Replace read_random(9) with more appropriate arc4rand(9) KPIs

Reviewed by: ae, delphij Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D19760
2019-04-04 01:02:50 +00:00 · 2019-04-04 01:02:50 +00:00 · a8a16c7128
commit a8a16c7128
parent d9eb18ace9
8 changed files with 8 additions and 39 deletions
--- a/sys/cddl/contrib/opensolaris/uts/common/dtrace/dtrace.c
+++ b/sys/cddl/contrib/opensolaris/uts/common/dtrace/dtrace.c
@ -14631,7 +14631,7 @@ dtrace_state_create(struct cdev *dev, struct ucred *cred __unused)
 	 * SI_SUB_RANDOM < SI_SUB_DTRACE_ANON therefore entropy device is
         * assumed to be seeded at this point (if from Fortuna seed file).
 	 */
-	(void) read_random(&state->dts_rstate[0], 2 * sizeof(uint64_t));
+	arc4random_buf(&state->dts_rstate[0], 2 * sizeof(uint64_t));
 	for (cpu_it = 1; cpu_it < NCPU; cpu_it++) {
 		/*
 		 * Each CPU is assigned a 2^64 period, non-overlapping
--- a/sys/compat/linuxkpi/common/include/linux/etherdevice.h
+++ b/sys/compat/linuxkpi/common/include/linux/etherdevice.h
@ -108,8 +108,7 @@ eth_zero_addr(u8 *pa)
 static inline void
 random_ether_addr(u8 * dst)
 {
-	if (read_random(dst, 6) == 0)
-		arc4rand(dst, 6, 0);
+	arc4random_buf(dst, 6);

 	dst[0] &= 0xfe;
 	dst[0] |= 0x02;
--- a/sys/compat/linuxkpi/common/include/linux/random.h
+++ b/sys/compat/linuxkpi/common/include/linux/random.h
@ -39,8 +39,7 @@ static inline void
 get_random_bytes(void *buf, int nbytes)
 {

-	if (read_random(buf, nbytes) == 0)
-		arc4rand(buf, nbytes, 0);
+	arc4random_buf(buf, nbytes);
 }

 static inline u_int
--- a/sys/net/if_spppsubr.c
+++ b/sys/net/if_spppsubr.c
@ -4337,16 +4337,12 @@ sppp_chap_tld(struct sppp *sp)
 static void
 sppp_chap_scr(struct sppp *sp)
 {
-	u_long *ch, seed;
+	u_long *ch;
 	u_char clen;

 	/* Compute random challenge. */
 	ch = (u_long *)sp->myauth.challenge;
-	read_random(&seed, sizeof seed);
-	ch[0] = seed ^ random();
-	ch[1] = seed ^ random();
-	ch[2] = seed ^ random();
-	ch[3] = seed ^ random();
+	arc4random_buf(ch, 4 * sizeof(*ch));
 	clen = AUTHKEYLEN;

 	sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP];
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@ -4760,34 +4760,10 @@ key_random()
 {
 	u_long value;

-	key_randomfill(&value, sizeof(value));
+	arc4random_buf(&value, sizeof(value));
 	return value;
 }

-void
-key_randomfill(void *p, size_t l)
-{
-	size_t n;
-	u_long v;
-	static int warn = 1;
-
-	n = 0;
-	n = (size_t)read_random(p, (u_int)l);
-	/* last resort */
-	while (n < l) {
-		v = random();
-		bcopy(&v, (u_int8_t *)p + n,
-		    l - n < sizeof(v) ? l - n : sizeof(v));
-		n += sizeof(v);
-
-		if (warn) {
-			printf("WARNING: pseudo-random number generator "
-			    "used for IPsec processing\n");
-			warn = 0;
-		}
-	}
-}
-
 /*
 * map SADB_SATYPE_* to IPPROTO_*.
 * if satype == SADB_SATYPE then satype is mapped to ~0.
--- a/sys/netipsec/key.h
+++ b/sys/netipsec/key.h
@ -78,7 +78,6 @@ void key_unregister_ifnet(struct secpolicy **, u_int);
 void key_delete_xform(const struct xformsw *);

 extern u_long key_random(void);
-extern void key_randomfill(void *, size_t);
 extern void key_freereg(struct socket *);
 extern int key_parse(struct mbuf *, struct socket *);
 extern void key_init(void);
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@ -768,7 +768,7 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
 	 */
 	switch (sav->flags & SADB_X_EXT_PMASK) {
 	case SADB_X_EXT_PRAND:
-		(void) read_random(pad, padding - 2);
+		arc4random_buf(pad, padding - 2);
 		break;
 	case SADB_X_EXT_PZERO:
 		bzero(pad, padding - 2);
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@ -3207,7 +3207,7 @@ pf_tcp_iss(struct pf_pdesc *pd)
 	u_int32_t digest[4];

 	if (V_pf_tcp_secret_init == 0) {
-		read_random(&V_pf_tcp_secret, sizeof(V_pf_tcp_secret));
+		arc4random_buf(&V_pf_tcp_secret, sizeof(V_pf_tcp_secret));
 		MD5Init(&V_pf_tcp_secret_ctx);
 		MD5Update(&V_pf_tcp_secret_ctx, V_pf_tcp_secret,
 		    sizeof(V_pf_tcp_secret));