newlib/libc/stdlib/arc4random.c

   1 /*      $OpenBSD: arc4random.c,v 1.58 2022/07/31 13:41:45 tb Exp $      */
   2
   3 /*
   4  * Copyright (c) 1996, David Mazieres <dm@uun.org>
   5  * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
   6  * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
   7  * Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org>
   8  *
   9  * Permission to use, copy, modify, and distribute this software for any
  10  * purpose with or without fee is hereby granted, provided that the above
  11  * copyright notice and this permission notice appear in all copies.
  12  *
  13  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  14  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  15  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  16  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  17  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  18  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  19  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  20  */
  21
  22 /*
  23  * ChaCha based random number generator for OpenBSD.
  24  */
  25
  26 #include <fcntl.h>
  27 #include <limits.h>
  28 #include <signal.h>
  29 #include <stdint.h>
  30 #include <stdlib.h>
  31 #include <string.h>
  32 #include <unistd.h>
  33 #include <sys/types.h>
  34 #include <sys/time.h>
  35
  36 #define KEYSTREAM_ONLY
  37 #include "chacha_private.h"
  38
  39 #define minimum(a, b) ((a) < (b) ? (a) : (b))
  40
  41 #if defined(__GNUC__) || defined(_MSC_VER)
  42 #define inline __inline
  43 #else                           /* __GNUC__ || _MSC_VER */
  44 #define inline
  45 #endif                          /* !__GNUC__ && !_MSC_VER */
  46
  47 #define KEYSZ   32
  48 #define IVSZ    8
  49 #define BLOCKSZ 64
  50 #define RSBUFSZ (16*BLOCKSZ)
  51
  52 #if SIZE_MAX <= 65535
  53 #define REKEY_BASE      (  32*1024) /* NB. should be a power of 2 */
  54 #elif SIZE_MAX <= 1048575
  55 #define REKEY_BASE      ( 512*1024) /* NB. should be a power of 2 */
  56 #else
  57 #define REKEY_BASE      (1024*1024) /* NB. should be a power of 2 */
  58 #endif
  59
  60 /* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */
  61 static struct _rs {
  62         size_t          rs_have;        /* valid bytes at end of rs_buf */
  63         size_t          rs_count;       /* bytes till reseed */
  64 } *rs;
  65
  66 /* Maybe be preserved in fork children, if _rs_allocate() decides. */
  67 static struct _rsx {
  68         chacha_ctx      rs_chacha;      /* chacha context for random keystream */
  69         u_char          rs_buf[RSBUFSZ];        /* keystream blocks */
  70 } *rsx;
  71
  72 static inline int _rs_allocate(struct _rs **, struct _rsx **);
  73 static inline void _rs_forkdetect(void);
  74 #include "arc4random.h"
  75
  76 static inline void _rs_rekey(u_char *dat, size_t datlen);
  77
  78 static inline void
  79 _rs_init(u_char *buf, size_t n)
  80 {
  81         if (n < KEYSZ + IVSZ)
  82                 return;
  83
  84         if (rs == NULL) {
  85                 if (_rs_allocate(&rs, &rsx) == -1)
  86                         _exit(1);
  87         }
  88
  89         chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8);
  90         chacha_ivsetup(&rsx->rs_chacha, buf + KEYSZ);
  91 }
  92
  93 static void
  94 _rs_stir(void)
  95 {
  96         u_char rnd[KEYSZ + IVSZ];
  97         uint32_t rekey_fuzz = 0;
  98
  99         memset(rnd, 0, (KEYSZ + IVSZ) * sizeof(u_char));
 100
 101         if (getentropy(rnd, sizeof rnd) == -1)
 102                 _getentropy_fail();
 103
 104         if (!rs)
 105                 _rs_init(rnd, sizeof(rnd));
 106         else
 107                 _rs_rekey(rnd, sizeof(rnd));
 108         explicit_bzero(rnd, sizeof(rnd));       /* discard source seed */
 109
 110         /* invalidate rs_buf */
 111         rs->rs_have = 0;
 112         memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
 113
 114         /* rekey interval should not be predictable */
 115         chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz,
 116             (uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz));
 117         rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE);
 118 }
 119
 120 static inline void
 121 _rs_stir_if_needed(size_t len)
 122 {
 123         _rs_forkdetect();
 124         if (!rs || rs->rs_count <= len)
 125                 _rs_stir();
 126         if (rs->rs_count <= len)
 127                 rs->rs_count = 0;
 128         else
 129                 rs->rs_count -= len;
 130 }
 131
 132 static inline void
 133 _rs_rekey(u_char *dat, size_t datlen)
 134 {
 135 #ifndef KEYSTREAM_ONLY
 136         memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
 137 #endif
 138         /* fill rs_buf with the keystream */
 139         chacha_encrypt_bytes(&rsx->rs_chacha, rsx->rs_buf,
 140             rsx->rs_buf, sizeof(rsx->rs_buf));
 141         /* mix in optional user provided data */
 142         if (dat) {
 143                 size_t i, m;
 144
 145                 m = minimum(datlen, KEYSZ + IVSZ);
 146                 for (i = 0; i < m; i++)
 147                         rsx->rs_buf[i] ^= dat[i];
 148         }
 149         /* immediately reinit for backtracking resistance */
 150         _rs_init(rsx->rs_buf, KEYSZ + IVSZ);
 151         memset(rsx->rs_buf, 0, KEYSZ + IVSZ);
 152         rs->rs_have = sizeof(rsx->rs_buf) - KEYSZ - IVSZ;
 153 }
 154
 155 static inline void
 156 _rs_random_buf(void *_buf, size_t n)
 157 {
 158         u_char *buf = (u_char *)_buf;
 159         u_char *keystream;
 160         size_t m;
 161
 162         _rs_stir_if_needed(n);
 163         while (n > 0) {
 164                 if (rs->rs_have > 0) {
 165                         m = minimum(n, rs->rs_have);
 166                         keystream = rsx->rs_buf + sizeof(rsx->rs_buf)
 167                             - rs->rs_have;
 168                         memcpy(buf, keystream, m);
 169                         memset(keystream, 0, m);
 170                         buf += m;
 171                         n -= m;
 172                         rs->rs_have -= m;
 173                 }
 174                 if (rs->rs_have == 0)
 175                         _rs_rekey(NULL, 0);
 176         }
 177 }
 178
 179 static inline void
 180 _rs_random_u32(uint32_t *val)
 181 {
 182         u_char *keystream;
 183
 184         _rs_stir_if_needed(sizeof(*val));
 185         if (rs->rs_have < sizeof(*val))
 186                 _rs_rekey(NULL, 0);
 187         keystream = rsx->rs_buf + sizeof(rsx->rs_buf) - rs->rs_have;
 188         memcpy(val, keystream, sizeof(*val));
 189         memset(keystream, 0, sizeof(*val));
 190         rs->rs_have -= sizeof(*val);
 191 }
 192
 193 uint32_t
 194 arc4random(void)
 195 {
 196         uint32_t val;
 197
 198 #ifndef __SINGLE_THREAD__
 199         _ARC4_LOCK();
 200 #endif
 201         _rs_random_u32(&val);
 202 #ifndef __SINGLE_THREAD__
 203         _ARC4_UNLOCK();
 204 #endif
 205         return val;
 206 }
 207
 208 void
 209 arc4random_buf(void *buf, size_t n)
 210 {
 211 #ifndef __SINGLE_THREAD__
 212         _ARC4_LOCK();
 213 #endif
 214         _rs_random_buf(buf, n);
 215 #ifndef __SINGLE_THREAD__
 216         _ARC4_UNLOCK();
 217 #endif
 218 }