1 files changed, 236 insertions, 0 deletions
diff --git a/src/lib/libc/crypt/arc4random.c b/src/lib/libc/crypt/arc4random.c
new file mode 100644
index 0000000000..e836395803
--- /dev/null
+++ b/src/lib/libc/crypt/arc4random.c
@@ -0,0 +1,236 @@
+/*      $OpenBSD: arc4random.c,v 1.26 2013/10/21 20:33:23 deraadt Exp $ */
+/*
+ * Copyright (c) 1996, David Mazieres <dm@uun.org>
+ * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
+ * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/*
+ * ChaCha based random number generator for OpenBSD.
+ */
+#include <fcntl.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <sys/sysctl.h>
+#include "thread_private.h"
+#define KEYSTREAM_ONLY
+#include "chacha_private.h"
+#ifdef __GNUC__
+#define inline __inline
+#else                           /* !__GNUC__ */
+#define inline
+#endif                          /* !__GNUC__ */
+#define KEYSZ   32
+#define IVSZ    8
+#define BLOCKSZ 64
+#define RSBUFSZ (16*BLOCKSZ)
+static int rs_initialized;
+static pid_t rs_stir_pid;
+static chacha_ctx rs;           /* chacha context for random keystream */
+static u_char rs_buf[RSBUFSZ];  /* keystream blocks */
+static size_t rs_have;          /* valid bytes at end of rs_buf */
+static size_t rs_count;         /* bytes till reseed */
+static inline void _rs_rekey(u_char *dat, size_t datlen);
+static inline void
+_rs_init(u_char *buf, size_t n)
+{
+        if (n < KEYSZ + IVSZ)
+                return;
+        chacha_keysetup(&rs, buf, KEYSZ * 8, 0);
+        chacha_ivsetup(&rs, buf + KEYSZ);
+}
+static void
+_rs_stir(void)
+{
+        int     mib[2];
+        size_t  len;
+        u_char rnd[KEYSZ + IVSZ];
+        mib[0] = CTL_KERN;
+        mib[1] = KERN_ARND;
+        len = sizeof(rnd);
+        sysctl(mib, 2, rnd, &len, NULL, 0);
+        if (!rs_initialized) {
+                rs_initialized = 1;
+                _rs_init(rnd, sizeof(rnd));
+        } else
+                _rs_rekey(rnd, sizeof(rnd));
+        memset(rnd, 0, sizeof(rnd));
+        /* invalidate rs_buf */
+        rs_have = 0;
+        memset(rs_buf, 0, RSBUFSZ);
+        rs_count = 1600000;
+}
+static inline void
+_rs_stir_if_needed(size_t len)
+{
+        pid_t pid = getpid();
+        if (rs_count <= len || !rs_initialized || rs_stir_pid != pid) {
+                rs_stir_pid = pid;
+                _rs_stir();
+        } else
+                rs_count -= len;
+}
+static inline void
+_rs_rekey(u_char *dat, size_t datlen)
+{
+#ifndef KEYSTREAM_ONLY
+        memset(rs_buf, 0,RSBUFSZ);
+#endif
+        /* fill rs_buf with the keystream */
+        chacha_encrypt_bytes(&rs, rs_buf, rs_buf, RSBUFSZ);
+        /* mix in optional user provided data */
+        if (dat) {
+                size_t i, m;
+                m = MIN(datlen, KEYSZ + IVSZ);
+                for (i = 0; i < m; i++)
+                        rs_buf[i] ^= dat[i];
+        }
+        /* immediately reinit for backtracking resistance */
+        _rs_init(rs_buf, KEYSZ + IVSZ);
+        memset(rs_buf, 0, KEYSZ + IVSZ);
+        rs_have = RSBUFSZ - KEYSZ - IVSZ;
+}
+static inline void
+_rs_random_buf(void *_buf, size_t n)
+{
+        u_char *buf = (u_char *)_buf;
+        size_t m;
+        _rs_stir_if_needed(n);
+        while (n > 0) {
+                if (rs_have > 0) {
+                        m = MIN(n, rs_have);
+                        memcpy(buf, rs_buf + RSBUFSZ - rs_have, m);
+                        memset(rs_buf + RSBUFSZ - rs_have, 0, m);
+                        buf += m;
+                        n -= m;
+                        rs_have -= m;
+                }
+                if (rs_have == 0)
+                        _rs_rekey(NULL, 0);
+        }
+}
+static inline void
+_rs_random_u32(u_int32_t *val)
+{
+        _rs_stir_if_needed(sizeof(*val));
+        if (rs_have < sizeof(*val))
+                _rs_rekey(NULL, 0);
+        memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val));
+        memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val));
+        rs_have -= sizeof(*val);
+        return;
+}
+u_int32_t
+arc4random(void)
+{
+        u_int32_t val;
+        _ARC4_LOCK();
+        _rs_random_u32(&val);
+        _ARC4_UNLOCK();
+        return val;
+}
+void
+arc4random_buf(void *buf, size_t n)
+{
+        _ARC4_LOCK();
+        _rs_random_buf(buf, n);
+        _ARC4_UNLOCK();
+}
+/*
+ * Calculate a uniformly distributed random number less than upper_bound
+ * avoiding "modulo bias".
+ *
+ * Uniformity is achieved by generating new random numbers until the one
+ * returned is outside the range [0, 2**32 % upper_bound).  This
+ * guarantees the selected random number will be inside
+ * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
+ * after reduction modulo upper_bound.
+ */
+u_int32_t
+arc4random_uniform(u_int32_t upper_bound)
+{
+        u_int32_t r, min;
+        if (upper_bound < 2)
+                return 0;
+        /* 2**32 % x == (2**32 - x) % x */
+        min = -upper_bound % upper_bound;
+        /*
+         * This could theoretically loop forever but each retry has
+         * p > 0.5 (worst case, usually far better) of selecting a
+         * number inside the range we need, so it should rarely need
+         * to re-roll.
+         */
+        for (;;) {
+                r = arc4random();
+                if (r >= min)
+                        break;
+        }
+        return r % upper_bound;
+}
+#if 0
+/*-------- Test code for i386 --------*/
+#include <stdio.h>
+#include <machine/pctr.h>
+int
+main(int argc, char **argv)
+{
+        const int iter = 1000000;
+        int     i;
+        pctrval v;
+        v = rdtsc();
+        for (i = 0; i < iter; i++)
+                arc4random();
+        v = rdtsc() - v;
+        v /= iter;
+        printf("%qd cycles\n", v);
+        exit(0);
+}
+#endif

diff --git a/src/lib/libc/crypt/arc4random.c b/src/lib/libc/crypt/arc4random.c new file mode 100644 index 0000000000..e836395803 --- /dev/null +++ b/src/lib/libc/crypt/arc4random.c
@@ -0,0 +1,236 @@
	1	/* $OpenBSD: arc4random.c,v 1.26 2013/10/21 20:33:23 deraadt Exp $ */
	2
	3	/*
	4	* Copyright (c) 1996, David Mazieres <dm@uun.org>
	5	* Copyright (c) 2008, Damien Miller <djm@openbsd.org>
	6	* Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
	7	*
	8	* Permission to use, copy, modify, and distribute this software for any
	9	* purpose with or without fee is hereby granted, provided that the above
	10	* copyright notice and this permission notice appear in all copies.
	11	*
	12	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	13	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	14	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	15	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	16	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	17	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	18	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	19	*/
	20
	21	/*
	22	* ChaCha based random number generator for OpenBSD.
	23	*/
	24
	25	#include <fcntl.h>
	26	#include <limits.h>
	27	#include <stdlib.h>
	28	#include <string.h>
	29	#include <unistd.h>
	30	#include <sys/types.h>
	31	#include <sys/param.h>
	32	#include <sys/time.h>
	33	#include <sys/sysctl.h>
	34	#include "thread_private.h"
	35
	36	#define KEYSTREAM_ONLY
	37	#include "chacha_private.h"
	38
	39	#ifdef __GNUC__
	40	#define inline __inline
	41	#else /* !__GNUC__ */
	42	#define inline
	43	#endif /* !__GNUC__ */
	44
	45	#define KEYSZ 32
	46	#define IVSZ 8
	47	#define BLOCKSZ 64
	48	#define RSBUFSZ (16*BLOCKSZ)
	49	static int rs_initialized;
	50	static pid_t rs_stir_pid;
	51	static chacha_ctx rs; /* chacha context for random keystream */
	52	static u_char rs_buf[RSBUFSZ]; /* keystream blocks */
	53	static size_t rs_have; /* valid bytes at end of rs_buf */
	54	static size_t rs_count; /* bytes till reseed */
	55
	56	static inline void _rs_rekey(u_char *dat, size_t datlen);
	57
	58	static inline void
	59	_rs_init(u_char *buf, size_t n)
	60	{
	61	if (n < KEYSZ + IVSZ)
	62	return;
	63	chacha_keysetup(&rs, buf, KEYSZ * 8, 0);
	64	chacha_ivsetup(&rs, buf + KEYSZ);
	65	}
	66
	67	static void
	68	_rs_stir(void)
	69	{
	70	int mib[2];
	71	size_t len;
	72	u_char rnd[KEYSZ + IVSZ];
	73
	74	mib[0] = CTL_KERN;
	75	mib[1] = KERN_ARND;
	76
	77	len = sizeof(rnd);
	78	sysctl(mib, 2, rnd, &len, NULL, 0);
	79
	80	if (!rs_initialized) {
	81	rs_initialized = 1;
	82	_rs_init(rnd, sizeof(rnd));
	83	} else
	84	_rs_rekey(rnd, sizeof(rnd));
	85	memset(rnd, 0, sizeof(rnd));
	86
	87	/* invalidate rs_buf */
	88	rs_have = 0;
	89	memset(rs_buf, 0, RSBUFSZ);
	90
	91	rs_count = 1600000;
	92	}
	93
	94	static inline void
	95	_rs_stir_if_needed(size_t len)
	96	{
	97	pid_t pid = getpid();
	98
	99	if (rs_count <= len \|\| !rs_initialized \|\| rs_stir_pid != pid) {
	100	rs_stir_pid = pid;
	101	_rs_stir();
	102	} else
	103	rs_count -= len;
	104	}
	105
	106	static inline void
	107	_rs_rekey(u_char *dat, size_t datlen)
	108	{
	109	#ifndef KEYSTREAM_ONLY
	110	memset(rs_buf, 0,RSBUFSZ);
	111	#endif
	112	/* fill rs_buf with the keystream */
	113	chacha_encrypt_bytes(&rs, rs_buf, rs_buf, RSBUFSZ);
	114	/* mix in optional user provided data */
	115	if (dat) {
	116	size_t i, m;
	117
	118	m = MIN(datlen, KEYSZ + IVSZ);
	119	for (i = 0; i < m; i++)
	120	rs_buf[i] ^= dat[i];
	121	}
	122	/* immediately reinit for backtracking resistance */
	123	_rs_init(rs_buf, KEYSZ + IVSZ);
	124	memset(rs_buf, 0, KEYSZ + IVSZ);
	125	rs_have = RSBUFSZ - KEYSZ - IVSZ;
	126	}
	127
	128	static inline void
	129	_rs_random_buf(void *_buf, size_t n)
	130	{
	131	u_char buf = (u_char )_buf;
	132	size_t m;
	133
	134	_rs_stir_if_needed(n);
	135	while (n > 0) {
	136	if (rs_have > 0) {
	137	m = MIN(n, rs_have);
	138	memcpy(buf, rs_buf + RSBUFSZ - rs_have, m);
	139	memset(rs_buf + RSBUFSZ - rs_have, 0, m);
	140	buf += m;
	141	n -= m;
	142	rs_have -= m;
	143	}
	144	if (rs_have == 0)
	145	_rs_rekey(NULL, 0);
	146	}
	147	}
	148
	149	static inline void
	150	_rs_random_u32(u_int32_t *val)
	151	{
	152	_rs_stir_if_needed(sizeof(*val));
	153	if (rs_have < sizeof(*val))
	154	_rs_rekey(NULL, 0);
	155	memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val));
	156	memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val));
	157	rs_have -= sizeof(*val);
	158	return;
	159	}
	160
	161	u_int32_t
	162	arc4random(void)
	163	{
	164	u_int32_t val;
	165
	166	_ARC4_LOCK();
	167	_rs_random_u32(&val);
	168	_ARC4_UNLOCK();
	169	return val;
	170	}
	171
	172	void
	173	arc4random_buf(void *buf, size_t n)
	174	{
	175	_ARC4_LOCK();
	176	_rs_random_buf(buf, n);
	177	_ARC4_UNLOCK();
	178	}
	179
	180	/*
	181	* Calculate a uniformly distributed random number less than upper_bound
	182	* avoiding "modulo bias".
	183	*
	184	* Uniformity is achieved by generating new random numbers until the one
	185	* returned is outside the range [0, 2**32 % upper_bound). This
	186	* guarantees the selected random number will be inside
	187	* [232 % upper_bound, 232) which maps back to [0, upper_bound)
	188	* after reduction modulo upper_bound.
	189	*/
	190	u_int32_t
	191	arc4random_uniform(u_int32_t upper_bound)
	192	{
	193	u_int32_t r, min;
	194
	195	if (upper_bound < 2)
	196	return 0;
	197
	198	/* 232 % x == (232 - x) % x */
	199	min = -upper_bound % upper_bound;
	200
	201	/*
	202	* This could theoretically loop forever but each retry has
	203	* p > 0.5 (worst case, usually far better) of selecting a
	204	* number inside the range we need, so it should rarely need
	205	* to re-roll.
	206	*/
	207	for (;;) {
	208	r = arc4random();
	209	if (r >= min)
	210	break;
	211	}
	212
	213	return r % upper_bound;
	214	}
	215
	216	#if 0
	217	/-------- Test code for i386 --------/
	218	#include <stdio.h>
	219	#include <machine/pctr.h>
	220	int
	221	main(int argc, char **argv)
	222	{
	223	const int iter = 1000000;
	224	int i;
	225	pctrval v;
	226
	227	v = rdtsc();
	228	for (i = 0; i < iter; i++)
	229	arc4random();
	230	v = rdtsc() - v;
	231	v /= iter;
	232
	233	printf("%qd cycles\n", v);
	234	exit(0);
	235	}
	236	#endif