svn commit: r317015 - in head/sys: boot/forth conf crypto/chacha20 dev/random libkern sys
Mark Murray
markm at FreeBSD.org
Sun Apr 16 09:11:05 UTC 2017
Author: markm
Date: Sun Apr 16 09:11:02 2017
New Revision: 317015
URL: https://svnweb.freebsd.org/changeset/base/317015
Log:
Replace the RC4 algorithm for generating in-kernel secure random
numbers with Chacha20. Keep the API, though, as that is what the
other *BSD's have done.
Use the boot-time entropy stash (if present) to bootstrap the
in-kernel entropy source.
Reviewed by: delphij,rwatson
Approved by: so(delphij)
MFC after: 2 months
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D10048
--This line, and those below, will be ignored--
> Description of fields to fill in above: 76 columns --|
> PR: If and which Problem Report is related.
> Submitted by: If someone else sent in the change.
> Reported by: If someone else reported the issue.
> Reviewed by: If someone else reviewed your modification.
> Approved by: If you needed approval for this commit.
> Obtained from: If the change is from a third party.
> MFC after: N [day[s]|week[s]|month[s]]. Request a reminder email.
> MFH: Ports tree branch name. Request approval for merge.
> Relnotes: Set to 'yes' for mention in release notes.
> Security: Vulnerability reference (one per line) or description.
> Sponsored by: If the change was sponsored by an organization.
> Differential Revision: https://reviews.freebsd.org/D### (*full* phabric URL needed).
> Empty fields above will be automatically removed.
Added:
head/sys/crypto/chacha20/chacha.c (contents, props changed)
head/sys/crypto/chacha20/chacha.h (contents, props changed)
Modified:
head/sys/boot/forth/loader.conf
head/sys/conf/files
head/sys/dev/random/random_harvestq.c
head/sys/dev/random/random_harvestq.h
head/sys/libkern/arc4random.c
head/sys/sys/libkern.h
head/sys/sys/random.h
Modified: head/sys/boot/forth/loader.conf
==============================================================================
--- head/sys/boot/forth/loader.conf Sun Apr 16 09:00:10 2017 (r317014)
+++ head/sys/boot/forth/loader.conf Sun Apr 16 09:11:02 2017 (r317015)
@@ -48,7 +48,7 @@ bitmap_type="splash_image_data" # and pl
entropy_cache_load="YES" # Set this to NO to disable loading
# entropy at boot time
entropy_cache_name="/boot/entropy" # Set this to the name of the file
-entropy_cache_type="/boot/entropy" # Required for the kernel to find
+entropy_cache_type="boot_entropy_cache" # Required for the kernel to find
# the boot-time entropy cache. This
# must not change value even if the
# _name above does change!
Modified: head/sys/conf/files
==============================================================================
--- head/sys/conf/files Sun Apr 16 09:00:10 2017 (r317014)
+++ head/sys/conf/files Sun Apr 16 09:11:02 2017 (r317015)
@@ -3810,6 +3810,7 @@ kgssapi/gsstest.c optional kgssapi_debu
# the file should be moved to conf/files.<arch> from here.
#
libkern/arc4random.c standard
+crypto/chacha20/chacha.c standard
libkern/asprintf.c standard
libkern/bcd.c standard
libkern/bsearch.c standard
Added: head/sys/crypto/chacha20/chacha.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/sys/crypto/chacha20/chacha.c Sun Apr 16 09:11:02 2017 (r317015)
@@ -0,0 +1,224 @@
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+*/
+
+/* $OpenBSD: chacha.c,v 1.1 2013/11/21 00:45:44 djm Exp $ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/param.h>
+#include <sys/types.h>
+
+#include <crypto/chacha20/chacha.h>
+
+
+typedef uint8_t u8;
+typedef uint32_t u32;
+
+typedef struct chacha_ctx chacha_ctx;
+
+#define U8C(v) (v##U)
+#define U32C(v) (v##U)
+
+#define U8V(v) ((u8)(v) & U8C(0xFF))
+#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
+
+#define ROTL32(v, n) \
+ (U32V((v) << (n)) | ((v) >> (32 - (n))))
+
+#define U8TO32_LITTLE(p) \
+ (((u32)((p)[0]) ) | \
+ ((u32)((p)[1]) << 8) | \
+ ((u32)((p)[2]) << 16) | \
+ ((u32)((p)[3]) << 24))
+
+#define U32TO8_LITTLE(p, v) \
+ do { \
+ (p)[0] = U8V((v) ); \
+ (p)[1] = U8V((v) >> 8); \
+ (p)[2] = U8V((v) >> 16); \
+ (p)[3] = U8V((v) >> 24); \
+ } while (0)
+
+#define ROTATE(v,c) (ROTL32(v,c))
+#define XOR(v,w) ((v) ^ (w))
+#define PLUS(v,w) (U32V((v) + (w)))
+#define PLUSONE(v) (PLUS((v),1))
+
+#define QUARTERROUND(a,b,c,d) \
+ a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
+ c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
+ a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
+ c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
+
+static const char sigma[16] = "expand 32-byte k";
+static const char tau[16] = "expand 16-byte k";
+
+void
+chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
+{
+ const char *constants;
+
+ x->input[4] = U8TO32_LITTLE(k + 0);
+ x->input[5] = U8TO32_LITTLE(k + 4);
+ x->input[6] = U8TO32_LITTLE(k + 8);
+ x->input[7] = U8TO32_LITTLE(k + 12);
+ if (kbits == 256) { /* recommended */
+ k += 16;
+ constants = sigma;
+ } else { /* kbits == 128 */
+ constants = tau;
+ }
+ x->input[8] = U8TO32_LITTLE(k + 0);
+ x->input[9] = U8TO32_LITTLE(k + 4);
+ x->input[10] = U8TO32_LITTLE(k + 8);
+ x->input[11] = U8TO32_LITTLE(k + 12);
+ x->input[0] = U8TO32_LITTLE(constants + 0);
+ x->input[1] = U8TO32_LITTLE(constants + 4);
+ x->input[2] = U8TO32_LITTLE(constants + 8);
+ x->input[3] = U8TO32_LITTLE(constants + 12);
+}
+
+void
+chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
+{
+ x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
+ x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
+ x->input[14] = U8TO32_LITTLE(iv + 0);
+ x->input[15] = U8TO32_LITTLE(iv + 4);
+}
+
+void
+chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
+{
+ u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+ u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+ u8 *ctarget = NULL;
+ u8 tmp[64];
+ u_int i;
+
+ if (!bytes) return;
+
+ j0 = x->input[0];
+ j1 = x->input[1];
+ j2 = x->input[2];
+ j3 = x->input[3];
+ j4 = x->input[4];
+ j5 = x->input[5];
+ j6 = x->input[6];
+ j7 = x->input[7];
+ j8 = x->input[8];
+ j9 = x->input[9];
+ j10 = x->input[10];
+ j11 = x->input[11];
+ j12 = x->input[12];
+ j13 = x->input[13];
+ j14 = x->input[14];
+ j15 = x->input[15];
+
+ for (;;) {
+ if (bytes < 64) {
+ for (i = 0;i < bytes;++i) tmp[i] = m[i];
+ m = tmp;
+ ctarget = c;
+ c = tmp;
+ }
+ x0 = j0;
+ x1 = j1;
+ x2 = j2;
+ x3 = j3;
+ x4 = j4;
+ x5 = j5;
+ x6 = j6;
+ x7 = j7;
+ x8 = j8;
+ x9 = j9;
+ x10 = j10;
+ x11 = j11;
+ x12 = j12;
+ x13 = j13;
+ x14 = j14;
+ x15 = j15;
+ for (i = 20;i > 0;i -= 2) {
+ QUARTERROUND( x0, x4, x8,x12)
+ QUARTERROUND( x1, x5, x9,x13)
+ QUARTERROUND( x2, x6,x10,x14)
+ QUARTERROUND( x3, x7,x11,x15)
+ QUARTERROUND( x0, x5,x10,x15)
+ QUARTERROUND( x1, x6,x11,x12)
+ QUARTERROUND( x2, x7, x8,x13)
+ QUARTERROUND( x3, x4, x9,x14)
+ }
+ x0 = PLUS(x0,j0);
+ x1 = PLUS(x1,j1);
+ x2 = PLUS(x2,j2);
+ x3 = PLUS(x3,j3);
+ x4 = PLUS(x4,j4);
+ x5 = PLUS(x5,j5);
+ x6 = PLUS(x6,j6);
+ x7 = PLUS(x7,j7);
+ x8 = PLUS(x8,j8);
+ x9 = PLUS(x9,j9);
+ x10 = PLUS(x10,j10);
+ x11 = PLUS(x11,j11);
+ x12 = PLUS(x12,j12);
+ x13 = PLUS(x13,j13);
+ x14 = PLUS(x14,j14);
+ x15 = PLUS(x15,j15);
+
+ x0 = XOR(x0,U8TO32_LITTLE(m + 0));
+ x1 = XOR(x1,U8TO32_LITTLE(m + 4));
+ x2 = XOR(x2,U8TO32_LITTLE(m + 8));
+ x3 = XOR(x3,U8TO32_LITTLE(m + 12));
+ x4 = XOR(x4,U8TO32_LITTLE(m + 16));
+ x5 = XOR(x5,U8TO32_LITTLE(m + 20));
+ x6 = XOR(x6,U8TO32_LITTLE(m + 24));
+ x7 = XOR(x7,U8TO32_LITTLE(m + 28));
+ x8 = XOR(x8,U8TO32_LITTLE(m + 32));
+ x9 = XOR(x9,U8TO32_LITTLE(m + 36));
+ x10 = XOR(x10,U8TO32_LITTLE(m + 40));
+ x11 = XOR(x11,U8TO32_LITTLE(m + 44));
+ x12 = XOR(x12,U8TO32_LITTLE(m + 48));
+ x13 = XOR(x13,U8TO32_LITTLE(m + 52));
+ x14 = XOR(x14,U8TO32_LITTLE(m + 56));
+ x15 = XOR(x15,U8TO32_LITTLE(m + 60));
+
+ j12 = PLUSONE(j12);
+ if (!j12) {
+ j13 = PLUSONE(j13);
+ /* stopping at 2^70 bytes per nonce is user's responsibility */
+ }
+
+ U32TO8_LITTLE(c + 0,x0);
+ U32TO8_LITTLE(c + 4,x1);
+ U32TO8_LITTLE(c + 8,x2);
+ U32TO8_LITTLE(c + 12,x3);
+ U32TO8_LITTLE(c + 16,x4);
+ U32TO8_LITTLE(c + 20,x5);
+ U32TO8_LITTLE(c + 24,x6);
+ U32TO8_LITTLE(c + 28,x7);
+ U32TO8_LITTLE(c + 32,x8);
+ U32TO8_LITTLE(c + 36,x9);
+ U32TO8_LITTLE(c + 40,x10);
+ U32TO8_LITTLE(c + 44,x11);
+ U32TO8_LITTLE(c + 48,x12);
+ U32TO8_LITTLE(c + 52,x13);
+ U32TO8_LITTLE(c + 56,x14);
+ U32TO8_LITTLE(c + 60,x15);
+
+ if (bytes <= 64) {
+ if (bytes < 64) {
+ for (i = 0;i < bytes;++i) ctarget[i] = c[i];
+ }
+ x->input[12] = j12;
+ x->input[13] = j13;
+ return;
+ }
+ bytes -= 64;
+ c += 64;
+ m += 64;
+ }
+}
Added: head/sys/crypto/chacha20/chacha.h
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/sys/crypto/chacha20/chacha.h Sun Apr 16 09:11:02 2017 (r317015)
@@ -0,0 +1,32 @@
+/* $OpenBSD: chacha.h,v 1.4 2016/08/27 04:04:56 guenther Exp $ */
+
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+
+ $FreeBSD$
+*/
+
+#ifndef CHACHA_H
+#define CHACHA_H
+
+#include <sys/types.h>
+
+struct chacha_ctx {
+ u_int input[16];
+};
+
+#define CHACHA_MINKEYLEN 16
+#define CHACHA_NONCELEN 8
+#define CHACHA_CTRLEN 8
+#define CHACHA_STATELEN (CHACHA_NONCELEN+CHACHA_CTRLEN)
+#define CHACHA_BLOCKLEN 64
+
+void chacha_keysetup(struct chacha_ctx *x, const u_char *k, u_int kbits);
+void chacha_ivsetup(struct chacha_ctx *x, const u_char *iv, const u_char *ctr);
+void chacha_encrypt_bytes(struct chacha_ctx *x, const u_char *m,
+ u_char *c, u_int bytes);
+
+#endif /* CHACHA_H */
+
Modified: head/sys/dev/random/random_harvestq.c
==============================================================================
--- head/sys/dev/random/random_harvestq.c Sun Apr 16 09:00:10 2017 (r317014)
+++ head/sys/dev/random/random_harvestq.c Sun Apr 16 09:11:02 2017 (r317015)
@@ -352,10 +352,19 @@ random_harvestq_prime(void *unused __unu
* Get entropy that may have been preloaded by loader(8)
* and use it to pre-charge the entropy harvest queue.
*/
- keyfile = preload_search_by_type(RANDOM_HARVESTQ_BOOT_ENTROPY_FILE);
+ keyfile = preload_search_by_type(RANDOM_CACHED_BOOT_ENTROPY_MODULE);
+#ifndef NO_BACKWARD_COMPATIBILITY
+ if (keyfile == NULL)
+ keyfile = preload_search_by_type(RANDOM_LEGACY_BOOT_ENTROPY_MODULE);
+#endif
if (keyfile != NULL) {
data = preload_fetch_addr(keyfile);
size = preload_fetch_size(keyfile);
+ /* skip the first bit of the stash so others like arc4 can also have some. */
+ if (size > RANDOM_CACHED_SKIP_START) {
+ data += RANDOM_CACHED_SKIP_START;
+ size -= RANDOM_CACHED_SKIP_START;
+ }
/* Trim the size. If the admin has a file with a funny size, we lose some. Tough. */
size -= (size % sizeof(event.he_entropy));
if (data != NULL && size != 0) {
Modified: head/sys/dev/random/random_harvestq.h
==============================================================================
--- head/sys/dev/random/random_harvestq.h Sun Apr 16 09:00:10 2017 (r317014)
+++ head/sys/dev/random/random_harvestq.h Sun Apr 16 09:11:02 2017 (r317015)
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2013-2015 Mark R V Murray
+ * Copyright (c) 2013-2015, 2017 Mark R V Murray
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -45,8 +45,6 @@ struct harvest_event {
void read_rate_increment(u_int);
-#define RANDOM_HARVESTQ_BOOT_ENTROPY_FILE "/boot/entropy"
-
#define RANDOM_HARVEST_INIT_LOCK(x) mtx_init(&harvest_context.hc_mtx, "entropy harvest mutex", NULL, MTX_SPIN)
#define RANDOM_HARVEST_LOCK(x) mtx_lock_spin(&harvest_context.hc_mtx)
#define RANDOM_HARVEST_UNLOCK(x) mtx_unlock_spin(&harvest_context.hc_mtx)
Modified: head/sys/libkern/arc4random.c
==============================================================================
--- head/sys/libkern/arc4random.c Sun Apr 16 09:00:10 2017 (r317014)
+++ head/sys/libkern/arc4random.c Sun Apr 16 09:11:02 2017 (r317015)
@@ -1,11 +1,28 @@
/*-
- * THE BEER-WARE LICENSE
+ * Copyright (c) 2017 The FreeBSD Foundation
+ * All rights reserved.
*
- * <dan at FreeBSD.ORG> wrote this file. As long as you retain this notice you
- * can do whatever you want with this stuff. If we meet some day, and you
- * think this stuff is worth it, you can buy me a beer in return.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer
+ * in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * Dan Moschuk
*/
#include <sys/cdefs.h>
@@ -14,144 +31,122 @@ __FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/param.h>
#include <sys/kernel.h>
-#include <sys/random.h>
#include <sys/libkern.h>
+#include <sys/linker.h>
#include <sys/lock.h>
+#include <sys/malloc.h>
#include <sys/mutex.h>
-#include <sys/time.h>
+#include <sys/random.h>
#include <sys/smp.h>
-#include <sys/malloc.h>
+#include <sys/time.h>
+
+#include <crypto/chacha20/chacha.h>
-#define ARC4_RESEED_BYTES 65536
-#define ARC4_RESEED_SECONDS 300
-#define ARC4_KEYBYTES 256
+#define CHACHA20_RESEED_BYTES 65536
+#define CHACHA20_RESEED_SECONDS 300
+#define CHACHA20_KEYBYTES 32
+#define CHACHA20_BUFFER_SIZE 64
+
+CTASSERT(CHACHA20_KEYBYTES*8 >= CHACHA_MINKEYLEN);
int arc4rand_iniseed_state = ARC4_ENTR_NONE;
-MALLOC_DEFINE(M_ARC4RANDOM, "arc4random", "arc4random structures");
+MALLOC_DEFINE(M_CHACHA20RANDOM, "chacha20random", "chacha20random structures");
-struct arc4_s {
+struct chacha20_s {
struct mtx mtx;
- u_int8_t i, j;
- int numruns;
- u_int8_t sbox[256];
+ int numbytes;
+ int first_time_done;
time_t t_reseed;
-
+ u_int8_t m_buffer[CHACHA20_BUFFER_SIZE];
+ struct chacha_ctx ctx;
} __aligned(CACHE_LINE_SIZE);
-static struct arc4_s *arc4inst = NULL;
+static struct chacha20_s *chacha20inst = NULL;
-#define ARC4_FOREACH(_arc4) \
- for (_arc4 = &arc4inst[0]; _arc4 <= &arc4inst[mp_maxid]; _arc4++)
-
-static u_int8_t arc4_randbyte(struct arc4_s *arc4);
-
-static __inline void
-arc4_swap(u_int8_t *a, u_int8_t *b)
-{
- u_int8_t c;
-
- c = *a;
- *a = *b;
- *b = c;
-}
+#define CHACHA20_FOREACH(_chacha20) \
+ for (_chacha20 = &chacha20inst[0]; \
+ _chacha20 <= &chacha20inst[mp_maxid]; \
+ _chacha20++)
/*
- * Stir our S-box.
+ * Mix up the current context.
*/
static void
-arc4_randomstir(struct arc4_s* arc4)
+chacha20_randomstir(struct chacha20_s* chacha20)
{
- u_int8_t key[ARC4_KEYBYTES];
- int n;
struct timeval tv_now;
+ size_t n, size;
+ u_int8_t key[CHACHA20_KEYBYTES], *data;
+ caddr_t keyfile;
/*
- * XXX: FIX!! This isn't brilliant. Need more confidence.
- * This returns zero entropy before random(4) is seeded.
+ * This is making the best of what may be an insecure
+ * Situation. If the loader(8) did not have an entropy
+ * stash from the previous shutdown to load, then we will
+ * be improperly seeded. The answer is to make sure there
+ * is an entropy stash at shutdown time.
*/
- (void)read_random(key, ARC4_KEYBYTES);
- getmicrouptime(&tv_now);
- mtx_lock(&arc4->mtx);
- for (n = 0; n < 256; n++) {
- arc4->j = (arc4->j + arc4->sbox[n] + key[n]) % 256;
- arc4_swap(&arc4->sbox[n], &arc4->sbox[arc4->j]);
+ (void)read_random(key, CHACHA20_KEYBYTES);
+ if (!chacha20->first_time_done) {
+ keyfile = preload_search_by_type(RANDOM_CACHED_BOOT_ENTROPY_MODULE);
+ if (keyfile != NULL) {
+ data = preload_fetch_addr(keyfile);
+ size = MIN(preload_fetch_size(keyfile), CHACHA20_KEYBYTES);
+ for (n = 0; n < size; n++)
+ key[n] ^= data[n];
+ explicit_bzero(data, size);
+ if (bootverbose)
+ printf("arc4random: read %zu bytes from preloaded cache\n", size);
+ } else
+ printf("arc4random: no preloaded entropy cache\n");
+ chacha20->first_time_done = 1;
}
- arc4->i = arc4->j = 0;
+ getmicrouptime(&tv_now);
+ mtx_lock(&chacha20->mtx);
+ chacha_keysetup(&chacha20->ctx, key, CHACHA20_KEYBYTES*8);
+ chacha_ivsetup(&chacha20->ctx, (u_char *)&tv_now.tv_sec, (u_char *)&tv_now.tv_usec);
/* Reset for next reseed cycle. */
- arc4->t_reseed = tv_now.tv_sec + ARC4_RESEED_SECONDS;
- arc4->numruns = 0;
- /*
- * Throw away the first N words of output, as suggested in the
- * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
- * by Fluher, Mantin, and Shamir. (N = 768 in our case.)
- *
- * http://dl.acm.org/citation.cfm?id=646557.694759
- */
- for (n = 0; n < 768*4; n++)
- arc4_randbyte(arc4);
-
- mtx_unlock(&arc4->mtx);
+ chacha20->t_reseed = tv_now.tv_sec + CHACHA20_RESEED_SECONDS;
+ chacha20->numbytes = 0;
+ mtx_unlock(&chacha20->mtx);
}
/*
- * Initialize our S-box to its beginning defaults.
+ * Initialize the contexts.
*/
static void
-arc4_init(void)
+chacha20_init(void)
{
- struct arc4_s *arc4;
- int n;
-
- arc4inst = malloc((mp_maxid + 1) * sizeof(struct arc4_s),
- M_ARC4RANDOM, M_NOWAIT | M_ZERO);
- KASSERT(arc4inst != NULL, ("arc4_init: memory allocation error"));
+ struct chacha20_s *chacha20;
- ARC4_FOREACH(arc4) {
- mtx_init(&arc4->mtx, "arc4_mtx", NULL, MTX_DEF);
-
- arc4->i = arc4->j = 0;
- for (n = 0; n < 256; n++)
- arc4->sbox[n] = (u_int8_t) n;
-
- arc4->t_reseed = -1;
- arc4->numruns = 0;
+ chacha20inst = malloc((mp_maxid + 1) * sizeof(struct chacha20_s),
+ M_CHACHA20RANDOM, M_NOWAIT | M_ZERO);
+ KASSERT(chacha20inst != NULL, ("chacha20_init: memory allocation error"));
+
+ CHACHA20_FOREACH(chacha20) {
+ mtx_init(&chacha20->mtx, "chacha20_mtx", NULL, MTX_DEF);
+ chacha20->t_reseed = -1;
+ chacha20->numbytes = 0;
+ chacha20->first_time_done = 0;
+ explicit_bzero(chacha20->m_buffer, CHACHA20_BUFFER_SIZE);
+ explicit_bzero(&chacha20->ctx, sizeof(chacha20->ctx));
}
}
-SYSINIT(arc4, SI_SUB_LOCK, SI_ORDER_ANY, arc4_init, NULL);
+SYSINIT(chacha20, SI_SUB_LOCK, SI_ORDER_ANY, chacha20_init, NULL);
static void
-arc4_uninit(void)
+chacha20_uninit(void)
{
- struct arc4_s *arc4;
+ struct chacha20_s *chacha20;
- ARC4_FOREACH(arc4) {
- mtx_destroy(&arc4->mtx);
- }
-
- free(arc4inst, M_ARC4RANDOM);
+ CHACHA20_FOREACH(chacha20)
+ mtx_destroy(&chacha20->mtx);
+ free(chacha20inst, M_CHACHA20RANDOM);
}
+SYSUNINIT(chacha20, SI_SUB_LOCK, SI_ORDER_ANY, chacha20_uninit, NULL);
-SYSUNINIT(arc4, SI_SUB_LOCK, SI_ORDER_ANY, arc4_uninit, NULL);
-
-
-/*
- * Generate a random byte.
- */
-static u_int8_t
-arc4_randbyte(struct arc4_s *arc4)
-{
- u_int8_t arc4_t;
-
- arc4->i = (arc4->i + 1) % 256;
- arc4->j = (arc4->j + arc4->sbox[arc4->i]) % 256;
-
- arc4_swap(&arc4->sbox[arc4->i], &arc4->sbox[arc4->j]);
-
- arc4_t = (arc4->sbox[arc4->i] + arc4->sbox[arc4->j]) % 256;
- return arc4->sbox[arc4_t];
-}
/*
* MPSAFE
@@ -159,28 +154,36 @@ arc4_randbyte(struct arc4_s *arc4)
void
arc4rand(void *ptr, u_int len, int reseed)
{
- u_char *p;
+ struct chacha20_s *chacha20;
struct timeval tv;
- struct arc4_s *arc4;
+ u_int length;
+ u_int8_t *p;
- if (reseed || atomic_cmpset_int(&arc4rand_iniseed_state,
- ARC4_ENTR_HAVE, ARC4_ENTR_SEED)) {
- ARC4_FOREACH(arc4)
- arc4_randomstir(arc4);
- }
+ if (reseed || atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_HAVE, ARC4_ENTR_SEED))
+ CHACHA20_FOREACH(chacha20)
+ chacha20_randomstir(chacha20);
- arc4 = &arc4inst[curcpu];
+ chacha20 = &chacha20inst[curcpu];
getmicrouptime(&tv);
- if ((arc4->numruns > ARC4_RESEED_BYTES) ||
- (tv.tv_sec > arc4->t_reseed))
- arc4_randomstir(arc4);
+ /* We may get unlucky and be migrated off this CPU, but that is expected to be infrequent */
+ if ((chacha20->numbytes > CHACHA20_RESEED_BYTES) || (tv.tv_sec > chacha20->t_reseed))
+ chacha20_randomstir(chacha20);
- mtx_lock(&arc4->mtx);
- arc4->numruns += len;
+ mtx_lock(&chacha20->mtx);
p = ptr;
- while (len--)
- *p++ = arc4_randbyte(arc4);
- mtx_unlock(&arc4->mtx);
+ while (len) {
+ length = MIN(CHACHA20_BUFFER_SIZE, len);
+ chacha_encrypt_bytes(&chacha20->ctx, chacha20->m_buffer, p, length);
+ p += length;
+ len -= length;
+ chacha20->numbytes += length;
+ if (chacha20->numbytes > CHACHA20_RESEED_BYTES) {
+ mtx_unlock(&chacha20->mtx);
+ chacha20_randomstir(chacha20);
+ mtx_lock(&chacha20->mtx);
+ }
+ }
+ mtx_unlock(&chacha20->mtx);
}
uint32_t
@@ -188,6 +191,13 @@ arc4random(void)
{
uint32_t ret;
- arc4rand(&ret, sizeof ret, 0);
+ arc4rand(&ret, sizeof(ret), 0);
return ret;
}
+
+void
+arc4random_buf(void *ptr, size_t len)
+{
+
+ arc4rand(ptr, len, 0);
+}
Modified: head/sys/sys/libkern.h
==============================================================================
--- head/sys/sys/libkern.h Sun Apr 16 09:00:10 2017 (r317014)
+++ head/sys/sys/libkern.h Sun Apr 16 09:11:02 2017 (r317015)
@@ -117,7 +117,8 @@ extern int arc4rand_iniseed_state;
/* Prototypes for non-quad routines. */
struct malloc_type;
uint32_t arc4random(void);
-void arc4rand(void *ptr, u_int len, int reseed);
+void arc4random_buf(void *, size_t);
+void arc4rand(void *, u_int, int);
int bcmp(const void *, const void *, size_t);
int timingsafe_bcmp(const void *, const void *, size_t);
void *bsearch(const void *, const void *, size_t,
Modified: head/sys/sys/random.h
==============================================================================
--- head/sys/sys/random.h Sun Apr 16 09:00:10 2017 (r317014)
+++ head/sys/sys/random.h Sun Apr 16 09:11:02 2017 (r317015)
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2000-2015 Mark R. V. Murray
+ * Copyright (c) 2000-2015, 2017 Mark R. V. Murray
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -96,6 +96,10 @@ enum random_entropy_source {
#define RANDOM_HARVEST_EVERYTHING_MASK ((1 << (RANDOM_ENVIRONMENTAL_END + 1)) - 1)
+#define RANDOM_LEGACY_BOOT_ENTROPY_MODULE "/boot/entropy"
+#define RANDOM_CACHED_BOOT_ENTROPY_MODULE "boot_entropy_cache"
+#define RANDOM_CACHED_SKIP_START 256
+
#if defined(DEV_RANDOM)
void random_harvest_queue(const void *, u_int, u_int, enum random_entropy_source);
void random_harvest_fast(const void *, u_int, u_int, enum random_entropy_source);
More information about the svn-src-head
mailing list