Prefer getrandom(3)/getentropy(3) over arc4random(3bsd)

arc4random(3) without kernel support is unsafe, as it can't know when to
drop the buffer.  Since we depend on libbsd since recently, we have
arc4random(3) functions always available, and thus, this code would have
always called arc4random_buf(3bsd), which is unsafe.  Put it after some
better alternatives, at least until in a decade or so all systems have a
recent enough glibc.

glibc implements arc4random(3) safely, since it's just a wrapper around
getrandom(2).

Link: <https://inbox.sourceware.org/libc-alpha/20220722122137.3270666-1-adhemerval.zanella@linaro.org/>
Link: <https://inbox.sourceware.org/libc-alpha/5c29df04-6283-9eee-6648-215b52cfa26b@cs.ucla.edu/T/>
Cc: Cristian Rodríguez <crrodriguez@opensuse.org>
Cc: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Cc: Guillem Jover <guillem@hadrons.org>
Cc: Björn Esser <besser82@fedoraproject.org>
Reviewed-by: "Jason A. Donenfeld" <Jason@zx2c4.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

diff --git a/libmisc/salt.c b/libmisc/salt.c
index 0aeff738b50c01f4e89732b34526200832d8726b..9c5ca006f4405d18518617660ce3a298ea599a89 100644 (file)
--- a/libmisc/salt.c
+++ b/libmisc/salt.c
@@ -114,12 +114,6 @@ static long read_random_bytes (void)
 {
        long randval = 0;
 
-#ifdef HAVE_ARC4RANDOM_BUF
-       /* arc4random_buf, if it exists, can never fail.  */
-       arc4random_buf (&randval, sizeof (randval));
-       goto end;
-#endif
-
 #ifdef HAVE_GETENTROPY
        /* getentropy may exist but lack kernel support.  */
        if (getentropy (&randval, sizeof (randval)) == 0) {
@@ -134,6 +128,12 @@ static long read_random_bytes (void)
        }
 #endif
 
+#ifdef HAVE_ARC4RANDOM_BUF
+       /* arc4random_buf, if it exists, can never fail.  */
+       arc4random_buf (&randval, sizeof (randval));
+       goto end;
+#endif
+
        /* Use /dev/urandom as a last resort.  */
        FILE *f = fopen ("/dev/urandom", "r");
        if (NULL == f) {