author | djm <djm@openbsd.org> | 2022-07-31 08:10:36 +0300 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2022-09-10 21:59:01 +0300 |
commit | 52a410f9bdd504d94f1e5711ecbf096eaaf9af97 (patch) | |
tree | fb143fd7422d20e17b2dfee0c8824e0ae8d72210 /newlib/libc/stdlib | |
parent | f5fece283864fcfe7c690d4e7c1032b616e5d570 (diff) |
upstream OpenBSD: arc4random: Randomise the rekey interval a little.
Previously, the chacha20 instance would be rekeyed every 1.6MB. This
makes it happen at a random point somewhere in the 1-2MB range.
Feedback deraadt@ visa@, ok tb@ visa@
newlib port: Make REKEY_BASE depend on SIZE_MAX
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diffstat (limited to 'newlib/libc/stdlib')
-rw-r--r-- | newlib/libc/stdlib/arc4random.c | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/newlib/libc/stdlib/arc4random.c b/newlib/libc/stdlib/arc4random.c
index c394f984a..7b6ac8a7a 100644
--- a/newlib/libc/stdlib/arc4random.c
+++ b/newlib/libc/stdlib/arc4random.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: arc4random.c,v 1.56 2022/02/28 21:56:29 dtucker Exp $ */
+/* $OpenBSD: arc4random.c,v 1.57 2022/07/31 05:10:36 djm Exp $ */
 /*
 * Copyright (c) 1996, David Mazieres <dm@uun.org>
@@ -49,6 +49,14 @@
 #define BLOCKSZ 64
 #define RSBUFSZ (16*BLOCKSZ)
+#if SIZE_MAX <= 65535
+#define REKEY_BASE ( 32*1024) /* NB. should be a power of 2 */
+#elif SIZE_MAX <= 1048575
+#define REKEY_BASE ( 512*1024) /* NB. should be a power of 2 */
+#else
+#define REKEY_BASE (1024*1024) /* NB. should be a power of 2 */
+#endif
+
 /* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */
 static struct _rs {
 size_t rs_have; /* valid bytes at end of rs_buf */
@@ -86,6 +94,7 @@ static void
 _rs_stir(void)
 {
 u_char rnd[KEYSZ + IVSZ];
+ uint32_t rekey_fuzz = 0;
 memset(rnd, 0, (KEYSZ + IVSZ) * sizeof(u_char));
@@ -102,8 +111,10 @@ _rs_stir(void)
 rs->rs_have = 0;
 memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
- rs->rs_count = (SIZE_MAX <= 65535) ? 65000
- : (SIZE_MAX <= 1048575 ? 1048000 : 1600000);
+ /* rekey interval should not be predictable */
+ chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz,
+ (uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz));
+ rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE);
 }
 static inline void |
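Review bot: The products `( 32*1024)` and `( 512*1024)` in the REKEY_BASE definitions are computed as plain `int` wherever the macro expands in C code, and the two small-SIZE_MAX branches are the ones most likely to be built with a 16-bit int, where both overflow (32768 already exceeds an INT_MAX of 32767). That would be signed overflow in a constant expression, before the value ever meets the uint32_t `rekey_fuzz` in `REKEY_BASE + (rekey_fuzz % REKEY_BASE)`. Giving the constants an unsigned long suffix, `#define REKEY_BASE (32UL*1024)` and likewise `(512UL*1024)` and `(1024UL*1024)`, keeps the arithmetic in a type that is at least 32 bits wide. Whether any supported target really pairs these SIZE_MAX values with a 16-bit int cannot be seen from this page, so this needs confirming against the port list.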
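Review bot: The comment added in _rs_stir explains why the interval is fuzzed but not the two properties the last line depends on, and neither is enforced anywhere in the change. `rekey_fuzz % REKEY_BASE` is free of modulo bias only while REKEY_BASE stays a power of two, and the sum can reach 2*REKEY_BASE - 1, which on the SIZE_MAX <= 65535 branch is exactly 65535 and so leaves no headroom if rs_count is a size_t (its declaration is not in the hunk). I would widen the comment to `/* rekey interval should not be predictable; REKEY_BASE is a power of 2, so the modulo is unbiased and rs_count < 2*REKEY_BASE */` and turn the "NB." on the macros into a build-time check, `#if (REKEY_BASE & (REKEY_BASE - 1)) != 0` / `#error "REKEY_BASE must be a power of 2"` / `#endif`. _rs_stir begins above this hunk, so how rsx->rs_chacha is keyed before this call is not visible here.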