std: switch to faster random sources on macOS and most BSDs

Author: joboet

library/std/src/random.rs

@@ -42,19 +42,25 @@ use crate::sys::random as sys;
 /// Platform               | Source
 /// -----------------------|---------------------------------------------------------------
 /// Linux                  | [`getrandom`] or [`/dev/urandom`] after polling `/dev/random`
-/// Windows                | [`ProcessPrng`]
-/// macOS and other UNIXes | [`getentropy`]
-/// other Apple platforms  | `CCRandomGenerateBytes`
-/// Fuchsia                | [`cprng_draw`]
+/// Windows                | [`ProcessPrng`](https://learn.microsoft.com/en-us/windows/win32/seccng/processprng)
+/// Apple                  | `CCRandomGenerateBytes`
+/// DragonFly              | [`arc4random_buf`](https://man.dragonflybsd.org/?command=arc4random&section=ANY)
+/// FreeBSD                | [`arc4random_buf`](https://man.freebsd.org/cgi/man.cgi?query=arc4random&apropos=0&sektion=0&manpath=FreeBSD+15.0-CURRENT&arch=default&format=html)
+/// Fuchsia                | [`cprng_draw`](https://fuchsia.dev/reference/syscalls/cprng_draw)
+/// Haiku                  | `arc4random_buf`
+/// Illumos                | [`arc4random_buf`](https://www.illumos.org/man/3C/arc4random)
+/// NetBSD                 | [`arc4random_buf`](https://man.netbsd.org/arc4random.3)
+/// OpenBSD                | [`arc4random_buf`](https://man.openbsd.org/arc4random.3)
+/// Solaris                | [`arc4random_buf`](https://docs.oracle.com/cd/E88353_01/html/E37843/arc4random-3c.html)
+/// Vita                   | `arc4random_buf`
 /// Hermit                 | `read_entropy`
 /// Horizon                | `getrandom` shim
 /// Hurd, L4Re, QNX        | `/dev/urandom`
-/// NetBSD before 10.0     | [`kern.arandom`]
 /// Redox                  | `/scheme/rand`
-/// SGX                    | [`rdrand`]
+/// SGX                    | [`rdrand`](https://en.wikipedia.org/wiki/RDRAND)
 /// SOLID                  | `SOLID_RNG_SampleRandomBytes`
 /// TEEOS                  | `TEE_GenerateRandom`
-/// UEFI                   | [`EFI_RNG_PROTOCOL`]
+/// UEFI                   | [`EFI_RNG_PROTOCOL`](https://uefi.org/specs/UEFI/2.10/37_Secure_Technologies.html#random-number-generator-protocol)
 /// VxWorks                | `randABytes` after waiting for `randSecure` to become ready
 /// WASI                   | `random_get`
 /// ZKVM                   | `sys_rand`
@@ -63,12 +69,6 @@ use crate::sys::random as sys;
 ///
 /// [`getrandom`]: https://www.man7.org/linux/man-pages/man2/getrandom.2.html
 /// [`/dev/urandom`]: https://www.man7.org/linux/man-pages/man4/random.4.html
-/// [`ProcessPrng`]: https://learn.microsoft.com/en-us/windows/win32/seccng/processprng
-/// [`getentropy`]: https://pubs.opengroup.org/onlinepubs/9799919799/functions/getentropy.html
-/// [`cprng_draw`]: https://fuchsia.dev/reference/syscalls/cprng_draw
-/// [`kern.arandom`]: https://man.netbsd.org/rnd.4
-/// [`rdrand`]: https://en.wikipedia.org/wiki/RDRAND
-/// [`EFI_RNG_PROTOCOL`]: https://uefi.org/specs/UEFI/2.10/37_Secure_Technologies.html#random-number-generator-protocol
 #[derive(Default, Debug, Clone, Copy)]
 #[unstable(feature = "random", issue = "none")]
 pub struct DefaultRandomSource;

library/std/src/sys/random/apple.rs

@@ -1,20 +1,13 @@
-//! Random data on non-macOS Apple platforms.
+//! Random data on Apple platforms.
 //!
-//! Apple recommends the usage of `getentropy` in their security documentation[^1]
-//! and mark it as being available in iOS 10.0, but we cannot use it on non-macOS
-//! platforms as Apple in their *infinite wisdom* decided to consider this API
-//! private, meaning its use will lead to App Store rejections (see #102643).
-//!
-//! Thus, we need to do the next best thing:
-//!
-//! Both `CCRandomGenerateBytes` and `SecRandomCopyBytes` simply call into
-//! `CCRandomCopyBytes` with `kCCRandomDefault`. `CCRandomCopyBytes` manages a
-//! CSPRNG which is seeded from the kernel's CSPRNG and which runs on its own
-//! thread accessed via GCD (this is so wasteful...). Both are available on
-//! iOS, but we use `CCRandomGenerateBytes` because it is accessible via
+//! `CCRandomGenerateBytes` calls into `CCRandomCopyBytes` with `kCCRandomDefault`.
+//! `CCRandomCopyBytes` manages a CSPRNG which is seeded from the kernel's CSPRNG.
+//! We use `CCRandomGenerateBytes` instead of `SecCopyBytes` because it is accessible via
 //! `libSystem` (libc) while the other needs to link to `Security.framework`.
 //!
-//! [^1]: <https://support.apple.com/en-gb/guide/security/seca0c73a75b/web>
+//! Note that technically, `arc4random_buf` is available as well, but that calls
+//! into the same system service anyway, and `CCRandomGenerateBytes` has been
+//! proven to be App Store-compatible.
 
 pub fn fill_bytes(bytes: &mut [u8], _best_effort: bool) {
     let ret = unsafe { libc::CCRandomGenerateBytes(bytes.as_mut_ptr().cast(), bytes.len()) };

library/std/src/sys/random/arc4random.rs

@@ -0,0 +1,33 @@
+//! Random data generation with `arc4random_buf`.
+//!
+//! Contrary to its name, `arc4random` doesn't actually use the horribly-broken
+//! RC4 cypher anymore, at least not on modern systems, but rather something
+//! like ChaCha20 with continual reseeding from the OS. That makes it an ideal
+//! source of large quantities of cryptographically secure data, which is exactly
+//! what we need for `DefaultRandomSource`. Unfortunately, it's not available
+//! on all UNIX systems, most notably Linux (until recently, and that implementation
+//! is broken).
+
+#[cfg(not(any(
+    target_os = "haiku",
+    target_os = "illumos",
+    target_os = "solaris",
+    target_os = "vita",
+)))]
+use libc::arc4random_buf;
+
+// FIXME: move these to libc (except Haiku, that one needs to link to libbsd.so).
+#[cfg(any(
+    target_os = "haiku", // See https://git.haiku-os.org/haiku/tree/headers/compatibility/bsd/stdlib.h
+    target_os = "illumos", // See https://www.illumos.org/man/3C/arc4random
+    target_os = "solaris", // See https://docs.oracle.com/cd/E88353_01/html/E37843/arc4random-3c.html
+    target_os = "vita", // See https://github.com/vitasdk/newlib/blob/b89e5bc183b516945f9ee07eef483ecb916e45ff/newlib/libc/include/stdlib.h#L74
+))]
+#[cfg_attr(target_os = "haiku", link(name = "bsd"))]
+extern "C" {
+    fn arc4random_buf(buf: *mut core::ffi::c_void, nbytes: libc::size_t);
+}
+
+pub fn fill_bytes(bytes: &mut [u8], _best_effort: bool) {
+    unsafe { arc4random_buf(bytes.as_mut_ptr().cast(), bytes.len()) }
+}

library/std/src/sys/random/getentropy.rs

@@ -0,0 +1,17 @@
+//! Random data generation through `getentropy`.
+//!
+//! Since issue 8 (2024), the POSIX specification mandates the existence of the
+//! `getentropy` function, which fills a slice of up to `GETENTROPY_MAX` bytes
+//! (256 on all known platforms) with random data. Unfortunately, it's only
+//! meant to be used to seed other CPRNGs, which we don't have, so we only use
+//! it where `arc4random_buf` and friends aren't available or secure (currently
+//! that's only the case on Emscripten).
+
+pub fn fill_bytes(bytes: &mut [u8], _best_effort: bool) {
+    // GETENTROPY_MAX isn't defined yet on most platforms, but it's mandated
+    // to be at least 256, so just use that as limit.
+    for chunk in bytes.chunks_mut(256) {
+        let r = unsafe { libc::getentropy(chunk.as_mut_ptr().cast(), chunk.len()) };
+        assert_ne!(r, -1, "failed to generate random data");
+    }
+}

library/std/src/sys/random/mod.rs

@@ -6,32 +6,33 @@ cfg_if::cfg_if! {
     } else if #[cfg(target_os = "windows")] {
         mod windows;
         pub use windows::fill_bytes;
+    } else if #[cfg(target_vendor = "apple")] {
+        mod apple;
+        pub use apple::fill_bytes;
+    // Others, in alphabetical ordering.
     } else if #[cfg(any(
-        target_os = "openbsd",
-        target_os = "freebsd",
-        target_os = "macos",
-        all(target_os = "netbsd", netbsd10),
         target_os = "dragonfly",
+        target_os = "freebsd",
+        target_os = "haiku",
         target_os = "illumos",
+        target_os = "netbsd",
+        target_os = "openbsd",
         target_os = "solaris",
-        target_os = "emscripten",
         target_os = "vita",
-        target_os = "haiku",
     ))] {
-        mod unix;
-        pub use unix::fill_bytes;
-    // Others, in alphabetical ordering.
-    } else if #[cfg(all(target_vendor = "apple", not(target_os = "macos")))] {
-        mod apple;
-        pub use apple::fill_bytes;
+        mod arc4random;
+        pub use arc4random::fill_bytes;
+    } else if #[cfg(target_os = "emscripten")] {
+        mod getentropy;
+        pub use getentropy::fill_bytes;
     } else if #[cfg(target_os = "fuchsia")] {
         mod fuchsia;
         pub use fuchsia::fill_bytes;
     } else if #[cfg(target_os = "hermit")] {
         mod hermit;
         pub use hermit::fill_bytes;
     } else if #[cfg(target_os = "horizon")] {
-        // FIXME: add getentropy to shim-3ds
+        // FIXME: add arc4random_buf to shim-3ds
         mod horizon;
         pub use horizon::fill_bytes;
     } else if #[cfg(any(
@@ -41,10 +42,6 @@ cfg_if::cfg_if! {
     ))] {
         mod unix_legacy;
         pub use unix_legacy::fill_bytes;
-    } else if #[cfg(all(target_os = "netbsd", not(netbsd10)))] {
-        // FIXME: remove once NetBSD 10 is the minimum
-        mod netbsd;
-        pub use netbsd::fill_bytes;
     } else if #[cfg(target_os = "redox")] {
         mod redox;
         pub use redox::fill_bytes;

library/std/src/sys/random/netbsd.rs

@@ -3,8 +3,8 @@
 //! Before `getentropy` was standardized in 2024, UNIX didn't have a standardized
 //! way of getting random data, so systems just followed the precedent set by
 //! Linux and exposed random devices at `/dev/random` and `/dev/urandom`. Thus,
-//! for the few systems that do not support `getentropy` yet, we just read from
-//! the file.
+//! for the few systems that support neither `arc4random_buf` nor `getentropy`
+//! yet, we just read from the file.
 
 use crate::fs::File;
 use crate::io::Read;