replace rc4 with ChaCha20; inspired by Nick Mathewson's work on libottery;

feedback and ok djm@
author: markus <> 2013-10-01 18:34:57 +0000
committer: markus <> 2013-10-01 18:34:57 +0000
commit: 9a356934a3a8aebc5822ec33f95340401a618b02 (patch)
tree: c9d1e389fa36eda850bab2211063e000d8567112 /src/lib/libc/crypt/arc4random.c
parent: 362b96a0554ddbc24305e3d4835efe41c2d73b81 (diff)
download: openbsd-9a356934a3a8aebc5822ec33f95340401a618b02.tar.gz
openbsd-9a356934a3a8aebc5822ec33f95340401a618b02.tar.bz2
openbsd-9a356934a3a8aebc5822ec33f95340401a618b02.zip
1 files changed, 106 insertions, 98 deletions
diff --git a/src/lib/libc/crypt/arc4random.c b/src/lib/libc/crypt/arc4random.c
index f00f5ee9f1..356e231815 100644
--- a/src/lib/libc/crypt/arc4random.c
+++ b/src/lib/libc/crypt/arc4random.c
@@ -1,8 +1,9 @@
-/*      $OpenBSD: arc4random.c,v 1.24 2013/06/11 16:59:50 deraadt Exp $ */
+/*      $OpenBSD: arc4random.c,v 1.25 2013/10/01 18:34:57 markus Exp $  */
 /*
 * Copyright (c) 1996, David Mazieres <dm@uun.org>
 * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
+ * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -18,20 +19,13 @@
 */
 /*
- * Arc4 random number generator for OpenBSD.
+ * ChaCha based random number generator for OpenBSD.
- *
- * This code is derived from section 17.1 of Applied Cryptography,
- * second edition, which describes a stream cipher allegedly
- * compatible with RSA Labs "RC4" cipher (the actual description of
- * which is a trade secret).  The same algorithm is used as a stream
- * cipher called "arcfour" in Tatu Ylonen's ssh package.
- *
- * RC4 is a registered trademark of RSA Laboratories.
 */
 #include <fcntl.h>
 #include <limits.h>
 #include <stdlib.h>
+#include <string.h>
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/param.h>
@@ -39,64 +33,43 @@
 #include <sys/sysctl.h>
 #include "thread_private.h"
+#define KEYSTREAM_ONLY
+#include "chacha_private.h"
 #ifdef __GNUC__
 #define inline __inline
 #else                           /* !__GNUC__ */
 #define inline
 #endif                          /* !__GNUC__ */
-struct arc4_stream {
+#define KEYSZ   32
-        u_int8_t i;
+#define IVSZ    8
-        u_int8_t j;
+#define BLOCKSZ 64
-        u_int8_t s[256];
+#define RSBUFSZ (16*BLOCKSZ)
-};
 static int rs_initialized;
-static struct arc4_stream rs;
+static pid_t rs_stir_pid;
-static pid_t arc4_stir_pid;
+static chacha_ctx rs;           /* chacha context for random keystream */
-static int arc4_count;
+static u_char rs_buf[RSBUFSZ];  /* keystream blocks */
+static size_t rs_have;          /* valid bytes at end of rs_buf */
-static inline u_int8_t arc4_getbyte(void);
+static size_t rs_count;         /* bytes till reseed */
-static inline void
+static inline void _rs_rekey(u_char *dat, size_t datlen);
-arc4_init(void)
-{
-        int     n;
-        for (n = 0; n < 256; n++)
-                rs.s[n] = n;
-        rs.i = 0;
-        rs.j = 0;
-}
 static inline void
-arc4_addrandom(u_char *dat, int datlen)
+_rs_init(u_char *buf, size_t n)
 {
-        int     n;
+        if (n < KEYSZ + IVSZ)
-        u_int8_t si;
+                return;
+        chacha_keysetup(&rs, buf, KEYSZ * 8, 0);
-        rs.i--;
+        chacha_ivsetup(&rs, buf + KEYSZ);
-        for (n = 0; n < 256; n++) {
-                rs.i = (rs.i + 1);
-                si = rs.s[rs.i];
-                rs.j = (rs.j + si + dat[n % datlen]);
-                rs.s[rs.i] = rs.s[rs.j];
-                rs.s[rs.j] = si;
-        }
-        rs.j = rs.i;
 }
 static void
-arc4_stir(void)
+_rs_stir(void)
 {
-        int     i, mib[2];
+        int     mib[2];
        size_t  len;
-        u_char rnd[128];
+        u_char rnd[KEYSZ + IVSZ];
-        if (!rs_initialized) {
-                arc4_init();
-                rs_initialized = 1;
-        }
        mib[0] = CTL_KERN;
        mib[1] = KERN_ARND;
@@ -104,68 +77,109 @@ arc4_stir(void)
        len = sizeof(rnd);
        sysctl(mib, 2, rnd, &len, NULL, 0);
-        arc4_addrandom(rnd, sizeof(rnd));
+        if (!rs_initialized) {
+                rs_initialized = 1;
+                _rs_init(rnd, sizeof(rnd));
+        } else
+                _rs_rekey(rnd, sizeof(rnd));
+        memset(rnd, 0, sizeof(rnd));
-        /*
+        /* invalidate rs_buf */
-         * Discard early keystream, as per recommendations in:
+        rs_have = 0;
-         * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
+        memset(rs_buf, 0, RSBUFSZ);
-         */
-        for (i = 0; i < 256; i++)
+        rs_count = 1600000;
-                (void)arc4_getbyte();
-        arc4_count = 1600000;
 }
-static void
+static inline void
-arc4_stir_if_needed(void)
+_rs_stir_if_needed(size_t len)
 {
        pid_t pid = getpid();
-        if (arc4_count <= 0 || !rs_initialized || arc4_stir_pid != pid) {
+        if (rs_count <= len || !rs_initialized || rs_stir_pid != pid) {
-                arc4_stir_pid = pid;
+                rs_stir_pid = pid;
-                arc4_stir();
+                _rs_stir();
+        } else
+                rs_count -= len;
+}
+static inline void
+_rs_rekey(u_char *dat, size_t datlen)
+{
+#ifndef KEYSTREAM_ONLY
+        memset(rs_buf, 0,RSBUFSZ);
+#endif
+        /* fill rs_buf with the keystream */
+        chacha_encrypt_bytes(&rs, rs_buf, rs_buf, RSBUFSZ);
+        /* mix in optional user provided data */
+        if (dat) {
+                size_t i, m;
+                m = MIN(datlen, KEYSZ + IVSZ);
+                for (i = 0; i < m; i++)
+                        rs_buf[i] ^= dat[i];
        }
+        /* immediately reinit for backtracking resistance */
+        _rs_init(rs_buf, KEYSZ + IVSZ);
+        memset(rs_buf, 0, KEYSZ + IVSZ);
+        rs_have = RSBUFSZ - KEYSZ - IVSZ;
 }
-static inline u_int8_t
+static inline void
-arc4_getbyte(void)
+_rs_random_buf(void *_buf, size_t n)
 {
-        u_int8_t si, sj;
+        u_char *buf = (u_char *)_buf;
+        size_t m;
-        rs.i = (rs.i + 1);
-        si = rs.s[rs.i];
+        _rs_stir_if_needed(n);
-        rs.j = (rs.j + si);
+        while (n > 0) {
-        sj = rs.s[rs.j];
+                if (rs_have > 0) {
-        rs.s[rs.i] = sj;
+                        m = MIN(n, rs_have);
-        rs.s[rs.j] = si;
+                        memcpy(buf, rs_buf + RSBUFSZ - rs_have, m);
-        return (rs.s[(si + sj) & 0xff]);
+                        memset(rs_buf + RSBUFSZ - rs_have, 0, m);
+                        buf += m;
+                        n -= m;
+                        rs_have -= m;
+                }
+                if (rs_have == 0)
+                        _rs_rekey(NULL, 0);
+        }
 }
-static inline u_int32_t
+static inline void
-arc4_getword(void)
+_rs_random_u32(u_int32_t *val)
 {
-        u_int32_t val;
+        _rs_stir_if_needed(sizeof(*val));
-        val = arc4_getbyte() << 24;
+        if (rs_have < sizeof(*val))
-        val |= arc4_getbyte() << 16;
+                _rs_rekey(NULL, 0);
-        val |= arc4_getbyte() << 8;
+        memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val));
-        val |= arc4_getbyte();
+        memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val));
-        return val;
+        rs_have -= sizeof(*val);
+        return;
 }
 void
 arc4random_stir(void)
 {
        _ARC4_LOCK();
-        arc4_stir();
+        _rs_stir();
        _ARC4_UNLOCK();
 }
 void
 arc4random_addrandom(u_char *dat, int datlen)
 {
+        int m;
        _ARC4_LOCK();
        if (!rs_initialized)
-                arc4_stir();
+                _rs_stir();
-        arc4_addrandom(dat, datlen);
+        while (datlen > 0) {
+                m = MIN(datlen, KEYSZ + IVSZ);
+                _rs_rekey(dat, m);
+                dat += m;
+                datlen -= m;
+        }
        _ARC4_UNLOCK();
 }
@@ -173,25 +187,18 @@ u_int32_t
 arc4random(void)
 {
        u_int32_t val;
        _ARC4_LOCK();
-        arc4_count -= 4;
+        _rs_random_u32(&val);
-        arc4_stir_if_needed();
-        val = arc4_getword();
        _ARC4_UNLOCK();
        return val;
 }
 void
-arc4random_buf(void *_buf, size_t n)
+arc4random_buf(void *buf, size_t n)
 {
-        u_char *buf = (u_char *)_buf;
        _ARC4_LOCK();
-        arc4_stir_if_needed();
+        _rs_random_buf(buf, n);
-        while (n--) {
-                if (--arc4_count <= 0)
-                        arc4_stir();
-                buf[n] = arc4_getbyte();
-        }
        _ARC4_UNLOCK();
 }
@@ -249,5 +256,6 @@ main(int argc, char **argv)
        v /= iter;
        printf("%qd cycles\n", v);
+        exit(0);
 }
 #endif
author	markus <>	2013-10-01 18:34:57 +0000
committer	markus <>	2013-10-01 18:34:57 +0000
commit	9a356934a3a8aebc5822ec33f95340401a618b02 (patch)
tree	c9d1e389fa36eda850bab2211063e000d8567112 /src/lib/libc/crypt/arc4random.c
parent	362b96a0554ddbc24305e3d4835efe41c2d73b81 (diff)
download	openbsd-9a356934a3a8aebc5822ec33f95340401a618b02.tar.gz openbsd-9a356934a3a8aebc5822ec33f95340401a618b02.tar.bz2 openbsd-9a356934a3a8aebc5822ec33f95340401a618b02.zip

diff --git a/src/lib/libc/crypt/arc4random.c b/src/lib/libc/crypt/arc4random.c index f00f5ee9f1..356e231815 100644 --- a/src/lib/libc/crypt/arc4random.c +++ b/src/lib/libc/crypt/arc4random.c
@@ -1,8 +1,9 @@
1	/* $OpenBSD: arc4random.c,v 1.24 2013/06/11 16:59:50 deraadt Exp $ */	1	/* $OpenBSD: arc4random.c,v 1.25 2013/10/01 18:34:57 markus Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 1996, David Mazieres <dm@uun.org>	4	* Copyright (c) 1996, David Mazieres <dm@uun.org>
5	* Copyright (c) 2008, Damien Miller <djm@openbsd.org>	5	* Copyright (c) 2008, Damien Miller <djm@openbsd.org>
		6	* Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
6	*	7	*
7	* Permission to use, copy, modify, and distribute this software for any	8	* Permission to use, copy, modify, and distribute this software for any
8	* purpose with or without fee is hereby granted, provided that the above	9	* purpose with or without fee is hereby granted, provided that the above
@@ -18,20 +19,13 @@
18	*/	19	*/
19		20
20	/*	21	/*
21	* Arc4 random number generator for OpenBSD.	22	* ChaCha based random number generator for OpenBSD.
22	*
23	* This code is derived from section 17.1 of Applied Cryptography,
24	* second edition, which describes a stream cipher allegedly
25	* compatible with RSA Labs "RC4" cipher (the actual description of
26	* which is a trade secret). The same algorithm is used as a stream
27	* cipher called "arcfour" in Tatu Ylonen's ssh package.
28	*
29	* RC4 is a registered trademark of RSA Laboratories.
30	*/	23	*/
31		24
32	#include <fcntl.h>	25	#include <fcntl.h>
33	#include <limits.h>	26	#include <limits.h>
34	#include <stdlib.h>	27	#include <stdlib.h>
		28	#include <string.h>
35	#include <unistd.h>	29	#include <unistd.h>
36	#include <sys/types.h>	30	#include <sys/types.h>
37	#include <sys/param.h>	31	#include <sys/param.h>
@@ -39,64 +33,43 @@
39	#include <sys/sysctl.h>	33	#include <sys/sysctl.h>
40	#include "thread_private.h"	34	#include "thread_private.h"
41		35
		36	#define KEYSTREAM_ONLY
		37	#include "chacha_private.h"
		38
42	#ifdef __GNUC__	39	#ifdef __GNUC__
43	#define inline __inline	40	#define inline __inline
44	#else /* !__GNUC__ */	41	#else /* !__GNUC__ */
45	#define inline	42	#define inline
46	#endif /* !__GNUC__ */	43	#endif /* !__GNUC__ */
47		44
48	struct arc4_stream {	45	#define KEYSZ 32
49	u_int8_t i;	46	#define IVSZ 8
50	u_int8_t j;	47	#define BLOCKSZ 64
51	u_int8_t s[256];	48	#define RSBUFSZ (16*BLOCKSZ)
52	};
53
54	static int rs_initialized;	49	static int rs_initialized;
55	static struct arc4_stream rs;	50	static pid_t rs_stir_pid;
56	static pid_t arc4_stir_pid;	51	static chacha_ctx rs; /* chacha context for random keystream */
57	static int arc4_count;	52	static u_char rs_buf[RSBUFSZ]; /* keystream blocks */
58		53	static size_t rs_have; /* valid bytes at end of rs_buf */
59	static inline u_int8_t arc4_getbyte(void);	54	static size_t rs_count; /* bytes till reseed */
60		55
61	static inline void	56	static inline void _rs_rekey(u_char *dat, size_t datlen);
62	arc4_init(void)
63	{
64	int n;
65
66	for (n = 0; n < 256; n++)
67	rs.s[n] = n;
68	rs.i = 0;
69	rs.j = 0;
70	}
71		57
72	static inline void	58	static inline void
73	arc4_addrandom(u_char *dat, int datlen)	59	_rs_init(u_char *buf, size_t n)
74	{	60	{
75	int n;	61	if (n < KEYSZ + IVSZ)
76	u_int8_t si;	62	return;
77		63	chacha_keysetup(&rs, buf, KEYSZ * 8, 0);
78	rs.i--;	64	chacha_ivsetup(&rs, buf + KEYSZ);
79	for (n = 0; n < 256; n++) {
80	rs.i = (rs.i + 1);
81	si = rs.s[rs.i];
82	rs.j = (rs.j + si + dat[n % datlen]);
83	rs.s[rs.i] = rs.s[rs.j];
84	rs.s[rs.j] = si;
85	}
86	rs.j = rs.i;
87	}	65	}
88		66
89	static void	67	static void
90	arc4_stir(void)	68	_rs_stir(void)
91	{	69	{
92	int i, mib[2];	70	int mib[2];
93	size_t len;	71	size_t len;
94	u_char rnd[128];	72	u_char rnd[KEYSZ + IVSZ];
95
96	if (!rs_initialized) {
97	arc4_init();
98	rs_initialized = 1;
99	}
100		73
101	mib[0] = CTL_KERN;	74	mib[0] = CTL_KERN;
102	mib[1] = KERN_ARND;	75	mib[1] = KERN_ARND;
@@ -104,68 +77,109 @@ arc4_stir(void)
104	len = sizeof(rnd);	77	len = sizeof(rnd);
105	sysctl(mib, 2, rnd, &len, NULL, 0);	78	sysctl(mib, 2, rnd, &len, NULL, 0);
106		79
107	arc4_addrandom(rnd, sizeof(rnd));	80	if (!rs_initialized) {
		81	rs_initialized = 1;
		82	_rs_init(rnd, sizeof(rnd));
		83	} else
		84	_rs_rekey(rnd, sizeof(rnd));
		85	memset(rnd, 0, sizeof(rnd));
108		86
109	/*	87	/* invalidate rs_buf */
110	* Discard early keystream, as per recommendations in:	88	rs_have = 0;
111	* http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps	89	memset(rs_buf, 0, RSBUFSZ);
112	*/	90
113	for (i = 0; i < 256; i++)	91	rs_count = 1600000;
114	(void)arc4_getbyte();
115	arc4_count = 1600000;
116	}	92	}
117		93
118	static void	94	static inline void
119	arc4_stir_if_needed(void)	95	_rs_stir_if_needed(size_t len)
120	{	96	{
121	pid_t pid = getpid();	97	pid_t pid = getpid();
122		98
123	if (arc4_count <= 0 \|\| !rs_initialized \|\| arc4_stir_pid != pid) {	99	if (rs_count <= len \|\| !rs_initialized \|\| rs_stir_pid != pid) {
124	arc4_stir_pid = pid;	100	rs_stir_pid = pid;
125	arc4_stir();	101	_rs_stir();
		102	} else
		103	rs_count -= len;
		104	}
		105
		106	static inline void
		107	_rs_rekey(u_char *dat, size_t datlen)
		108	{
		109	#ifndef KEYSTREAM_ONLY
		110	memset(rs_buf, 0,RSBUFSZ);
		111	#endif
		112	/* fill rs_buf with the keystream */
		113	chacha_encrypt_bytes(&rs, rs_buf, rs_buf, RSBUFSZ);
		114	/* mix in optional user provided data */
		115	if (dat) {
		116	size_t i, m;
		117
		118	m = MIN(datlen, KEYSZ + IVSZ);
		119	for (i = 0; i < m; i++)
		120	rs_buf[i] ^= dat[i];
126	}	121	}
		122	/* immediately reinit for backtracking resistance */
		123	_rs_init(rs_buf, KEYSZ + IVSZ);
		124	memset(rs_buf, 0, KEYSZ + IVSZ);
		125	rs_have = RSBUFSZ - KEYSZ - IVSZ;
127	}	126	}
128		127
129	static inline u_int8_t	128	static inline void
130	arc4_getbyte(void)	129	_rs_random_buf(void *_buf, size_t n)
131	{	130	{
132	u_int8_t si, sj;	131	u_char buf = (u_char )_buf;
133		132	size_t m;
134	rs.i = (rs.i + 1);	133
135	si = rs.s[rs.i];	134	_rs_stir_if_needed(n);
136	rs.j = (rs.j + si);	135	while (n > 0) {
137	sj = rs.s[rs.j];	136	if (rs_have > 0) {
138	rs.s[rs.i] = sj;	137	m = MIN(n, rs_have);
139	rs.s[rs.j] = si;	138	memcpy(buf, rs_buf + RSBUFSZ - rs_have, m);
140	return (rs.s[(si + sj) & 0xff]);	139	memset(rs_buf + RSBUFSZ - rs_have, 0, m);
		140	buf += m;
		141	n -= m;
		142	rs_have -= m;
		143	}
		144	if (rs_have == 0)
		145	_rs_rekey(NULL, 0);
		146	}
141	}	147	}
142		148
143	static inline u_int32_t	149	static inline void
144	arc4_getword(void)	150	_rs_random_u32(u_int32_t *val)
145	{	151	{
146	u_int32_t val;	152	_rs_stir_if_needed(sizeof(*val));
147	val = arc4_getbyte() << 24;	153	if (rs_have < sizeof(*val))
148	val \|= arc4_getbyte() << 16;	154	_rs_rekey(NULL, 0);
149	val \|= arc4_getbyte() << 8;	155	memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val));
150	val \|= arc4_getbyte();	156	memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val));
151	return val;	157	rs_have -= sizeof(*val);
		158	return;
152	}	159	}
153		160
154	void	161	void
155	arc4random_stir(void)	162	arc4random_stir(void)
156	{	163	{
157	_ARC4_LOCK();	164	_ARC4_LOCK();
158	arc4_stir();	165	_rs_stir();
159	_ARC4_UNLOCK();	166	_ARC4_UNLOCK();
160	}	167	}
161		168
162	void	169	void
163	arc4random_addrandom(u_char *dat, int datlen)	170	arc4random_addrandom(u_char *dat, int datlen)
164	{	171	{
		172	int m;
		173
165	_ARC4_LOCK();	174	_ARC4_LOCK();
166	if (!rs_initialized)	175	if (!rs_initialized)
167	arc4_stir();	176	_rs_stir();
168	arc4_addrandom(dat, datlen);	177	while (datlen > 0) {
		178	m = MIN(datlen, KEYSZ + IVSZ);
		179	_rs_rekey(dat, m);
		180	dat += m;
		181	datlen -= m;
		182	}
169	_ARC4_UNLOCK();	183	_ARC4_UNLOCK();
170	}	184	}
171		185
@@ -173,25 +187,18 @@ u_int32_t
173	arc4random(void)	187	arc4random(void)
174	{	188	{
175	u_int32_t val;	189	u_int32_t val;
		190
176	_ARC4_LOCK();	191	_ARC4_LOCK();
177	arc4_count -= 4;	192	_rs_random_u32(&val);
178	arc4_stir_if_needed();
179	val = arc4_getword();
180	_ARC4_UNLOCK();	193	_ARC4_UNLOCK();
181	return val;	194	return val;
182	}	195	}
183		196
184	void	197	void
185	arc4random_buf(void *_buf, size_t n)	198	arc4random_buf(void *buf, size_t n)
186	{	199	{
187	u_char buf = (u_char )_buf;
188	_ARC4_LOCK();	200	_ARC4_LOCK();
189	arc4_stir_if_needed();	201	_rs_random_buf(buf, n);
190	while (n--) {
191	if (--arc4_count <= 0)
192	arc4_stir();
193	buf[n] = arc4_getbyte();
194	}
195	_ARC4_UNLOCK();	202	_ARC4_UNLOCK();
196	}	203	}
197		204
@@ -249,5 +256,6 @@ main(int argc, char **argv)
249	v /= iter;	256	v /= iter;
250		257
251	printf("%qd cycles\n", v);	258	printf("%qd cycles\n", v);
		259	exit(0);
252	}	260	}
253	#endif	261	#endif