summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2013-10-09 10:44:47 +1100
committerDamien Miller <djm@mindrot.org>2013-10-09 10:44:47 +1100
commit720711960b130d36dfdd3d50eb25ef482bdd000e (patch)
tree8b633b6901b92ec4ac380f46720011e9bd157b40
parent9159310087a218e28940a592896808b8eb76a039 (diff)
- (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c]
[openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@, tested tim@
-rw-r--r--ChangeLog4
-rw-r--r--openbsd-compat/Makefile.in4
-rw-r--r--openbsd-compat/arc4random.c59
-rw-r--r--openbsd-compat/bsd-arc4random.c150
4 files changed, 52 insertions, 165 deletions
diff --git a/ChangeLog b/ChangeLog
index 34b6d17f9..78578cf19 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,10 @@
2 - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull 2 - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull
3 in OpenBSD implementation of arc4random, shortly to replace the existing 3 in OpenBSD implementation of arc4random, shortly to replace the existing
4 bsd-arc4random.c 4 bsd-arc4random.c
5 - (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c]
6 [openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random
7 implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@,
8 tested tim@
5 9
620130922 1020130922
7 - (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj 11 - (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 365cf006d..a5f4a266c 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.51 2013/05/10 06:28:56 dtucker Exp $ 1# $Id: Makefile.in,v 1.52 2013/10/08 23:44:49 djm Exp $
2 2
3sysconfdir=@sysconfdir@ 3sysconfdir=@sysconfdir@
4piddir=@piddir@ 4piddir=@piddir@
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
18 18
19OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o 19OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
20 20
21COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o 21COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
22 22
23PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o 23PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
24 24
diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c
index 356e23181..eac073cc0 100644
--- a/openbsd-compat/arc4random.c
+++ b/openbsd-compat/arc4random.c
@@ -1,3 +1,5 @@
1/* OPENBSD ORIGINAL: lib/libc/crypto/arc4random.c */
2
1/* $OpenBSD: arc4random.c,v 1.25 2013/10/01 18:34:57 markus Exp $ */ 3/* $OpenBSD: arc4random.c,v 1.25 2013/10/01 18:34:57 markus Exp $ */
2 4
3/* 5/*
@@ -22,16 +24,19 @@
22 * ChaCha based random number generator for OpenBSD. 24 * ChaCha based random number generator for OpenBSD.
23 */ 25 */
24 26
25#include <fcntl.h> 27#include "includes.h"
26#include <limits.h> 28
27#include <stdlib.h> 29#include <stdlib.h>
28#include <string.h> 30#include <string.h>
29#include <unistd.h> 31#include <unistd.h>
30#include <sys/types.h> 32#include <sys/types.h>
31#include <sys/param.h> 33
32#include <sys/time.h> 34#ifndef HAVE_ARC4RANDOM
33#include <sys/sysctl.h> 35
34#include "thread_private.h" 36#include <openssl/rand.h>
37#include <openssl/err.h>
38
39#include "log.h"
35 40
36#define KEYSTREAM_ONLY 41#define KEYSTREAM_ONLY
37#include "chacha_private.h" 42#include "chacha_private.h"
@@ -42,6 +47,10 @@
42#define inline 47#define inline
43#endif /* !__GNUC__ */ 48#endif /* !__GNUC__ */
44 49
50/* OpenSSH isn't multithreaded */
51#define _ARC4_LOCK()
52#define _ARC4_UNLOCK()
53
45#define KEYSZ 32 54#define KEYSZ 32
46#define IVSZ 8 55#define IVSZ 8
47#define BLOCKSZ 64 56#define BLOCKSZ 64
@@ -67,15 +76,11 @@ _rs_init(u_char *buf, size_t n)
67static void 76static void
68_rs_stir(void) 77_rs_stir(void)
69{ 78{
70 int mib[2];
71 size_t len;
72 u_char rnd[KEYSZ + IVSZ]; 79 u_char rnd[KEYSZ + IVSZ];
73 80
74 mib[0] = CTL_KERN; 81 if (RAND_bytes(rnd, sizeof(rnd)) <= 0)
75 mib[1] = KERN_ARND; 82 fatal("Couldn't obtain random bytes (error %ld)",
76 83 ERR_get_error());
77 len = sizeof(rnd);
78 sysctl(mib, 2, rnd, &len, NULL, 0);
79 84
80 if (!rs_initialized) { 85 if (!rs_initialized) {
81 rs_initialized = 1; 86 rs_initialized = 1;
@@ -194,6 +199,11 @@ arc4random(void)
194 return val; 199 return val;
195} 200}
196 201
202/*
203 * If we are providing arc4random, then we can provide a more efficient
204 * arc4random_buf().
205 */
206# ifndef HAVE_ARC4RANDOM_BUF
197void 207void
198arc4random_buf(void *buf, size_t n) 208arc4random_buf(void *buf, size_t n)
199{ 209{
@@ -201,7 +211,29 @@ arc4random_buf(void *buf, size_t n)
201 _rs_random_buf(buf, n); 211 _rs_random_buf(buf, n);
202 _ARC4_UNLOCK(); 212 _ARC4_UNLOCK();
203} 213}
214# endif /* !HAVE_ARC4RANDOM_BUF */
215#endif /* !HAVE_ARC4RANDOM */
216
217/* arc4random_buf() that uses platform arc4random() */
218#if !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM)
219void
220arc4random_buf(void *_buf, size_t n)
221{
222 size_t i;
223 u_int32_t r = 0;
224 char *buf = (char *)_buf;
225
226 for (i = 0; i < n; i++) {
227 if (i % 4 == 0)
228 r = arc4random();
229 buf[i] = r & 0xff;
230 r >>= 8;
231 }
232 i = r = 0;
233}
234#endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */
204 235
236#ifndef HAVE_ARC4RANDOM_UNIFORM
205/* 237/*
206 * Calculate a uniformly distributed random number less than upper_bound 238 * Calculate a uniformly distributed random number less than upper_bound
207 * avoiding "modulo bias". 239 * avoiding "modulo bias".
@@ -237,6 +269,7 @@ arc4random_uniform(u_int32_t upper_bound)
237 269
238 return r % upper_bound; 270 return r % upper_bound;
239} 271}
272#endif /* !HAVE_ARC4RANDOM_UNIFORM */
240 273
241#if 0 274#if 0
242/*-------- Test code for i386 --------*/ 275/*-------- Test code for i386 --------*/
diff --git a/openbsd-compat/bsd-arc4random.c b/openbsd-compat/bsd-arc4random.c
deleted file mode 100644
index d7c586253..000000000
--- a/openbsd-compat/bsd-arc4random.c
+++ /dev/null
@@ -1,150 +0,0 @@
1/*
2 * Copyright (c) 1999,2000,2004 Damien Miller <djm@mindrot.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17#include "includes.h"
18
19#include <sys/types.h>
20
21#include <string.h>
22#include <stdlib.h>
23#include <stdarg.h>
24
25#include "log.h"
26
27#ifndef HAVE_ARC4RANDOM
28
29#include <openssl/rand.h>
30#include <openssl/rc4.h>
31#include <openssl/err.h>
32
33/* Size of key to use */
34#define SEED_SIZE 20
35
36/* Number of bytes to reseed after */
37#define REKEY_BYTES (1 << 24)
38
39static int rc4_ready = 0;
40static RC4_KEY rc4;
41
42unsigned int
43arc4random(void)
44{
45 unsigned int r = 0;
46 static int first_time = 1;
47
48 if (rc4_ready <= 0) {
49 if (first_time)
50 seed_rng();
51 first_time = 0;
52 arc4random_stir();
53 }
54
55 RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);
56
57 rc4_ready -= sizeof(r);
58
59 return(r);
60}
61
62void
63arc4random_stir(void)
64{
65 unsigned char rand_buf[SEED_SIZE];
66 int i;
67
68 memset(&rc4, 0, sizeof(rc4));
69 if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
70 fatal("Couldn't obtain random bytes (error %ld)",
71 ERR_get_error());
72 RC4_set_key(&rc4, sizeof(rand_buf), rand_buf);
73
74 /*
75 * Discard early keystream, as per recommendations in:
76 * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
77 */
78 for(i = 0; i <= 256; i += sizeof(rand_buf))
79 RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf);
80
81 memset(rand_buf, 0, sizeof(rand_buf));
82
83 rc4_ready = REKEY_BYTES;
84}
85#endif /* !HAVE_ARC4RANDOM */
86
87#ifndef HAVE_ARC4RANDOM_BUF
88void
89arc4random_buf(void *_buf, size_t n)
90{
91 size_t i;
92 u_int32_t r = 0;
93 char *buf = (char *)_buf;
94
95 for (i = 0; i < n; i++) {
96 if (i % 4 == 0)
97 r = arc4random();
98 buf[i] = r & 0xff;
99 r >>= 8;
100 }
101 i = r = 0;
102}
103#endif /* !HAVE_ARC4RANDOM_BUF */
104
105#ifndef HAVE_ARC4RANDOM_UNIFORM
106/*
107 * Calculate a uniformly distributed random number less than upper_bound
108 * avoiding "modulo bias".
109 *
110 * Uniformity is achieved by generating new random numbers until the one
111 * returned is outside the range [0, 2**32 % upper_bound). This
112 * guarantees the selected random number will be inside
113 * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
114 * after reduction modulo upper_bound.
115 */
116u_int32_t
117arc4random_uniform(u_int32_t upper_bound)
118{
119 u_int32_t r, min;
120
121 if (upper_bound < 2)
122 return 0;
123
124#if (ULONG_MAX > 0xffffffffUL)
125 min = 0x100000000UL % upper_bound;
126#else
127 /* Calculate (2**32 % upper_bound) avoiding 64-bit math */
128 if (upper_bound > 0x80000000)
129 min = 1 + ~upper_bound; /* 2**32 - upper_bound */
130 else {
131 /* (2**32 - (x * 2)) % x == 2**32 % x when x <= 2**31 */
132 min = ((0xffffffff - (upper_bound * 2)) + 1) % upper_bound;
133 }
134#endif
135
136 /*
137 * This could theoretically loop forever but each retry has
138 * p > 0.5 (worst case, usually far better) of selecting a
139 * number inside the range we need, so it should rarely need
140 * to re-roll.
141 */
142 for (;;) {
143 r = arc4random();
144 if (r >= min)
145 break;
146 }
147
148 return r % upper_bound;
149}
150#endif /* !HAVE_ARC4RANDOM_UNIFORM */