authorTheo de Raadt <deraadt@cvs.openbsd.org>2013-11-30 18:12:00 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2013-11-30 18:12:00 +0000
commit4ad92e8943e0a32aa0c5358cca55e59c020f033e (patch)
tree901a5aba1ce982955572faef88b5c853b909daf9 /kerberosV
parentf84de239fd962c57c180f09ae99518e3448c047d (diff)
use HAVE_ARC4RANDOM and choose to call arc4random() instead of srand()
and rand() and friends. being fed upstream by robert
Diffstat (limited to 'kerberosV')
-rw-r--r--kerberosV/src/appl/xnlock/xnlock.c8
-rw-r--r--kerberosV/src/kadmin/add-random-users.c8
-rw-r--r--kerberosV/src/kpasswd/kpasswd-generator.c13
-rw-r--r--kerberosV/src/kuser/generate-requests.c11
-rw-r--r--kerberosV/src/lib/hx509/softp11.c22
-rw-r--r--kerberosV/src/lib/roken/rand.c3
-rw-r--r--kerberosV/src/lib/sqlite/sqlite3.c6
7 files changed, 58 insertions, 13 deletions
diff --git a/kerberosV/src/appl/xnlock/xnlock.c b/kerberosV/src/appl/xnlock/xnlock.c
index 4acbc3b8a5a..27ef7cb6a41 100644
--- a/kerberosV/src/appl/xnlock/xnlock.c
+++ b/kerberosV/src/appl/xnlock/xnlock.c
@@ -8,7 +8,7 @@
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
-RCSID("$Id: xnlock.c,v 1.6 2013/06/17 19:11:38 robert Exp $");
+RCSID("$Id: xnlock.c,v 1.7 2013/11/30 18:11:59 deraadt Exp $");
#endif
#include <stdio.h>
@@ -377,6 +377,8 @@ walk(int dir)
static long
my_random (void)
{
+#ifdef HAVE_ARC4RANDOM
+ return arc4random();
#ifdef HAVE_RANDOM
return random();
#else
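Review bot: The added `#ifdef HAVE_ARC4RANDOM` in my_random() opens a second conditional in front of the existing `#ifdef HAVE_RANDOM` instead of chaining onto it, and the hunk adds no matching `#endif`. The rest of the function is outside the hunk, but the line counts (6 old, 8 new) show nothing else was added, so the file presumably ends with an unterminated conditional and fails to preprocess whether or not HAVE_ARC4RANDOM is defined. Changing the following line to `#elif defined(HAVE_RANDOM)` keeps a single chain, matching the `#if defined(HAVE_ARC4RANDOM)` / `#elif` form used in main() later in this file.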
@@ -938,7 +940,9 @@ main (int argc, char **argv)
strlcpy(login, pw->pw_name, sizeof(login));
}
-#if defined(HAVE_SRANDOMDEV)
+#if defined(HAVE_ARC4RANDOM)
+ /* do nothing */
+#elif defined(HAVE_SRANDOMDEV)
srandomdev();
#elif defined(HAVE_RANDOM)
srandom(time(NULL));
diff --git a/kerberosV/src/kadmin/add-random-users.c b/kerberosV/src/kadmin/add-random-users.c
index c3beaf206a6..01f1630744f 100644
--- a/kerberosV/src/kadmin/add-random-users.c
+++ b/kerberosV/src/kadmin/add-random-users.c
@@ -86,9 +86,13 @@ add_user (krb5_context context, void *kadm_handle,
krb5_error_code ret;
int mask;
+#ifdef HAVE_ARC4RANDOM
+ r1 = arc4random();
+ r2 = arc4random();
+#else
r1 = rand();
r2 = rand();
-
+#endif
snprintf (name, sizeof(name), "%s%d", words[r1 % nwords], r2 % 1000);
mask = KADM5_PRINCIPAL;
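Review bot: `r1` and `r2` now receive the full 32-bit result of arc4random(), which is no longer limited to the non-negative range that rand() returns; their declarations are outside the hunk, but if they are `int` the stored value can be negative. `r2 % 1000` would then print a negative suffix through `%d`, and `words[r1 % nwords]` stays in bounds only if `nwords` is unsigned. Where arc4random_uniform() is available, assigning bounded values directly, `r1 = arc4random_uniform(nwords);` and `r2 = arc4random_uniform(1000);`, removes both the sign question and the modulo bias. The same pattern of storing arc4random() in an `int` is used for `rnd` in kpasswd-generator.c and generate-requests.c.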
@@ -169,7 +173,9 @@ main(int argc, char **argv)
print_version(NULL);
return 0;
}
+#ifndef HAVE_ARC4RANDOM
srand (0);
+#endif
argc -= optidx;
argv += optidx;
diff --git a/kerberosV/src/kpasswd/kpasswd-generator.c b/kerberosV/src/kpasswd/kpasswd-generator.c
index 294c0795390..6986437fb26 100644
--- a/kerberosV/src/kpasswd/kpasswd-generator.c
+++ b/kerberosV/src/kpasswd/kpasswd-generator.c
@@ -33,7 +33,7 @@
#include "kpasswd_locl.h"
-RCSID("$Id: kpasswd-generator.c,v 1.6 2013/06/17 18:57:42 robert Exp $");
+RCSID("$Id: kpasswd-generator.c,v 1.7 2013/11/30 18:11:59 deraadt Exp $");
static unsigned
read_words (const char *filename, char ***ret_w)
@@ -78,7 +78,7 @@ generate_requests (const char *filename, unsigned nreq)
{
krb5_context context;
krb5_error_code ret;
- int i;
+ int i, rnd;
char **words;
unsigned nwords;
@@ -89,7 +89,12 @@ generate_requests (const char *filename, unsigned nreq)
nwords = read_words (filename, &words);
for (i = 0; i < nreq; ++i) {
- char *name = words[rand() % nwords];
+#ifdef HAVE_ARC4RANDOM
+ rnd = arc4random()
+#else
+ rnd = rand();
+#endif
+ char *name = words[rnd % nwords];
krb5_get_init_creds_opt *opt;
krb5_creds cred;
krb5_principal principal;
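Review bot: The HAVE_ARC4RANDOM branch reads `rnd = arc4random()` with no terminating semicolon, so this file will not compile on any platform that defines the macro; it should be `rnd = arc4random();` as in generate-requests.c. The assignment also now precedes the `char *name` declaration, which puts a statement ahead of declarations in the loop body and needs a C99 compiler. Declaring `name` first and assigning it after the `#endif` would avoid that. The loop body continues outside the hunk.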
@@ -198,7 +203,9 @@ main(int argc, char **argv)
if (argc != 2)
usage (1);
+#ifndef HAVE_ARC4RANDOM
srand (0);
+#endif
nreq = strtol (argv[1], &end, 0);
if (argv[1] == end || *end != '\0')
usage (1);
diff --git a/kerberosV/src/kuser/generate-requests.c b/kerberosV/src/kuser/generate-requests.c
index 8f50427adca..16f0268cbf6 100644
--- a/kerberosV/src/kuser/generate-requests.c
+++ b/kerberosV/src/kuser/generate-requests.c
@@ -67,7 +67,7 @@ generate_requests (const char *filename, unsigned nreq)
krb5_context context;
krb5_error_code ret;
krb5_creds cred;
- int i;
+ int i, rnd;
char **words;
unsigned nwords;
@@ -78,7 +78,12 @@ generate_requests (const char *filename, unsigned nreq)
nwords = read_words (filename, &words);
for (i = 0; i < nreq; ++i) {
- char *name = words[rand() % nwords];
+#ifdef HAVE_ARC4RANDOM
+ rnd = arc4random();
+#else
+ rnd = rand();
+#endif
+ char *name = words[rnd % nwords];
memset(&cred, 0, sizeof(cred));
@@ -136,7 +141,9 @@ main(int argc, char **argv)
if (argc != 2)
usage (1);
+#ifndef HAVE_ARC4RANDOM
srand (0);
+#endif
nreq = strtol (argv[1], &end, 0);
if (argv[1] == end || *end != '\0')
usage (1);
diff --git a/kerberosV/src/lib/hx509/softp11.c b/kerberosV/src/lib/hx509/softp11.c
index 38f587e0fea..e721973765e 100644
--- a/kerberosV/src/lib/hx509/softp11.c
+++ b/kerberosV/src/lib/hx509/softp11.c
@@ -33,6 +33,7 @@
#define CRYPTOKI_EXPORTS 1
+#include <config.h>
#include "hx_locl.h"
#include "pkcs11.h"
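Review bot: `#include <config.h>` is added unconditionally here and in lib/roken/rand.c, while xnlock.c in the same commit wraps it in `#ifdef HAVE_CONFIG_H`. Since the change is meant to go upstream, the guarded form `#ifdef HAVE_CONFIG_H` / `#include <config.h>` / `#endif` would be consistent with that file; whether hx_locl.h already pulls in config.h is not visible from this hunk.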
@@ -304,6 +305,7 @@ static struct st_object *
add_st_object(void)
{
struct st_object *o, **objs;
+ u_int32_t rnd;
int i;
o = calloc(1, sizeof(*o));
@@ -326,8 +328,14 @@ add_st_object(void)
soft_token.object.objs = objs;
soft_token.object.objs[soft_token.object.num_objs++] = o;
}
+#ifdef HAVE_ARC4RANDOM
+ rnd = arc4random();
+#else
+ rnd = random();
+#endif
+
soft_token.object.objs[i]->object_handle =
- (random() & (~OBJECT_ID_MASK)) | i;
+ (rnd & (~OBJECT_ID_MASK)) | i;
return o;
}
@@ -868,7 +876,9 @@ C_Initialize(CK_VOID_PTR a)
OpenSSL_add_all_algorithms();
+#ifndef HAVE_ARC4RANDOM
srandom(getpid() ^ (int) time(NULL));
+#endif
for (i = 0; i < MAX_NUM_SESSION; i++) {
soft_token.state[i].session_handle = CK_INVALID_HANDLE;
@@ -1114,6 +1124,7 @@ C_OpenSession(CK_SLOT_ID slotID,
CK_SESSION_HANDLE_PTR phSession)
{
size_t i;
+ u_int32_t rnd;
INIT_CONTEXT();
st_logf("OpenSession: slot: %d\n", (int)slotID);
@@ -1129,10 +1140,15 @@ C_OpenSession(CK_SLOT_ID slotID,
if (i == MAX_NUM_SESSION)
abort();
- soft_token.open_sessions++;
+#ifdef HAVE_ARC4RANDOM
+ rnd = arc4random();
+#else
+ rnd = random();
+#endif
+ soft_token.open_sessions++;
soft_token.state[i].session_handle =
- (CK_SESSION_HANDLE)(random() & 0xfffff);
+ (CK_SESSION_HANDLE)(rnd & 0xfffff);
*phSession = soft_token.state[i].session_handle;
return CKR_OK;
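Review bot: The session handle is still taken as `rnd & 0xfffff` without checking the result, so it can come out as 0 or equal to the handle of a session that is already open. C_Initialize marks free slots with `CK_INVALID_HANDLE`, which is 0 in PKCS#11, so a zero handle would make the slot just claimed look free again. A retry such as `do { rnd = arc4random(); } while ((rnd & 0xfffff) == CK_INVALID_HANDLE);` covers the zero case; uniqueness against the other entries of `soft_token.state[]` would need a scan that is not part of this hunk. The added `u_int32_t` is a BSD spelling, and `uint32_t` would be the portable choice for upstream.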
diff --git a/kerberosV/src/lib/roken/rand.c b/kerberosV/src/lib/roken/rand.c
index ef92c2052b7..22ff72bddb4 100644
--- a/kerberosV/src/lib/roken/rand.c
+++ b/kerberosV/src/lib/roken/rand.c
@@ -31,13 +31,14 @@
* SUCH DAMAGE.
*/
+#include <config.h>
#include "roken.h"
void ROKEN_LIB_FUNCTION
rk_random_init(void)
{
#if defined(HAVE_ARC4RANDOM)
- arc4random_stir();
+ /* do nothing */
#elif defined(HAVE_SRANDOMDEV)
srandomdev();
#elif defined(HAVE_RANDOM)
diff --git a/kerberosV/src/lib/sqlite/sqlite3.c b/kerberosV/src/lib/sqlite/sqlite3.c
index 3e6f9833128..e95033df936 100644
--- a/kerberosV/src/lib/sqlite/sqlite3.c
+++ b/kerberosV/src/lib/sqlite/sqlite3.c
@@ -27259,7 +27259,11 @@ static int afpLock(sqlite3_file *id, int eFileLock){
mask = (sizeof(long)==8) ? LARGEST_INT64 : 0x7fffffff;
/* Now get the read-lock SHARED_LOCK */
/* note that the quality of the randomness doesn't matter that much */
+#ifdef HAVE_ARC4RANDOM
+ lk = arc4random();
+#else
lk = random();
+#endif
pInode->sharedByte = (lk & mask)%(SHARED_SIZE - 1);
lrc1 = afpSetLock(context->dbPath, pFile,
SHARED_FIRST+pInode->sharedByte, 1, 1);
@@ -130321,7 +130325,7 @@ SQLITE_API int sqlite3_extension_init(
** May you share freely, never taking more than you give.
**
*************************************************************************
-** $Id: sqlite3.c,v 1.1 2013/06/17 19:11:44 robert Exp $
+** $Id: sqlite3.c,v 1.2 2013/11/30 18:11:59 deraadt Exp $
**
** This file implements an integration between the ICU library
** ("International Components for Unicode", an open-source library