From: Ondřej Surý Date: Mon, 25 Aug 2025 17:02:54 +0000 (+0200) Subject: Use arc4random for CSPRNG when available X-Git-Tag: v9.21.14~5^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4db9e5d90e290f77718f8e1e0a64c3e1a8fe34f9;p=thirdparty%2Fbind9.git Use arc4random for CSPRNG when available Use arc4random on platforms where available. arc4random() provides high quality cryptographically-secure pseudo-random numbers and is generally recommended for application use. The uv_random() call unfortunately uses getentropy() on platforms like MacOS, OpenBSD or NetBSD which is not recommended for application use. --- diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c deleted file mode 100644 index a037960bd18..00000000000 --- a/lib/isc/entropy.c +++ /dev/null @@ -1,24 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#include -#include -#include -#include - -void -isc_entropy_get(void *buf, size_t buflen) { - int r = uv_random(NULL, NULL, buf, buflen, 0, NULL); - - UV_RUNTIME_CHECK(uv_random, r); -} diff --git a/lib/isc/hash.c b/lib/isc/hash.c index 387e2373cd1..49b942ef5bc 100644 --- a/lib/isc/hash.c +++ b/lib/isc/hash.c @@ -16,7 +16,6 @@ #include #include -#include #include /* IWYU pragma: keep */ #include #include @@ -35,7 +34,7 @@ isc__hash_initialize(void) { */ uint8_t key[16] = { 1 }; #if !FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION - isc_entropy_get(key, sizeof(key)); + isc_random_buf(key, sizeof(key)); #endif /* if FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */ STATIC_ASSERT(sizeof(key) >= sizeof(isc_hash_key), "sizeof(key) < sizeof(isc_hash_key)"); 
diff --git a/lib/isc/hashmap.c b/lib/isc/hashmap.c index d8c2bd58ae7..87b1a3f21a3 100644 --- a/lib/isc/hashmap.c +++ b/lib/isc/hashmap.c @@ -32,7 +32,6 @@ #include #include -#include #include #include #include diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h deleted file mode 100644 index 81c2ed7cac4..00000000000 --- a/lib/isc/include/isc/entropy.h +++ /dev/null @@ -1,29 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#pragma once - -#include - -/*! \file isc/entropy.h - * \brief Implements wrapper around CSPRNG cryptographic library calls - * for getting cryptographically secure pseudo-random numbers. - * - * Uses synchronous version of uv_random(). - */ - -void -isc_entropy_get(void *buf, size_t buflen); -/*!< - * \brief Get cryptographically-secure pseudo-random data. - */ diff --git a/lib/isc/include/isc/nonce.h b/lib/isc/include/isc/nonce.h index ce15b7e12a2..b61270bd825 100644 --- a/lib/isc/include/isc/nonce.h +++ b/lib/isc/include/isc/nonce.h @@ -15,12 +15,16 @@ #include +#include + /*! \file isc/nonce.h * \brief Provides a function for generating an arbitrarily long nonce. */ -void -isc_nonce_buf(void *buf, size_t buflen); +static inline void +isc_nonce_buf(void *buf, size_t buflen) { + isc_random_buf(buf, buflen); +} /*!< * Fill 'buf', up to 'buflen' bytes, with random data from the * crypto provider's random function. diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h index f7638905c1f..efee399095e 100644 --- a/lib/isc/include/isc/random.h +++ b/lib/isc/include/isc/random.h 
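Review bot: The doc comment kept under the new inline `isc_nonce_buf()` in lib/isc/include/isc/nonce.h still says the bytes come from "the crypto provider's random function", which no longer matches the body. The function now forwards to `isc_random_buf()`, which this commit backs with `arc4random_buf()` or `uv_random()` depending on the platform. Reword it along the lines of `Fill 'buf' with 'buflen' bytes from the platform CSPRNG via isc_random_buf().` so anyone auditing nonce generation is pointed at the real source. The remainder of that comment lies outside the hunk.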
@@ -24,18 +24,11 @@ * */ -uint8_t -isc_random8(void); -/*!< - * \brief Returns a single 8-bit random value. - */ - -uint16_t -isc_random16(void); -/*!< - * \brief Returns a single 16-bit random value. - */ - +#if HAVE_ARC4RANDOM && !defined(__linux__) +#define isc_random32() arc4random() +#define isc_random_buf(buf, buflen) arc4random_buf(buf, buflen) +#define isc_random_uniform(upper_bound) arc4random_uniform(upper_bound) +#else /* HAVE_ARC4RANDOM && !defined(__linux__) */ uint32_t isc_random32(void); /*!< @@ -64,3 +57,21 @@ isc_random_uniform(uint32_t upper_bound); * resample is very small when the upper_bound is small, rising to 0.5 * when upper_bound is UINT32_MAX/2. */ + +#endif /* HAVE_ARC4RANDOM && !defined(__linux__) */ + +static inline uint8_t +isc_random8(void) { + return (uint8_t)isc_random32(); +} +/*!< + * \brief Returns a single 8-bit random value. + */ + +static inline uint16_t +isc_random16(void) { + return (uint16_t)isc_random32(); +} +/*!< + * \brief Returns a single 16-bit random value. + */ diff --git a/lib/isc/meson.build b/lib/isc/meson.build index 0e8e9cf0b34..d4db21672e3 100644 --- a/lib/isc/meson.build +++ b/lib/isc/meson.build @@ -77,7 +77,6 @@ isc_srcset.add( 'counter.c', 'crypto.c', 'dir.c', - 'entropy.c', 'errno.c', 'errno2result.c', 'error.c', @@ -106,7 +105,6 @@ isc_srcset.add( 'net.c', 'netaddr.c', 'netscope.c', - 'nonce.c', 'openssl_shim.c', 'os.c', 'parseint.c', diff --git a/lib/isc/nonce.c b/lib/isc/nonce.c deleted file mode 100644 index 316498a6136..00000000000 --- a/lib/isc/nonce.c +++ /dev/null 
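Review bot: On platforms that take the `#if HAVE_ARC4RANDOM && !defined(__linux__)` branch, `isc_random32()` expands straight to `arc4random()`, so the fixed number stream that lib/isc/random.c returns under `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` is compiled out and fuzzing builds there lose reproducibility. If that is not intended, extend the condition to `#if HAVE_ARC4RANDOM && !defined(__linux__) && !FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` and mirror it in the guard at the top of random.c. The Linux exclusion is also unexplained in the header; a one-line comment giving the reason would keep a later cleanup from removing it.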
@@ -1,20 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#include -#include - -void -isc_nonce_buf(void *buf, size_t buflen) { - isc_entropy_get(buf, buflen); -} diff --git a/lib/isc/random.c b/lib/isc/random.c index 666975c119e..1367fd5a121 100644 --- a/lib/isc/random.c +++ b/lib/isc/random.c @@ -30,22 +30,24 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#if !HAVE_ARC4RANDOM || defined(__linux__) + #include #include -#include #include #include #include #include +#include #define ISC_RANDOM_BUFSIZE (ISC_OS_CACHELINE_SIZE / sizeof(uint32_t)) thread_local static uint32_t isc__random_pool[ISC_RANDOM_BUFSIZE]; thread_local static size_t isc__random_pos = ISC_RANDOM_BUFSIZE; -static uint32_t -random_u32(void) { +uint32_t +isc_random32(void) { #if FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION /* * A fixed stream of numbers helps with problem reproduction when @@ -56,28 +58,13 @@ random_u32(void) { #endif /* if FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */ if (isc__random_pos == ISC_RANDOM_BUFSIZE) { - isc_entropy_get(isc__random_pool, sizeof(isc__random_pool)); + isc_random_buf(isc__random_pool, sizeof(isc__random_pool)); isc__random_pos = 0; } return isc__random_pool[isc__random_pos++]; } -uint8_t -isc_random8(void) { - return (uint8_t)random_u32(); -} - -uint16_t -isc_random16(void) { - return (uint16_t)random_u32(); -} - -uint32_t -isc_random32(void) { - return random_u32(); -} - void isc_random_buf(void *buf, size_t buflen) { REQUIRE(buflen == 0 || buf != NULL); 
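Review bot: The refill `isc_random_buf(isc__random_pool, sizeof(isc__random_pool));` in lib/isc/random.c leaves up to a cache line of not-yet-returned values in the thread-local pool, and nothing in this hunk clears a slot after it is handed out or resets `isc__random_pos` in a forked child. On this fallback build, a process that forks after the first call could hand the same buffered values to parent and child, whereas the arc4random() build leaves fork handling to libc. Whether any caller forks that late is not visible here. Consider resetting `isc__random_pos = ISC_RANDOM_BUFSIZE` from an at-fork handler, or at least state the assumption on the pool, e.g. `/* Per-thread pool; assumes no fork() after first use. */`. isc_random32() begins in the previous hunk.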
@@ -86,7 +73,8 @@ isc_random_buf(void *buf, size_t buflen) { return; } - isc_entropy_get(buf, buflen); + int r = uv_random(NULL, NULL, buf, buflen, 0, NULL); + UV_RUNTIME_CHECK(uv_random, r); } uint32_t @@ -102,7 +90,7 @@ isc_random_uniform(uint32_t limit) { * integer part (upper 32 bits), and we will use the fraction part * (lower 32 bits) to determine whether or not we need to resample. */ - uint64_t num = (uint64_t)random_u32() * (uint64_t)limit; + uint64_t num = (uint64_t)isc_random32() * (uint64_t)limit; /* * In the fast path, we avoid doing a division in most cases by * comparing the fraction part of `num` with the limit, which is @@ -154,7 +142,7 @@ isc_random_uniform(uint32_t limit) { * our valid range, it is superfluous, and we resample. */ while ((uint32_t)(num) < residue) { - num = (uint64_t)random_u32() * (uint64_t)limit; + num = (uint64_t)isc_random32() * (uint64_t)limit; } } /* @@ -162,3 +150,5 @@ isc_random_uniform(uint32_t limit) { */ return (uint32_t)(num >> 32); } + +#endif /* HAVE_ARC4RANDOM && !defined(__linux__) */ diff --git a/meson.build b/meson.build index f614dfe4228..93223794577 100644 --- a/meson.build +++ b/meson.build @@ -519,6 +519,9 @@ foreach fn, header : { 'sched_getaffinity': '#include ', 'sched_yield': '#include ', + # CSPRNG + 'arc4random': '#include ', + # Misc. 'chroot': '#include ', 'clock_gettime': '#include ',
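Review bot: `isc_random_buf()` enforces `REQUIRE(buflen == 0 || buf != NULL)` and the early return above the `uv_random()` call only in this fallback definition. Where isc/random.h maps the name to `arc4random_buf(buf, buflen)` as a macro, neither check runs. A static inline wrapper in the header that keeps the `REQUIRE` and then calls `arc4random_buf()` would give both builds the same contract and keep the name usable as a function pointer. A short comment above `UV_RUNTIME_CHECK(uv_random, r);` saying that a CSPRNG failure is fatal rather than leaving `buf` unfilled would also help; that is presumably what the macro does, but its definition is not shown. The function starts before this hunk.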
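Review bot: The closing `#endif /* HAVE_ARC4RANDOM && !defined(__linux__) */` at the end of lib/isc/random.c names the opposite of the condition that opens the file, `#if !HAVE_ARC4RANDOM || defined(__linux__)`. Make the trailer match, `#endif /* !HAVE_ARC4RANDOM || defined(__linux__) */`, so it is clear that this translation unit is the non-arc4random fallback and compiles to nothing elsewhere.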
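Review bot: Only `arc4random` is probed in the top-level meson.build, yet isc/random.h also relies on `arc4random_buf()` and `arc4random_uniform()` once `HAVE_ARC4RANDOM` is set. A libc that ships the first without the others would fail at compile or link time instead of falling back to the uv_random() path. Either probe all three and gate the header macros on the combination, or record the assumption next to the entry, e.g. `# arc4random_buf and arc4random_uniform are assumed to ship with arc4random`. How the probe result becomes `HAVE_ARC4RANDOM` is outside this hunk.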