arc4random(3)

Push the root seed version to userspace through the VDSO page, if
the RANDOM_FENESTRASX algorithm is enabled. Otherwise, there is no
functional change. The mechanism can be disabled with
debug.fxrng_vdso_enable=0.

arc4random(3) obtains a pointer to the root seed version published by
the kernel in the shared page at allocation time. Like arc4random(9),
it maintains its own per-process copy of the seed version corresponding
to the root seed version at the time it last rekeyed. On read requests,
the process seed version is compared with the version published in the
shared page; if they do not match, arc4random(3) reseeds from the
kernel before providing generated output.

This change does not implement the FenestrasX concept of PCPU userspace
generators seeded from a per-process base generator. That change is
left for future discussion/work.

Reviewed by: kib (previous version)
Approved by: csprng (me -- only touching FXRNG here)
Differential Revision: https://reviews.freebsd.org/D22839

show more ...

Sync with OpenBSD:

arc4random.c: In the incredibly unbelievable circumstance where
_rs_init() fails to allocate pages, don't call abort() because of
corefile data leakage concerns, but simply _exit(

Sync with OpenBSD:

arc4random.c: In the incredibly unbelievable circumstance where
_rs_init() fails to allocate pages, don't call abort() because of
corefile data leakage concerns, but simply _exit(). The reasoning
is _rs_init() will only fail if someone finds a way to apply
specific pressure against this failure point, for the purpose of
leaking information into a core which they can read. We don't
need a corefile in this instance to debug that. So take this
"lever" away from whoever in the future wants to do that.

arc4random.3: reference random(4)

arc4random_uniform.c: include stdint.h over sys/types.h

show more ...

Merge ^/head r339015 through r339669.

Embedded chacha: Distinguish via dedicated macro

Set embedding expectations via CHACHA_EMBED macro rather than _KERNEL
definition.

No functional change.

Sponsored by: Dell EMC Isilon

Merge ^/head r338026 through r338297, and resolve conflicts.

Merge ^/head r337646 through r338014.

include: ssp: fortify <stdlib.h>

The immediately obvious and attractive targets from <stdlib.h> are
arc4random_buf(3) and realpath(3) -- scraping the header didn't reveal
much else of interest.

Rev

include: ssp: fortify <stdlib.h>

The immediately obvious and attractive targets from <stdlib.h> are
arc4random_buf(3) and realpath(3) -- scraping the header didn't reveal
much else of interest.

Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45681

show more ...

libc: Purge unneeded cdefs.h

These sys/cdefs.h are not needed. Purge them. They are mostly left-over
from the $FreeBSD$ removal. A few in libc are still required for macros
that cdefs.h defines. Kee

libc: Purge unneeded cdefs.h

These sys/cdefs.h are not needed. Purge them. They are mostly left-over
from the $FreeBSD$ removal. A few in libc are still required for macros
that cdefs.h defines. Keep those.

Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D42385

show more ...

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

arc4random(3): Reduce diff with OpenBSD.

The main change was v1.57 by djm@:

Randomise the rekey interval a little. Previously, the chacha20
instance would be rekeyed every 1.6MB. This makes it

arc4random(3): Reduce diff with OpenBSD.

The main change was v1.57 by djm@:

Randomise the rekey interval a little. Previously, the chacha20
instance would be rekeyed every 1.6MB. This makes it happen at a
random point somewhere in the 1-2MB range.

Reviewed by: csprng (markm, cem)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D36088

show more ...

Fix building on Linux/macOS after r366622

We have to bootstrap arc4random.c, so guard the FenestrasX code to avoid
using it on Linux/macOS.

Reviewed By: cem
Differential Revision: https://reviews.f

Fix building on Linux/macOS after r366622

We have to bootstrap arc4random.c, so guard the FenestrasX code to avoid
using it on Linux/macOS.

Reviewed By: cem
Differential Revision: https://reviews.freebsd.org/D26738

show more ...

random(4) FenestrasX: Push root seed version to arc4random(3)

Push the root seed version to userspace through the VDSO page, if
the RANDOM_FENESTRASX algorithm is enabled. Otherwise, there is no
fu

random(4) FenestrasX: Push root seed version to arc4random(3)

Push the root seed version to userspace through the VDSO page, if
the RANDOM_FENESTRASX algorithm is enabled. Otherwise, there is no
functional change. The mechanism can be disabled with
debug.fxrng_vdso_enable=0.

arc4random(3) obtains a pointer to the root seed version published by
the kernel in the shared page at allocation time. Like arc4random(9),
it maintains its own per-process copy of the seed version corresponding
to the root seed version at the time it last rekeyed. On read requests,
the process seed version is compared with the version published in the
shared page; if they do not match, arc4random(3) reseeds from the
kernel before providing generated output.

This change does not implement the FenestrasX concept of PCPU userspace
generators seeded from a per-process base generator. That change is
left for future discussion/work.

Reviewed by: kib (previous version)
Approved by: csprng (me -- only touching FXRNG here)
Differential Revision: https://reviews.freebsd.org/D22839

show more ...

Sync with OpenBSD:

arc4random.c: In the incredibly unbelievable circumstance where
_rs_init() fails to allocate pages, don't call abort() because of
corefile data leakage concerns, but simply _exit(

Sync with OpenBSD:

arc4random.c: In the incredibly unbelievable circumstance where
_rs_init() fails to allocate pages, don't call abort() because of
corefile data leakage concerns, but simply _exit(). The reasoning
is _rs_init() will only fail if someone finds a way to apply
specific pressure against this failure point, for the purpose of
leaking information into a core which they can read. We don't
need a corefile in this instance to debug that. So take this
"lever" away from whoever in the future wants to do that.

arc4random.3: reference random(4)

arc4random_uniform.c: include stdint.h over sys/types.h

show more ...

Merge ^/head r339015 through r339669.

Embedded chacha: Distinguish via dedicated macro

Set embedding expectations via CHACHA_EMBED macro rather than _KERNEL
definition.

No functional change.

Sponsored by: Dell EMC Isilon

Merge ^/head r338026 through r338297, and resolve conflicts.

Merge ^/head r337646 through r338014.

Update userland arc4random() with OpenBSD's Chacha20 based arc4random().

ObsoleteFiles.inc:

Remove manual pages for arc4random_addrandom(3) and
arc4random_stir(3).

contrib/ntp/lib/isc/

Update userland arc4random() with OpenBSD's Chacha20 based arc4random().

ObsoleteFiles.inc:

Remove manual pages for arc4random_addrandom(3) and
arc4random_stir(3).

contrib/ntp/lib/isc/random.c:
contrib/ntp/sntp/libevent/evutil_rand.c:

Eliminate in-tree usage of arc4random_addrandom().

crypto/heimdal/lib/roken/rand.c:
crypto/openssh/config.h:

Eliminate in-tree usage of arc4random_stir().

include/stdlib.h:

Remove arc4random_stir() and arc4random_addrandom() prototypes,
provide temporary shims for transistion period.

lib/libc/gen/Makefile.inc:

Hook arc4random-compat.c to build, add hint for Chacha20 source for
kernel, and remove arc4random_addrandom(3) and arc4random_stir(3)
links.

lib/libc/gen/arc4random.c:

Adopt OpenBSD arc4random.c,v 1.54 with bare minimum changes, use the
sys/crypto/chacha20 implementation of keystream.

lib/libc/gen/Symbol.map:

Remove arc4random_stir and arc4random_addrandom interfaces.

lib/libc/gen/arc4random.h:

Adopt OpenBSD arc4random.h,v 1.4 but provide _ARC4_LOCK of our own.

lib/libc/gen/arc4random.3:

Adopt OpenBSD arc4random.3,v 1.35 but keep FreeBSD r114444 and
r118247.

lib/libc/gen/arc4random-compat.c:

Compatibility shims for arc4random_stir and arc4random_addrandom
functions to preserve ABI. Log once when called but do nothing
otherwise.

lib/libc/gen/getentropy.c:
lib/libc/include/libc_private.h:

Fold __arc4_sysctl into getentropy.c (renamed to arnd_sysctl).
Remove from libc_private.h as a result.

sys/crypto/chacha20/chacha.c:
sys/crypto/chacha20/chacha.h:

Make it possible to use the kernel implementation in libc.

PR: 182610
Reviewed by: cem, markm
Obtained from: OpenBSD
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D16760

show more ...

Split arc4random_uniform into it's own file and sync with OpenBSD.

PR: 182610
Obtained from: OpenBSD
MFC after: 2 weeks

getentropy(3): Fallback to kern.arandom sysctl on older kernels

On older kernels, when userspace program disables SIGSYS, catch ENOSYS and
emulate getrandom(2) syscall with the kern.arandom sysctl (

getentropy(3): Fallback to kern.arandom sysctl on older kernels

On older kernels, when userspace program disables SIGSYS, catch ENOSYS and
emulate getrandom(2) syscall with the kern.arandom sysctl (via existing
arc4_sysctl wrapper).

Special care is taken to faithfully emulate EFAULT on NULL pointers, because
sysctl(3) as used by kern.arandom ignores NULL oldp. (This was caught by
getentropy(3) ATF tests.)

Reported by: kib
Reviewed by: kib
Discussed with: delphij
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D14785

show more ...