/src/hpn-ssh/openbsd-compat/arc4random.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: arc4random.c,v 1.58 2022/07/31 13:41:45 tb Exp $ */ |
2 | | |
3 | | /* |
4 | | * Copyright (c) 1996, David Mazieres <dm@uun.org> |
5 | | * Copyright (c) 2008, Damien Miller <djm@openbsd.org> |
6 | | * Copyright (c) 2013, Markus Friedl <markus@openbsd.org> |
7 | | * Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org> |
8 | | * |
9 | | * Permission to use, copy, modify, and distribute this software for any |
10 | | * purpose with or without fee is hereby granted, provided that the above |
11 | | * copyright notice and this permission notice appear in all copies. |
12 | | * |
13 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
14 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
15 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
16 | | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
17 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
18 | | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
19 | | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
20 | | */ |
21 | | |
22 | | /* |
23 | | * ChaCha based random number generator for OpenBSD. |
24 | | */ |
25 | | |
26 | | /* OPENBSD ORIGINAL: lib/libc/crypt/arc4random.c */ |
27 | | |
28 | | #include "includes.h" |
29 | | |
30 | | #include <sys/types.h> |
31 | | |
32 | | #include <fcntl.h> |
33 | | #include <limits.h> |
34 | | #include <signal.h> |
35 | | #ifdef HAVE_STDINT_H |
36 | | #include <stdint.h> |
37 | | #endif |
38 | | #include <stdlib.h> |
39 | | #include <string.h> |
40 | | #include <unistd.h> |
41 | | #include <sys/types.h> |
42 | | #include <sys/time.h> |
43 | | |
44 | | #ifndef HAVE_ARC4RANDOM |
45 | | |
46 | | /* |
47 | | * Always use the getentropy implementation from bsd-getentropy.c, which |
48 | | * will call a native getentropy if available then fall back as required. |
49 | | * We use a different name so that OpenSSL cannot call the wrong getentropy. |
50 | | */ |
51 | | int _ssh_compat_getentropy(void *, size_t); |
52 | | #ifdef getentropy |
53 | | # undef getentropy |
54 | | #endif |
55 | 1 | #define getentropy(x, y) (_ssh_compat_getentropy((x), (y))) |
56 | | |
57 | | #include "log.h" |
58 | | |
59 | | #define KEYSTREAM_ONLY |
60 | | #include "chacha_private.h" |
61 | | |
62 | 2 | #define minimum(a, b) ((a) < (b) ? (a) : (b)) |
63 | | |
64 | | #if defined(__GNUC__) || defined(_MSC_VER) |
65 | | #define inline __inline |
66 | | #else /* __GNUC__ || _MSC_VER */ |
67 | | #define inline |
68 | | #endif /* !__GNUC__ && !_MSC_VER */ |
69 | | |
70 | 9 | #define KEYSZ 32 |
71 | 5 | #define IVSZ 8 |
72 | | #define BLOCKSZ 64 |
73 | | #define RSBUFSZ (16*BLOCKSZ) |
74 | | |
75 | 2 | #define REKEY_BASE (1024*1024) /* NB. should be a power of 2 */ |
76 | | |
77 | | /* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */ |
78 | | static struct _rs { |
79 | | size_t rs_have; /* valid bytes at end of rs_buf */ |
80 | | size_t rs_count; /* bytes till reseed */ |
81 | | } *rs; |
82 | | |
83 | | /* Maybe be preserved in fork children, if _rs_allocate() decides. */ |
84 | | static struct _rsx { |
85 | | chacha_ctx rs_chacha; /* chacha context for random keystream */ |
86 | | u_char rs_buf[RSBUFSZ]; /* keystream blocks */ |
87 | | } *rsx; |
88 | | |
89 | | static inline int _rs_allocate(struct _rs **, struct _rsx **); |
90 | | static inline void _rs_forkdetect(void); |
91 | | #include "arc4random.h" |
92 | | |
93 | | static inline void _rs_rekey(u_char *dat, size_t datlen); |
94 | | |
95 | | static inline void |
96 | | _rs_init(u_char *buf, size_t n) |
97 | 2 | { |
98 | 2 | if (n < KEYSZ + IVSZ) |
99 | 0 | return; |
100 | | |
101 | 2 | if (rs == NULL) { |
102 | 1 | if (_rs_allocate(&rs, &rsx) == -1) |
103 | 0 | _exit(1); |
104 | 1 | } |
105 | | |
106 | 2 | chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8); |
107 | 2 | chacha_ivsetup(&rsx->rs_chacha, buf + KEYSZ); |
108 | 2 | } |
109 | | |
110 | | static void |
111 | | _rs_stir(void) |
112 | 1 | { |
113 | 1 | u_char rnd[KEYSZ + IVSZ]; |
114 | 1 | uint32_t rekey_fuzz = 0; |
115 | | |
116 | 1 | if (getentropy(rnd, sizeof rnd) == -1) |
117 | 0 | _getentropy_fail(); |
118 | | |
119 | 1 | if (!rs) |
120 | 1 | _rs_init(rnd, sizeof(rnd)); |
121 | 0 | else |
122 | 0 | _rs_rekey(rnd, sizeof(rnd)); |
123 | 1 | explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */ |
124 | | |
125 | | /* invalidate rs_buf */ |
126 | 1 | rs->rs_have = 0; |
127 | 1 | memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf)); |
128 | | |
129 | | /* rekey interval should not be predictable */ |
130 | 1 | chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz, |
131 | 1 | (uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz)); |
132 | 1 | rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE); |
133 | 1 | } |
134 | | |
135 | | static inline void |
136 | | _rs_stir_if_needed(size_t len) |
137 | 2 | { |
138 | 2 | _rs_forkdetect(); |
139 | 2 | if (!rs || rs->rs_count <= len) |
140 | 1 | _rs_stir(); |
141 | 2 | if (rs->rs_count <= len) |
142 | 0 | rs->rs_count = 0; |
143 | 2 | else |
144 | 2 | rs->rs_count -= len; |
145 | 2 | } |
146 | | |
147 | | static inline void |
148 | | _rs_rekey(u_char *dat, size_t datlen) |
149 | 1 | { |
150 | | #ifndef KEYSTREAM_ONLY |
151 | | memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf)); |
152 | | #endif |
153 | | /* fill rs_buf with the keystream */ |
154 | 1 | chacha_encrypt_bytes(&rsx->rs_chacha, rsx->rs_buf, |
155 | 1 | rsx->rs_buf, sizeof(rsx->rs_buf)); |
156 | | /* mix in optional user provided data */ |
157 | 1 | if (dat) { |
158 | 0 | size_t i, m; |
159 | |
|
160 | 0 | m = minimum(datlen, KEYSZ + IVSZ); |
161 | 0 | for (i = 0; i < m; i++) |
162 | 0 | rsx->rs_buf[i] ^= dat[i]; |
163 | 0 | } |
164 | | /* immediately reinit for backtracking resistance */ |
165 | 1 | _rs_init(rsx->rs_buf, KEYSZ + IVSZ); |
166 | 1 | memset(rsx->rs_buf, 0, KEYSZ + IVSZ); |
167 | 1 | rs->rs_have = sizeof(rsx->rs_buf) - KEYSZ - IVSZ; |
168 | 1 | } |
169 | | |
170 | | static inline void |
171 | | _rs_random_buf(void *_buf, size_t n) |
172 | 2 | { |
173 | 2 | u_char *buf = (u_char *)_buf; |
174 | 2 | u_char *keystream; |
175 | 2 | size_t m; |
176 | | |
177 | 2 | _rs_stir_if_needed(n); |
178 | 5 | while (n > 0) { |
179 | 3 | if (rs->rs_have > 0) { |
180 | 2 | m = minimum(n, rs->rs_have); |
181 | 2 | keystream = rsx->rs_buf + sizeof(rsx->rs_buf) |
182 | 2 | - rs->rs_have; |
183 | 2 | memcpy(buf, keystream, m); |
184 | 2 | memset(keystream, 0, m); |
185 | 2 | buf += m; |
186 | 2 | n -= m; |
187 | 2 | rs->rs_have -= m; |
188 | 2 | } |
189 | 3 | if (rs->rs_have == 0) |
190 | 1 | _rs_rekey(NULL, 0); |
191 | 3 | } |
192 | 2 | } |
193 | | |
194 | | static inline void |
195 | | _rs_random_u32(uint32_t *val) |
196 | 0 | { |
197 | 0 | u_char *keystream; |
198 | |
|
199 | 0 | _rs_stir_if_needed(sizeof(*val)); |
200 | 0 | if (rs->rs_have < sizeof(*val)) |
201 | 0 | _rs_rekey(NULL, 0); |
202 | 0 | keystream = rsx->rs_buf + sizeof(rsx->rs_buf) - rs->rs_have; |
203 | 0 | memcpy(val, keystream, sizeof(*val)); |
204 | 0 | memset(keystream, 0, sizeof(*val)); |
205 | 0 | rs->rs_have -= sizeof(*val); |
206 | 0 | } |
207 | | |
208 | | uint32_t |
209 | | arc4random(void) |
210 | 0 | { |
211 | 0 | uint32_t val; |
212 | |
|
213 | 0 | _ARC4_LOCK(); |
214 | 0 | _rs_random_u32(&val); |
215 | 0 | _ARC4_UNLOCK(); |
216 | 0 | return val; |
217 | 0 | } |
218 | | DEF_WEAK(arc4random); |
219 | | |
220 | | /* |
221 | | * If we are providing arc4random, then we can provide a more efficient |
222 | | * arc4random_buf(). |
223 | | */ |
224 | | # ifndef HAVE_ARC4RANDOM_BUF |
225 | | void |
226 | | arc4random_buf(void *buf, size_t n) |
227 | 2 | { |
228 | 2 | _ARC4_LOCK(); |
229 | 2 | _rs_random_buf(buf, n); |
230 | 2 | _ARC4_UNLOCK(); |
231 | 2 | } |
232 | | DEF_WEAK(arc4random_buf); |
233 | | # endif /* !HAVE_ARC4RANDOM_BUF */ |
234 | | #endif /* !HAVE_ARC4RANDOM */ |
235 | | |
236 | | /* arc4random_buf() that uses platform arc4random() */ |
237 | | #if !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) |
238 | | void |
239 | | arc4random_buf(void *_buf, size_t n) |
240 | | { |
241 | | size_t i; |
242 | | u_int32_t r = 0; |
243 | | char *buf = (char *)_buf; |
244 | | |
245 | | for (i = 0; i < n; i++) { |
246 | | if (i % 4 == 0) |
247 | | r = arc4random(); |
248 | | buf[i] = r & 0xff; |
249 | | r >>= 8; |
250 | | } |
251 | | explicit_bzero(&r, sizeof(r)); |
252 | | } |
253 | | #endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */ |
254 | | |