arc4random.c revision 1.40
1 /* $NetBSD: arc4random.c,v 1.40 2025/03/02 22:46:23 riastradh Exp $ */ 2 3 /*- 4 * Copyright (c) 2014 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Taylor R. Campbell. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 /* 33 * Legacy arc4random(3) API from OpenBSD reimplemented using the 34 * ChaCha20 PRF, with per-thread state. 35 * 36 * Security model: 37 * - An attacker who sees some outputs cannot predict past or future 38 * outputs. 39 * - An attacker who sees the PRNG state cannot predict past outputs. 40 * - An attacker who sees a child's PRNG state cannot predict past or 41 * future outputs in the parent, or in other children. 42 * 43 * The arc4random(3) API may abort the process if: 44 * 45 * (a) the crypto self-test fails, 46 * (b) pthread_atfork or thr_keycreate fail, or 47 * (c) sysctl(KERN_ARND) fails when reseeding the PRNG. 48 * 49 * The crypto self-test, pthread_atfork, and thr_keycreate occur only 50 * once, on the first use of any of the arc4random(3) API. KERN_ARND 51 * is unlikely to fail later unless the kernel is seriously broken. 52 */ 53 54 #include <sys/cdefs.h> 55 __RCSID("$NetBSD: arc4random.c,v 1.40 2025/03/02 22:46:23 riastradh Exp $"); 56 57 #include "namespace.h" 58 #include "reentrant.h" 59 60 #include <sys/bitops.h> 61 #include <sys/endian.h> 62 #include <sys/errno.h> 63 #include <sys/mman.h> 64 #include <sys/sysctl.h> 65 66 #include <assert.h> 67 #include <sha2.h> 68 #include <stdatomic.h> 69 #include <stdbool.h> 70 #include <stdint.h> 71 #include <stdlib.h> 72 #include <string.h> 73 #include <unistd.h> 74 75 #include "arc4random.h" 76 #include "atfork.h" 77 #include "reentrant.h" 78 79 #ifdef __weak_alias 80 __weak_alias(arc4random,_arc4random) 81 __weak_alias(arc4random_addrandom,_arc4random_addrandom) 82 __weak_alias(arc4random_buf,_arc4random_buf) 83 __weak_alias(arc4random_stir,_arc4random_stir) 84 __weak_alias(arc4random_uniform,_arc4random_uniform) 85 #endif 86 87 /* 88 * For standard ChaCha, use le32dec/le32enc. We don't need that for 89 * the purposes of a nondeterministic random number generator -- we 90 * don't need to be bit-for-bit compatible over any wire. 91 */ 92 93 static inline uint32_t 94 crypto_le32dec(const void *p) 95 { 96 uint32_t v; 97 98 (void)memcpy(&v, p, sizeof v); 99 100 return v; 101 } 102 103 static inline void 104 crypto_le32enc(void *p, uint32_t v) 105 { 106 107 (void)memcpy(p, &v, sizeof v); 108 } 109 110 /* ChaCha core */ 111 112 #define crypto_core_OUTPUTBYTES 64 113 #define crypto_core_INPUTBYTES 16 114 #define crypto_core_KEYBYTES 32 115 #define crypto_core_CONSTBYTES 16 116 117 #define crypto_core_ROUNDS 20 118 119 static uint32_t 120 rotate(uint32_t u, unsigned c) 121 { 122 123 return (u << c) | (u >> (32 - c)); 124 } 125 126 #define QUARTERROUND(a, b, c, d) do { \ 127 (a) += (b); (d) ^= (a); (d) = rotate((d), 16); \ 128 (c) += (d); (b) ^= (c); (b) = rotate((b), 12); \ 129 (a) += (b); (d) ^= (a); (d) = rotate((d), 8); \ 130 (c) += (d); (b) ^= (c); (b) = rotate((b), 7); \ 131 } while (0) 132 133 static const uint8_t crypto_core_constant32[16] = "expand 32-byte k"; 134 135 static void 136 crypto_core(uint8_t *out, const uint8_t *in, const uint8_t *k, 137 const uint8_t *c) 138 { 139 uint32_t x0,x1,x2,x3,x4,x5,x6,x7,x8,x9,x10,x11,x12,x13,x14,x15; 140 uint32_t j0,j1,j2,j3,j4,j5,j6,j7,j8,j9,j10,j11,j12,j13,j14,j15; 141 int i; 142 143 j0 = x0 = crypto_le32dec(c + 0); 144 j1 = x1 = crypto_le32dec(c + 4); 145 j2 = x2 = crypto_le32dec(c + 8); 146 j3 = x3 = crypto_le32dec(c + 12); 147 j4 = x4 = crypto_le32dec(k + 0); 148 j5 = x5 = crypto_le32dec(k + 4); 149 j6 = x6 = crypto_le32dec(k + 8); 150 j7 = x7 = crypto_le32dec(k + 12); 151 j8 = x8 = crypto_le32dec(k + 16); 152 j9 = x9 = crypto_le32dec(k + 20); 153 j10 = x10 = crypto_le32dec(k + 24); 154 j11 = x11 = crypto_le32dec(k + 28); 155 j12 = x12 = crypto_le32dec(in + 0); 156 j13 = x13 = crypto_le32dec(in + 4); 157 j14 = x14 = crypto_le32dec(in + 8); 158 j15 = x15 = crypto_le32dec(in + 12); 159 160 for (i = crypto_core_ROUNDS; i > 0; i -= 2) { 161 QUARTERROUND( x0, x4, x8,x12); 162 QUARTERROUND( x1, x5, x9,x13); 163 QUARTERROUND( x2, x6,x10,x14); 164 QUARTERROUND( x3, x7,x11,x15); 165 QUARTERROUND( x0, x5,x10,x15); 166 QUARTERROUND( x1, x6,x11,x12); 167 QUARTERROUND( x2, x7, x8,x13); 168 QUARTERROUND( x3, x4, x9,x14); 169 } 170 171 crypto_le32enc(out + 0, x0 + j0); 172 crypto_le32enc(out + 4, x1 + j1); 173 crypto_le32enc(out + 8, x2 + j2); 174 crypto_le32enc(out + 12, x3 + j3); 175 crypto_le32enc(out + 16, x4 + j4); 176 crypto_le32enc(out + 20, x5 + j5); 177 crypto_le32enc(out + 24, x6 + j6); 178 crypto_le32enc(out + 28, x7 + j7); 179 crypto_le32enc(out + 32, x8 + j8); 180 crypto_le32enc(out + 36, x9 + j9); 181 crypto_le32enc(out + 40, x10 + j10); 182 crypto_le32enc(out + 44, x11 + j11); 183 crypto_le32enc(out + 48, x12 + j12); 184 crypto_le32enc(out + 52, x13 + j13); 185 crypto_le32enc(out + 56, x14 + j14); 186 crypto_le32enc(out + 60, x15 + j15); 187 } 188 189 /* ChaCha self-test */ 190 191 #ifdef _DIAGNOSTIC 192 193 /* 194 * Test vector for ChaCha20 from 195 * <http://tools.ietf.org/html/draft-strombergson-chacha-test-vectors-00>, 196 * test vectors for ChaCha12 and ChaCha8 and for big-endian machines 197 * generated by the same crypto_core code with crypto_core_ROUNDS and 198 * crypto_le32enc/dec varied. 199 */ 200 201 static const uint8_t crypto_core_selftest_vector[64] = { 202 #if _BYTE_ORDER == _LITTLE_ENDIAN 203 # if crypto_core_ROUNDS == 8 204 0x3e,0x00,0xef,0x2f,0x89,0x5f,0x40,0xd6, 205 0x7f,0x5b,0xb8,0xe8,0x1f,0x09,0xa5,0xa1, 206 0x2c,0x84,0x0e,0xc3,0xce,0x9a,0x7f,0x3b, 207 0x18,0x1b,0xe1,0x88,0xef,0x71,0x1a,0x1e, 208 0x98,0x4c,0xe1,0x72,0xb9,0x21,0x6f,0x41, 209 0x9f,0x44,0x53,0x67,0x45,0x6d,0x56,0x19, 210 0x31,0x4a,0x42,0xa3,0xda,0x86,0xb0,0x01, 211 0x38,0x7b,0xfd,0xb8,0x0e,0x0c,0xfe,0x42, 212 # elif crypto_core_ROUNDS == 12 213 0x9b,0xf4,0x9a,0x6a,0x07,0x55,0xf9,0x53, 214 0x81,0x1f,0xce,0x12,0x5f,0x26,0x83,0xd5, 215 0x04,0x29,0xc3,0xbb,0x49,0xe0,0x74,0x14, 216 0x7e,0x00,0x89,0xa5,0x2e,0xae,0x15,0x5f, 217 0x05,0x64,0xf8,0x79,0xd2,0x7a,0xe3,0xc0, 218 0x2c,0xe8,0x28,0x34,0xac,0xfa,0x8c,0x79, 219 0x3a,0x62,0x9f,0x2c,0xa0,0xde,0x69,0x19, 220 0x61,0x0b,0xe8,0x2f,0x41,0x13,0x26,0xbe, 221 # elif crypto_core_ROUNDS == 20 222 0x76,0xb8,0xe0,0xad,0xa0,0xf1,0x3d,0x90, 223 0x40,0x5d,0x6a,0xe5,0x53,0x86,0xbd,0x28, 224 0xbd,0xd2,0x19,0xb8,0xa0,0x8d,0xed,0x1a, 225 0xa8,0x36,0xef,0xcc,0x8b,0x77,0x0d,0xc7, 226 0xda,0x41,0x59,0x7c,0x51,0x57,0x48,0x8d, 227 0x77,0x24,0xe0,0x3f,0xb8,0xd8,0x4a,0x37, 228 0x6a,0x43,0xb8,0xf4,0x15,0x18,0xa1,0x1c, 229 0xc3,0x87,0xb6,0x69,0xb2,0xee,0x65,0x86, 230 # else 231 # error crypto_core_ROUNDS must be 8, 12, or 20. 232 # endif 233 #elif _BYTE_ORDER == _BIG_ENDIAN 234 # if crypto_core_ROUNDS == 8 235 0x9a,0x13,0x07,0xe3,0x38,0x18,0x9e,0x99, 236 0x15,0x37,0x16,0x4d,0x04,0xe6,0x48,0x9a, 237 0x07,0xd6,0xe8,0x7a,0x02,0xf9,0xf5,0xc7, 238 0x3f,0xa9,0xc2,0x0a,0xe1,0xc6,0x62,0xea, 239 0x80,0xaf,0xb6,0x51,0xca,0x52,0x43,0x87, 240 0xe3,0xa6,0xa6,0x61,0x11,0xf5,0xe6,0xcf, 241 0x09,0x0f,0xdc,0x9d,0xc3,0xc3,0xbb,0x43, 242 0xd7,0xfa,0x70,0x42,0xbf,0xa5,0xee,0xa2, 243 # elif crypto_core_ROUNDS == 12 244 0xcf,0x6c,0x16,0x48,0xbf,0xf4,0xba,0x85, 245 0x32,0x69,0xd3,0x98,0xc8,0x7d,0xcd,0x3f, 246 0xdc,0x76,0x6b,0xa2,0x7b,0xcb,0x17,0x4d, 247 0x05,0xda,0xdd,0xd8,0x62,0x54,0xbf,0xe0, 248 0x65,0xed,0x0e,0xf4,0x01,0x7e,0x3c,0x05, 249 0x35,0xb2,0x7a,0x60,0xf3,0x8f,0x12,0x33, 250 0x24,0x60,0xcd,0x85,0xfe,0x4c,0xf3,0x39, 251 0xb1,0x0e,0x3e,0xe0,0xba,0xa6,0x2f,0xa9, 252 # elif crypto_core_ROUNDS == 20 253 0x83,0x8b,0xf8,0x75,0xf7,0xde,0x9d,0x8c, 254 0x33,0x14,0x72,0x28,0xd1,0xbe,0x88,0xe5, 255 0x94,0xb5,0xed,0xb8,0x56,0xb5,0x9e,0x0c, 256 0x64,0x6a,0xaf,0xd9,0xa7,0x49,0x10,0x59, 257 0xba,0x3a,0x82,0xf8,0x4a,0x70,0x9c,0x00, 258 0x82,0x2c,0xae,0xc6,0xd7,0x1c,0x2e,0xda, 259 0x2a,0xfb,0x61,0x70,0x2b,0xd1,0xbf,0x8b, 260 0x95,0xbc,0x23,0xb6,0x4b,0x60,0x02,0xec, 261 # else 262 # error crypto_core_ROUNDS must be 8, 12, or 20. 263 # endif 264 #else 265 # error Byte order must be little-endian or big-endian. 266 #endif 267 }; 268 269 static int 270 crypto_core_selftest(void) 271 { 272 const uint8_t nonce[crypto_core_INPUTBYTES] = {0}; 273 const uint8_t key[crypto_core_KEYBYTES] = {0}; 274 uint8_t block[64]; 275 unsigned i; 276 277 crypto_core(block, nonce, key, crypto_core_constant32); 278 for (i = 0; i < 64; i++) { 279 if (block[i] != crypto_core_selftest_vector[i]) 280 return EIO; 281 } 282 283 return 0; 284 } 285 286 #else /* !_DIAGNOSTIC */ 287 288 static int 289 crypto_core_selftest(void) 290 { 291 292 return 0; 293 } 294 295 #endif 296 297 /* PRNG */ 298 299 /* 300 * For a state s, rather than use ChaCha20 as a stream cipher to 301 * generate the concatenation ChaCha20_s(0) || ChaCha20_s(1) || ..., we 302 * split ChaCha20_s(0) into s' || x and yield x for the first request, 303 * split ChaCha20_s'(0) into s'' || y and yield y for the second 304 * request, &c. This provides backtracking resistance: an attacker who 305 * finds s'' can't recover s' or x. 306 */ 307 308 #define crypto_prng_SEEDBYTES crypto_core_KEYBYTES 309 #define crypto_prng_MAXOUTPUTBYTES \ 310 (crypto_core_OUTPUTBYTES - crypto_prng_SEEDBYTES) 311 312 __CTASSERT(sizeof(struct crypto_prng) == crypto_prng_SEEDBYTES); 313 314 static void 315 crypto_prng_seed(struct crypto_prng *prng, const void *seed) 316 { 317 318 (void)memcpy(prng->state, seed, crypto_prng_SEEDBYTES); 319 } 320 321 static void 322 crypto_prng_buf(struct crypto_prng *prng, void *buf, size_t n) 323 { 324 const uint8_t nonce[crypto_core_INPUTBYTES] = {0}; 325 uint8_t output[crypto_core_OUTPUTBYTES]; 326 327 _DIAGASSERT(n <= crypto_prng_MAXOUTPUTBYTES); 328 __CTASSERT(sizeof prng->state + crypto_prng_MAXOUTPUTBYTES 329 <= sizeof output); 330 331 crypto_core(output, nonce, prng->state, crypto_core_constant32); 332 (void)memcpy(prng->state, output, sizeof prng->state); 333 (void)memcpy(buf, output + sizeof prng->state, n); 334 (void)explicit_memset(output, 0, sizeof output); 335 } 336 337 /* One-time stream: expand short single-use secret into long secret */ 338 339 #define crypto_onetimestream_SEEDBYTES crypto_core_KEYBYTES 340 341 static void 342 crypto_onetimestream(const void *seed, void *buf, size_t n) 343 { 344 uint32_t nonce[crypto_core_INPUTBYTES / sizeof(uint32_t)] = {0}; 345 uint8_t block[crypto_core_OUTPUTBYTES]; 346 uint8_t *p8, *p32; 347 const uint8_t *nonce8 = (const uint8_t *)(void *)nonce; 348 size_t ni, nb, nf; 349 350 /* 351 * Guarantee we can generate up to n bytes. We have 352 * 2^(8*INPUTBYTES) possible inputs yielding output of 353 * OUTPUTBYTES*2^(8*INPUTBYTES) bytes. It suffices to require 354 * that sizeof n > (1/CHAR_BIT) log_2 n be less than 355 * (1/CHAR_BIT) log_2 of the total output stream length. We 356 * have 357 * 358 * log_2 (o 2^(8 i)) = log_2 o + log_2 2^(8 i) 359 * = log_2 o + 8 i. 360 */ 361 #ifndef __lint__ 362 __CTASSERT(CHAR_BIT * sizeof n <= (ilog2(crypto_core_OUTPUTBYTES) + 363 8 * crypto_core_INPUTBYTES)); 364 #endif 365 366 p8 = buf; 367 p32 = (uint8_t *)roundup2((uintptr_t)p8, 4); 368 ni = p32 - p8; 369 if (n < ni) 370 ni = n; 371 nb = (n - ni) / sizeof block; 372 nf = (n - ni) % sizeof block; 373 374 _DIAGASSERT(((uintptr_t)p32 & 3) == 0); 375 _DIAGASSERT(ni <= n); 376 _DIAGASSERT(nb <= (n / sizeof block)); 377 _DIAGASSERT(nf <= n); 378 _DIAGASSERT(n == (ni + (nb * sizeof block) + nf)); 379 _DIAGASSERT(ni < 4); 380 _DIAGASSERT(nf < sizeof block); 381 382 if (ni) { 383 crypto_core(block, nonce8, seed, crypto_core_constant32); 384 nonce[0]++; 385 (void)memcpy(p8, block, ni); 386 } 387 while (nb--) { 388 crypto_core(p32, nonce8, seed, crypto_core_constant32); 389 if (++nonce[0] == 0) 390 nonce[1]++; 391 p32 += crypto_core_OUTPUTBYTES; 392 } 393 if (nf) { 394 crypto_core(block, nonce8, seed, crypto_core_constant32); 395 if (++nonce[0] == 0) 396 nonce[1]++; 397 (void)memcpy(p32, block, nf); 398 } 399 400 if (ni | nf) 401 (void)explicit_memset(block, 0, sizeof block); 402 } 403 404 /* 405 * entropy_epoch() 406 * 407 * Return the current entropy epoch, from the sysctl node 408 * kern.entropy.epoch. 409 * 410 * The entropy epoch is never zero. Initially, or on error, it is 411 * (unsigned)-1. It may wrap around but it skips (unsigned)-1 and 412 * 0 when it does. Changes happen less than once per second, so 413 * wraparound will only affect systems after 136 years of uptime. 414 * 415 * XXX This should get it from a page shared read-only by kernel 416 * with userland, but until we implement such a mechanism, this 417 * sysctl -- incurring the cost of a syscall -- will have to 418 * serve. 419 */ 420 static unsigned 421 entropy_epoch(void) 422 { 423 static atomic_int mib0[3]; 424 static atomic_bool initialized = false; 425 int mib[3]; 426 unsigned epoch = (unsigned)-1; 427 size_t epochlen = sizeof(epoch); 428 429 /* 430 * Resolve kern.entropy.epoch if we haven't already. Cache it 431 * for the next caller. Initialization is idempotent, so it's 432 * OK if two threads do it at once. 433 */ 434 if (atomic_load_explicit(&initialized, memory_order_acquire)) { 435 mib[0] = atomic_load_explicit(&mib0[0], memory_order_relaxed); 436 mib[1] = atomic_load_explicit(&mib0[1], memory_order_relaxed); 437 mib[2] = atomic_load_explicit(&mib0[2], memory_order_relaxed); 438 } else { 439 size_t nmib = __arraycount(mib); 440 441 if (sysctlnametomib("kern.entropy.epoch", mib, &nmib) == -1) 442 return (unsigned)-1; 443 if (nmib != __arraycount(mib)) 444 return (unsigned)-1; 445 atomic_store_explicit(&mib0[0], mib[0], memory_order_relaxed); 446 atomic_store_explicit(&mib0[1], mib[1], memory_order_relaxed); 447 atomic_store_explicit(&mib0[2], mib[2], memory_order_relaxed); 448 atomic_store_explicit(&initialized, true, 449 memory_order_release); 450 } 451 452 if (sysctl(mib, __arraycount(mib), &epoch, &epochlen, NULL, 0) == -1) 453 return (unsigned)-1; 454 if (epochlen != sizeof(epoch)) 455 return (unsigned)-1; 456 457 return epoch; 458 } 459 460 /* arc4random state: per-thread, per-process (zeroed in child on fork) */ 461 462 static void 463 arc4random_prng_addrandom(struct arc4random_prng *prng, const void *data, 464 size_t datalen) 465 { 466 const int mib[] = { CTL_KERN, KERN_ARND }; 467 SHA256_CTX ctx; 468 uint8_t buf[crypto_prng_SEEDBYTES]; 469 size_t buflen = sizeof buf; 470 unsigned epoch = entropy_epoch(); 471 472 __CTASSERT(sizeof buf == SHA256_DIGEST_LENGTH); 473 474 SHA256_Init(&ctx); 475 476 crypto_prng_buf(&prng->arc4_prng, buf, sizeof buf); 477 SHA256_Update(&ctx, buf, sizeof buf); 478 479 if (sysctl(mib, (u_int)__arraycount(mib), buf, &buflen, NULL, 0) == -1) 480 abort(); 481 if (buflen != sizeof buf) 482 abort(); 483 SHA256_Update(&ctx, buf, sizeof buf); 484 485 if (data != NULL) 486 SHA256_Update(&ctx, data, datalen); 487 488 SHA256_Final(buf, &ctx); 489 (void)explicit_memset(&ctx, 0, sizeof ctx); 490 491 /* reseed(SHA256(prng() || sysctl(KERN_ARND) || data)) */ 492 crypto_prng_seed(&prng->arc4_prng, buf); 493 (void)explicit_memset(buf, 0, sizeof buf); 494 prng->arc4_epoch = epoch; 495 } 496 497 #ifdef _REENTRANT 498 static struct arc4random_prng * 499 arc4random_prng_create(void) 500 { 501 struct arc4random_prng *prng; 502 const size_t size = roundup(sizeof(*prng), sysconf(_SC_PAGESIZE)); 503 504 prng = mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 505 0); 506 if (prng == MAP_FAILED) 507 goto fail0; 508 if (minherit(prng, size, MAP_INHERIT_ZERO) == -1) 509 goto fail1; 510 511 return prng; 512 513 fail1: (void)munmap(prng, size); 514 fail0: return NULL; 515 } 516 #endif 517 518 #ifdef _REENTRANT 519 static void 520 arc4random_prng_destroy(struct arc4random_prng *prng) 521 { 522 const size_t size = roundup(sizeof(*prng), sysconf(_SC_PAGESIZE)); 523 524 (void)explicit_memset(prng, 0, sizeof(*prng)); 525 (void)munmap(prng, size); 526 } 527 #endif 528 529 /* Library state */ 530 531 struct arc4random_global_state arc4random_global = { 532 #ifdef _REENTRANT 533 .lock = MUTEX_INITIALIZER, 534 #endif 535 .initialized = false, 536 }; 537 538 static struct atfork_callback arc4random_atfork_prepare_cb; 539 static void 540 arc4random_atfork_prepare(void) 541 { 542 543 mutex_lock(&arc4random_global.lock); 544 (void)explicit_memset(&arc4random_global.prng, 0, 545 sizeof arc4random_global.prng); 546 } 547 548 static struct atfork_callback arc4random_atfork_parent_cb; 549 static void 550 arc4random_atfork_parent(void) 551 { 552 553 mutex_unlock(&arc4random_global.lock); 554 } 555 556 static struct atfork_callback arc4random_atfork_child_cb; 557 static void 558 arc4random_atfork_child(void) 559 { 560 561 mutex_unlock(&arc4random_global.lock); 562 } 563 564 #ifdef _REENTRANT 565 static void 566 arc4random_tsd_destructor(void *p) 567 { 568 struct arc4random_prng *const prng = p; 569 570 arc4random_prng_destroy(prng); 571 } 572 #endif 573 574 static void 575 arc4random_initialize(void) 576 { 577 578 mutex_lock(&arc4random_global.lock); 579 if (!arc4random_global.initialized) { 580 if (crypto_core_selftest() != 0) 581 abort(); 582 __libc_atfork( 583 &arc4random_atfork_prepare_cb, &arc4random_atfork_prepare, 584 &arc4random_atfork_parent_cb, &arc4random_atfork_parent, 585 &arc4random_atfork_child_cb, &arc4random_atfork_child); 586 #ifdef _REENTRANT 587 if (thr_keycreate(&arc4random_global.thread_key, 588 &arc4random_tsd_destructor) == 0) 589 arc4random_global.per_thread = true; 590 #endif 591 arc4random_global.initialized = true; 592 } 593 mutex_unlock(&arc4random_global.lock); 594 } 595 596 static struct arc4random_prng * 597 arc4random_prng_get(void) 598 { 599 struct arc4random_prng *prng = NULL; 600 601 /* Make sure the library is initialized. */ 602 if (__predict_false(!arc4random_global.initialized)) 603 arc4random_initialize(); 604 605 #ifdef _REENTRANT 606 /* Get or create the per-thread PRNG state. */ 607 prng = __predict_true(arc4random_global.per_thread) 608 ? thr_getspecific(arc4random_global.thread_key) 609 : NULL; 610 if (__predict_false(prng == NULL) && arc4random_global.per_thread) { 611 prng = arc4random_prng_create(); 612 thr_setspecific(arc4random_global.thread_key, prng); 613 } 614 #endif 615 616 /* If we can't create it, fall back to the global PRNG. */ 617 if (__predict_false(prng == NULL)) { 618 mutex_lock(&arc4random_global.lock); 619 prng = &arc4random_global.prng; 620 } 621 622 /* Guarantee the PRNG is seeded. */ 623 if (__predict_false(prng->arc4_epoch != entropy_epoch())) 624 arc4random_prng_addrandom(prng, NULL, 0); 625 626 return prng; 627 } 628 629 static void 630 arc4random_prng_put(struct arc4random_prng *prng) 631 { 632 633 /* If we had fallen back to the global PRNG, unlock it. */ 634 if (__predict_false(prng == &arc4random_global.prng)) 635 mutex_unlock(&arc4random_global.lock); 636 } 637 638 /* Public API */ 639 640 uint32_t 641 arc4random(void) 642 { 643 struct arc4random_prng *prng; 644 uint32_t v; 645 646 prng = arc4random_prng_get(); 647 crypto_prng_buf(&prng->arc4_prng, &v, sizeof v); 648 arc4random_prng_put(prng); 649 650 return v; 651 } 652 653 void 654 arc4random_buf(void *buf, size_t len) 655 { 656 struct arc4random_prng *prng; 657 658 if (len <= crypto_prng_MAXOUTPUTBYTES) { 659 prng = arc4random_prng_get(); 660 crypto_prng_buf(&prng->arc4_prng, buf, len); 661 arc4random_prng_put(prng); 662 } else { 663 uint8_t seed[crypto_onetimestream_SEEDBYTES]; 664 665 prng = arc4random_prng_get(); 666 crypto_prng_buf(&prng->arc4_prng, seed, sizeof seed); 667 arc4random_prng_put(prng); 668 669 crypto_onetimestream(seed, buf, len); 670 (void)explicit_memset(seed, 0, sizeof seed); 671 } 672 } 673 674 uint32_t 675 arc4random_uniform(uint32_t bound) 676 { 677 struct arc4random_prng *prng; 678 uint32_t minimum, r; 679 680 /* 681 * We want a uniform random choice in [0, n), and arc4random() 682 * makes a uniform random choice in [0, 2^32). If we reduce 683 * that modulo n, values in [0, 2^32 mod n) will be represented 684 * slightly more than values in [2^32 mod n, n). Instead we 685 * choose only from [2^32 mod n, 2^32) by rejecting samples in 686 * [0, 2^32 mod n), to avoid counting the extra representative 687 * of [0, 2^32 mod n). To compute 2^32 mod n, note that 688 * 689 * 2^32 mod n = 2^32 mod n - 0 690 * = 2^32 mod n - n mod n 691 * = (2^32 - n) mod n, 692 * 693 * the last of which is what we compute in 32-bit arithmetic. 694 */ 695 minimum = (-bound % bound); 696 697 prng = arc4random_prng_get(); 698 do crypto_prng_buf(&prng->arc4_prng, &r, sizeof r); 699 while (__predict_false(r < minimum)); 700 arc4random_prng_put(prng); 701 702 return (r % bound); 703 } 704 705 void 706 arc4random_stir(void) 707 { 708 struct arc4random_prng *prng; 709 710 prng = arc4random_prng_get(); 711 arc4random_prng_addrandom(prng, NULL, 0); 712 arc4random_prng_put(prng); 713 } 714 715 /* 716 * Silly signature here is for hysterical raisins. Should instead be 717 * const void *data and size_t datalen. 718 */ 719 void 720 arc4random_addrandom(u_char *data, int datalen) 721 { 722 struct arc4random_prng *prng; 723 724 _DIAGASSERT(0 <= datalen); 725 726 prng = arc4random_prng_get(); 727 arc4random_prng_addrandom(prng, data, datalen); 728 arc4random_prng_put(prng); 729 } 730 731 #ifdef _ARC4RANDOM_TEST 732 733 #include <sys/wait.h> 734 735 #include <err.h> 736 #include <stdio.h> 737 738 int 739 main(int argc __unused, char **argv __unused) 740 { 741 unsigned char gubbish[] = "random gubbish"; 742 const uint8_t zero64[64] = {0}; 743 uint8_t buf[2048]; 744 unsigned i, a, n; 745 746 /* Test arc4random: should not be deterministic. */ 747 if (printf("arc4random: %08"PRIx32"\n", arc4random()) < 0) 748 err(1, "printf"); 749 750 /* Test stirring: should definitely not be deterministic. */ 751 arc4random_stir(); 752 753 /* Test small buffer. */ 754 arc4random_buf(buf, 8); 755 if (printf("arc4randombuf small:") < 0) 756 err(1, "printf"); 757 for (i = 0; i < 8; i++) 758 if (printf(" %02x", buf[i]) < 0) 759 err(1, "printf"); 760 if (printf("\n") < 0) 761 err(1, "printf"); 762 763 /* Test addrandom: should not make the rest deterministic. */ 764 arc4random_addrandom(gubbish, sizeof gubbish); 765 766 /* Test large buffer. */ 767 arc4random_buf(buf, sizeof buf); 768 if (printf("arc4randombuf_large:") < 0) 769 err(1, "printf"); 770 for (i = 0; i < sizeof buf; i++) 771 if (printf(" %02x", buf[i]) < 0) 772 err(1, "printf"); 773 if (printf("\n") < 0) 774 err(1, "printf"); 775 776 /* Test misaligned small and large. */ 777 for (a = 0; a < 64; a++) { 778 for (n = a; n < sizeof buf; n++) { 779 (void)memset(buf, 0, sizeof buf); 780 arc4random_buf(buf, n - a); 781 if (memcmp(buf + n - a, zero64, a) != 0) 782 errx(1, "arc4random buffer overflow 0"); 783 784 (void)memset(buf, 0, sizeof buf); 785 arc4random_buf(buf + a, n - a); 786 if (memcmp(buf, zero64, a) != 0) 787 errx(1, "arc4random buffer overflow 1"); 788 789 if ((2*a) <= n) { 790 (void)memset(buf, 0, sizeof buf); 791 arc4random_buf(buf + a, n - a - a); 792 if (memcmp(buf + n - a, zero64, a) != 0) 793 errx(1, 794 "arc4random buffer overflow 2"); 795 } 796 } 797 } 798 799 /* Test fork-safety. */ 800 { 801 pid_t pid, rpid; 802 int status; 803 804 pid = fork(); 805 switch (pid) { 806 case -1: 807 err(1, "fork"); 808 case 0: { 809 /* 810 * Verify the epoch has been set to zero by fork. 811 */ 812 struct arc4random_prng *prng = NULL; 813 #ifdef _REENTRANT 814 prng = thr_getspecific(arc4random_global.thread_key); 815 #endif 816 if (prng == NULL) 817 prng = &arc4random_global.prng; 818 _exit(prng->arc4_epoch != 0); 819 } 820 default: 821 rpid = waitpid(pid, &status, 0); 822 if (rpid == -1) 823 err(1, "waitpid"); 824 if (rpid != pid) 825 errx(1, "waitpid returned wrong pid" 826 ": %"PRIdMAX" != %"PRIdMAX, 827 (intmax_t)rpid, 828 (intmax_t)pid); 829 if (WIFEXITED(status)) { 830 if (WEXITSTATUS(status) != 0) 831 errx(1, "child exited with %d", 832 WEXITSTATUS(status)); 833 } else if (WIFSIGNALED(status)) { 834 errx(1, "child terminated on signal %d", 835 WTERMSIG(status)); 836 } else { 837 errx(1, "child died mysteriously: %d", status); 838 } 839 } 840 } 841 842 /* XXX Test multithreaded fork safety...? */ 843 844 return 0; 845 } 846 #endif 847
Indexes created Mon Sep 29 21:09:56 GMT 2025