git: 09f390a21553 - stable/13 - arc4random(3): Reduce diff with OpenBSD.

From: Xin LI <delphij_at_FreeBSD.org>
Date: Wed, 24 Aug 2022 05:11:24 UTC
The branch stable/13 has been updated by delphij:

URL: https://cgit.FreeBSD.org/src/commit/?id=09f390a21553f9adf8f581b40060b9b3c0f6a021

commit 09f390a21553f9adf8f581b40060b9b3c0f6a021
Author:     Xin LI <delphij@FreeBSD.org>
AuthorDate: 2022-08-10 00:27:54 +0000
Commit:     Xin LI <delphij@FreeBSD.org>
CommitDate: 2022-08-24 05:11:09 +0000

    arc4random(3): Reduce diff with OpenBSD.
    
    The main change was v1.57 by djm@:
    
      Randomise the rekey interval a little. Previously, the chacha20
      instance would be rekeyed every 1.6MB. This makes it happen at a
      random point somewhere in the 1-2MB range.
    
    Reviewed by:    csprng (markm, cem)
    Differential Revision: https://reviews.freebsd.org/D36088
    
    (cherry picked from commit e9a2e4d1d28bf608a2ec915e25df9200af98e3b8)
---
 lib/libc/gen/arc4random.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/libc/gen/arc4random.c b/lib/libc/gen/arc4random.c
index aecbdb8911bd..07e31e64e758 100644
--- a/lib/libc/gen/arc4random.c
+++ b/lib/libc/gen/arc4random.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: arc4random.c,v 1.55 2019/03/24 17:56:54 deraadt Exp $	*/
+/*	$OpenBSD: arc4random.c,v 1.58 2022/07/31 13:41:45 tb Exp $	*/
 
 /*
  * Copyright (c) 1996, David Mazieres <dm@uun.org>
@@ -66,6 +66,8 @@ __FBSDID("$FreeBSD$");
 #define BLOCKSZ	64
 #define RSBUFSZ	(16*BLOCKSZ)
 
+#define REKEY_BASE	(1024*1024) /* NB. should be a power of 2 */
+
 /* Marked INHERIT_ZERO, so zero'd out in fork children. */
 static struct _rs {
 	size_t		rs_have;	/* valid bytes at end of rs_buf */
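Review bot: The power-of-2 requirement on `REKEY_BASE` is stated only in its trailing comment, so a later edit to the constant could break it without any build failure. The value is used as the modulus for a 32-bit keystream word in `_rs_stir`, and only a power of two divides 2^32 evenly; any other value would skew the rekey point slightly toward the low end of the range. A compile-time check next to the define would pin the assumption: `_Static_assert((REKEY_BASE & (REKEY_BASE - 1)) == 0, "REKEY_BASE must be a power of 2");`. Since the commit aims to reduce the diff with OpenBSD, this may be better proposed upstream than carried as a local difference.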
@@ -106,6 +108,7 @@ static void
 _rs_stir(void)
 {
 	u_char rnd[KEYSZ + IVSZ];
+	uint32_t rekey_fuzz = 0;
 
 #if defined(__FreeBSD__)
 	bool need_init;
@@ -152,7 +155,10 @@ _rs_stir(void)
 	rs->rs_have = 0;
 	memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
 
-	rs->rs_count = 1600000;
+	/* rekey interval should not be predictable */
+	chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz,
+	    (uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz));
+	rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE);
 }
 
 static inline void
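Review bot: The comment above the `chacha_encrypt_bytes` call says why the interval is randomised, but not what range results or where the randomness comes from. I would expand it to something like `/* rekey interval should not be predictable: draw 4 bytes from the cipher and set rs_count to a value in [REKEY_BASE, 2*REKEY_BASE) */`. It should also say whether the `= 0` initialiser on `rekey_fuzz` (added in the declaration hunk) affects the result, because the variable is passed as both input and output and the page does not show how `chacha_encrypt_bytes` treats its input. `_rs_stir` begins outside this hunk, so the state of `rsx->rs_chacha` at this point is not visible here.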