/*
 * Copyright (c) 1996, David Mazieres <dm@uun.org>
 * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
 * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
 * Copyright (c) 2015 Joyent, Inc.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
/*
 * arc4random(3C), derived from the OpenBSD version.
 *
 * To ensure that a parent process and any potential children see a different
 * state, we mmap the entire arc4_state_t structure and mark that page as
 * MC_INHERIT_ZERO. That ensures that the data is zeroed in the child. The bit
 * we really care about is that arc4_init then reads as B_FALSE, which causes
 * the child to reinitialize the state when it first uses the interface.
 */
#include <synch.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/sysmacros.h>
#include <chacha.h>

#include "thr_uberdata.h"
/*
 * Sizes are in bytes. A seed is ARC4_KEYSZ key bytes followed by ARC4_IVSZ
 * IV bytes; arc4_init() passes the key length to chacha_keysetup() in bits.
 */
#define	ARC4_KEYSZ	32
#define	ARC4_IVSZ	8
#define	ARC4_BLOCKSZ	64
/* Size in bytes of the buffered keystream: 16 blocks. */
#define	ARC4_KSBUFSZ	(ARC4_BLOCKSZ * 16)
/* Output budget in bytes before arc4_stir() reseeds from getentropy(). */
#define	ARC4_COUNT	1600000

/*
 * Generator state. The whole structure lives in an anonymous mapping marked
 * MC_INHERIT_ZERO by arc4_fill(), so an all-zero image (arc4_init == B_FALSE,
 * arc4_count == 0) has to mean "not yet seeded".
 */
typedef struct arc4_state {
	boolean_t	arc4_init;	/* B_TRUE once keyed by arc4_stir() */
	size_t		arc4_have;	/* unconsumed bytes at tail of arc4_buf */
	size_t		arc4_count;	/* output bytes left before a reseed */
	chacha_ctx_t	arc4_chacha;	/* chacha context */
	uint8_t		arc4_buf[ARC4_KSBUFSZ];	/* buffered keystream blocks */
} arc4_state_t;

/* NULL until the first arc4_fill() call maps the state. */
static arc4_state_t *arc4;
/* Held by arc4random() and arc4random_buf() around every arc4_fill() call. */
static mutex_t arc4_lock = DEFAULTMUTEX;
/*
 * Key the ChaCha context in *arc4 from a seed buffer: the first ARC4_KEYSZ
 * bytes are the key and the following ARC4_IVSZ bytes are the IV.
 *
 * A seed shorter than ARC4_KEYSZ + ARC4_IVSZ aborts the process instead of
 * keying the generator from less material than intended. The state must
 * already be mapped, since arc4 is dereferenced here without a check.
 */
static void
arc4_init(uint8_t *buf, size_t n)
{
	uint8_t *iv;

	if (n < ARC4_KEYSZ + ARC4_IVSZ) {
		abort();
	}

	/* The IV sits directly behind the key in the seed. */
	iv = buf + ARC4_KEYSZ;

	/* chacha_keysetup() takes the key length in bits. */
	chacha_keysetup(&arc4->arc4_chacha, buf, ARC4_KEYSZ * 8, 0);
	chacha_ivsetup(&arc4->arc4_chacha, iv);
}
/*
 * Regenerate the keystream buffer and re-key the generator from its own
 * output.
 *
 * data/datalen is optional extra seed material (pass NULL to skip it). At
 * most ARC4_KEYSZ + ARC4_IVSZ bytes of it are XORed into the head of the
 * fresh buffer. That head then becomes the next key and IV and is scrubbed,
 * so it is never handed out as output and the buffer no longer holds the
 * material that keyed the context. The remainder of the buffer is what
 * arc4_fill() may consume, as recorded in arc4_have.
 */
static void
arc4_rekey(uint8_t *data, size_t datalen)
{
	const size_t seedsz = ARC4_KEYSZ + ARC4_IVSZ;
	const size_t kssz = sizeof (arc4->arc4_buf);
	uint8_t *ks = arc4->arc4_buf;

	/* Run the cipher over the buffer in place to produce new blocks. */
	chacha_encrypt_bytes(&arc4->arc4_chacha, ks, ks, kssz);

	/* Fold in caller supplied data, bounded by the seed size. */
	if (data != NULL) {
		size_t mix = (datalen < seedsz) ? datalen : seedsz;
		size_t i;

		for (i = 0; i < mix; i++) {
			ks[i] ^= data[i];
		}
	}

	/* Re-key immediately for backtracking resistance, then scrub. */
	arc4_init(ks, seedsz);
	explicit_bzero(ks, seedsz);
	arc4->arc4_have = kssz - seedsz;
}
/*
 * Charge len bytes against the reseed budget and reseed from getentropy()
 * when the budget does not cover the request.
 *
 * A zeroed state (never used, or zeroed in a child through MC_INHERIT_ZERO)
 * has arc4_count == 0 and arc4_init == B_FALSE, so its first call always
 * lands in the reseed path and keys the context from scratch. An already
 * keyed generator has the fresh entropy mixed in through arc4_rekey().
 *
 * A getentropy() failure aborts the process; there is no fallback seed. The
 * on-stack seed is scrubbed with explicit_bzero() once it has been used.
 */
static void
arc4_stir(size_t len)
{
	uint8_t seed[ARC4_KEYSZ + ARC4_IVSZ];

	/* Enough budget left: just account for the request. */
	if (arc4->arc4_count > len) {
		arc4->arc4_count -= len;
		return;
	}

	if (getentropy(seed, sizeof (seed)) == -1) {
		abort();
	}

	if (arc4->arc4_init != B_FALSE) {
		arc4_rekey(seed, sizeof (seed));
	} else {
		arc4_init(seed, sizeof (seed));
		arc4->arc4_init = B_TRUE;
	}
	explicit_bzero(seed, sizeof (seed));

	/* Invalidate the data buffer so no pre-reseed bytes are handed out. */
	arc4->arc4_have = 0;
	memset(arc4->arc4_buf, 0, sizeof (arc4->arc4_buf));

	/* Start a new budget and charge this request against it. */
	if (len >= ARC4_COUNT) {
		arc4->arc4_count = 0;
	} else {
		arc4->arc4_count = ARC4_COUNT - len;
	}
}
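/*
 * Write n bytes of generator output to buf.
 *
 * Both callers in this file hold arc4_lock around this call; nothing here
 * takes the lock itself.
 *
 * On first use the state is placed in a private anonymous mapping that is
 * marked MC_INHERIT_ZERO. Any failure while setting that up aborts the
 * process, so the generator never runs on state that would be shared with a
 * child.
 *
 * Output is taken from the tail of arc4_buf. Every byte handed out is zeroed
 * in the buffer with explicit_bzero() right after it is copied, so delivered
 * output does not linger in the generator state.
 */
static void
arc4_fill(uint8_t *buf, size_t n)
{
	if (arc4 == NULL) {
		long pgsz;
		size_t mapsz;
		void *a;

		/*
		 * sysconf() returns a long and signals failure with -1, so
		 * test the signed value before it is used as a size. A page
		 * size of zero is rejected as well, since it cannot be used
		 * as an alignment.
		 */
		pgsz = sysconf(_SC_PAGESIZE);
		if (pgsz <= 0)
			abort();
		mapsz = P2ROUNDUP(sizeof (arc4_state_t), (size_t)pgsz);
		a = mmap(NULL, mapsz, PROT_READ | PROT_WRITE,
		    MAP_PRIVATE | MAP_ANON, -1, 0);
		if (a == MAP_FAILED)
			abort();
		if (memcntl(a, mapsz, MC_INHERIT_ZERO, 0, 0, 0) != 0)
			abort();
		arc4 = a;
	}

	/* Seeds on first use and whenever the reseed budget is exhausted. */
	arc4_stir(n);
	while (n > 0) {
		if (arc4->arc4_have > 0) {
			uint8_t *keystream;
			size_t m = MIN(n, arc4->arc4_have);

			/* Unconsumed bytes are the last arc4_have of the buffer. */
			keystream = arc4->arc4_buf + sizeof (arc4->arc4_buf) -
			    arc4->arc4_have;
			memcpy(buf, keystream, m);
			explicit_bzero(keystream, m);
			buf += m;
			n -= m;
			arc4->arc4_have -= m;
		}
		/* Buffer drained: generate more and re-key from it. */
		if (arc4->arc4_have == 0)
			arc4_rekey(NULL, 0);
	}
}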
/*
 * Return 32 bits of generator output. The shared state is only touched
 * while arc4_lock is held.
 */
uint32_t
arc4random(void)
{
	uint32_t val;

	lmutex_lock(&arc4_lock);
	arc4_fill((uint8_t *)&val, sizeof (val));
	lmutex_unlock(&arc4_lock);

	return (val);
}
/*
 * Fill the n bytes at buf with generator output. The whole request is
 * served under a single hold of arc4_lock. buf is not checked here; it must
 * be writable for n bytes.
 */
void
arc4random_buf(void *buf, size_t n)
{
	uint8_t *out = buf;

	lmutex_lock(&arc4_lock);
	arc4_fill(out, n);
	lmutex_unlock(&arc4_lock);
}