unbound/compat/arc4random.c

   1 /*      $OpenBSD: arc4random.c,v 1.41 2014/07/12 13:24:54 deraadt Exp $ */
   2
   3 /*
   4  * Copyright (c) 1996, David Mazieres <dm@uun.org>
   5  * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
   6  * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
   7  *
   8  * Permission to use, copy, modify, and distribute this software for any
   9  * purpose with or without fee is hereby granted, provided that the above
  10  * copyright notice and this permission notice appear in all copies.
  11  *
  12  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  13  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  14  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  15  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  16  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19  */
  20 #include "config.h"
  21
  22 /*
  23  * ChaCha based random number generator for OpenBSD.
  24  */
  25
  26 #include <fcntl.h>
  27 #include <limits.h>
  28 #include <signal.h>
  29 #include <stdint.h>
  30 #include <stdlib.h>
  31 #include <string.h>
  32 #include <unistd.h>
  33 #include <sys/types.h>
  34 #include <sys/param.h>
  35 #include <sys/time.h>
  36 #ifndef UB_ON_WINDOWS
  37 #include <sys/mman.h>
  38 #endif
  39
  40 #define KEYSTREAM_ONLY
  41 #include "chacha_private.h"
  42
  43 #define arc4_min(a, b) ((a) < (b) ? (a) : (b))
  44 #ifdef __GNUC__
  45 #define inline __inline
  46 #else                           /* !__GNUC__ */
  47 #define inline
  48 #endif                          /* !__GNUC__ */
  49
  50 #define KEYSZ   32
  51 #define IVSZ    8
  52 #define BLOCKSZ 64
  53 #define RSBUFSZ (16*BLOCKSZ)
  54
  55 /* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */
  56 static struct {
  57         size_t          rs_have;        /* valid bytes at end of rs_buf */
  58         size_t          rs_count;       /* bytes till reseed */
  59 } *rs;
  60
  61 /* Preserved in fork children. */
  62 static struct {
  63         chacha_ctx      rs_chacha;      /* chacha context for random keystream */
  64         u_char          rs_buf[RSBUFSZ];        /* keystream blocks */
  65 } *rsx;
  66
  67 static inline void _rs_rekey(u_char *dat, size_t datlen);
  68
  69 static inline void
  70 _rs_init(u_char *buf, size_t n)
  71 {
  72         if (n < KEYSZ + IVSZ)
  73                 return;
  74
  75         if (rs == NULL) {
  76 #ifndef UB_ON_WINDOWS
  77                 if ((rs = mmap(NULL, sizeof(*rs), PROT_READ|PROT_WRITE,
  78                     MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
  79                         abort();
  80 #ifdef MAP_INHERIT_ZERO
  81                 if (minherit(rs, sizeof(*rs), MAP_INHERIT_ZERO) == -1)
  82                         abort();
  83 #endif
  84 #else /* WINDOWS */
  85                 rs = malloc(sizeof(*rs));
  86                 if(!rs)
  87                         abort();
  88 #endif
  89         }
  90         if (rsx == NULL) {
  91 #ifndef UB_ON_WINDOWS
  92                 if ((rsx = mmap(NULL, sizeof(*rsx), PROT_READ|PROT_WRITE,
  93                     MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
  94                         abort();
  95 #else /* WINDOWS */
  96                 rsx = malloc(sizeof(*rsx));
  97                 if(!rsx)
  98                         abort();
  99 #endif
 100         }
 101
 102         chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8, 0);
 103         chacha_ivsetup(&rsx->rs_chacha, buf + KEYSZ);
 104 }
 105
 106 static void
 107 _rs_stir(void)
 108 {
 109         u_char rnd[KEYSZ + IVSZ];
 110
 111         if (getentropy(rnd, sizeof rnd) == -1) {
 112 #ifdef SIGKILL
 113                 raise(SIGKILL);
 114 #else
 115                 exit(9); /* windows */
 116 #endif
 117         }
 118
 119         if (!rs)
 120                 _rs_init(rnd, sizeof(rnd));
 121         else
 122                 _rs_rekey(rnd, sizeof(rnd));
 123         explicit_bzero(rnd, sizeof(rnd));       /* discard source seed */
 124
 125         /* invalidate rs_buf */
 126         rs->rs_have = 0;
 127         memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
 128
 129         rs->rs_count = 1600000;
 130 }
 131
 132 static inline void
 133 _rs_stir_if_needed(size_t len)
 134 {
 135 #ifndef MAP_INHERIT_ZERO
 136         static pid_t _rs_pid = 0;
 137         pid_t pid = getpid();
 138
 139         /* If a system lacks MAP_INHERIT_ZERO, resort to getpid() */
 140         if (_rs_pid == 0 || _rs_pid != pid) {
 141                 _rs_pid = pid;
 142                 if (rs)
 143                         rs->rs_count = 0;
 144         }
 145 #endif
 146         if (!rs || rs->rs_count <= len)
 147                 _rs_stir();
 148         if (rs->rs_count <= len)
 149                 rs->rs_count = 0;
 150         else
 151                 rs->rs_count -= len;
 152 }
 153
 154 static inline void
 155 _rs_rekey(u_char *dat, size_t datlen)
 156 {
 157 #ifndef KEYSTREAM_ONLY
 158         memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
 159 #endif
 160         /* fill rs_buf with the keystream */
 161         chacha_encrypt_bytes(&rsx->rs_chacha, rsx->rs_buf,
 162             rsx->rs_buf, sizeof(rsx->rs_buf));
 163         /* mix in optional user provided data */
 164         if (dat) {
 165                 size_t i, m;
 166
 167                 m = arc4_min(datlen, KEYSZ + IVSZ);
 168                 for (i = 0; i < m; i++)
 169                         rsx->rs_buf[i] ^= dat[i];
 170         }
 171         /* immediately reinit for backtracking resistance */
 172         _rs_init(rsx->rs_buf, KEYSZ + IVSZ);
 173         memset(rsx->rs_buf, 0, KEYSZ + IVSZ);
 174         rs->rs_have = sizeof(rsx->rs_buf) - KEYSZ - IVSZ;
 175 }
 176
 177 static inline void
 178 _rs_random_buf(void *_buf, size_t n)
 179 {
 180         u_char *buf = (u_char *)_buf;
 181         u_char *keystream;
 182         size_t m;
 183
 184         _rs_stir_if_needed(n);
 185         while (n > 0) {
 186                 if (rs->rs_have > 0) {
 187                         m = arc4_min(n, rs->rs_have);
 188                         keystream = rsx->rs_buf + sizeof(rsx->rs_buf)
 189                             - rs->rs_have;
 190                         memcpy(buf, keystream, m);
 191                         memset(keystream, 0, m);
 192                         buf += m;
 193                         n -= m;
 194                         rs->rs_have -= m;
 195                 }
 196                 if (rs->rs_have == 0)
 197                         _rs_rekey(NULL, 0);
 198         }
 199 }
 200
 201 static inline void
 202 _rs_random_u32(uint32_t *val)
 203 {
 204         u_char *keystream;
 205         _rs_stir_if_needed(sizeof(*val));
 206         if (rs->rs_have < sizeof(*val))
 207                 _rs_rekey(NULL, 0);
 208         keystream = rsx->rs_buf + sizeof(rsx->rs_buf) - rs->rs_have;
 209         memcpy(val, keystream, sizeof(*val));
 210         memset(keystream, 0, sizeof(*val));
 211         rs->rs_have -= sizeof(*val);
 212 }
 213
 214 uint32_t
 215 arc4random(void)
 216 {
 217         uint32_t val;
 218
 219         _ARC4_LOCK();
 220         _rs_random_u32(&val);
 221         _ARC4_UNLOCK();
 222         return val;
 223 }
 224
 225 void
 226 arc4random_buf(void *buf, size_t n)
 227 {
 228         _ARC4_LOCK();
 229         _rs_random_buf(buf, n);
 230         _ARC4_UNLOCK();
 231 }