arc4random.c revision 262566
1/* OPENBSD ORIGINAL: lib/libc/crypto/arc4random.c */ 2 3/* $OpenBSD: arc4random.c,v 1.25 2013/10/01 18:34:57 markus Exp $ */ 4 5/* 6 * Copyright (c) 1996, David Mazieres <dm@uun.org> 7 * Copyright (c) 2008, Damien Miller <djm@openbsd.org> 8 * Copyright (c) 2013, Markus Friedl <markus@openbsd.org> 9 * 10 * Permission to use, copy, modify, and distribute this software for any 11 * purpose with or without fee is hereby granted, provided that the above 12 * copyright notice and this permission notice appear in all copies. 13 * 14 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 15 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 16 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 17 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 18 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 19 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 20 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 21 */ 22 23/* 24 * ChaCha based random number generator for OpenBSD. 25 */ 26 27#include "includes.h" 28 29#include <stdlib.h> 30#include <string.h> 31#include <unistd.h> 32#include <sys/types.h> 33 34#ifndef HAVE_ARC4RANDOM 35 36#include <openssl/rand.h> 37#include <openssl/err.h> 38 39#include "log.h" 40 41#define KEYSTREAM_ONLY 42#include "chacha_private.h" 43 44#ifdef __GNUC__ 45#define inline __inline 46#else /* !__GNUC__ */ 47#define inline 48#endif /* !__GNUC__ */ 49 50/* OpenSSH isn't multithreaded */ 51#define _ARC4_LOCK() 52#define _ARC4_UNLOCK() 53 54#define KEYSZ 32 55#define IVSZ 8 56#define BLOCKSZ 64 57#define RSBUFSZ (16*BLOCKSZ) 58static int rs_initialized; 59static pid_t rs_stir_pid; 60static chacha_ctx rs; /* chacha context for random keystream */ 61static u_char rs_buf[RSBUFSZ]; /* keystream blocks */ 62static size_t rs_have; /* valid bytes at end of rs_buf */ 63static size_t rs_count; /* bytes till reseed */ 64 65static inline void _rs_rekey(u_char *dat, size_t datlen); 66 67static inline void 68_rs_init(u_char *buf, size_t n) 69{ 70 if (n < KEYSZ + IVSZ) 71 return; 72 chacha_keysetup(&rs, buf, KEYSZ * 8, 0); 73 chacha_ivsetup(&rs, buf + KEYSZ); 74} 75 76static void 77_rs_stir(void) 78{ 79 u_char rnd[KEYSZ + IVSZ]; 80 81 if (RAND_bytes(rnd, sizeof(rnd)) <= 0) 82 fatal("Couldn't obtain random bytes (error %ld)", 83 ERR_get_error()); 84 85 if (!rs_initialized) { 86 rs_initialized = 1; 87 _rs_init(rnd, sizeof(rnd)); 88 } else 89 _rs_rekey(rnd, sizeof(rnd)); 90 memset(rnd, 0, sizeof(rnd)); 91 92 /* invalidate rs_buf */ 93 rs_have = 0; 94 memset(rs_buf, 0, RSBUFSZ); 95 96 rs_count = 1600000; 97} 98 99static inline void 100_rs_stir_if_needed(size_t len) 101{ 102 pid_t pid = getpid(); 103 104 if (rs_count <= len || !rs_initialized || rs_stir_pid != pid) { 105 rs_stir_pid = pid; 106 _rs_stir(); 107 } else 108 rs_count -= len; 109} 110 111static inline void 112_rs_rekey(u_char *dat, size_t datlen) 113{ 114#ifndef KEYSTREAM_ONLY 115 memset(rs_buf, 0,RSBUFSZ); 116#endif 117 /* fill rs_buf with the keystream */ 118 chacha_encrypt_bytes(&rs, rs_buf, rs_buf, RSBUFSZ); 119 /* mix in optional user provided data */ 120 if (dat) { 121 size_t i, m; 122 123 m = MIN(datlen, KEYSZ + IVSZ); 124 for (i = 0; i < m; i++) 125 rs_buf[i] ^= dat[i]; 126 } 127 /* immediately reinit for backtracking resistance */ 128 _rs_init(rs_buf, KEYSZ + IVSZ); 129 memset(rs_buf, 0, KEYSZ + IVSZ); 130 rs_have = RSBUFSZ - KEYSZ - IVSZ; 131} 132 133static inline void 134_rs_random_buf(void *_buf, size_t n) 135{ 136 u_char *buf = (u_char *)_buf; 137 size_t m; 138 139 _rs_stir_if_needed(n); 140 while (n > 0) { 141 if (rs_have > 0) { 142 m = MIN(n, rs_have); 143 memcpy(buf, rs_buf + RSBUFSZ - rs_have, m); 144 memset(rs_buf + RSBUFSZ - rs_have, 0, m); 145 buf += m; 146 n -= m; 147 rs_have -= m; 148 } 149 if (rs_have == 0) 150 _rs_rekey(NULL, 0); 151 } 152} 153 154static inline void 155_rs_random_u32(u_int32_t *val) 156{ 157 _rs_stir_if_needed(sizeof(*val)); 158 if (rs_have < sizeof(*val)) 159 _rs_rekey(NULL, 0); 160 memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val)); 161 memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val)); 162 rs_have -= sizeof(*val); 163 return; 164} 165 166void 167arc4random_stir(void) 168{ 169 _ARC4_LOCK(); 170 _rs_stir(); 171 _ARC4_UNLOCK(); 172} 173 174void 175arc4random_addrandom(u_char *dat, int datlen) 176{ 177 int m; 178 179 _ARC4_LOCK(); 180 if (!rs_initialized) 181 _rs_stir(); 182 while (datlen > 0) { 183 m = MIN(datlen, KEYSZ + IVSZ); 184 _rs_rekey(dat, m); 185 dat += m; 186 datlen -= m; 187 } 188 _ARC4_UNLOCK(); 189} 190 191u_int32_t 192arc4random(void) 193{ 194 u_int32_t val; 195 196 _ARC4_LOCK(); 197 _rs_random_u32(&val); 198 _ARC4_UNLOCK(); 199 return val; 200} 201 202/* 203 * If we are providing arc4random, then we can provide a more efficient 204 * arc4random_buf(). 205 */ 206# ifndef HAVE_ARC4RANDOM_BUF 207void 208arc4random_buf(void *buf, size_t n) 209{ 210 _ARC4_LOCK(); 211 _rs_random_buf(buf, n); 212 _ARC4_UNLOCK(); 213} 214# endif /* !HAVE_ARC4RANDOM_BUF */ 215#endif /* !HAVE_ARC4RANDOM */ 216 217/* arc4random_buf() that uses platform arc4random() */ 218#if !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) 219void 220arc4random_buf(void *_buf, size_t n) 221{ 222 size_t i; 223 u_int32_t r = 0; 224 char *buf = (char *)_buf; 225 226 for (i = 0; i < n; i++) { 227 if (i % 4 == 0) 228 r = arc4random(); 229 buf[i] = r & 0xff; 230 r >>= 8; 231 } 232 i = r = 0; 233} 234#endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */ 235 236#ifndef HAVE_ARC4RANDOM_UNIFORM 237/* 238 * Calculate a uniformly distributed random number less than upper_bound 239 * avoiding "modulo bias". 240 * 241 * Uniformity is achieved by generating new random numbers until the one 242 * returned is outside the range [0, 2**32 % upper_bound). This 243 * guarantees the selected random number will be inside 244 * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound) 245 * after reduction modulo upper_bound. 246 */ 247u_int32_t 248arc4random_uniform(u_int32_t upper_bound) 249{ 250 u_int32_t r, min; 251 252 if (upper_bound < 2) 253 return 0; 254 255 /* 2**32 % x == (2**32 - x) % x */ 256 min = -upper_bound % upper_bound; 257 258 /* 259 * This could theoretically loop forever but each retry has 260 * p > 0.5 (worst case, usually far better) of selecting a 261 * number inside the range we need, so it should rarely need 262 * to re-roll. 263 */ 264 for (;;) { 265 r = arc4random(); 266 if (r >= min) 267 break; 268 } 269 270 return r % upper_bound; 271} 272#endif /* !HAVE_ARC4RANDOM_UNIFORM */ 273 274#if 0 275/*-------- Test code for i386 --------*/ 276#include <stdio.h> 277#include <machine/pctr.h> 278int 279main(int argc, char **argv) 280{ 281 const int iter = 1000000; 282 int i; 283 pctrval v; 284 285 v = rdtsc(); 286 for (i = 0; i < iter; i++) 287 arc4random(); 288 v = rdtsc() - v; 289 v /= iter; 290 291 printf("%qd cycles\n", v); 292 exit(0); 293} 294#endif 295