diff options
Diffstat (limited to 'code/ecp/crypto/arc4random')
| -rwxr-xr-x | code/ecp/crypto/arc4random/Makefile | 14 | ||||
| -rwxr-xr-x | code/ecp/crypto/arc4random/arc4random.c | 259 | ||||
| -rwxr-xr-x | code/ecp/crypto/arc4random/arc4random.h | 78 | ||||
| -rwxr-xr-x | code/ecp/crypto/arc4random/chacha_private.h | 223 |
4 files changed, 574 insertions, 0 deletions
diff --git a/code/ecp/crypto/arc4random/Makefile b/code/ecp/crypto/arc4random/Makefile new file mode 100755 index 0000000..3d74290 --- /dev/null +++ b/code/ecp/crypto/arc4random/Makefile @@ -0,0 +1,14 @@ +include ../../Makefile.platform +CFLAGS=$(CFLAGS_PL) $(PIC) + +obj = arc4random.o + + +all: $(obj) +dep: all + +%.o: %.c + $(CC) $(CFLAGS) -c $< + +clean: + rm -f *.o *.a diff --git a/code/ecp/crypto/arc4random/arc4random.c b/code/ecp/crypto/arc4random/arc4random.c new file mode 100755 index 0000000..e891dd6 --- /dev/null +++ b/code/ecp/crypto/arc4random/arc4random.c @@ -0,0 +1,259 @@ +/* + * Copyright (c) 1996, David Mazieres <dm@uun.org> + * Copyright (c) 2008, Damien Miller <djm@openbsd.org> + * Copyright (c) 2013, Markus Friedl <markus@openbsd.org> + * Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org> + * Copyright (c) 2015, Sudhi Herle <sudhi@herle.net> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + + +/* + * ChaCha based random number generator from OpenBSD. + * + * Made fully portable and thread-safe by Sudhi Herle. + */ + +#include <stdint.h> +#include <stdlib.h> +#include <string.h> +#include <sys/types.h> +#include <assert.h> + +#define ARC4R_KEYSZ 32 +#define ARC4R_IVSZ 8 +#define ARC4R_BLOCKSZ 64 +#define ARC4R_RSBUFSZ (16*ARC4R_BLOCKSZ) + +typedef struct +{ + uint32_t input[16]; /* could be compressed */ +} chacha_ctx; + +struct rand_state +{ + size_t rs_have; /* valid bytes at end of rs_buf */ + size_t rs_count; /* bytes till reseed */ + chacha_ctx rs_chacha; /* chacha context for random keystream */ + u_char rs_buf[ARC4R_RSBUFSZ]; /* keystream blocks */ +}; +typedef struct rand_state rand_state; + + +/* kernel entropy */ +static int (*getentropy) (void* buf, size_t n); + + +#define KEYSTREAM_ONLY +#include "chacha_private.h" + +#define minimum(a, b) ((a) < (b) ? (a) : (b)) + +#include "arc4random.h" + + +static inline void +_rs_init(rand_state* st, u8 *buf, size_t n) +{ + assert(n >= (ARC4R_KEYSZ + ARC4R_IVSZ)); + + chacha_keysetup(&st->rs_chacha, buf, ARC4R_KEYSZ * 8, 0); + chacha_ivsetup(&st->rs_chacha, buf + ARC4R_KEYSZ); +} + + + +static inline void +_rs_rekey(rand_state* st, u8 *dat, size_t datlen) +{ + /* fill rs_buf with the keystream */ + chacha_encrypt_bytes(&st->rs_chacha, st->rs_buf, st->rs_buf, sizeof st->rs_buf); + + /* mix in optional user provided data */ + if (dat) { + size_t i, m; + + m = minimum(datlen, ARC4R_KEYSZ + ARC4R_IVSZ); + for (i = 0; i < m; i++) + st->rs_buf[i] ^= dat[i]; + + memset(dat, 0, datlen); + } + + /* immediately reinit for backtracking resistance */ + _rs_init(st, st->rs_buf, ARC4R_KEYSZ + ARC4R_IVSZ); + memset(st->rs_buf, 0, ARC4R_KEYSZ + ARC4R_IVSZ); + st->rs_have = (sizeof st->rs_buf) - ARC4R_KEYSZ - ARC4R_IVSZ; +} + + +static void +_rs_stir(rand_state* st) +{ + u8 rnd[ARC4R_KEYSZ + ARC4R_IVSZ]; + + + int r = getentropy(rnd, sizeof rnd); + assert(r == 0); + + _rs_rekey(st, rnd, sizeof(rnd)); + + /* invalidate rs_buf */ + st->rs_have = 0; + memset(st->rs_buf, 0, sizeof st->rs_buf); + + st->rs_count = 1600000; +} + + +static inline void +_rs_stir_if_needed(rand_state* st, size_t len) +{ + if (st->rs_count <= len) + _rs_stir(st); + + st->rs_count -= len; +} + + +static inline void +_rs_random_buf(rand_state* rs, void *_buf, size_t n) +{ + u8 *buf = (u8 *)_buf; + u8 *keystream; + size_t m; + + _rs_stir_if_needed(rs, n); + while (n > 0) { + if (rs->rs_have > 0) { + m = minimum(n, rs->rs_have); + keystream = rs->rs_buf + sizeof(rs->rs_buf) - rs->rs_have; + memcpy(buf, keystream, m); + memset(keystream, 0, m); + buf += m; + n -= m; + rs->rs_have -= m; + } else + _rs_rekey(rs, NULL, 0); + } +} + +static inline uint32_t +_rs_random_u32(rand_state* rs) +{ + u8 *keystream; + uint32_t val; + + _rs_stir_if_needed(rs, sizeof(val)); + if (rs->rs_have < sizeof(val)) + _rs_rekey(rs, NULL, 0); + keystream = rs->rs_buf + sizeof(rs->rs_buf) - rs->rs_have; + memcpy(&val, keystream, sizeof(val)); + memset(keystream, 0, sizeof(val)); + rs->rs_have -= sizeof(val); + + return val; +} + + +/* + * Use gcc extension to declare a thread-local variable. + * + * On most systems (including x86_64), thread-local access is + * essentially free for non .so use cases. + * + */ +static rand_state st = { .rs_count = 0 }; +static inline rand_state* +sget() +{ + rand_state* s = &st; + + if (s->rs_count == 0) + _rs_stir(s); + return s; +} + + + +/* + * Public API. + */ + + +void +arc4random_init(int (*f) (void*, size_t)) +{ + getentropy = f; +} + + +uint32_t +arc4random() +{ + rand_state* z = sget(); + + return _rs_random_u32(z); +} + + +void +arc4random_buf(void* b, size_t n) +{ + rand_state* z = sget(); + + _rs_random_buf(z, b, n); +} + + + + +/* + * Calculate a uniformly distributed random number less than upper_bound + * avoiding "modulo bias". + * + * Uniformity is achieved by generating new random numbers until the one + * returned is outside the range [0, 2**32 % upper_bound). This + * guarantees the selected random number will be inside + * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound) + * after reduction modulo upper_bound. + */ +uint32_t +arc4random_uniform(uint32_t upper_bound) +{ + rand_state* z = sget(); + uint32_t r, min; + + if (upper_bound < 2) + return 0; + + /* 2**32 % x == (2**32 - x) % x */ + min = -upper_bound % upper_bound; + + /* + * This could theoretically loop forever but each retry has + * p > 0.5 (worst case, usually far better) of selecting a + * number inside the range we need, so it should rarely need + * to re-roll. + */ + for (;;) { + r = _rs_random_u32(z); + if (r >= min) + break; + } + + return r % upper_bound; +} + +/* EOF */ diff --git a/code/ecp/crypto/arc4random/arc4random.h b/code/ecp/crypto/arc4random/arc4random.h new file mode 100755 index 0000000..e281a89 --- /dev/null +++ b/code/ecp/crypto/arc4random/arc4random.h @@ -0,0 +1,78 @@ +/* + * Copyright (c) 1996, David Mazieres <dm@uun.org> + * Copyright (c) 2008, Damien Miller <djm@openbsd.org> + * Copyright (c) 2013, Markus Friedl <markus@openbsd.org> + * Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org> + * Copyright (c) 2015, Sudhi Herle <sudhi@herle.net> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef ___ARC4RANDOM_H_5000666_1462841354__ +#define ___ARC4RANDOM_H_5000666_1462841354__ 1 + + /* Provide C linkage for symbols declared here .. */ +#ifdef __cplusplus +extern "C" { +#endif /* __cplusplus */ + +#include <stdint.h> +#include <sys/types.h> + +/* + * On OpenBSD - we should NOT use the same symbol names. OpenBSD + * libc defines these, and the rest of libc uses this - from dynamic + * loading, to malloc() to printf() etc. + * + * For some fun, don't redefine the names - and see what happens :-) + */ +#ifdef __OpenBSD__ + +#define arc4random mt_arc4random +#define arc4random_uniform mt_arc4random_uniform +#define arc4random_buf mt_arc4random_buf + +#endif /* __OpenBSD__ */ + + +/* + * Initialize generator with getentropy + */ +extern void arc4random_init(int (*) (void*, size_t)); + + +/* + * Generate and return a random 32-bit number + */ +extern uint32_t arc4random(void); + + +/* + * Generate and return a uniformly random 32-bit quantity with an + * upper bound of 'upper_bound' + */ +extern uint32_t arc4random_uniform(uint32_t upper_bound); + + +/* + * Generate 'n' random bytes and put them in 'buf'. + */ +extern void arc4random_buf(void* buf, size_t n); + +#ifdef __cplusplus +} +#endif /* __cplusplus */ + +#endif /* ! ___ARC4RANDOM_H_5000666_1462841354__ */ + +/* EOF */ diff --git a/code/ecp/crypto/arc4random/chacha_private.h b/code/ecp/crypto/arc4random/chacha_private.h new file mode 100755 index 0000000..05ce200 --- /dev/null +++ b/code/ecp/crypto/arc4random/chacha_private.h @@ -0,0 +1,223 @@ +/* + * chacha-merged.c version 20080118 + * D. J. Bernstein + * Public domain. + */ + +/* $OpenBSD$ */ + +#include <stdint.h> + + +typedef unsigned char u8; +typedef uint32_t u32; + + +#define U8C(v) (v##U) +#define U32C(v) (v##U) + +#define U8V(v) ((u8)(v) & U8C(0xFF)) +#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF)) + +#define ROTL32(v, n) \ + (U32V((v) << (n)) | ((v) >> (32 - (n)))) + +#define U8TO32_LITTLE(p) \ + (((u32)((p)[0]) ) | \ + ((u32)((p)[1]) << 8) | \ + ((u32)((p)[2]) << 16) | \ + ((u32)((p)[3]) << 24)) + +#define U32TO8_LITTLE(p, v) \ + do { \ + (p)[0] = U8V((v) ); \ + (p)[1] = U8V((v) >> 8); \ + (p)[2] = U8V((v) >> 16); \ + (p)[3] = U8V((v) >> 24); \ + } while (0) + +#define ROTATE(v,c) (ROTL32(v,c)) +#define XOR(v,w) ((v) ^ (w)) +#define PLUS(v,w) (U32V((v) + (w))) +#define PLUSONE(v) (PLUS((v),1)) + +#define QUARTERROUND(a,b,c,d) \ + a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \ + c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \ + a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \ + c = PLUS(c,d); b = ROTATE(XOR(b,c), 7); + +static const char sigma[16] = "expand 32-byte k"; +static const char tau[16] = "expand 16-byte k"; + +static void +chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits) +{ + const char *constants; + + (void)ivbits; + + x->input[4] = U8TO32_LITTLE(k + 0); + x->input[5] = U8TO32_LITTLE(k + 4); + x->input[6] = U8TO32_LITTLE(k + 8); + x->input[7] = U8TO32_LITTLE(k + 12); + if (kbits == 256) { /* recommended */ + k += 16; + constants = sigma; + } else { /* kbits == 128 */ + constants = tau; + } + x->input[8] = U8TO32_LITTLE(k + 0); + x->input[9] = U8TO32_LITTLE(k + 4); + x->input[10] = U8TO32_LITTLE(k + 8); + x->input[11] = U8TO32_LITTLE(k + 12); + x->input[0] = U8TO32_LITTLE(constants + 0); + x->input[1] = U8TO32_LITTLE(constants + 4); + x->input[2] = U8TO32_LITTLE(constants + 8); + x->input[3] = U8TO32_LITTLE(constants + 12); +} + +static void +chacha_ivsetup(chacha_ctx *x,const u8 *iv) +{ + x->input[12] = 0; + x->input[13] = 0; + x->input[14] = U8TO32_LITTLE(iv + 0); + x->input[15] = U8TO32_LITTLE(iv + 4); +} + +static void +chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes) +{ + u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; + u8 *ctarget = NULL; + u8 tmp[64]; + u_int i; + + if (!bytes) return; + + j0 = x->input[0]; + j1 = x->input[1]; + j2 = x->input[2]; + j3 = x->input[3]; + j4 = x->input[4]; + j5 = x->input[5]; + j6 = x->input[6]; + j7 = x->input[7]; + j8 = x->input[8]; + j9 = x->input[9]; + j10 = x->input[10]; + j11 = x->input[11]; + j12 = x->input[12]; + j13 = x->input[13]; + j14 = x->input[14]; + j15 = x->input[15]; + + for (;;) { + if (bytes < 64) { + for (i = 0;i < bytes;++i) tmp[i] = m[i]; + m = tmp; + ctarget = c; + c = tmp; + } + x0 = j0; + x1 = j1; + x2 = j2; + x3 = j3; + x4 = j4; + x5 = j5; + x6 = j6; + x7 = j7; + x8 = j8; + x9 = j9; + x10 = j10; + x11 = j11; + x12 = j12; + x13 = j13; + x14 = j14; + x15 = j15; + for (i = 20;i > 0;i -= 2) { + QUARTERROUND( x0, x4, x8,x12) + QUARTERROUND( x1, x5, x9,x13) + QUARTERROUND( x2, x6,x10,x14) + QUARTERROUND( x3, x7,x11,x15) + QUARTERROUND( x0, x5,x10,x15) + QUARTERROUND( x1, x6,x11,x12) + QUARTERROUND( x2, x7, x8,x13) + QUARTERROUND( x3, x4, x9,x14) + } + x0 = PLUS(x0,j0); + x1 = PLUS(x1,j1); + x2 = PLUS(x2,j2); + x3 = PLUS(x3,j3); + x4 = PLUS(x4,j4); + x5 = PLUS(x5,j5); + x6 = PLUS(x6,j6); + x7 = PLUS(x7,j7); + x8 = PLUS(x8,j8); + x9 = PLUS(x9,j9); + x10 = PLUS(x10,j10); + x11 = PLUS(x11,j11); + x12 = PLUS(x12,j12); + x13 = PLUS(x13,j13); + x14 = PLUS(x14,j14); + x15 = PLUS(x15,j15); + +#ifndef KEYSTREAM_ONLY + x0 = XOR(x0,U8TO32_LITTLE(m + 0)); + x1 = XOR(x1,U8TO32_LITTLE(m + 4)); + x2 = XOR(x2,U8TO32_LITTLE(m + 8)); + x3 = XOR(x3,U8TO32_LITTLE(m + 12)); + x4 = XOR(x4,U8TO32_LITTLE(m + 16)); + x5 = XOR(x5,U8TO32_LITTLE(m + 20)); + x6 = XOR(x6,U8TO32_LITTLE(m + 24)); + x7 = XOR(x7,U8TO32_LITTLE(m + 28)); + x8 = XOR(x8,U8TO32_LITTLE(m + 32)); + x9 = XOR(x9,U8TO32_LITTLE(m + 36)); + x10 = XOR(x10,U8TO32_LITTLE(m + 40)); + x11 = XOR(x11,U8TO32_LITTLE(m + 44)); + x12 = XOR(x12,U8TO32_LITTLE(m + 48)); + x13 = XOR(x13,U8TO32_LITTLE(m + 52)); + x14 = XOR(x14,U8TO32_LITTLE(m + 56)); + x15 = XOR(x15,U8TO32_LITTLE(m + 60)); +#endif + + j12 = PLUSONE(j12); + if (!j12) { + j13 = PLUSONE(j13); + /* stopping at 2^70 bytes per nonce is user's responsibility */ + } + + U32TO8_LITTLE(c + 0,x0); + U32TO8_LITTLE(c + 4,x1); + U32TO8_LITTLE(c + 8,x2); + U32TO8_LITTLE(c + 12,x3); + U32TO8_LITTLE(c + 16,x4); + U32TO8_LITTLE(c + 20,x5); + U32TO8_LITTLE(c + 24,x6); + U32TO8_LITTLE(c + 28,x7); + U32TO8_LITTLE(c + 32,x8); + U32TO8_LITTLE(c + 36,x9); + U32TO8_LITTLE(c + 40,x10); + U32TO8_LITTLE(c + 44,x11); + U32TO8_LITTLE(c + 48,x12); + U32TO8_LITTLE(c + 52,x13); + U32TO8_LITTLE(c + 56,x14); + U32TO8_LITTLE(c + 60,x15); + + if (bytes <= 64) { + if (bytes < 64) { + for (i = 0;i < bytes;++i) ctarget[i] = c[i]; + } + x->input[12] = j12; + x->input[13] = j13; + return; + } + bytes -= 64; + c += 64; +#ifndef KEYSTREAM_ONLY + m += 64; +#endif + } +} |