Randomise the rekey interval a little. Previously, the chacha20

instance would be rekeyed every 1.6MB. This makes it happen at a
random point somewhere in the 1-2MB range.

Feedback deraadt@ visa@, ok tb@ visa@

1 files changed, 8 insertions, 2 deletions

diff --git a/src/lib/libc/crypt/arc4random.c b/src/lib/libc/crypt/arc4random.c
index 6cbab6e79b..61bf0edaaa 100644
--- a/src/lib/libc/crypt/arc4random.c
+++ b/src/lib/libc/crypt/arc4random.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: arc4random.c,v 1.56 2022/02/28 21:56:29 dtucker Exp $ */
+/*      $OpenBSD: arc4random.c,v 1.57 2022/07/31 05:10:36 djm Exp $     */
 
 /*
  * Copyright (c) 1996, David Mazieres <dm@uun.org>
@@ -49,6 +49,8 @@
 #define BLOCKSZ 64
 #define RSBUFSZ (16*BLOCKSZ)
 
+#define REKEY_BASE      (1024*1024) /* NB. should be a power of 2 */
+
 /* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */
 static struct _rs {
         size_t          rs_have;        /* valid bytes at end of rs_buf */
@@ -86,6 +88,7 @@ static void
 _rs_stir(void)
 {
         u_char rnd[KEYSZ + IVSZ];
+        uint32_t rekey_fuzz = 0;
 
         if (getentropy(rnd, sizeof rnd) == -1)
                 _getentropy_fail();
@@ -100,7 +103,10 @@ _rs_stir(void)
         rs->rs_have = 0;
         memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
 
-        rs->rs_count = 1600000;
+        /* rekey interval should not be predictable */
+        chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz,
+             (uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz));
+        rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE);
 }
 
 static inline void