Update dependencies

vendor/gvisor.dev/gvisor/pkg/rand/rand.go

@@ -0,0 +1,28 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !linux
+// +build !linux
+
+package rand
+
+import "crypto/rand"
+
+// Reader is the default reader.
+var Reader = rand.Reader
+
+// Read implements io.Reader.Read.
+func Read(b []byte) (int, error) {
+	return rand.Read(b)
+}

vendor/gvisor.dev/gvisor/pkg/rand/rand_linux.go

@@ -0,0 +1,82 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rand
+
+import (
+	"bufio"
+	"crypto/rand"
+	"io"
+
+	"golang.org/x/sys/unix"
+	"gvisor.dev/gvisor/pkg/sync"
+)
+
+// reader implements an io.Reader that returns pseudorandom bytes.
+type reader struct {
+	once         sync.Once
+	useGetrandom bool
+}
+
+// Read implements io.Reader.Read.
+func (r *reader) Read(p []byte) (int, error) {
+	r.once.Do(func() {
+		_, err := unix.Getrandom(p, 0)
+		if err != unix.ENOSYS {
+			r.useGetrandom = true
+		}
+	})
+
+	if r.useGetrandom {
+		return unix.Getrandom(p, 0)
+	}
+	return rand.Read(p)
+}
+
+// bufferedReader implements a threadsafe buffered io.Reader.
+type bufferedReader struct {
+	mu sync.Mutex
+	r  *bufio.Reader
+}
+
+// Read implements io.Reader.Read.
+func (b *bufferedReader) Read(p []byte) (int, error) {
+	// In Linux, reads of up to page size bytes will always complete fully.
+	// See drivers/char/random.c:get_random_bytes_user().
+	// NOTE(gvisor.dev/issue/9445): Some applications rely on this behavior.
+	const pageSize = 4096
+	min := len(p)
+	if min > pageSize {
+		min = pageSize
+	}
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	return io.ReadAtLeast(b.r, p, min)
+}
+
+// Reader is the default reader.
+var Reader io.Reader = &bufferedReader{r: bufio.NewReader(&reader{})}
+
+// Read reads from the default reader.
+func Read(b []byte) (int, error) {
+	return io.ReadFull(Reader, b)
+}
+
+// Init can be called to make sure /dev/urandom is pre-opened on kernels that
+// do not support getrandom(2).
+func Init() error {
+	p := make([]byte, 1)
+	_, err := Read(p)
+	return err
+}

vendor/gvisor.dev/gvisor/pkg/rand/rand_linux_state_autogen.go

@@ -0,0 +1,3 @@
+// automatically generated by stateify.
+
+package rand

vendor/gvisor.dev/gvisor/pkg/rand/rand_state_autogen.go

@@ -0,0 +1,6 @@
+// automatically generated by stateify.
+
+//go:build !linux
+// +build !linux
+
+package rand

vendor/gvisor.dev/gvisor/pkg/rand/rng.go

@@ -0,0 +1,131 @@
+// Copyright 2023 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package rand implements a cryptographically secure pseudorandom number
+// generator.
+package rand
+
+import (
+	"encoding/binary"
+	"fmt"
+	"io"
+)
+
+// RNG exposes convenience functions based on a cryptographically secure
+// io.Reader.
+type RNG struct {
+	Reader io.Reader
+}
+
+// RNGFrom returns a new RNG. r must be a cryptographically secure io.Reader.
+func RNGFrom(r io.Reader) RNG {
+	return RNG{Reader: r}
+}
+
+// Uint16 is analogous to the standard library's math/rand.Uint16.
+func (rg *RNG) Uint16() uint16 {
+	var data [2]byte
+	if _, err := rg.Reader.Read(data[:]); err != nil {
+		panic(fmt.Sprintf("Read() failed: %v", err))
+	}
+	return binary.NativeEndian.Uint16(data[:])
+}
+
+// Uint32 is analogous to the standard library's math/rand.Uint32.
+func (rg *RNG) Uint32() uint32 {
+	var data [4]byte
+	if _, err := rg.Reader.Read(data[:]); err != nil {
+		panic(fmt.Sprintf("Read() failed: %v", err))
+	}
+	return binary.NativeEndian.Uint32(data[:])
+}
+
+// Int63n is analogous to the standard library's math/rand.Int63n.
+func (rg *RNG) Int63n(n int64) int64 {
+	// Based on Go's rand package implementation, but using
+	// cryptographically secure random numbers.
+	if n <= 0 {
+		panic(fmt.Sprintf("n must be positive, but got %d", n))
+	}
+
+	// This can be done quickly when n is a power of 2.
+	if n&(n-1) == 0 {
+		return int64(rg.Uint64()) & (n - 1)
+	}
+
+	// The naive approach would be to return rg.Int63()%n, but we need the
+	// random number to be fair. It shouldn't be biased towards certain
+	// results, but simple modular math can be very biased. For example, if
+	// n is 40% of the maximum int64, then the output values of rg.Int63
+	// map to return values as follows:
+	//
+	//  - The first 40% of values map to themselves.
+	//  - The second 40% map to themselves - maximum int64.
+	//  - The remaining 20% map to the themselves - 2 * (maximum int64),
+	//    i.e. the first half of possible output values.
+	//
+	// And thus 60% of results map the first half of possible output
+	// values, and 40% map the second half. Oops!
+	//
+	// We use the same trick as Go to deal with this: shave off the last
+	// segment (the 20% in our example) to make the RNG more fair.
+	//
+	// In the worst case, n is just over half of maximum int64, meaning
+	// that the upper half of rg.Int63 return values are bad. So each call
+	// to rg.Int63 has, at worst, a 50% chance of needing a retry.
+	maximum := int64((1 << 63) - 1 - (1<<63)%uint64(n))
+	ret := rg.Int63()
+	for ret > maximum {
+		ret = rg.Int63()
+	}
+	return ret % n
+}
+
+// Int63 is analogous to the standard library's math/rand.Int63.
+func (rg *RNG) Int63() int64 {
+	return ((1 << 63) - 1) & int64(rg.Uint64())
+}
+
+// Uint64 is analogous to the standard library's math/rand.Uint64.
+func (rg *RNG) Uint64() uint64 {
+	var data [8]byte
+	if _, err := rg.Reader.Read(data[:]); err != nil {
+		panic(fmt.Sprintf("Read() failed: %v", err))
+	}
+	return binary.NativeEndian.Uint64(data[:])
+}
+
+// Uint32 is analogous to the standard library's math/rand.Uint32.
+func Uint32() uint32 {
+	rng := RNG{Reader: Reader}
+	return rng.Uint32()
+}
+
+// Int63n is analogous to the standard library's math/rand.Int63n.
+func Int63n(n int64) int64 {
+	rng := RNG{Reader: Reader}
+	return rng.Int63n(n)
+}
+
+// Int63 is analogous to the standard library's math/rand.Int63.
+func Int63() int64 {
+	rng := RNG{Reader: Reader}
+	return rng.Int63()
+}
+
+// Uint64 is analogous to the standard library's math/rand.Uint64.
+func Uint64() uint64 {
+	rng := RNG{Reader: Reader}
+	return rng.Uint64()
+}