- (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c]

   [openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random
   implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@,
   tested tim@

4 files changed, 52 insertions, 165 deletions

diff --git a/ChangeLog b/ChangeLog
index 34b6d17f9..78578cf19 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,10 @@
  - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull
    in OpenBSD implementation of arc4random, shortly to replace the existing
    bsd-arc4random.c
+ - (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c]
+   [openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random
+   implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@,
+   tested tim@
 
 20130922
  - (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 365cf006d..a5f4a266c 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.51 2013/05/10 06:28:56 dtucker Exp $
+# $Id: Makefile.in,v 1.52 2013/10/08 23:44:49 djm Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
 
 OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
 
-COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
 PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
 
diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c
index 356e23181..eac073cc0 100644
--- a/openbsd-compat/arc4random.c
+++ b/openbsd-compat/arc4random.c
@@ -1,3 +1,5 @@
+/* OPENBSD ORIGINAL: lib/libc/crypto/arc4random.c */
+
 /*      $OpenBSD: arc4random.c,v 1.25 2013/10/01 18:34:57 markus Exp $  */
 
 /*
@@ -22,16 +24,19 @@
  * ChaCha based random number generator for OpenBSD.
  */
 
-#include <fcntl.h>
-#include <limits.h>
+#include "includes.h"
+
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/sysctl.h>
-#include "thread_private.h"
+
+#ifndef HAVE_ARC4RANDOM
+
+#include <openssl/rand.h>
+#include <openssl/err.h>
+
+#include "log.h"
 
 #define KEYSTREAM_ONLY
 #include "chacha_private.h"
@@ -42,6 +47,10 @@
 #define inline
 #endif                          /* !__GNUC__ */
 
+/* OpenSSH isn't multithreaded */
+#define _ARC4_LOCK()
+#define _ARC4_UNLOCK()
+
 #define KEYSZ   32
 #define IVSZ    8
 #define BLOCKSZ 64
@@ -67,15 +76,11 @@ _rs_init(u_char *buf, size_t n)
 static void
 _rs_stir(void)
 {
-        int     mib[2];
-        size_t  len;
         u_char rnd[KEYSZ + IVSZ];
 
-        mib[0] = CTL_KERN;
-        mib[1] = KERN_ARND;
-
-        len = sizeof(rnd);
-        sysctl(mib, 2, rnd, &len, NULL, 0);
+        if (RAND_bytes(rnd, sizeof(rnd)) <= 0)
+                fatal("Couldn't obtain random bytes (error %ld)",
+                    ERR_get_error());
 
         if (!rs_initialized) {
                 rs_initialized = 1;
@@ -194,6 +199,11 @@ arc4random(void)
         return val;
 }
 
+/*
+ * If we are providing arc4random, then we can provide a more efficient 
+ * arc4random_buf().
+ */
+# ifndef HAVE_ARC4RANDOM_BUF
 void
 arc4random_buf(void *buf, size_t n)
 {
@@ -201,7 +211,29 @@ arc4random_buf(void *buf, size_t n)
         _rs_random_buf(buf, n);
         _ARC4_UNLOCK();
 }
+# endif /* !HAVE_ARC4RANDOM_BUF */
+#endif /* !HAVE_ARC4RANDOM */
+
+/* arc4random_buf() that uses platform arc4random() */
+#if !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM)
+void
+arc4random_buf(void *_buf, size_t n)
+{
+        size_t i;
+        u_int32_t r = 0;
+        char *buf = (char *)_buf;
+
+        for (i = 0; i < n; i++) {
+                if (i % 4 == 0)
+                        r = arc4random();
+                buf[i] = r & 0xff;
+                r >>= 8;
+        }
+        i = r = 0;
+}
+#endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */
 
+#ifndef HAVE_ARC4RANDOM_UNIFORM
 /*
  * Calculate a uniformly distributed random number less than upper_bound
  * avoiding "modulo bias".
@@ -237,6 +269,7 @@ arc4random_uniform(u_int32_t upper_bound)
 
         return r % upper_bound;
 }
+#endif /* !HAVE_ARC4RANDOM_UNIFORM */
 
 #if 0
 /*-------- Test code for i386 --------*/
diff --git a/openbsd-compat/bsd-arc4random.c b/openbsd-compat/bsd-arc4random.c
deleted file mode 100644
index d7c586253..000000000
--- a/openbsd-compat/bsd-arc4random.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- * Copyright (c) 1999,2000,2004 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <string.h>
-#include <stdlib.h>
-#include <stdarg.h>
-
-#include "log.h"
-
-#ifndef HAVE_ARC4RANDOM
-
-#include <openssl/rand.h>
-#include <openssl/rc4.h>
-#include <openssl/err.h>
-
-/* Size of key to use */
-#define SEED_SIZE 20
-
-/* Number of bytes to reseed after */
-#define REKEY_BYTES     (1 << 24)
-
-static int rc4_ready = 0;
-static RC4_KEY rc4;
-
-unsigned int
-arc4random(void)
-{
-        unsigned int r = 0;
-        static int first_time = 1;
-
-        if (rc4_ready <= 0) {
-                if (first_time)
-                        seed_rng();
-                first_time = 0;
-                arc4random_stir();
-        }
-
-        RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);
-
-        rc4_ready -= sizeof(r);
-        
-        return(r);
-}
-
-void
-arc4random_stir(void)
-{
-        unsigned char rand_buf[SEED_SIZE];
-        int i;
-
-        memset(&rc4, 0, sizeof(rc4));
-        if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
-                fatal("Couldn't obtain random bytes (error %ld)",
-                    ERR_get_error());
-        RC4_set_key(&rc4, sizeof(rand_buf), rand_buf);
-
-        /*
-         * Discard early keystream, as per recommendations in:
-         * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
-         */
-        for(i = 0; i <= 256; i += sizeof(rand_buf))
-                RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf);
-
-        memset(rand_buf, 0, sizeof(rand_buf));
-
-        rc4_ready = REKEY_BYTES;
-}
-#endif /* !HAVE_ARC4RANDOM */
-
-#ifndef HAVE_ARC4RANDOM_BUF
-void
-arc4random_buf(void *_buf, size_t n)
-{
-        size_t i;
-        u_int32_t r = 0;
-        char *buf = (char *)_buf;
-
-        for (i = 0; i < n; i++) {
-                if (i % 4 == 0)
-                        r = arc4random();
-                buf[i] = r & 0xff;
-                r >>= 8;
-        }
-        i = r = 0;
-}
-#endif /* !HAVE_ARC4RANDOM_BUF */
-
-#ifndef HAVE_ARC4RANDOM_UNIFORM
-/*
- * Calculate a uniformly distributed random number less than upper_bound
- * avoiding "modulo bias".
- *
- * Uniformity is achieved by generating new random numbers until the one
- * returned is outside the range [0, 2**32 % upper_bound).  This
- * guarantees the selected random number will be inside
- * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
- * after reduction modulo upper_bound.
- */
-u_int32_t
-arc4random_uniform(u_int32_t upper_bound)
-{
-        u_int32_t r, min;
-
-        if (upper_bound < 2)
-                return 0;
-
-#if (ULONG_MAX > 0xffffffffUL)
-        min = 0x100000000UL % upper_bound;
-#else
-        /* Calculate (2**32 % upper_bound) avoiding 64-bit math */
-        if (upper_bound > 0x80000000)
-                min = 1 + ~upper_bound;         /* 2**32 - upper_bound */
-        else {
-                /* (2**32 - (x * 2)) % x == 2**32 % x when x <= 2**31 */
-                min = ((0xffffffff - (upper_bound * 2)) + 1) % upper_bound;
-        }
-#endif
-
-        /*
-         * This could theoretically loop forever but each retry has
-         * p > 0.5 (worst case, usually far better) of selecting a
-         * number inside the range we need, so it should rarely need
-         * to re-roll.
-         */
-        for (;;) {
-                r = arc4random();
-                if (r >= min)
-                        break;
-        }
-
-        return r % upper_bound;
-}
-#endif /* !HAVE_ARC4RANDOM_UNIFORM */