update documentation for these functions. They now state the case regarding

pthreads and chroot, and safe initialization without /dev/random and such junk. If you are in control of an arc4random in another library, please look at these pages and get caught up. ok various
author: deraadt <> 2013-10-21 20:35:09 +0000
committer: deraadt <> 2013-10-21 20:35:09 +0000
commit: 42756039caaf804d1123cb442dc1bc79e057433d (patch)
tree: 2d399706983d5d6e1bac1caf3a63738812ad123c
parent: 390e9177b6abd61dc70c43919a1ef0ec18aeda32 (diff)
download: openbsd-42756039caaf804d1123cb442dc1bc79e057433d.tar.gz
openbsd-42756039caaf804d1123cb442dc1bc79e057433d.tar.bz2
openbsd-42756039caaf804d1123cb442dc1bc79e057433d.zip
1 files changed, 45 insertions, 63 deletions
diff --git a/src/lib/libc/crypt/arc4random.3 b/src/lib/libc/crypt/arc4random.3
index 3cc26bbf18..c74c9cc121 100644
--- a/src/lib/libc/crypt/arc4random.3
+++ b/src/lib/libc/crypt/arc4random.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: arc4random.3,v 1.29 2013/06/05 03:39:22 tedu Exp $
+.\" $OpenBSD: arc4random.3,v 1.30 2013/10/21 20:35:09 deraadt Exp $
 .\"
 .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
 .\" All rights reserved.
@@ -30,16 +30,14 @@
 .\"
 .\" Manual page, using -mandoc macros
 .\"
-.Dd $Mdocdate: June 5 2013 $
+.Dd $Mdocdate: October 21 2013 $
 .Dt ARC4RANDOM 3
 .Os
 .Sh NAME
 .Nm arc4random ,
 .Nm arc4random_buf ,
-.Nm arc4random_uniform ,
+.Nm arc4random_uniform
-.Nm arc4random_stir ,
+.Nd random number generator
-.Nm arc4random_addrandom
-.Nd arc4 random number generator
 .Sh SYNOPSIS
 .In stdlib.h
 .Ft u_int32_t
@@ -48,65 +46,54 @@
 .Fn arc4random_buf "void *buf" "size_t nbytes"
 .Ft u_int32_t
 .Fn arc4random_uniform "u_int32_t upper_bound"
-.Ft void
-.Fn arc4random_stir "void"
-.Ft void
-.Fn arc4random_addrandom "u_char *dat" "int datlen"
 .Sh DESCRIPTION
-The
+This family of functions provides higher quality data than those
-.Fn arc4random
+described in
-function provides a high quality 32-bit pseudo-random
-number very quickly.
-.Fn arc4random
-seeds itself on a regular basis from the kernel strong random number
-subsystem described in
-.Xr random 4 .
-On each call, an ARC4 generator is used to generate a new result.
-The
-.Fn arc4random
-function uses the ARC4 cipher key stream generator,
-which uses 8*8 8-bit S-Boxes.
-The S-Boxes can be in about (2**1700) states.
-.Pp
-.Fn arc4random
-provides a cryptographically secure pseudo-random number generator,
-as opposed to the fast but poor quality interfaces described in
 .Xr rand 3 ,
 .Xr random 3 ,
 and
 .Xr drand48 3 .
 .Pp
+Use of these functions is encouraged for almost all random number
+consumption because the other interfaces are deficient in either
+quality, portability, standardization, or availability.
+These functions can be called in almost all coding environments,
+including
+.Xr pthreads 3
+and
+.Xr chroot 2 .
+.Pp
+High quality 32-bit pseudo-random numbers are generated very quickly.
+On each call, a cryptographic pseudo-random number generator is used
+to generate a new result.
+One data pool is used for all consumers in a process, so that consumption
+under program flow can act as additional stirring.
+The subsystem is re-seeded from the kernel random number subsystem using
+.Xr sysctl 3
+on a regular basis, and also upon
+.Xr fork 2 .
+.Pp
+The
+.Fn arc4random
+function returns a single 32-bit value.
+.Pp
 .Fn arc4random_buf
 fills the region
 .Fa buf
 of length
 .Fa nbytes
-with ARC4-derived random data.
+with random data.
 .Pp
 .Fn arc4random_uniform
-will return a uniformly distributed random number less than
+will return a single 32-bit value, uniformly distributed but less than
 .Fa upper_bound .
-.Fn arc4random_uniform
+This is recommended over constructions like
-is recommended over constructions like
 .Dq Li arc4random() % upper_bound
 as it avoids "modulo bias" when the upper bound is not a power of two.
+In the worst case, this function may consume multiple iterations
+to ensure uniformity; see the source code to understand the problem
+and solution.
 .Pp
-The
-.Fn arc4random_stir
-function reads data using
-.Xr sysctl 3
-from
-.Va kern.arandom
-and uses it to permute the S-Boxes via
-.Fn arc4random_addrandom .
-.Pp
-There is no need to call
-.Fn arc4random_stir
-before using
-.Fn arc4random ,
-since
-.Fn arc4random
-automatically initializes itself.
 .Sh RETURN VALUES
 These functions are always successful, and no return value is
 reserved to indicate an error.
@@ -115,21 +102,16 @@ reserved to indicate an error.
 .Xr rand48 3 ,
 .Xr random 3
 .Sh HISTORY
-An algorithm called
-.Pa RC4
-was designed by RSA Data Security, Inc.
-It was considered a trade secret.
-Because it was a trade secret, it obviously could not be patented.
-A clone of this was posted anonymously to USENET and confirmed to
-be equivalent by several sources who had access to the original cipher.
-Because of the trade secret situation, RSA Data Security, Inc. could
-do nothing about the release of the
-.Ql Alleged RC4
-algorithm.
-Since
-.Pa RC4
-was trademarked, the cipher is now referred to as
-.Pa ARC4 .
 .Pp
 These functions first appeared in
 .Ox 2.1 .
+.Pp
+The original version of this random number generator used the
+RC4 (also known as ARC4) algorithm.
+In
+.Ox 5.5 ,
+it was replaced with the ChaCha20 cipher, and it may be replaced
+again in the future as cryptographic techniques advance.
+techniques advance.
+A good mnemonic is
+.Dq A Replacement Call for Random .
author	deraadt <>	2013-10-21 20:35:09 +0000
committer	deraadt <>	2013-10-21 20:35:09 +0000
commit	42756039caaf804d1123cb442dc1bc79e057433d (patch)
tree	2d399706983d5d6e1bac1caf3a63738812ad123c
parent	390e9177b6abd61dc70c43919a1ef0ec18aeda32 (diff)
download	openbsd-42756039caaf804d1123cb442dc1bc79e057433d.tar.gz openbsd-42756039caaf804d1123cb442dc1bc79e057433d.tar.bz2 openbsd-42756039caaf804d1123cb442dc1bc79e057433d.zip

diff --git a/src/lib/libc/crypt/arc4random.3 b/src/lib/libc/crypt/arc4random.3 index 3cc26bbf18..c74c9cc121 100644 --- a/src/lib/libc/crypt/arc4random.3 +++ b/src/lib/libc/crypt/arc4random.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: arc4random.3,v 1.29 2013/06/05 03:39:22 tedu Exp $	1	.\" $OpenBSD: arc4random.3,v 1.30 2013/10/21 20:35:09 deraadt Exp $
2	.\"	2	.\"
3	.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>	3	.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
4	.\" All rights reserved.	4	.\" All rights reserved.
@@ -30,16 +30,14 @@
30	.\"	30	.\"
31	.\" Manual page, using -mandoc macros	31	.\" Manual page, using -mandoc macros
32	.\"	32	.\"
33	.Dd $Mdocdate: June 5 2013 $	33	.Dd $Mdocdate: October 21 2013 $
34	.Dt ARC4RANDOM 3	34	.Dt ARC4RANDOM 3
35	.Os	35	.Os
36	.Sh NAME	36	.Sh NAME
37	.Nm arc4random ,	37	.Nm arc4random ,
38	.Nm arc4random_buf ,	38	.Nm arc4random_buf ,
39	.Nm arc4random_uniform ,	39	.Nm arc4random_uniform
40	.Nm arc4random_stir ,	40	.Nd random number generator
41	.Nm arc4random_addrandom
42	.Nd arc4 random number generator
43	.Sh SYNOPSIS	41	.Sh SYNOPSIS
44	.In stdlib.h	42	.In stdlib.h
45	.Ft u_int32_t	43	.Ft u_int32_t
@@ -48,65 +46,54 @@
48	.Fn arc4random_buf "void *buf" "size_t nbytes"	46	.Fn arc4random_buf "void *buf" "size_t nbytes"
49	.Ft u_int32_t	47	.Ft u_int32_t
50	.Fn arc4random_uniform "u_int32_t upper_bound"	48	.Fn arc4random_uniform "u_int32_t upper_bound"
51	.Ft void
52	.Fn arc4random_stir "void"
53	.Ft void
54	.Fn arc4random_addrandom "u_char *dat" "int datlen"
55	.Sh DESCRIPTION	49	.Sh DESCRIPTION
56	The	50	This family of functions provides higher quality data than those
57	.Fn arc4random	51	described in
58	function provides a high quality 32-bit pseudo-random
59	number very quickly.
60	.Fn arc4random
61	seeds itself on a regular basis from the kernel strong random number
62	subsystem described in
63	.Xr random 4 .
64	On each call, an ARC4 generator is used to generate a new result.
65	The
66	.Fn arc4random
67	function uses the ARC4 cipher key stream generator,
68	which uses 8*8 8-bit S-Boxes.
69	The S-Boxes can be in about (2**1700) states.
70	.Pp
71	.Fn arc4random
72	provides a cryptographically secure pseudo-random number generator,
73	as opposed to the fast but poor quality interfaces described in
74	.Xr rand 3 ,	52	.Xr rand 3 ,
75	.Xr random 3 ,	53	.Xr random 3 ,
76	and	54	and
77	.Xr drand48 3 .	55	.Xr drand48 3 .
78	.Pp	56	.Pp
		57	Use of these functions is encouraged for almost all random number
		58	consumption because the other interfaces are deficient in either
		59	quality, portability, standardization, or availability.
		60	These functions can be called in almost all coding environments,
		61	including
		62	.Xr pthreads 3
		63	and
		64	.Xr chroot 2 .
		65	.Pp
		66	High quality 32-bit pseudo-random numbers are generated very quickly.
		67	On each call, a cryptographic pseudo-random number generator is used
		68	to generate a new result.
		69	One data pool is used for all consumers in a process, so that consumption
		70	under program flow can act as additional stirring.
		71	The subsystem is re-seeded from the kernel random number subsystem using
		72	.Xr sysctl 3
		73	on a regular basis, and also upon
		74	.Xr fork 2 .
		75	.Pp
		76	The
		77	.Fn arc4random
		78	function returns a single 32-bit value.
		79	.Pp
79	.Fn arc4random_buf	80	.Fn arc4random_buf
80	fills the region	81	fills the region
81	.Fa buf	82	.Fa buf
82	of length	83	of length
83	.Fa nbytes	84	.Fa nbytes
84	with ARC4-derived random data.	85	with random data.
85	.Pp	86	.Pp
86	.Fn arc4random_uniform	87	.Fn arc4random_uniform
87	will return a uniformly distributed random number less than	88	will return a single 32-bit value, uniformly distributed but less than
88	.Fa upper_bound .	89	.Fa upper_bound .
89	.Fn arc4random_uniform	90	This is recommended over constructions like
90	is recommended over constructions like
91	.Dq Li arc4random() % upper_bound	91	.Dq Li arc4random() % upper_bound
92	as it avoids "modulo bias" when the upper bound is not a power of two.	92	as it avoids "modulo bias" when the upper bound is not a power of two.
		93	In the worst case, this function may consume multiple iterations
		94	to ensure uniformity; see the source code to understand the problem
		95	and solution.
93	.Pp	96	.Pp
94	The
95	.Fn arc4random_stir
96	function reads data using
97	.Xr sysctl 3
98	from
99	.Va kern.arandom
100	and uses it to permute the S-Boxes via
101	.Fn arc4random_addrandom .
102	.Pp
103	There is no need to call
104	.Fn arc4random_stir
105	before using
106	.Fn arc4random ,
107	since
108	.Fn arc4random
109	automatically initializes itself.
110	.Sh RETURN VALUES	97	.Sh RETURN VALUES
111	These functions are always successful, and no return value is	98	These functions are always successful, and no return value is
112	reserved to indicate an error.	99	reserved to indicate an error.
@@ -115,21 +102,16 @@ reserved to indicate an error.
115	.Xr rand48 3 ,	102	.Xr rand48 3 ,
116	.Xr random 3	103	.Xr random 3
117	.Sh HISTORY	104	.Sh HISTORY
118	An algorithm called
119	.Pa RC4
120	was designed by RSA Data Security, Inc.
121	It was considered a trade secret.
122	Because it was a trade secret, it obviously could not be patented.
123	A clone of this was posted anonymously to USENET and confirmed to
124	be equivalent by several sources who had access to the original cipher.
125	Because of the trade secret situation, RSA Data Security, Inc. could
126	do nothing about the release of the
127	.Ql Alleged RC4
128	algorithm.
129	Since
130	.Pa RC4
131	was trademarked, the cipher is now referred to as
132	.Pa ARC4 .
133	.Pp	105	.Pp
134	These functions first appeared in	106	These functions first appeared in
135	.Ox 2.1 .	107	.Ox 2.1 .
		108	.Pp
		109	The original version of this random number generator used the
		110	RC4 (also known as ARC4) algorithm.
		111	In
		112	.Ox 5.5 ,
		113	it was replaced with the ChaCha20 cipher, and it may be replaced
		114	again in the future as cryptographic techniques advance.
		115	techniques advance.
		116	A good mnemonic is
		117	.Dq A Replacement Call for Random .