about summary refs log tree commit diff
path: root/stdlib/arc4random.c
diff options
context:
space:
mode:
Diffstat (limited to 'stdlib/arc4random.c')
-rw-r--r--stdlib/arc4random.c196
1 files changed, 45 insertions, 151 deletions
diff --git a/stdlib/arc4random.c b/stdlib/arc4random.c
index 65547e79aa..e417ef624d 100644
--- a/stdlib/arc4random.c
+++ b/stdlib/arc4random.c
@@ -1,4 +1,4 @@
-/* Pseudo Random Number Generator based on ChaCha20.
+/* Pseudo Random Number Generator
    Copyright (C) 2022 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -16,7 +16,6 @@
    License along with the GNU C Library; if not, see
    <https://www.gnu.org/licenses/>.  */
 
-#include <arc4random.h>
 #include <errno.h>
 #include <not-cancel.h>
 #include <stdio.h>
@@ -24,53 +23,6 @@
 #include <sys/mman.h>
 #include <sys/param.h>
 #include <sys/random.h>
-#include <tls-internal.h>
-
-/* arc4random keeps two counters: 'have' is the current valid bytes not yet
-   consumed in 'buf' while 'count' is the maximum number of bytes until a
-   reseed.
-
-   Both the initial seed and reseed try to obtain entropy from the kernel
-   and abort the process if none could be obtained.
-
-   The state 'buf' improves the usage of the cipher calls, allowing to call
-   optimized implementations (if the architecture provides it) and minimize
-   function call overhead.  */
-
-#include <chacha20.c>
-
-/* Called from the fork function to reset the state.  */
-void
-__arc4random_fork_subprocess (void)
-{
-  struct arc4random_state_t *state = __glibc_tls_internal ()->rand_state;
-  if (state != NULL)
-    {
-      explicit_bzero (state, sizeof (*state));
-      /* Force key init.  */
-      state->count = -1;
-    }
-}
-
-/* Return the current thread random state or try to create one if there is
-   none available.  In the case malloc can not allocate a state, arc4random
-   will try to get entropy with arc4random_getentropy.  */
-static struct arc4random_state_t *
-arc4random_get_state (void)
-{
-  struct arc4random_state_t *state = __glibc_tls_internal ()->rand_state;
-  if (state == NULL)
-    {
-      state = malloc (sizeof (struct arc4random_state_t));
-      if (state != NULL)
-	{
-	  /* Force key initialization on first call.  */
-	  state->count = -1;
-	  __glibc_tls_internal ()->rand_state = state;
-	}
-    }
-  return state;
-}
 
 static void
 arc4random_getrandom_failure (void)
@@ -78,106 +30,63 @@ arc4random_getrandom_failure (void)
   __libc_fatal ("Fatal glibc error: cannot get entropy for arc4random\n");
 }
 
-static void
-arc4random_rekey (struct arc4random_state_t *state, uint8_t *rnd, size_t rndlen)
+void
+__arc4random_buf (void *p, size_t n)
 {
-  chacha20_crypt (state->ctx, state->buf, state->buf, sizeof state->buf);
-
-  /* Mix optional user provided data.  */
-  if (rnd != NULL)
-    {
-      size_t m = MIN (rndlen, CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE);
-      for (size_t i = 0; i < m; i++)
-	state->buf[i] ^= rnd[i];
-    }
-
-  /* Immediately reinit for backtracking resistance.  */
-  chacha20_init (state->ctx, state->buf, state->buf + CHACHA20_KEY_SIZE);
-  explicit_bzero (state->buf, CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE);
-  state->have = sizeof (state->buf) - (CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE);
-}
+  static int seen_initialized;
+  size_t l;
+  int fd;
 
-static void
-arc4random_getentropy (void *rnd, size_t len)
-{
-  if (__getrandom_nocancel (rnd, len, GRND_NONBLOCK) == len)
+  if (n == 0)
     return;
 
-  int fd = TEMP_FAILURE_RETRY (__open64_nocancel ("/dev/urandom",
-						  O_RDONLY | O_CLOEXEC));
-  if (fd != -1)
+  for (;;)
     {
-      uint8_t *p = rnd;
-      uint8_t *end = p + len;
-      do
+      l = TEMP_FAILURE_RETRY (__getrandom_nocancel (p, n, 0));
+      if (l > 0)
 	{
-	  ssize_t ret = TEMP_FAILURE_RETRY (__read_nocancel (fd, p, end - p));
-	  if (ret <= 0)
-	    arc4random_getrandom_failure ();
-	  p += ret;
+	  if ((size_t) l == n)
+	    return; /* Done reading, success.  */
+	  p = (uint8_t *) p + l;
+	  n -= l;
+	  continue; /* Interrupted by a signal; keep going.  */
 	}
-      while (p < end);
-
-      if (__close_nocancel (fd) == 0)
-	return;
+      else if (l < 0 && errno == ENOSYS)
+	break; /* No syscall, so fallback to /dev/urandom.  */
+      arc4random_getrandom_failure ();
     }
-  arc4random_getrandom_failure ();
-}
 
-/* Check if the thread context STATE should be reseed with kernel entropy
-   depending of requested LEN bytes.  If there is less than requested,
-   the state is either initialized or reseeded, otherwise the internal
-   counter subtract the requested length.  */
-static void
-arc4random_check_stir (struct arc4random_state_t *state, size_t len)
-{
-  if (state->count <= len || state->count == -1)
+  if (atomic_load_relaxed (&seen_initialized) == 0)
     {
-      uint8_t rnd[CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE];
-      arc4random_getentropy (rnd, sizeof rnd);
-
-      if (state->count == -1)
-	chacha20_init (state->ctx, rnd, rnd + CHACHA20_KEY_SIZE);
-      else
-	arc4random_rekey (state, rnd, sizeof rnd);
-
-      explicit_bzero (rnd, sizeof rnd);
-
-      /* Invalidate the buf.  */
-      state->have = 0;
-      memset (state->buf, 0, sizeof state->buf);
-      state->count = CHACHA20_RESEED_SIZE;
+      /* Poll /dev/random as an approximation of RNG initialization.  */
+      struct pollfd pfd = { .events = POLLIN };
+      pfd.fd = TEMP_FAILURE_RETRY (
+	  __open64_nocancel ("/dev/random", O_RDONLY | O_CLOEXEC | O_NOCTTY));
+      if (pfd.fd < 0)
+	arc4random_getrandom_failure ();
+      if (TEMP_FAILURE_RETRY (__poll_infinity_nocancel (&pfd, 1)) < 0)
+	arc4random_getrandom_failure ();
+      if (__close_nocancel (pfd.fd) < 0)
+	arc4random_getrandom_failure ();
+      atomic_store_relaxed (&seen_initialized, 1);
     }
-  else
-    state->count -= len;
-}
 
-void
-__arc4random_buf (void *buffer, size_t len)
-{
-  struct arc4random_state_t *state = arc4random_get_state ();
-  if (__glibc_unlikely (state == NULL))
-    {
-      arc4random_getentropy (buffer, len);
-      return;
-    }
-
-  arc4random_check_stir (state, len);
-  while (len > 0)
+  fd = TEMP_FAILURE_RETRY (
+      __open64_nocancel ("/dev/urandom", O_RDONLY | O_CLOEXEC | O_NOCTTY));
+  if (fd < 0)
+    arc4random_getrandom_failure ();
+  for (;;)
     {
-      if (state->have > 0)
-	{
-	  size_t m = MIN (len, state->have);
-	  uint8_t *ks = state->buf + sizeof (state->buf) - state->have;
-	  memcpy (buffer, ks, m);
-	  explicit_bzero (ks, m);
-	  buffer += m;
-	  len -= m;
-	  state->have -= m;
-	}
-      if (state->have == 0)
-	arc4random_rekey (state, NULL, 0);
+      l = TEMP_FAILURE_RETRY (__read_nocancel (fd, p, n));
+      if (l <= 0)
+	arc4random_getrandom_failure ();
+      if ((size_t) l == n)
+	break; /* Done reading, success.  */
+      p = (uint8_t *) p + l;
+      n -= l;
     }
+  if (__close_nocancel (fd) < 0)
+    arc4random_getrandom_failure ();
 }
 libc_hidden_def (__arc4random_buf)
 weak_alias (__arc4random_buf, arc4random_buf)
@@ -186,22 +95,7 @@ uint32_t
 __arc4random (void)
 {
   uint32_t r;
-
-  struct arc4random_state_t *state = arc4random_get_state ();
-  if (__glibc_unlikely (state == NULL))
-    {
-      arc4random_getentropy (&r, sizeof (uint32_t));
-      return r;
-    }
-
-  arc4random_check_stir (state, sizeof (uint32_t));
-  if (state->have < sizeof (uint32_t))
-    arc4random_rekey (state, NULL, 0);
-  uint8_t *ks = state->buf + sizeof (state->buf) - state->have;
-  memcpy (&r, ks, sizeof (uint32_t));
-  memset (ks, 0, sizeof (uint32_t));
-  state->have -= sizeof (uint32_t);
-
+  __arc4random_buf (&r, sizeof (r));
   return r;
 }
 libc_hidden_def (__arc4random)